Category Archives: Security

Basic SELinux Security Concepts

Overview

“SELinux is a security enhancement to Linux which allows users and administrators more control over access control.” (selinuxproject.org”
Continue reading

Linux ACL Permissions

Overview

“Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems.
It is designed to assist with UNIX file permissions.
ACL allows you to give permissions for any user or group to any disc resource.” (Wikipedia)

Enable ACL on file system

Most likely is that the ACL option is already enabled on your file system but to be sure you can verify using the next command:

#make sure to replace sda2 with the name of your device
tune2fs -l /dev/sda2 | grep options

The output should be:

Default mount options:    user_xattr acl

In order to enable ACL on a file system use tune2fs command:

#make sure to replace sda2 with the name of your device
tune2fs -o acl /dev/sda2

View Linux ACL Permissions

ls command

With ls command you can see if there are any ACL permissions on a file, you will see a ‘+’ sign:

ls -l /folder-file

#Output:
-rw-rwxr--+ 1 root root 0 Mar 15 05:27 folder-file

Now we use getfacl command to see the ACL permissions.

getfacl command

You can use getfacl to view the current ACL permissions of a file or folder.

getfacl /folder-file

#Output
# file: folder-file
# owner: root
# group: root
user::rw-
user:nfsnobody:rwx
group::r--
mask::rwx
other::r--

setfacl command

#setfacl -m u:username:permissions /folder-file
setfacl -m u:bob:rwx /folder-file

#setfacl -m u:uid:permissions /folder-file
setfacl -m u:12345:rwx /folder-file

#setfacl -m g:groupname:permissions /folder-file
setfacl -m g:company:rx /folder-file

#setfacl -m g:gid:permissions /folder-file
setfacl -m g:12345:rx /folder-file

Remove all ACL permissions:

setfacl -b

Remove a specific ACL entry by username, uid, group or gid:

setfacl -x "bob"

Enjoy!

chmod suid sgid sticky bit

Overview

Linux chmod has a few options that can make your life a lot easier when managing a shared storage.
The most needed are chmod suid sgid sticky bit.
Also the impact of each one is different between files and folders.

chmod suid sgid sticky bit

SetUID and SetGID

SUID (SetUID) and SGID (SetGID) has different affects when used on files or on folders.

suid and sgid on files

When suid is set on an executable that means the file will run with the owner user permissions when run by a different user.
When used you will have the letter ‘S’ specified in the files permissions.
When you will have a lower-case ‘s’ that means it hides the permission ‘x’ of user so it means ‘t+x”

Apply SUID on ‘run.sh’:

chmod u+s run.sh

Apply SUID with 777:

chmod 4777 run.sh

Output SUID with 777:

-rwsrwxrwx.

Output SUID with 677:

drwSrwxrwx.

When sgid is set on an executable that means the file will run with the owner groups permissions when run by a different user.
When used you will have the letter ‘S’ specified in the files permissions.
When you will have a lower-case ‘s’ that means it hides the permission ‘x’ of group so it means ‘t+x”

Apply SGID on ‘run.sh’:

chmod g+s run.sh

Apply SGID with 777:

chmod 2777 run.sh

Output SGID with 777:

-rwxrwsrwx.

Output SGID with 767:

drwxrwSrwx.

suid and sgid on folders

suid and sgid on folders means inherit permissions for newly created files.
sgid will set the owner group permission of all new files the same as folders owner group.

Linux ignores the suid permission on folders.

Sticky-Bit

“When the sticky bit is set, only the item’s owner, the directory’s owner, or the superuser can rename or delete files.” (Wikipedia)

Sticky_bit is mostly applied to folders, it has a few uses on files but that not in the scope of this tutorial.

When used you will have the letter ‘T’ specified in the folders permissions.
When you will have a lower-case ‘t’ that means it hides the permission ‘x’ of others so it means ‘t+x”

Output sticky bit with 777:

drwxrwxrwt.

Output sticky bit with 776:

drwxrwxrwT.

Apply sticky bit to ‘/folder’:

chmod +t /folder

Apply sticky bit with 777:

chmod 1777 /folder

Enjoy!

iptables examples on CentOS

Overview

“iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.”

In this tutorial I will give a few essential examples of how to use iptables on CentOS

iptables

There are several ways to configure iptables on CentOS.
The simplest way is to use the command system-config-firewall/system-config-firewall-tui, it will help you set up standard rules like Web Server, FTP Server and a few more.
The second way is to use iptables command to edit the configuration – this method is best for testing since it will NOT save the settings until you run the command:

/etc/init.d/iptables save

The third way is to edit the file /etc/sysconfig/iptables and that is what I will show you today.

iptables chains

First we clear the content of /etc/sysconfig/iptables using:

echo > /etc/sysconfig/iptables

Set all the default chains to DROP and save the file:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

Now we are ready to insert the necessary rules to our chains.

Stateful configuration

Using a stateful rule to allow all established connections:

#Allow all Established connections
-A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT

Some services requires you to allow related connections (ftp,tftp…):

#Allow all Related connections
-A INPUT -p all -m state --state RELATED -j ACCEPT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

iptables examples

Allow LocalHost

First we need to insert a rule to allow localhost to communicate:

#All localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

Allow Web Browsing

#Out Internet Access
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#Out Internet Access SSL
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow Outgoing SSH

#Out SSH
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH

Allow Incoming SSH from a specified subnet/ip address

#In SSH
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH from all

#In SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming Web Server

#In Internet Access Port 80
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#In Internet Access SSL Port 443
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow DHCP Client

#In/Out DHCP Client
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

Allow DHCP Server

#In/Out DHCP Server
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

Allow DNS requests

#Out DNS
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Allow Incoming ping

#In ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Outgoing ping

#Out ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Zabbix Agent

#In Zabbix Agent
-A INPUT -p tcp --dport 10050 -m state --state NEW -j ACCEPT

Allow Outgoing RDP

#Out RDP
-A OUTPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow Incoming RDP Server

#In RDP
-A INPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow SMTP Server

#In SMTP
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTP Client

#Out SMTP
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTPs Server

#In SMTPs
-A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTPs Client

#Out SMTPs
-A OUTPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTP TLS Server

#In SMTP TLS
-A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow SMTP TLS Client

#Out SMTP TLS
-A OUTPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow POP Server

#In POP
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POP Client

#Out POP
-A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POPs Server

#In POPs
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow POPs Client

#Out POPs
-A OUTPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow IMAP Server

#In IMAP
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAP Client

#Out IMAP
-A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAPs Server

#In IMAPs
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow IMAPs Client

#Out IMAPs
-A OUTPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow mySQL Server

#In mySQL
-A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow mySQL Client

#Out mySQL
-A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow NTP Server

#In NTP
-A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow NTP Client

#Out NTP
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow rsync

#In rsync
-A INPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

#Out rsync
-A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

Allow rsyslogd

#In rsyslogd
-A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

#Out rsyslogd
-A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

Allow SAMBA Server

#In Samba
-A INPUT -p udp --dport 137:139 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dport 139,445 -m state --state NEW -j ACCEPT

Allow NFS Server

NFS uses random ports on startup so we need to fix the port numbers, add the following lines to ‘/etc/sysconfig/nfs’:

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049

#In NFS
-A INPUT -p tcp -m multiport --dport 111,662,875,892,2020,2049,20049,32803 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dport 111,662,875,892,2020,2049,20049,32769 -m state --state NEW -j ACCEPT

Allow TFTP Server

TFTP needs an iptables module called “nf_conntrack_tftp”, edit ‘/etc/sysconfig/iptables-config’ and make sure you have:

IPTABLES_MODULES="nf_conntrack_tftp"

#In TFTP
-A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT

#You also need to allow related OUTPUT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

Allow Routing

Allow routing between Network-1 to Network-2 using 2 different NICs:

#Allow routing from eth0 to eth1
-A FORWARD -i eth0 -o eth1 -j ACCEPT

Specify port range

For example allow all communication from ports 100-200 to ports 200-300:

-A OUTPUT --sport 100:200 --dport 200:300 -j ACCEPT

Speciy IP Address range

IP Address range requires the ‘iprange’ module,
For example allow all communication to and from 10.0.0.1-10.0.0.100:

-A OUTPUT -m iprange --dst-range 10.0.0.1-10.0.0.100 -j ACCEPT
-A INPUT -m iprange --src-range 10.0.0.1-10.0.0.100 -j ACCEPT

Enjoy!

Copy SSH public key to another server instructions

copy ssh public key

Prerequisities

You need to have a public key. If you haven’t generated keys before use:

ssh-keygen -t rsa

copy ssh public key is very simple. there are some ways to achieve this:

Using ssh-copy-id (recommended)

ssh-copy-id user@host

with this very simple command you can copy your public key to any user@host combination

Using scp

scp .ssh/id_rsa.pub user@host2:.ssh/authorized_keys

cd ~/ before.

The different is that scp will create a new file called authorized_keys while ssh-copy-id will add to id.

Development Specialist, Artist and Activist
Personal Website

OpenVPN ALS Adito SSL VPN Gateway on CentOS

Overview

OpenVPN ALS Adito SSL VPN Gateway is a web-based SSL-VPN server written in Java and it is completely free and open-source.
The installation on CentOS 6 Linux Operating System is fairly simple using the next few steps (we will use CentOS Minimal x86_64).
Continue reading

How to disable java in all browsers at once

Overview

Several major companies have been hacked lately. Security advice for web users last week from the US Department of Homeland Security encouraging to disable java on browsers. Disable java in each browser takes time. You will learn how to disable java for all at once. and also for each browser if needed.

Continue reading

Development Specialist, Artist and Activist
Personal Website

Filter your visits in Google Analytics (Do not track your IP)

Overview

Setting up Google Analytics to not track your visits is a bit tricky. You can filter by IP, but most of us are using dynamic IP so we need another solution. You’ll learn to setup a cookie on your browser and configure settings in google analytics to achieve this.

Continue reading

Development Specialist, Artist and Activist
Personal Website

Using modern.IE – Testing for Internet Explorer just got a little easier

internet explorer logo

Microsoft to developers: This is the ‘modern.IE’ world

Microsoft announced their new tool called modern.IE. http://www.modern.ie/
Using this tool (website) you can scan for common coding problems.

Continue reading

Development Specialist, Artist and Activist
Personal Website

Deep Freeze + Windows Locked Loop: Change to thawed mode

deep freeze

 

So, You’re stuck in a loop?

If you using the evalution edition – it’s no problem! just change your date 30 days to the future and deep freeze will stop working.
If you using the full edition you need a different solution:

Continue reading

Development Specialist, Artist and Activist
Personal Website