Tuesday, September 29, 2015

Securing Linux with denyhosts

8:54 PM Posted by Dilli Raj Maharjan

Introduction

DenyHosts is a Python script intended to be run by Linux system administrators to help thwart SSH server attacks, that is, dictionary and brute-force password-guessing attacks. It watches the sshd log for failed logins and, once a source address has produced too many of them, adds that address to /etc/hosts.deny so that TCP wrappers refuse its further connections. It therefore only protects an sshd that honours TCP wrappers, which the RHEL/CentOS 6 build does.

Installation and Configuration

Download and install denyhosts

Download the package from http://pkgs.repoforge.org/denyhosts/ (the RepoForge build for EL6):

wget http://pkgs.repoforge.org/denyhosts/denyhosts-2.6-5.el6.rf.noarch.rpm

The package is fetched over plain HTTP, so verify its GPG signature (rpm --checksig, against a key you have imported) before installing it. Then install the package with the following command.

rpm -ivh denyhosts-2.6-5.el6.rf.noarch.rpm







Whitelist the hosts or networks that must never be blocked. TCP wrappers consult /etc/hosts.allow before /etc/hosts.deny, so a matching allow entry wins even after DenyHosts has written the same address to hosts.deny: with the entry below, a host on 192.168.1.0/24 can type a wrong password as often as it likes and will not be locked out. The trailing dot is the tcp_wrappers prefix syntax for the whole 192.168.1.x range, and the daemon name is compared case-insensitively, so SSHD works here although sshd is the usual spelling. Put your own administration hosts in this list before enabling DenyHosts, otherwise a typo in your own password can lock you out of the server.


echo "SSHD: 192.168.1." >> /etc/hosts.allow


Restart the service with the command below

/etc/init.d/denyhosts restart

Verify that denyhosts is running (the bracket keeps grep from matching its own command line)

ps ax | grep '[d]enyhost'


Settings can be changed in /etc/denyhosts/denyhosts.cfg.

PURGE_DENY: how long an entry DenyHosts has written to hosts.deny is kept; entries older than this are removed when denyhosts is run with --purge. Left empty, entries are never purged, so an address that once guessed wrong stays blocked until you remove it by hand.

# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
#             when DenyHosts is invoked with the --purge flag
#
#      format is: i[dhwmy]
#      Where 'i' is an integer (eg. 7)
#            'm' = minutes
#            'h' = hours
#            'd' = days
#            'w' = weeks
#            'y' = years
#
# never purge:

DENY_THRESHOLD_INVALID = 5
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value.  This value applies to invalid
# user login attempts (eg. non-existent user accounts)

ADMIN_EMAIL=
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report


Verify the current hosts.deny list

cat /etc/hosts.deny

Now test the block from a host that is not covered by the hosts.allow entry (a whitelisted host is never blocked, and your own workstation is the last machine you want to lock out): try an ssh login with a wrong password 5 times.
The host's entry can now be seen in hosts.deny, as a line of the form sshd: <address>.

SSH from that host to the server is now refused.
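To make the counting rule concrete, here is an added example, not DenyHosts' own code, that applies the same rule to a few constructed sshd log lines: count failed logins per source address, skip addresses covered by the hosts.allow prefix, and print the hosts.deny lines for sources that reached DENY_THRESHOLD_INVALID. The log lines, host name and addresses are made up for the demo; the threshold and the prefix are the values configured above.

```shell
#!/bin/bash
# Added example, not DenyHosts' own code: the same rule DenyHosts applies,
# written as a few shell functions. Failed sshd logins are counted per
# source address, addresses covered by the hosts.allow prefix are skipped,
# and a hosts.deny line is printed for every other source that reached
# the threshold. Log lines, host name and addresses are constructed for
# the demo; threshold and prefix are the values configured on this page.

DENY_THRESHOLD_INVALID=5
ALLOW_PREFIX="192.168.1."      # same value as the hosts.allow entry

# Constructed sample of /var/log/secure: five failures from 203.0.113.10,
# six from the whitelisted 192.168.1.20, two from 198.51.100.7.
SAMPLE_LOG='Sep 29 20:01:01 core sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Sep 29 20:01:03 core sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Sep 29 20:01:05 core sshd[1205]: Failed password for invalid user test from 203.0.113.10 port 51024 ssh2
Sep 29 20:01:07 core sshd[1207]: Failed password for invalid user oracle from 203.0.113.10 port 51025 ssh2
Sep 29 20:01:09 core sshd[1209]: Failed password for invalid user admin from 203.0.113.10 port 51026 ssh2
Sep 29 20:02:00 core sshd[1301]: Failed password for root from 192.168.1.20 port 40001 ssh2
Sep 29 20:02:01 core sshd[1303]: Failed password for root from 192.168.1.20 port 40002 ssh2
Sep 29 20:02:02 core sshd[1305]: Failed password for root from 192.168.1.20 port 40003 ssh2
Sep 29 20:02:03 core sshd[1307]: Failed password for root from 192.168.1.20 port 40004 ssh2
Sep 29 20:02:04 core sshd[1309]: Failed password for root from 192.168.1.20 port 40005 ssh2
Sep 29 20:02:05 core sshd[1311]: Failed password for root from 192.168.1.20 port 40006 ssh2
Sep 29 20:03:00 core sshd[1401]: Failed password for invalid user guest from 198.51.100.7 port 33001 ssh2
Sep 29 20:03:02 core sshd[1403]: Failed password for invalid user guest from 198.51.100.7 port 33002 ssh2
Sep 29 20:03:04 core sshd[1405]: Accepted password for dilli from 198.51.100.7 port 33003 ssh2'

# Print "count address" for every source with at least one failed login.
count_failures() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c \
        | awk '{ print $1, $2 }'
}

# True when the address lies inside the hosts.allow prefix (the trailing
# dot in the prefix keeps 192.168.10.x from matching 192.168.1.).
allowed_host() {
    case "$1" in
        "$ALLOW_PREFIX"*) return 0 ;;
    esac
    return 1
}

# Emit the hosts.deny lines; a source is blocked once its count reaches the
# threshold, which is how the five-attempt test on this page behaves.
hosts_to_deny() {
    count_failures "$1" | while read -r count address; do
        if allowed_host "$address"; then
            continue
        fi
        if [ "$count" -ge "$DENY_THRESHOLD_INVALID" ]; then
            echo "sshd: $address"
        fi
    done
}

hosts_to_deny "$SAMPLE_LOG"     # prints: sshd: 203.0.113.10
```

Running it prints a single line for 203.0.113.10: the whitelisted 192.168.1.20 is skipped despite six failures, and 198.51.100.7 stays below the threshold. Feed it a real log (cat /var/log/secure) to see which addresses DenyHosts would have blocked under the current configuration.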



Secure oracle dumps with encryption.

8:37 PM Posted by Dilli Raj Maharjan

Available encryption options (from expdp help=y; the bracketed value is the default)


ENCRYPTION
Encrypt part or all of a dump file.
Valid keyword values are: ALL, DATA_ONLY, ENCRYPTED_COLUMNS_ONLY, METADATA_ONLY and NONE.

ENCRYPTION_ALGORITHM
Specify how encryption should be done.
Valid keyword values are: [AES128], AES192 and AES256.

ENCRYPTION_MODE
Method of generating encryption key.
Valid keyword values are: DUAL, PASSWORD and [TRANSPARENT].

ENCRYPTION_PASSWORD
Password key for creating encrypted data within a dump file.

Executing expdp command without encryption options.


expdp userid=system directory=tts_dir transport_tablespaces=TBS_TTS dumpfile=TBS_TTS.dmp logfile=TBS_TTS_exp.log

Executing expdp command with encryption options. ENCRYPTION=ALL encrypts metadata and data alike, AES256 is the strongest of the three algorithms offered, and ENCRYPTION_MODE=PASSWORD derives the key from the supplied password, so no Oracle wallet (TDE) is needed on either the exporting or the importing database; TRANSPARENT mode needs an open wallet, and DUAL produces a dump that can be imported with either. Note that a password typed on the command line as below ends up in the shell history and may be visible to other local users while the job runs; in practice put it in a PARFILE instead.

expdp system directory=tts_dir dumpfile=TBS_TTS_encrypted.dmp logfile=TBS_TTS_encrypted.log \
ENCRYPTION=ALL ENCRYPTION_ALGORITHM=AES256 ENCRYPTION_MODE=PASSWORD ENCRYPTION_PASSWORD='n**********3' schemas=USR_TTS

Trying to import the encrypted dump without the encryption password fails:

[oracle@myhost tts_dir]$ impdp system directory=tts_dir dumpfile=TBS_TTS_encrypted.dmp logfile=TBS_TTS_encrypted_imp.log

Import: Release 11.2.0.3.0 - Production on Mon Sep 28 18:06:06 2015

Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Password:

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORA-39002: invalid operation
ORA-39174: Encryption password must be supplied.

The import succeeds once the same password is supplied:


impdp system directory=tts_dir dumpfile=TBS_TTS_encrypted.dmp logfile=TBS_TTS_encrypted_imp_1.log \
ENCRYPTION_PASSWORD='n**********3'
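As an added example (not from the original post, and not Oracle's code), the following shell function writes the export parameters used above, or the matching import parameters, into a parfile created with mode 0600 so the encryption password is never typed on the command line. The directory, dump file, log file and schema names are the ones used on this page; the parfile paths in the usage comment and the password value are placeholder assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: keep the Data Pump encryption
# password off the command line (shell history, ps output) by putting the
# parameters in a parfile that only its owner can read. Names match the
# expdp/impdp commands on this page; the password is a placeholder.

# write_dp_parfile <export|import> <parfile> <password>
write_dp_parfile() {
    local mode=$1 parfile=$2 password=$3
    (
        umask 077                  # new file is created mode 0600
        {
            echo "DIRECTORY=tts_dir"
            echo "DUMPFILE=TBS_TTS_encrypted.dmp"
            if [ "$mode" = export ]; then
                echo "LOGFILE=TBS_TTS_encrypted.log"
                echo "SCHEMAS=USR_TTS"
                echo "ENCRYPTION=ALL"             # export-only parameters
                echo "ENCRYPTION_ALGORITHM=AES256"
                echo "ENCRYPTION_MODE=PASSWORD"   # no wallet needed
            else
                echo "LOGFILE=TBS_TTS_encrypted_imp.log"
            fi
            echo "ENCRYPTION_PASSWORD=$password"  # same value on both sides
        } > "$parfile"
    )
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback),
# so the caller can confirm the parfile is not world-readable.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage (expdp/impdp still prompt for the SYSTEM password interactively;
# the paths are assumptions):
#   write_dp_parfile export /home/oracle/tts_exp.par 'placeholder'
#   expdp system PARFILE=/home/oracle/tts_exp.par
#   write_dp_parfile import /home/oracle/tts_imp.par 'placeholder'
#   impdp system PARFILE=/home/oracle/tts_imp.par
```

Delete the parfile once the job has finished; it holds the only secret that protects the dump.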


Sunday, September 27, 2015

Encrypt bash script on Linux using shc

9:47 PM Posted by Dilli Raj Maharjan

Download and build shc from source. The tarball is fetched over plain HTTP, so compare it against a checksum from a trusted source before running make install as root.

wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.7.tgz
tar xzvf shc-3.8.7.tgz
cd shc-3.8.7
make
make install

Create a simple script, test.sh, with the following code

#!/bin/bash

# Read two numbers from the terminal and print their sum
echo -e -n "Enter the first value \t:"
read -r a
echo -e -n "Enter the second value \t:"
read -r b
sum=$(expr "$a" + "$b")
echo "Result is $sum"

Compile the test.sh script with shc as below.


$ ./shc -f test.sh

List the files with ls. There are now 2 more files: test.sh.x is the compiled binary that runs the script, and test.sh.x.c is the generated C source it was built from. Note that shc is obfuscation rather than protection: the script is stored encrypted inside the binary together with the key, and the binary decrypts it at run time, so anyone who can run it can also recover it (see the core dump section at the end of this page).


[root@core scripts]# ls
test.sh  test.sh.x  test.sh.x.c

Execute the Encrypted script file with following command

 ./test.sh.x

Additional parameters that can be used with shc are below.

Setting an expiration date on the script file (-e, in dd/mm/yyyy format) together with the message shown once that date has passed (-m).

 shc -e '28/09/2015' -m "This script file is expired" -f test.sh


Execute the script before expiration date.

 ./test.sh.x

Change the date and time with the following command to move past the expiration date. Since shc checks the expiry against the local clock, anyone who can set the clock (or run the binary under a faked time) can bypass it just as easily.

  sudo date +%Y%m%d -s '20150928'


Execute the script after expiration date.  

  [dilli@core scripts]$ ./test.sh.x 
./test.sh.x: has expired!
This script file is expired

Recovering the plain text of an shc binary from a core dump

Check whether core dumps are enabled:

ulimit -c

If the output is 0, no core file is written when a process crashes.

Now set the core file size limit. Bash's ulimit -c takes the value in 1024-byte blocks, so 70000 allows a core of about 70 MB; ulimit -c unlimited is the simpler choice for this purpose.

ulimit -c 70000

Now start the binary and segfault it right away. The IP-Digger binary below is an shc-compiled script whose plain text is to be recovered.

./IP-Digger4.sh.x&  ( sleep 0.02 && kill -SIGSEGV $! )

sleep 0.02 gives the binary enough time to start up and decrypt the original script into memory. The variable $! holds the PID of the last background process started, so it can be sent the segmentation fault signal SIGSEGV (the same as kill -11 $!), which makes the kernel write the process memory to a core file.

+ segmentation fault (core dumped)  ./IP-Digger4.sh.x

strings core > plain_text

The decrypted script shows up in the output as a block starting with its #! line, among the other strings of the process image. The core file is named according to kernel.core_pattern; if it comes out as core.<pid>, or is handed to abrt or systemd-coredump, adjust the path accordingly. The lesson is that shc hides the script from a casual look at the file but not from the user running it, since both the key and the decrypted text have to be in the process memory.
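The steps above can be automated. The script below is an added example, not from the original post: it enables core dumps, runs the binary, sends SIGSEGV after the page's 0.02 s delay, looks for the core file and filters the printable text from the #! line onward. The core-file lookup and the text filter are assumptions made here, and strings(1) is replaced by a tr/grep pipeline so the filter can be exercised on any file; the binary name in the usage comment is the one from this page.

```shell
#!/bin/bash
# Added example, not from the original post: automate the core-dump recovery
# shown above. recover_shc_script runs an shc-built binary, kills it with
# SIGSEGV once the stub has decrypted the script, locates the core file and
# hands it to script_from_core, which keeps the printable text from the
# "#!" line onward. The 0.02 s delay and the SIGSEGV trick are the page's;
# the core-file lookup and the text filter are assumptions made here.

# Print printable runs of 4+ characters (a portable stand-in for strings(1)).
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '^.{4,}$'
}

# Keep everything from the interpreter line ("#!/...") to the end of the
# recovered text; the decrypted script sits in memory as one string.
script_from_core() {
    printable_strings "$1" | awk '/^#!\//{found=1} found{print}'
}

# Name of the core file: the kernel writes it according to
# kernel.core_pattern; the plain "core" and "core.PID" forms are handled
# here, anything else (abrt, systemd-coredump, a pipe) must be fetched
# manually.
find_core_file() {
    local pid=$1
    [ -f core ] && { echo core; return 0; }
    [ -f "core.$pid" ] && { echo "core.$pid"; return 0; }
    return 1
}

# recover_shc_script <shc binary> [output file]
recover_shc_script() {
    local binary=$1 out=${2:-plain_text}
    ulimit -c unlimited                  # allow a core of any size
    "$binary" >/dev/null 2>&1 &          # start the stub ...
    local pid=$!
    sleep 0.02                           # ... give it time to decrypt ...
    kill -SEGV "$pid"                    # ... and force a core dump
    wait "$pid" 2>/dev/null
    local core
    core=$(find_core_file "$pid") || {
        echo "no core file found; check kernel.core_pattern" >&2
        return 1
    }
    script_from_core "$core" > "$out"
    echo "recovered text written to $out"
}

# Usage, with the binary from this page:
#   recover_shc_script ./IP-Digger4.sh.x plain_text
```

If the output file is empty, the delay was too short for the stub to decrypt the script or the core was written somewhere else; run find_core_file by hand with the PID printed by the shell.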