Archive for the ‘Security’ Category

Process Scheduling is Nice !

The holy grail of computing is security and performance together. It’s all well and good having the most secure system in the world, but if it’s rubbish at doing the job it’s supposed to do then you’ve kind of missed the point. Tools like psad and denyhosts provide excellent security, but to do so they actively use resources. Take the example of a mail server: if some unsociable person starts heavily scanning your machine, and the above two applications slow down the delivery of mail, your users won’t be happy. That’s where “nice” comes into effect; nice lets you assign priorities to the applications that are important to you. Now I hear what you’re saying: psad and denyhosts are so light, how could they possibly consume resources? So let’s look at a real world example….

More WordPress Exploits on Milw0rm

I’ve posted before about the popularity of WordPress having a negative effect. There I pointed out that only days after a security bug was patched by the WP team, an exploit was freely available….. the upshot being that we have only days to respond and patch our blogs (this could be a real problem should we dare to take a holiday!)

The thing is, the problem appears to be getting worse: now plug-in exploits [1] [2] [3] are being posted. This is worse because many of us use a lot of plug-ins, and without some kind of updating mechanism it’s difficult to stay on top of patching.

rkhunter rpm for Centos / RedHat

Whilst doing some routine maintenance, I noticed that I never published the rkhunter RPM I built. The software is officially supported at rootkit.nl, but for ease I wanted a yum-available RPM ;)

Tripwire 2.4.1.1 rpm for CentOS, Redhat ( RHEL ) 4

Following a request I’ve rebuilt a later tripwire RPM (2.4.1.1). I think at this point it would be prudent to point out that the RPMs found here are not maintained, and I do not offer any kind of support - you use them at your own risk - but you’re welcome to make requests!

tripwire-2.4.1.1-1.i386.rpm

My Yum repo has also been updated, config file here :D

DenyHosts - Protecting against SSH Brute Force Attacks

If you look after a remote Linux box, the chances are you use SSH, and in order to connect to it you may even have to leave port 22 open to the whole Internet!

There are some basic security steps you can take to protect SSH, such as blocking the root user from logging in and forcing users to use STRONG authentication.

News - Fooling Cisco’s NAC network access control

Just found this:

heise Security - News - Fooling Cisco’s NAC network access control

Security experts at the Black Hat conference in Amsterdam have demonstrated how Cisco’s NAC network access control can be fooled. In a live demonstration using a modified Trust Agent, Michael Thumann and Dror-John Röcher from ERNW were able to gain full access to an NAC protected network using a computer which did not comply with network policies.

Although it was obvious that hackers would target the Trust Agent, it’s interesting to read a success story.

WordPress Exploit on Milw0rm.

Following yesterday’s security announcement for WordPress, a freely available exploit has been published on milw0rm. What this means is… if you haven’t upgraded, DO IT NOW, as the number of attacks will go up very quickly.

If you look through the exploit you can see that it takes advantage of existing user accounts, so a further security option is to disable the “anyone can register” option: within the WordPress admin, click Options -> General and untick the box (if it is on and you don’t need it).

SNMP v3 on Redhat Linux

I think it’s safe to say that if you can’t get something to work then either the manual is rubbish or the user is stupid. With setting up SNMP v3 on Linux, the user is me, so the fault probably lies there.

SNMPv3 moves away from the community string idea of the older versions and on to a username & password combo. The correct tool for creating users is snmpusm, but no matter how many times I read the man page I can’t work it out. I get that you copy a user from the initial user, but how do you create the initial user? If I try on my box I just get an “snmp timeout” error.

Nokia Console Cables

It’s been a while since I’ve been up close & personal with a Nokia firewall, but recently I’ve needed to play.

The first thing I noticed was that the console cable has changed. Now let’s not focus too much on the design flaw whereby you can’t actually get your fingers in properly to release the cable; at least they got rid of the DB9-type serial connector that kept breaking.

The good news is, looking at the cable colours you can see that they are rollover cables - exactly the same as Cisco use - great! One less thing to carry around in the laptop bag :-D

Securing a Linux box - my Tips !

November was a slow posting month, the reason being that I’m working on a rather time-consuming project; one of the areas I’ve had to focus on again is Linux security.

Security goes on and on forever; you can do as much or as little as you deem necessary. Too much will consume resources*, too little opens you up to attack. This article talks about some steps I take. Be advised though, this will generate a load of e-mails, and if you’re not going to read them, why bother implementing them?

HTTPS backups of Cisco ASA

Here you are, a Cisco security tidbit: you can securely back up the running config of your Cisco ASA over HTTPS. You really should enable AAA and set a username, but for now, here’s the default URL & command for wget.

wget --http-user=<YOUR USERNAME> --http-passwd=<YOUR PASSWORD> https://<IP ADDRESS>/admin/exec/show%20running-config%20asdm/show%20running-config#

:-D

Metasploit: Metasploit 3.0 Automated Exploitation

It’s a few days old, but I’ve just found this post….

Metasploit: Metasploit 3.0 Automated Exploitation
A recurring theme in my presentations about Metasploit 3.0 is the need for exploit automation

WOW, reading this just shows the dangers of not patching; it’d be nice to put some time aside to set up a lab and have a go.

How to Exploit MS06-040

It would have been irresponsible of me to write this any earlier, but a few days have passed and hopefully the majority have installed the appropriate patch, or at the very least are running personal/perimeter firewalls until they complete their change control.

Many may have seen e-mail alerts and news articles that say “exploit in the wild” and may not appreciate what this actually means. You hear people say “It’ll never happen to me” or “it’s only geeky Linux kids who can do this, my business isn’t at risk”; OK, but do you actually know how easy it is?

IDS vs IPS

Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS) are a common complement to a firewall implementation; couple this with Host IDS (HIDS) or Host IPS (HIPS) and you’ve made a good start at implementing an advanced security infrastructure ;)

What’s the difference?

Sadly there’s no hard and fast rule; what’s important is understanding what you’re buying. Traditional IDS systems used sniffers & signatures to detect attacks, very similar to how viruses are found with AV. The problem with this kind of system is that it relies on a signature being available to recognize the attack. There is also a margin of error with sniffer technology, which means it’s possible to flood a network with “safe” traffic and then slip the attack in under the radar.

Does your Security Software Need Upgrading ?

He he he, I thought this was funny….

Dilbert