
Testing SMTP, POP3 and IMAP protocol access

This article assumes you have access to telnet and openssl. The example tests have been run against a Microsoft Exchange 2010 server. The IP and hostname have been obfuscated. The commands needed to perform these protocol access tests will be the same on both Linux and Windows.

Testing SMTP

Test using plain text

Execute the following command to initiate a plain text connection over port 25.

telnet smtp.server.com 25

Example output

The following is the typical output you’ll see as a response from an SMTP server, in this case Microsoft Exchange 2010.

Trying 74.161.5.111...
Connected to smtp.server.com.
Escape character is '^]'.
220 smtp.server.com Microsoft ESMTP MAIL Service ready at Thu, 3 May 2012 13:06:21 +0200

Test using an encrypted connection

Execute the following command to initiate an encrypted connection over port 25.

openssl s_client -starttls smtp -crlf -connect smtp.server.com:25

Parameters

Below is the documentation (from the openssl s_client man page) for the parameters used in the above example.

-starttls protocol
send the protocol-specific message(s) to switch to TLS for communication. protocol is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", and "ftp".
-crlf
this option translates a line feed from the terminal into CR+LF as required by some servers.

Example output

There’s little to see here mainly because I had to exclude the certificate verification information to anonymize the test server.

<certificate verification output>
250 CHUNKING

Tip: Once the encrypted connection is up, you can type the usual SMTP commands directly at the prompt.

Testing IMAP

Test using plain text

Execute the following command to initiate a plain text connection over the standard IMAP port 143.

telnet imap.server.com 143

Example output

The following is the typical output you’ll see as a response from an IMAP server, in this case Microsoft Exchange 2010.

Trying 74.161.5.111...
Connected to imap.server.com.
Escape character is '^]'.
* OK The Microsoft Exchange IMAP4 service is ready.

Test using an encrypted connection

openssl s_client -connect imap.server.com:993

Example output

<certificate verification output>
* OK The Microsoft Exchange IMAP4 service is ready.

Testing POP3

Test using plain text

telnet pop.server.com 110

Example output

The following is the typical output you’ll see as a response from a POP3 server, in this case Microsoft Exchange 2010.

Trying 74.161.5.111...
Connected to pop.server.com.
Escape character is '^]'.
+OK The Microsoft Exchange POP3 service is ready.

Test using an encrypted connection

openssl s_client -connect pop.server.com:995

Example output

<certificate verification output>
+OK The Microsoft Exchange POP3 service is ready.
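The three checks above can be scripted so that certificate verification is never skipped and the outcome is a pass/fail verdict rather than a screen of s_client output. The script below is an added example, not part of the original article: it runs openssl s_client with SNI and strict verification for SMTP (STARTTLS on the plain port), IMAP and POP3 (implicit TLS on 993/995), then reads the transcript for a verified chain and the ready reply each protocol defines (a 250 reply to EHLO over TLS for SMTP, "* OK" for IMAP, "+OK" for POP3). The host names in the usage comment are the article's placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): scripted version of the
# SMTP/IMAP/POP3 TLS checks done above with openssl s_client.
set -eu

# Input that ends the session cleanly once the TLS handshake is done, so the
# server closes the connection and s_client exits on its own.
quit_cmd() {
    case "$1" in
        smtp) printf 'EHLO probe.example\r\nQUIT\r\n' ;;   # re-EHLO over TLS (RFC 3207), then QUIT
        imap) printf 'a1 LOGOUT\r\n' ;;
        pop3) printf 'QUIT\r\n' ;;
    esac
}

# Connect and capture the whole s_client transcript (chain, verify result and
# the server's replies). $1 = smtp|imap|pop3, $2 = host, $3 = port.
probe() {
    local proto=$1 host=$2 port=$3 extra=""
    case "$proto" in
        smtp) extra="-starttls smtp" ;;          # STARTTLS upgrade on 25/587
        imap|pop3) ;;                            # implicit TLS on 993/995
        *) echo "unknown protocol: $proto" >&2; return 2 ;;
    esac
    # -servername sends SNI so a multi-name server presents the right cert;
    # -verify_return_error aborts the handshake on a certificate the trust
    # store rejects instead of carrying on; -ign_eof keeps s_client reading
    # until the server closes after QUIT/LOGOUT.
    # shellcheck disable=SC2086
    quit_cmd "$proto" | openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_return_error -ign_eof $extra 2>&1 || true
}

# True when a transcript (stdin) shows a chain the trust store accepted.
cert_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# True when LINE is the ready reply for PROTO over the encrypted channel.
ready_line() {
    case "$1:$2" in
        "smtp:250 "*|"smtp:250-"*) return 0 ;;   # EHLO accepted after STARTTLS
        "imap:* OK"*) return 0 ;;
        "pop3:+OK"*) return 0 ;;
    esac
    return 1
}

# Judge a transcript: prints a verdict and returns 0 only if the certificate
# verified and the protocol answered as expected. $1 = proto, $2 = transcript.
assess() {
    local proto=$1 transcript=$2 line
    if ! printf '%s\n' "$transcript" | cert_verified; then
        printf '%s: certificate NOT verified (%s)\n' "$proto" \
            "$(printf '%s\n' "$transcript" | grep 'Verify return code' | head -n1)"
        return 1
    fi
    line=$(printf '%s\n' "$transcript" | grep -E '^(250|[*] OK|[+]OK)' | head -n1)
    if [ -z "$line" ] || ! ready_line "$proto" "$line"; then
        printf '%s: certificate OK but no ready reply after the handshake\n' "$proto"
        return 1
    fi
    printf '%s: OK -- %s\n' "$proto" "$line"
}

# Usage: sh mailcheck.sh smtp smtp.server.com 25
#        sh mailcheck.sh imap imap.server.com 993
#        sh mailcheck.sh pop3 pop.server.com 995
if [ "$#" -eq 3 ]; then
    assess "$1" "$(probe "$1" "$2" "$3")"
fi
```

Without -CAfile, s_client uses the system trust store, so a self-signed Exchange certificate will be reported as NOT verified; that is the result you want to see before anyone points a mail client at the server. A server that never closes after QUIT will keep s_client waiting, so wrap the call in a timeout when running it from monitoring.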

References

SMTP – Simple Mail Transfer Protocol
IMAP – Internet Message Access Protocol
POP3 – Post Office Protocol – Version 3
The OpenSSL Project

// CrashMAG

Change the default SSH port and alter SELinux context to match

Security through obscurity is not something one would generally recommend. But changing the default OpenSSH port to thwart automated scanners will spare you a lot of noise in everyday life. It will not fend off targeted attacks, nor does it nullify vulnerabilities or bad security design.

Should you see an error message such as

shd[14221]: error: Bind to port 9898 on 192.168.0.50 failed: Permission denied

it indicates that the system prevented the daemon from binding to that port, most likely because of SELinux.

The instructions provided will be valid on Fedora 14/15, CentOS 6, RHEL 6, Scientific Linux 6 and newer versions.

To change the default SSH port you need to do the following.

  • Stop the SSH daemon
  • Alter the /etc/ssh/sshd_config with your new port
  • Alter the SELinux context with semanage
  • Start the SSH daemon

Stop the SSH daemon

# service sshd stop

Alter the /etc/ssh/sshd_config with your new port

Alter the configuration file with your favorite editor, in my case “nano”.

# nano /etc/ssh/sshd_config

Alter the port configuration parameter by changing the following line

Port 22

to

Port 9898

Alter the SELinux context with semanage

# semanage port -a -t ssh_port_t -p tcp 9898

Initially you might think that removing port 22 from the ssh_port_t label, as below, would also work. It will not: port 22 is defined in the compiled policy itself, so removing it would require altering the policy in the selinux-policy package, rebuilding and installing it. So skip it, but now you know why.

# semanage port -d -t ssh_port_t -p tcp 22

Start the SSH daemon

# service sshd start
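The four steps above as one script, with two things a practitioner wants before restarting a remote sshd: a syntax check of the edited config (a typo here locks you out) and a port label that is applied whenever SELinux is not disabled outright, so a later switch from permissive to enforcing does not break sshd. This is an added example, not the article's own code; the config path and the use of semanage and the sshd init script are as in the article, and the script runs as root.

```shell
#!/bin/sh
# Added example (not from the original article): the port change above as a
# script, with a config syntax check before sshd is restarted.
set -eu

# Print the port an sshd_config makes the daemon listen on (22 when unset).
# sshd takes the first occurrence of a keyword; keywords are case-insensitive.
active_port() {
    local p
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    printf '%s\n' "${p:-22}"
}

# Replace every active "Port N" line in config file $1 with "Port $2", or
# append one when the file only carries the commented default "#Port 22".
# Works on a temp copy rather than sed -i, which differs between GNU and BSD.
set_sshd_port() {
    local cfg=$1 port=$2 tmp
    tmp=$(mktemp)
    if grep -Eiq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; printf 'Port %s\n' "$port"; } > "$tmp"
    fi
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# The procedure from the article, in order: edit, label the port for SELinux,
# validate, restart.
change_ssh_port() {
    local port=$1 cfg=/etc/ssh/sshd_config
    set_sshd_port "$cfg" "$port"
    if [ "$(getenforce 2>/dev/null || echo Disabled)" != "Disabled" ]; then
        # -a fails when the port already carries a label; fall back to -m (modify)
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
            semanage port -m -t ssh_port_t -p tcp "$port"
        semanage port -l | grep ssh_port_t       # expect 22 and the new port listed
    fi
    sshd -t                                      # syntax check; a non-zero exit aborts here
    service sshd restart
    echo "sshd now configured for port $(active_port "$cfg")"
}

# Usage (as root): sh ssh-port.sh 9898
if [ "$#" -eq 1 ]; then
    change_ssh_port "$1"
fi
```

Keep the existing session open until you have confirmed a fresh login on the new port; if the restart fails, sshd -t has already told you why.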

// CrashMAG

View information about your BIOS from Linux using dmidecode

To get at this information we will use a utility called “dmidecode”. dmidecode is a tool for dumping a computer’s DMI (some say SMBIOS) table contents in a human-readable format.

On CentOS/RHEL/Fedora you may run the following to install it.

# yum install dmidecode

On Arch Linux you may run

# pacman -S dmidecode

The following examples will show you a few important pieces of information, such as:

  • The manufacturer of your motherboard
  • What type of motherboard you have
  • The version of the BIOS running on your motherboard

To view the manufacturer and what type of motherboard you have, run the following

dmidecode --type system

Example

# dmidecode 2.11
SMBIOS 2.4 present.

Handle 0x0001, DMI type 1, 27 bytes
System Information
        Manufacturer: Gigabyte Technology Co., Ltd.
        Product Name: GA-MA78G-DS3H
        Version:
        Serial Number:
        UUID: 4E2F4100-0000-0000-0000-0000FFFFFFFF
        Wake-up Type: Power Switch
        SKU Number:
        Family:

Handle 0x0034, DMI type 32, 11 bytes
System Boot Information
        Status: No errors detected

To view the version of your BIOS you may run the following

# dmidecode --type bios

Example

# dmidecode 2.11
SMBIOS 2.4 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
        Vendor: Award Software International, Inc.
        Version: FA
        Release Date: 09/19/2008
        Address: 0xE0000
        Runtime Size: 128 kB
        ROM Size: 1024 kB
        Characteristics:
                ISA is supported
                PCI is supported
                PNP is supported
                APM is supported
                BIOS is upgradeable
                BIOS shadowing is allowed
                Boot from CD is supported
                Selectable boot is supported
                BIOS ROM is socketed
                EDD is supported
                5.25"/360 kB floppy services are supported (int 13h)
                5.25"/1.2 MB floppy services are supported (int 13h)
                3.5"/720 kB floppy services are supported (int 13h)
                3.5"/2.88 MB floppy services are supported (int 13h)
                Print screen service is supported (int 5h)
                8042 keyboard services are supported (int 9h)
                Serial services are supported (int 14h)
                Printer services are supported (int 17h)
                CGA/mono video services are supported (int 10h)
                ACPI is supported
                USB legacy is supported
                AGP is supported
                LS-120 boot is supported
                ATAPI Zip drive boot is supported
                BIOS boot specification is supported
                Targeted content distribution is supported

Handle 0x0029, DMI type 13, 22 bytes
BIOS Language Information
        Language Description Format: Long
        Installable Languages: 3
                n|US|iso8859-1
                n|US|iso8859-1
                r|CA|iso8859-1
        Currently Installed Language: n|US|iso8859-1

There are also additional options to use with dmidecode. You probably also want to try the following to get an idea of what type of information you can get your hands on.

# dmidecode --type keyword
Valid type keywords are:
  bios
  system
  baseboard
  chassis
  processor
  memory
  cache
  connector
  slot

// CrashMAG

Resetting the root/postgres password for PostgreSQL

The following is required to reset the root/postgres user password for PostgreSQL. The distribution used in my example is CentOS 5.5 and PostgreSQL 8.4.

Note: By default there’s no password for the postgres user.

In steps 2 and 5 you will most likely not be using “ident” but rather “password” or “md5”.

1. Shut down PostgreSQL

# service postgresql stop

2. Reset the authentication mechanism (assuming defaults are already being used)

Edit the /usr/lib/pgsql/data/pg_hba.conf file

# nano /usr/lib/pgsql/data/pg_hba.conf

Navigate down to the line that says

local all all ident

Edit it to

local all postgres trust

And now save the file.

3. Start PostgreSQL

# service postgresql start

4. Log in and change the password

# su - postgres
$ psql -d template1 -U postgres
alter user postgres with password 'new_password';

Or alternatively do it all in one go with the following command

> psql -U postgres template1 -c "alter user postgres with password 'new_password';"

5. Reverse the actions you did in step 2

Edit the /usr/lib/pgsql/data/pg_hba.conf file

# nano /usr/lib/pgsql/data/pg_hba.conf

Navigate down to the line that says

local all postgres trust

Edit it to

local all all ident

And now save the file.

6. Start PostgreSQL

# service postgresql start

Success!
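Steps 2 and 5 open and then close a window in which the postgres superuser needs no password at all, and the hand-edit in step 5 is where that window tends to be left open. The script below is an added example, not the article's own code: it inserts the temporary trust rule as a separate line ahead of the existing "local all all" rule (pg_hba.conf is matched top-down, so other users keep their rule), removes exactly that line afterwards, and checks that no trust rule remains. It assumes the data directory from the later article on this page (/var/lib/pgsql/data, overridable through PGDATA) and the CentOS-style service script; the sample pg_hba.conf lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): the temporary "trust" rule
# from steps 2 and 5 handled as an insert-and-remove, plus a leftover check.
set -eu

# Insert "local all USER METHOD" directly above the first "local all all ..."
# rule in pg_hba.conf $1 (appended at the end if there is none).
# $2 = user, $3 = method
hba_add_local_rule() {
    local file=$1 tmp
    tmp=$(mktemp)
    awk -v rule="local   all   $2   $3" '
        !done && /^[ \t]*local[ \t]+all[ \t]+all[ \t]/ { print rule; done = 1 }
        { print }
        END { if (!done) print rule }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Remove every active "local all USER METHOD" rule again (same arguments).
hba_remove_local_rule() {
    local file=$1 tmp
    tmp=$(mktemp)
    awk -v user="$2" -v method="$3" '
        /^[ \t]*local[ \t]+all[ \t]+/ && $3 == user && $4 == method { next }
        { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# True when any active rule in $1 still uses "trust", i.e. lets the named
# users in with no password at all.
hba_has_trust() {
    grep -Eq '^[[:space:]]*(local|host|hostssl|hostnossl)[[:space:]].*[[:space:]]trust([[:space:]]|$)' "$1"
}

# Steps 1-6 of the article in one go. \password makes psql prompt for the new
# password and send it hashed, so it never lands in the shell history or the
# process list the way a password inside -c "alter user ..." does.
reset_postgres_password() {
    local hba=${PGDATA:-/var/lib/pgsql/data}/pg_hba.conf
    service postgresql stop
    hba_add_local_rule "$hba" postgres trust
    service postgresql start
    su - postgres -c "psql -d template1 -c '\\password postgres'"
    hba_remove_local_rule "$hba" postgres trust
    if hba_has_trust "$hba"; then
        echo "warning: $hba still contains a trust rule" >&2
    fi
    service postgresql restart
}

# Usage (as root): sh pg-reset-password.sh --run
if [ "$#" -eq 1 ] && [ "$1" = "--run" ]; then
    reset_postgres_password
fi
```

Run hba_has_trust on its own as a periodic check: a trust rule for the local socket means anyone with a shell on the box is a database superuser.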

// CrashMAG

Changing the default PostgreSQL data folder (PGDATA)

Installing the PostgreSQL server on RHEL, CentOS, Scientific Linux or Fedora installs the PostgreSQL databases and configuration files in “/var/lib/pgsql/data”.

This may or may not be desirable. Let’s assume for a moment you have a separately crafted partition for PostgreSQL to use, let’s say a RAID10 volume. You’d want to change this.

Change the defaults

Use your favorite text editor, in my case nano, to create the following file (its name must be the same as the name of the service):

# nano /etc/sysconfig/pgsql/postgresql

Add the following

PGDATA=/postgresql/data

Optionally you can also add the following to change the default port (example is the default port)

PGPORT=5432

Adjusting SELinux to permit the new data folder (pgdata) location

If the following command outputs “Permissive” or “Disabled”, you may skip the SELinux details.

# getenforce

Run the semanage command to add a context mapping for /postgresql/data and any other directories/files within it.

# semanage fcontext -a -t postgresql_db_t "/postgresql/data(/.*)?"

Now use the restorecon command to apply this context mapping to the running system

# restorecon -Rv /postgresql/data

Starting PostgreSQL

# chkconfig --levels 345 postgresql on
# service postgresql initdb
# service postgresql start

You’re all set to go! Keep in mind that PostgreSQL listens on ‘localhost’ by default. To change this you need to alter the “listen_addresses” parameter in “postgresql.conf” inside your data folder (“/postgresql/data” in this example); the change requires a restart.

// CrashMAG

RHEL/Centos 5 minimal installation

There’s no option for a minimal installation during the CentOS 5 install. The purpose is quite simple: to keep the attack surface as small as possible.

A minimal installation is performed by doing the following

  • During the category/task selection, deselect all package categories, and choose the “Customize now” option at the bottom of screen.
  • During the customized package selection, deselect everything ( including the Base group ).

This will yield 234 packages with the CentOS 5.5 installation media. I’ve attached a .txt file containing all the packages for your reference.

Link: installed-packages

// CrashMAG

Configuring BIND DNS Server to listen only on a specific IP address

This is a short, example-driven howto on configuring BIND to listen only on certain IP addresses, which implicitly also selects the network interface. IPv6 is included in the examples. You could also say this is how you disable IPv6 for BIND/named, but that is implicit in the operation.

listen-on default syntax

Note the “-v6” syntax for IPv6.

IPv4

listen-on port 53 { 127.0.0.1; };

IPv6

listen-on-v6 port 53 { ::1; };

You can also combine several IP addresses

listen-on port 53 { 127.0.0.1; 192.168.0.1; };

From the man page

listen-on [ port integer ] { address_match_element; ... };
listen-on-v6 [ port integer ] { address_match_element; ... };

To listen on all interfaces and IP addresses

listen-on { any;};
listen-on-v6 { any;};

That’s all. A few short tips.
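The reason to restrict listen-on is that a resolver meant for localhost should not be answering on every interface, and "any" is easy to leave in place after a test. The script below is an added example, not part of the article: it lists the addresses each listen-on and listen-on-v6 statement in a named.conf allows and flags "any". It assumes one statement per line, as in the examples above, and the sample configuration lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): list what listen-on and
# listen-on-v6 in a named.conf actually allow, and flag "any".
set -eu

# Print one "statement address" pair per line for every listen-on /
# listen-on-v6 statement in file $1, e.g. "listen-on 127.0.0.1".
bind_listen_addresses() {
    sed -nE 's/^[[:space:]]*(listen-on(-v6)?)[[:space:]]*(port[[:space:]]+[0-9]+[[:space:]]*)?\{([^}]*)\}.*/\1 \4/p' "$1" |
    awk '{
        stmt = $1; $1 = ""
        n = split($0, a, ";")                 # "127.0.0.1; 192.168.0.1; " -> elements
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", a[i])
            if (a[i] != "") print stmt, a[i]
        }
    }'
}

# True when any listen-on statement in $1 uses the "any" match list.
bind_listens_on_any() {
    bind_listen_addresses "$1" | grep -q ' any$'
}

# Operator-facing check: prints the address list and a verdict, non-zero on "any".
bind_listen_check() {
    bind_listen_addresses "$1"
    if bind_listens_on_any "$1"; then
        echo "WARNING: named is configured to listen on all interfaces (any)"
        return 1
    fi
    echo "OK: listen-on restricted to explicit addresses"
}

# Usage: sh bind-listen.sh /etc/named.conf
if [ "$#" -eq 1 ]; then
    bind_listen_check "$1"
fi
```

A named.conf without any listen-on statement listens on all IPv4 interfaces by default, which this parser cannot see; treat an empty address list as "any" until you have checked the effective configuration.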

// CrashMAG

Disabling email alerts for cron

Having the cron daemon send email alerts could be a useful feature, but it could also get very tiresome depending on your setup. To disable this feature do the following.

Edit /etc/crontab with your favorite text editor and modify or insert the following line

MAILTO=""

Should you have crontabs set up for different users, use

crontab -e

and insert/edit the relevant configuration parameter as seen above.

Or, should you want to silence the output of a particular job only, redirect its output to /dev/null in the job line itself. Note that cron runs jobs with /bin/sh, where the bash-only “&>” redirection does not work, so use the portable form:

0 1 5 10 * /path/script.sh > /dev/null 2>&1

// CrashMAG

Public key authentication with SSH. Both with and without a password.

This article will run through quick and easy examples for setting up public key authentication with SSH. I will include one example that requires a password and one that does not; the latter is typically used for scripts.

I will assume you know why you want to either use the one or the other. Public key authentication can only be set up on a per user/system basis, keep that in mind.

Public key authentication without a password

This is the least secure option. It all boils down to how well your private key (.ssh/id_dsa) is protected.

  1. Create a key pair. (Private & public key)
  2. Copy the public key to the remote system.
  3. Log on the remote system.

Create a key pair

[user@localsystem ~]$ ssh-keygen -t dsa

Here’s what you’ll see when you run through this procedure. (“Press [ENTER]” are my comments)

[user@localsystem ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): Press [ENTER]
Created directory '/home/usr/.ssh'.
Enter passphrase (empty for no passphrase): Press [ENTER]
Enter same passphrase again: Press [ENTER]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
29:d1:34:6c:53:2b:96:e6:ea:28:fd:c5:3a:cb:0f:65 user@localsystem
The key's randomart image is:
+--[ DSA 1024]----+
|       .o..      |
|       o+o .     |
|      ..*..      |
|       = o       |
|      . E        |
|       *         |
|   .  o o        |
|  . .+.+         |
|   ...*+.        |
+-----------------+

Copy the public key to the remote system

[user@localsystem ~]$ ssh user@remotesystem

If you don’t set the permissions in this step, SSH will refuse the public key even though it is in place, because of the bad ownership and permissions.

[user@remotesystem ~]$ mkdir .ssh
[user@remotesystem ~]$ touch .ssh/authorized_keys
[user@remotesystem ~]$ chmod -R u=rwx,go= .ssh
[user@remotesystem ~]$ exit
[user@localsystem ~]$ scp ~/.ssh/id_dsa.pub user@remotesystem:.ssh/authorized_keys

Enter your password when asked, and you’re done. Note that this scp overwrites any authorized_keys file already present on the remote system.

Log on the remote system

[user@localsystem ~]$ ssh user@remotesystem

Public key authentication with password

This is the route you want to take. Once done, you should also disable password-only logins. Do this by editing the /etc/ssh/sshd_config file and adding/modifying the parameter “PasswordAuthentication no”. Also make sure “PubkeyAuthentication” is set to “yes”.

  1. Create a key pair. (Private & public key)
  2. Copy the public key to the remote system.
  3. Log on the remote system.

Create the key pair

[user@localsystem ~]$ ssh-keygen -t dsa

Here’s what you’ll see when you run through this procedure. (“[Your Password]” and “Press [ENTER]” are my comments)

[user@localsystem ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): Press [ENTER]
Created directory '/home/usr/.ssh'.
Enter passphrase (empty for no passphrase): [Your Password]
Enter same passphrase again: [Your Password]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
29:d1:34:6c:53:2b:96:e6:ea:28:fd:c5:3a:cb:0f:65 user@localsystem
The key's randomart image is:
+--[ DSA 1024]----+
|       .o..      |
|       o+o .     |
|      ..*..      |
|       = o       |
|      . E        |
|       *         |
|   .  o o        |
|  . .+.+         |
|   ...*+.        |
+-----------------+

Copy the public key to the remote system

[user@localsystem ~]$ ssh user@remotesystem

If you don’t set the permissions in this step, SSH will refuse the public key even though it is in place, because of the bad ownership and permissions.

[user@remotesystem ~]$ mkdir .ssh
[user@remotesystem ~]$ touch .ssh/authorized_keys
[user@remotesystem ~]$ chmod -R u=rwx,go= .ssh
[user@remotesystem ~]$ exit
[user@localsystem ~]$ scp ~/.ssh/id_dsa.pub user@remotesystem:.ssh/authorized_keys

Enter your password when asked, and you’re done. Note that this scp overwrites any authorized_keys file already present on the remote system.

Log on the remote system

[user@localsystem ~]$ ssh user@remotesystem

Tip

You can later change the password for your keys by using

[user@localsystem ~]$ ssh-keygen -p
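Both variants above hinge on the same two things the article calls out: the permissions and ownership of .ssh and authorized_keys (sshd's StrictModes refuses keys in a directory others can write to; the article's chmod goes further and clears all group/other bits, which is the right setting for private keys anyway), and the PasswordAuthentication/PubkeyAuthentication settings on the server. The script below is an added example, not the article's own code: it audits a .ssh directory against that stricter rule, lists which key types sit in authorized_keys, and reads the two sshd_config settings. It assumes a Linux or BSD stat and the standard config path; the key lines in the checks are constructed. One fact worth knowing when reading the output: OpenSSH 7.0 and later refuse ssh-dss keys by default, so DSA entries like the article's are dead entries on a current server.

```shell
#!/bin/sh
# Added example (not from the original article): audit ~/.ssh permissions and
# ownership, list authorized_keys key types, read the relevant sshd settings.
set -eu

# Octal mode and owner of a path (GNU stat first, BSD stat as fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# Report every entry in DIR (the .ssh directory) that is group- or world-
# accessible, or not owned by OWNER (default: the current user).
# $1 = directory, $2 = expected owner. Returns 1 if anything was reported.
ssh_dir_audit() {
    local dir=$1 owner=${2:-$(id -un)} rc=0 f m o
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue                 # empty dir: the glob stays literal
        m=$(mode_of "$f")
        case "$m" in
            *00) ;;                             # group and other bits all clear
            *) echo "group/world accessible: $f (mode $m)"; rc=1 ;;
        esac
        o=$(owner_of "$f")
        if [ "$o" != "$owner" ]; then
            echo "wrong owner ($o, expected $owner): $f"; rc=1
        fi
    done
    return "$rc"
}

# Key type of each non-comment line in an authorized_keys file, i.e. the first
# token that looks like one (options such as command="..." may precede it).
authorized_key_types() {
    awk '!/^[ \t]*#/ && NF > 0 {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i; break }
    }' "$1"
}

# Active value of an sshd_config keyword; sshd uses the first match and
# keywords are case-insensitive. Prints nothing when the keyword is unset.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Usage: sh ssh-audit.sh ~/.ssh /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
    ssh_dir_audit "$1" || true
    if [ -f "$1/authorized_keys" ]; then
        echo "key types in authorized_keys:"
        authorized_key_types "$1/authorized_keys" | sort | uniq -c
    fi
    pa=$(sshd_setting "$2" PasswordAuthentication)
    pk=$(sshd_setting "$2" PubkeyAuthentication)
    echo "PasswordAuthentication: ${pa:-yes (default)}"
    echo "PubkeyAuthentication:   ${pk:-yes (default)}"
fi
```

Run it on the remote system after the copy step; a non-empty report from ssh_dir_audit is the usual reason a freshly copied key still prompts for a password.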

// CrashMAG

Guide and hardening tips for RHEL/CentOS 5 from the NSA

I was looking to see whether the NSA had updated their guides for RHEL 6, and it turns out they haven’t. I decided it would be a good idea to post about them to give them some better coverage.

This is just a quick pointer to free and useful information on securing your RHEL/CentOS installation. A lot of the information is general in nature and can therefore be applied to any Linux distribution. It’s definitely worth your time.

I take no credit, the credit goes to NSA for creating the documents to begin with.

Guide to the Secure Configuration of Red Hat Enterprise Linux 5
www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

Red Hat Linux 5 Hardening Tips
www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf

I just love how just about every section starts with “Disable ‘insert your service here’ if possible…” 😉

// CrashMAG