Category: security

Only Threema rated uncritical, Telegram rated critical for privacy

The German “Stiftung Warentest” had a closer look (the text is in German) at instant messengers like WhatsApp, Telegram and Threema. The only one with a good privacy rating: Threema.

When Facebook bought WhatsApp, many started to look for alternatives. Telegram was chosen by millions of new users, probably also because it’s free to use. The problem with things free to use on the internet is this: If something’s free on the internet, you are the product.

This seems to be true yet again: Telegram uploads your full address book to the operator’s servers, of course without asking for your permission first. This is even more critical given that one of the creators of Telegram is VK, the Russian Facebook alternative.

In contrast, the Swiss-based Threema asks for your permission before uploading your address book, and it is used for synchronization purposes only. Even when uploaded, only aliases are transmitted.

Only Telegram and Threema provide useful end-to-end encryption, but on Telegram it has to be enabled explicitly (Secret Chat), while on Threema it cannot even be disabled.

One drawback remains: none of the tested apps is open source.

import and export GPG keys

list keys

list all keys currently in keyring:

gpg --list-keys

import

To import private or public keys, in binary or ASCII-armored format:

gpg --import xyz.key

export

To export your private key in ASCII format, e.g. to send it via e-mail:

gpg --export-secret-key --armor you@dom.tld > private.key

To export your public key, again in ASCII format:

gpg --export --armor you@dom.tld > public.key

If you don’t need ASCII armor, use this for the private key:

gpg --export-secret-key you@dom.tld > private.key

and this for the public key:

gpg --export you@dom.tld > public.key
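As an added example (not from the post), a shell round trip of the commands above: it generates a throwaway key in a scratch keyring, exports the private and public key in ASCII format, and imports the private key into a second, empty keyring, which also restores the public key. It assumes GnuPG 2.1 or newer (for --quick-generate-key and loopback pinentry); the user id is constructed.

```shell
#!/bin/sh
# Added example: export/import round trip in two scratch keyrings.
# Assumes GnuPG 2.1+ (--quick-generate-key, --pinentry-mode loopback).

KEY_UID="roundtrip@example.invalid"   # constructed identity for the throwaway key

# Prints the number of secret keys found in the destination keyring after
# the round trip, so a successful run prints 1.
gpg_roundtrip() {
    src=$(mktemp -d) && dst=$(mktemp -d) || return 1
    trap 'rm -rf "$src" "$dst"' EXIT      # scratch keyrings never outlive the script

    # Unattended key generation; an empty passphrase keeps the demo non-interactive.
    gpg --homedir "$src" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$KEY_UID" default default never 2>/dev/null || return 1

    # The export commands from the post, pointed at the scratch home.
    gpg --homedir "$src" --export --armor "$KEY_UID" > "$src/public.key"
    gpg --homedir "$src" --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-key --armor "$KEY_UID" > "$src/private.key"

    # Sanity check: armored output starts with the BEGIN line, not binary packets.
    head -1 "$src/private.key" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----$' || return 1

    # Importing the secret block is enough; the public key travels inside it.
    gpg --homedir "$dst" --batch --import "$src/private.key" 2>/dev/null || return 1

    # --with-colons gives machine-readable output: one "sec:" record per secret key.
    gpg --homedir "$dst" --list-secret-keys --with-colons 2>/dev/null | grep -c '^sec:'
}
```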

enable SELinux on a Debian DO droplet


Sometimes I have a natural attraction to things making my life more complicated. I could have just installed CentOS. Or rented a dedicated server. Or stopped using SELinux. But I wanted it all. So I’d like to show you how you can install Debian 7 on a DigitalOcean droplet and have SELinux enabled.

The problem is that at DO the kernel comes from outside (KVM) and you can manipulate neither it nor its parameters. But you can use kexec to replace the kernel as soon as you’re in control.

Before you begin:

  • I assume a freshly installed Debian 7 here (tested on the 64-bit version)
  • you should take a backup before proceeding!

Okay, get all the updates and install the required software

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install selinux-basics selinux-policy-default auditd kexec-tools

Run selinux-activate; it modifies GRUB (which does not matter here, since the kernel is not booted through it), PAM, and touches /.autorelabel:

$ sudo selinux-activate

Then, edit the file /etc/init.d/rcS and put the following in front of exec /etc/init.d/rc S

if ! grep -qw kexeced /proc/cmdline; then
    # Load the droplet's own kernel and initrd with SELinux enabled on the command
    # line, add the "kexeced" marker so this hook does not loop, then jump into it.
    kexec -l /vmlinuz --initrd=/initrd.img --command-line="$(cat /proc/cmdline) selinux=1 security=selinux kexeced" && kexec -e
fi

If this is done, you’re ready to reboot!

$ sudo reboot

Allow some extra time for the reboot, as the first boot has to relabel all files.

When rebooted, check the SELinux status with:

$ sestatus
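Added example, not from the post: the guard from the rcS hook split into small functions, so the loop protection and the resulting command line can be checked without rebooting. Paths and kernel arguments are the ones used above; the hypothetical maybe_kexec is what the rcS snippet would call.

```shell
#!/bin/sh
# Added example: the kexec guard from the rcS hook, split into testable pieces.

KERNEL=/vmlinuz
INITRD=/initrd.img
SELINUX_ARGS="selinux=1 security=selinux"
MARKER=kexeced          # appended to the new command line so the hook runs only once

# already_kexeced CMDLINE: true if the marker is present as a whole word
# (so a stray "notkexeced" would not count).
already_kexeced() {
    printf '%s\n' "$1" | grep -qw "$MARKER"
}

# build_kexec_cmdline CMDLINE: prints the command line for the replacement
# kernel, or prints nothing and fails if we are already running it.
build_kexec_cmdline() {
    already_kexeced "$1" && return 1
    printf '%s %s %s\n' "$1" "$SELINUX_ARGS" "$MARKER"
}

# maybe_kexec: what the rcS hook would call. Reads the live /proc/cmdline,
# refuses to proceed if kernel or initrd are missing, then loads and jumps
# into the new kernel.
maybe_kexec() {
    new=$(build_kexec_cmdline "$(cat /proc/cmdline)") || return 0
    if [ ! -r "$KERNEL" ] || [ ! -r "$INITRD" ]; then
        echo "kexec: $KERNEL or $INITRD missing, booting as is" >&2
        return 1
    fi
    kexec -l "$KERNEL" --initrd="$INITRD" --command-line="$new" && kexec -e
}
```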

Happy labeling :)

monitoring bind9 DNS server with Zabbix

(Screenshot: DNS-in-Zabbix graph example)

This is how to monitor the number of queries in bind9 (bind 9.5 or later is required) with Zabbix.

You need a working Zabbix server to follow these steps.

First, enable statistics in bind9. To do so, add the following block to /etc/bind/named.conf (the location of the file varies between distributions). Do not put it inside the options {} block!

statistics-channels {
 inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};

Then, restart bind:

# service bind9 restart

This enables a web service within bind. To query it we use curl, and to flatten the served XML we use xml2. Both must be installed for this to work. On Debian-flavoured systems, simply do this:

# apt-get install xml2 curl

Now you can try to query by hand:

# curl http://localhost:8053/ 2>/dev/null | xml2 | grep -A1 queries

This prints the counter for every query type seen by your nameserver. Now configure the Zabbix agent so it can collect this data. Add the following two lines to /etc/zabbix/zabbix_agentd.conf:

UserParameter=bind.queries.in[*],curl http://localhost:8053/ 2>/dev/null | xml2 | grep -A1 "/isc/bind/statistics/server/queries-in/rdtype/name=$1$" | tail -1 | cut -d= -f2
UserParameter=bind.queries.out[*],curl http://localhost:8053/ 2>/dev/null | xml2 | grep -A1 "/isc/bind/statistics/views/view/rdtype/name=$1$" | tail -1 | cut -d= -f2

Then, restart zabbix agent:

# service zabbix-agent restart

And now you can add items to your Zabbix config like so:

bind.queries.in[A]
bind.queries.out[A]
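Added example, not from the post: the extraction the UserParameter pipelines above perform, done with an exact match on the record type and a fallback of 0 when the type has not been seen yet (an empty value would make Zabbix mark the item unsupported). The sample input is a constructed excerpt of what curl piped into xml2 prints.

```shell
#!/bin/sh
# Added example: pull one rdtype counter out of the xml2-flattened BIND statistics.

# Constructed sample of `curl http://localhost:8053/ | xml2` output; the real
# output is much longer, but the name/counter pairs look exactly like this.
SAMPLE='/isc/bind/statistics/server/queries-in/rdtype/name=A
/isc/bind/statistics/server/queries-in/rdtype/counter=1532
/isc/bind/statistics/server/queries-in/rdtype/name=AAAA
/isc/bind/statistics/server/queries-in/rdtype/counter=87
/isc/bind/statistics/views/view/name=_default
/isc/bind/statistics/views/view/rdtype/name=A
/isc/bind/statistics/views/view/rdtype/counter=910'

# bind_counter in|out RDTYPE
#   "in"  = queries the server received (server/queries-in)
#   "out" = queries the resolver sent, per view (views/view)
# Reads the flattened XML on stdin and prints the counter, or 0 if absent.
bind_counter() {
    case "$1" in
        in)  path=/isc/bind/statistics/server/queries-in/rdtype ;;
        out) path=/isc/bind/statistics/views/view/rdtype ;;
        *)   echo "usage: bind_counter in|out RDTYPE" >&2; return 2 ;;
    esac
    awk -v p="$path" -v t="$2" -F= '
        $1 == p "/name" && $2 == t      { want = 1; next }   # exact name match
        want && $1 == p "/counter"      { print $2; found = 1; exit }
                                        { want = 0 }         # any other line resets
        END { if (!found) print 0 }'
}

# Live use, equivalent to the UserParameter above:
#   curl -s http://localhost:8053/ | xml2 | bind_counter in A
```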

Or, download my template ( zabbix-bind9-dns-template ) and import it into Zabbix. The following is then preconfigured:

  • A records in & out
  • AAAA records in & out
  • ANY records in & out
  • CNAME records in & out
  • MX records in & out
  • NS records in & out
  • PTR records in & out
  • SOA records in & out
  • SPF records in & out
  • TXT records in & out
  • All queries in graph
  • All queries out graph


examine your attackers


This is interesting if you have a server on the internet that is accessible by SSH. You have probably noticed that from time to time you get attacked by SSH brute-forcers, trying to get into your server using some of the most common passwords.

Now there is a tool, badips.com, that can visualize these attacks. It’s very simple.

It works like this:

  1. You report the attackers to them
  2. They do all the visualizing stuff

I’ll describe my setup with fail2ban, which is also the simplest one.

First, if not already done so, install fail2ban:

apt-get install fail2ban

Second, replace the file /etc/fail2ban/action.d/iptables-multiport.conf with the one you can copy and paste from http://www.badips.com/snippets.

Then, restart fail2ban.

From now on, all attackers that get banned by fail2ban are also reported to badips.com and the statistics show your attackers as well. But you want to see your attackers only, right?

Let’s proceed:

Third, go to the shell again and type:

wget -q -O - http://www.badips.com/get/key

This should give an output like this:

{
  "err":"",
  "suc":"new key ea49a83bab4875db136bfb2c399a52ec5a6cf0f8 has been set.",
  "key":"ea49a83bab4875db136bfb2c399a52ec5a6cf0f8"
}

If not, your fail2ban may not have reported any attackers yet. Try again as soon as it has.

But if you see an output similar to mine above, you now have your own key! With this key, you can personalize the statistics on badips.com:

Fourth, enter the key in the Key: field on the badips.com statistics page and hit return:

You should now see only a subset of IPs in the database, and these are the attackers that attacked you!

See mine as an example.

© 2017 netmess
