Tag: security

Only Threema rated uncritical, Telegram rated critical for privacy

The German “Stiftung Warentest” took a closer look (text is in German) at instant messengers like WhatsApp, Telegram and Threema. The only one with a good privacy rating: Threema.

When Facebook bought WhatsApp, many started to look for alternatives. Telegram was chosen by millions of new users, probably also because it’s free to use. The problem with things free to use on the internet is this: If something’s free on the internet, you are the product.

This seems to be true yet again – Telegram uploads your full address book to the operator’s servers, of course without asking for your permission first. This is even more critical when one of the creators of Telegram is VK, the Russian Facebook alternative.

In contrast, the Swiss-based Threema asks for your permission before uploading your address book, and it’s used for synchronization purposes only. Even if uploaded, only aliases are transmitted.

Only Telegram and Threema provide useful end-to-end encryption, but on Telegram it has to be enabled explicitly (Secret Chat), while on Threema you can’t even disable it.

One constraint is left: none of the tested apps is open source.

import and export GPG keys

list keys

list all keys currently in keyring:

gpg --list-keys

import

and to import private and public keys in binary or ASCII format:

gpg --import xyz.key

export

To export your private key in ASCII format, e.g. to send it via E-Mail:

gpg --export-secret-key --armor you@dom.tld > private.key

To export your public key, again in ASCII format:

gpg --export --armor you@dom.tld > public.key

If you don’t need ASCII format, use this for the private key:

gpg --export-secret-key you@dom.tld > private.key

and this for the public key:

gpg --export you@dom.tld > public.key

enable SELinux on a Debian DO droplet


Sometimes I have a natural attraction to things making my life more complicated. I could have just installed CentOS. Or rented a dedicated server. Or stopped using SELinux. But I wanted it all. So I’d like to show you how you can install Debian 7 on a DigitalOcean droplet and have SELinux enabled.

The problem is that at DO the kernel comes from outside (KVM) and you cannot manipulate it or its parameters. But you can use kexec to replace the kernel as soon as you’re in control.

Before you begin:

  • I assume a freshly installed Debian 7 here (tested on 64bit version)
  • you should take a backup before proceeding!

Okay, get all the updates and install the required software:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install selinux-basics selinux-policy-default auditd kexec-tools

Run selinux-activate. It modifies grub (which doesn’t matter here) and PAM, and touches /.autorelabel:

$ sudo selinux-activate

Then, edit the file /etc/init.d/rcS and put the following in front of exec /etc/init.d/rc S:

# Not yet running the kexec'ed kernel: load it with SELinux enabled and jump into it.
if ! grep -q kexeced /proc/cmdline; then
      kexec -l /vmlinuz --initrd=/initrd.img --command-line="$(cat /proc/cmdline) selinux=1 security=selinux kexeced" && kexec -e
fi

If this is done, you’re ready to reboot!

$ sudo reboot

Allow some extra time for the reboot, as it has to relabel all the files the first time.

When rebooted, check the SELinux status with:

$ sestatus

Happy labeling :)
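The guard above matches kexeced anywhere in /proc/cmdline and appends to whatever is already there. As an added example (not the author's code; the helper names are hypothetical and the sample command line is constructed), this variant treats the marker as a whole token and replaces existing selinux=/security= values instead of duplicating them:

```shell
#!/bin/sh
# Added example, not the post's code. has_marker and selinux_cmdline are
# hypothetical helper names; the command line at the bottom is constructed.

# has_marker CMDLINE: true only if "kexeced" is a whole token, so a value
# like root=/dev/kexeced-vg is not mistaken for the loop guard.
has_marker() (
    set -f                       # no glob expansion while splitting
    for tok in $1; do
        [ "$tok" = kexeced ] && exit 0
    done
    exit 1
)

# selinux_cmdline CMDLINE: drop stale selinux=/security= settings and the
# marker, then append the values the post passes to kexec.
selinux_cmdline() (
    set -f
    out=
    for tok in $1; do
        case $tok in
            selinux=*|security=*|kexeced) ;;
            *) out="$out$tok " ;;
        esac
    done
    printf '%s\n' "${out}selinux=1 security=selinux kexeced"
)

current='BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro quiet selinux=0'   # constructed
if ! has_marker "$current"; then
    # The real rcS hook would run kexec -l ... --command-line="$new" here.
    new=$(selinux_cmdline "$current")
    echo "would kexec with: $new"
fi
```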

monitoring bind9 DNS server with Zabbix

This is how to monitor the number of queries in bind9 (bind 9.5 or later is required) with Zabbix.

You need a working Zabbix server to follow these steps.

First, enable statistics in bind9. To do so, add the following lines to /etc/bind/named.conf (the location of the file can vary between distributions). Do not put them inside the options {} block!

statistics-channels {
 inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};

Then, restart bind:

# service bind9 restart

This enables a web service within bind. To query it, we use curl, and to flatten the served XML we use xml2. Both must be installed for this to work. On Debian-flavored systems, simply do this:

# apt-get install xml2 curl

Now you can try to query by hand:

# curl http://localhost:8053/ 2>/dev/null | xml2 | grep -A1 queries

This spits out the counter for every request done against your nameserver. Now, configure Zabbix agents so they can get data to monitor this. Add the following two lines to /etc/zabbix/zabbix_agentd.conf:

UserParameter=bind.queries.in[*],curl http://localhost:8053/ 2>/dev/null | xml2 | grep -A1 "/isc/bind/statistics/server/queries-in/rdtype/name=$1$" | tail -1 | cut -d= -f2
UserParameter=bind.queries.out[*],curl http://localhost:8053/ 2>/dev/null | xml2 | grep -A1 "/isc/bind/statistics/views/view/rdtype/name=$1$" | tail -1 | cut -d= -f2

Then, restart zabbix agent:

# service zabbix-agent restart

And now you can add items to your Zabbix config like so:

bind.queries.in[A]
bind.queries.out[A]

Or, download my template (zabbix-bind9-dns-template) and import it in Zabbix. The following is then preconfigured:

  • A records in & out
  • AAAA records in & out
  • ANY records in & out
  • CNAME records in & out
  • MX records in & out
  • NS records in & out
  • PTR records in & out
  • SOA records in & out
  • SPF records in & out
  • TXT records in & out
  • All queries in graph
  • All queries out graph
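As an added example (not part of the original post or its template), here is the same lookup the two UserParameter lines perform, written as a function that matches the record type as a whole line, accepts only letters and digits as the type, and reports 0 for a type that is not present. The function names and the sample xml2 output are constructed for illustration.

```shell
#!/bin/sh
# Added example: pull one rdtype counter out of xml2-flattened BIND statistics.
# sample_stats and bind_counter are hypothetical names; the sample is constructed.

sample_stats() {
cat <<'EOF'
/isc/bind/statistics/server/queries-in/rdtype/name=A
/isc/bind/statistics/server/queries-in/rdtype/counter=1042
/isc/bind/statistics/server/queries-in/rdtype
/isc/bind/statistics/server/queries-in/rdtype/name=AAAA
/isc/bind/statistics/server/queries-in/rdtype/counter=317
/isc/bind/statistics/server/queries-in/rdtype
/isc/bind/statistics/server/queries-in/rdtype/name=MX
/isc/bind/statistics/server/queries-in/rdtype/counter=12
EOF
}

# bind_counter SECTION RDTYPE: reads flattened statistics on stdin.
bind_counter() {
    section=$1
    rdtype=$2
    # Accept only letters and digits, so nothing but a record type reaches awk.
    case $rdtype in
        ''|*[!A-Za-z0-9]*) echo "invalid rdtype" >&2; return 2 ;;
    esac
    awk -v want="$section/rdtype/name=$rdtype" \
        -v ctr="$section/rdtype/counter=" '
        $0 == want { hit = 1; next }      # whole-line match: A never matches AAAA
        hit && index($0, ctr) == 1 {      # counter line directly after the name
            print substr($0, length(ctr) + 1); found = 1; exit
        }
        { hit = 0 }
        END { if (!found) print 0 }       # type not seen yet: report 0
    '
}

# On a real host: curl -s http://localhost:8053/ | xml2 | bind_counter ... A
sample_stats | bind_counter /isc/bind/statistics/server/queries-in AAAA
```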

 

reset HP iLO 3 Password

Someone in the office played a trick on me and set an iLO configuration password. (Maybe it was me in a very weak moment, but of course I would never admit it.) Anyway, I was unable to configure the iLO and needed to reset it. Turns out, this is quite easy.
The following steps are necessary:

  • remove server from the rack and open the case.
  • locate system switches (Jumpers) (see Picture)
  • set the iLO security switch to ON (ON = security off, OFF = security on) (see red arrow on picture)
  • start the server and press F8 to enter iLO config menu
  • you will still be prompted for a password, but any will be accepted
  • set a new password, reboot and revert jumper settings

good luck!

 

find the switch to reset an HP iLO 3 password


© 2017 netmess
