First Step we need package manager on MAC OS

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Second Step Instal Qemu

brew install qemu

vaheeD

More Posts - Website

Follow Me:

BIOS and UEFI Bootable USB

Using dd

In GNU/Linux

# dd bs=4M if=/path/to/archlinux.iso of=/dev/sdx && sync

In Mac OS X

To be able to use dd on your USB device on a Mac you have to do some special maneuvers. First of all insert your usb device, OS X will automount it, and in Terminal.app run:

$ diskutil list

Figure out what your USB device is called with mount or sudo dmesg | tail (e.g. /dev/disk1) and unmount the partitions on the device (i.e., /dev/disk1s1) while keeping the device proper (i.e., /dev/disk1):

$ diskutil unmountDisk /dev/disk1

Now we can continue in accordance with the instructions above (but use bs=8192 if you are using the OS X dd, the number comes from 1024*8).

dd if=image.iso of=/dev/disk1 bs=8192

20480+0 records in
20480+0 records out
167772160 bytes transferred in 220.016918 secs (762542 bytes/sec)

It is probably a good idea to eject your drive before physical removal at this point:

$ diskutil eject /dev/disk1

vaheeD

More Posts - Website

Follow Me:

1. Execute a cron job every 5 Minutes

The first field is for Minutes. If you specify * in this field, it runs every minutes. If you specify */5 in the 1st field, it runs every 5 minutes as shown below.

*/5 * * * * /home/backup.sh

Note: In the same way, use */10 for every 10 minutes, */15 for every 15 minutes, */30 for every 30 minutes, etc.

2. Execute a cron job every 5 Hours

The second field is for hours. If you specify * in this field, it runs every hour. If you specify */5 in the 2nd field, it runs every 5 hours as shown below.

0 */5 * * * /home/backup.sh

Note: In the same way, use */2 for every 2 hours, */3 for every 3 hours, */4 for every 4 hours, etc.

3. Execute a job every 5 Seconds

Cron job cannot be used to schedule a job in seconds interval. i.e You cannot schedule a cron job to run every 5 seconds. The alternative is to write a shell script that uses ‘sleep 5′ command in it.

Create a shell script every-5-seconds.sh using bash while loop as shown below.

$ cat every-5-seconds.sh
#!/bin/bash
while true
do
 /home/backup.sh
 sleep 5
done

Now, execute this shell script in the background using nohup as shown below. This will keep executing the script even after you logout from your session. This will execute your backup.sh shell script every 5 seconds.

$ nohup ./every-5-seconds.sh &

4. Execute a job every 5th weekday

This example is not about scheduling “every 5 days”. But this is for scheduling “every 5th weekday”.

The 5th field is DOW (day of the week). If you specify * in this field, it runs every day. To run every Friday, specify either 5 of Fri in this field.

The following example runs the backup.sh every Friday at midnight.

0 0 * * 5 /home/backup.sh
(or)
0 0 * * Fri /home/backup.sh

You can either user number or the corresponding three letter acronym for the weekday as shown below.

• 0=Sun
• 1=Mon
• 2=Tue
• 3=Wed
• 4=Thu
• 5=Fri
• 6=Sat

Note: Get into the habit of using Fri instead of 5. Please note that the number starts with 0 (not with 1), and 0 is for Sun (not Mon).

5. Execute a job every 5 months

There is no direct way of saying ‘every 5 months’, instead you have to specify what specific months you want to run the job. Probably you may want to run the job on 5th month (May), and 10th month (Oct).

The fourth field is for Months. If you specify * in this field, it runs every month. To run for the specific month, you have to specify the number that corresponds to the month. For example, to run the job on May and Oct, you should specify 5,10 (or) you can simply use the 3 letter acronym of the month and specify May,Oct.

The third field is for DOM (Day of the Month). If you specify * in this field, it runs every day of the month. If you specify 1 in this month, it runs 1st of the month.

The following example runs the backup.sh twice a year. i.e 1st May at midnight, and 1st Oct at midnight.

0 0 1 5,10 * /home/backup.sh
(or)
0 0 1 May,Oct * /home/backup.sh

Note: Don’t make the mistake of specifying 5-10 in the 4th field, which means from 5th month until 10th month. If you want only 5th and 10th month, you should use comma.

vaheeD

More Posts - Website

Follow Me:

Example PAC File

The basic for all good PAC files start with a clear and concise coding methodology. It’s possible to achieve the same result using several different methods, both with the PAC file functions available and the flexibility of the JavaScript language.

This page includes a PAC file example which has been proven to be flexible, easy to update, while still providing accurate results.

Features

• Proxy bypass rules for private IP networks, internal hostnames, and hosts with .local domain extension.
  • While the other rules in this example may be optional, most deployments should begin with this code block (lines 3-10).
• Example hostname bypass rule.
• Example protocol and URL bypass rule.
• Example machine based IP routing rule.
• Default proxy rule, if all above rules don’t match.

Example PAC File

vaheeD

More Posts - Website

Follow Me:

Under MS-Windows you can use the ipconfig command to flush dns cache.

c:\ ipconfig /flushdns

However, Linux and UNIX provides various ways to flush cache. Linux can run nscd or BIND or dnsmasq as the name service caching daemon. Large and work-group servers may use BIND or dnsmasq as a dedicated caching server to speed up queries.

HowTo: Flush nscd dns cache

Nscd caches libc-issued requests to the Name Service. If retrieving NSS data is fairly expensive, nscd is able to speed up consecutive access to the same data dramatically and increase overall system performance. Just restart nscd:
$ sudo /etc/init.d/nscd restart
OR
# service nscd restart
OR
# service nscd reload
This daemon provides a cache for the most common name service requests. The default configuration file, /etc/nscd.conf, determines the behavior of the cache daemon.

Flush dnsmasq dns cache

dnsmasq is a lightweight DNS, TFTP and DHCP server. It is intended to provide coupled DNS and DHCP service to a LAN. Dnsmasq accepts DNS queries and either answers them from a small, local, cache or forwards them to a real, recursive, DNS server. This software is also installed many cheap routers to cache dns queries. Just restart the dnsmasq service to flush out dns cache:
$ sudo /etc/init.d/dnsmasq restart
OR
# service dnsmasq restart

Flush caching BIND server dns cache

A caching BIND server obtains information from another server (a Zone Master) in response to a host query and then saves (caches) the data locally. All you have to do is restart bind to clear its cache:
# /etc/init.d/named restart
You can also use rndc command as follows flush out all cache:
# rndc restart
OR
# rndc exec
BIND v9.3.0 and above will support flushing all of the records attached to a particular domain name with rndc flushname command. In this example flush all records releated to cyberciti.biz domain:
# rndc flushname cyberciti.biz
It is also possible to flush out BIND views. For example, lan and wan views can be flushed using the following command:
# rndc flush lan
# rndc flush wan

A note about Mac OS X Unix users

Type the following command as root user:
# dscacheutil -flushcache
OR
$ sudo dscacheutil -flushcache
If you are using OS X 10.5 or earlier try the following command:
lookupd -flushcache

A note about /etc/hosts file

/etc/hosts act as the static table lookup for hostnames. You need to remove and/or update records as per your requirements under Unix like operating systems:
# vi /etc/hosts
Sample outputs:

127.0.0.1	localhost
127.0.1.1	wks01.WAG160N	wks01
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.37.34.2     build
192.168.1.10	nas01
192.168.1.11	nas02
192.168.1.12	nas03

vaheeD

More Posts - Website

Follow Me:

With so many new DLNA media receivers emerging on the market, including the PS3 and X-Box 360, there are many options for media server software to run. Each server application has its own set of pros and cons. I researched all of the known products and listed out prices, supported operating systems and features. I also took the time to make a few notes and award best-in-class to a few select products that are the easiest to use, have the best features overall and provide the best end-user experience. Read on to find out how to choose your media server software.

Comparison Chart

The products are listed in alphabetical order. All servers are UPnP compliant. The Server column is the name of the server and a link to the vendor’s product page. The Price column is how much the server costs. The Windows, Mac and Linux columns show support for those operating systems. The Music column indicates that the software can stream at least 1 type of music. The Photo column indicates that the software can serve at least 1 type of image. The Video column indicates that the software can stream at least 1 type of AV. The Transcoding column indicates that the software can transcode from one format to another.

What is transcoding?

The average consumer doesn’t care about what technology is used to encode their media. They just want it to play. The problem is that many devices only support certain types of encoding and much media circulating around is in other formats. The solution? Transcoding. Transcoding means to convert a potentially unsupported encoding into a supported one for the receiving device on the fly. Wikipedia has more details on transcoding.

Analysis

While basic functionality is indicated on this chart, there is no way of knowing how many types of music, photo or video formats are supported. It is also difficult to tell what formats can be transcoded. Most of the informational pages for these products don’t give enough details, so without setting up every single product and testing all formats against a variety of devices, it’s very difficult to know for sure what the level of support is.

Four products support every operating system: Cidero, Cyber Media Gate, Rhapsody and TwonkyMedia. Both Cidero and Cyber Media Gate are Java-based ports of their original C++ open-source counterparts. They appear to run on any Java 1.5 platform.

TwonkyMedia not only supports every operating system but has every main feature covered as well. Their transcoding support is new, as last time I looked into their tech specs I didn’t see support for it, so time will tell how good it is.

Geexbox has no OS listed because despite being Linux-based, it runs its own distribution to work. To get similar DLNA server functionality in Linux, uShare can be compiled and installed, which is what Geexbox uses for its own server.

SimpleCenter has a free version without transcoding support.

vaheeD

More Posts - Website

Follow Me:

Open Terminal on macOSX and past …

/usr/sbin/system_profiler SPHardwareDataType

 
And here’s the output for Macbook book Air:

Hardware:

    Hardware Overview:

      Model Name: MacBook Air
      Model Identifier: MacBookAir3,1
      Processor Name: Intel Core 2 Duo
      Processor Speed: 1.6 GHz
      Number of Processors: 1
      Total Number of Cores: 2
      L2 Cache: 3 MB
      Memory: 4 GB
      Bus Speed: 800 MHz
      Boot ROM Version: MBA31.0000.0000
      SMC Version (system): 00000
      Serial Number (system): 00000000000
      Hardware UUID: 0000000-0000-0000-0000-0000000000

vaheeD

More Posts - Website

Follow Me:

Step1:

Install bind 9 on Debian/Ubuntu

sudo apt-get install bind9 dnsutils -y

Install bind 9 on CentOS/Fedora

sudo yum install bind dnsutils -y

Step 2: Configure the main Bind files. Usually,  you will have to edit the file named.conf.

sudo vi /etc/bind/named.conf.local

This is where we will insert our zones. By the way, a zone is a domain name that is referenced in the DNS server
Insert this in the named.conf.local file:

# This is the zone definition. replace example.com with your domain name
zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.db";
        };

# This is the zone definition for reverse DNS. replace 0.168.192 with your network address in reverse notation - e.g my network address is 192.168.0
zone "0.168.192.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};

Ok, now, let’s edit the options file:

sudo vi /etc/bind/named.conf.options

We need to modify the forwarder. This is the DNS server to which your own DNS will forward the requests he cannot process.

forwarders {
      # Replace the address below with the address of your provider's DNS server
      123.123.123.123;
};

Now, let’s add the zone definition files (replace example.com with your domain name:

sudo mkdir /etc/bind/zones
sudo vi /etc/bind/zones/example.com.db

The zone definition file is where we will put all the addresses / machine names that our DNS server will know. You can take the following example:

// replace example.com with your domain name. do not forget the . after the domain name!
// Also, replace ns1 with the name of your DNS server
example.com.      IN      SOA     ns1.example.com. admin.example.com. (
// Do not modify the following lines!
                                                        2006081401
                                                        28800
                                                        3600
                                                        604800
                                                        38400
 )

// Replace the following line as necessary:
// ns1 = DNS Server name
// mta = mail server name
// example.com = domain name
example.com.      IN      NS              ns1.example.com.
example.com.      IN      MX     10       mta.example.com.

// Replace the IP address with the right IP addresses.
www              IN      A       192.168.0.2
mta              IN      A       192.168.0.3
ns1              IN      A       192.168.0.1

Now, let’s create the reverse DNS zone file:

sudo vi /etc/bind/zones/rev.0.168.192.in-addr.arpa

Copy and paste the following text, modify as needed:

//replace example.com with yoour domain name, ns1 with your DNS server name.
// The number before IN PTR example.com is the machine address of the DNS server. in my case, it's 1, as my IP address is 192.168.0.1.
@ IN SOA ns1.example.com. admin.example.com. (
                        2006081401;
                        28800; 
                        604800;
                        604800;
                        86400 
)

                     IN    NS     ns1.example.com.
1                    IN    PTR    example.com

Ok, now you just need to restart bind:

sudo /etc/init.d/bind9 restart

We can now test the new DNS server…
Step 4: Modify the file resolv.conf with the following settings:

sudo vi /etc/resolv.conf

enter the following:

// replace example.com with your domain name, and 192.168.0.1 with the address of your new DNS server.
search example.com
nameserver 192.168.0.1

Checking bind’s zone files and configuration

Before we attempt to start a bind nameserver with a new zone and configuration here are some tools to check

if we have not done some typo or misconfiguration. To check a configuration files run a following command:

named-checkconf

Now, test your DNS:

dig example.com

vaheeD

More Posts - Website

Follow Me:

STEP1 : X11 ( XQuartz )

Download and install XQuartz, Please click this link: XQuartz Download

About XQuartz :

A version of the X.Org X Window System that runs on OS X

XQuartz Website

STEP2 : XCODE

Please open the apple store then search and install XCode.

The easiest way to install XCode, Please click this link: XCode apple store link ( XCode is FREE :D )

About XCode :

Xcode is the complete toolset for building OS X and iOS applications — and with Xcode 4, the tools have been redesigned to be faster, easier to use, and more helpful than ever before. The Xcode IDE understands your project’s every detail, identifies mistakes in both syntax and logic, and will even fix your code for you. Quite simply, Xcode 4 will help you write better code.

STEP2 : MacPorts

Please Download and install MacPorts.
The easiest way to install MacPorts on a Mac OS X system is by downloading the dmg for Mountain Lion, Lion, Snow Leopard orLeopard and running the system’s Installer by double-clicking on the pkg contained therein, following the on-screen instructions until completion.

STEP3 : Update MacPorts Repository

sudo port -v selfupdate
sudo port sync

STEP4 : Install all you neeD !!!

sudo port install “Package name”

For Example :

sudo port install htop

Tips for using port

sudo port list
sudo port search nmap
sudo port install nmap
sudo port upgrade nmap
sudo port dependents nmap
sudo port upgrade outdated

vaheeD

More Posts - Website

Follow Me:

Default Config Files and SSH Port

• /etc/ssh/sshd_config – OpenSSH server configuration file.
• /etc/ssh/ssh_config – OpenSSH client configuration file.
• ~/.ssh/ – Users ssh configuration directory.
• ~/.ssh/authorized_keys or ~/.ssh/authorized_keys – Lists the public keys (RSA or DSA) that can be used to log into the user’s account
• /etc/nologin – If this file exists, sshd refuses to let anyone except root log in.
• /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.
• SSH default port : TCP 22

#1: Disable OpenSSH Server

Workstations and laptop can work without OpenSSH server. If you need not to provide the remote login and file transfer capabilities of SSH, disable and remove the SSHD server. CentOS / RHEL / Fedora Linux user can disable and remove openssh-server with yum command:
# chkconfig sshd off
# yum erase openssh-server
Debian / Ubuntu Linux user can disable and remove the same with apt-get command:
# apt-get remove openssh-server
You may need to update your iptables script to remove ssh exception rule. Under CentOS / RHEL / Fedora edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Once done restart iptables service:
# service iptables restart
# service ip6tables restart

#2: Only Use SSH Protocol 2

SSH protocol version 1 (SSH-1) has man-in-the-middle attacks problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open sshd_config file and make sure the following line exists:

Protocol 2

#3: Limit Users’ SSH Access

By default all systems user can login via SSH using their password or public key. Sometime you create UNIX / Linux user account for ftp or email purpose. However, those user can login to system using ssh. They will have full access to system tools including compilers and scripting languages such as Perl, Python which can open network ports and do many other fancy things. One of my client has really outdated php script and an attacker was able to create a new account on the system via a php script. However, attacker failed to get into box via ssh because it wasn’t in AllowUsers.

Only allow root, vivek and jerry user to use the system via SSH, add the following to sshd_config:

AllowUsers root vivek jerry

Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line:

DenyUsers saroj anjali foo

You can also configure Linux PAM allows or deny login via the sshd server. You can allow list of group name to access or deny access to the ssh.

#4: Configure Idle Log Out Timeout Interval

User can login to server via ssh and you can set an idel timeout interval to avoid unattended ssh session. Open sshd_config and make sure following values are configured:

ClientAliveInterval 300
ClientAliveCountMax 0

You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out).

#5: Disable .rhosts Files

Don’t read the user’s ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:

IgnoreRhosts yes

SSH can emulate the behavior of the obsolete rsh command, just disable insecure access via RSH.

#6: Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

#7: Disable root Login via SSH

There is no need to login as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root level access. This also make sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

PermitRootLogin no

However, bob made excellent point:

Saying “don’t login as root” is h******t. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreast the chance you got spoofed as to your telnet host target, You’d get your password spoofed but not root’s pw. Gimme a break. this is 2005 – We have ssh, used properly it’s secure. used improperly none of this 1989 will make a damn bit of difference. -Bob

#8: Enable a Warning Banner

Set a warning banner by updating sshd_config with the following line:

Banner /etc/issue

Sample /etc/issue file:

----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.
+ At any time, the XYZG may inspect and seize data stored on this IS.
+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.
+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.
+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------

Above is standard sample, consult your legal team for exact user agreement and legal notice details.

#8: Firewall SSH Port # 22

You need to firewall ssh port # 22 by updating iptables or pf firewall configurations. Usually, OpenSSH server must only accept connections from your LAN or other remote WAN sites only.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (Redhat and friends specific file) to accept connection only from 192.168.1.0/24 and 202.54.1.5/29, enter:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT

If you’ve dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Redhat and friends specific file), enter:

 -A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with actual IPv6 ranges.

*BSD PF Firewall Configuration

If you are using PF firewall update /etc/pf.conf as follows:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

Sample /etc/pf.conf

1. #### First declare a couple of variables ####
2. ### Outgoing tcp / udp port ####
3. ### 43 – whois, 22 – ssh ###
4. tcp_services = “{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}”
5. udp_services = “{ domain, ntp }”
6. ### allow ping / pong ####
7. icmp_types = “{ echoreq, unreach }”
9. #### define tables. add all subnets and ips to block
10. table <blockedip> persist file “/etc/pf.block.ip.conf”
12. martians = “{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }”
14. ### admin server ranges ###
15. adminrange = “112.220.11.0/23”
17. # connected to internet
18. ext_if = “em1”
19. # connected to vpn / lan
20. int_if = “em0”
22. ##### ftp proxy
23. #proxy=”127.0.0.1″
24. #proxyport=”8021″
26. #### Normalization
27. #scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
28. scrub in all
30. #### NAT and RDR start
31. #nat-anchor “ftp-proxy/*”
32. #rdr-anchor “ftp-proxy/*”
34. # redirect ftp traffic
35. #rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
37. # Drop incoming everything
38. block in all
39. block return
41. # keep stats of outgoing connections
42. pass out keep state
44. # We need to have an anchor for ftp-proxy
45. #anchor “ftp-proxy/*”
47. # unlimited traffic for loopback and lan / vpn
48. set skip on {lo0, $int_if}
50. # activate spoofing protection for all interfaces
51. block in quick from urpf-failed
53. #antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
54. antispoof log for $ext_if
56. #Block RFC 1918 addresses
57. block drop in log (all) quick on $ext_if from $martians to any
58. block drop out log (all) quick on $ext_if from any to $martians
61. # Block all ips
62. # pfctl -t blockedip -T show
63. block drop in log (all) quick on $ext_if from <blockedip> to any
64. block drop out log (all) quick on $ext_if from any to <blockedip>
66. # allow outgoing
67. pass out on $ext_if proto tcp to any port $tcp_services
68. pass out on $ext_if proto udp to any port $udp_services
70. # Allow trace route
71. pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
73. # Allow admin to get into box
74. pass in on $int_if from $adminrange to any
76. # Allow incoming ssh, http, bind traffic
77. # pass in on $ext_if proto tcp from any to any port 25
78. pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
79. pass in on $ext_if proto udp from any to any port domain
80. pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
81. pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
82. pass inet proto icmp all icmp-type $icmp_types keep state
83. ## add your rule below ##

#9: Change SSH Port and Limit IP Binding

By default SSH listen to all available interfaces and IP address on the system. Limit ssh port binding and change ssh port (by default brute forcing scripts only try to connects to port # 22). To bind to 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following line:

Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

A better approach to use proactive approaches scripts such as fail2ban or denyhosts (see below).

#10: Use Strong SSH Passwords and Passphrase

It cannot be stressed enough how important it is to use strong user passwords and passphrase for your keys. Brute force attack works because you use dictionary based passwords. You can force users to avoid passwords against a dictionary attack and use john the ripper tool to find out existing weak passwords. Here is a sample random password generator (put in your ~/.bashrc):

genpasswd() {
	local l=$1
       	[ "$l" == "" ] && l=20
      	tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${l} | xargs
}

Run it:
genpasswd 16
Output:

uw8CnDVMwC6vOKgW

#11: Use Public Key Based Authentication

Use public/private key pair with password protection for the private key. See how to use RSA and DSA key based authentication. Never ever use passphrase free key (passphrase key less) login.

Create the cryptographic Key on FreeBSD / Linux / UNIX workstation, enter:
ssh-keygen -t rsa
Assign the pass phrase (press [enter] key twice if you don’t want a passphrase). It will create 2 files in ~/.ssh directory as follows:

• ~/.ssh/id_rsa : identification (private) key
• ~/.ssh/id_rsa.pub : public key

Use scp to copy the id_rsa.pub (public key) to rh9linux.nixcraft.org server as authorized_keys2 file, this is know as Installing the public key to server.
scp .ssh/id_rsa.pub vivek@rh9linux.nixcraft.org:.ssh/authorized_keys2
From FreeBSD workstation login to server:
ssh rh9linux.nixcraft.org
Changing the pass-phrase on workstation (if needed):
ssh-keygen -p
Use of ssh-agent to avoid continues pass-phrase typing
At freebsd workstation type:
ssh-agent $BASH
ssh-add
Type your pass-phrase

Now ssh server will not use prompt for the password. Above two commands can be added to your ~/.bash_profile file so that as soon as you login into workstation you can set the agent.

Deleting the keys hold by ssh-agent

To list keys, enter:
ssh-add -l
To delete all keys, enter:
ssh-add -D
To delete specific key, enter:
ssh-add -d key

#12: Use Keychain Based Authentication

keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to setup and use keychain software.

Install keychain on CentOS / RHEL / Fedora Linux

You need RPMForge repo enabled to install keychain package.
# yum install keychain

Install keychain on Debian / Ubuntu Linux

# apt-get update && apt-get install keychain

Install keychain on FreeBSD

# portsnap fetch update
# cd /usr/ports/security/keychain
# make install clean

How Do I Setup SSH Keys With passphrase?

Simply type the following commands:
$ ssh-keygen -t rsa
OR
$ ssh-keygen -t dsa
Assign the pass phrase when prompted. See the following step-by-step guide for detailed information:

#13: Chroot SSHD (Lock Down Users To Their Home Directories)

By default users are allowed to browse the server directories such as /etc/, /bin and so on. You can protect ssh, using os based chroot or use special tools such as rssh. With the release of OpenSSH 4.8p1 or 4.9p1, you no longer have to rely on third-party hacks such as rssh or complicated chroot(1) setups to lock users to their home directories. See this blog post about new ChrootDirectory directive to lock down users to their home directories.

Install rssh

CentOS / Fedora / RHEL Linux rssh installation

Visit Dag’s repo to grab rssh package
# cd /tmp
# wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
# rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm

Debian / Ubuntu Linux rssh installation

Use apt-get command:
$ sudo apt-get install rssh

FreeBSD installation

# cd /usr/ports/shells/rssh
# make install clean

#14: Use TCP Wrappers

TCP Wrapper is a host-based Networking ACL system, used to filter network access to Internet. OpenSSH does supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 172.16.23.12 :

sshd : 192.168.1.2 172.16.23.12

#15: Disable Empty Passwords

You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:

PermitEmptyPasswords no

#16: Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single or distributed computer network. To prevents brute force attacks against SSH, use the following softwares:

• DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
• Explains how to setup DenyHosts under RHEL / Fedora and CentOS Linux.
• Fail2ban is a similar program that prevents brute force attacks against SSH.
• security/sshguard-pf protect hosts from brute force attacks against ssh and other services using pf.
• security/sshguard-ipfw protect hosts from brute force attacks against ssh and other services using ipfw.
• security/sshguard-ipfilter protect hosts from brute force attacks against ssh and other services using ipfilter.
• security/sshblock block abusive SSH login attempts.
• security/sshit checks for SSH/FTP bruteforce and blocks given IPs.
• BlockHosts Automatic blocking of abusive IP hosts.
• Blacklist Get rid of those bruteforce attempts.
• Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.
• IPQ BDB filter May be considered as a fail2ban lite.

#17: Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provides rate-limit option to perform simple throttling on incoming connections on port # 22.

Iptables Example

The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:

#!/bin/bash
inet_if=eth1
ssh_port=22
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent  --set
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent  --update --seconds 60 --hitcount 5 -j DROP

Call above script from your iptables scripts. Another config option:

$IPT -A INPUT  -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT  -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5-j ACCEPT

See iptables man page for more details.

*BSD PF Example

The following will limits the maximum number of connections per source to 20 and rate limit the number of connections to 15 in a 5 second span. If anyone breaks our rules add them to our abusive_ips table and block them for making any further connections. Finally, flush keyword kills all states created by the matching rule which originate from the host which exceeds these limits.

sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)

#18: Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port Knocking example for ssh using iptables:

$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2

$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven

$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock

$IPT -A INPUT -m --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j doo

• fwknop is an implementation that combines port knocking and passive OS fingerprinting.
• Multiple-port knocking Netfilter/IPtables only implementation.

#19: Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make your log reading life easier. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Make sure LogLevel is set to INFO or DEBUG in sshd_config:

LogLevel INFO

.

Installation
Debian Linux type the following command::

apt-get install logwatch

Fedora Linux type the following command::

yum install logwatch

RedHat Enterprise Linux type the following command::

up2date logwatch

To customize logwatch go to /usr/share/doc/logwatch-*/ directory and read the file HOWTO-Customize-LogWatch

Or Open logwatch.conf file:

vi /etc/logwatch/conf/logwatch.conf

OR

vi /usr/share/logwatch/default.conf/logwatch.conf

Read man page of logwatch for more information.

#20: Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Other Options

To hide openssh version, you need to update source code and compile openssh again. Make sure following options are enabled in sshd_config:

#  Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on  reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
#  Specifies whether password authentication is allowed.  The default is yes.
PasswordAuthentication no

Verify your sshd_config file before restarting / reloading changes:
# /usr/sbin/sshd -t

Tighter SSH security with two-factor or three-factor (or more) authentication.

References:

1. The official OpenSSH project.
2. Forum thread: Failed SSH login attempts and how to avoid brute ssh attacks
3. man pages sshd_config, ssh_config, tcpd, yum, and apt-get.

If you have a technique or handy software not mentioned here, please share in the comments below to help your fellow readers keep their openssh based server secure.

vaheeD

More Posts - Website

Follow Me: