Security

From Things and Stuff Wiki
Jump to navigation Jump to search


General

See also Cryptography








  • EZCrypt - We provide you with the power to encrypt the data BEFORE it gets stored on our site. All encryption/decryption is done on the client end using AES-CBC 128bit with a hash key generated on each paste. The server will only store the encrypted data without the hash key, so only you have the power to decrypt it.
  • Gitian is a secure source-control oriented software distribution method. This means you can download trusted binaries that are verified by multiple builders.




Resources

News

Articles

RNG

Passwords

Articles

Software

Keypass


  • KeePassX - an application for people with extremly high demands on secure personal data management. It has a light interface, is cross platform and published under the terms of the GNU General Public License. KeePassX saves many different information e.g. user names, passwords, urls, attachments and comments in one single database. For a better management user-defined titles and icons can be specified for each single entry. Furthermore the entries are sorted in groups, which are customizable as well. The integrated search function allows to search in a single group or the complete database.

KeePassX offers a little utility for secure password generation. The password generator is very customizable, fast and easy to use. Especially someone who generates passwords frequently will appreciate this feature.

The complete database is always encrypted either with AES (alias Rijndael) or Twofish encryption algorithm using a 256 bit key. Therefore the saved information can be considered as quite safe. KeePassX uses a database format that is compatible with KeePass Password Safe. This makes the use of that application even more favourable. Originally KeePassX was called KeePass/L for Linux since it was a port of Windows password manager Keepass Password Safe. After KeePass/L became a cross platform application the name was not appropriate anymore and therefore, on 22 March 2006 it has been changed.


  • KeePassXC - a community fork of KeePassX, the cross-platform port of KeePass for Windows. Every feature works cross-platform and was thoroughly tested on multiple systems to provide users with the same look and feel on every supported operating system. This includes the beloved Auto-Type feature.



Other



  • Enpass - password manager for iOS, Android, Windows, Linux, Mac



  • Pass: The Standard Unix Password Manager - each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It's capable of temporarily putting passwords on your clipboard and tracking password changes using git.

You can edit the password store using ordinary unix shell commands alongside the pass command. There are no funky file formats or new paradigms to learn. There is bash completion so that you can simply hit tab to fill in names and commands, as well as completion for zsh and fish available in the completion folder. The very active community has produced many impressive clients and GUIs for other platforms as well as extensions for pass itself.

Services

Hardware

Multi-factor



Cracking

Windows

  • Ophcrack - a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.

Proxy

Server

See also Distros

cat /proc/sys/kernel/random/entropy_avail
  • haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Current development of haveged is directed towards improving overall reliablity and adaptability while minimizing the barriers to using haveged for other tasks.


Firewalls

Firewalld

  • Firewalld - provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly. With the firewalld D-Bus interface it is simple for services, applications and also users to adapt firewall settings. The interface is complete and is used for the firewall configuration tools firewall-cmd, firewallctl, firewall-config and firewall-applet.


Uncomplicated Firewall


  • Gufw - a firewall powered by UFW (Uncomplicated Firewall). For an overview of firewalls, please see Firewall.

Shorewall

  • Shorewall - a gateway/firewall configuration tool for GNU/Linux. iptables made easy.


pfSense

  • pfSense - a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. The pfSense project was started in September 2004 by Chris Buechler and Scott Ullrich, with a growing development team. Chris is a long time contributor to the m0n0wall project. m0n0wall is a great embedded firewall, but one of the great things about its design is also a limitation to expandability.

OPNsense

  • OPNsense - an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project.


Zeroshell

  • Zeroshell - a small open-source Linux distribution for servers and embedded systems which aims to provide network services. Its administration relies on a web-based graphical interface; no shell is needed to administer and configure it. Zeroshell is available as Live CD and CompactFlash images, and VMware virtual machines.

Smoothwall Express

  • Smoothwall Express - a Free firewall that includes its own security-hardened GNU/Linux operating system and an easy-to-use web interface. Supports LAN, DMZ, and Wireless networks, plus Extrnal. External connectivity via: Static Ethernet, DHCP Ethernet, PPPoE, PPPoA using various USB and PCI DSL modems. Portforwards, DMZ pin-holes. Outbound filtering. Timed access. Simple to use Quality-of-Service (QoS). Traffic stats, including per interface and per IP totals for weeks and months. IDS via automatically updated Snort rules. UPnP support. List of bad IP addresses to block. Web proxy for accelerated browsing. POP3 email proxy with Anti-Virus. IM proxy with realtime log viewing. Responsive web interface using AJAX techniques to provide realtime information. Realtime traffic graphs.

IPFire

  • IPFire - the professional and hardened Linux firewall distribution that is secure, easy to operate and coming with great functionality so that it is ready for enterprises, authorities, and anybody else. IPFire was designed with both modularity and a high-level of flexibility in mind. You can easily deploy many variations of it, such as a firewall, a proxy server or a VPN gateway. IPFire employs a Stateful Packet Inspection (SPI) firewall, which is built on top of netfilter (the Linux packet filtering framework). With IPFire 2.15, the graphical user interface has been completely rewritten and massively extended with new functionality. It is now possible to manage groups of hosts or services. That makes it simpler to create many similar rules for a great number of hosts, networks or services.

IPCop Firewall

  • IPCop Firewall is a Linux firewall distribution. It is geared towards home and SOHO users. The IPCop web-interface is very user-friendly and makes usage easy.


Endian Firewall Community

  • Endian Firewall Community - EFW, a "turn-key" linux security distribution that makes your system a full featured security appliance with Unified Threat Management (UTM) functionalities. The software has been designed for the best usability: very easy to install, use and manage and still greatly flexible. The feature suite includes stateful packet inspection firewall, application-level proxies for various protocols (HTTP, FTP, POP3, SMTP) with antivirus support, virus and spam-filtering for email traffic (POP and SMTP), content filtering of Web traffic and a "hassle free" VPN solution (based on both OpenVPN and IPsec).

Untangle NG Firewall

  • Untangle NG Firewall - takes the complexity out of network security—saving you time, money and frustration. Get everything you need in a single, modular platform that fits the evolving needs of your organization without the headaches of multiple point solutions. Enjoy the flexibility to deploy Untangle’s award-winning NG Firewall software on third party hardware, as a virtual machine, or as a turnkey appliance.

Leopard Flower personal firewall

  • https://github.com/themighty1/lpfw - Leopard Flower personal firewall for Linux gives the user control over which applications are allowed to use the network. It comes with a GUI.

FireHOL

  • FireHOL - a language (and a program to run it) which builds secure, stateful firewalls from easy to understand, human-readable configurations. The configurations stay readable even for very complex setups. FireQOS is a program which sets up traffic shaping from an easy-to-understand and flexible configuration file. Both programs abstract away the differences between IPv4 and IPv6. so you can concentrate on the rules you want. You can apply rules for IPv4 or IPv6, or both, as you need.

Firewall Builder

  • Firewall Builder - makes it easy to configure your firewalls. Our application is trusted by thousands of users to help them manage their production firewalls. With features like shared objects, drag-and-drop GUI, and search-and-replace, tasks that used to be time-consuming and frustrating are now simple and straightforward. Firewall Builder supports a wide range of firewall platforms, including Cisco ASA & PIX, Linux iptables, BSD pf and many more. The easy-to-use GUI, multiple platform support, and make-it-easy features let you forget about typing commands and instead focus on what traffic your firewall policies should allow or deny.

csf / lfd

csf -r
  # restart CSF

csf -d 192.18.1.100
  # quick deny an ip

csf -d 192.18.1.0/24
  # deny access from an ip range

csf -dr xxx.xxx.xxx.xxx
  # remove from the deny list

csf -a xxx.xxx.xxx.xxx
  # quick allow / whitelist an ip (bypass auto blocking)

csf -ar xxx.xxx.xxx.xxx
  # remove ip from whitelist


OpenSnitch

  • OpenSnitch - a GNU/Linux port of the Little Snitch application firewall.

TinyWall

  • TinyWall - free software to harden and control the advanced firewall built into modern Windows systems.

Logging

Integrity


Hardening

See also *nix#Permissions

grsecurity

TOMOYO Linux

AppArmor

SELinux

Sandboxing

  • User-Mode Linux - a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux kernels or distributions, and poke around in the internals of Linux, all without risking your main Linux setup.

User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical machine. You can assign your virtual machine only the hardware access you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer, or its software.



  • https://wiki.archlinux.org/index.php/systemd-nspawn - like the chroot command, but it is a chroot on steroids. systemd-nspawn may be used to run a command or OS in a light-weight namespace container. It is more powerful than chroot since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name. systemd-nspawn limits access to various kernel interfaces in the container to read-only, such as /sys, /proc/sys or /sys/fs/selinux. Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The host system cannot be rebooted and kernel modules may not be loaded from within the container. This mechanism differs from Lxc-systemd or Libvirt-lxc, as it is a much simpler tool to configure.


  • Firejail - a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license. Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc. To start the sandbox, prefix your command with “firejail”.


  • https://github.com/projectatomic/bubblewrap - Many container runtime tools like systemd-nspawn, docker, etc. focus on providing infrastructure for system administrators and orchestration tools (e.g. Kubernetes) to run containers. These tools are not suitable to give to unprivileged users, because it is trivial to turn such access into to a fully privileged root shell on the host. Bubblewrap could be viewed as setuid implementation of a subset of user namespaces. Emphasis on subset - specifically relevant superset CVEs, bubblewrap does not allow control over iptables. The original bubblewrap code existed before user namespaces - it inherits code from xdg-app helper which in turn distantly derives from linux-user-chroot.

Intrusion detection



Port knocking

  • https://en.wikipedia.org/wiki/Port_knocking - a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization exists, where only a single "knock" is needed, consisting of an encrypted packet. The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.


Shells

Limited


Honeypots

TLS/SSL

See also HTTP#SSL

  • Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. They use asymmetric cryptography for authentication of key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

In the TCP/IP model view, TLS and SSL encrypt the data of network connections at a lower sublayer of its application layer. In OSI model equivalences, TLS/SSL is initialized at layer 5 (the session layer) then works at layer 6 (the presentation layer): first the session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.

Specs

some rfcs..

Guides

Software

Gnutils

OpenSSL

openssl ciphers -v
openssl verify -CAfile /etc/nginx/ca.pem certs/client.crt

Other

  • PolarSSL makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their (embedded) products, facilitating this functionality with a minimal coding footprint.



HTTPS

See HTTP#SSL

CSP

Tools

  • SSL Server Test - This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.
  • Why No Padlock? - This web based tool will check a secure (https://) URL for the following items: Valid SSL Certificate (checks expiration date, properly installed intermediate certificate, URL matches the certificate domain, and displays the SSL Issuing company. All image, css, and javascript calls on the page are done so securely. Checks each linked css file to make sure any image calls are also secure. Outputs any insecure calls, along with the file (referrer) that made the insecure call. Verifies all third party SSL calls also have a valid and properly installed SSL certificate.
  • sslScanner - Scan SSL based TCP services, ips, ports and network ranges to obtain certificate expiry data. Get automated alerts about certificates expiring
  • SSL Converter - convert SSL certificates to and from different formats such as pem, der, p7b, and pfx
  • Certificate Depot - Create your self-signed SSL certificate instantly and for free.

Certificates

See also HTTP#SSL


Certificate signing request

  • .csr This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Key formats

  • .pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name is from Privacy Enhanced Email, a failed method for secure email but the container format it used lives on.
  • .key This is a PEM formatted file containing just the private-key of a specific certificate. In Apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates is very important, and some programs will refuse to load these certificates if they are set wrong.
  • .pkcs12 .pfx .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.

SAN

Wildcard

Domain Validation

Organisational Validation

involving better/slower background checks for the Organisation Name field

Extended Validation

Self-signed

Vulnerable to MITM as cracker can generate their own, OK if you control both ends.

Lets Encrypt / ACME





./letsencrypt-auto certonly -d example.com -d www.example.com --agree-tos --renew-by-default -a webroot --webroot-path=/tmp/letsencrypt-auto

CAs

Services

Comodo
VeriSign
GlobalSign
StartCom

Free certs, one cert per domain, 1 year. One only pays for acions that require human intervention, i.e., validation.


Cacert.org

Community group providing certs. Web of trust based assurance point system. Not carried by major browsers, just Linux distros.

Other
  • SSLMate - Buy SSL certs from the command line.
  • CertSimple - The fastest way to prove your company's identity online. EV Certificates are £149 a year. Multiple servers from £249 a year for 3 server names.

PFS

CRL

DNSSEC

DANE

HPKP

Future

  • TACK, a proposal for a dynamically activated public key pinning framework that provides a layer of indirection away from Certificate Authorities, but is fully backwards compatible with existing CA certificates, and doesn't require sites to modify their existing certificate chains.

Other


Vulnerabilities

  • https://en.wikipedia.org/wiki/Vulnerability_(computing) - a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.








Rooting


Scanning



Cookies

Virus


Web



OWASP

  • https://www.owasp.org/index.php/Main_Page Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

Fingerprinting

Testing

See Network, Development#Testing


Metasploit


Web

  • w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

DB

  • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Burp

Inception

  • Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

DetecTor.io

radare2

Capstone

Bettercap

Wi-fi

Disk cleanup


Hardware

  • https://en.wikipedia.org/wiki/Security_token - sometimes a hardware token, authentication token, USB token, cryptographic token, software token, virtual token, or key fob) may be a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens.

Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Some may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. Some designs feature tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generating routine with some display capability to show a generated key number. Special designs include a USB connector, RFID functions or Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.



  • https://www.nitrokey.com/
    • https://en.wikipedia.org/wiki/Nitrokey - an open source USB key to enable secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware (such as computer viruses) and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft. The hardware and software of Nitrokey are available as open source, free software and open hardware which enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, Linux, and Mac OS X.


  • RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis - Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away. Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.


Legal

UX

Other