Uncomplicated Firewall Stays True to its Name

Sep 03, 2022 | Command Line, Linux, Security

Having an Ubuntu or Linux Mint desktop without UFW (short for Uncomplicated Firewall) is like buying a nice home without a front door.

UFW, a host-based netfilter firewall, comes standard with Ubuntu and its derivatives like Linux Mint 21.

The program comes in both CLI and GUI versions.

True to its name, UFW is simple to use and supports both IPv4 and IPv6 addresses.

UFW – Inactive by Default

On a newly installed Linux Mint 21 desktop computer, UFW was bizarrely inactive by default (see below).

$ sudo ufw status
Status: inactive

I don’t understand the logic of Linux Mint developers in providing a firewall that comes disabled by default.

So I set out to quickly enable the UFW firewall on Linux Mint 21 with the command below:

$ sudo ufw enable
Firewall is active and enabled on system startup

In contrast to Linux Mint, the firewall on Red Hat Enterprise Linux 9 is enabled by default. On the flip side, the firewall in RHEL 9 is anything but uncomplicated.

When you enable UFW, the program reloads the firewall and enables it on boot.

Now, when we re-run the status command with the verbose option, we see that UFW is active and can note its default configuration: deny (incoming), allow (outgoing), disabled (routed).

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

That is all nice and dandy, but what if we want to do more than stick with the defaults?

Block Cat Videos on YouTube

UFW supports both inbound and outbound filtering.

Let’s say you want to block all outbound web traffic on your new employee’s PC (she doesn’t need the Internet for her work).

In that scenario, you’d add the following lines:

$ sudo ufw deny out https
$ sudo ufw deny out http

The above lines will prevent your employee from wasting time looking at cat videos on YouTube during work hours.

By the way, you’ll get the same results by using the port numbers 443 and 80 for https and http respectively:

$ sudo ufw deny out 443
$ sudo ufw deny out 80

Lots of Options

There are plenty of other CLI options that you can tweak in UFW.

You can delete or prepend a rule by its number or by using the actual rule itself.

You can also adjust logging levels, rate-limit connections, do a dry run without actually modifying the rules, reset to installation defaults, and more.

If for some reason, you want to get back to the default install, use the ufw reset command:

$ sudo ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20220902_154828'
Backing up 'before.rules' to '/etc/ufw/before.rules.20220902_154828'
Backing up 'after.rules' to '/etc/ufw/after.rules.20220902_154828'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20220902_154828'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20220902_154828'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20220902_154828'

For traffic not destined to the host itself but meant to be routed through the firewall, make sure you prepend route before the rule. So your syntax would look like:

$ sudo ufw route [Rule]

According to UFW’s man pages, the rate-limit feature kicks in if an IP address tries to initiate 6 or more connections within 30 seconds.

For instance, if you want to rate-limit ssh connections, you’d use:

$ sudo ufw limit ssh/tcp

You can verify the ssh rate-limit you configured above by running:

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
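
The status output shown in this post can also be checked mechanically. The script below is an added example, not part of the original post: it parses the text of ufw status verbose and flags an inactive firewall, a permissive default incoming policy, disabled logging, and port 22 open to Anywhere without the LIMIT action. The function names and the second sample (a loosened host) are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the text printed by `sudo ufw status verbose`.
# ufw_audit reads that text on stdin, prints one FAIL line per finding
# and returns non-zero if there is any finding.

ufw_audit() {
    awk '
        /^Status:/  { active  = ($2 == "active") }
        /^Logging:/ { logging = ($2 == "on") }
        /^Default:/ {
            # e.g. "Default: deny (incoming), allow (outgoing), disabled (routed)"
            for (i = 2; i < NF; i++)
                if ($(i + 1) ~ /^\(incoming\)/) incoming = $i
        }
        # Rule rows for port 22, IPv4 and "(v6)" alike. Rows written with an
        # application profile name (e.g. OpenSSH) are not covered here.
        /^22(\/tcp)?[ \t]/ && /ALLOW IN/ && /Anywhere/ { ssh_open = 1 }
        END {
            if (!active) { print "FAIL firewall is not active"; exit 1 }
            if (incoming != "deny" && incoming != "reject") {
                print "FAIL default incoming policy is " incoming; bad = 1
            }
            if (!logging) { print "FAIL logging is off"; bad = 1 }
            if (ssh_open) {
                print "FAIL 22/tcp is open to Anywhere without a rate limit"
                bad = 1
            }
            exit bad + 0
        }'
}

# The status shown in the post, with the ssh limit rules included.
sample_post() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
EOF
}

# Constructed sample: a host whose defaults were loosened.
sample_weak() {
    cat <<'EOF'
Status: active
Logging: off
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

echo "== status from the post =="
sample_post | ufw_audit && echo "no findings"
echo "== constructed weak host =="
sample_weak | ufw_audit || echo "findings above"
```

On a live system the same function can be fed directly: sudo ufw status verbose | ufw_audit.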

Clearly, UFW is a richly featured firewall with plenty of options.

We have barely scratched the surface of UFW’s capabilities in this post.

I’d encourage you to log in to your Ubuntu 22.04 or Linux Mint 21 system and check out the man pages of UFW and play around with the various options.

GUI Version of UFW

If you think the CLI version of UFW is no biggie to configure, wait till you see the GUI version, which is appropriately named Gufw Firewall.

It takes just a few seconds to set up. If you’re using Linux Mint 21, go to Menu (bottom-left usually) and search for gufw or firewall.

The GUI version has three profiles: Home, Office and Public.

By default, Outgoing traffic is allowed for all three profiles while Incoming traffic is denied for Public and Office.

Home profile is turned off by default but you can turn it on and pick deny for Incoming traffic IF that is your preference.

UFW Verdict

All in all, UFW is one of the security utilities that make Ubuntu or Linux Mint 21 a worthy desktop Linux distribution.

Unlike the default firewall in RHEL 9 (which uses the concept of zones and a difficult syntax), UFW is easy to use whether in GUI or CLI mode.

I only wish UFW came enabled by default.

Before concluding, I’d like to share a bunch of key UFW commands I found on the firewall’s man pages:

$ sudo ufw --help
Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 prepend RULE                    prepend RULE
 route RULE                      add route RULE
 route delete RULE|NUM           delete route RULE
 route insert NUM RULE           insert route RULE at NUM
 reload                          reload firewall
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

GRE VPN Tunnel Configuration

May 17, 2022 | Networking, Security

Since Generic Routing Encapsulation (GRE) VPN tunnels continue to remain on Cisco exams like CCNA and CCNP ENCOR, let’s demonstrate a quick configuration of a GRE tunnel.

Why do we care about GRE?

We care about GRE because it can encapsulate diverse network layer protocols and transport them over an IP network between two locations, across a public network like the Internet.

GRE can be used with or for:
* Multicast packets, such as OSPF, EIGRP, and streaming applications
* Connecting IPv6 networks over IPv4 networks

For purposes of this demonstration, we used the GNS3 emulation software running on a Linux VM.

The biggest problem with default GRE configuration (like the one below) is that it does not include security.

GRE Tunnel Configuration

! Configure PC1
ip 10.1.1.2/24 10.1.1.1
save
! Configure PC2
ip 10.1.2.2/24 10.1.2.1
save

! Configure Router R1
conf t
hostname R1
interface f0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface s0/0
ip address 4.1.1.1 255.255.255.252
no shut
! Configure Router R2
conf t
hostname R2
interface s0/1
ip address 4.1.1.2 255.255.255.252
no shut
int s0/0
ip address 4.1.2.1 255.255.255.252
no shut
! Configure Router R3
conf t
hostname R3
interface s0/1
ip address 4.1.2.2 255.255.255.252
no shut
interface f0/0
ip address 10.1.2.1 255.255.255.0
no shut

Static Routing
We’ll use static routing for end-to-end connectivity.

! Configure Static Routing on R1 & R3
!R1
conf t
ip route 0.0.0.0 0.0.0.0 4.1.1.2
!R3
conf t
ip route 0.0.0.0 0.0.0.0 4.1.2.1

GRE Tunnel Interfaces
Now it’s time to configure the GRE tunnel.

! Configure GRE Tunnel on R1
conf t
int tun 0
ip address 10.1.3.1 255.255.255.252
tunnel mode gre ip
tunnel source s0/0
tunnel destination 4.1.2.2

! Configure GRE Tunnel on R3
conf t
int tun 0
ip address 10.1.3.2 255.255.255.252
tunnel mode gre ip
tunnel source s0/1
tunnel destination 4.1.1.1

Let’s check the Tunnel Interfaces on R1 and R3 to make sure they’re up.

Verify Tunnel Interfaces
R1#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES NVRAM up up
Serial0/0 4.1.1.1 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 unassigned YES NVRAM administratively down down
Serial0/2 unassigned YES NVRAM administratively down down
Serial0/3 unassigned YES NVRAM administratively down down
FastEthernet1/0 unassigned YES NVRAM administratively down down
FastEthernet2/0 unassigned YES NVRAM administratively down down
Tunnel0 10.1.3.1 YES NVRAM up up

R3#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.2.1 YES NVRAM up up
Serial0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 4.1.2.2 YES NVRAM up up
Serial0/2 unassigned YES NVRAM administratively down down
Serial0/3 unassigned YES NVRAM administratively down down
FastEthernet1/0 unassigned YES NVRAM administratively down down
FastEthernet2/0 unassigned YES NVRAM administratively down down
Tunnel0 10.1.3.2 YES NVRAM up up
R3#

Configure EIGRP Routing on Tunnel Interfaces R1 and R3
! R1
conf t
router eigrp 100
network 10.0.0.0
no auto-summary

! R3
conf t
router eigrp 100
network 10.0.0.0
no auto-summary

Verify Routing on R1 and R3
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 4.1.1.2 to network 0.0.0.0

4.0.0.0/30 is subnetted, 1 subnets
C 4.1.1.0 is directly connected, Serial0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.3.0/30 is directly connected, Tunnel0
D 10.1.2.0/24 [90/297270016] via 10.1.3.2, 00:21:00, Tunnel0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 4.1.1.2
R1#

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 4.1.2.1 to network 0.0.0.0

4.0.0.0/30 is subnetted, 1 subnets
C 4.1.2.0 is directly connected, Serial0/1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.3.0/30 is directly connected, Tunnel0
C 10.1.2.0/24 is directly connected, FastEthernet0/0
D 10.1.1.0/24 [90/297270016] via 10.1.3.1, 00:21:28, Tunnel0
S* 0.0.0.0/0 [1/0] via 4.1.2.1
R3#

Verify GRE
Now that we have configured the GRE VPN tunnel, let’s run some Verify commands on Routers R1 and R3.

We’ll start by verifying the tunnel0 interface on R1.

R1#show interface tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.3.1/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 4.1.1.1 (Serial0/0), destination 4.1.2.2
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:03, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
302 packets input, 25344 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
302 packets output, 25364 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R1#

Let’s check the tunnel interface on router R3 now.

R3#show interface tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.3.2/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 4.1.2.2 (Serial0/1), destination 4.1.1.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:03, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
316 packets input, 26540 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
318 packets output, 26688 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

We can verify that the GRE tunnel is working fine by running traceroute on R1 and R3.

R1#traceroute 10.1.2.1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
1 10.1.3.2 8 msec 0 msec 0 msec

We can see that the packet is moving through the tunnel interface.

R3#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 10.1.3.1 4 msec 4 msec 0 msec

Troubleshooting GRE
* Tunnel Interface IP addresses on either side must be in same subnet
* Subnet masks on both sides of the tunnel must match
* Check if interfaces for tunnel source/destination are configured with correct IP address
* Check if Tunnel interfaces are up
* Verify if static or dynamic routing is configured properly
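
The checklist above can be run against saved output from both routers. The script below is an added example, not part of the original post: it extracts the tunnel facts from show interface tunnel0 on R1 and R3 (samples trimmed from the output in this post), checks that the tunnel addresses share a subnet and that source and destination mirror each other, and notes when no IPsec protection is present. It assumes IOS prints a "Tunnel protection via IPSec" line once tunnel protection is configured; all function names are hypothetical.

```sh
#!/bin/sh
# Added example: cross-check both ends of a GRE tunnel from saved
# "show interface tunnel0" output. Samples are trimmed from the post.

r1_output() {
    cat <<'EOF'
Tunnel0 is up, line protocol is up
  Internet address is 10.1.3.1/30
  Tunnel source 4.1.1.1 (Serial0/0), destination 4.1.2.2
  Tunnel protocol/transport GRE/IP
EOF
}

r3_output() {
    cat <<'EOF'
Tunnel0 is up, line protocol is up
  Internet address is 10.1.3.2/30
  Tunnel source 4.1.2.2 (Serial0/1), destination 4.1.1.1
  Tunnel protocol/transport GRE/IP
EOF
}

# Print one line: state address prefix-length source destination ipsec
tunnel_facts() {
    awk '
        BEGIN { state = addr = len = src = dst = "-"; ipsec = "no" }
        /^ *Tunnel[0-9]+ is / { state = ($3 == "up," && $NF == "up") ? "up" : "down" }
        /Internet address is/ { split($NF, a, "/"); addr = a[1]; len = a[2] }
        /Tunnel source/       { src = $3; sub(/,$/, "", src); dst = $NF }
        # Assumption: IOS prints this line when "tunnel protection" is applied.
        /Tunnel protection via IPSec/ { ipsec = "yes" }
        END { print state, addr, len, src, dst, ipsec }'
}

# Network address (as an integer) of dotted-quad $1 under prefix length $2.
network() {
    old_ifs=$IFS; IFS=.
    set -- $1 "$2"
    IFS=$old_ifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    echo $(( ip & (0xFFFFFFFF << (32 - $5)) & 0xFFFFFFFF ))
}

# Compare the fact lines of both ends; print findings, return 1 on any FAIL.
gre_check() {
    set -- $1 $2
    a_state=$1 a_ip=$2 a_len=$3 a_src=$4 a_dst=$5 a_sec=$6
    b_state=$7 b_ip=$8 b_len=$9 b_src=${10} b_dst=${11} b_sec=${12}
    case "$a_ip$a_len$b_ip$b_len" in
        *-*) echo "FAIL could not parse a tunnel address"; return 1 ;;
    esac
    rc=0
    if [ "$a_state" != up ] || [ "$b_state" != up ]; then
        echo "FAIL a tunnel interface is not up/up"; rc=1
    fi
    if [ "$a_len" != "$b_len" ]; then
        echo "FAIL subnet masks differ: /$a_len vs /$b_len"; rc=1
    elif [ "$(network "$a_ip" "$a_len")" != "$(network "$b_ip" "$b_len")" ]; then
        echo "FAIL tunnel addresses $a_ip and $b_ip are in different subnets"; rc=1
    fi
    if [ "$a_src" != "$b_dst" ] || [ "$a_dst" != "$b_src" ]; then
        echo "FAIL tunnel source/destination are not mirror images"; rc=1
    fi
    if [ "$a_sec" = no ] || [ "$b_sec" = no ]; then
        echo "NOTE no IPsec protection: GRE payload is sent in the clear"
    fi
    return $rc
}

gre_check "$(r1_output | tunnel_facts)" "$(r3_output | tunnel_facts)" || true
```

For the configuration in this post the only line printed is the NOTE, which matches the drawback discussed in the next section.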

Adding Security to GRE via IPSec
The biggest drawback of GRE is that GRE by itself does not provide security.

So we leverage IPSec to strengthen GRE.

In a following blog post, we’ll demonstrate GRE with IPSec.

How to Install KeePassX on CentOS 7

Sep 23, 2018 | Linux, Security

Even if you’re an Einstein, there’s no way you can remember all the user names and passwords for your Hotmail, Netflix, Gmail, multiple Bank accounts, Credit Card accounts, Dropbox and other sundry login details.

People without a password manager tend to write the user names and passwords on a piece of paper (not good because you can easily lose it) or, worse, use the same set of user names and passwords for multiple accounts (more dangerous because if one of your accounts is compromised the others will soon be too).

The biggest plus of a password manager is that you no longer have to remember multiple user names and passwords but just one master password that provides you with access to all the other user names and passwords.

If you’re not using a password manager, get one immediately. There are several password managers but a lot of them charge a monthly fee.

Since there are open source password managers of high quality, there’s no need to sign up for a fee-based service.

My personal favorite is KeePassX.

KeePassX Password Manager

KeePassX is a decent password manager for Linux and has been around for more than a decade.

I’ve used KeePassX on various flavors of Linux for a few years now and like that it’s free, local (i.e., not cloud-based), and comes with a secure password generator.

The latest version is KeePassX 2.0.2-1 on Ubuntu/Linux Mint repositories but the version for CentOS 7 or CentOS 6 is 0.4.4. The official KeePassX version is newer, 2.0.3.

Default security setting for the KeePassX database on version 0.4.4 of my CentOS 7 machine is AES (Rijndael) 256-bit encryption.

KeePassX has URL open (ctrl u) and auto-fill (ctrl v) capabilities but I must caution that once in a while the auto-fill does not work.

KeePassX also features Groups, which let you keep all your user names and passwords for a certain category (say different e-mail accounts) together. So you can have one group for E-mail, another for Entertainment (Netflix, Amazon Videos, etc.), a third for your bank and credit card accounts and so on.

Installing KeePassX

Installing KeePassX on CentOS 7 or CentOS 6 is a no-brainer.

[thomaspc@localhost ~]$ sudo yum install keepassx
[sudo] password for thomaspc: 
Loaded plugins: fastestmirror, langpacks, product-id, search-disabled-repos, subscription-manager
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                                                                     |  14 kB  00:00:00     
 * base: mirror.datto.com
 * epel: mirror.umd.edu
 * extras: centos2.zswap.net
 * updates: mirror.atlanticmetro.net
base                                                                                                                                                     | 3.6 kB  00:00:00     
epel                                                                                                                                                     | 3.2 kB  00:00:00     
extras                                                                                                                                                   | 3.4 kB  00:00:00     
updates                                                                                                                                                  | 3.4 kB  00:00:00     
(1/2): epel/x86_64/updateinfo                                                                                                                            | 944 kB  00:00:00     
(2/2): epel/x86_64/primary                                                                                                                               | 3.6 MB  00:00:00     
epel                                                                                                                                                                12686/12686
Resolving Dependencies
--> Running transaction check
---> Package keepassx.x86_64 0:0.4.4-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================
 Package                                    Arch                                     Version                                       Repository                              Size
================================================================================================================================================================================
Installing:
 keepassx                                   x86_64                                   0.4.4-1.el7                                   epel                                   807 k

Transaction Summary
================================================================================================================================================================================
Install  1 Package

Total download size: 807 k
Installed size: 2.8 M
Is this ok [y/d/N]: y
Downloading packages:
keepassx-0.4.4-1.el7.x86_64.rpm                                                                                                                          | 807 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : keepassx-0.4.4-1.el7.x86_64                                                                                                                                  1/1 
  Verifying  : keepassx-0.4.4-1.el7.x86_64                                                                                                                                  1/1 

Installed:
  keepassx.x86_64 0:0.4.4-1.el7                                                                                                                                                 

Complete!

Advantages & Disadvantages

Since every individual has unique needs, it’s hard to speak for everyone.

In my case, I prefer a password manager that’s local. So KeePassX is a plus for me.

But others may want a cloud-based password manager that they can access from any device anywhere.

KeePassX will not please such people because it lacks a cloud version. But you can keep a copy of the encrypted KeePassX database on Dropbox or similar online storage service and access the KeePassX database that way.

Overall, I’ve found KeePassX to be a reliable Password Manager on my CentOS 7 and Linux Mint 18 systems.

You can read more about KeePassX on the password manager’s web site KeePassX.org.

Early Christmas for KeePassX Users – KeePassX 2.0 Out

Dec 07, 2015 | Products, Security

Folks, Christmas has arrived 18 days early for password manager KeePassX users.

After five years of development, version 2.0 of KeePassX has been released.

The previous stable version of KeePassX was 0.4.3, which was released way back in March 2010.

Clearing Confusion

Let’s first clear up lingering confusion.

In the minds of end users, there’s considerable confusion between the two major password management utilities, KeePassX and KeePass.

Here’s the key difference between the two utilities.

KeePass is primarily a password management utility developed for various versions of Windows although it can run on other platforms like Mac OS X and Linux via Mono.

Unofficial ports of KeePass for different platforms are also available.

KeePassX, on the other hand, was developed from the get-go as a cross-platform password management utility.

KeePassX (written in Qt) was originally known as KeePass/L since it was a Linux port of KeePass Password Safe.

After the utility became cross-platform in 2006, the L was dropped and the name was changed to KeePassX.

New Features in KeePassX 2.0

KeePassX developers have highlighted various new features in version 2.0:

Free Anti-Virus Software for Linux Systems

Nov 27, 2015 | Linux, Security

If you’re a Linux aficionado, bravo.

You’re obviously more knowledgeable about computers than the average user.

Linux – Risks Lurk

The good thing about Linux systems is that they’re less vulnerable compared to, say, Windows or any other operating system.

But don’t be fooled by all those fanboys who claim Linux is like Fort Knox, virtually impenetrable to the hackers.

Linux, like every other operating system, is prone to malware, viruses and all the other bad stuff.

Further, even if malware does not attack a Linux system directly, it can still cause widespread harm if you run a Linux web server to which Windows, Mac, Android and other systems connect.

So Linux server and desktop users would be well advised to be on the alert for malware.

Although Linux still has a small installed base at the consumer level, its growing usage is also prompting hackers to target this operating system.

Thankfully, for all ye scrooges there are a few free anti-virus programs for Linux.

Here are a couple of them.

1. Sophos offers anti-virus protection for Linux providing on-access and on-demand scanning.

Sophos supports popular Linux distributions including Red Hat Enterprise Linux (versions 4, 5, 6 and 7), CentOS (5.8+, 6.2+ and 7) and Ubuntu LTS Server Edition 12.04 / 14.04 (version 9.6.1+).

You can download the free Sophos anti-virus software for Linux from the company’s web site.

2. ClamAV is another free anti-virus program for popular Linux distros like Red Hat, CentOS and Ubuntu.

Red Hat & CentOS

For Red Hat and CentOS distributions, make sure you have the EPEL repository enabled before trying to install ClamAV.

$ sudo yum install clamav clamd


Nmap Security Scanner gets Major Upgrade in Version 7

Nov 19, 2015 | Security

If you’re still running nmap 6.0, now’s the time to upgrade!

Open source security scanner nmap has received a big upgrade in version 7, which debuted November 19, 2015.

Touted as the product of three and a half years of work, nmap 7 includes nearly 3,200 code commits and enhancements that are part of over a dozen point releases since the big nmap 6 release in May 2012.

Nmap 7 – Highlights

Since nmap 6, developers of the free security scanner have added 171 new scripts and 20 libraries including firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed.

The Nmap Scripting Engine (NSE) is now reportedly powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.) and RPC grinding (rpc-grind).

There’s even a proposal to implement port scanning in NSE.

Nmap 7 provides full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage.

Faster scanning is another highlight of nmap 7.

Version scan is supposedly quicker in nmap 7 because of 56 more softmatch lines that prevent nmap from sending irrelevant probes to certain services.

The ssl-enum-ciphers script has been entirely revamped in release 7 to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions.

A favorite of systems and network administrators, nmap is used for network inventory, managing service upgrade schedules, monitoring host or service uptime and other tasks.

The cross-platform nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Designed for rapid scan of large networks, nmap works well for single hosts too.