Category Archives: Security

Web : Prevent image hot linking to your site

This article is about stopping those sites that hot link your images, stealing them and your bandwidth! I assume you are running Apache as your web server and have some basic knowledge of httpd.conf, .htaccess and rewrite rules.

You have two choices: either put the rules directly inside your httpd.conf vhost or inside an Apache per-directory configuration file (well known as .htaccess). If you use the httpd.conf way, you can skip the first step.

First, make sure your vhost allows .htaccess usage (in httpd.conf) :

AccessFileName .htaccess

<Directory "/path/to/vhost">
AllowOverride All
Options SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

Now, add these rewrite rules into your config file (httpd.conf or .htaccess) :

RewriteEngine On
# Requests without a Referer header (direct visits, privacy settings, some proxies) are left alone
RewriteCond %{HTTP_REFERER} !^$
# Requests referred by your own site (http or https, with or without www) are allowed
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain\.tld [NC]
# Any other request for an image is redirected to the "denied" picture
RewriteRule \.(jpg|jpeg|png|gif)$ http://public.domain.tld/images/hotlinking_denied.jpg [NC,R,L]

OK, let's explain this a little bit. The following line contains the URL that is authorized to call images (your own site must be listed! Replace "domain.tld" with your own domain). You may add as many allowed URLs as you want: simply duplicate the line and change the domain.

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain\.tld [NC]

The last line contains the image to return to those stealers: their site will show this image instead of the one they tried to link (again, replace with your own URL/path) :

RewriteRule \.(jpg|jpeg|png|gif)$ http://public.domain.tld/images/hotlinking_denied.jpg [NC,R,L]

* Make sure the image you want to display is not hosted under the same URL you are trying to protect, otherwise the denied image is itself redirected and an infinite loop is expected!
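
The following is an added example, not part of the original post: a shell model of the three rewrite rules above, so the allow/redirect decision and the infinite-loop warning can be tried offline against sample requests before the rules go into httpd.conf. It tightens the post's referer pattern by escaping the dot and anchoring the host; the protected hostnames, referers and paths are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the post's code): models the post's rewrite rules.
# Assumed: the protected site is domain.tld / www.domain.tld; all sample
# referers and paths below are constructed.

# Escaped dot and host anchor, so "domainXtld" or "domain.tld.example" do not pass
ALLOWED_REFERER='^https?://(www\.)?domain\.tld(/|$)'
IMAGE_EXT='\.(jpg|jpeg|png|gif)$'
PROTECTED_HOSTS='domain.tld www.domain.tld'

# hotlink_verdict REFERER PATH -> prints "allow" or "redirect", in the rules' order:
# no referer passes, a listed referer passes, only image paths are redirected.
# grep -i stands in for the [NC] (case-insensitive) flag.
hotlink_verdict() {
    referer=$1 path=$2
    [ -z "$referer" ] && { echo allow; return; }
    printf '%s\n' "$referer" | grep -Eiq "$ALLOWED_REFERER" && { echo allow; return; }
    printf '%s\n' "$path" | grep -Eiq "$IMAGE_EXT" && { echo redirect; return; }
    echo allow
}

# loop_risk DENIED_IMAGE_URL -> exit 0 when the post's warning applies: the
# denied image sits on a protected host and is itself an image, so a browser
# (which keeps the foreign referer across the redirect) is redirected to it
# again, forever.
loop_risk() {
    host=$(printf '%s\n' "$1" | sed -E 's#^https?://([^/]+).*#\1#')
    path=$(printf '%s\n' "$1" | sed -E 's#^https?://[^/]+##')
    for h in $PROTECTED_HOSTS; do
        if [ "$h" = "$host" ] && [ "$(hotlink_verdict http://other.example/page "$path")" = redirect ]; then
            return 0
        fi
    done
    return 1
}
```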

Qmail : HowTo generate a certificate for POP3-SSL and IMAP-SSL

This tutorial is about generating an SSL certificate to secure POP3 and IMAP communications between clients (MUA) and the Qmail server (MTA).

1. Go to Qmail config directory :

cd /var/qmail/control

2. Generate key :

openssl genrsa -des3 -out servercert.key.enc 2048

3. Decrypt the key (get rid of the passphrase) :

openssl rsa -in servercert.key.enc -out servercert.key

4. Generate a certificate request (well known as CSR) :

openssl req -new -key servercert.key -out servercert.csr

5. Submit your CSR to your certificate provider (CA) or generate a self-signed certificate :

openssl req -x509 -key servercert.key -in servercert.csr > servercert.crt

6. Create a PEM certificate (either with your certificate provided by your CA or your self-signed certificate) :

cat servercert.key servercert.crt > /var/qmail/control/servercert.pem

7. Restart Qmail :

qmailctl restart

Linux : Automated login with SSH keys

There is a ton of reasons why you would use SSH keys to log into your Linux/Unix systems automatically :

- Faster than entering password
- More secure than password
- Automate login for backup using Rsync
- And a lot more !

Actually, this is pretty easy to do – so let’s start generating the keys.

First, log into the system you want to connect from and type the following command as the user you want to log in from :

ssh-keygen -t rsa

Just hit Enter when asked where the key should be written (leave the default location) and hit Enter again when asked for a passphrase (if you enter a passphrase, you will be prompted for it every time you use the key, which is a little useless for "automated login"!).

Now you have a key pair (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub).

Connect to the system you want to log into and have a look at the directory named ".ssh" in the home directory of the user you will use for automated login (create it and chmod 700 if it does not exist).

Then you need to copy the public key (id_rsa.pub) onto the system you want to use automated login with, into the file named "authorized_keys" (located in ~userdir/.ssh). You may either scp the file into ".ssh/authorized_keys" or cut and paste into it :

vi .ssh/authorized_keys

Make sure the "authorized_keys" file is chmod 600.

You can now log in automatically on the target system without a password. You can then disable password authentication in /etc/sshd_config for more security (be aware: do not lose your public key!).

Not working? Make sure you set the correct file permissions and that the user you want to log in as is listed in AllowUsers, if set.
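
As an added example (not part of the original post), here is a check for the "Not working?" case: it verifies the permission bits the post asks for (.ssh is 700, authorized_keys is 600) and, going one step further than the post, that the home directory itself is not group- or world-writable, which sshd's default StrictModes also refuses. The fixture directory it builds is constructed for trying the check offline.

```shell
#!/bin/sh
# Added example (not the post's code): permission check for key-based login.
# Reads the mode string from ls -ld, e.g. "drwx------"; columns 6 and 9 are
# the group and other write bits.

mode_of() { ls -ld "$1" | cut -c1-10; }

# check_ssh_perms HOME_DIR -> prints every problem found; exit 0 when clean
check_ssh_perms() {
    home=$1 bad=0
    m=$(mode_of "$home")
    case "$m" in
        ?????w????|????????w?) echo "$home: group/world writable ($m)"; bad=1 ;;
    esac
    m=$(mode_of "$home/.ssh" 2>/dev/null)
    [ "$m" = drwx------ ] || { echo "$home/.ssh: want 700, have ${m:-missing}"; bad=1; }
    m=$(mode_of "$home/.ssh/authorized_keys" 2>/dev/null)
    [ "$m" = -rw------- ] || { echo "$home/.ssh/authorized_keys: want 600, have ${m:-missing}"; bad=1; }
    return $bad
}

# make_fixture DIR: constructed home directory laid out the way the post describes
make_fixture() {
    mkdir -p "$1/.ssh" && chmod 755 "$1" && chmod 700 "$1/.ssh" \
      && : > "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys"
}
```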

Apache : Unable to configure RSA server private key

Apache fails to start; /var/log/httpd/ssl_error_log shows the following error :

Unable to configure RSA server private key
SSL Library Error: x509 certificate routines:X509_check_private_key:key values mismatch

The private key and the certificate do not match. You can compare the certificate and the key with the following commands; the Modulus values they print must be identical :

View the certificate modulus using the following command :

openssl x509 -noout -text -in certfile -modulus

View the key using the following command :

openssl rsa -noout -text -in keyfile -modulus

TCP Treason uncloaked

TCP: Treason uncloaked! Peer xxx.xxx.xxx.xxx:xxxxx/80 shrinks window
76154906:76154907. Repaired.

This means that someone is attacking your server, probably by sending fragmented packets. This may be avoided by manually blocking this IP in iptables or, if this is a DDoS attack, an automated script may be used. See below (use with caution).

Short script:

#!/bin/bash

# Pull every peer address out of the "Treason uncloaked!" kernel messages and drop it
for ATTACKER_IP in $(dmesg | grep 'Treason uncloaked!' | cut -d' ' -f5 | cut -d':' -f1 | sort --unique)
do
iptables -A INPUT -s $ATTACKER_IP -j DROP
done

Complex script:

—cut—

iptables -F TREASON   # flush the chain if it already exists
iptables -X TREASON   # delete it
iptables -N TREASON   # and create it again, empty

… (your rest of the rules)

iptables -A INPUT -j TREASON # insert before state established and other lines

—cut—

Then, the below script should be in a cronjob (run once every whatever interval you feel fit).

—cut—
#!/bin/bash

# Stupid shell script to stop stupid TCP Treason attacks
# Setup cronjob to stop them

# First, flush and clean Treason rules
iptables -F TREASON
#iptables -X TREASON
#iptables -N TREASON

for ATTACKER_IP in $(dmesg | grep 'Treason uncloaked!' | cut -d' ' -f5 | cut -d':' -f1 | sort --unique)
do

FOUNDIT=0

# Never block our own addresses: gateways from the routing table and every interface address
for DONTBLOCK in $(route -n | grep -v Destination | grep -v Kernel | awk '{print $2}' | sort | uniq && ifconfig -a | grep inet | cut -f 2 -d ':' | cut -f 1 -d ' ' | sort | uniq)
do
# echo "Checking $DONTBLOCK against $ATTACKER_IP ..."
if [ "$DONTBLOCK" = "$ATTACKER_IP" ]; then
# echo "UHOH! Hacker using forged local IP! Don't block it!"
FOUNDIT=1
fi
done

if [ "$FOUNDIT" = "0" ]; then
# echo "Hacker IP $ATTACKER_IP not found in don't block list... Dropping"
iptables -A TREASON -s $ATTACKER_IP/32 -j DROP
fi
done
iptables -A TREASON -j RETURN

—cut—
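
Added example, not the post's own script, serving both the short and the complex script above: the address extraction is anchored on the "Peer" token instead of a field number, so it survives the timestamp prefix that dmesg prepends on many systems (which shifts the field that cut -f5 relies on), the local-address guard is kept, and the result is printed as a dry run instead of being applied. The log excerpt and the never-block list are constructed.

```shell
#!/bin/sh
# Added example (not the post's code): dry-run planner for the TREASON chain.
# Constructed dmesg excerpt; the "[ time ]" prefix on the second line is what
# breaks a fixed `cut -d' ' -f5`.
SAMPLE_LOG='TCP: Treason uncloaked! Peer 203.0.113.10:44512/80 shrinks window 76154906:76154907. Repaired.
[ 1234.567890] TCP: Treason uncloaked! Peer 198.51.100.7:51820/80 shrinks window 10:11. Repaired.
TCP: Treason uncloaked! Peer 203.0.113.10:44513/80 shrinks window 20:21. Repaired.
TCP: Treason uncloaked! Peer 192.0.2.1:3999/80 shrinks window 30:31. Repaired.
eth0: link up'

# Constructed never-block list: this host's own addresses and its gateway,
# the role played by the route/ifconfig pipeline in the post's script.
LOCAL_ADDRS='192.0.2.1 192.0.2.254 127.0.0.1'

# treason_peers: stdin log lines -> unique peer IPv4 addresses, one per line
treason_peers() {
    grep -F 'Treason uncloaked!' \
      | grep -oE 'Peer [0-9]{1,3}(\.[0-9]{1,3}){3}' \
      | cut -d' ' -f2 | sort -u
}

# not_local: stdin addresses -> those absent from LOCAL_ADDRS (forged-source guard)
not_local() {
    while read -r ip; do
        skip=0
        for keep in $LOCAL_ADDRS; do
            [ "$ip" = "$keep" ] && skip=1
        done
        if [ "$skip" = 0 ]; then printf '%s\n' "$ip"; fi
    done
}

# plan_rules LOG_TEXT: print (do not run) the TREASON chain rules for that log
plan_rules() {
    printf '%s\n' "$1" | treason_peers | not_local \
      | while read -r ip; do echo "iptables -A TREASON -s $ip/32 -j DROP"; done
}
```

Pipe the output into sh only after reviewing it, and keep the trailing `iptables -A TREASON -j RETURN` from the post's script so traffic that is not dropped continues down the INPUT chain.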

Block IP address in IPtables

INBOUND
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
OUTBOUND
iptables -A OUTPUT -p tcp -d xxx.xxx.xxx.xxx -j DROP