Tip: Encrypted passwords, just add salt

You can generate encrypted password strings (hashes) using the openssl utility.

You need to supply both a “salt” string and the password you wish to encrypt:

# openssl passwd -1 -salt MoreSalt ThePassword
$1$MoreSalt$Cvu.5MdMq1BjAsFp1oc.f/

The following command line generates a random 8-character salt string:

# openssl rand -base64 6

Combine these into a single command line that uses a different random salt on each invocation:

# openssl passwd -1 -salt $(openssl rand -base64 6) ThePassword
$1$XpOpurgQ$41bulzoCV8viFy37EX6jk.

Read on for a comparison between old crypt()-style passwords and the current md5-style shadow passwords.
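As an added example (not the author's commands or output), here is the md5-crypt algorithm behind `openssl passwd -1`, re-implemented in Python so you can see what the salt actually does: it is hashed in with the password, stored in clear in the result, and re-used at verification time. The `random_salt` and `verify` helpers are my own; note that `random_salt` draws from the crypt alphabet, whereas `openssl rand -base64` can also emit `+`, which is not a crypt salt character.

```python
import hashlib
import secrets

# crypt(3) output alphabet; unlike base64 it has no '+', so a salt from
# `openssl rand -base64` can contain a character crypt never uses.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"

def _to64(value, n):
    """n characters of 6 bits each, least significant group first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))

def md5_crypt(password, salt):
    """Return $1$<salt>$<hash>, the string `openssl passwd -1 -salt` prints."""
    pw, sl = password.encode(), salt.encode()[:8]    # salt is capped at 8 chars
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):               # len(pw) bytes of md5(pw,salt,pw)
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                         # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                            # fixed 1000 strengthening rounds
        ctx1 = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sl)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()
    # Digest bytes are interleaved in a fixed order before the 6-bit encoding.
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return "%s%s$%s" % (MAGIC.decode(), sl.decode(), enc + _to64(final[11], 2))

def random_salt(n=8):
    """Fresh salt drawn only from the crypt alphabet (hypothetical helper)."""
    return "".join(secrets.choice(ITOA64) for _ in range(n))

def verify(password, stored):
    """Re-hash with the salt embedded in `stored`; compare in constant time."""
    salt = stored.split("$")[2]
    return secrets.compare_digest(md5_crypt(password, salt), stored)
```

Because the salt travels inside the stored string, two users with the same password get different hashes, and a precomputed table for one salt is useless against another.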

Annoyed by phpMyAdmin scans? Set up a tarpit with mod_security!

Note: Rho’s excellent blog post pointed me in the right direction – credit where credit is due.

On my websites, I’ve seen a lot of scanning for vulnerable phpMyAdmin installations.

As a matter of policy, I don’t run phpMyAdmin on any Internet-facing web server. The scans won’t find anything, but the log entries are annoying so I decided to take action.

Some information about the attacks:

The scans originate from many different sources, so blocking individual IP addresses will not work.
The scans typically probe IP addresses (not hostnames) for phpMyAdmin installations. We will use this to our advantage.

The scans cannot be prevented, but at least [...]

Dropbox Tip: 1Password Sync

I’m a great fan of both 1Password and Dropbox, so what’s better than combining the goodness of both?

If you have multiple computers running 1Password, you’ll love how easy it is to set up password syncing using Dropbox. The 1Password team recommends Dropbox over MobileMe or iDisk, so I decided to follow their lead.

As an extra feature, you’ll even get “1PasswordAnywhere”…

Configuring SELinux for WordPress

I recently installed WordPress 2.9.2 on my webservers.

Since these servers are obviously connected to the Internet, they run with SELinux enabled. This means that you cannot use the standard FTP functionality in the WordPress admin panel to manage your themes and plugins.

If you configure SELinux properly, you can enjoy the comforts of WordPress without compromising security.

SSH Scanning and Brute-Force attacks

Many system administrators have already replaced their old Telnet, rsh/rlogin and ftp with more secure alternatives such as Secure Shell. While this improves security quite a bit, most SSH servers still allow access based on username/password credentials.

If your SSH server is connected to the Internet, you are still vulnerable to password-guessing attacks from automated scanning tools (see SANS “Internet Storm Center”).

To counter this threat, use SSH public key authentication instead of passwords. You can then disable password authentication in SSH altogether.

As an additional security measure, I recommend installing and configuring DenyHosts on your systems.

For more information, see my Wiki: HOWTO [...]