The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,512 other followers

Archive for the ‘Security’ Category

Keep a Changelog

Posted by jpluimers on 2019/03/20

Lot’s of tips (and translations!) on how to Keep a Changelog [WayBack].

There are lots of useful tips, ranging from content (how to write, what to include) to technicalities (order of entries, unreleased, version numbering, date format) that might seem unimportant but in practice makes using the changelog.

The really cool thing: the site has a changelog of itself showing the best practices.

via:

–jeroen

Posted in Development, Documentation Development, Encryption, Let's Encrypt (letsencrypt/certbot), Security, Software Development | Leave a Comment »

openssl: checking out RSA private key files in .rsa and .pem format

Posted by jpluimers on 2019/03/19

While checking out an issue with the SSH server for ContinuaCI issue (see info below), I wanted to look at the files leading to the issue: .pem and .rsa files with the private key for the SSH server.

So I browsed through my series of openssl related articles to see if I already had made a script better explaining the cryptic openssl command-line parameters. I didn’t have it yet, but it turned out to be really simple:

C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.rsa
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.rsa -text
Private-Key: (1024 bit)
modulus:
    ..:..:..:.....
publicExponent: 35 (0x23)
privateExponent:
    ..:..:..:.....
prime1:
    ..:..:..:.....
prime2:
    ..:..:..:.....
exponent1:
    ..:..:..:.....
exponent2:
    ..:..:..:.....
coefficient:
    ..:..:..:.....
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.pem
Enter pass phrase for server_keypair.pem:
unable to load Private Key
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
2675996:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
2675996:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2675996:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.pem -passin pass:password
unable to load Private Key
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
2675996:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
2675996:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2675996:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:

The command-lines use the [WayBack]rsa tool with:

  • the -in parameter
  • (for the first file) the -text parameter to dump it into human readable form
  • (for the second file) the -passin parameter with a [WayBackpass phrase argument pass:password.

The server_keypair.pem file (having the header -----BEGIN ENCRYPTED PRIVATE KEY----- and footer -----END ENCRYPTED PRIVATE KEY-----) was a password protected RSA private key where somehow ContinuaCI had the wrong password for.

I’m not sure it’s a good idea that the server_keypair.pem file has not password at all.

Read the rest of this entry »

Posted in Continua CI, Continuous Integration, Development, OpenSSL, Power User, Security, Software Development | Leave a Comment »

{Updated} Linux server security checklist. #sysadmin 

Posted by jpluimers on 2019/03/11

Most tips are OK, but:

  1. for password related policies, please read these:
  2. If you do DNS, implement DNSSEC
  3. I think ipv6 is OK, but like ipv4 needs to be firewalled
  4. Be really careful with fail2ban and similar tools: they are easy ways to lock yourself out as well, for instance by someone doing a nice (D)DoS on you.

Tips: [WayBack40 Linux Server Hardening Security Tips [2017 edition] – nixCraft

Via:

–jeroen

Posted in *nix, *nix-tools, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Installing Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

Posted by jpluimers on 2019/03/06

If I ever need to get LetsEncrypt to work with CloudFlare, then I need to read [WayBackInstalling Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

The steps there should save me hours.

Via [WayBcack] Free Let’s Encrypt SSL/TLS certificates are even easier to install than self-signed certificates. I could do so in 2 minutes in my +Linode … – Jean-Luc Aufranc – Google+.

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Calls from 18553308653 might be because someone is trying to use your phone number to setup a Microsoft account two factor authentication

Posted by jpluimers on 2019/02/18

Got some calls to my phone numbers in The Netherlands from 18553308653 that I did not ask for. The below searches revealed it is likely someone trying to use those to setup Two Factor Authentication.

It was not my live account, as that was already covered by the Microsoft Authenticator app (you can set up your phone number through account.live.com/names/Manage and authentication through account.microsoft.com/security, see steps at[WayBack] Microsoft – Authy).

Phone searches:

All of these indicate the phone calls come from the Microsoft phone verification system.

Problems for me are that:

  1. this number is not prominently listed on the Microsoft site, so at first I did not trust it was theirs
  2. even outside the USA they use this number, but for other purposes the use more local numbers (for The Netherlands the SMS verification came from +447754836756)
  3. the SMS verification number is not listed on their site either, hardly any hits outside it as well: [Archive.is] +447754836756 – Google Search

–jeroen

Posted in Authentication, Power User, Security | Leave a Comment »

 
%d bloggers like this: