The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,854 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

Cipher: a command-line tool to decrypt/encrypt files and directories (een recursively) on Windows

Posted by jpluimers on 2020/07/03

A while ago, I had to mass encrypt a lot of directories and files on Windows for some directories in an existing directory structure.

This helped me to find out which ones were already done (it lists all encrypted files on all drives; the /n ensures the files or encryption keys are not altered):

cipher.exe /u /n /h

This encrypted recursively in one directory B:\Directory:

cipher /D /S:B:\Directory /A

It also has options to wipe data (/W), export keys into transferrable files (/X) and many more.

If you like the Windows Explorer more then to encrypt/decrypt (it is a tedious process): [WayBack] How do I encrypt/decrypt a file? | IT Pro.

Via:

–jeroen

Posted in Encryption, NTFS, Power User, Security, Windows | Leave a Comment »

Just as “curl | sudo sh is not advised”, do not impose running http based scripts in your customers IDE

Posted by jpluimers on 2020/06/30

For a long time, it is advised against to curl | sudo sh or equivalent:

  • [WayBackwhy using curl | sudo sh is not advised? – Stack Overflow

    Because you are giving root access to whatever script you are executing. It can do a wide variety of nasty things.

  • [WayBack] The Security Spectrum of curl | sh

    By far the most irresponsible use of curl | sh is to use it with plain, unauthenticated, insecure HTTP instead of HTTPS. This is because it’s not only possible, but also increasingly likely, that the connection over which the shell script is delivered could have its contents silently modified by anyone in network position between the vendor and the installer—especially if you’re using public Wi-Fi. (If you don’t believe this is a real risk, consider that some companies’ business models revolve around modifying JavaScript delivered over HTTP in-transit—and anyone can hijack Wi-Fi with inexpensive, easy-to-obtain devices.)

So I’m surprised that companies still run content – include JavaScript – over an insecure http transport channel in their customers IDE instances.

Many developers run their IDE as Administrator, but even as regular user this is a large security risk: the transport layer is the easiest to hack and will eventually be hacked.

One such occasion was [WayBack] Delphi 10.2.3: Tools > Options Click OK = Script Error I have another weird situation with Delphi 10.2.3. Anytime I open up the options and click OK I … – Michael Riley – Google+ .

That one actually showed the script executed, but normally you do not see it happening at all.

So my advice:

Run the web-traffic from your development machines over a web-proxy like HTTP Fiddler, then disable all http based scripts.

–jeroen

Line 73: https://gist.github.com/jpluimers/40a60ca1e07bb91fa337ecfebe314d64#file-cf-common-js-L73

Read the rest of this entry »

Posted in Development, Power User, Security, Software Development | Leave a Comment »

Hardening: sshd_config – How to configure the OpenSSH server | SSH.COM

Posted by jpluimers on 2020/06/05

If you want to harden your ssh server, read at least [WayBack] sshd_config – How to configure the OpenSSH server | SSH.COM.

After that use some ssh tools to check your config from the outside world. They work in a similar way as the TLS/SSL/https scans from Source: SSL Server Test (Powered by Qualys SSL Labs) or these console based scans and documentation references:

Simiarly for SSH:

Then read further on more in depth SSH topics around key management:

–jeroen

 

Posted in Encryption, Hashing, https, HTTPS/TLS security, OpenSSL, Power User, Security, testssl.sh | Leave a Comment »

Expect your sites to be accessed over https and ensure your certificates match

Posted by jpluimers on 2020/05/22

igOver the last lustrum, there has been a steady increase in https usage. It crossed the 30% mark early 2016, crossing the 50% mark early 2017 and 80% mark early 2018, even the https-by-default configuration is now pretty large:

Ever since 2012, but especially with the increased HTTPS adoption, you can expect more and more users to run plugins like HTTPS Everywhere – Wikipedia which switch a request from insecure http to secure https.

Read the rest of this entry »

Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

On my list of things to try: GitHub – arthepsy/ssh-audit; SSH server auditing

Posted by jpluimers on 2020/05/18

This looks like an ssh equivalent to testssl.sh: [WayBack] GitHub – arthepsy/ssh-audit: SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc).

It is on my list of things to try, so I’ve put a watch on the repository changes.

–jeroen

Read the rest of this entry »

Posted in Communications Development, Development, Encryption, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »

Exploits Database by Offensive Security

Posted by jpluimers on 2020/05/11

Interesting to monitor (it has a nice RSS feed!) so you can ensure your systems get patched sooner rather than later:

The Exploit Database – Exploits, Shellcode, 0days, Remote Exploits, Local Exploits, Web Apps, Vulnerability Reports, Security Articles, Tutorials and more.

–jeroen

Posted in Power User, Security | Leave a Comment »

SSH through HTTPS

Posted by jpluimers on 2020/05/04

Often, hotspots only allow http/https traffic. Other traffic – like SSH – is blocked. Nowadays, fewer hotspots block that, but too many still do.

So it can be worth a while to route your SSH server through HTTPS (I don’t like Web-based SSH that much as terminal emulation in browsers isn’t that well yet, but that seems to change rapidly, more on that in the “Further reading” section below).

After some background reading at apache – Tunnel over HTTPS – Stack Overflow, here are a few links that help you do it:

Server side: DAG: Tunneling SSH over HTTP(S).

You need:

  • An internet connected Apache server (eg. with IP address 10.1.2.3)
  • A FQDN that points to this IP address (eg. ssh.yourdomain.com)
  • A virtual host configuration in Apache for this domain (eg. /etc/httpd/conf.d/ssh.yourdomain.com.conf)
  • A configuration to adapt ssh to use the HTTP tunnel

Read more at DAG: Tunneling SSH over HTTP(S) and SSH over SSL, a quick and minimal config..

Client side: Using SSH over the HTTPS port · GitHub Help.

Steps:

  1. Test of it works at all
  2. Edit your local ~/.ssh/config file to redirect SSH to HTTPS

Read more at Using SSH over the HTTPS port · GitHub Help.

Using Putty and an HTTP proxy to ssh anywhere through firewalls | Me in IT.

the Digital me: SSH Tunneling Proxy using Putty on Windows and Linux (Unblock YouTube / Orkut / Facebook).

Tunneling SSH through HTTP proxies using HTTP Connect – ArchWiki.

HTTP Tunneling – ArchWiki.

Running SSHD on port 443.

Not all proxy configurations and hotspots support this. But it might be worth a look: SSH Over Proxy.

Further reading: Web-based SSH.

SSH plugins for browsers:

Web based SSH:

–jeroen

Posted in Communications Development, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »

OpenSSH keygen guidelines

Posted by jpluimers on 2020/05/01

Verify [WayBack] OpenSSH: Key generation before generating keys.

At the time of grabbing it was this (for the mozilla tag; use another tag if you prefer):

# RSA keys are favored over ECDSA keys when backward compatibility ''is required'',
# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"

# ED25519 keys are favored over RSA keys when backward compatibility ''is not required''.
# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"

This was not changed based on [WayBack] Key generation: pass-a and -o argument? · Issue #68 · mozilla/wikimo_content · GitHub: a discussion on the KDF rounds (-a parameter) and storage format (-o parameter).

This is slightly less strong than in [WayBack] Upgrade Your SSH Key to Ed25519 | Programming Journal, but seems to be OK when writing this in 2018.

For comparison, a similar discussion is at [WayBack] public key – How many KDF rounds for an SSH key? – Cryptography Stack Exchange.

In practice, I am not for one ssh ID per host, but I use different tags depending on where the ssh ID applies. More discussion on this is at [WayBack] privacy – Best Practice: ”separate ssh-key per host and user“ vs. ”one ssh-key for all hosts“ – Information Security Stack Exchange

Based on the above, I also learned about this password generator: [WayBack] GitHub – gdestuynder/pwgen

–jeroen

Posted in *nix, *nix-tools, Encryption, Hashing, Power User, Security, ssh/sshd | Leave a Comment »

SFTP (SSH file transfer protocol) server on Windows

Posted by jpluimers on 2020/04/10

A few links for my archive:

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Security, SSH, TCP | Leave a Comment »

ssh – Why OpenSSH deprecated DSA keys – Information Security Stack Exchange

Posted by jpluimers on 2020/03/10

In a lot of ssh-keygen related posts, you still see DSA being mentioned, though that has been deprecated and later removed from OpenSSH.

I wondered why, so I did some digging.

TL;DR: it’s complicated:

  • different standards mandating eventually conflicting parameters,
  • extending the parameters would require protocol extension,
  • a logjam vulnerability for certain combinations of parameters and finally
  • better algorithms having become available.

Some of the related topics cannot be archived in the WayBack machine or refuse being archived at Archive.is, so here is a list of partially archived relevant links:

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »

« Previous Entries
Next Entries »