Posts

Understanding Kerberos

Kerberos is a network authentication protocol developed by MIT. It enables secure, mutual authentication between a client and a service over an insecure network. Kerberos typically uses symmetric key encryption, although it is capable of both symmetric and asymmetric cryptography. A free implementation is available from MIT; the most recent release is krb5-1.19.3 (as of 14 Mar 2022). It is also widely used by many operating systems, such as MS Windows, RHEL, HP-UX and others.

Terminology
Principal - a unique identity identified by username and realm (domain), represented in the format username@REALM.NAME
Realm - a logical group of resources and identities within Kerberos; also called a domain and typically named after the DNS domain
Ticket - an encrypted data block used for authentication; tickets contain a ticket key and a session key
KDC - Key Distribution Center, a trusted third party that issues tickets to principals
TGT - Ticket Granting Ticket, a ticket that allows the client to obtain additional ticket

Linux: auditd fundamentals

auditd stands for the audit daemon and it can be used to log events happening on a Linux host. It is a very powerful tool that can enable threat detection and/or - as the name suggests - create audit records. It writes to /var/log/audit/audit.log and collects information such as timestamp, PID, UID, audit UID (auid), session info (ses), SELinux info (subj) and message (msg).

Installation
auditd is installed by default on most Linux distributions. In my case, I'm using RHEL 8 for testing purposes. The package is called audit.

Rules
auditd is rule-based software and it supports the following three types of rules:
control: to configure general settings of the audit system, such as event rate limit, etc.
file: file rules or watches can monitor files or directories and use the following syntax: -w path-to-file -p permissions -k keyname
syscall: these rules are loaded into the matching engine that intercepts every single syscall on the system and for this reason they

OS anomaly detection with AIDE

Advanced Intrusion Detection Environment (AIDE) is a Linux tool to detect changes in the system state. It can be classified as File Integrity Monitoring (FIM) software. It simply builds a database that describes the current contents and attributes of monitored files. Later it can be used for comparison to detect any changes to the system. AIDE uses checksums to perform integrity checks; it supports algorithms such as sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool and a few more via optional integrations. Available rules and hashing algorithms are listed in /etc/aide.conf and on the man pages.

Installation
sudo yum -y install aide
In this case I am using Red Hat 8 and yum.

Set up monitoring
/var/log/secure$ p+u+g+n+S+acl+selinux+xattrs
Add this line to monitor changes to /var/log/secure.

Initialize database
sudo aide --init
Once this is completed, you need to move the new database to the AIDE master database.
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Perfo

Study notes: Understanding DNSSEC

DNSSEC
Recently I have been researching materials covering DNSSEC as it is an important subject for LPIC-3 Exam 303. DNSSEC has been developed to address security issues of the DNS protocol, in particular to prevent DNS cache poisoning attacks. Below I post the DNSSEC description from the Internet Corporation for Assigned Names and Numbers (ICANN), which I find useful and have included in my study notes.

"DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data. Every DNS zone has a public/private key pair. The zone owner uses the zone's private key to sign DNS data in the zone and generate digital signatures over that data. As the name "private key" implies, this key material is kept secret by the zone owner. The zone's public key, however, is published in the zone itself

Splunk: Authentication with Discord? Why not! (OAuth 2.0)

As some of you may already know, thanks to the OAuth standard (which stands for Open Authorization) we don't need a separate account for every single website. It allows us to share information about our Google account with a third party, such as our name and e-mail address. On many sites we are free to use the "Login with Google/Facebook/other" button to sign up and/or log in. Thanks to OAuth we don't have to give our password to the app/website. Upon login we are redirected to the OAuth provider's site to log in there (for instance to our Google account). And now the best part - if we are already logged in on the provider's site, this is likely to result in an instant login on the third-party site (sometimes interrupted by a pop-up to confirm the OAuth scope).

Here is a list of well-known OAuth providers (Wikipedia): https://en.wikipedia.org/wiki/List_of_OAuth_providers
To get a better understanding of OAuth 2.0 I would recommend reading these docs for developers: Using OAuth 2.0 to Acces

Encrypting data with eCryptfs

Encryption is probably the best way to secure sensitive data and protect your private files from unauthorized access. eCryptfs is a Linux tool to create an encrypted directory (user home directory encryption is also supported, see below). eCryptfs acts as a stacked filesystem and it works by mounting an encrypted directory onto another, unencrypted mount point at runtime.

This is also a topic for the LPIC-303 exam:
331.3 Encrypted File Systems - Use eCryptfs to encrypt file systems, including home directories and PAM integration

Installation
sudo apt-get install ecryptfs-utils
ecryptfs-utils package installation example (Ubuntu).

Creating an encrypted directory
sudo mount -t ecryptfs ~/private/ ~/private/
Using the mount command and selecting ecryptfs as the filesystem.

Encrypting home directory
sudo ecryptfs-migrate-home -u test
Note: the user has to be logged out during this operation.

PAM integration
There is a PAM module called pam_ecryptfs, which ca

Apache HTTPD with mod_ssl: Exploring configuration options

This is yet another blog post related to LPIC-3 Exam 303: Security. Knowing Apache configuration options is an important topic for security engineers. The Apache web server often serves web interfaces or acts as a reverse proxy (for example for Splunk or Kibana). TLS configuration is an important step in securing these interfaces from eavesdropping and man-in-the-middle attacks. Let's examine the Apache web server configuration with mod_ssl.

TLS configuration
The SSL/TLS configuration file resides under /etc/httpd/conf.d/ssl.conf. The SSLCertificateFile and SSLCertificateKeyFile mod_ssl directives are used to enable HTTPS.
SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"

Mutual TLS authentication
To enable client authentication with a certificate we need the following three directives:
SSLVerifyClient: set to require, so the client has to present a valid certificate
SSLVerifyDepth: the ma