Category Archives: Security

Linux Security Checks

Amazon Square Trade, Cell Phone Repair, and Fraud Charges

My Samsung Galaxy S5 had a usb charging port problem after 18 months. I had gotten a SquareTrade policy when I bought the phone, since they are half the price of At&t’s protection plan.

I did NOT have enough battery power to do a factory reset, so I sent the phone in minus the SD Card. HUGE Mistake. A mere week had gone by after I sent the phone in for repair, and oh! What’s this? A charge from Microsoft Xbox on my account? I have never owned an Xbox, let alone opened an account. I called Microsoft Xbox at (800) 469-8269 and said, “Umm, I never bought an Xbox, what’s going on?” They had opened an account using my gmail spam email account@outlook.com, that day. Sure enough, my credit card was linked to this account. They removed the credit card, but could NOT say what the charge was for….hmmm.

I called my bank, and cancelled my credit card. Oh but wait. There were more surprises in store.

They tried to change my Facebook password. Twice. But since I have dual layer authentication (something you have, plus something you know. Like an atm card and a pin.)

And I permanently lost about 6 weeks of emails from my regular gmail account.

But the fun was not over yet. When they returned the phone, it had been factory reset.

Then, I started getting a Sim Card Error. We traipsed lazily into the At&t store, and got a new Sim card. Nope. I still had no service. So we put a friend’s Sim Card in my phone. Nope, not going to happen. We put my Sim card into their phone and it worked as advertised. So the phone has a bad Sim Card Reader. Nice.

Round 2 of dealing with SquareTrade. I spoke to their “offshore” tech support person, and he said that someone would be calling me in 20 minutes (on another line.) Sure enough about 1/2 hour later, the phone rang, and this time it was good old American based tech support.

I explained the issue (again). Since the failure occurred less than 30 days after repair, this was covered. So my phone went to Los Angeles (via Memphis) a second time. I am still waiting.

Lesson learned. If you are going to send your cell phone in for repair, doesn’t matter if it’s SquareTrade, or someplace else. Save yourself some grief, do screen shots of your screens, save them to the micro sd card (or email them to yourself), and nuke that phone (factory reset) before it leaves your hands for repair, if at all possible. I could have gone to Batteries Plus and gotten a 2nd battery and done the wipe before shipping. But hey, I now have 2 batteries.

Enjoy my technological impairment!

Wayno

Stabilizing an atheros ar9485 (ath9k) connection in Linux (Wheezy)

If you search the internet, one of the issues that seems to come up a lot is connectivity problems with the Atheros AR9485 card.

I am configuring a new laptop, an HP Pavilion G6-2323DX for my Mom. I ran into many issues that caused me to have to do hokey pokey.

This is pure hokey pokey. But it does work.

The operating system I am using is Debian/Wheezy V 7 RC 1 (64 Bit)

If I do a uname -a, I get back:

Linux AnnLin 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

Let’s just step by step check things.

1. Let’s see if Linux sees the card:


lspci | grep Wireless

You will get back a line like:

02:00.0 Network controller: Atheros Communications Inc. AR9485 Wireless Network Adapter (rev 01)

That means Linux sees it, but of course it is NOT configured.

2. Let’s see if the driver (ath9k) is loaded. We will use modprobe.


modprobe ath9k

If the device driver is loaded, it will just return a prompt. That’s a “good thing” as Martha would say.

3. Let’s look to make sure the wpa-supplicant programme is installed. The WPA supplicant provides wireless protected access (encryption) for our connection.


dpkg -l | grep supplicant

and you should get back:

ii  wpasupplicant  1.0-3+b2  amd64  client support for WPA and WPA2 (IEEE 802.11i)

We’re good!

4. Now let’s modify /etc/network/interfaces


cd /etc/network # go to network interfaces
sudo cp interfaces interfaces.org # make a backup copy
sudo nano interfaces

You will get back something like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

#define the network interface for the wireless lan card
iface wlan0 inet dhcp
wpa-ssid MyHome
wpa-psk MyPass

wpa-ssid is the name of the wireless network you are trying to connect to. wpa-psk is the password for that network. Yup plain text!

The iface line defines wlan0 so it has access to the internet, and gets its IP address dynamically (dhcp).

The card interface is STILL not up!

5. Bring up the interface!


sudo ifdown wlan0; sudo ifup wlan0;

You will get output that looks like:

ifdown: interface wlan0 not configured
Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/wlan0/20:16:d8:e5:32:b4
Sending on LPF/wlan0/20:16:d8:e5:32:b4
Sending on Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 8
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPOFFER from 192.168.1.1
DHCPACK from 192.168.1.1
bound to 192.168.1.4 -- renewal in 37985 seconds.

6. AND NOW THE HOKEY POKEY PART 1!

Install wicd (Wireless Interface Connection Daemon)


sudo apt-get install wicd

Once that is installed, REMOVE the gnome network mangler!


sudo apt-get purge network-manager-gnome

7. HOKEY POKEY PART 2!

Reboot the machine. After re-booting bring up the interface.


sudo ifdown wlan0; sudo ifup wlan0;

It should look like this:

[Screenshot: Wicd]

8. HOKEY POKEY PART 3!

Now go back to /etc/network/interfaces and remove (or comment out with a # in front) the wpa-ssid and wpa-psk lines for the wlan card, leaving just: iface wlan0 inet dhcp and whatever else was there, just not the wpa information.


cd /etc/network # go to network interfaces
sudo nano interfaces

9. Restart the network:


sudo /etc/init.d/networking restart

You will get back something like this:

[….] Running /etc/init.d/networking restart is deprecated because it may not re-enable some interfaces … (warning).
[….] Reconfiguring network interfaces…Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/wlan0/20:16:d8:e5:32:b4
Sending on LPF/wlan0/20:16:d8:e5:32:b4
Sending on Socket/fallback
DHCPRELEASE on wlan0 to 192.168.1.1 port 67

This basically makes sure we don’t have any errors in /etc/network/interfaces.

10. HOKEY POKEY PART 4

Reboot once again, and this time the interface should come up automatically. Screensaver engagement should not knock the connection offline.

And that’s what it’s all about!

I have to thank 3 people for all their help. Joe, Loni and Frances.

Wayno

How to install and configure openvpn (virtual private network) for Linux

Virtual Private Networks are a useful tool, to allow us to securely reach an isolated computer or network.

Yet it requires more tweaking than one would imagine. So here’s a step by step guide on how I did it, with a LOT of help in understanding some of the key concepts, provided by my friend Joe, and protocol explanations from Darren of hak5.

1. What’s the first thing we do? Why install openvpn of course!


sudo apt-get install openvpn

2. Now we need to generate our secret key. This is used to authenticate a remote user trying to gain access. We will use openvpn itself to generate the secret key. NOTE: Debian by default, does NOT provide a path to /usr/sbin

You can fully qualify it: /usr/sbin/openvpn

temporarily add it to the PATH variable: export PATH=$PATH:/sbin:/usr/sbin:/usr/sbin

Or just add:

export PATH=$PATH:/sbin:/usr/sbin:/usr/sbin

to .bashrc

If you add it to .bashrc, you will need to logout and back in again, so it will re-read the file.

Let’s generate that key!


openvpn --genkey --secret vpn.key

Simple, huh?

3. Let’s move some files, and create the configuration file for openvpn.

first, let’s move our secret key file:


sudo cp vpn.key /etc/openvpn/.

The period at the end, is significant. It says copy the file, right here.

4. Next is the configuration file. Using your favourite editor (nano in my case) create the /etc/openvpn/openvpn.conf file as follows. Most of the explanations of the parameters come from here.


# Sample openvpn configuration file
# jjs June 6, 2012 V1.0
#
# annotated by Wayno
#
# remote specifies the address of the server

remote 172.229.15.5

# dev tun specifies that we are using a tunnel device

dev tun

# ifconfig tells ip address for the interface

ifconfig 192.168.224.253 192.168.224.254

# and the secret key name (in /etc/openvpn)

secret vpn.key

# use port 5001 (default) to connect to the vpn. This may require
# you to add this in your router.

port 5001

# if you want data compression

comp-lzo

# ping every 10 seconds, if no ping in 120 seconds, other side dead

keepalive 10 120

# ping timer starts after it receives a connection

ping-timer-rem

# don't recreate a virtual net interface TUN after automatic restart

persist-tun

# Don't read pre-shared static key file again after auto restart

persist-key

# user and group

user nobody
group nogroup

# after initialization, run in the background as a daemon

daemon

# setup the route after ifconfig

route 192.168.111.0 255.255.255.0

# append the /etc/openvpn/openvpn.log

log-append openvpn.log

5. Restart openvpn


sudo service openvpn restart

If you check /etc/openvpn/openvpn.log you will get something like this:

sudo cat openvpn.log
Tue Oct 2 01:22:07 2012 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Tue Oct 2 01:22:07 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Oct 2 01:22:07 2012 /usr/sbin/openvpn-vulnkey -q vpn.key
Tue Oct 2 01:22:07 2012 WARNING: file ‘vpn.key’ is group or others accessible
Tue Oct 2 01:22:07 2012 LZO compression initialized
Tue Oct 2 01:22:07 2012 TUN/TAP device tun0 opened
Tue Oct 2 01:22:07 2012 /sbin/ifconfig tun0 192.168.224.253 pointopoint 192.168.224.254 mtu 1500
Tue Oct 2 01:22:07 2012 GID set to nogroup
Tue Oct 2 01:22:07 2012 UID set to nobody
Tue Oct 2 01:22:07 2012 UDPv4 link local (bound): [undef]
Tue Oct 2 01:22:07 2012 UDPv4 link remote: [AF_INET]72.200.67.229:5001
Tue Oct 2 01:22:07 2012 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Tue Oct 2 01:22:07 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Oct 2 01:22:07 2012 /usr/sbin/openvpn-vulnkey -q vpn.key
Tue Oct 2 01:22:07 2012 WARNING: file ‘vpn.key’ is group or others accessible
Tue Oct 2 01:22:07 2012 LZO compression initialized
Tue Oct 2 01:22:07 2012 TCP/UDP: Socket bind failed on local address [undef]: Address already in use
Tue Oct 2 01:22:07 2012 Exiting
Tue Oct 2 01:22:10 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Tue Oct 2 01:22:20 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Tue Oct 2 01:22:20 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)

6. Let’s see if it works?


ping -c 5 192.168.224.253

PING 192.168.224.253 (192.168.224.253) 56(84) bytes of data.
64 bytes from 192.168.224.253: icmp_req=1 ttl=64 time=0.033 ms
64 bytes from 192.168.224.253: icmp_req=2 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=3 ttl=64 time=0.030 ms
64 bytes from 192.168.224.253: icmp_req=4 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=5 ttl=64 time=0.040 ms

--- 192.168.224.253 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.030/0.037/0.041/0.004 ms
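
The log in step 5 warns that vpn.key is group or others accessible and also records a failed socket bind. The following added example (not part of the original post) checks and tightens the key file's mode and summarises the warning and failure lines of a log; the function names, the scratch files and the log excerpt are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Requires GNU stat (Debian default).

# too_open FILE: succeeds when group or others hold any permission bit.
too_open() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# harden_key FILE: restrict a secret file to owner read/write if it is too open.
harden_key() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    if too_open "$1"; then
        chmod 600 "$1" && echo "fixed: $1 is now mode 600"
    else
        echo "ok: $1"
    fi
}

# log_findings LOG: count distinct warning/failure messages, timestamps removed.
log_findings() {
    grep -E 'WARNING:|Socket bind failed|EHOSTUNREACH' "$1" |
        sed -E 's/^[A-Z][a-z]{2} [A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [0-9]{4} //' |
        sort | uniq -c | sort -rn
}

# Demo on constructed files in a scratch directory; nothing under /etc is touched.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed placeholder, not a real key\n' > "$dir/vpn.key"
    chmod 644 "$dir/vpn.key"        # reproduce the condition the log warns about
    cat > "$dir/openvpn.log" <<'EOF'
Tue Oct 2 01:22:07 2012 WARNING: file 'vpn.key' is group or others accessible
Tue Oct 2 01:22:07 2012 LZO compression initialized
Tue Oct 2 01:22:07 2012 WARNING: file 'vpn.key' is group or others accessible
Tue Oct 2 01:22:07 2012 TCP/UDP: Socket bind failed on local address [undef]: Address already in use
Tue Oct 2 01:22:10 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Tue Oct 2 01:22:20 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
EOF
    log_findings "$dir/openvpn.log"
    harden_key "$dir/vpn.key"
    rm -rf "$dir"
}
demo
```

On the real system the call would be `sudo sh -c '. ./script.sh; harden_key /etc/openvpn/vpn.key'` or simply `sudo chmod 600 /etc/openvpn/vpn.key`. The same too_open check applies to /etc/network/interfaces for as long as it holds a plain-text wpa-psk.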

How to generate an easy to remember password

Need a strong, but easy to remember password? No need to remember, generate it! Up to 48 chars, works on any unix-like system:


read -s pass; echo "$pass" | md5sum | base64 | cut -c -16

Joe –

========================================

MD5SUM creates a 128 bit hash.

Base64 turns a binary number into ASCII

cut – simply removes sections for each line.

Output looks like:

n@H:~$ read -s pass; echo $pass | md5sum | base64 | cut -c -16
(I entered: abcdefg)
MDIwODYxYzhjM2Zl
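
An added example (not from the original post) that measures what this pipeline emits: base64 is applied to md5sum's hexadecimal text rather than to the raw hash, so every 4 output characters carry 3 hex digits, and the default 16 characters hold 48 bits of the hash. The function names derive, payload and entropy_bits are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# derive PASS [N]: the page's pipeline, keeping the first N characters (default 16).
derive() {
    echo "$1" | md5sum | base64 | cut -c "-${2:-16}"
}

# payload PASS [N]: decode the derived password back to the text it encodes.
# N must be a multiple of 4 so that the base64 input is complete.
payload() {
    derive "$1" "${2:-16}" | base64 -d
}

# entropy_bits N: upper bound on the hash bits carried by N output characters.
# Each group of 4 base64 characters encodes 3 hex digits of 4 bits each,
# and an MD5 digest has only 32 hex digits in total.
entropy_bits() {
    digits=$(( $1 / 4 * 3 ))
    if [ "$digits" -gt 32 ]; then
        digits=32
    fi
    echo $(( digits * 4 ))
}

# Demo with the input used on the page.
for n in 16 48; do
    printf '%2d chars: %s (at most %s bits)\n' \
        "$n" "$(derive abcdefg "$n")" "$(entropy_bits "$n")"
done
printf 'the 16 chars decode to: %s\n' "$(payload abcdefg 16)"
```

The 48-character maximum is the 36 bytes md5sum prints (32 hex digits, two spaces, a dash and a newline) after base64 encoding, so the last few characters are the same for every input. MD5 is fast and unsalted, so the generated string is only as hard to guess as the phrase typed in.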

25 worst passwords — how to change your password in Linux

Noob thing.

Might be interesting to find out if your password is on the list.

The top 25 worst passwords.

How do you change your password?


:~$ passwd

You will get output that looks like:

Changing password for (youruserid)
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
:~$

Wayno