blog.mirabellette.eu

A blog about digital independence and autonomy

Cybersecurity

Important principles in cybersecurity - 1

Written by Mirabellette / 01 july 2018 / no comments

Introduction

This blog is focused on privacy and digital autonomy. However, digital privacy is not possible without some knowledge of cybersecurity. Today I would like to discuss cybersecurity, and especially the principles I think are important to keep in mind when you start thinking about it. This is the first article of a series of, I think, two or three. To begin with, nothing is better than defining the terms. Let's see what Wikipedia says about cybersecurity:

Cybersecurity, computer security or IT security is the protection of computer systems from the theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide.
Cybersecurity includes controlling physical access to system hardware, as well as protecting against harm that may be done via network access, malicious data and code injection. Also, due to malpractice by operators, whether intentional or accidental, IT security personnel are susceptible to being tricked into deviating from secure procedures through various methods of social engineering.

The important principles

Security is a process, not a product

During one of my previous jobs, a client asked me what concerned me most about security in the company's IT services. They had devices used by a thousand clients, cloud systems and websites. For me, they had multiple weaknesses which could be abused, but I decided to give an unexpected answer. My most important concern was how they manage cybersecurity. Security threats and vulnerabilities will always occur; they are inherent to computer science and to any product. What makes the difference is how you manage them.

As often, I didn't get the idea from nowhere. It is a famous quote from Bruce Schneier. Why is security a process and not a product? Threats and countermeasures constantly evolve. Even if you enable every security feature today, in one year or three years you will have something to do to stay "secure".

Some examples of things you will have to do manually:

  • Enable new security features: SELinux, Content Security Policy ...
  • Replace old cryptographic ciphers by new ones
  • Verify that updates were done; some updates can disable automatic updates, as WordPress did once.
  • Laws evolve and you have to add new features or modify some, GDPR being the latest well-known example
  • Dealing with a compromised system
  • Dealing with a world-breaking vulnerability (hihi, Heartbleed)

Nothing is invulnerable


I am sorry to tell you, but if you think your system can be invulnerable, you probably need to do some research on the subject. Even a computer not connected to the internet can be compromised. Stuxnet did well at disrupting Iranian nuclear plants in 2012, nuclear plants which were not connected to the internet and ran on a specific system. The only thing you can do to protect your systems is to have a good cybersecurity policy and dedicate time to working on it.

Another good example of this important rule is in cryptography. A lot of people recommend storing data in Google, Microsoft or Amazon cloud services. When you ask them about privacy, they just reply that you encrypt it and it is ok. I am sorry, but it is not ok, not ok at all. Do you really think a file encrypted with today's technology could resist technological improvement for 5, 10 or 20 years? Even the most secure current cryptographic standard will be broken in a reasonable time within 30 years, probably before. If you want to know more, you just have to do some research about quantum computing.

Cybersecurity is not easy

I read somewhere that cybersecurity is easy. You just have to do this and this and this and you are secure. Or do this and this and this and you have now compromised 10000 computers. Yes, but no. I am sorry to tell you, but in general, in computer science, it is not doing the thing which is complicated. What is complicated is understanding how it works underneath and modelling the solution. This takes plenty of time and requires dedication and abnegation. An example which comes to my mind is when hackers give presentations about offensive cybersecurity. They often say it requires just 10 lines of code to take control of something.

For me, they are all newbies. First of all, because they need 6 lines of code whereas you can do it in one line (troll inside :p). Secondly, because the number of lines is not the point. The hard part of hacking is not writing code, it is understanding how it works and how to put things together. If you show how to compromise a camera linked to a computer connected to the same Wifi you use, you need at least to understand:

  • How a local network works
  • Which systems are connected
  • How to identify whether it is vulnerable
  • How to penetrate it
  • Which kind of traces you leave behind you

If you don't understand one of these steps, you are a script kiddie who does things without understanding what he is doing. When I began this part by saying they are all newbies, it was just provocative. I have immense respect for other people and I truly know that I know just a few things, with a lot of things I ignore.

The cybersecurity cursor is dictated by threats and associated risks

As in development, you need to have a cursor in order to avoid spending your time on tasks which are not very important or, in cybersecurity, fighting against nonexistent risks. I think the most relevant indicator is the threat model. What do I have to protect against? If I have to protect against a government agency, I will tell you honestly, it is lost. If they really want to catch you, they can deal with it. In this case, the best thing you can do is to avoid attracting their interest.

My case is a little bit different because I am passionate about defensive security and work in this field. That's why I try to have things as secure as possible. Even doing that, I know it is not enough, and I accept it. Knowing the threats and associated risks will help you know what you have to prioritize. For example, I am an unknown blogger with an online website. I should not interest a government agency or a professional black-hat hacker, so I attach a very low probability to being attacked by them (still a possibility, you never know). I should also only be attacked over the internet. If I do something offline, it should be "safe".

So, in my current situation, the most likely threats will come from the internet, and mostly from bots. The second one on my threat model list is another blogger or tech guy who dislikes me or tries to discredit me. This kind of person could be highly skilled in computer science. That means they will probably attack the website with more specific tools than bots have, but they will not persevere a lot (I hope). That's why I decided to set the security level to at least moderate (on my security ladder, a high level means the system should be able to resist a professional pirate, and a very high level means the system should be able to resist a government agency).

In my scenario, I have to deploy and enable features to resist bots and the most common weaknesses. Concretely, that's why I decided to use the PluXml product. It is far less popular than WordPress and Joomla, which means bad people will look less for vulnerabilities in it, and if they find one, there is little chance it gets included in a bot. However, the maintenance of PluXml is currently quite abandoned; that is a problem and I will probably have to switch to another product. A high level of security would imply a static website with no available services; a very high level of security, no website at all.

Conclusion

I hope you enjoyed this first article about cybersecurity. The tone I used was a little bit more engaged than usual.
Feel free to comment if you want to add ideas or discuss it. If you find this article useful, you can subscribe to the RSS feed of the blog or follow me on Mastodon. Don't hesitate to share it if you think it could interest someone.

Fix openvpn mbuf packet dropped

Written by Mirabellette / 11 april 2018 / no comments

Hello everyone

I hope you are doing great and everything is fine for you.

Use case

I have an OpenVPN daemon running over TCP on port 443 on a Debian system. For months I have been getting thousands of error messages about MBUF packets dropped. The message was

openvpn MBUF: mbuf packet dropped

It occurs only if you use OpenVPN over TCP. I know it is considered bad practice because it generates unneeded traffic, but you have to make choices.

What I do

After hours of research, I was able to fix it. I added these two lines to the server configuration file:

tcp-queue-limit 4096
bcast-buffers 4096

Now, you have to restart OpenVPN with this command: systemctl restart openvpn, or service openvpn restart if systemd isn't installed on your system.
You should not see this message in the log anymore \o/ and you get a slightly more stable connection thanks to the undropped packets.


Social media

If you find this article interesting, feel free to subscribe to my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone else.

Check if it is possible to establish an SSH connection with Bash

Written by Mirabellette / 20 march 2018 / no comments

Hello everyone

I am continuing to write an article each month. I have added some titles and subtitles to make reading easier. Today, I want to share with you a little trick I use to check whether it is possible to establish an SSH connection with a remote host.

Introduction

Use case

  • You want to transfer some files over the SSH protocol. You want to be sure it is possible to establish a connection, and be notified if it is not.
  • You want to check periodically whether it is possible to connect to a remote host with SSH.

What I do

I created a bash script that opens an SSH connection with the remote host and checks that it works well. If it doesn't, it sends an email to a specific address.

The main part

Scripts

Both scripts are available on GitHub under the MIT licence. You can find them here.

Script to check ssh connection


Crontab


Requirement and advice

  • You need to have a bash prompt after connecting over SSH.
  • You need a properly configured mail transfer agent.
  • You need to check that, when you establish an SSH connection, you don't receive any warning message from SSH. Otherwise, the status variable will get a value other than "ok" and the script will consider that you are not able to establish a connection.
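The check described above, written as an added example rather than the script from the author's GitHub repository: the probe runs "echo ok" on the remote host in batch mode, anything other than a bare "ok" (a banner, a host-key warning, a timeout) is treated as a failure, and the captured output is mailed through the local MTA. The host is passed in the SSH_CHECK_HOST variable; the recipient address and the SSH_CMD override hook are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the author's GitHub script): probe a host over SSH in
# batch mode, treat anything but a bare "ok" as failure, and mail the
# captured output to an administrator. Recipient address is a placeholder.

SSH_CMD=${SSH_CMD:-ssh}                      # overridable, e.g. for tests
ALERT_TO=${ALERT_TO:-admin@example.org}      # hypothetical recipient

# ssh_probe HOST: run "echo ok" on HOST without ever prompting. BatchMode
# refuses password prompts, ConnectTimeout bounds a dead host, and strict
# host-key checking makes an unknown or changed key a failure instead of
# something silently accepted. stderr is merged so warnings are captured.
ssh_probe() {
    "$SSH_CMD" -o BatchMode=yes -o ConnectTimeout=10 \
        -o StrictHostKeyChecking=yes "$1" 'echo ok' 2>&1
}

# status_from_output OUTPUT: "ok" only when the probe printed the marker
# and nothing else; any banner or warning turns the status into "ko".
status_from_output() {
    if [ "$1" = "ok" ]; then echo ok; else echo ko; fi
}

# check_ssh HOST: exit status 0 when the connection is usable, 1 otherwise.
check_ssh() {
    out=$(ssh_probe "$1")
    [ "$(status_from_output "$out")" = ok ]
}

# notify_failure HOST OUTPUT: hand the evidence to the local MTA via mail(1).
notify_failure() {
    printf 'SSH check to %s failed at %s\n\n%s\n' "$1" "$(date -u)" "$2" \
        | mail -s "SSH check failed: $1" "$ALERT_TO"
}

# main HOST: one run, suitable for cron. Silence on success keeps cron quiet.
main() {
    out=$(ssh_probe "$1")
    if [ "$(status_from_output "$out")" = ok ]; then
        return 0
    fi
    echo "SSH check to $1 failed:" >&2
    printf '%s\n' "$out" >&2
    notify_failure "$1" "$out"
    return 1
}

# Run only when a host is given, e.g. from crontab every 15 minutes:
#   */15 * * * * SSH_CHECK_HOST=user@host.example.org /root/check-ssh.sh
if [ -n "${SSH_CHECK_HOST:-}" ]; then
    main "$SSH_CHECK_HOST"
    exit $?
fi
```

Merging stderr into the compared output is what makes the "no warning message" requirement enforceable: a changed host key produces a warning, the status becomes "ko" and the alert goes out, whereas a check that only looked at the exit code of ssh would miss it.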


Conclusion

I know there must be a better way to test this, but it fits my use cases well.

Social media

If you find this article interesting, feel free to subscribe to my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone else.

Examples of scripts to automatically renew web certificates with Let's Encrypt

Written by Mirabellette / 13 october 2017 / no comments

Hello everyone,

I know it has been a very long time since I posted an article, but life is life. ^^
Today, I wanted to share two scripts I use to renew my web certificates with Let's Encrypt. I know there is a lot of documentation about that, but it could help some of you save some time.

Generating web certificates with a specific domain name

The script browses the given file and ignores lines which begin with # or ----------. These symbols are used in the file to make the text easier to read. Each line is one of the domain names or subdomains I manage. I just have to add a new one to this list to be sure the certificate of this new domain name will be automatically renewed.

#!/bin/bash
# file : /root/certs/renew-webcert.sh
# Renew all certificates which are in the given file
logFile="/var/log/renew-cert.log"

serverName=$1
# Read the domain file line by line: empty lines, lines starting with "#"
# (comments) and "----------" (visual separator) are skipped.
while read -r c ; do
 if [[ -n ${c} && ${c} != "#"* && ${c} != "----------" ]]; then
  echo "$c"
  echo "/opt/letsencrypt/letsencrypt-auto --apache --renew-by-default -d $c --rsa-key-size 4096 --uir --redirect" | tee -a "$logFile"
  /opt/letsencrypt/letsencrypt-auto --apache --renew-by-default -d "$c" --rsa-key-size 4096 --uir --redirect
 fi
done < "$serverName"
service apache2 restart
echo "service apache2 restart"


# file : /root/certs/serverName
toto.example.org
#titi.example.org
----------
tata.example.org

To use it, I create a cron task which runs the script each month:
0 6 01 * * /root/certs/renew-webcert.sh /root/certs/serverName
Warning: be careful that /root/certs/renew-webcert.sh needs to be executable (chmod 700).

A single web certificate with multiple domain names

The second one is very similar to the first. The main difference is that it creates a single certificate with multiple domain names and reads the domain list from a fixed file instead of one given as parameter.

#!/bin/bash
# file : /root/certs/renew-webcert-mirabellette.sh
logFile="/var/log/renew-cert-mirabellette.log"

# Absolute path: cron does not start in /root/certs
serverName="/root/certs/server-name-mirabellette"
# Build the command as an array so that every "-d domain" stays one argument
cmdRenew=(/opt/letsencrypt/letsencrypt-auto --apache --rsa-key-size 4096 --uir --redirect)
while read -r domainName ; do
 if [[ -n ${domainName} && ${domainName} != "#"* && ${domainName} != "----------" ]]; then
  echo "$domainName"
  cmdRenew+=(-d "$domainName")
 fi
done < "$serverName"

echo "${cmdRenew[*]}" | tee -a "$logFile"
"${cmdRenew[@]}"
service apache2 restart
echo "service apache2 restart"


# file : /root/certs/server-name-mirabellette
blog.mirabellette.eu
privatebin.mirabellette.eu
#lufi.mirabellette.eu

To use it, I create a cron task which runs the script each month:
0 6 01 * * /root/certs/renew-webcert-mirabellette.sh

Warning: be careful that /root/certs/renew-webcert-mirabellette.sh needs to be executable (chmod 700).
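Both scripts above force a renewal every month. As an added example (not one of the author's scripts), the following helper reads the same domain file format, builds the "-d domain" arguments in one place, and only calls letsencrypt-auto when the current certificate has fewer than a configurable number of days left, which keeps a frequent cron job from hitting Let's Encrypt rate limits. The client path is the one used in the article; the certificate path /etc/letsencrypt/live/<name>/cert.pem and the script name in the cron comment are assumptions.

```shell
#!/bin/sh
# Added example, not one of the author's scripts: build the "-d domain" list
# from the domain file format above (comments, "----------" separators and
# blank lines ignored, whitespace trimmed) and only call letsencrypt-auto
# when the current certificate is close to expiry. Paths are assumptions.

LE_BIN=${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}
LOG_FILE=${LOG_FILE:-/var/log/renew-cert.log}
RENEW_DAYS=${RENEW_DAYS:-30}   # renew when fewer than this many days remain

# domain_args FILE: print one "-d DOMAIN" pair per line for every active entry.
domain_args() {
    # "|| [ -n "$line" ]" also handles a last line without a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case $line in
            ''|'#'*|'----------') continue ;;
        esac
        printf '%s %s\n' -d "$line"
    done < "$1"
}

# cert_needs_renewal CERT_FILE DAYS: succeed when the certificate expires
# within DAYS days or cannot be read (first issuance), i.e. renewal should run.
cert_needs_renewal() {
    [ -r "$1" ] || return 0
    ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# renew_from_list LIST_FILE CERT_FILE: the renewal step, skipped while the
# certificate is still fresh so a frequent cron job does not burn rate limits.
renew_from_list() {
    list=$1
    cert=$2
    if ! cert_needs_renewal "$cert" "$RENEW_DAYS"; then
        echo "$cert still valid for more than $RENEW_DAYS days, nothing to do"
        return 0
    fi
    # word splitting of the helper output is intended: it yields -d DOMAIN pairs
    set -- $(domain_args "$list")
    if [ $# -eq 0 ]; then
        echo "no domain found in $list" >&2
        return 1
    fi
    echo "$LE_BIN --apache --rsa-key-size 4096 --uir --redirect $*" | tee -a "$LOG_FILE"
    "$LE_BIN" --apache --rsa-key-size 4096 --uir --redirect "$@" && service apache2 restart
}

# Usage from cron, e.g. once a day at 06:00 (script name is hypothetical):
#   0 6 * * * /root/certs/renew-if-needed.sh /root/certs/server-name-mirabellette \
#             /etc/letsencrypt/live/blog.mirabellette.eu/cert.pem
if [ $# -eq 2 ]; then
    renew_from_list "$1" "$2"
fi
```

Because the expiry gate is cheap, the job can run daily instead of monthly: a failed renewal is then retried the next day rather than a month later, while a successful one is not repeated until the certificate is actually close to its end.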

I hope this article gave you some ideas to manage your web certificate renewal easily.

Specific OpenVPN error on Windows 10 "endpoints must exist within the same 255.255.255.252"

Written by Mirabellette / 15 may 2017 / no comments

Hello everyone,

System:
  • debian jessie stable 8.7
  • windows 10 creators update
  • openvpn 2.3.4.5 on the server
  • openvpn 2.4.2 on the client

I recently got a new laptop with Windows 10. Obviously, I installed OpenVPN with the correct configuration. When I tried to connect, I got an error message:

The local and remote VPN endpoints must exist within the same 255.255.255.252

After some hours looking for a solution, I finally found it, and it is trivial. You just have to open your OpenVPN configuration, add "topology subnet" and restart OpenVPN:

* on the server

vim /etc/openvpn/server.conf
add "topology subnet"
service openvpn restart

* on the client

service openvpn restart

Now, the OpenVPN client should be able to connect to the server without error.
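Both this fix and the mbuf fix above come down to adding a directive to server.conf. Editing by hand is fine once, but a setting that is appended a second time, or left next to a conflicting "topology net30", is easy to miss. The helper below is an added example (not from the blog) that sets a directive idempotently: it replaces any existing uncommented line for the same key or appends the directive, and it is demonstrated on a constructed sample configuration rather than a real /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Added example, not a script from the blog: set an OpenVPN server directive
# idempotently, so "tcp-queue-limit 4096", "bcast-buffers 4096" and
# "topology subnet" can be applied by a script without duplicating lines.

# ensure_directive FILE "KEY VALUE...": replace every uncommented line that
# starts with KEY, or append the directive if KEY is not present yet.
ensure_directive() {
    file=$1
    directive=$2
    key=${directive%% *}
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when nothing is left, which is not an error here
    grep -v -E "^[[:space:]]*${key}([[:space:]]|$)" "$file" > "$tmp" || true
    printf '%s\n' "$directive" >> "$tmp"
    # cat instead of mv keeps the owner and mode of the original file
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_directive FILE KEY: print the value of the last uncommented KEY line.
get_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | tail -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]*//"
}

# count_directive FILE KEY: how many uncommented KEY lines the file holds.
count_directive() {
    grep -c -E "^[[:space:]]*$2([[:space:]]|$)" "$1" || true
}

# apply_openvpn_fixes FILE: the directives from the two articles above.
apply_openvpn_fixes() {
    ensure_directive "$1" "topology subnet" &&
    ensure_directive "$1" "tcp-queue-limit 4096" &&
    ensure_directive "$1" "bcast-buffers 4096"
}

# Demo on a constructed sample configuration (not a real server.conf).
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
port 443
proto tcp
topology net30
# topology subnet   (commented out, so left untouched)
EOF
apply_openvpn_fixes "$demo_config"
cat "$demo_config"
# Result: "topology net30" replaced by "topology subnet", the two buffer
# directives appended once. On a real server, run it against
# /etc/openvpn/server.conf and then "systemctl restart openvpn".
rm -f "$demo_config"
```

Running the helper twice leaves the file unchanged, which is what makes it safe to keep in a configuration-management step; a commented-out line for the same key is deliberately ignored so it keeps documenting the previous value.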

I hope this article will help you to solve this kind of problem.