Security archivos » Aprende IT

How to Protect Your Linux System: The Ultimate Guide to Installing and Using RKHunter

Gerardo G. Urtiaga — Mon, 10 Jun 2024 12:07:34 +0000

In this article, we will explore how to install and configure RKHunter (Rootkit Hunter) on a Linux system. RKHunter is an essential tool for the security of any server, as it allows the detection of rootkits, backdoors, and local exploits on UNIX systems. We will detail each step, from installation to configuration and scheduling automatic scans. This tutorial is designed for users with basic knowledge of Linux system administration.

Installation of RKHunter

Step 1: Update the Repositories

Before installing any new package, it is always a good practice to make sure that the system repositories are up-to-date. This can be done with the command apt update.

apt update

Step 2: Install RKHunter

Once the repositories are updated, we can proceed to install RKHunter along with the basic system tools (coreutils).

apt install coreutils rkhunter -y

Step 3: Download RKHunter Database Repositories

For RKHunter to function correctly, we need to download the necessary data. This can be done with the curl command.

curl https://rkhunter.sourceforge.net/1.4/mirrors.dat > /var/lib/rkhunter/db/mirrors.dat

Configuration of RKHunter

Common Issue: Unable to Update

If we try to update RKHunter immediately after installation, we are likely to encounter an error similar to the following:

root@host# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ Skipped ]
  Checking file programs_bad.dat                             [ Update failed ]
  Checking file backdoorports.dat                            [ Update failed ]
  Checking file suspscan.dat                                 [ Update failed ]
  Checking file i18n versions                                [ Update failed ]

Please check the log file (/var/log/rkhunter.log)

Solution: Edit the Configuration File

To solve this problem, we need to edit the RKHunter configuration file (/etc/rkhunter.conf). We will use vi or any other text editor we prefer.

vi /etc/rkhunter.conf

Inside the file, we modify the following parameters:

PKGMGR=DPKG
WEB_CMD=wget
UPDATE_MIRRORS=1
MIRRORS_MODE=0

Update of RKHunter

After making these changes, we can try to update RKHunter again.

rkhunter --update

If all goes well, we should see a message indicating that the files have been updated successfully.

Version Verification

We can verify that we are using the latest version of RKHunter with the following command:

rkhunter --versioncheck

Performing a System Scan

Once RKHunter is configured and updated, we can proceed to perform a complete system scan.

rkhunter --check

Example Output from a Scan
During the scan, RKHunter will check various aspects of the system, including system commands, shared libraries, and suspicious files. Here is an example of what we might see:

[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/cron                                           [ OK ]
    /usr/sbin/depmod                                         [ OK ]
    /usr/sbin/fsck                                           [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifconfig                                       [ OK ]
    /usr/sbin/init                                           [ OK ]
    /usr/sbin/insmod                                         [ OK ]
    /usr/sbin/ip                                             [ OK ]
    /usr/sbin/lsmod                                          [ OK ]
    /usr/sbin/modinfo                                        [ OK ]
    /usr/sbin/modprobe                                       [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/rmmod                                          [ OK ]
    /usr/sbin/route                                          [ OK ]
    /usr/sbin/rsyslogd                                       [ OK ]
    /usr/sbin/runlevel                                       [ OK ]
    /usr/sbin/sshd                                           [ OK ]
    /usr/sbin/sulogin                                        [ OK ]
    /usr/sbin/sysctl                                         [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
    /usr/sbin/vipw                                           [ OK ]
    /usr/sbin/unhide                                         [ OK ]
    /usr/sbin/unhide-linux                                   [ OK ]
    /usr/sbin/unhide-posix                                   [ OK ]
    /usr/sbin/unhide-tcp                                     [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/bash                                            [ OK ]
    /usr/bin/cat                                             [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/chmod                                           [ OK ]
    /usr/bin/chown                                           [ OK ]
    /usr/bin/cp                                              [ OK ]
    /usr/bin/curl                                            [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/date                                            [ OK ]
    /usr/bin/df                                              [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/dmesg                                           [ OK ]
    /usr/bin/dpkg                                            [ OK ]
    /usr/bin/dpkg-query                                      [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/echo                                            [ OK ]
    /usr/bin/ed                                              [ OK ]
    /usr/bin/egrep                                           [ OK ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/fgrep                                           [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/fuser                                           [ OK ]
    /usr/bin/grep                                            [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/ip                                              [ OK ]
    /usr/bin/ipcs                                            [ OK ]
    /usr/bin/kill                                            [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ OK ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/login                                           [ OK ]
    /usr/bin/ls                                              [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lsmod                                           [ OK ]
    /usr/bin/lsof                                            [ OK ]
    /usr/bin/mail                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/mktemp                                          [ OK ]
    /usr/bin/more                                            [ OK ]
    /usr/bin/mount                                           [ OK ]
    /usr/bin/mv                                              [ OK ]
    /usr/bin/netstat                                         [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ OK ]
    /usr/bin/ping                                            [ OK ]
    /usr/bin/pkill                                           [ OK ]
    /usr/bin/ps                                              [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/pwd                                             [ OK ]
    /usr/bin/readlink                                        [ OK ]
    /usr/bin/rkhunter                                        [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sed                                             [ OK ]
    /usr/bin/sh                                              [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
    /usr/bin/size                                            [ OK ]
    /usr/bin/sort                                            [ OK ]
    /usr/bin/ssh                                             [ OK ]
    /usr/bin/stat                                            [ OK ]
    /usr/bin/strace                                          [ OK ]
    /usr/bin/strings                                         [ OK ]
    /usr/bin/su                                              [ OK ]
    /usr/bin/sudo                                            [ OK ]
    /usr/bin/tail                                            [ OK ]
    /usr/bin/telnet                                          [ OK ]
    /usr/bin/test                                            [ OK ]
    /usr/bin/top                                             [ OK ]
    /usr/bin/touch                                           [ OK ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uname                                           [ OK ]
    /usr/bin/uniq                                            [ OK ]
    /usr/bin/users                                           [ OK ]
    /usr/bin/vmstat                                          [ OK ]
    /usr/bin/w                                               [ OK ]
    /usr/bin/watch                                           [ OK ]
    /usr/bin/wc                                              [ OK ]
    /usr/bin/wget                                            [ OK ]
    /usr/bin/whatis                                          [ OK ]
    /usr/bin/whereis                                         [ OK ]
    /usr/bin/which                                           [ OK ]
    /usr/bin/who                                             [ OK ]
    /usr/bin/whoami                                          [ OK ]
    /usr/bin/numfmt                                          [ OK ]
    /usr/bin/kmod                                            [ OK ]
    /usr/bin/systemd                                         [ OK ]
    /usr/bin/systemctl                                       [ OK ]
    /usr/bin/gawk                                            [ OK ]
    /usr/bin/bsd-mailx                                       [ OK ]
    /usr/bin/dash                                            [ OK ]
    /usr/bin/x86_64-linux-gnu-size                           [ OK ]
    /usr/bin/x86_64-linux-gnu-strings                        [ OK ]
    /usr/bin/telnet.netkit                                   [ OK ]
    /usr/bin/which.debianutils                               [ OK ]
    /usr/lib/systemd/systemd                                 [ OK ]

[Press  to continue]

...

[Press  to continue]

System checks summary
=====================

File properties checks...
    Files checked: 142
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 498
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 4 minutes and 25 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Automation of Scans with Cron

To ensure that our system remains secure, it’s a good idea to schedule automatic scans. We can do this by editing the /etc/crontab file to add the necessary cron jobs. Don’t forget to modify the destination email to receive the alerts.

vi /etc/crontab

Add the following lines to the file:

0 3 * * * root /usr/bin/rkhunter --update >> /var/log/rkhunter_update.log 2>&1
0 2 * * * root /usr/bin/rkhunter --cronjob --update --report-warnings-only | mail -s "RKHunter Daily Scan" your-email@example.com

With this, we have configured a cron job that will update RKHunter daily at 3 AM and perform a daily scan at 2 AM, sending a report by email only if warnings are found.

La entrada How to Protect Your Linux System: The Ultimate Guide to Installing and Using RKHunter se publicó primero en Aprende IT.

Install Your Own Wazuh Server on Ubuntu

Gerardo G. Urtiaga — Sat, 27 Apr 2024 14:41:38 +0000

Wazuh has become an essential tool for security management in information systems. Thanks to its ability to detect intrusions, ensure data integrity, and monitor security, many companies and individuals choose to set up their own Wazuh server. Here I will explain how you can install and configure your Wazuh server, step by step, without using complicated lists or enumerations.

What is Wazuh and Why Should You Use It?

Wazuh is an open-source security platform that provides intrusion detection, integrity monitoring, incident response, and compliance auditing. Its versatility makes it ideal for both small businesses and large corporations. Furthermore, being open-source, Wazuh is completely free and allows modifications to meet any specific needs.

Initial Preparations Before Installation

Before you dive into the installation of Wazuh, it is crucial that you prepare your system. This involves ensuring that the operating system is updated and setting up the environment to support the installation of Wazuh through Docker. Here is how you do it:

First, it is necessary to disable the firewall to prevent it from interfering with the installation process. To do this, simply execute in the terminal:

ufw disable

This command will disable the firewall, ensuring that it will not block any of the necessary connections during the installation.

Next, you must ensure that all system packages are updated and that git is installed, as you will need it to clone the Wazuh repository. Execute:

apt update && apt install git

With these commands, your system will be updated and ready for the next phase.

Installing Docker

Wazuh in Docker simplifies dependency management and ensures that the platform can run isolated and secure. To install Docker, you can use the script provided by Docker, which sets up everything automatically:

curl -sSL https://get.docker.com/ | sh

Once Docker is installed, it is essential to ensure it automatically runs at system startup:

systemctl start docker
systemctl enable docker

These commands will start the Docker service and configure it to automatically start at each system boot.

Docker Compose

If you install Docker as previously indicated, you do not need to install this tool, but if you already have Docker and it does not support “docker compose”, you can install docker-compose like this:

curl -L "https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

The following commands that have “docker compose” should be executed as docker-compose.

Setting Up the Wazuh Environment

With Docker already configured, the next step is to prepare the specific environment for Wazuh. Head to the optimal directory to keep organized the files related to security:

cd /opt

Now, it is time to clone the most recent version of the Wazuh repository for Docker:

git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.3

This command downloads all the necessary files to run Wazuh in a Docker container.

Generating Certificates and Starting Up Wazuh

Before starting Wazuh, you must generate the necessary certificates for the proper functioning of the Wazuh components. Navigate to the correct directory and execute the certificate generator:

cd wazuh-docker/single-node/
docker compose -f generate-indexer-certs.yml run --rm generator

With the certificates generated, you are now ready to start all the Wazuh services:

docker compose up -d

This last command lifts all the containers necessary for Wazuh to operate properly in a single-node mode, ideal for test environments or small implementations.

Verification of the Installation

Once all the previous steps are completed, it is important to verify that everything is working as expected. You can check the status of the Docker containers to ensure that all Wazuh services are active and running. Additionally, access the Wazuh web interface to start exploring the functionalities and available settings.

Customization and Monitoring

With your Wazuh server now operational, the next step is to customize the configuration to adapt it to your specific needs. Wazuh offers a wide variety of options for configuring rules, alerts, and automatic responses to incidents. Take advantage of the available documentation to explore all the possibilities that Wazuh offers.

Installing and configuring your own Wazuh server may seem like a complex task, but by following these steps, you will have a robust computer security system without needing large investments. Not only will it improve the security of your information, but it will also provide you with a powerful tool to monitor and proactively respond to any incident.

Wazuh Password Change

Stop the service using Docker Compose:

docker compose down

Generate the hash of the new password using the Wazuh container:

Run the following command to start the hash script:

docker run --rm -ti wazuh/wazuh-indexer:4.6.0 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

Enter the new password when prompted and copy the generated hash.

Update the internal users file with the hash of the new password:

Open the file with a text editor like vim:

vim config/wazuh_indexer/internal_users.yml

Paste the generated hash for the admin user.

Update the docker-compose.yml file with the new password:

Open the docker-compose.yml file:

vim docker-compose.yml

Enter the new password in lines 24 and 81 where it says INDEXER_PASSWORD.

Raise the services again with Docker Compose:

docker compose up -d

This restarts the service stack.

Access the container and run the security script:

Access the container:

docker exec -it single-node-wazuh.indexer-1 bash

Define the variables and run the security script:

export INSTALLATION_DIR=/usr/share/wazuh-indexer
CACERT=$INSTALLATION_DIR/certs/root-ca.pem
KEY=$INSTALLATION_DIR/certs/admin-key.pem
CERT=$INSTALLATION_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl

Exit the container:

exit

This process allows you to update the admin password for Wazuh using Docker, making sure to follow all the steps correctly to ensure the changes are effective.

La entrada Install Your Own Wazuh Server on Ubuntu se publicó primero en Aprende IT.

Create SOCKS Proxy with Dante and OpenSSH

Gerardo G. Urtiaga — Mon, 25 Mar 2024 22:31:35 +0000

How to Create a SOCKS Proxy with Dante on Ubuntu

In the digital era, maintaining online privacy and security is more crucial than ever. One way to protect your identity and data on the internet is through the use of a SOCKS proxy server. This type of proxy acts as an intermediary between your device and the internet, hiding your real IP address and encrypting your internet traffic. In this article, we will guide you step by step on how to set up your own SOCKS proxy server on Ubuntu using Dante, a versatile and high-performance proxy server.

Starting Dante Installation

Before diving into the Dante setup, it’s essential to prepare your system and ensure it is updated. To do this, open a terminal and run the following commands:

sudo apt update
sudo apt install dante-server

These commands will update your system’s package list and then install Dante, respectively.

Configuring the danted.conf File

Once Dante is installed, the next step is to configure the proxy server. This is done by editing the danted.conf configuration file located in /etc/danted/. To do this, use your preferred text editor. Here, we will use vim:

vim /etc/danted.conf

Inside this file, you must specify crucial details such as the external and internal interfaces, the authentication method, and access rules. Below, we show you an example configuration that you can adjust according to your needs:

logoutput: syslog
user.privileged: root
user.unprivileged: nobody

# The external interface (can be your public IP address or the interface name)
external: eth0

# The internal interface (usually your server's IP address or loopback)
internal: 0.0.0.0 port=1080

# Authentication method
socksmethod: username

# Access rules
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect disconnect error
}

# Who can use this proxy
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind connect udpassociate
    log: connect disconnect error
    socksmethod: username
}

This configuration defines a SOCKS server that listens on all available interfaces (0.0.0.0) on port 1080. It uses username authentication and allows connections from and to any address.

Creating a User for the Proxy

For the proxy to be secure and not open to the public, it’s necessary to create a specific user for the connection. This is achieved with the following commands:

sudo useradd -r -s /bin/false username
sudo passwd username

Here, username is the username you wish for the proxy connection. The useradd command creates the user, and passwd allows you to assign a password.

Restarting and Enabling Dante Service

With the user created and the configuration file adjusted, it’s time to restart the Dante service and ensure it runs at system startup:

sudo systemctl restart danted.service
sudo systemctl enable danted.service
sudo systemctl status danted.service

Furthermore, it’s important to ensure that port 1080, where the proxy listens, is allowed in the firewall:

sudo ufw allow 1080/tcp

Verifying the Connection

Finally, to verify everything is working correctly, you can test the connection through the proxy with the following command:

curl -v -x socks5://username:password@your_server_ip:1080 https://whatismyip.com/

Remember to replace username, password, and your_server_ip with your specific information. This command will use your proxy server to access a website that shows your public IP address, thus verifying that traffic is indeed being redirected through the SOCKS proxy.

Setting up a SOCKS proxy server with Dante may seem complex at first, but by following these steps, you can have a powerful system

You can configure a SOCKS5 proxy server using OpenSSH on Ubuntu 22.04, which is a simpler and more direct alternative in certain cases, especially for personal use or in situations where you already have an SSH server set up. Below, I explain how to do it:

Creating a Socks 5 Proxy with OpenSSH

Unlike Dante, with which we can create a proxy service with authentication, with OpenSSH, we can create a tunnel on a port that can be used as a SOCKS proxy without authentication, so it is convenient to use it only for localhost within a single computer (we will explain this better later)

Installing OpenSSH Server

If you don’t already have OpenSSH Server installed on your server that will act as the proxy, you can install it with the following command as long as it’s a Debian / Ubuntu-based distribution:

sudo apt update
sudo apt install openssh-server

Ensure the service is active and running correctly with:

sudo systemctl status ssh

Configuring the SSH Server (Optional)

By default, OpenSSH listens on port 22. You can adjust additional configurations by editing the /etc/ssh/sshd_config file, such as changing the port, restricting access to certain users, etc. If you make changes, remember to restart the SSH service:

sudo systemctl restart ssh

Using SSH as a SOCKS5 Proxy

To configure an SSH tunnel that works as a SOCKS5 proxy, use the following command from your client (not on the server). This command establishes an SSH tunnel that listens locally on your machine on the specified port (for example, 1080) and redirects traffic through the SSH server:

ssh -D 1080 -C -q -N user@server_address

-D 1080 specifies that SSH should create a SOCKS5 proxy on local port 1080.
-C compresses data before sending.
-q enables silent mode that minimizes log messages.
-N indicates no remote commands should be executed, useful when you only want to establish the tunnel.
user is your username on the SSH server.
server_address is the IP address or domain of your SSH server.

At this point, we mention that with the -D option, you should only specify the port as exposing the port to the entire network may allow other devices on the network to use this proxy without authenticating:

[ger@ger-pc ~]$ ssh -D 0.0.0.0:1081 root@192.168.54.100

If we check with the command ss or netstat, we can see that it is listening on all networks:

[ger@ger-pc ~]$ ss -putan|grep 1081
tcp LISTEN 0 128 0.0.0.0:1081 0.0.0.0:* users:(("ssh",pid=292405,fd=4)) 
[ger@ger-pc ~]$

However, if we connect by specifying only the port without 0.0.0.0 or without any IP, it will only do so on localhost:

[ger@ger-pc ~]$ ssh -D 1081 root@192.168.54.100

.......

[ger@ger-pc ~]$ ss -putan|grep 1081
tcp LISTEN 0 128 127.0.0.1:1081 0.0.0.0:* users:(("ssh",pid=292485,fd=5)) 
tcp LISTEN 0 128 [::1]:1081 [::]:* users:(("ssh",pid=292485,fd=4)) 
[ger@ger-pc ~]$

Connecting Through the SOCKS5 Proxy:

Now you can configure your browser or application to use the SOCKS5 proxy on localhost and port 1080. Each application has a different way of configuring this, so you will need to review the preferences or documentation of the application.

Automating the Connection (Optional):
If you need the tunnel to be established automatically at startup or without manual interaction, you may consider using a tool like autossh to keep the tunnel connection open and reconnect in case it drops.

This is an effective way to establish a quick SOCKS5 proxy for a user or a few users, especially useful for bypassing network restrictions or securing your traffic on untrusted networks. The main advantage of this method is its simplicity and that it leverages existing SSH infrastructure without the need to configure additional software on the server.

La entrada Create SOCKS Proxy with Dante and OpenSSH se publicó primero en Aprende IT.

How to Fix Access Issues Due to Encryption Negotiation Errors in SSH

Gerardo G. Urtiaga — Mon, 30 Oct 2023 05:36:20 +0000

If you have ever tried to establish an SSH connection and encountered an error message saying something like “Unable to negotiate with [IP address] port 22: no matching cipher found,” you are not alone. These encryption negotiation issues can be frustrating, but don’t worry, we are here to help you understand and solve these problems.

Understanding Ciphers and KexAlgorithms

To address these issues, you first need to understand some key concepts: ciphers and KexAlgorithms. These elements are fundamental for the security of your SSH connection and are used to encrypt and protect communication between your SSH client and the remote server.

What are Ciphers?

Ciphers, or encryption algorithms, are used to protect information transmitted through an SSH connection. These algorithms determine how information is encrypted and decrypted, ensuring that communication is secure and private.

What are KexAlgorithms?

On the other hand, KexAlgorithms, or key exchange algorithms, are essential for establishing a secure SSH connection. These algorithms are used to negotiate and agree upon the encryption key that will be used during the SSH session. They are a critical part of authentication and security in SSH.

The Importance of Firmware Updates

Before diving into details on how to fix encryption negotiation issues, it’s important to highlight the relevance of keeping your SSH server’s firmware updated. Manufacturers and software developers often release updates that fix security vulnerabilities and improve compatibility with the latest security standards. Keeping your firmware updated is a crucial measure to ensure the security of your SSH server.

Secure Protocols and Their Differences

Now that we understand ciphers and KexAlgorithms, it’s time to talk about the most secure protocols available for SSH. Two of the most commonly used protocols are SSHv1 and SSHv2, and it is essential to understand their differences.

SSHv1

SSHv1 is an older version of the SSH protocol and is considered obsolete due to known security vulnerabilities. It is not recommended for use in modern environments due to these weaknesses.

SSHv2

SSHv2 is the latest and most secure version of the SSH protocol. It offers better security and performance compared to SSHv1. Using SSHv2 over SSHv1 is highly recommended to ensure a secure SSH connection.

Fixing Encryption Negotiation Issues

Now that we have a solid understanding of the key concepts, let’s look at how to fix encryption negotiation issues in SSH.
When you encounter an error message like “no matching cipher found,” it means that the remote SSH server and your SSH client cannot agree on a cipher for secure communication. To resolve this issue, you can follow these steps:

Update Your SSH Client: Ensure that you are using an updated version of your SSH client. The latest versions typically support more secure ciphers and KexAlgorithms.

Specify Ciphers and KexAlgorithms: You can use specific options on the command line when connecting, as in the following example:

ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc [IP address]

This tells your SSH client which ciphers and KexAlgorithms to use in the negotiation.

Contact the Server Administrator: If you are the administrator of the SSH server, ensure that it is configured to support secure ciphers and KexAlgorithms. Consider updating the configuration to use more secure protocols like SSHv2.
Remember that security is a top priority in SSH connections, and it is crucial to take measures to ensure that your communication is secure and private.

Conclusion

In this article, we have explored the concepts of ciphers and KexAlgorithms in SSH and their importance for the security of connections. We have also discussed the SSHv1 and SSHv2 protocols, highlighting the preference for SSHv2 due to its higher security.
Additionally, we have provided tips on how to fix encryption negotiation issues in SSH, including updating your SSH client, specifying the appropriate ciphers and KexAlgorithms, and considering server configuration.

Always remember to keep your software and firmware up to date to ensure the security of your SSH connections and effectively protect your data.

La entrada How to Fix Access Issues Due to Encryption Negotiation Errors in SSH se publicó primero en Aprende IT.

Creating an Office Proxy with Squid on Ubuntu: A Detailed Guide with Examples

Gerardo G. Urtiaga — Tue, 27 Jun 2023 04:04:14 +0000

Hello! Are you ready to take a step further in improving your internet browsing experience? I’m sure you are. You’re here to learn how to install and configure Squid, a proxy server that enhances your web security and efficiency, on the Ubuntu operating system. Let’s get started!

What is Squid and Why Should You Use It?

Squid is an open-source proxy that acts as an intermediary between your computer and the web, allowing you to have more detailed control over internet traffic. Its popularity stems from being free, robust, and highly customizable.

Preparing for Squid Installation

Before installing Squid, update your Ubuntu system to ensure that you have the latest package versions using the following commands:

sudo apt-get update
sudo apt-get upgrade

Installing Squid on Ubuntu

To install Squid on Ubuntu, open the terminal and execute the following command:

sudo apt-get install squid

Configuring Squid on Ubuntu

After installation, it’s time for configuration. Edit the squid.conf configuration file using the following command:

sudo nano /etc/squid/squid.conf

In the configuration file, there are three main options to adjust:

acl: Defines who is allowed to access the proxy. You can define a group of networks to allow access with:

acl local_network src 192.168.1.0/24

In this example, access is allowed from the 192.168.1.0/24 network.

http_access: Controls access to the proxy. Set it to allow the users defined in the acl:

http_access allow local_network

http_port: The port on which the proxy listens for requests. By default, Squid uses port 3128, but you can change it:

http_port 8080

Remember to save any changes made in the squid.conf file.

Verifying Your Squid Configuration

Restart the Squid service for the changes to take effect:

sudo systemctl restart squid

And check the status of the service:

sudo systemctl status squid

If the status is “active (running)”, your proxy server is functioning correctly.

Testing Your Proxy Server

To test your proxy server, configure your browser to use the IP address of your server and the port configured in Squid. You can also review the Squid logs to see details of the processed requests.

Optimizing Your Proxy Server

Squid allows you to optimize page loading through caching. To configure this behavior, you can adjust various directives in the squid.conf file, such as the disk space for the cache:

cache_dir ufs /var/spool/squid 100 16 256

In this example, /var/spool/squid is the location of the cache directory. ufs is the storage system type that Squid should use for the cache. 100 is the amount of disk space, in megabytes, that Squid can use for the cache. 16 is the number of first-level subdirectories, and 256 is the number of second-level subdirectories. Together, these subdirectories determine the number of objects Squid can cache.

Additionally, Squid allows blocking or granting access to certain websites using access control lists (ACLs). You may want to block access to certain websites in your office network. To do so, you can create an ACL and then use the http_access directive to deny access. Here’s how you can do it:

acl blocked_sites dstdomain .facebook.com .twitter.com
http_access deny blocked_sites

In this example, .facebook.com and .twitter.com are the websites you want to block access to. “blocked_sites” is simply the name given to this access control list.

If you’re managing a network with limited bandwidth, you may also want to limit the amount of bandwidth each user can use. Squid allows you to do this using the delay_pools directive. Here’s an example of how it’s done:

delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 10000/10000
delay_initial_bucket_level 100

In this example, a delay pool is created with a limit of 10000 bytes per second.

Maintaining Your Proxy Server

Maintaining your proxy server involves monitoring its usage, reviewing Squid logs, keeping your Ubuntu system up to date, and updating Squid when necessary. Squid logs can help you identify errors and performance issues. To view Squid logs, you can use the following command:

sudo tail -f /var/log/squid/access.log

This command displays the last lines of the log file and updates the output as more lines are added to the log.

Finally, make sure to regularly update Squid and your Ubuntu system to keep it secure and efficient. You can do this with the following commands:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install squid

One Last Tip

Installing and configuring a proxy server may seem like a complex task, but with some patience, you will become familiar with the process. And remember, you can always turn to the Squid and Ubuntu user community if you have any questions or encounter any issues.
Thank you for joining us on this journey to create your own proxy server! If you find this article helpful, feel free to share it with your colleagues and friends. And don’t forget to follow us for more technology guides and tips. Until next time!

La entrada Creating an Office Proxy with Squid on Ubuntu: A Detailed Guide with Examples se publicó primero en Aprende IT.

Checking SSL Certificates

Gerardo G. Urtiaga — Mon, 13 Mar 2023 05:05:32 +0000

An SSL certificate is a small data file that is used to encrypt communication between a web server and a browser. This ensures that the information sent between the server and browser is secure and cannot be viewed by third parties. It’s important to have an SSL certificate on any website that handles personal or financial information.

In this article, we’ll show you how to check if a website has a valid SSL certificate using the OpenSSL command line tool on Linux.

What is OpenSSL?

OpenSSL is an open-source software library used to implement online security protocols like HTTPS, SSL, and TLS. In addition to libraries, OpenSSL also includes a set of command-line tools that can be used to perform various security tasks.

Checking SSL certificates with OpenSSL

To check if a website has a valid SSL certificate, you first need to open a terminal and enter the following command:

openssl s_client -connect :443

In this command, you need to replace with the domain name of the website you want to check.

Once you enter the command, OpenSSL will establish a connection with the web server and return information about the SSL certificate. If the website has a valid SSL certificate, you’ll see a message similar to this:

Certificate chain
0 s: /C=US/ST=California/L=Los Angeles/O=Example Company/CN=www.example.com
i: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

This means that the website has a valid SSL certificate issued by Let’s Encrypt.

However, if the website doesn’t have a valid SSL certificate, you’ll see an error message like this:

CONNECTED(00000003)
depth=0 CN = localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost.localdomain
verify error:num=10:certificate has expired
verify return:1
depth=0 CN = localhost.localdomain
verify error:num=24:invalid CA certificate
verify return:1
depth=0 CN = localhost.localdomain
verify error:num=25:hostname mismatch
verify return:1

This indicates that the SSL certificate for the website is either invalid or untrusted.

Generating and verifying SSL certificates with OpenSSL

OpenSSL can also be used to generate and verify SSL certificates. If you want to generate an SSL certificate for your own website, you can use the following command:

openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365

This command will generate a self-signed SSL certificate that is valid for one year. However, if you want an SSL certificate issued by a trusted certification authority, you’ll need to acquire one.

If you want to verify if an SSL certificate is valid, you can use the following command:

openssl x509 -in cert.pem -text -noout

” alt=”” aria-hidden=”true” />This command will display detailed information about the SSL certificate, such as its expiration date and issuer.

La entrada Checking SSL Certificates se publicó primero en Aprende IT.

The 8 best hex editors for linux

Gerardo G. Urtiaga — Fri, 25 Nov 2022 08:00:19 +0000

In this article you will see the 8 best hexadecimal editors for Linux. But first let’s define what a hex editor is and what it is used for. We also add at the end a couple of surprises.

What is a hexadecimal editor?

A hex editor, in a nutshell, allows you to examine and edit binary files. The difference between a plain text editor and a hex editor is how the content is represented by the editor.

It is usually used to reverse engineer applications. To edit some bytes of a binary file a hexadecimal editor is usually used. With these editors we can replace text in binary files and modify information without corrupting the file.

Hexadecimal editors

Hexcurse

One of the most used editors for console is hexcurse. You can easily open, edit and save files. You can switch between hexadecimal and ASCII. The best thing about this editor is the simplicity of working with it from the console.

Dhex

It is an editor based on ncurses. It can edit large binary files. It has a “diff” mode to compare files, to enter this mode we only have to call two files instead of just one.

Ghex – GNOME Hex Editor

The Ghex editor is the hexadecimal editor par excellence in GNome desktops. Of all the options we have, GHex is one of the best, it represents the content of the file in hexadecimal and ASCII but also each fragment of the content represented in hexadecimal can be shown in decimal and octal, you only have to point it with the cursor. The content can also be searched.

Hexedit Hex Editor

HexEdit is a hexadecimal editor for console. It displays content in Hexadecimal and ASCII. It is one of the most widely used hexadecimal console editors in modern operating systems.

Bless Hex Editor

Bless is one of our favorite desktop hex editors. It has a lot of tools and is an advanced editor that allows you to edit large files. Among its advantages are that it supports plugins and you can open multiple tabs instead of opening multiple windows.

Okteta Editor

Okteta is an editor that has curious features such as opening remote files via HTTP, FTP, fish and other supported protocols. It is one of the simplest editors to use for viewing and editing binary files. Okteta is KDE’s hex editor and is the successor of KHexEdit.

wxHexEditor

Another of the best hexadecimal editors for desktop is WxHexEditor. It is able to recover data from the hard disk by editing the sectors from the editor itself because it allows you to edit large files and devices. It consumes few resources and can be run on Windows, Linux and Mac platforms.

All in all, it is a very good tool for someone who needs to do reverse engineering.

Hexer Binary File Editor

It is a multi-buffer editor (Read and Write). It does not allow block device editing. Command line editing is very similar to vi/vim. If you already know vi it will be easy to get started.
All in all, it is a very good tool for someone who needs to do reverse engineering.

Viewers and other editors

Hexyl Hex Viewer

Hexyl is not an editor as such, it is a hexadecimal viewer. It can highlight in color the different ASCII bytes, non-ASCII bytes, NULL bytes, ASCII blanks, etc. Being highlighted in one color or another allows us to better identify the type of byte. It also provides the number of bytes and their representation in text with details.

Xxd Hex Editor

Xdd is the best way to generate a hex dump of a binary file. We can use it to search for hexadecimal data in a file, it can also convert a hexdump to a binary file (as urlencode and urldecode do).

In short, it allows to work with binary files and hex dumps.

La entrada The 8 best hex editors for linux se publicó primero en Aprende IT.

How to configure SNMP to monitor our server

Gerardo G. Urtiaga — Sun, 23 Jan 2022 09:45:17 +0000

Hello again! Finally after a long stop of a month and a half without publishing, we are back to work. Today we bring you a small tutorial on how to configure SNMP to monitor our server, we will focus on CentOS as it is one of the most widespread distributions for servers. Except for the installation, the rest is similar in other distributions.

If you like these articles share it and or leave us your comments in your social networks so we can keep growing and publishing more articles.

If the article seems advanced and you need more information about the first steps in linux you can see the articles of the basic series:here. On the other hand, if you like this kind of articles you can see all the related articles in this category. here.

Let’s get started!

What is SNMP?

SNMP, or Simple Network Management Protocol, is an application layer protocol of the OSI network model, is used to exchange information about the system (Hardware and Software). This allows us to know the current state of the system, information about the hardware, running processes, etc. Mainly it is usually integrated in routers, switches, servers, firmware of some servers, especially servers with ILO technology (as the iLO/OA of HP, iDraq dell, etc.), network printers, etc. That is to say, normally the network oriented devices are already prepared. But what if I have a cloud server or a newly installed server and I want to monitor the system via SNMP? As the SNMP protocol is implemented at the application layer there are multiple implementations to put it into operation in our linux system.

Installing the service

One of the reasons why we chose to teach how to install this service in CentOS was also because of its ease of installation and configuration.

To install the service in CentOS you only have to do the following from a terminal with the root user:
1- Install the SNMP service:

yum -y install net-snmp net-snmp-utils

2- We make the service start at the beginning

chkconfig snmpd on

3- Now we have to configure the SNMP service:

To do this we must move the default configuration file from /etc/snmp/snmpd.conf to /etc/snmp/snmpd.conf.orig:

mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

Then we edit the file with

vi /etc/snmp/snmpd.conf

And enter the following configuration (paying attention to the comments):

# Mapeamos la comunidad 'ConfigUserComunity' a 'ConfigUser'
# Mapeamos la comunidad 'AllUserCommunity' a 'AllUser'
#
sec.name
source community
com2sec ConfigUser default ConfigUserComunity
com2sec AllUser default AllUserCommunity
# Map 'ConfigUser' to 'ConfigGroup' for SNMP Version 2c
# Map 'AllUser' to 'AllGroup' for SNMP Version 2c
#
sec.model sec.name
group ConfigGroup v2c ConfigUser
group AllGroup v2c AllUser
# Definimos 'SystemView' para todo lo que cuelgue de  .1.3.6.1.2.1.1 (or
.1.3.6.1.2.1.25.1)
# Definimos 'AllView' para todo lo que cuelgue de  .1
#
incl/excl subtree
view SystemView included .1.3.6.1.2.1.1
view SystemView included .1.3.6.1.2.1.25.1.1
view AllView included .1
#Definimos permisos para las comunidades
access  ConfigGroup  "" any noauth exact SystemView none   none
access  AllGroup  "" any noauth exact AllView none   none

4- We lift the service

service snmpd restart

The data of each community can then be queried with an SNMP client such as snmpwalk:
Syntax

snmpwalk -v 2c -c COMUNIDAD -O e 127.0.0.1

For AllUserCommunity:

snmpwalk -v 2c -c AllUserCommunity -O e 127.0.0.1

Once the SNMP service is configured we can monitor the server in multiple ways. One of them is configuring a script from another point executing a “snmpwalk” to the server and if it does not give the proper values or does not respond it will trigger an alert.
Another way is to use systems like librenms or Zabbix and thus trigger more advanced alerts.

Remember, if you like these articles, share them and leave us your comments in your social networks so we can continue to grow and publish more articles.

See you soon!

La entrada How to configure SNMP to monitor our server se publicó primero en Aprende IT.

WORDPRESS: TOP 4 Best vulnerability scanners

Gerardo G. Urtiaga — Wed, 19 Jan 2022 00:51:41 +0000

Hello! Today we are back with an article about pentesting and computer security, this time we bring you the top 4 best wordpress vulnerability scanners online.

1. wpvulnb.com

In https://wpvulndb.com/ you can find the latest vulnerabilities discovered in wordpress, both in the core and in many plugins. You can see affected versions, scope of the vulnerability and in some cases links to the exploit to check if you are affected by the vulnerability.

2. wpscans.com

The online scanner https://wpscans.com/ performs a complete online scanner and generates a complete report on the security of the analyzed site. This report will help us a lot to improve the security of the analyzed wordpress.

3. hackertarget

The scanner https://hackertarget.com/wordpress-security-scan/ is the most complete online scanner we have found, allowing you to choose between several modes. You can run the scanner on several sites by specifying them in the text field provided. In the run mode it allows you to select between 5 different modes, each one focused on a type of “discovery” on the target. The report it generates is quite complete. It even indicates server parameters and also runs a scanner with nikto in some cases.

Although https://hackertarget.com/extract-links/ is not an online vulnerability scanner. We include it in this article because it is very useful for extracting links from a web page.

4. wpscan

This is not an online scanner but it can be downloaded from https://github.com/wpscanteam/wpscan and it is the most complete and updated offline scanner. Thanks to this wonderful scanner you can get a report of all vulnerabilities with their scope in order to fix them. It is perfect if you do not want a third party to have access to the reports of the scanners made because in those made from webs. We do not control if this report is stored. If so, it should be warned in the scanner form because it would be storing data on the security of our website and infrastructure.

La entrada WORDPRESS: TOP 4 Best vulnerability scanners se publicó primero en Aprende IT.

LINUX : How to create a Kernel module in C language to run our code with the highest possible privilege

Gerardo G. Urtiaga — Wed, 19 Jan 2022 00:38:11 +0000

Today we will talk about how to create a kernel module in C language to run our code with the highest possible privilege. In some cases, it is necessary to run code with a higher privilege than root, in linux this can only be done in one way, with a kernel module. And you may ask, how can I create a kernel module? Very simple: With C language. It seems much more difficult than it really is, let’s go there:

To do this the first thing we must do is to create our Kernel Module C code.

The path where these files have been saved is “/tmp/test-modulo”.

The file “testmodulo.c” will contain all the module code:

In plain text:

// Definiendo __KERNEL__ and MODULE nos permite acceder a nivel de kernel.
root@pc#undef __KERNEL__
root@pc#define __KERNEL__
root@pc#undef MODULE
root@pc#define MODULE
// Linux Kernel/LKM headers: module.h es necesario para todos los modulos y kernel.h 
//y tambien para para KERN_INFO.
root@pc#include     // Incluido para todos los modulos de kernel
root@pc#include     // Incluido para KERN_INFO
root@pc#include         // Incluido para __init y __exit macros

static int __init testmodulo_init(void)
{
   printk(KERN_INFO "testmodulo cargado\n"); //Se loga en el log del sistema
   //Aqui iria el codigo a ejecutar
   return 0;    // Si el retorno no es 0 
                //quiere decir que el modulo no se ha podido cargar
}

static void __exit testmodulo_cleanup(void)
{
   printk(KERN_INFO "Informacion de cleanup\n"); //se loga en el /var/log/messages
}
module_init(testmodulo_init);
module_exit(testmodulo_cleanup);

The “Makefile” file, with which we specify the compilation options:

obj-m := testmodulo.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
all:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
clean:
	$(MAKE) -C $(KDIR) M=$(PWD) clean

To compile and use the module you have to do the following from the console:

Go to the directory:

root@pc#cd /tmp/test-modulo

We compile with make and gcc:

root@pc#make

Now testmodulo.ko should exist

root@pc#ls /tmp/test-modulo/testmodulo.ko
testmodulo.ko

Install the module

root@pc#sudo insmod /tmp/test-modulo/testmodulo.ko
root@pc#

We check if it has been loaded

root@pc# cat /var/log/messages|grep testmodulo -i
Apr  9 20:52:21 sysger kernel: [15604.644410] testmodulo: module license 'unspecified' taints kernel.
Apr  9 20:52:21 sysger kernel: [15604.644859] testmodulo cargado
root@pc# lsmod|grep testmodulo
testmodulo                  192232  0

And with this we would have everything ready to use our new module.

Thank you very much for visiting the blog! If you liked it, don’t forget to leave a comment and share the article.

La entrada LINUX : How to create a Kernel module in C language to run our code with the highest possible privilege se publicó primero en Aprende IT.