Caleb Cushing's Blog (also known as XenoTerraCide)
Posts with the tag security:

Making Secure Recoverable Passwords ( part 3 )

If you haven't read Part 1, please do so. Although the criticism of Part 2 should be taken with a grain of XKCD salt, and even the primary critic admitted that it would take him two months to crack the final salted SHA-512, I will acknowledge it has some merit. Usually your attacker shouldn't have your shadow file, and having stored passwords as anything less than a salted hash is just plain not secure. Doing a base64 transformation on hex-only digits is a bad idea, though: it does not yield nearly enough possible combinations.

Making secure recoverable Passwords (Part 2)

This was prompted by Dave Jacoby's post on generating passwords and the fact that I've learned a new trick since my first article in 2008, which you should read first (it's a prerequisite). Some might point out that using a hex digest limits the characters that will be generated too much; if so, do this instead:

echo -n "date" | sum | base64

So let's say you have to change your password every month. Pick a day, let's say the second Tuesday of the month.
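Part 2 and Part 3 turn on the same point, so this added example (mine, not code from either post) quantifies it. base64 consumes three input bytes per four output characters; when those bytes are the ASCII spelling of a hex digest, only 16^3 = 4096 inputs are possible per group, so each four-character group carries 12 bits instead of 24. The enumeration below counts the reachable groups and output characters, and the two derive functions compare the hex-then-base64 construction with base64 of the raw digest bytes. The date string used as sample input is constructed; the scheme's other weakness, that the secret is a predictable date, is untouched by either variant.

```python
import base64
import hashlib
import itertools
import math
import string

HEX_ALPHABET = string.digits + "abcdef"   # output alphabet of hexdigest()


def reachable_b64_groups():
    """All 4-char base64 groups that an ASCII hex string can produce.

    base64 maps 3 input bytes to 4 output characters; when the bytes are hex
    digits there are only 16**3 = 4096 possible inputs per group, so at most
    4096 of the 64**4 possible output groups can ever appear.
    """
    groups = set()
    for triple in itertools.product(HEX_ALPHABET, repeat=3):
        raw = "".join(triple).encode("ascii")
        groups.add(base64.b64encode(raw).decode("ascii"))
    return groups


def alphabet_stats():
    """Summarise how much of the base64 space the hex-first construction uses."""
    groups = reachable_b64_groups()
    chars = set("".join(groups))
    bits_per_group = math.log2(len(groups))
    return {
        "distinct_groups": len(groups),        # out of 64**4 = 16,777,216
        "distinct_chars": len(chars),          # out of 64
        "bits_per_char": bits_per_group / 4,   # 3.0 instead of 6.0
        "chars": chars,
    }


def derive_hex_then_b64(secret: str) -> str:
    """The post's construction: hash, take the hex digest, base64 that text."""
    hexdigest = hashlib.sha512(secret.encode("utf-8")).hexdigest()
    return base64.b64encode(hexdigest.encode("ascii")).decode("ascii")


def derive_b64_of_digest(secret: str) -> str:
    """Same hash, but base64 of the raw digest bytes: full 64-symbol alphabet."""
    digest = hashlib.sha512(secret.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def upper_bound_bits(password: str, hex_first: bool) -> float:
    """Upper bound on the bits an attacker must guess for a password of this
    length, assuming the digest itself were unpredictable (a date-derived
    secret is not, which is the larger problem with the scheme)."""
    per_char = alphabet_stats()["bits_per_char"] if hex_first else 6.0
    return len(password.rstrip("=")) * per_char


if __name__ == "__main__":
    sample_secret = "2009-09-08"   # constructed sample; any real date is just as guessable
    stats = alphabet_stats()
    print(f"{stats['distinct_groups']} of 16777216 base64 groups, "
          f"{stats['distinct_chars']} of 64 characters, "
          f"{stats['bits_per_char']} bits per output character")
    a = derive_hex_then_b64(sample_secret)[:16]
    b = derive_b64_of_digest(sample_secret)[:16]
    print(a, upper_bound_bits(a, hex_first=True))
    print(b, upper_bound_bits(b, hex_first=False))
```

The enumeration is exact rather than sampled, so the 4096-group figure is a hard ceiling: a sixteen-character prefix of the hex-then-base64 output can never carry more than 48 bits, where base64 of the raw digest bytes carries up to 96.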

Bypassing disabled accounts with KDM

The most common way of disabling an account on a Unix system is changing the user's shell in /etc/passwd to /bin/false or /sbin/nologin. However, I've discovered on Arch Linux that if I do this only shell logins are disabled; I was still able to log the user in to the GUI via KDM. I also tried usermod --expiredate 1, but this was not effective either. The only way I found to lock the account from KDM login was passwd -l accountname, which only locks password authentication.
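The lesson of the post is that each disabling mechanism covers a different login path, so an account is only reliably disabled when all of them are set. This added example (mine, not the post's code) audits constructed /etc/passwd and /etc/shadow lines for the three signals: a nologin shell, a locked password hash (what passwd -l writes), and an expiry date in the past (what chage -E or usermod --expiredate writes). The user names and hash strings are constructed placeholders; run it against the real files as root by passing their contents to audit().

```python
import time
from dataclasses import dataclass

# Constructed sample lines standing in for /etc/passwd and /etc/shadow.
# Hash strings are placeholders, not real password hashes.
PASSWD_SAMPLE = """\
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/sbin/nologin
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/usr/sbin/nologin
"""

SHADOW_SAMPLE = """\
alice:$6$salt$hash:18000:0:99999:7:::
bob:$6$salt$hash:18000:0:99999:7:::
carol:!$6$salt$hash:18000:0:99999:7::1:
dave:!:18000:0:99999:7::1:
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/usr/bin/nologin"}


@dataclass
class AccountStatus:
    name: str
    shell_blocked: bool     # shell is nologin/false: stops shells, not display-manager logins
    password_locked: bool   # hash starts with '!' or '*': passwd -l; other auth methods still work
    expired: bool           # shadow expiry (days since epoch) is in the past: blocks PAM logins

    @property
    def fully_disabled(self) -> bool:
        return self.shell_blocked and self.password_locked and self.expired


def parse_colon_file(text: str) -> dict:
    """Index colon-separated lines (passwd/shadow format) by user name."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit(passwd_text: str, shadow_text: str, today_days: int) -> dict:
    """Return {user: AccountStatus} for every passwd entry."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    results = {}
    for name, pf in passwd.items():
        sf = shadow.get(name, [])
        hash_field = sf[1] if len(sf) > 1 else ""
        expire_field = sf[7] if len(sf) > 7 else ""   # empty means "never expires"
        results[name] = AccountStatus(
            name=name,
            shell_blocked=pf[6] in NOLOGIN_SHELLS,
            password_locked=hash_field.startswith(("!", "*")),
            expired=expire_field.isdigit() and int(expire_field) <= today_days,
        )
    return results


def shell_only_disabled(results: dict) -> list:
    """Accounts a shell would reject but a display manager such as KDM may still accept."""
    return sorted(
        name for name, s in results.items()
        if s.shell_blocked and not s.password_locked and not s.expired
    )


if __name__ == "__main__":
    today = int(time.time() // 86400)
    for status in audit(PASSWD_SAMPLE, SHADOW_SAMPLE, today).values():
        print(status, "(fully disabled)" if status.fully_disabled else "")
```

In the sample, bob is the case the post describes: his shell is /sbin/nologin, so he cannot get a shell, but nothing stops a PAM-based login from a display manager. Only dave has all three mechanisms applied.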

Port forwarding in OpenWRT

So you need the outside world to have access to some boxes on your internal network. First you should use static DHCP to give the computers you're routing to fixed IPs. Then you need to know the inbound port from the outside world and the port on the computer you are forwarding to. For this example we'll forward WAN (Wide Area Network, probably the Internet) port 8080 to a local dev box running Apache httpd (we assume you know how to set Apache up and make sure it's working on the LAN (Local Area Network)).
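Here is that forward written as a redirect section for /etc/config/firewall, the UCI file OpenWrt's firewall reads. This is an added example, not the post's own configuration: the internal address 192.168.1.10 and the internal port 80 are assumptions (the post only fixes the WAN port, 8080), and the static DHCP lease is assumed to already pin that address.

```uci
# /etc/config/firewall excerpt (added example; dest_ip and dest_port are assumptions)
config redirect
	option name       'dev-httpd'
	option src        'wan'
	option src_dport  '8080'          # port the outside world connects to
	option dest       'lan'
	option dest_ip    '192.168.1.10'  # static-lease address of the dev box
	option dest_port  '80'            # port Apache listens on inside the LAN
	option proto      'tcp'
	option target     'DNAT'
```

Apply it with /etc/init.d/firewall restart. If only one outside address needs the forward, add option src_ip with that address so the rule is no wider than the need.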

Quick sha1sum with Crypto++

I've been working on Korama. I was originally planning on hashing each music file and using the SHA-1 as the track primary key. However, after benchmarking an actual implementation, I've decided that it's too slow: 20 minutes for 3k+ tracks. My program was also about 5 minutes slower than find … -exec sha1sum; I'm not sure why. However, since I had problems figuring out how to do it, I figure I'll post a basic sha1sum program that I made with the help of people on the Crypto++ mailing list.

FSDaily security fail (see image)

[Image: http://2.bp.blogspot.com/_3oPDnpvYrb4/SqLUMaJclwI/AAAAAAAAABY/o-xV9JVASss/s400/fs_daily_fail2.png]

Hint, hint! FSDaily, don't access your database with the root account, and definitely make sure that error page doesn't show that to users.

This work by Caleb Cushing is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

PostgreSQL initial setup (authentication)

If you followed my last initial setup post on creating users and are running a default install of Postgres, you should now be able to access the database from your CLI. However, many distributions do not install Postgres in the default manner: a great many make the default authentication for Unix sockets ident sameuser. This is technically much more secure than trust, which is the upstream default. However, you may find yourself locked out of your database on the local CLI if your database user name differs from your OS user name.
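The socket-authentication settings the post contrasts, as an added example in pg_hba.conf syntax (not the post's own file; the map name devmap and the user names caleb and dbowner are assumptions). The ident map is the usual way out of the lock-out described above: it lets an OS user connect as a differently named database user without dropping back to trust. The map= form is the 8.4-era syntax; 8.3 wrote the map name bare, and from 9.1 on the socket method is called peer and takes the same map= option.

```text
# pg_hba.conf excerpt (added example). PostgreSQL reads top-down; first match wins.
# TYPE  DATABASE  USER  METHOD
# Upstream default: any local OS user may connect as any database user, no credentials.
# local   all       all   trust
# What many distributions ship: the OS user name must equal the database user name.
# local   all       all   ident sameuser
# Same strength, with an explicit mapping so you are not locked out when the names differ.
local   all       all   ident map=devmap

# pg_ident.conf (added example): MAPNAME  SYSTEM-USERNAME  PG-USERNAME
devmap  caleb  caleb
devmap  caleb  dbowner
```

Reload the server (pg_ctl reload, or the distribution's service reload) after editing either file; the map only grants the listed pairs, so every other OS user still gets only a same-named database user.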

Adding a new group to an open shell without logging in and out

Most Unix users believe it's impossible to use a group that was recently added to your user account without logging out and logging back in. If you're running X and need to give your GUI programs the new permissions (like Dolphin or Konqueror) this is true for the most part; I don't know how to change it for those processes. However, if you need it in a shell prompt it's easy: merely execute newgrp <newgroupname> in an open shell and that prompt will now have the new group.

More Security = Better. Wrong!

So I just had a discussion on #ubuntu-server on freenode about why my not having a password to connect to PostgreSQL via a socket (read: local CLI) is insecure. So I asked them, how exactly is someone going to get this access? The answer: "there are bad people on the Internet". I'm sure many people right now are agreeing with them and thinking I'm crazy. Let's discuss my setup though, shall we?

iptables browsing samba shares

NOTE: this assumes that you've read my previous post on basic iptables setup on the desktop. I just spent the longest time trying to determine what ports I needed to browse and use Samba shares. The sad answer is it's just one:

iptables -A INPUT -p udp --sport 137 -j ACCEPT

Note that this matches only on the source port, which any sender can set to 137; restrict it further with a source network (-s) if the box sees anything beyond a trusted LAN. The catch with all the information I found with Google was that most of it was for Samba servers, and I didn't want that.