Category Archives: Security

Some more details on how to configure your nginx server with SSL

The guys from bsdnow.tv did a great job putting together a tutorial with some more details on a proper Nginx configuration and a very good choice of SSL parameters. There were some parts I didn't know either, and the tutorial is great as always.

If you want to configure a web server with SSL/TLS support and you're not sure which parameters to set for SSL/TLS, watch their tutorial at the end of the episode; you will learn a lot.

Here the link to the video: http://www.bsdnow.tv/episodes/2014_08_20-engineering_nginx

And here the link to the tutorial for nginx and SSL/TLS: http://www.bsdnow.tv/tutorials/nginx

If you don't know them yet, take some time to browse through their videos!

Besides this, you can check your SSL/TLS configuration with the SSL Labs test to improve your current settings, or re-check it regularly so you don't miss a newly found vulnerability: https://www.ssllabs.com/ssltest/


Wireshark with XQuartz on Mac OS X Mountain Lion

Since Apple removed X11 support, you may have faced some problems with X11-based applications. Wireshark is one of those applications that made trouble on my Mac. To fix the problem you need to install XQuartz.

Download the latest Wireshark version and run it. It should come up with a selection window for your X11 application. Click on Browse and navigate to your Applications directory. Open the Utilities directory and select XQuartz. Now quit Wireshark using Cmd + Q and start it again. It can take a second, but now Wireshark should work with Mountain Lion.

Very nice blog

Some time ago I wrote two articles about tunneling HTTP traffic through an SSH session or OpenVPN. This is useful if you need to secure your web traffic in an untrusted network.

Today I found this blog: http://mark.koli.ch

You should have a look at it; there are some nice articles. I found this one, which explains how to tunnel SSH through an HTTP connection so you can get an SSH session running when all traffic except HTTP is blocked.

Nice and useful article.

Tor project needs your help

In this email to the public, the Tor project is asking for help with testing and improving the QA process of the Tor Bundle.

As you may know, I am a supporter of the Tor project and spent some time in the past writing some howtos to help improve the Tor network in a very small way. The idea behind anonymous communication is well known and you can read tons of information about it. Today I just want to blog about this announcement to share the information and maybe inspire someone to help this project.

In this particular case you do not need to go deep into the code; it is mostly about testing pre-release versions of the Tor Bundle.

For newcomers, testing software is often a good starting point for getting to know the structure of a project.

Another way of helping the Tor network is sharing some bandwidth by running a bridge or exit node. If you don't have the skills to do this, you can still donate some bucks to the torservers project.

Secure your browsing in an untrusted (WiFi) network

As I wrote in an older post, there is a simple solution using SSH to tunnel your web browser traffic through an SSH connection to a secure and trusted endpoint. This is a very simple way to secure your access to the web while you are in a public WiFi network or an old-fashioned cable network.

Because I got quite a lot of response to that article, I decided to write this one for the people who want to secure all of their traffic, not only the web traffic.

The easiest way to do this is to use a VPN connection, which allows you to tunnel all your traffic, no matter from which application, to a secure endpoint. As I like open source for all of the security stuff, I am using OpenVPN to do this job. It's one of the most popular VPN solutions and is based on SSL.

What do we need:

  • VPN Server somewhere in the internet
  • OpenVPN Client on our machine (Tunnelblick for Mac or OpenVPN Gui for Windows are both free and open source)
  • Some time to configure it

In my case the VPN server is a Linux box, but it can be any operating system that can run the OpenVPN server software.

In this tutorial I will not repeat every single step because the OpenVPN documentation is very good and clear. Just follow the setup process described here to get OpenVPN installed and all necessary certificates created. Once OpenVPN starts with the example configuration and your certificates, you only need to modify some lines in your server.conf file to route all the traffic through the OpenVPN server. If you are running a Linux box with iptables (which you should), you need to add some rules to allow the traffic to be routed.

Installation:

On CentOS install it via yum:

yum install -y openvpn

The example configuration files and the easy-rsa directory are located here: /usr/share/docs/openvpn-2.2.0/

Copy the easy-rsa directory to /etc/openvpn and make the shell scripts executable:

cp -a /usr/share/docs/openvpn-2.2.0/easy-rsa /etc/openvpn
chmod +x /etc/openvpn/easy-rsa/2.0/build* /etc/openvpn/easy-rsa/2.0/pkitool \
/etc/openvpn/easy-rsa/2.0/vars /etc/openvpn/easy-rsa/2.0/clean-all \
/etc/openvpn/easy-rsa/2.0/revoke-full /etc/openvpn/easy-rsa/2.0/sign-req \
/etc/openvpn/easy-rsa/2.0/whichopensslcnf

Now follow the instructions here:

http://www.openvpn.net/index.php/open-source/documentation/howto.html#install

If you have OpenVPN up and running but you can't establish a connection from your client, please check whether the configured port is open on your server. If you have a custom iptables script, you need to open the port you are using for OpenVPN, for example the default UDP port 1194.
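The server.conf lines that push the tunnel as default route and the iptables rules that let the Linux box forward and NAT the client traffic (including the UDP 1194 rule mentioned above), as an added example that is not part of the original post or the OpenVPN documentation. It assumes the WAN interface is eth0, the tunnel interface tun0, the VPN subnet 10.8.0.0/24 (the OpenVPN example default) and a resolver reachable at the server's tunnel address 10.8.0.1; adjust the variables to your box.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenVPN docs: the
# server.conf lines that send all client traffic through the VPN and the
# iptables rules that let the server forward and NAT it. Assumed names:
# WAN interface eth0, tunnel interface tun0, VPN subnet 10.8.0.0/24 (the
# OpenVPN example default), DNS at 10.8.0.1 and UDP port 1194 as in the post.
set -eu

WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"
IPT="${IPT:-iptables}"     # IPT=echo prints the rules instead of applying them

# Routing-related directives to append to /etc/openvpn/server.conf.
server_conf_routing() {
    cat <<'EOF'
# make the tunnel the clients' default route, but keep local DHCP working
push "redirect-gateway def1 bypass-dhcp"
# DNS the clients should use while their default route points into the tunnel
# (assumed: a resolver listening on the server's tunnel address)
push "dhcp-option DNS 10.8.0.1"
EOF
}

# The kernel only passes packets between tun0 and the WAN interface when
# forwarding is switched on.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Firewall rules: accept the VPN port, forward tunnel traffic out and only
# established replies back in, and masquerade it so the internet sees the
# server's address instead of 10.8.0.x.
openvpn_firewall_rules() {
    "$IPT" -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
    "$IPT" -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$TUN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage (as root): enable_forwarding && openvpn_firewall_rules
# then: server_conf_routing >> /etc/openvpn/server.conf and restart OpenVPN
```

Run it once with IPT=echo to review the exact rules before they touch a live firewall.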


Converting certificates

If you are running a web server with HTTPS, you may sometimes get a certificate for your site in a different format than you expect.

The easiest way of converting the certificates is using the openssl tool.

For example, if you get a certificate in .pfx format you can easily convert it to a format Apache or nginx can use:

openssl pkcs12 -in inputfile.pfx -out outputfile.txt -nodes
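The one-liner above dumps certificate, chain and unencrypted key into one file. As an added example (not from the original post), this script splits a .pfx into the separate PEM files Apache and nginx expect, keeps the key file private, and checks that the key really belongs to the certificate before you install it. The password is assumed to arrive in the PFX_PASS variable; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): split a .pfx/.p12 into the
# separate PEM files Apache or nginx expect and verify that the key matches
# the certificate. Assumes the PKCS#12 password is in PFX_PASS (may be empty).
set -eu

# pfx_to_pem <input.pfx> <output-dir>
# Writes cert.pem (leaf), chain.pem (CA certs, empty if none bundled) and
# key.pem (unencrypted because of -nodes, as in the post's one-liner).
pfx_to_pem() {
    pfx="$1"; out="$2"
    mkdir -p "$out"
    openssl pkcs12 -in "$pfx" -passin "pass:${PFX_PASS:-}" -clcerts -nokeys -out "$out/cert.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:${PFX_PASS:-}" -cacerts -nokeys -out "$out/chain.pem"
    # the key is written inside a subshell with a strict umask so it is never
    # world-readable, not even for a moment
    ( umask 077; openssl pkcs12 -in "$pfx" -passin "pass:${PFX_PASS:-}" -nocerts -nodes -out "$out/key.pem" )
}

# key_matches_cert <key.pem> <cert.pem>
# Compares the public key inside the certificate with the public key derived
# from the private key; returns 0 when they belong together.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: PFX_PASS='...' ; pfx_to_pem site.pfx /etc/ssl/site
#        key_matches_cert /etc/ssl/site/key.pem /etc/ssl/site/cert.pem && echo ok
```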

Source:

http://www.digicert.com/ssl-support/apache-ssl-export.htm

Tor hosting project

Today I thought maybe some of you want to help the Tor project work more efficiently by running a bridge or a relay, but maybe don't have the resources or the internet connection for it.

I would like to start a little survey to see whether there is a need for hosting a Tor bridge or Tor server for you. If enough people come together, I would set one up in a data center and run it as long as we find people who join the project and pay a small share of the costs for hosting and bandwidth.

This project will be set up as a non-profit project. Only the costs for hosting and traffic should be paid.

The money can be paid via Flattr or PayPal, and I would set up a site where you can see the current sponsoring status.

Leave me a comment if you would participate in such a project or if you have some resources to support this idea.

Update:

There is a project doing exactly this: torservers.net

If you want to support the Tor project you can give some bucks to them and they will run exit nodes and bridges with your money. This is very important for the project and for all the people who are using Tor around the world. Free, uncensored and secure access to information should be a right for everybody, everywhere.

You can even sponsor a complete exit node and be named as a sponsor by them. Ask your friends, family, your politicians and your boss whether free information and free access to the internet is worth 50€/month for the hundreds of people you can help.

Easy way to use Tor on Mac OS X and Linux


If you want to use Tor on Mac OS X or Linux, there is a new bundle you can easily use. The bundle includes all necessary tools and a preconfigured Firefox with the necessary plugin.

Up to now the Tor Browser Bundle is still beta, but for me it works without problems. I could post a link here, but please download it directly from the Tor website: www.torproject.org and verify the checksum to be sure you got a correct version of the software.

I tested the version on Mac and on Fedora 15. Just extract the downloaded file and run the start script or click on the icon, and everything starts without further user interaction. To be sure your identity is safe, please read the information here: https://www.torproject.org/download/download.html.en#warning

Maybe you are in a position to support the Tor project by running a relay or a bridge to make the Tor network more powerful and secure for the people who need this nice tool for uncensored internet access.

Some basic information about running a relay: https://www.torproject.org/docs/tor-doc-relay.html.en

Secure erase a USB stick or hard disk on Mac OS X

Mac OS X brings a built-in solution for securely erasing hard disks or USB devices. The option you should choose depends on what data was stored on the device you want to erase.

For example, if you want to sell your old private hard disk with all your private photos, your tax information etc. on it, you should take some time to erase it securely. If it's just a USB stick with some music on it, you can maybe save some time and choose a faster option. If the device is for business use and has highly sensitive information stored on it, you should think twice about selling the device at all. In some cases it's better to erase the data and destroy the device to make it unusable for anybody.

I use Disk Utility to do this job. There are some console methods as well, but they do the same thing. The erase mechanism built into Disk Utility is certified by US government institutions (Department of Defense) and should do its job. If you need a higher or different security certification, you can check the German BSI homepage for information about alternative tools and methods.

Disk Utility screenshot

Select the Secure Erase Option that best fits your needs.

Secure Erase Options screenshot

Secure Erase USB Stick in Disk Utility screenshot