I have been tunneling all of my web traffic over an encrypted SSH connection for some time now. Considering the fact that I travel a lot, I’m very regularly on untrusted, insecure networks. I prefer to secure those connections (web, IM, email, etc) by creating an encrypted SSH connection and pushing the traffic through it. Today I also found a method for also pushing DNS requests through the same tunnel. This ensures total privacy between yourself and the SSH Server.

Step 1: Creating the Tunnel

Creating this private connection you’ll need a remote SSH server to connect to. Mine runs at home in my garage on an old Pentium III 500MHz box (yeah, the kind most people threw away long, long ago!). I connect to this tunnel using:

ssh -D 8080 -fN user@server

This creates a SOCKS compatible proxy, which is a requirement of the DNS forwarding. Other methods on the interwebs suggest using ssh -L or similar, which are not SOCKS compatible proxies.

Step 2: Forwarding DNS

If you’d like to also forward your DNS requests (ie; the site addresses you type into your browser), you’ll need to change a setting in Firefox. This can be done by accessing the address about:config, and entering this string into the configuration:

network.proxy.socks_remote_dns

Change this value to “true”.

Step 3: Using the Tunnel

The last step is to configure your browser to use these new settings. In Firefox 3 (I hope you’ve upgraded by now), you can activate/toggle these settings via:

Edit > Preferences > Advanced > Network > Settings

Select “Manual Proxy Configuration” and add localhost to the “SOCKS Host:” field, followed by port 8080 (assuming you’ve used the port in the example above).

This will then forward your web traffic through the SSH tunnel and DNS requests will also be forwarded.

You may want to check out the FoxyProxy plugin for a simpler way of toggling this on & off.

To deactivate the tunneling and use the local DNS again simply revert Step 3 back to “Direct Connection to the Internet”.

Related

• Use VNC? Encrypt It Via SSH
• “What Would You Like To See?” Poll Expiring Tomorrow
• Install Adobe Acrobat Plugins For Firefox
• Firefox Shortcut Keys
• Enhance Your Network Connection With OpenDNS
• Mozilla Firefox Easter Eggs

If you use VNC regularly to connect to other Linux machines you may want to consider adding a level of encryption with SSH. Here is a quick run-down on how that is done:

If you look at the man page for vncviewer (man vncviewer) you’ll notice there is a small section for -via. The -via option, as outlined in the man page will do:

Makes the connection go through SSH to a gateway host. The gateway should be the target host for best connection secrecy.

Basically this is saying that you can tunnel VNC over SSH within your connection command. Let’s give it a try.

vncviewer -via user@host localhost:0

This, of course, will require that you have both ssh and vnc access to a remote machine.

This is a much simpler method than many other tutorials I’ve found which generally suggest creating a tunnel with ssh -L and then using that tunnel.

Related

• Tunnel Web and DNS Traffic Over SSH

If you’ve never installed openssh-server, used openssh-clients or generated an X.509 certificate you should be safe.  If you have done any of the above keep reading for a validation and fix instructions.  It can’t hurt to run the validation script in either case, just to be safe.

Security patches have been deployed to the Ubuntu archives so the first step is to, of course, apply any security patches available.

Am I Affected?

The first item at hand is verifying whether or not you have been affected by the vulnerability.  As mentioned above there are some common tasks that would qualify, but lets test your machine to make sure.

Download the script linked below and run it using the example syntax below:

dowkd.pl.gz (Download this file and unzip)

dowkd.pl PGP signature (Optionally verify the signature of the script)

Cut-n-Paste command-line example of downloading and running the test:

wget -c http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
gunzip dowkd.pl.gz
chmod u+x dowkd.pl
./dowkd.pl user
./dowkd.pl host <hostname>

If you see output similar to:

/home/username/.ssh/id_dsa.pub:1: weak key

…then you have been affected by the vulnerability.  If you do not see “weak key” reported then you are OK.

How Do I Fix My Machine?

To update your machine and patch the vulnerability the first thing you want to do is check for and apply any system updates available.  The main Ubuntu archives have been updated with the fixes.  If you are using an alternate mirror the fix may not have propagated yet, so you may not see it available for another few hours.

Apply any updates:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

You should see an update for openssl and openssh packages (along with anything else available).

After these new packages have been applied you’ll want to regenerate any keys that you’ve generated (ie; openssh keys, CA cert, etc).

UPDATE: The latest package release will automagically re-create any server-side ssh keys for you and notify you of the reason. Also, there is a new utility built into the latest release that will check keys for you. After your updates are applied try the tool:

ssh-vulnkey

To generate a new openssh key for your user: (This only required if ‘./dowkd.pl user‘ reports weak)

ssh-keygen -t dsa -b 1024

To generate a new openssh key for your server: (This only required if ./dowkd.pl host <hostname> reports weak)

sudo rm /etc/ssh/ssh_host_{dsa,rsa}_key*
sudo dpkg-reconfigure -plow openssh-server

You should now run the validation script again and make sure it does not report any errors.  If you still see reported warnings such as:

/home/username/.ssh/authorized_hosts:1: weak key

…this means that you have authorized_host keys saved that are still affected.  Open the .ssh/authorized_hosts file with a text editor and delete the affected line (:1: means line 1, etc).

Continue to run the ./dowkd.pl script until no weaknesses are reported.

These steps should be run on any system that you manage to ensure they are sufficiently patched.

Random Posts

• Ubuntu 7.04 “Feisty” Herd 3 Released
• Privacy and Encryption with PGP : Signing and Encrypting Email / Files
• Remove duplicate menu entries in GNOME : Ubuntu (5.10 / 6.06.1 /6.10)
• How to install Java Runtime Environment (JRE) with Firefox Plugin : Ubuntu (6.06.1 / 6.10)
• Ubuntu 6.06.2 LTS Released
• Biggest Pizza I’ve Ever Seen
• Debian netinst
• Gnome and Nautilus Keyboard Shortcut Keys
• Installing Sunbird 0.5 or 0.7 Calendar : Ubuntu 7.10
• javascript to the rescue?

What is ufw?

ufw, or “uncomplicated firewall”, is simply a management tool for creating kernel-level firewall rules which is done via the netfilter kernel module and iptables userspace tool.  iptables has been around for quite a long time, is very, very robust and very widely used.  It is installed by default on any Ubuntu system, but no “rules” have historically been applied to it.  (Technically, every Linux system has a firewall utility built into the kernel, but if no rules are applied to that filter nothing is actually being specifically allowed or denied.)

The reason ufw was developed (I sat in on the sprint at UDS for this) is that we wanted to create a server-level firewalling utility that was a little bit more “for human beings”.  While iptables is already installed and available for use, the syntax can be complicated.  For example, lets say you wanted to block all connections from the IP address 10.100.0.5:

iptables : sudo iptables -A INPUT -s 10.100.0.5 -j REJECT
ufw: sudo ufw deny from 10.100.0.5


Another slightly more complicated example could be written for blocking specific ports and protocols:

iptables: sudo iptables -A INPUT --dport 22 -s 10.100.0.5 -j REJECT
ufw: sudo ufw deny from 10.100.0.5 to any port 22

ufw is creating the iptables / netfilter rule “under the hood”, but allowing us to create the rules in a simpler way.  Both of the commands above basically do the same thing, ufw simply “uncomplicates” the process.

For those that are looking for a GUI on top of ufw, remember that you already have tools such as Firestarter or lokkit, etc.  Those are graphical tools which create and manage iptables / netfilter rules “under the hood”.  ufw is simply a command-line tool to manage iptables / netfilter rules “under the hood”.

The existing GUI tools (Firestarter) and ufw both use iptables underneath, so adding a GUI to ufw would basically be re-creating Firestarter, which is not really needed.  ufw is simply a less complicated way to create firewall (iptables) “rules” on the command line.

Related

• Presenting at OSCON 2008 : July 21-25, 2008

apturl for Gnome Do

I spent some time in the #gnome-do channel last nite seeing what needed to be done for the apturl plugin to become better supported.  The end result is that its much cleaner, properly licensed and has been submitted to the do-plugins branch on launchpad for possible future inclusion in the “official” plugins package.  If you have been using the apturl plugin for Gnome Do and saw some recent breakage, you can download the new known-to-be-working-on-0.4 version here.

GoogleSecure Greasemonkey Script

I’m a big fanboy of data encryption, including encrypting as much of my web traffic as I can.  I hacked together a small Greasemonkey script long ago that will force encryption on any supported Google application (gmail, reader, docs, calendar, etc), and recently added Twitter as well.  I guess that might be cause for a name change, but I didn’t get that far.  I would like to extend the list of sites that it supports, so if you know of any sites that offer https on login but don’t require (but support) https session-wide, let me know.  If you’re interested in this tool you can download Greasemonkey here and GoogleSecure here.

folding.sh

I also have time set aside today to try and squash two remaining bugs in folding.sh.  For all of you great folks that have been using folding.sh, expect an update fairly soon.

Random Posts

• Enable Basic Keyboard Lighting On a MacBook
• DOS Emulation with DOSBox - Get your old-school game on!
• Removing KDE icons in gnome / remove gnome icons in KDE
• The 100 Best Products of the Year
• How to Install VMware Server on Ubuntu 7.10
• PHP/mySQL help
• Explorer Destroyer
• AllTray
• Mozilla Firefox Easter Eggs
• the Ubuntu Linux Bible : CD-ROM Included

If you would prefer to use SELinux over AppArmour, or if you’re just a good soul that would like to help test Ubuntu’s SELinux implementation, please read on.

Install SELinux in Ubuntu 8.04

All that is needed is to install the SELinux package, which will remove AppArmour and apply the SELinux policy.

sudo apt-get install selinux

If you run across any issues or bugs please report them against SELinux on launchpad. Welcome to a more secure Ubuntu!

Random Posts

• Beagle : Simple Questions
• Sinking Deeper - Continued Impressions of Kubuntu
• The Switch To KDE : Day 5
• How To Choose The Right Ubuntu CD
• Extended Display on the MacBook (with xorg.conf) : Ubuntu 8.04
• Folding 0.6 “Awesomely Awesome!” Released
• How to clone an installation : Ubuntu (5.10 / 6.06.1 / 6.10)
• Action-crap modems and DSL…
• How To Find Your Ubuntu or Kernel Version
• Ubuntu 7.10 “Gutsy Gibbon” Release Countdown

ListenAddress

The /etc/ssh/sshd_config file configures how your ssh daemon should run. By default it is likely listening on 0.0.0.0 (all ipv4 addresses) and :: (all ipv6), which is defined by two lines:

#ListenAddress 0.0.0.0
#ListenAddress ::

To configure your server to *not* listen on ipv6 you can remove that line. Now it might appear a bit confusing that the line we’re removing is commented out. That means its not reading that line, right? In this case it is displaying one of the default settings. I have altered my file to only listen on my public facing ipv4 address by removing the “::” listing, and specifically defining an ip instead of “0.0.0.0″.

Another solution which was brought to my attention by a comment is outlined here:

AddressFamily any # default
AddressFamily inet # IPv4 only
AddressFamily inet6 # IPv6 only

By defining the AddressFamily type that we want to use we can listen on both ipv4 and ipv6, just ipv4 or just ipv6. Find the line above in your config and define the AddressFamily you would prefer to listen on.

Once you update these lines you’ll need to restart your ssh service.

sudo /etc/init.d/ssh restart

Also, as a second measure you can firewall ipv6. I’ll be posting a firewall tutorial soon, but the below single command will block all incoming traffic on ipv6:

sudo ip6tables -P INPUT -j DROP

Random Posts

• Support for 5-button mouse in Firefox : Ubuntu (6.06.1 / 6.10)
• Kubuntu till 8.04…
• How To Find Your Ubuntu or Kernel Version
• How to install multimedia codecs : Ubuntu (6.06.1 / 6.10)
• Issues with Launchpad / Malone
• Aptitude Easter Egg?
• Ubuntu 7.10 “Gutsy Gibbon” Release Candidate Available - “Suitable for testing by any user”
• Vim Tip of the Week : August 31, 2007 - Remote Editing
• How To Set Evolution E-Mail To NON-HTML
• Ubuntu Dapper Drake nVidia Compiz XGL

1. Been able to deploy it on Ubuntu / Debian
2. Can refer me to documentation on doing so
3. Can give me information on the any status of the possibility

please let me know.  I am perfectly aware that Apparmor has been chosen beginning with 7.10 but I would prefer not to use it.  If I’m going to use one I’d prefer to use SELinux.  If anyone can point me toward making this work I would very much appreciate it.

Random Posts

• Tomboy 0.5.0 Released Today (deb package available) : Ubuntu (6.10)
• Vista : Top 5!
• Windows Genuine Disadvantage: 60 million users burned
• How To Use Jigdo For Incremental CD Updates (Daily Builds)
• Utah Multi-Distro Release Party
• Comcast Is Starting The Tiered Internet.. Whether We Like It or Not
• How To Install VMware Tools on Ubuntu Guests
• Codecs & Players, Games, LAMP, Fonts & Favorites - by Seveas : Ubuntu (6.10)
• Quick-Launch Network Connections and Shares with ALT-F2
• Why ufw Does Not Need A GUI

tcpwrappers compatibility

The first thing to remember is that not every network-based application on your machine is compatible with tcpwrappers.  The restrictions on hosts.allow or hosts.deny are only valid if they refer to the tcpwrappers library.  How can you find out if your application is compatible?  Use this command:

ldd /path/to/binary | grep libwrap (general example)

ldd /usr/sbin/sshd | grep libwrap (shows that the sshd refers to libwrap)

ldd /usr/sbin/apache2 | grep libwrap (show that apache does not refer to libwrap)

In the basic example above we see that the sshd (ssh server) is referring to the libwrap.so, so we can tell that any restrictions in hosts.allow and hosts.deny are applicable to that service.  We also see that apache2 does not refer to libwrap.so, so any restrictions outlined there do not apply to apache2 connections. (ie; you could lock down ssh but apache2 is still wide open)

hosts.allow and hosts.deny

These two files, located in your /etc/ folder, allow you to limit or permit connections from specific hosts or ips.  Using these two files you could setup a whitelisting firewall or blacklist.  Remember, as mentioned in the compatibility section, this only applies to the services referring to libwrap.  If you are running services outside of the scope of libwrap.so this may not be the best solution for you in terms of firewalling.

/etc/hosts.allow

ALL: 127.0. [::1] (the 127.0. range is allowed, as well as the localhost ipv6 address)

sshd : 192.168.0.5 (specific IP) 192.168.0. (specific range) EXCEPT 192.168.0.10 (range exceptions)

/etc/hosts.deny

ALL : ALL (denying all services to all hosts)

This example would allow connections from localhost on ipv4 and ipv6 for all services and also explicitly allow ssh connections from the 192.168.0.5 address, the entire 192.168.0. range, but excluding the 192.168.0.10 host.  The hosts.deny then outright denies all services for all hosts.  This is a very basic example but hopefully it gets the idea across.  You could also reverse the contents of the two files in the example above and do blacklisting.  ALL : ALL are allowed with the exceptions of services and ips listed in the hosts.deny.

The syntax of the hosts.allow and hosts.deny files are:

service(s) : ips or hosts

You can comma separate the list of services you want to allow or deny and make a similar list of hosts/ips to allow or deny.  Very simple syntax.

conclusion

The hosts.allow and hosts.deny files are very flexible and allow you to lock down your network in very granular ways.  The limitation of some applications not honoring hosts.allow and hosts.deny is the biggest thing to remember.  Make sure the service you are trying to block refers to libwrap.so before you start writing rules or you may sit and wonder why your rules don’t work, when its really the application itself not being compatible.

Random Posts

• View A Package Changelog Entry With Aptitude or Synaptic
• Basics for the command line - for newbies : Ubuntu (5.10 / 6.06.1 / 6.10)
• Vista : Top 5!
• I'm a Flockstar!
• VLC - the cross-platform media player and streaming server
• How to install Tor & Privoxy : (K)Ubuntu (6.06 / 6.10)
• …and the winner is
• Twitter Casualty
• Evolution + Gmail IMAP = …really slow?
• TCP: Treason Uncloaked?

This last week I’ve been very interested in encryption. If you missed it you might be interested in my post on encrypting files or emails with GPG. In this tutorial I wanted to outline how to encrypt a local partition or a removable device (like a USB key). The steps used here will work for either type of device although you’ll need to replace your partition name and number for the examples provided here.

Attention: following this tutorial will wipe all data from the partition or device you write it to. You cannot encrypt your file system after-the-fact using this method. Be sure you have backups or don’t care about the data being lost if you follow these steps!!!

Step 1:

The first step in the tutorial is installing the cryptsetup utility, which is part of the cryptsetup package. You can search for this using your favorite package management utility or use this command:

sudo aptitude install cryptsetup

Step 2:

Now that we have the cryptsetup utility installed we’ll need to prepare the device for use. If you have a newly created device or partition you may be able to skip this step, but it also won’t hurt to redo this step anyway.

If you are unsure what the device is listed as, you can use either of these two commands:

sudo fdisk -l

(this will list your current partition table, both on local and removable media.)

dmesg

(this will show kernel messages pertaining to hardware. If you plug in a removable device and wait a few seconds, this will show what you what device the kernel assigned the hardware.)

Once you know what device you want to apply this to you can run the following command on [your device] to create the partition you want to encrypt. I suppose you can also use a graphical utility like gparted, etc. Those tools are outside the scope of this tutorial.

sudo fdisk /dev/[your device]

(ie; if your device showed up as /dev/sdb you would use: sudo fdisk /dev/sdb)

For removable media make a single primary partition using the entire space of the device (or alter for your needs if you know what you’re doing).

Once you have created the partition you’ll want to “w”rite the change in fdisk. Remember, if you don’t “w”rite the changes none will be applied.

Step 3:

To make sure that your kernel is up to date concerning the newly created / altered partition table you may need to run the command:

sudo partprobe

Step 4:

Now we’ll get to encrypting this new partition. There are different options you can use here, and I’ll outline a few of them, but there really isn’t one that is “the best”. It depends on your level of security needs and the time you want to spend on it. If you want it done quickly and want a basic level of fairly-hard-to-break encryption you can use the first option. If you are super paranoid and don’t mind letting this take some time (hours or days on large disks!) to build you can use option three. Somewhere in the middle, option two is probably fine. Anyone have suggestions on other methods?

We’ll write data over the newly created partition to help aid in the encryption process. By writing data to the partition prior to encryption it helps protect against data attacks, finding patterns on the block-level, etc. You can use one of the following three commands:

sudo dd if=/dev/zero of=/dev/[your device] bs=4K

(this method is probably recommended unless you expect active attacks against your encryption layer)

sudo badblocks -vfw /dev/[your device] [block-size-of-your-device]

(this option will write 5 data patterns across your drive and overwrite and verify the data. This is used to check for badblocks, but can also be used to wipe out any existing data)

sudo dd if=/dev/urandom of=/dev/[your device] bs=4K

(this method is considered pretty secure. It is based on the truly random option below but is pseudo-random data–probably a very good option in most cases.)

sudo dd if=/dev/random of=/dev/[your device] bs=4K

(this is considered the most secure but will take a long time. It is also important to generate a lot of random data on your machine. Launch some applications, do some high disc I/O, move the mouse erratically, etc. This may take DAYS!)

Step 5:

At this point the partition is ready to be encrypted. Now there are multiple encryption methods and options to be used within each. This tutorial outlines using the LUKS encryption with my prefered string length, hash and cipher. You may change these if you know what you’re doing. If not, omitting my options will use the defaults (ripemd160 hash). This command will remind you that all data will be lost (although we already lost everything in Step 4. This is also where you’ll be prompted for your passphrase to access the encryption.

sudo cryptsetup luksFormat /dev/[your device] -c aes -s 256 -h sha256

(again, past [your device] are my preferred options)

If you see an error near this point similar to “Failed to setup dm-crypt key mapping. Check kernel for support for the aes-cbc-plain cipher spec and verify that /dev/[your device] contains at least 258 sectors.” you’ll need to run this command:

sudo modprobe dm-crypt

You may want to have this module auto-magically added at boot time by appending this line to your /etc/modules file:

dm-crypt

Step 6:

Now that we’ve created the encryption basic layout on the partition we need to open the encrypted partition for use.

sudo cryptsetup luksOpen /dev/[your device] name

(name can be whatever you like. I use things like secure or vault or encrypt)

Step 7:

Now that we have the device open and added to the dm (dev mapper) system we can actually create a file system on it and use it. One last command and we’ve got ourselves an encrypted, usable filesystem.

sudo mke2fs -j /dev/mapper/name -L label

(where name was applied above and label is the filesystem label. I generally match the two. This also assumes an ext3 file system. If you know you want a different filesystem type I’m assuming you know the right command.)

If you’ve come this far your device is ready to use. A few additional points that you may be interested in.

Additional

First, if this is a local partition and filesystem, such as a /data folder, you may want it to be mounted automagically at boot time. You can add the new partition to your /etc/fstab file to be mounted at boot. Be sure to specify the /dev/mapper/[name] location and not the original partition location. You should note that when your booting system arrives at this device it will prompt you for a passphrase key and halt the boot process until one is provided. An example of a line in the /etc/fstab is:

/dev/mapper/name /data ext3 defaults 0 0

Second, if you are using this on a removable drive such as a usb key the Gnome Desktop (someone verify in KDE?) will recognize the encrypted setup and prompt you for a key visually. A message such as “The storage device contains encrypted data. Enter a password to unlock” will appear. You will be required to know the passphrase (as supplied in Step 5) to access this device again. The desktop system also allows you to “forget immediately“, “remember password until you logout” or “remember forever” the key provided. Those options are up to you and your usage. “Remember forever” should store the key in your gnome keyring.

Third, if you are following this guide for use on a removable disk you may want to change ownership (chown) on the mounted path and set group id (sgid) on the directory so that your user has full permissions. Considering we ran everything with sudo the mounted path and ownership is probably set to the root user. You can use these two commands to set the permissions:

sudo chown -R user.user /media/[name]

(user.user should, of course, be replaced with your username on the system)

sudo chmod g+s /media/[name]

([name] is the mount point that the system auto-mounted the device on. It *should* match whatever you set the label to in step 7.)

There is also an option to create multiple keys to unlock the device. This is helpful if it is a multi-user system and you don’t want to use a shared passphrase. You would add a key to the encrypted device using:

sudo cryptsetup luksAddKey /dev/[your device]

This will prompt you for your current key and then the new key. The new key will have to be entered twice. Also, if you want to remove a key you can use the similar:

sudo cryptsetup luksDelKey /dev/[your device] [slot #]

To find out more information about your encrypted partition / device, and to see things such as assigned key slots, you can also use:

sudo cryptsetup status name

sudo cryptsetup luksDump /dev/[your device]

I would like to expand this soon to include encrypting your entire root filesystem or other variations like bypassing the passphrase but storing the “key” an a usb drive or similar. This way it is similar to a hardware key needed to boot your machine. There are a lot of different ways this could go… until then, I think this has become long enough

Random Posts

• How To pwn Your Text Files With Vim
• View A Package Changelog Entry With Aptitude or Synaptic
• Looking For a Few Passionate Volunteers - Ubuntu Community Participation Project
• VHCS v2.4.7.1 Pro - DO NOT USE
• Verizon treads into the realm of The Prince
• Ubuntu Tutorials Poll: What Would You Like To See?
• IE: A whole new internet
• Right-Click to Launch Custom Scripts with Nautilus : Ubuntu (6.06.1 / 6.10)
• XO Laptop Specs.. for those interested
• Print Directly To PDF in Ubuntu 8.04