Ichimusai

Photos and other rants

Meny Stäng

Författare: Ichimusai (sida 2 av 61)

A Better Login for the Web

Logins to the web today generally consists either of a username/password pair or an email address and password. This has to change. The reason is simple, people don’t select good passwords and even if they do they re-use them on multiple web pages meaning that a sysadmin of some site may know your password to other sites or by accident get hacked or a multitude of other things can happen to it.

Emails for usernames are inherently bad. First of all someone wanting to break in would not even have to guess your login credentials, only your password. Also, people tend to use things like webmail for their email today which means that anyone running that system can use credentials to log on as someone else.

Most services can reset their password if you know someones mail. It’s so easy to sneak in to a colleagues computer and use a password reset, then fetch a new password, delete the mail, go to another computer log in and change the email address for the reset. The first user stands little chance to get it back ever again.

We are starting to see logins based on your facebook account or google accounts or even Yahoo! although their services are getting more scarce every day, but that is at least a step in the right direction — that is if you have at least a two-factor authentication method turned on (google supports this) it can be reasonably safe. Nothing is a hundred percent and may not need to be, resonably safe is good enough here.

But that relies on a third party service which makes you vulnerable if it should be offline. Or if your account gets cancelled for whatever reason, even just a mistake, your screwed and may not even be able to log in to your email to send a complaint.

There has to be a better way!

We have already seen some things. There are web login systems out there that displays a challenge to your phone which then sends a response using a local encryption key. Clever but if your phone does not have network it won’t work very well. There are other similar things that are built around a sound or light show and QR codes or whatnot that you scan with your smartphone.

But all this relies on advanced hardware that may be out of battery, no connection to the network or if you are roaming you may not WANT to connect it to the operator network for data traffic because of the immense roaming charges on data.

There has to be a better way!

In fact, the solution is pretty easy. We can use standard every day public key encryption methods to make this work pretty well. Similar to what we do with SSL but without the fuzz and in a way that a registered user can identify himself using private key signing of a login certificate.

The certificate is issued by the web site when you register. It is encrypted with your public key so only you can decipher it. When you log in you encrypt the same certificate with the web site’s public key and then only they can verify your authenticity. You also sign it with your private key so the web site can verify that your key is valid still.

All this needs is a pen drive and some open source software.

It’s time to build a better login method for the web. It’s time to make it easy. Keys can be stored on a thumb drive, in your phone or even on your own computers. No need for a third party service. Losing a key means a revocation certificate is sent and your old key is no longer valid a new one needs to be provided.

When do we build it?

And now a short break…

New Emacs on old Ubuntu

If you want to install Emacs24 on an older Ubuntu such as 12.04 you can do it manually by adding the following repository and then installing.

First remove the emacsen you have which is probably emacs23

$ sudo apt-get remove emacs emacs23

Then add the new repository and update:

$ sudo add-apt-repository ppa:cassou/emacs
$ sudo apt-get update

Then install Emacs24:

$ sudo apt-get install emacs24 emacs24-el emacs24-common-non-dfsg

 

Christmas Greetings

DSCF2983

DSCF2982

Who has access to my Google Drive?

If you, like myself, rellay like the Google Drive and it’s abitlity to co-operate on a seamless basis no matter what operating system or office version the other parties are using and if you share entire folders or certain files with people from time to time it can after a while become rather difficult to keep track on these shares.

Maybe you sometimes share with someones email address or you may share a link to the document with a bunch of people. It is a good idea to go through your shares and revoke all that are not supposed to apply any more from time to time.

There isn’t’ an easy builtin tool to do this into the Google Drive but I hope we will get this one day. In the mean time there is an additiona tool that you may use: https://whohasaccess.com/ which is a third party app that will (after your permission) scan your google drive folders, create a report on the permissions you have set.

You can then use this report to review your sharing options and change them accordingly and when you are done you may also delete your data at the third party.

However, if your data is really sensitive you should think about using a third party app like this access to it. But if it is normal personal stuff we all put together and it’s not something that is sensitive commercially or worse it is a pretty good feature. I do hope Google Drive people would include this function in the normal Google Drive menu soon however. The service resides in Germany and is thus bound with the data protection act of Bundesrepublik Deutschland which is a little comforting.

Interstellar (Spoilers!)

Så var vi och såg filmen ”alla” pratar om och den var snygg som sjutton, första gången vi ser en någorlunda vetenskapligt renderat maskhål på bioduken samt ett svart hål med tidsdistorsion även om den var kraftigt överdriven.

Tyvärr tycker jag inte resten av storyn håller hela vägen det var ganska många saker jag störde mig på där. Det började ganska bra men sedan fyller det ju på med tidsparadoxer och annat samt en del väldigt ologiska beslut som när protagonisten i slutet bestämmer sig för att strunta i familjen, det enda som hållit honom samman under resan och drar iväg för att söka lyckan hos tjejen som precis begravt sin kärlek.

Dessutom håller inte fysiken något vidare vid en närmare studie. Tidsdilatationen på första planeten man besöker beskrivs som 1 timme motsvarande 7 år på jorden. I ett sådant gravitationsfält skulle tidvattenkrafterna slita planeten och folket i stycken. Egentligen borde det vara snarare så att 1 timme motsvarade 1 timme och 4 minuter på jorden.

En annan sak var att planet nummer 2 förefaller långt mycket kallare än planet nummer 3 som beskrivs som ännu mer avlägsen men har minst lika bra dagsljus.

Den celesta mekaniken lämnar också en del övrigt att önska även i denna film men det får duga. Det är i alla fall det absolut snyggaste maskhål och det absolut snyggaste svarta hål som vi sett på bioduken någonsin. Storyn är i övrigt rätt okay, har sina twistar och fängslar en del.

Berättartakten är ganska mjuk och filmen påminner i mer än en scen om 2001 faktiskt. Jag till och med förväntade mig att någon AI skulle knäppa ur (i stället var det en människa som gjorde det) men det fanns en del likheter och jag tycker det var skönt att berättartempot inte var så sjukt högt.

Gone to Tallinn / Vi far till Tallinn

We are going to Tallinn for a cruise over the weekend. Be back in business on Monday again, but if you should need to get hold of me, use my private number in the weekend as I am leaving the work phone at home.

Vi reser till Tallinn på en kryssning över helgen. Återkommer måndag morgon igen men om du behöver få tag i mig, använd min privata telefon eftersom jag kommer lämna arbetstelefonen hemma.

Systemd?

Nope

Nope

IP-Tables control of traffic by Country

Recently I have had quite a few bouts with people trying all sorts of nefarious things with my VPS from various places in the world. I realized the best way is to take whole countries out of the equation and I wanted to make this a nice easy way of doing this.

First of all, I soon realized that I needed to be a little bit restrictive but since some of the domains that runs on the server is probably legitimately accessed I wanted to divide all countries up in three categories:

0 – No restrictions
1 – Restricted access, basically just allowing ICMP and http on port 80
2 – Complete blocking, drop all packets

So countries in the 0 class would be Sweden and all countries where there is a reasonable legal system and where I have not yet seen too many attempts on the security from. Class 1 would be places like Russia, where there are legit traffic but also a lot of crap coming from and Class 2 would be china where there is likely no legit traffic and still a lot of attempts on the security.

First of all, you need to get hold of a zone file divided on country by country. This is also called a CIDR file (Classless Internet Domain Routing) where all the IP blocks assigned on an international level are put in the right file. You can find this here. Just download the file with all the blocks in and keep it somewhere. You may want to refresh this now and then, say on a montly basis or so.

I am assuming you already have an iptables script file and that you are just looking at adding this functionality. Open the script file and add the following to it

# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!
echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
  echo "Processing k-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

This script should be placed before any rules that will allow any traffic what so ever!

After this part you place the rules that allows any traffic you wish to allow from the restricted countries and then you place this after those rules:

# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries
echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
  echo "Processing r-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

Now you should create the following directories:

sudo mkdir /etc/iptables
sudo mkdir /etc/iptables/banned-hosts/
sudo mkdir /etc/iptables/restricted-hosts/

Explode the file you downloaded with all the IP Blocks in country by country into the /etc/iptables/banned-hosts/ directory and you should get a bunch of files called af.zone, al.zone and so on. Each of these referrs to a ISO 2 letter country code.

Do not run the iptables script at this point. Start by removing the file for your own country. In my case that would be se.zone for Sweden. Your mileage may vary here. Refer to this page if you do not know the country codes (which are the same as these countries internet domains).

Delete the files that you do not wish to impose any restrictions on.

Move the files for the countries you want to restrict to the /etc/iptables/restricted-hosts/ dir.

Anything remaining when you are done in the /etc/iptables/banned-hosts/ will be denied access when you run your iptables script.

So run the script now, it may take some time.

When you are done run the command iptables-save > /etc/iptables/tables to save your iptables then add the line in /etc/rc.local or some other similar place iptables-restore < /etc/iptables/tables in order to automatically load your tables on boot time.

Full example

echo "### IP-tables ###"

IPTABLES=/sbin/iptables

echo "Default policies."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

echo "Flushing old rules"
$IPTABLES -F
$IPTABLES -X

echo "Create LOGDROP chain"
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG --log-prefix "IPT: DROP " --log-level 7
$IPTABLES -A LOGDROP -j DROP

echo "Create LOGACCEPT chain"
$IPTABLES -N LOGACCEPT
$IPTABLES -A LOGACCEPT -j LOG --log-prefix "IPT: ACCEPT " --log-level 7
$IPTABLES -A LOGACCEPT -j ACCEPT

echo "Create INVALIDDROP chain"
$IPTABLES -N INVALIDDROP
$IPTABLES -A INVALIDDROP -j LOG --log-prefix "IPT: INVALID " --log-level 7
$IPTABLES -A INVALIDDROP -j DROP

echo "Killfile certain IP chain"
$IPTABLES -N BANNED
$IPTABLES -A BANNED -j LOG --log-prefix "IPT: BANNED " --log-level 7
$IPTABLES -A BANNED -j DROP

echo "Create a country block chain"
$IPTABLES -N CBLK
$IPTABLES -A CBLK -j LOG --log-prefix "IPT: CBLK " --log-level 7
$IPTABLES -A CBLK -j DROP

# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!

echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
 echo "Processing k-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

echo "Enabling ICMP"
$IPTABLES -A INPUT  -p icmp -j LOGACCEPT
$IPTABLES -A OUTPUT -p icmp -j LOGACCEPT

echo "Enabling http on standard port"
$IPTABLES -A INPUT  -p tcp --dport http -m state --state NEW         -j LOGACCEPT
$IPTABLES -A INPUT  -p tcp --dport http -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport http -m state --state ESTABLISHED -j ACCEPT

# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries

echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
 echo "Processing r-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

echo "Dropping invalid packets"
$IPTABLES -A INPUT -m state --state INVALID -j INVALIDDROP

echo "Enabling DNS server connections."
$IPTABLES -A INPUT  -p tcp --sport domain -j ACCEPT
$IPTABLES -A INPUT  -p udp --sport domain -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport domain -j ACCEPT

echo "Enabling NTP server connections."
$IPTABLES -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW         -j LOGACCEPT

echo "Applying rules for inbound and outbound ssh"
$IPTABLES -A INPUT  -p tcp --dport gopher -m state --state NEW         -j LOGACCEPT
$IPTABLES -A INPUT  -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT  -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT

echo "Applying rules for outbound ssh standard port"
$IPTABLES -A INPUT  -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT

echo "Enabling https traffic out from this machine"
$IPTABLES -A INPUT  -p tcp --sport 443  -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT  -p tcp --sport 443  -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443  -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443  -m state --state NEW         -j LOGACCEPT

echo "Dropping all other input packets."
$IPTABLES -A INPUT -j LOGDROP

echo "Done."

echo "IPV6 setting policy"

/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P OUTPUT DROP
/sbin/ip6tables -P FORWARD DROP

echo "IPV6 flushing tables"

/sbin/ip6tables -F

echo "IPV6 Done."