Install an SSL Certificate on a Cisco ASA

To install a certificate on a Cisco ASA firewall, you’ll probably want to use ASDM. Here are the steps:

  1. Select the certificate you want to renew beneath Configuration, Device Management, Identity Certificates, and then click Add.
  2. Under Add Identity Certificate, select the Add a new identity certificate radio button, and choose your key pair from the drop-down menu or create a new key pair.
  3. Enter the appropriate certificate attributes. MAKE SURE TO CLICK ON ‘ADVANCED’ AND VERIFY THE FQDN! Once completed, click OK. Then click ‘Add Certificate’.
  4. In the Identity Certificate Request popup window, save your Certificate Signing Request (CSR) to a text file, and click OK. Verify in ASDM that the CSR is pending.
  5. Submit your CSR to get your certificate issued.
  6. Select the pending certificate request under Configuration, Device Management, Identity Certificates, and click Install. In the Install Identity Certificate window, select the Paste the certificate data in base-64 format radio button, and click Install Certificate.
  7. To bind the new certificate to the interface, choose Configuration, Device Management, Advanced, SSL Settings. Select your interface under Certificates, and click Edit. Choose your new certificate from the drop-down menu, click OK, and click Apply.

Don’t forget to write your changes!

You can verify the available certs from the CLI using the command

show crypto ca certificates

You can verify the cert is applied to the interface with

show running-config ssl

Fail2Ban – Reload banned IP’s after a restart

Restart fail2ban and load the previously banned IPs back into iptables

Restarting fail2ban will drop all of your currently banned IPs from iptables. To reload those banned IPs, try this.

First, output your current fail2ban bans to a text file as iptables commands:
iptables-save | grep -- '-A fail2ban' | sed 's/^-A/iptables -A/' > bannedIPs.txt

Stop fail2ban, make your config changes, etc. and restart:
service fail2ban stop
service fail2ban start

Load your iptables commands by piping your saved rules to bash:
cat bannedIPs.txt | /bin/bash
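
As an added example (not part of the original post), the save step can be written as a filter that keeps only lines shaped exactly like a ban rule, since bannedIPs.txt is later executed by bash as root. It assumes the stock iptables action, where each fail2ban chain ends with a RETURN rule, so it emits iptables -I ... 1 (insert at the top) instead of -A; the function names and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Exactly: chain, one IPv4 source with optional mask, DROP or REJECT target.
BAN_RE='^-A fail2ban-[A-Za-z0-9_-]+ -s ([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})? -j (DROP|REJECT( --reject-with [a-z-]+)?)$'

# stdin: iptables-save output. stdout: one restore command per valid ban rule.
# Rules are inserted at position 1 so they sit above the chain's RETURN rule
# (assumption: the stock iptables action, which ends each chain with RETURN).
ban_rules_to_commands() {
    grep -E -- "$BAN_RE" |
        sed -E 's/^-A (fail2ban-[A-Za-z0-9_-]+) /iptables -I \1 1 /'
}

# stdin: iptables-save output. stdout: fail2ban chain lines that were refused,
# apart from the expected RETURN rule. Anything listed here deserves a look.
rejected_lines() {
    grep -- '^-A fail2ban-' | grep -E -v -- "$BAN_RE" | grep -v -- ' -j RETURN$' || true
}

# Constructed sample of iptables-save output (documentation address ranges).
sample_iptables_save() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-SSH -s 203.0.113.7/32 -j DROP
-A fail2ban-SSH -s 198.51.100.23 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 192.0.2.1 -j DROP; echo unexpected
-A fail2ban-SSH -j RETURN
COMMIT
EOF
}

# Real use: iptables-save | ban_rules_to_commands > bannedIPs.txt
sample_iptables_save | ban_rules_to_commands
sample_iptables_save | rejected_lines >&2
```

The third sample rule carries trailing shell text and is reported by rejected_lines instead of being written to the restore file.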

Generating and using SSH keys for authentication

Setting up SSH keys

SSH keys are great, but remember to keep your private key (~/.ssh/id_rsa by default) safe! And check out the “Top 20 OpenSSH Server Best Security Practices” article at cyberciti.biz for some security tips. That said, all you need to do to use SSH key authentication is to generate a key pair (public and private) and copy the public key to the remote server.

To generate a new key:
ssh-keygen -t rsa

Here’s an example that includes the output:
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@localhost

This will also create the ~/.ssh directory with the correct permissions (if it doesn’t already exist), along with the private key (id_rsa) and the public key (id_rsa.pub). You can specify different file names, which is useful when you need multiple keys. You can also generate keys for users other than root. ‘su’ is the easiest way to do this, because the directories and permissions won’t need to be fixed later:

[root@localhost ~]# su user1
[user1@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Created directory '/home/user1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user1@localhost

The public key will then need to be copied to the remote server’s ~user/.ssh/authorized_keys file:
scp .ssh/id_rsa.pub remotehost:.ssh/authorized_keys
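
The scp command above replaces any authorized_keys file already on the remote host. As an added example (not part of the original post), the function below appends a key instead and sets the directory and file modes; it is meant to run on the remote host after the .pub file has been copied there under another name. install_pubkey and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. install_pubkey is an illustrative name.

# Key type, base64 blob, optional comment: the layout of an id_rsa.pub line.
KEY_RE='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends the key to HOME_DIR/.ssh/authorized_keys unless it is already listed.
install_pubkey() {
    pub=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys

    # Refuse anything that is not exactly one public key line; this also
    # catches the private key (id_rsa) being passed by mistake.
    n=$(grep -cE -- "$KEY_RE" "$pub" 2>/dev/null) || true
    if [ "$n" != 1 ]; then
        echo "install_pubkey: $pub does not hold exactly one public key" >&2
        return 1
    fi
    key=$(grep -E -- "$KEY_RE" "$pub")

    # sshd (StrictModes) refuses key files that other users can write to, so
    # create with a tight umask and set the modes explicitly.
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 1

    # Match on type and blob only, so a different comment is not a new key.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        echo "install_pubkey: key already present" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Demo in a scratch directory with a constructed (non-functional) key.
if demo_home=$(mktemp -d); then
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQconstructedExampleKey user1@localhost' > "$demo_home/id_rsa.pub"
    install_pubkey "$demo_home/id_rsa.pub" "$demo_home" && ls -l "$demo_home/.ssh"
    rm -rf "$demo_home"
fi
```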

Some additional notes on using SSH keys

Verbose output: ssh -vv -l user host

Specify a key to use with the -i flag:
ssh -i /path/to/key -l user host

ssh-keygen flags

Change a passphrase on a key: -p

Specify number of bits: -b 2048

Comment a key: -C comment (-c changes the comment on an existing key)

Decrypt a Cisco VPN Client Pre-Shared Key

There is an old article at spiration.co.uk that covers how to set up a VPN client on Ubuntu. It includes details on how to decrypt an obfuscated pre-shared key from a .pcf file:
You will then need to compile the cisco-decrypt.c utility which is downloadable from here: http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c Note that when you come to compile the program you will need to use the following compile options:

gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)

This will result in a working binary in ./cisco-decrypt:

$ ./cisco-decrypt encryptedpre-sharedkey
pre-sharedkey

In case you’re curious, here is what cisco-decrypt.c looks like:

/* Decoder for password encoding of Cisco VPN client.
Copyright (C) 2005 Maurice Massar
Thanks to HAL-9000@evilscientists.de for decoding and posting the algorithm!

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

/*
Requires libgcrypt version 1.1.90 or newer
Compile with:
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)
Usage:
./cisco-decrypt DEADBEEF...012345678 424242...7261
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <gcrypt.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
int hex2bin_c(unsigned int c)
{
    if ((c >= '0')&&(c <= '9'))
        return c - '0';
    if ((c >= 'A')&&(c <= 'F'))
        return c - 'A' + 10;
    if ((c >= 'a')&&(c <= 'f'))
        return c - 'a' + 10;
    return -1;
}

/* Decode a hex string into a newly allocated buffer of *len bytes. */
int hex2bin(const char *str, char **bin, int *len)
{
    char *p;
    int i, l;

    if (!bin)
        return EINVAL;

    for (i = 0; str[i] != '\0'; i++)
        if (hex2bin_c(str[i]) == -1)
            return EINVAL;

    l = i;
    if ((l & 1) != 0)
        return EINVAL;
    l /= 2;

    p = malloc(l);
    if (p == NULL)
        return ENOMEM;

    for (i = 0; i < l; i++)
        p[i] = hex2bin_c(str[i*2]) << 4 | hex2bin_c(str[i*2+1]);

    *bin = p;
    if (len)
        *len = l;

    return 0;
}

int c_decrypt(char *ct, int len, char **resp, int *reslenp)
{
    const char *h1  = ct;       /* 20 bytes: key seed, first 8 bytes are the IV */
    const char *h4  = ct + 20;  /* 20 bytes: SHA-1 of the ciphertext */
    const char *enc = ct + 40;  /* 3DES-CBC ciphertext */

    char ht[20], h2[20], h3[20], key[24];
    const char *iv = h1;
    char *res;
    gcry_cipher_hd_t ctx;
    int reslen, pad;

    /* need h1, h4 and at least one 8-byte cipher block */
    if (len < 48)
        return -1;
    len -= 40;

    memcpy(ht, h1, 20);

    ht[19]++;
    gcry_md_hash_buffer(GCRY_MD_SHA1, h2, ht, 20);

    ht[19] += 2;
    gcry_md_hash_buffer(GCRY_MD_SHA1, h3, ht, 20);

    memcpy(key, h2, 20);
    memcpy(key+20, h3, 4);
    /* who cares about parity anyway? */

    gcry_md_hash_buffer(GCRY_MD_SHA1, ht, enc, len);

    if (memcmp(h4, ht, 20) != 0)
        return -1;

    res = malloc(len);
    if (res == NULL)
        return -1;

    gcry_cipher_open(&ctx, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, 0);
    gcry_cipher_setkey(ctx, key, 24);
    gcry_cipher_setiv(ctx, iv, 8);
    gcry_cipher_decrypt(ctx, (unsigned char *)res, len, (unsigned char *)enc, len);
    gcry_cipher_close(ctx);

    /* last byte is the padding length; reject values outside one block */
    pad = (unsigned char)res[len-1];
    if (pad < 1 || pad > 8) {
        free(res);
        return -1;
    }
    reslen = len - pad;
    res[reslen] = '\0';

    if (resp)
        *resp = res;
    if (reslenp)
        *reslenp = reslen;
    return 0;
}

int main(int argc, char *argv[])
{
    int i, len, ret = 0;
    char *bin, *pw;

    gcry_check_version(NULL);

    for (i = 1; i < argc; i++) {
        ret = hex2bin(argv[i], &bin, &len);
        if (ret != 0) {
            perror("decoding input");
            continue;
        }
        ret = c_decrypt(bin, len, &pw, NULL);
        free(bin);
        if (ret != 0) {
            perror("decrypting input");
            continue;
        }
        printf("%s\n", pw);
        free(pw);
    }

    exit(ret != 0);
}

PGP Encryption – Enigmail in Thunderbird email

Enigmail is a security extension to Mozilla Thunderbird and Seamonkey. It enables you to write and receive email messages signed and/or encrypted with the OpenPGP standard.

PGP Encryption - Enigmail automatically decrypts and verifies your Email

To install and configure Enigmail:

1) Install GnuPG

2) Find the appropriate Enigmail package, download and install

3) Create your Keypair

4) Set up ‘Per-Recipient Rules’. This will allow you to automatically sign and/or encrypt mail to specific people (or based on other rules). Just go to ‘OpenPGP’ > ‘Edit Per-Recipient Rules’.

Thanks Chris!

SELinux basics on CentOS 5

Check SELinux status: getenforce

Change SELinux status: setenforce 0
(0=permissive, 1=enforcing)

Disable SELinux: edit /etc/selinux/config and reboot

Troubleshoot SELinux: sealert and semanage
For more info on using sealert and semanage, see wiki.centos.org on troubleshooting SELinux

Using audit2allow to create custom SELinux policies: SELinux denials are logged to /var/log/audit/audit.log. Running audit2allow -a -w prints human-readable information about each denial. To show the Type Enforcement rule that would permit it, use audit2allow -a. To build a module from that rule, run audit2allow -a -M policyname, which then instructs you to run semodule -i policyname.pp.
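
To see what a generated module would permit before loading it with semodule -i, the denials can be grouped by hand into allow-rule form. The following is an added example, not part of the original post and not a replacement for audit2allow; the function name avc_to_rules and the audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. avc_to_rules is an illustrative name.

# Reads audit.log text (stdin or file arguments) and prints one line per
# source type / target type / class, listing every permission that was denied.
avc_to_rules() {
    awk '
    /^type=AVC / && / denied / {
        perms = $0
        sub(/^.*denied +[{] */, "", perms)   # drop everything up to "{"
        sub(/ *[}].*$/, "", perms)           # drop "}" and the rest
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level, the type is field 3
            if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        count[key]++
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                list[key] = list[key] " " p[j]
            }
    }
    END {
        for (key in count)
            printf "allow %s {%s }; # %d denial(s)\n", key, list[key], count[key]
    }' "$@" | LC_ALL=C sort
}

# Constructed AVC records in the audit.log layout (not real log data).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1300000000.101:51): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=7001 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.101:51): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1300000000.202:52): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/user1/www/index.html" dev=dm-0 ino=7001 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.303:53): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# Real use: avc_to_rules /var/log/audit/audit.log
sample_audit_log | avc_to_rules
```

Each output line is a grant the module would add for every process of that source type, so a line that is broader than the application needs is better handled by relabelling the files or setting a boolean than by loading the module.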

Installing Fail2Ban on CentOS 5

Fail2Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address. These rules (how many attempts before banning, amount of time banned, etc.) can be defined by the user. Fail2Ban can read multiple log files, such as the sshd or Apache web server ones.
You may need an additional repo for this. If so, see my post on rpmforge for additional info.

To install and configure fail2ban:

Install: yum install fail2ban

Configure: Edit /etc/fail2ban/jail.conf and fail2ban.conf, with special attention to the following:
# Option: ignoreip
# Notes.: space separated list of IP's to be ignored by fail2ban.
# You can use CIDR mask in order to specify a range.
# Example: ignoreip = 192.168.0.1/24 123.45.235.65
# Values: IP Default: 192.168.0.0/16
#
ignoreip = 192.168.0.1/16

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=youraddress@yourdomain.com, sender=fromaddress@yourdomain.com]
logpath = /var/log/secure
maxretry = 3

Note that the logpath needs to be changed to the log file that you want to use to block IPs; on CentOS 5 this is /var/log/secure.

The finishing touches:
chkconfig fail2ban on
service fail2ban start

Fail2Ban can be used for all kinds of other things too, such as blocking spammers from a mail server.

Also, keep in mind that you’ll have to have sendmail (or some other mail) enabled if you want to receive the Fail2Ban notifications! You can simply relay through your mail server by modifying /etc/mail/sendmail.cf. Just add your mail server FQDN to the DS line and restart sendmail.
