Category Archives: Security

UDF on MacOS and Linux

Recently I wanted to have the ability to use SSH to log in to my Amazon Lightsail instances from my work laptop. For privacy reasons, I didn’t want to put my SSH private key permanently on the laptop and I didn’t want to put the public key for my laptop on the Lightsail instances.

Since I’m very comfortable with the unix command line, I decided to put a new (password protected) private key on a flash drive so I could use that key to log in to the Linux instances.

The problem is permissions.

SSH won’t let you use a private key file with open permissions. If the key file is world readable, it will display an error and refuse to use it. There isn’t a workaround that I’ve been able to find (other than recompiling SSH from source with modifications).

This mean that the most common flash drive file systems (FAT, FAT32, & exFAT) can’t be used. None of those file system formats support permissions.

I could have formatted the flash drive using the MacOS HFS format, and installed the necessary packages on my Ubuntu Laptop to support that, but I wanted to go for something more generic.

After some research, I decided to give the User Defined File system (udf) a try.

I did have to install UDF support on the Ubuntu system, but that wasn’t a big deal.

sudo apt-get install udftools

To format the flash drive on my Mac, I used this command:

sudo newfs_udf -m blk -v <label> /dev/disk<n>

Important to note, the device file (/dev/disk<n>) must be the device itself, not a partition of the device (on Mac systems a partition will be denoted with ‘s9’ after the device name where 9 is the partition number, for example /dev/disk4s1).

After the UDF file system is created on the flash drive, you must … eject the drive, physically remove the device, and re-insert it. The device will now show up on the system as “/Volumes/<label>”.

Interestingly, the owner of the mounted device is the currently logged in user.

macbook-pro:newkey david$ ls -l /Volumes/FLASHDRIVE/
total 3
-rw-------@ 1 david  staff  1073 Jul 11 10:11 aws-key

I copied the new SSH private key file to the flash drive, made sure the permissions were correct, and ejected the drive.

I then inserted the drive into my Ubuntu system. It mounted correctly right away.

I was then able to log in to my Lightsail instances using the command

slogin -i /media/<my linux user id>/<flash drive label>/<private key file> ec2-user@<aws hostname>

Interestingly, when the UDF formatted flash drive is mounted, the owner is the logged in user, but had the correct permissions.

user@linux:~#: ls -l /media/user/FLASHDRIVE/
total 2
-rw-------- 1 user  user  1073 Jul 11 10:11 aws-key

So far it’s been working well. I’m pleased with this little project.

Postmaster Resources

This post is as much to help me remember as it is to help other people.

Below is a list (not comprehensive) of the postmaster resource pages for some of the major email providers.

Microsoft / Outlook https://postmaster.outlook.com
Google https://postmaster.google.com/
Yahoohttps://help.yahoo.com/kb/postmaster
Comcasthttps://postmaster.comcast.net/
AOL https://postmaster.aol.com/

On these sites you can get information about how the provider handles spam, feedback loops, blacklists, whitelists, etc.

Very useful for those managing mailing list servers.




Protecting domains from spammers

Spammers quite often ‘spoof’, or fake, the from address of an email.

As a result of this, many unsuspecting domain owners are being ‘blamed’ for spam that appears to come from their domain.

Fortunately, there is a relatively easy way to protect your domain from this: Publish DMARC policies.

If you are publishing SPF records and signing your email with DKIM, you can publish DMARC policies that tell receiving mail servers what do with emails that don’t align with the SPF and DKIM information.

SPF policies are DNS records that indicate what mail servers your mail is sent from.

DKIM is a way to add digital signatures to your email so that receiving mail servers can verify it was sent from an authorized source and that it wasn’t modified in transit.

Now what if you have a domain that you NEVER send email from?

Protecting those domains from being used in spam is even easier.

Continue reading

WordPress Under Attack

If you run a wordpress blog, you really should  be aware that there is a global attack on wordpress blogs going on.

It’s coming from a bot net and is an attempt to find blogs that have their admin account enabled with easy to guess passwords.

I noticed the attack a couple of months ago when, while watching my web server log scrolling by, I noticed a significant number of attempts to use the wp-login.php script from random IP addresses.

A bit of research turned up information on the global attack.

Obviously I wanted to do something about it to protect my server.

Continue reading

Spontaneous Security

Over the holiday weekend, I experienced the ultimate computer security mechanism:

“Spontaneous Security”

I was using my new Dell Latitude E6420 to do some network reconfiguration when the machine started acting weird with regard to the network.

Since this machine runs Windows 7, I decided to just reboot it to clear the network configuration.

After I restarted the machine I was asked for a password by the BIOS.

The odd thing was … I never set a BIOS password.

Continue reading

Good Deed

This morning the SSH scan detector software that I run (DenyHosts) sent me an email indicating that it had detected a SSH scan and blocked the host.

The host name it reported did not appear to be a dynamic host (like those usually assigned by DSL provider), so did a little digging to identify who owned the system.

I notified Terry about the problem … and they replied …

I just checked the .100 address and found that I had (in an unbelievable amount of stupidity) left a test account on the system, and someone from Italy was actively engaged in running an SSH scan from that account. I contacted their ISP, hopefully they will do something about it. I removed the account, and will be taking the machine down momentarily to be rebuilt after I back some data off of it. How embarrassing. Thanks for letting me know. I suppose it is time for me to install that bridging firewall running snort I’ve been meaning to build… gah!

Glad I could help, Terry. Chalk one up for the good guys.

[tags]ssh, security, linux[/tags]