APLawrence - Information and Resources for Unix and Linux Systems, Bloggers and the self-employed
Security

AIX Operating System Hardening Procedures & Security Guide Some security packages address the problem by stripping all (or nearly all) network services and then instruct you to be careful about what you add to the system. That's a great approach, but it requires that you "get your hands on" the system before anyone layers anything onto it and that you understand what you're adding to the system when you add it back in. These are two conditions that do not apply at many sites. The approach here is different. We will consider services offered by the AIX 5.1 operating system, try to explain what each does, note the risks involved with each and make recommendations about what one ought to do to mitigate the risk.


Title Date Comments
It was a good run   2011 12  2011/12/11 TonyLawrence
- It was a good run - expect far less activity here -
Book Review - Michal Zalewski's 'The Tangled Web'   2011 11  2011/11/12 TonyLawrence
- We will not have ventured very far into the Internet forest before we realize that our 'crack team' of web browsers is anything but. Most of them can't seem to tell a squirrel from a poisonous snake. When they do decide to point their weapons at something threatening, we had better duck ourselves, because their aim is atrociously bad. Suspicious looking miscreants appear at the edges of our trail and beckon us to follow them into the dark woods; our guides lay down their weapons and, with beaming grins, trot off never to be seen again! -
Exploring Apple versions   2011 11 
- When I made the switch, I of course had files under the old account. Some were things I knew I'd need immediately, so I copied them to the new account and changed permissions. Others were things I might need, but then again I might not. What to do about those? -
Can Online Services Be Secure?   2011 08  2011/08/22 Ralph
- Recent data theft disasters have shown that it is not enough to operate a "secure server" and leave all customers' information unencrypted on this server. Because if you think your secure server is invincible, all your customers' data is at risk the moment it turns out that the secure server is not as secure as you thought. -
Advantages of Kerio Control Firewall   2011 07 
- As this customer actually wanted the appliance version, he asked about hardware replacement policies, extended warranties and wondered if he should buy two - "just in case". I explained that extended warranties certainly are available, but also pointed out that in the unlikely event of an appliance failure, he could download and install the virtual appliance version, swap a few cables, and be back up and running in minutes. That's a big advantage of having software versions in addition to the hardware appliance. -
Using fail2ban with Kerio Connect mailserver   2011 06  2011/07/14 Pat
- Fail2ban is fussy about dates in log files; Kerio's security log does not meet its standards -
Helping my sister-in-law with Gmail   2011 06  2011/06/02 TonyLawrence
- I'd rather send pictures or a movie than take control of their computer. They can refer back to what I sent over and over again. -
Sophos free anti-virus for Mac   2011 05  2011/05/23 TonyLawrence
- Although the main threat to Macs is trojans and malware, not viruses, the common man doesn't distinguish these - they are all the same to most folks. -
A SCO Openserver to Red Hat Linux Conversion   2011 04  2011/04/02 TonyLawrence
- A detailed history of a SCO to Linux Conversion - including desktop users. -
Sendmail VRFY   2004 09 
- In the process of doing some testing of a mail server, I noticed a piece of spam mail delivered to an address that no one should have known about. This disturbed me greatly, because the only place that address appeared was in the mail alias file on my server. Had my server been compromised? -
Using sudo   2002 02  2012/01/26 anonymous
- I'm sure that there are more poorly written man pages, but "man sudoers" (which is how you find out about "sudo") is among my all time favorites for poor explanation. Let's clear that up. -
GPG/PGP Basics   2001 11  2011/12/15 Horace
- Using gpg for encryption, understanding the basic use of GPG for new users. Recently someone asked me for a GPG or PGP public key so that they could send some sensitive material to me by email. I understood what they meant, but inwardly I groaned because I've just never had any reason to use public key encryption, and had no idea how to create the key or decrypt what would be sent back to me. Looking at "man gpg" on my Linux box didn't make me feel any better, and a Google search for gpg docs didn't immediately turn up anything that wasn't techno gobbledy-dee-geek. -
Lost root password (Linux)   2003 12  2011/11/14 Per
- Let's try to fix your lost root password the easy way first. The first thing to try is to boot to single user mode. This MIGHT not work for you, because your system might be configured to still ask for a root password to get to single user mode. If that's the case, we'll use another trick that replaces init with /bin/bash. -
Understanding PAM   2005 03  2011/11/06 anonymous
- Understanding PAM basics. PAM is the Pluggable Authentication Module, invented by Sun. It's a beautiful concept, but it can be confusing and even intimidating at first. We're going to look at it on a RedHat system, but other Linuxes will be similar - some details may vary, but the basic ideas will be the same. -
Google Earth Street View   2007 06  2011/10/14 bchopper
- I'm sorry. The ACLU will probably want their card back, but I just don't see cameras as a privacy problem. -
OS X ACL usage   2006 07  2011/08/11 AndyCanfield
- ACL use in OS X. The "chown" man page tells you about their usage, but it leaves a little bit out and isn't all that helpful. -
OS X file encryption   2006 05 
- File encryption for Mac OS X. I'm going to look at two methods for encrypting files on Mac OS X. The first is built in, and uses Disk Utility to create an encrypted disk image. -
AIX Operating System Hardening Procedures & Security Guide   2005 04 
- System Hardening Procedures for AIX -
What is a Managed Switch?   2005 08  2010/05/15 TonyLawrence
- A managed switch allows you to control the individual ports of your switch -
Unix Permissions   2001 04 
- Note: these are classic Unix permissions. However, many modern Unixes support extended attributes that go beyond this. We'll look at one example of that later in the article. -
VPN's and other remote access   2001 04  2011/05/09 TonyLawrence
- VPN Basics. A VPN is a Virtual Private Network. The concept is that you are using public or other shared lines (generally the Internet) to connect machines, but that all packets are encrypted (so your connections are "private"). -
Xinetd   2003 07  2010/10/29 SalvoLtWorfTomaselli
- Xinetd is a replacement for inetd, which was the original Unix super-daemon used to start network services on demand. The reason for inetd goes back to days of low memory and poor memory management: you didn't want to keep a service running in memory if it was infrequently used. -
shc - shell script compiler   2005 09 
- Shell scripts are simple to create, but if a user has permission to execute the script, they also have permission to read it. There are ways to prevent that: -
How can I restrict who can login with ssh?   1997-2003  2010/06/27 anonymous
- How can I restrict who can login with ssh? -
SSH passphrases and keys   2005 02 
- You then need to put the public key (.ssh/id_dsa.pub by default) into the authorized_keys2 file on the server. Once that's done, if you attempt an ssh to the server, you'll be asked for your passphrase rather than the password of the user on the server. Here's the most important thing to understand at this point: The password at the server doesn't matter anymore. You could log into the server and change the password, and ssh is still going to let you in because of the public key and the passphrase you've provided. You could even edit (as root, of course) /etc/shadow on the server and put a * in the password field, which would mean that no password could EVER be used to login as that user, but you could still login as that user using ssh and your key files/passphrase. -
Understanding IPTABLES   2002 11  2011/08/31 BigDumbDInosaur
- Packet filtering is something I've always had a hard time getting my head around. Not the basics; that's easy enough. It's just the incredible level of detail, the difficulty of keeping it all in your head at once. -
Random Numbers   2003 09  2010/07/13 TonyLawrence
- Understanding Random Numbers. Until fairly recently, CPUs had no direct way to generate random numbers. Intel's Pentium III introduced a hardware random number generator that uses thermal noise "to generate high-quality random and nondeterministic numbers", but prior to that, systems that needed good random numbers had to rely on add-on boards or other external input. -
SquidGuard   2001 09 
- squidGuard works with Squid to block access to sites by domain, ip address or even keywords. -
sandbox-exec (Mac sandbox wrapper)   2007 12 
- sandbox-exec can protect you from unknown binaries -
Audit Logging   2007 03 
- Logging to meet regulatory compliance requirements -
Fortinet Firewall Transparent Mode   2007 04 
- Using Fortinet firewall in transparent mode -
SSH Login Attacks   2005 01 
- Failed password for illegal user [username]. -
SSH   2001 05 
- Standard Unix tools like telnet and ftp are not encrypted: everything you type, including your precious passwords, travels in packets that can at least potentially be seen by every machine they pass by or through. -
Fortinet Firewall Virtual IP's   2007 04 
- Using Fortinet firewall virtual IPs to forward services to internal machines. -
ProFTPd, wu-ftpd, and general ftp security   2004 12 
- FTP in general has a long and sad history of security problems. If you need to run an ftp server, you need to keep careful track of vulnerabilities and exploits that may make for a very unhappy da -
Basic TrueCrypt Usage   2010 01  2010/01/12 TonyLawrence
- People have said that they installed TrueCrypt, but have no idea what to do next. OK, maybe the interface isn't all that user friendly. -
Security Paranoia - restricting ssh access   2004 10 
- I had email from someone today whose system was hacked, apparently by a dictionary attack over ssh. There is no reason to let that happen to you. -
Prevent deletion or moving of files   2009 10 
- You need to let users create files in a common directory, but you don't want them to be able to delete other's files. Or you've put certain files, directories or symlinks into a user's home directory and don't want them to be able to mess with any of those. What can you do? -
Domain or not?   2005 11 
- Domain or not? Computer networks are often just automatically set up without much thought: if it's a business, it's set up as a domain, if it's home, it's not. Often nobody even asks the owners of the computers what they might want or bothers to discuss the advantages and disadvantages. If it's business, the users authenticate to a domain, if it's home, they don't. -
Protect your Laptop with TrueCrypt   2009 08 
- Truly affordable hard drive, laptop and USB Drive encryption software for your business critical data -
ssh forwarding   2006 06 
- Unconfusing ssh forwarding -
Encryption Problem   2006 07 
- Mac OS X command line encryption: "Well, you did me in good this time. Or maybe I did myself in, I don't know. Either way, I'm poached." That's a heck of a way to start a conversation, especially at 7:00 AM on a crackly cell phone. I recognized the voice, though. Long time customer, recent convert to Mac OS X. -
opensnoop (Mac file open watcher)   2007 12 
- opensnoop is powerful stuff, but it's easy to misuse. There is a large pile of pre-made DTrace scripts available on Mac OS X Leopard. -
SSH_CLIENT, SSH_CONNECTION (OpenSSH Variables)   2005 05 
- 2005/05/31 SSH_CLIENT, SSH_CONNECTION (OpenSSH Variables) -
VMware Player   2005 10 
- VMware Player -
blacklist unwanted ip addresses   2005 05 
- blacklist unwanted ip addresses -
Web site IP filtering   2005 11 
- Web site IP filtering - filter traffic by country of origin -
Caller ID Manipulation   2006 03 
- False caller identification is more serious than pranks. It facilitates fraud and can be potentially used for more sinister practices. -
GIAC Enterprises Goes Cyber!   2002 10 
- With this in mind, GIAC Enterprises will make every concerted effort to follow a best practices policy, in regards to its network topology. Because we have a tight budget to work with, we will have to become very creative in our schemes, but not our methods. -
GIAC Enterprises Goes Cyber!   2002 10 
- GIAC Enterprises Goes Cyber! -
Tor Bundle for Mac OS X   2009 03  2011/02/04 TonyLawrence
- Bundles Tor, Vidalia (a Tor GUI), Torbutton (a Firefox tool to control your use of Tor), and Privoxy (a filtering web proxy) into one package, with everything ready to work together. -
Lan sniffing with a DualComm port mirroring switch and Windump   2010 01  2010/01/23 TonyLawrence
- Using a DualComm port mirroring switch and Windump -
Telnetting to a port other than 23   2001 03 
- A quick check proved I could telnet to either router. What I really wanted to do though, was to have the remote site telnet to the SCO system at the local site. Since I also wanted to be able to have the DSL providers telnet to the routers for maintenance, port 23 (telnet) was unavailable to me. -
Privileged Account Management   2008 08 
- How organizations establish Privileged Account Management. -
Preventing DDOS attacks   2006 03 
- Managing DDOS attack -
John the Ripper: Tech Words the Day   2005 03 
- This is a tool for administrators to test for weak passwords - no non-administrative user should be able to read the hashed passwords at all -
Some common Unix network ports on my server and what they mean   2003 08 
- One of the rules of thumb for system security is to turn off the ports you don't need. It had never really concerned me, as my Unix box is behind a router and the router doesn't forward any ports except for a couple I have specifically allowed. -
Spamassassin on Mac OS X   2003 03 
- Spamassassin on Mac OS X -
DSL and Cable Modem Security with SSH   2000 02 
- DSL and Cable Modem Security -


More Security articles