Security

convert security.fdb to security2.fdb in firebird

I have to migrate from Firebird 1.5 to 2.0, and of course that meant migrating the databases too. As /opt/firebird/upgrade/security_database.txt says, the old security.fdb is not compatible:

You can’t use pre-2.0 security database in firebird 2.0 or higher directly.
If you try to put old security.fdb into firebird’s new home directory with
new (security2.fdb) name, you will get a message - cannot attach to password
database. That’s OK and is by design. In order to be able to use old database,
you must run appropriate upgrade script - security_database.sql. To do so:
1. Put your old security database in some place known to you (not the new home directory). Always have a copy of it!
2. Start firebird using its new, native security2.fdb.
3. Convert your old security database to ODS11 (i.e. backup and restore it using gbak from firebird 2.0). Without this step you will get failure running security_database.sql!
4. Connect to restored database as SYSDBA and run the script.
5. Stop firebird.
6. Copy upgraded database to firebird’s home directory (as security2.fdb).
7. Start firebird.

But point 3 is not explained, so… let’s rock…

To be sure: change the password of the native security2.fdb to the same one your SYSDBA had in the previous Firebird version, and check that Firebird is running!

# /opt/firebird/bin/changeDBAPassword.sh
Please enter current password for SYSDBA user: oldpassword
Please enter new password for SYSDBA user: masterkey

STEP 1 (back up security.fdb with gbak):

# /opt/firebird/bin/gbak -user SYSDBA -password masterkey /opt/firebird/security.fdb /opt/firebird/security.fbk

If you get the following error, you have to chown security.fdb to the firebird user:

gbak: ERROR:I/O error for file "/opt/firebird/security.fdb"
gbak: ERROR:    Error while trying to open file
gbak: ERROR:    Permission denied
gbak:Exiting before completion due to errors

STEP 2 (restore the database):

# /opt/firebird/bin/gbak -rep -user SYSDBA -password masterkey /opt/firebird/security.fbk /opt/firebird/security.fdb

STEP 3 (database conversion):

# /opt/firebird/bin/isql -user SYSDBA -password masterkey -i /opt/firebird/upgrade/security_database.sql /opt/firebird/security.fdb

STEP 4 (stop Firebird):

# service firebird stop

STEP 5 (overwrite the native security2.fdb with the upgraded database):

# cp /opt/firebird/security.fdb /opt/firebird/security2.fdb

that’s all… simple :) don’t you think so? :)
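The same procedure as one fail-fast script, added here as an example (not from the post or the Firebird upgrade notes); it restores into a scratch directory rather than over the original, and FB_HOME, FB_USER, WORK, DRY_RUN and the function names are assumed:

```shell
#!/bin/sh
# Added example, not from the original post: the security.fdb -> security2.fdb
# upgrade above as one fail-fast script. Paths are the post's; FB_HOME, FB_USER,
# WORK and DRY_RUN are assumed names. DRY_RUN=1 only prints the plan.
FB_HOME=${FB_HOME:-/opt/firebird}
FB_USER=${FB_USER:-firebird}
WORK=${WORK:-/var/tmp/fb-upgrade}
DRY_RUN=${DRY_RUN:-0}

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; return 0; fi
    "$@"
}

# gbak opens the database file as the server user; a different owner gives the
# "Permission denied" error quoted above. Returns 1 if the owner differs.
owned_by() {
    [ "$(ls -ld "$1" 2>/dev/null | awk '{print $3}')" = "$2" ]
}

# Steps 1-7 of security_database.txt: keep a copy, backup/restore to ODS11,
# run the upgrade script, stop, install as security2.fdb, start again.
upgrade_security_db() {
    old=$1    # old security.fdb, already moved out of the new home directory
    pass=$2   # SYSDBA password (the post sets the native one to match the old)
    [ -f "$old" ] || { echo "no such file: $old" >&2; return 1; }
    run mkdir -p "$WORK" || return 1
    run cp -p "$old" "$WORK/security.orig.fdb" || return 1   # always keep a copy
    if [ "$DRY_RUN" != 1 ] && ! owned_by "$old" "$FB_USER"; then
        run chown "$FB_USER" "$old" || return 1
    fi
    run "$FB_HOME/bin/gbak" -b -user SYSDBA -password "$pass" \
        "$old" "$WORK/security.fbk" || return 1
    run "$FB_HOME/bin/gbak" -rep -user SYSDBA -password "$pass" \
        "$WORK/security.fbk" "$WORK/security.fdb" || return 1
    run "$FB_HOME/bin/isql" -user SYSDBA -password "$pass" \
        -i "$FB_HOME/upgrade/security_database.sql" "$WORK/security.fdb" || return 1
    run service firebird stop || return 1
    run cp -p "$FB_HOME/security2.fdb" "$WORK/security2.native.fdb"  # keep the native one too
    run cp "$WORK/security.fdb" "$FB_HOME/security2.fdb" || return 1
    run chown "$FB_USER" "$FB_HOME/security2.fdb" || return 1
    run service firebird start
}
```

Run it once with DRY_RUN=1 to see the exact commands before touching the server.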

Friday, November 14th, 2008 Linux, Security

e-mail delivery can’t be guaranteed

One of my business partners has something like this in his disclaimer:

Messages sent to and from CompanyName may be monitored to ensure compliance with internal policies and to protect our business. Emails are not secure and cannot be guaranteed to be error free. Anyone who communicates with us by email is taken to accept these risks.

In my opinion this is a perfect description of the whole mail system based on the POP3 and SMTP protocols. It is as rickety as the whole Internet (whose “to be or not to be” rests on 13 global root nameservers). The main problem is that it was invented at a time when security was not a consideration.

Of course we have TLS/SSL in mail communication, but we cannot force the other server to use it, because of compatibility and the risk of losing some mail.

No provider can guarantee email delivery. ISPs have different rules about spam detection based on content, subject and how many of their users report emails as spam. The best way to make sure that your specific survey invitation is not blocked as spam is to pre-test it with free email addresses from Hotmail, Yahoo etc. But as I said, WITH NO GUARANTEE :)

The next problem is that we cannot be sure that the person who sends us an e-mail is a real person and not a robot or something. Yes, there is SPF, but enforcing it like TLS/SSL can cause serious delivery problems. And as you can read here, SPF in its simplicity is vulnerable too… which is not good news.

Wednesday, October 22nd, 2008 Security, considers

signature verification failed - PLD Linux

For some time I have had this warning:

poldek:/all-avail> upgrade pam-*
Processing dependencies…
pam-0.80.1-14.i686 obsoleted by pam-0.80.1-17.i686
pam-libs-0.80.1-14.i686 obsoleted by pam-libs-0.80.1-17.i686
There are 2 packages to install, 2 to remove:
I pam-0.80.1-17.i686, pam-libs-0.80.1-17.i686
R pam-0.80.1-14.i686, pam-libs-0.80.1-14.i686
Need to get 520.9KB of archives (520.9KB to download).
After unpacking 1.3MB will be used.
Retrieving ac-updates::pam-libs-0.80.1-17.i686.rpm…
………………………… 100.0% [139.9K (99.0K/s)]
Retrieving ac-updates::pam-0.80.1-17.i686.rpm…
………………………… 100.0% [381.0K (230.0K/s)]
error: pam-libs-0.80.1-17: signature verification failed
error: pam-0.80.1-17: signature verification failed
There were signature verification errors. Proceed? [N/y]

and I would finally love to clean it up!

But when I tried to do (following the PLD docs!!!):

rpm --import ftp://ftp.pld-linux.org/dists/2.0/PLD-2.0-Ac-GPG-key.asc

I got:

error: ftp://ftp.pld-linux.org/dists/2.0/PLD-2.0-Ac-GPG-key.asc: import read failed(-1).

So if you are scared of a “man in the middle”, just do this:

wget -q ftp://ftp.pld-linux.org/dists/2.0/PLD-2.0-Ac-GPG-key.asc
rpm --import PLD-2.0-Ac-GPG-key.asc

best regards!
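As an added example (not from the post), the same download-then-import, but with the key file's SHA-256 digest pinned against a value obtained out of band, so a substituted file is refused before rpm ever sees it; KEY_URL is the post's, EXPECTED_DIGEST is a placeholder and the function names are assumed:

```shell
#!/bin/sh
# Added example, not from the original post: fetch the PLD key over FTP as above,
# but refuse to rpm --import it unless its SHA-256 digest matches one obtained
# out of band (a trusted install, the PLD site over HTTPS, a keyserver).
# EXPECTED_DIGEST is a placeholder, not the real key's digest.
KEY_URL=ftp://ftp.pld-linux.org/dists/2.0/PLD-2.0-Ac-GPG-key.asc
EXPECTED_DIGEST=0000000000000000000000000000000000000000000000000000000000000000

# Print the SHA-256 of a file; coreutils sha256sum or, failing that, shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file's digest equals the expected one (case-insensitive).
digest_matches() {
    got=$(sha256_of "$1" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# wget the key, verify it, then import from the local file (the post's method
# plus the check). Returns non-zero and imports nothing on any mismatch.
import_pinned_key() {                    # $1 = URL, $2 = expected digest
    tmp=$(mktemp) || return 1
    wget -q -O "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    if ! digest_matches "$tmp" "$2"; then
        echo "refusing to import $1: digest mismatch" >&2
        rm -f "$tmp"; return 1
    fi
    rpm --import "$tmp"; rc=$?
    rm -f "$tmp"; return $rc
}
```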

Thursday, August 14th, 2008 Linux, Security

uninstall BitDefender - horrible

I’m testing some antivirus software (to compare performance and quality); the first was BitDefender. I read some tests, and it has very good rankings. In my opinion it has some problems with Windows XP SP3, but now I noticed another problem.

I uninstalled the whole of BitDefender (with Add/Remove Programs, then restarted my machine) and tried to install ESET NOD32. But NOD found that I still have BitDefender installed. Why?

First, the registry. Deleted keys:

HKEY_CURRENT_USER\Software\BitDefender
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\BitDefender 2008

and these values under HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache:

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe

and finally:

HKEY_LOCAL_MACHINE\SOFTWARE\BitDefender

It worked :)

Thursday, August 7th, 2008 Security, Tips, windows

openvpn configuration, some problems with understanding certs

I had some problems understanding the certificate side of things… but I found a rather clear howto on the OpenVPN site:

Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients.

The next tip, for much more security in OpenVPN, is setting:

server side:

tls-auth /path/to/ta.key 0

client side:

tls-auth /path/to/ta.key 1

First you should generate this ta.key file by:

openvpn --genkey --secret ta.key

and maybe replace the default Blowfish algorithm (128-bit) with 256-bit AES by adding:

cipher AES-256-CBC
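A small consistency check for the pair of settings above, added as an example (not from the post or from OpenVPN): it reads the tls-auth direction and the cipher from a server and a client config and flags the classic mismatches (same direction on both sides, different ciphers); the function names are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: check that a server and a client
# OpenVPN config carry complementary tls-auth key directions (0 on the server,
# 1 on the client) and the same data-channel cipher. Directive names are
# OpenVPN's; the function names are assumed.

# Key direction: the third field of "tls-auth <file> <dir>", or the value of a
# separate "key-direction" line (OpenVPN also accepts that form); empty if none.
tls_auth_direction() {
    awk '
        $1 == "tls-auth" && NF >= 3 { dir = $3 }
        $1 == "key-direction"       { dir = $2 }
        END { print dir }' "$1"
}

# Data-channel cipher, e.g. AES-256-CBC; empty means OpenVPN's default (BF-CBC).
cipher_of() {
    awk '$1 == "cipher" { c = $2 } END { print c }' "$1"
}

# Returns 0 if the pair is consistent; reports the first problem found otherwise.
check_tls_auth_pair() {                  # $1 = server config, $2 = client config
    sdir=$(tls_auth_direction "$1"); cdir=$(tls_auth_direction "$2")
    [ "$sdir" = 0 ] || { echo "server: tls-auth direction is '$sdir', expected 0" >&2; return 1; }
    [ "$cdir" = 1 ] || { echo "client: tls-auth direction is '$cdir', expected 1" >&2; return 1; }
    scipher=$(cipher_of "$1"); ccipher=$(cipher_of "$2")
    [ "$scipher" = "$ccipher" ] || { echo "cipher mismatch: server '$scipher', client '$ccipher'" >&2; return 1; }
    [ -n "$scipher" ] || echo "warning: no cipher set, OpenVPN default (BF-CBC) in use" >&2
    return 0
}
```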

Tuesday, August 5th, 2008 Linux, Security, Tips

security model in polish companies

How the security model looks under Polish conditions; God save us, but sometimes it is like this:

security model

By Clay Bennett

and how simple it should be:

true security model

by White Gold Solutions

Sunday, June 15th, 2008 Security, considers

files with no valid users

Today’s tip:

Sometimes after migrations, reinstalls or the like, or even in backup locations, you have files owned by a user that is not valid on the current system. This is a rather serious security issue (on multiuser systems), so you may want to find every file whose owner cannot be found in /etc/passwd. How?

find / -nouser > no_no_valid_user

:)

Sunday, June 1st, 2008 Linux, Security, Tips, cribs

glsa-check… security in Gentoo

What glsa-check is, you can find here: http://gentoo-wiki.com/Glsa-check

Why use it? Because it shows every possible security hole caused by outdated software. Since the output of glsa-check is rather chatty, my own grep method looks like this:

glsa-check -d affected | grep -e "Affected package"

Sunday, June 1st, 2008 Linux, Security, Tips, considers

some apache performance issues

I had some problems with Apache… PHP was very, very slow. The system is Gentoo Linux with the hardened profile, so x0ff and I believed that this was the main reason for the poor Apache performance. But recompiling PHP without the “-pic” flag had no effect.

After running:

# ab -c 100 -n 10000 http://localhost/test.php

Benchmarking localhost (be patient)
Completed 1000 requests
apr_socket_recv: Connection reset by peer (104)
Total of 1810 requests completed

and in the Apache log:

[Fri May 30 19:40:54 2008] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 81
[Fri May 30 19:40:54 2008] [alert] Child 16566 returned a Fatal error… Apache is exiting!
[Fri May 30 19:40:54 2008] [emerg] (22)Invalid argument: couldn’t grab the accept mutex

So… it is not a performance problem, because only 1810 requests were completed.

Because the system is hardened, I have a lot of limits in /etc/security/limits.conf. I was not sure whether Apache uses these values (because they are tied to PAM!!!!), but it does ;(

http://bugs.gentoo.org/show_bug.cgi?id=64700

So the way to make it work was adding this line to /etc/init.d/apache2:

ulimit -u unlimited

The whole start section now looks like this:

start() {
    checkconfig || return 1
    ebegin "Starting apache2"
    [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
    ulimit -u unlimited
    ${APACHE2} ${APACHE2_OPTS} -k start
    eend $?
}
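As an added example (not the post's init script), a variant that bounds the apache user's process count from the prefork MaxClients/ServerLimit values instead of lifting the limit entirely, so the limits.conf intent survives; APACHE_CONF, MARGIN and the function names are assumed, and the limit is still applied with ulimit -u as above.

```shell
#!/bin/sh
# Added example, not from the post's init script: instead of "ulimit -u unlimited",
# derive a process bound for the apache user from the prefork MaxClients (or
# ServerLimit) directive, plus a margin for the parent, CGI and helper processes.
# APACHE_CONF, MARGIN and the function names are assumed; the defaults are constructed.
APACHE_CONF=${APACHE_CONF:-/etc/apache2/httpd.conf}
MARGIN=${MARGIN:-64}

# Largest numeric value of a directive in one config file, ignoring comment lines;
# prints nothing if the directive is absent. Files pulled in via Include are not followed.
directive_max() {                        # $1 = directive name, $2 = config file
    awk -v name="$1" '
        BEGIN { max = -1 }
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(name) && $2 ~ /^[0-9]+$/ && $2 + 0 > max { max = $2 + 0 }
        END { if (max >= 0) print max }' "$2"
}

# nproc to give the apache user: max(MaxClients, ServerLimit) + MARGIN.
apache_nproc() {                         # $1 = config file
    m=$(directive_max MaxClients "$1")
    s=$(directive_max ServerLimit "$1")
    [ -n "$m" ] || [ -n "$s" ] || { echo "no MaxClients/ServerLimit in $1" >&2; return 1; }
    n=${m:-0}
    [ "${s:-0}" -gt "$n" ] && n=$s
    echo $((n + MARGIN))
}

# What start() would run in place of "ulimit -u unlimited": a bounded limit,
# and a refusal to start with an unknown one.
apply_limit() {                          # $1 = config file
    n=$(apache_nproc "$1") || return 1
    ulimit -u "$n"
}
```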

To be sure that everything works fine I did the ab test one more time (with pic enabled).

# ab -c 100 -n 10000 http://localhost/test.php
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Finished 10000 requests

Server Software: Apache
Server Hostname: localhost
Server Port: 80

Document Path: /test.php
Document Length: 45361 bytes

Concurrency Level: 100
Time taken for tests: 48.260264 seconds
Complete requests: 10000
Failed requests: 100
(Connect: 0, Length: 100, Exceptions: 0)
Write errors: 0
Total transferred: 455159500 bytes
HTML transferred: 453609500 bytes
Requests per second: 207.21 [#/sec] (mean)
Time per request: 482.603 [ms] (mean)
Time per request: 4.826 [ms] (mean, across all concurrent requests)
Transfer rate: 9210.29 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 13 46.3 0 361
Processing: 9 466 200.4 472 4058
Waiting: 1 422 101.7 458 756
Total: 20 479 194.3 475 4058

Percentage of the requests served within a certain time (ms)
50% 475
66% 486
75% 498
80% 509
90% 546
95% 616
98% 708
99% 860
100% 4058 (longest request)

Without “pic” enabled I got:

Requests per second: 234.96 [#/sec] (mean)

So there is no big difference.

The test.php script consists of:

<?php
phpinfo();
?>

Niggle: note that there is no security problem with no limit; Apache has its own internal limiting functions.

Friday, May 30th, 2008 Linux, Security, Tips, considers

KB949031 and Office 2007 with SP1

Hmm… today I was reviewing the installed updates in my Windows Vista… and I noticed that I have both SP1 for my Microsoft Office Enterprise 2007 and the KB949031 update. SP1 was installed earlier than the critical security update that allows remote code execution in Outlook, so… why does Microsoft distribute this patch even if Office 2007 SP1 is not affected by THIS critical vulnerability?

Maybe because it is Microsoft? :)

Friday, May 16th, 2008 Security, considers, vista, windows