Showing posts with label security. Show all posts
Showing posts with label security. Show all posts

Thursday, December 28, 2023

Mastering Packet Analysis with Tcpdump - Packet Analysing.

Tcpdump is a powerful command-line packet analyzer tool used for network troubleshooting and analysis. It allows the user to intercept and display the packets transmitted or received over a network to which the computer is attached. In this guide, we'll explore how to use tcpdump for various purposes, including capturing packets, filtering traffic, and analyzing packet content.

1. Display Available Interfaces:

To see a list of available network interfaces on your system:

tcpdump -D

2. Capture Packets from a Specific Interface:

To start capturing packets from a specific interface (e.g., venet0):

tcpdump -i venet0

3. Capture Only N Number of Packets:

To limit the capture to a specific number of packets (e.g., 2 packets):

tcpdump -c 2 -i venet0

4. Print Captured Packets in ASCII:

To view the captured packets in ASCII format:

tcpdump -c 2 -A -i venet0

5. Display Captured Packets in HEX and ASCII:

To view the packet's contents in both HEX and ASCII formats:

tcpdump -c 2 -XX -i venet0

Advanced Packet Capturing

6. Capture and Save Packets in a File:

To capture packets and save them to a file for later analysis:

tcpdump -w capture.pcap -i venet0 -c 2

7. Read Captured Packets from a File:

To read packets from a previously saved file:

tcpdump -r capture.pcap

8. Capture Packets from a Specific IP Address:

To capture packets involving a particular IP address:

tcpdump -n -i venet0 -c 2 src

9. Capture Only TCP Packets:

To capture only TCP packets:

tcpdump tcp -n -i venet0 -c 2

10. Capture Packets from a Specific Port:

To capture packets from a particular port (e.g., SSH port 22):

tcpdump -i venet0 -c 2 port 22

Filtering and Analyzing Traffic

11. Capture Packets with a Readable Timestamp:

To capture packets with a more readable timestamp:

tcpdump -i venet0 -c 2 -tttt

12. Read Packets Longer than N Bytes:

To capture and read packets longer than a certain size (e.g., 10 bytes):

tcpdump -i venet0 greater 10 -c 2

13. Filter Packets – Exclude ARP and RARP:

To capture all packets other than ARP and RARP:

tcpdump -i venet0 not arp and not rarp -c 2


Tcpdump is an incredibly versatile tool that can be used for a wide range of network analysis tasks. By understanding how to use its various options and filters, you can diagnose network issues, monitor traffic in real-time, and perform in-depth protocol analysis. Remember, while tcpdump can capture sensitive data, it should be used responsibly and ethically. Happy analyzing!

Thursday, March 12, 2015

Google Two-Factor Authentication on Linux Server

The Google Authenticator is an open-source module that includes implementations of one-time passcodes (TOTP) verification token developed by Google. It supports several mobile platforms, as well as PAM (Pluggable Authentication Module). These one-time passcodes are generated using open standards created by the OATH (Initiative for Open Authentication).

Install the needed packages
yum install pam-devel make gcc-c++ wget bzip*

cd /root
tar -xvf libpam-google-authenticator-1.0-source.tar.bz2

cd libpam-google-authenticator-1.0
make install

Do you want authentication tokens to be time-based (y/n) y

Your new secret key is: FGHLERMHLCISCSU6
Your verification code is 485035
Your emergency scratch codes are:

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Configuring SSH to use Google Authenticator Module
Open the PAM configuration file ‘/etc/pam.d/sshd‘ and add the following line to the top of the file.

auth       required
Next, open the SSH configuration file ‘/etc/ssh/sshd_config‘ and scroll for fine the line that says.

ChallengeResponseAuthentication no
Change it to “yes“. So, it becomes like this.

ChallengeResponseAuthentication yes
Finally, restart SSH service to take new changes.

# systemctl restart sshd

Install the Google Authentication Application on the you mobile app or make use of the firefox addoon GAuth Authenticator .Below we show how the Gauth Application is used in Android Phones.

Once we enter the secret key in above setting we will get the verfificatuion code as below, which will be changing in very so and so period.

Login to the Server using Google Authentication
[root@localhost ~]# ssh
Password: <<User Password
Verification code: <<The Code which we get from the Phone
Last failed login: Fri Mar 13 04:49:59 UTC 2015 from on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Fri Mar 13 04:48:35 2015 from
[root@server ~]#

Important: The two-factor authentication works with password based SSH login. If you are using any private/public key SSH session, it will ignore two-factor authentication and log you in directly.

Thursday, October 16, 2014

Poodle-SSLv3 Vulnerability

A vulnerability in SSLv3 encryption protocol was disclosed. This vulnerability, known as  POODLE (Padding Oracle On Downgraded Legacy Encryption), allows an attacker to read information encrypted with this version of the protocol in plain text using a man-in-the-middle attack.

Although SSLv3 is an older version of the protocol which is mainly obsolete, many pieces of software still fall back on SSLv3 if better encryption options are not available. More importantly, it is possible for an attacker to force SSLv3 connections if it is an available alternative for both participants attempting a connection

How to test for SSL POODLE vulnerability?
$ openssl s_client -connect -ssl3
If there is a handshake failure then the server is not supporting SSLv3 and it is secure from this vulnerability. Otherwise it is required to disable SSLv3 support.

The POODLE vulnerability exists because the SSLv3 protocol does not adequately check the padding bytes that are sent with encrypted messages.

Since these cannot be verified by the receiving party, an attacker can replace these and pass them on to the intended destination. When done in a specific way, the modified payload will potentially be accepted by the recipient without complaint.

The POODLE vulnerability does not represent an implementation problem and is an inherent issue with the entire protocol, there is no workaround and the only reliable solution is to not use it.

In nginx configuration, just after the "ssl on;" line, add the following to allow only TLS protocols:

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

Apache Web Server

Inside /etc/httpd/conf.d/ssl.conf or httpd.conf you can find the SSLProtocol directive. If this is not available, create it. Modify this to explicitly remove support for SSLv3:

SSLProtocol all -SSLv3 -SSLv2

To disable SSLv3 in an HAProxy load balancer, you will need to open the haproxy.cfg file.

sudo nano /etc/haproxy/haproxy.cfg
frontend name
    bind public_ip:443 ssl crt /path/to/certs no-sslv3


In Postfix conf /etc/postfix/ add.
smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3

In Dovecot

sudo nano /etc/dovecot/conf.d/10-ssl.conf
ssl_protocols = !SSLv3 !SSLv2


Edit @ $TOMCAT_HOME/conf/server.xml.

Tomcat 5 and 6:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" />
Tomcat >= 7

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

Thursday, May 8, 2014

Tcp Wrapper's Security

TCP wrapper based access List Rules can be included in the two files
/etc/hosts.allow and
/etc/hosts.deny .

Work precedence:

if allow will not check 2
if not found then go to 2
/etc/hosts.deny .
if not found allow access.

Points to remember

You can have only one rule per service in hosts.allow and hosts.deny file.
Any changes to hosts.allow and hosts.deny file takes immediate effect.
The last line in the files hosts.allow and hosts.deny must be a new line character. Or else the rule will fail.

in.telnetd : : deny
in.telnetd : : allow

Friday, April 11, 2014

Mod-Security Installing Along with - Open Source Rules

Installing the Mod Security.

## For RHEL/CentOS 6.2/6.1/6/5.8 ##

Installing needed Modules

yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel\

Installing the Mod-Security

## For RHEL/CentOS 6.2/6.1/6/5.8 ##
cd /usr/src
tar xzf modsecurity-apache_2.6.6.tar.gz
cd modsecurity-apache_2.6.6
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Adding the Mod-security Module to the Apache

# vi /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/
LoadModule security2_module modules/

[root@54 modsecurity-apache_2.6.6]# httpd -t -D DUMP_MODULES |grep sec
security2_module (shared)
Syntax OK
[root@54 modsecurity-apache_2.6.6]#

<IfModule security2_module>
Include conf.d/modsecurity.conf


Adding new Mod-Security Rules ..

OWASP core rule set

tar zxvf modsecurity-crs_2.2.5.tar.gz
mv modsecurity-crs_2.2.5 modsecurity-crs

mv modsecurity-crs /etc/httpd/conf.d/

Adding the rules to httpd

<IfModule security2_module>
Include conf.d/modsecurity.conf
Include conf.d/modsecurity-crs/activated_rules/*.conf
Include conf.d/modsecurity-crs/base_rules/*.conf
Include conf.d/modsecurity-crs/optional_rules/*.conf
Include conf.d/modsecurity-crs/slr_rules/*.conf

More rules are available at
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz

Now the Mod Security is in the detect mode . once we are set we need to move it to on mode

[root@54 conf]# cat /etc/httpd/conf.d/modsecurity.conf |grep SecRuleEngine -i

SecRuleEngine DetectionOnly

# when SecRuleEngine is set to DetectionOnly mode in order to minimize

[root@54 conf]#

Change to

SecRuleEngine on