Welcome Guest ( Log In | Register )


Profile
Personal Photo
Rating
 
Options
Options
Personal Statement
gpanagou doesn't have a personal statement currently.
Personal Info
gpanagou
Member
Age Unknown
Gender Not Set
Location Unknown
Birthday Unknown
Interests
No Information
Other Information
Source of interest: from a friend who is already member
Zodiac: No Information
Gender: Not telling
Profile Music: No Information
Statistics
Joined: 5-September 14
Profile Views: 2630*
Last Seen: 13th April 2020 - 09:24 PM
Local Time: 19 Mar 2024, 02:42 PM
40 posts (0 per day)
Contact Information
AIM No Information
Yahoo No Information
ICQ No Information
MSN No Information
* Profile views updated each hour

gpanagou

Members


Topics
Posts
Recipes
Tutorials
Arcade
Blog
Files
Comments
Friends
My Content
1 Mar 2016

Background Information

A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA cipher text without the knowledge of the matching private RSA key. This can be done by observing responses from a server that has the private key and performs the decryption of attacker-provided cipher texts using that key. The researchers also demonstrated a new cross-protocol attack which allows decryption of SSL/TLS sessions using newer protocol versions - SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2) - using this SSLv2 weakness. This flaw is a SSLv2 protocol issue and affects all implementations of the protocol. Researchers refer to this attack as general DROWN.
Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library, which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 and CVE-2016-0704 , and were already recently corrected as part of the fix for CVE-2015-0293 .
Further details of this attack can be found in the researchers' paper titled DROWN: Breaking TLS using SSLv2 at https://drownattack.com/

Impact to systems

A server is vulnerable to the DROWN attack if it enables SSLv2 protocol in addition to SSLv3 or TLSv1.x, and if it uses RSA key exchange cipher suites. Server that does not enable SSLv2 can also be vulnerable if it does not enable SSLv2, but shares its private RSA key with another server. For example, DROWN attack can still be used to decrypt HTTPS sessions to a web server that does not enable SSLv2 if it shares its RSA key with e.g. IMAP server, possibly running on the same host, that does enable SSLv2. Use of weak or export SSLv2 ciphers is required to efficiently perform the attack.
SSL/TLS connections using non-RSA key exchange, such as Diffie-Hellman or Elliptic Curve Diffie-Hellman, can not be decrypted using the DROWN attack. 



What configurations are vulnerable to this attack?

  • TLS servers which support SSLv2 are vulnerable. Most daemons capable of communication over TLS in Red Hat Enterprise Linux are linked against the OpenSSL cryptographic library. OpenSSL removed support for SSLv2 cipher suites in openssl-1.0.0. Red Hat Enterprise Linux 6 and 7 ship openssl-1.0.1e and they contain this patch. However it was found that OpenSSL servers do not respect the cipher suites advertised in the ServerHello handshake message, which could result in export SSLv2 cipher suites being used even if they were explicitly disabled. Also, the SSLv2 protocol itself was enabled. The flaw was assigned CVE-2015-3197 and is being fixed by the security advisories listed in the Resolution section below.
  • The NSS (Network Security Services) library available in Red Hat Enterprise Linux does not enable SSLv2 by default.
  • Services which do not use SSLv2 , but share their RSA keys with those services which have SSLv2 support, are also vulnerable.
  • This attack can only be conducted if RSA cipher suites for key exchange are enabled on the server. Other asymmetric protocols like DHKE and ECC are not vulnerable.
  • Lastly, the attack can be conducted in real time for OpenSSL servers which are vulnerable to CVE-2015-0293 . This security flaw has been previously addressed by RHSA-2015:0800 for Red Hat Enterprise Linux 5, RHSA-2015:0715 for Red Hat Enterprise Linux 6 and RHSA-2015:0716 for Red Hat Enterprise Linux 7. This attack, which combines the SSLv2 protocol flaw and the OpenSSL implementation flaw, is dubbed as Special DROWN.

    Take Action

    Imediately apply available patches to remediate the issue. Rebooting the system after updating is the safest way to ensure all affected services use the updated ssl library. If a reboot is not possible, restarting all network services that depend on openssl after applying the patches is required.

    Diagnose

    To manually detect if a system is vulnerable, please use the script below:

    DROWN-test.sh (script version 1.0)

    Usage

    $ chmod +x DROWN-test.sh
    $ ./DROWN-test.sh

    If the installed version of openssl is vulnerable, you will see output similar to:

    WARNING: The installed version of openssl (openssl-1.0.1e-42.el7) is vulnerable to both general and special DROWN attack and should be upgraded!
    See https://access.redhat.com/security/vulnerabilities/drown for more information.





View the full article
2 Sep 2015
QUOTE
Call of Duty Modern Warfare 3 smashes entertainment launch recordsCall of Duty: Modern Warfare 3 sells more than 6.5m copies within 24 hours of its launch, earning an estimated $400m in sales
As a Linux system admin we generally face low disk space issues. By implementing the user and group disk quota on the file system we can resolve the space issue.
Quota restricts the users to use only allowed disk and inodes on the particular file system. In this post we will discuss how to enable user & group disk quota on /home File system on CentOS 7 & RHEL 7
 

Step:1 Add usrquota & grpquota option on /home in /etc/fstab file.

[root@linuxtechi ~]# vi /etc/fstab




Save & exit the file.
In this example I have add user and group quota options on /home

Step:2 Remount  /home file system via  mount command

[root@linuxtechi ~]# mount -o remount /home

Now recheck the /home file system whether Quota is enable or not.

[root@linuxtechi ~]# mount | grep /home
/dev/mapper/centos-home on /home type ext4 (rw,relatime,seclabel,quota,usrquota,grpquota,data=ordered)

Step:3 Create Quota Database Files using quotacheck

[root@linuxtechi home]# quotacheck -cugv /home

Whereas :
-c : create quota file and dont use the existing file
-v : verbose ouput
-u : user disk quota
-g : group disk quota

Above Command will create aquota.user & aquota.group files under /home
Turn on quota on /home using below command :

[root@linuxtechi ~]# quotaon /home/

Step:4 Assign user & group disk quota via edquota commands

 
Syntax # edquota -u
# edquota -g

[root@linuxtechi ~]# edquota -u jack



 
[root@linuxtechi ~]# edquota -g sys_admin



As shown above we have two kind of Disk quota limits :
 
soft : It will warn the users if the soft limit of disk quota reached ( size is in KB), in above example for jack user soft limit is 5500 KB ( approx 5.5MB )
hard : It will not allow the users to create new files once the hard limit is reached. ( Size in KB ), in above example hard limit for jack user is 6000 KB ( approx 6 MB )
Note : We can also set the Quota on the basis of the inodes ( i.e numbers of files that the user can create on particular file system). Lets take an example , login as jack user and try to create a file of 8MB.

[root@linuxtechi ~]# su - jack

[jack@linuxtechi ~]$ dd if=/dev/zero of=bgfile bs=1M count=8
dm-2: warning, user block quota exceeded.
dm-2: write failed, user block limit reached.
dd: error writing bgfile: Disk quota exceeded
6+0 records in
5+0 records out
6144000 bytes (6.1 MB) copied, 0.00711317 s, 864 MB/s

As we see above soft & hard limit is exceeded for jack user. Now onwards user jack cant create new files. 
 

Step:5 Display Quota report for Users in human readable

 
[root@linuxtechi ~]# repquota -as

Step:6 Configure Grace Period for Soft Limit

 
Grace period is the amount of time during which soft limit can can be exceeded, once the grace period reached then soft limit will become the hard limit.
Use the edquota command to set Grace period .

[root@linuxtechi ~]# edquota -t





Source: http://www.linuxtechi.com/enable-user-group-disk-quota-on-centos-7-rhel-7/
View the full article
1 Sep 2015
NIC(Network Interface Card) bonding is also known as Network bonding. It can be defined as the aggregation or combination of multiple NIC  into a single bond interface. Its main purpose is to provide high availability and redundancy.
In this article we will learn how to configure nic or netwok bonding in CentOS 7 & RHEL 7. In my case I have two interface cards (enp0s3 & enp0s8) and will form a bond interface (bond0).

Prerequisite

If bonding module is not loaded on your linux box then use the below command to load.
 
If bonding module is not loaded on your linux box then use the below command to load.
 
[root@openstack ~]# modprobe bonding
 
To list the bonding module info, use following command.
 
[root@openstack ~]# modinfo bonding
 
Output will be something like below

Step:1 Create Bond Interface File

Create a bond interface file (ifcfg-bond0) under the folder “/etc/sysconfig/network-scripts/

[root@openstack network-scripts]# vi ifcfg-bond0
DEVICE=bond0
TYPE=Bond
NAME=bond0
BONDING_MASTER=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.70
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
BONDING_OPTS="mode=5 miimon=100"

Save & exit the file.
Specify the IP address, Netmask & bonding modes as per your requirement. In my example i am using mode=5′ which is used to provide fault tolerance and load balancing.

Step:2 Edit the NIC interface files



For ifcfg-enp0s3

[root@openstack ~]# vi /etc/sysconfig/network-scripts/ifcfg-enp0s3
TYPE=Ethernet
BOOTPROTO=none
DEVICE=enp0s3
ONBOOT=yes
HWADDR="08:00:27:69:60:c9"
MASTER=bond0
SLAVE=yes

For ifcfg-enp0s8

[root@openstack ~]# cat /etc/sysconfig/network-scripts/ifcfg-enp0s8
TYPE=Ethernet
BOOTPROTO=none
DEVICE=enp0s8
ONBOOT=yes
HWADDR="08:00:27:ea:71:8d"
MASTER=bond0
SLAVE=yes

 

Step:3 Restart the Network Service

Below command will restart the network service and will bring above changes into the effect.

[root@openstack ~]# systemctl restart network.service

 

Step:4 Test & Verify bond interface.

Use ifconfig & ip add command to check bond interface along with its slave interfaces.

ifconfig-bond

Use following command to view bond interface settings like bonding mode & slave interface.

[root@openstack ~]# cat /proc/net/bonding/bond0

bonding-settings

Step:5 Fault tolerance testing

To test the fault tolerance we can down one interface and check whether you are still able access the server.

[root@openstack ~]# ifdown enp0s8
Device 'enp0s8' successfully disconnected.
[root@openstack ~]#

fault-tolerance-bonding


Source: http://www.linuxtechi.com/configure-nic-bonding-in-centos-7-rhel-7/
View the full article
5 Feb 2015
QUOTE
Call of Duty Modern Warfare 3 smashes entertainment launch recordsCall of Duty: Modern Warfare 3 sells more than 6.5m copies within 24 hours of its launch, earning an estimated $400m in sales
I have had many people come to my blog looking how to install oVirt 3.5 software on the new CentOS 7. Much of this content is the same as my 3.4 post, but I thought I would keep it separate. Below are simple step by step instructions for installing the node and getting it configured for the hosted engine.

Installation Requirements

Please Note: Installing Hosted Engine on CentOS 7 requires oVirt 3.5.1
Please Note: Both the node and engine will be running CentOS 7 (Minimal Installation)
Please Note: Ensure the host is fully updated via “yum update” and rebooted before proceeding

Prerequisites

DNS
Ensure you have set up hostnames for the host and engine. If you do not have a DNS server configured and you are only testing oVirt on a single server, you can use /etc/hosts instead. I have the following:
Engine: Hostname: engine.xrsa.net, IP Address: 192.168.122.101/24
Host:
Hostname: ovirt01.xrsa.net, IP Address: 192.168.122.100/24
 
NFS
Ensure you have set up NFS mount points for the engine and virtual machines. If you do not have a shared NFS server and you are only testing oVirt, you can configure NFS locally on the host instead.
 

Verify you can see the correct mount points.




Installation

NTP
This not a requirement, but it is recommended that you keep your servers time in sync:


You may put your own NTP servers in /etc/ntp.conf if required.
Once you have verified DNS and NFS, install the required repositories and packages.


We will need an ISO for the hosted engine installation.


Now all the prerequisites are in place, verify DNS and then go through the hosted-engine wizard.


The hosted-engine wizard will give you VNC details so you can connect to the hosted engine virtual machine and install CentOS 7.
1
$ vncviewer -quality 2 ovirt01.xrsa.net:5900
Once installed choose option (1) on the hosted-engine wizard, it will wait until you have rebooted the hosted engine virtual machine. The wizard will give you another set of VNC details to connect to if you need it. However, if you configured networking during the install you should be able to SSH instead.
Once you have connected to the hosted engine, download the repositories, configure NTP and run through the ovirt-engine wizard. Please make sure the admin password matches up with the password set in the hosted-engine wizard.
Please note: Ensure DNS is configured properly so the engine can resolve itself and the host, else the installation will fail!
Please note: While in the engine setup wizard below ensure you put a proper ACL for the “NFS export ACL” option. If you do not you will not be able to activate the ISO_DOMAIN later.


Once finished go back to the hosted-engine wizard and finish off the installation by choosing option (1). It will ask you one final time for the hosted engine to be shutdown, wait a few minutes and it will come back up automatically.
After around a minute you can verify the state of the hosted engine virtual machine by using the following command:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
-----------
-[ Host ] -
-----------
# hosted-engine --vm-status
 
--== Host 1 status ==--
 
Status up-to-date                  : True
Hostname                           : ovirt01.xrsa.net
Host ID                            : 1
Engine status                      : {"reason": "bad vm status", "health": "bad", "vm": "up", "detail": "powering up"}
Score                              : 2400
Local maintenance                  : False
...
        host-id=1
        score=2400
        maintenance=False
        state=EngineStarting
#
 
Please wait for around five / ten minutes for the hosted engine virtual
machine to come back up properly.
 
# hosted-engine --vm-status
 
--== Host 1 status ==--
 
Status up-to-date                  : True
Hostname                           : ovirt01.xrsa.net
Host ID                            : 1
Engine status                      : {"health": "good", "vm": "up", "detail": "up"}
Score                              : 2400
Local maintenance                  : False
...
        host-id=1
        score=2400
        maintenance=False
        state=EngineUp
#


Data Domain and ISO_Domain Setup

Before you can create virtual machines in oVirt you need to create a Data Domain and ensure the ISO_DOMAIN is attached to the Default cluster.
Navigate to https://engine.xrsa.net and login with admin.
Create a new Data / NFS Domain by going to “System -> Storage -> New Domain”:

ovirt_create_datadomain

You must wait until the NFS01 Data Domain is in an active state.

ovirt_datadomain_active

Once activated attach the ISO_DOMAIN to the Default Data Center:

ISO_DOMAIN_attach

Please note: If you are having issues attaching ISO_DOMAIN to the cluster you might have forgot to add a proper ACL on the “NFS export ACL” option during the engine wizard. You can check this as follows:


If everything went as expected you should see both the NFS01 and ISO_DOMAIN in an up and active state:

ISO_NFS_DOMAIN_UP

 

Uploading ISO Images

There is no GUI based ISO upload tool during this time, so to upload ISO images you must login to the engine first and run the following commands:



Using oVirt

At this point everything should be up and running for you to start creating virtual machines. For more information please read the oVirt Documentation: http://www.ovirt.org/Documentation


Source: https://xrsa.net/2015/02/04/installing-ovirt-3-5-on-centos-7-hosted-engine/ View the full article
31 Jan 2015
QUOTE
Call of Duty Modern Warfare 3 smashes entertainment launch recordsCall of Duty: Modern Warfare 3 sells more than 6.5m copies within 24 hours of its launch, earning an estimated $400m in sales
The funkily-named bug of the week is GHOST.
Its official moniker is the less catchy CVE-2015-0235, and it's a vulnerability caused by a buffer overflow in a system library that is used in many, if not most, Linux distributions.
A buffer overflow is where you assume, for example, that when you handle a four-byte network number written out as decimal digits, you will never get anything longer than 255.​255.​255.​255.
That takes up 15 characters, so you may decide that you'll never need more than 15 bytes of memory.
So, if you add a spare byte for luck and allocate 16 bytes, you're bound to have enough space.
And then, one day, a malicious user decides to see what happens if he ignores the rules, and uses a network number like, say, 1024.​10224.​102224.​1022224.
That network number is nonsense, of course, but your program might not hold out long enough to reject it.
Your code will probably crash right away, because the attacker's 25 bytes will overflow your 16 bytes of available memory.

GHOST explained


As it happens, the GHOST vulnerability is connected with network names and numbers.
The spooky name comes from the system functions where the vulnerable code was found.
The functions are called gethostbyname() and gethostbyname2(), and they do what the names suggest.
They find the computer-friendly network number of a host (e.g. 93.​184.​216.​34) from its human-friendly name (e.g. example.com).
In other words, these functions do a DNS (domain name system) lookup for you, so your program doesn't need to deal with the intricacies of the DNS protocol.
For example, if you ignore any error checking in your code, you might do this:

And you'd see something like this:

By the way, even if your program doesn't directly call gethostbyname(), you may end up calling it indirectly as a side-effect of doing something, anything, involving a computer name.
For example, if your software looks up email addresses, calls home for updates, retrieves postings from online forums, plays podcasts, or any of a number of perfectly unexceptionable network-related activities, it almost certainly triggers name-to-number lookups at some point.
And if those lookups are based on data received from outside, such as a sender's email address in received email headers, then attackers may very well get to choose what data gets passed to your Linux computer's gethostbyname() function.

The bug


It turns out that gethostbyname() has a clever feature, where it works out whether you called it with name that is already a network number (digits-dot-digits-dot-digits-dot-digits).
In that case, it would be a waste of time to do a DNS lookup, so it doesn't bother.
Unfortunately, the code that runs through the name to see if it's really a network number has a buffer overflow, and if you deliberately send a super-long number laid out just right...
...poof – the GHOST strikes!
So an attacker may be able to rig up messages or network requests that crash your program; and with a bit (or, more likely, a lot) of trial and error, they might be able to trigger that crash in a way that gives them control over your computer.
That's known as a Remote Code Execution (RCE) exploit, similar to the bug recently found in the super-secure Blackphone, though in that case it was a text message that caused the phone's software to trip over itself.

What to do?


The good news is that this bug doesn't exist on every computer.
It actually exists only in some versions of a software module called glibc, short for GNU C library.
In fact, most computers in the world don't have glibc installed, because it's not used by default on Windows, OS X, iOS or Android.
The bad news is that many, if not most, computers running Linux do use glibc, and may be at risk.
In short, therefore, if you have any Linux-based systems, including home firewalls and routers:
  • Check with your vendor, or the maker of your distribution, to see if you need a patch.
  • If you do, make plans to apply the patch as soon as you can.
Oh, and if you are a programmer, you shouldn't really be using the gethostbyname functions anyway.
They were superseded many years ago by the much more flexible and useful function getaddrinfo(), which you should use instead.

View the full article
Last Visitors


14 Apr 2020 - 1:04


4 Mar 2016 - 0:28

Comments
Other users have left no comments for gpanagou.

Friends
There are no friends to display.
RSS Lo-Fi Version Time is now: 19th March 2024 - 01:42 PM
Skin and Graphics by Dan Ellis and Anubis. Hosting by Forums & More 2005-2011.
InvisionGames - Your #1 Arcade Games Repository | AllSigs - Signatures for all | Rock Band + Guitar Hero = RockHero ! | The Remoters - Remote Assistance | FileMiners - You ask, We find