Svend/ blog/ tag/ security
Security through invisible ports

The Open-E Data Storage Server documentation [Manual (Ver. 5.00 up49) November 19, 2008] has this to say about SSH access.

The default port is 22222 for security reasons, seeing as high-number ports are invisible to port scanners. You can change the setting only to a port within the 1024-65535 range.

(And painting your doors the same color as your the rest of your house will make them invisible to burglars.)

$ nmap -sV -p 1024-65535 X.X.X.X

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-26 13:18 PDT
Nmap scan report for X.X.X.X
Host is up (0.00055s latency).
Not shown: 64509 closed ports
PORT      STATE SERVICE  VERSION
3260/tcp  open  iscsi?
11211/tcp open  memcache memcached 1.1.12 (PID 14311; uptime 84778 seconds; curr items: 6; total items: 3142; bytes cached: 6131)
22222/tcp open  ssh      OpenSSH 4.3p2 Debian 9etch3 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.18 seconds
Posted Thu 26 Aug 2010 01:31:17 PM PDT Tags: security
Verifying the backports.org GPG key

How to download, verify, and install the backports.org GPG key.

These instructions are adapted from the DebianEdu backports.org instructions.

1. Download backports GPG key

The key ID is on the backports website. We will save it to a temporary keyring.

$ gpg --no-default-keyring \
      --keyring /tmp/backports.gpg \
      --keyserver hkp://subkeys.pgp.net \
      --recv-keys 16BA136C
gpg: keyring `/tmp/backports.gpg' created
gpg: requesting key 16BA136C from hkp server subkeys.pgp.net
gpg: key 16BA136C: public key "Backports.org Archive Key <ftp-master@backports.org>" imported
gpg: public key of ultimately trusted key EF6CC3C1 not found
gpg: public key of ultimately trusted key 78733EF8 not found
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Total number processed: 1
gpg:               imported: 1

2. Check the backports key's signatures

Check the signatures using the Debian developers keyring (part of the debian-keyring package).

$ gpg --no-default-keyring \
      --keyring /tmp/backports.gpg \
      --keyring /usr/share/keyrings/debian-keyring.gpg \
      --check-sigs 16BA136C
pub   1024D/16BA136C 2005-08-21
uid                  Backports.org Archive Key <ftp-master@backports.org>
sig!         7E7B8AC9 2005-11-20  Joerg Jaspert <joerg@debian.org>
sig!3        16BA136C 2005-08-21  Backports.org Archive Key <ftp-master@backports.org>
sig!3        16BA136C 2005-08-21  Backports.org Archive Key <ftp-master@backports.org>
sub   2048g/5B82CECE 2005-08-21
sig!         16BA136C 2005-08-21  Backports.org Archive Key <ftp-master@backports.org>

3 signatures not checked due to missing keys

You can see three self-signatures, and one valid signature by a Debian developer.

3. Add the backports key to apt's keyring

$ gpg --no-default-keyring \
      --keyring /tmp/backports.gpg \
      --export 16BA136C | 
      sudo apt-key add -
OK
Posted Tue 24 Feb 2009 01:01:29 PM PST Tags: security
Disabling middle click load in Iceweasel

Iceweasel's (and Firefox's) habit of loading the contents of the X clipboard as a URL on a middle-click can get you into trouble. If you are pasting a password into a web page and accidentally click outside of the text box, Iceweasel will attempt to load the password as a URL. This sends the password over the network unencrypted as Iceweasel tries to resolve "password123". As a bonus, the DNS query may also be cached by a nameserver.

This behavior can be disabled by setting middlemouse.contentLoadURL to false.

Posted Mon 09 Feb 2009 11:49:12 AM PST Tags: security