Archive for the ‘Encryption’ Category

Disable Weak Ciphers in Dovecot

While running my periodic Nessus scans, the scanner picked up two medium-severity findings against Dovecot: “SSL Anonymous Cipher Suites Supported” and “SSL Weak Cipher Suites Supported.”

Look in the Dovecot config file, /etc/dovecot.conf on Dovecot 1.x (Dovecot 2.x keeps the same setting in /etc/dovecot/conf.d/10-ssl.conf), under “SSL ciphers to use” and you will see:
ssl_cipher_list = ALL:!LOW:!MEDIUM

To disable these weak ciphers change this to the following and restart Dovecot (the original line listed several suite names more than once; each appears once here, and the version keyword is spelled !SSLv2, which is the form OpenSSL recognises):
ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSLv2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA

Excluding suites by name only covers the ones this particular OpenSSL build offered. The anonymous finding is really about every suite with no server authentication (the ADH and AECDH families, which any client can be man-in-the-middled through) and the weak-cipher finding about export-grade suites. OpenSSL's aNULL and EXP keyword groups name exactly those classes and also catch suites that a newer OpenSSL adds, so they are the more durable way to express the same exclusion.

Run the Nessus scan again and those two vulnerabilities go away :-)

Postfix and SSL

First we need to create our certificates. To create a certificate authority, install the openssl-perl package (it provides the CA.pl helper script) through Yum:
———————————————————–
yum install openssl-perl
———————————————————–

Then issue the following command to create the CA certificate. On RHEL/CentOS the script is installed as /etc/pki/tls/misc/CA.pl; it prompts for a passphrase for the CA key and builds the CA under a demoCA directory beneath the current working directory, so note where you ran it.
———————————————————–
./CA.pl -newca
———————————————————–

After the CA exists, generate the server key and certificate request, then have the request signed by the CA. Answer the Common Name prompt with the hostname clients will connect to (smtp.example.com in the test below). Postfix cannot prompt for a passphrase, so the key has to be written unencrypted (-nodes) and protected by file permissions instead. The -days option from the original command is dropped because req ignores it without -x509; the validity comes from the CA's openssl.cnf when it signs. openssl ca looks for the demoCA directory that CA.pl created, so run it from the same working directory.
———————————————————–
openssl req -new -nodes -newkey rsa:2048 -keyout newkey.key -out newreq.pem
openssl ca -out post_signed_cert.pem -infiles newreq.pem

———————————————————–

On the Postfix server create /etc/pki/postfix with certs and private subdirectories, copy the signed certificate to certs/post_signed_cert.pem and the key to private/postkey.key (the names main.cf uses below), and lock the key down. Postfix's smtpd loads the key while still running as root, before it drops privileges, so root-only access is enough; the certificate is public and can stay readable.
———————————————————–
chown root:root /etc/pki/postfix/private/postkey.key
chmod 0400 /etc/pki/postfix/private/postkey.key
———————————————————–

Add the following lines at the bottom of the main.cf file for Postfix
———————————————————–
#SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

#TLS
smtpd_tls_key_file = /etc/pki/postfix/private/postkey.key
smtpd_tls_cert_file = /etc/pki/postfix/certs/post_signed_cert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may

#HELO Restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

———————————————————–

Two things to watch in the TLS block. smtpd_tls_auth_only = yes keeps AUTH out of the EHLO response until the client has started TLS, so the PLAIN and LOGIN credentials Dovecot accepts never cross the wire in clear text; smtpd_tls_security_level = may leaves TLS opportunistic on port 25, which is what other mail servers expect. The session cache file is created by tlsmgr, which runs as the unprivileged postfix user, so the directory named in smtpd_tls_session_cache_database must be writable by that user; the queue root /var/spool/postfix itself is owned by root, and Postfix 2.5 and later keep the cache under $data_directory.

Next uncomment the submission line in master.cf so Postfix also listens on port 587. Distributions ship that entry with -o override lines beneath it that force TLS and SASL on 587 (smtpd_tls_security_level=encrypt, smtpd_sasl_auth_enable=yes); uncomment those too if your file has them. Leave port 25 opportunistic: mandatory TLS there would reject mail from servers that cannot do TLS.
———————————————————–
smtp inet n - n - - smtpd
submission inet n - n - - smtpd

———————————————————–

We now need to tie it into Dovecot, which Postfix uses as its SASL backend over the Unix socket named in smtpd_sasl_path (a path relative to Postfix's queue directory). In the auth default section of dovecot.conf (Dovecot 1.x syntax) add/edit the following lines. PLAIN and LOGIN are acceptable mechanisms only because smtpd_tls_auth_only keeps them behind TLS.
———————————————————–
auth default {
  # Mechanisms offered to Postfix; both send the password in the clear,
  # which is why Postfix only advertises AUTH after STARTTLS.
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  # PAM lookups need root; the auth process runs as root for that reason.
  user = root
  socket listen {
    client {
      # Must match smtpd_sasl_path = private/auth relative to the Postfix queue directory.
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

———————————————————–

Restart the Postfix and Dovecot services.
———————————————————–
service postfix restart
service dovecot restart

———————————————————–

To check that TLS is being offered, telnet to port 25 and issue an EHLO:
———————————————————–
$ telnet localhost 25
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 smtp.example.com ESMTP Postfix
ehlo smtp.example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

———————————————————–

What you are looking for is STARTTLS; its presence tells you that TLS is activated. Note what is not listed: there is no AUTH line, which is smtpd_tls_auth_only = yes doing its job, and AUTH PLAIN LOGIN should appear only in the EHLO response sent after TLS is up. To check the certificate side, type STARTTLS; Postfix should answer 220 2.0.0 Ready to start TLS. Anything else means something is wrong and you will need to go back and fix it. telnet cannot go further than that reply, because the next bytes on the wire are the TLS handshake; openssl s_client with -starttls smtp completes the handshake and shows the certificate the server presented.
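telnet stops at the STARTTLS reply because what follows is a TLS handshake. The following added example (Python, not code from the original post) completes the exchange with the standard smtplib module and checks the three things the configuration above promises: STARTTLS offered in clear text, AUTH withheld until TLS is up, and AUTH present after it. The host, port and CA file path are assumptions to replace with your own, and the two EHLO replies embedded in it are constructed samples (the first copies the telnet session above) so the checks can also run offline against a transcript.

```python
"""Walk the EHLO / STARTTLS / EHLO exchange and check what the configuration promises.

Added example, not code from the original post. HOST, PORT and CA_FILE are
assumptions; point them at your own server and CA. The two EHLO replies are
constructed samples so the checks can run without a server.
"""
import smtplib
import ssl

HOST = "smtp.example.com"                      # assumed: the host from the telnet session
PORT = 25
CA_FILE = "/etc/pki/postfix/certs/cacert.pem"  # assumed path to the CA.pl-generated CA cert

# Constructed: the clear-text reply mirrors the telnet session above; the second is
# what smtpd_sasl_auth_enable should add once TLS is up (STARTTLS is not re-offered).
CLEARTEXT_EHLO = b"""250-smtp.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
TLS_EHLO = b"""250-smtp.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(reply):
    """EHLO keywords (upper-case) from a raw multi-line reply, skipping the hostname line."""
    features = set()
    seen_hostname = False
    for line in reply.decode("ascii", "replace").splitlines():
        if not line.startswith("250") or len(line) < 4:
            continue
        if not seen_hostname:            # first 250 line carries the server name, not a feature
            seen_hostname = True
            continue
        body = line[4:].strip()          # after "250-" or "250 "
        if body:
            features.add(body.split()[0].upper())
    return features


def audit(before_tls, after_tls):
    """Findings for the keyword sets seen before and after STARTTLS.

    Encodes the intent of the main.cf settings above:
      smtpd_tls_security_level = may  -> STARTTLS is advertised in clear text
      smtpd_tls_auth_only = yes       -> AUTH is *not* advertised in clear text
      smtpd_sasl_auth_enable = yes    -> AUTH is advertised once TLS is up
    after_tls is None when STARTTLS was never reached.
    """
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered: TLS is not enabled on this port")
    if "AUTH" in before_tls:
        findings.append("AUTH offered before STARTTLS: smtpd_tls_auth_only is not in effect")
    if after_tls is not None and "AUTH" not in after_tls:
        findings.append("AUTH missing after STARTTLS: SASL is not wired to Dovecot")
    return findings


def probe(host=HOST, port=PORT, ca_file=CA_FILE):
    """Live check against a real server; returns (findings, peer certificate subject)."""
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies the chain and the hostname
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = {k.upper() for k in smtp.esmtp_features}
        after, subject = None, None
        if smtp.has_extn("starttls"):
            try:
                smtp.starttls(context=ctx)               # expects 220 2.0.0 Ready to start TLS
            except smtplib.SMTPResponseException as e:   # anything other than 220
                return [f"STARTTLS refused: {e.smtp_code} {e.smtp_error!r}"], None
            smtp.ehlo()                                  # features are re-advertised under TLS
            after = {k.upper() for k in smtp.esmtp_features}
            subject = smtp.sock.getpeercert().get("subject")
        return audit(before, after), subject


if __name__ == "__main__":
    findings, subject = probe()
    print("certificate subject:", subject)
    print("\n".join(findings) or "OK: STARTTLS offered, AUTH only after TLS")
```

create_default_context() fails the handshake if the certificate does not chain to CA_FILE or its Common Name does not match HOST, which is exactly the check a mail client will perform; run probe() a second time with port 587 once the submission service is enabled.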

USB encryption with Luks

Here is an easy way of encrypting USB thumb drives with LUKS. The examples below assume the thumb drive is /dev/sdb; check which device the drive actually got (lsblk or the kernel log) before going further, because every step from here on destroys whatever is on the device you name.

First, check the device for bad blocks. The -w option is a destructive write test: it overwrites the whole device, which also wipes whatever was on it:

~]# badblocks -c 10240 -s -w -t random -v /dev/sdb

Next create the partition on the drive itself.

~]# fdisk /dev/sdb

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x99faf680.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): p

Disk /dev/sdb: 4066 MB, 4066377728 bytes
126 heads, 62 sectors/track, 1016 cylinders
Units = cylinders of 7812 * 512 = 3999744 bytes
Disk identifier: 0x99faf680

Device Boot Start End Blocks Id System

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1016, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-1016, default 1016):
Using default value 1016

Command (m for help): p

Disk /dev/sdb: 4066 MB, 4066377728 bytes

126 heads, 62 sectors/track, 1016 cylinders
Units = cylinders of 7812 * 512 = 3999744 bytes
Disk identifier: 0x99faf680

Device Boot Start End Blocks Id System
/dev/sdb1 1 1016 3968465 83 Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Now choose a passphrase and turn the partition into a LUKS container. The options below give a 256-bit AES key, which is what the post means by AES256; -c aes names only the cipher and leaves the block mode to cryptsetup's default for a bare name, which on the cryptsetup of the time was a CBC mode. Current cryptsetup defaults to aes-xts-plain64 with a 512-bit master key (XTS splits the key in two, so 512 bits is what AES-256 needs), and spelling that out with -c aes-xts-plain64 -s 512 is the better choice on any recent distro:

~]# cryptsetup luksFormat -v -y -s 256 -c aes /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

To open the encrypted drive type:

cryptsetup luksOpen /dev/sdb1 usbdrive

It will then prompt for the passphrase.

***WARNING*** Do not lose your passphrase: there is no way to recover it. The LUKS header at the start of the partition is just as critical, since it holds the encrypted master key; if it is overwritten or corrupted the data is gone even with the right passphrase. Make a copy of it with cryptsetup's luksHeaderBackup action and keep it off the drive, and consider adding a second passphrase in another key slot (luksAddKey) as a recovery path.

Now format the drive. This example shows how to format the drive with ext4 however ext3 will also work if you are running an older distro.

~]# mkfs.ext4 /dev/mapper/usbdrive
mke2fs 1.41.4 (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
248000 inodes, 991859 blocks
49592 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1019215872

31 block groups
32768 blocks per group, 32768 fragments per group
8000 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Mount the drive (create the mount point first, for example with mkdir -p /media/usbdrive):

~]# mount /dev/mapper/usbdrive /media/usbdrive

Now your drive is encrypted ;-)

Gnome should automatically ask for the passphrase the next time you insert the USB drive. If you are working from the command line, here are the steps to mount and unmount it.

Mount the device

~]# cryptsetup luksOpen /dev/sdb1 usbdrive
~]# mount /dev/mapper/usbdrive /media/usbdrive

Unmount the device

~]# umount /media/usbdrive
~]# cryptsetup luksClose usbdrive
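Once a drive is formatted, the only place its parameters are recorded is the LUKS header, and cryptsetup luksDump prints them. The following added example (Python, not code from the original post) parses that output for a LUKS1 header and flags the things worth fixing before trusting the drive with real data: a CBC mode (or XTS with a master key too short for AES-256), the old SHA-1 PBKDF hash, and a single key slot, which is the situation the warning above describes. The two dumps embedded in it are constructed and abbreviated samples, not captures from a real device; the first is shaped like a header from the cryptsetup era of the post (CBC with ESSIV, 256-bit key, one passphrase), the second like one made with current defaults (aes-xts-plain64, 512-bit key) plus a second passphrase. Run audit_device() on your own drive to see which mode the bare -c aes actually produced.

```python
"""Audit a LUKS1 header for weak parameters and a missing recovery key slot.

Added example, not code from the original post. Feed it the output of
`cryptsetup luksDump <device>` (LUKS1 layout, as printed by cryptsetup 1.x);
both dumps embedded below are constructed, abbreviated samples.
"""
import re
import subprocess

# Constructed sample: CBC mode with a 256-bit key, SHA-1 PBKDF hash, one passphrase.
OLD_STYLE_DUMP = """\
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             100000
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
"""

# Constructed sample: current cryptsetup defaults (XTS, 512-bit master key) plus a second slot.
MODERN_DUMP = """\
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             500000
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             500000
        Key material offset:    512
        AF stripes:             4000
Key Slot 2: DISABLED
"""

SLOT_RE = re.compile(r"^Key Slot (\d+):\s*(ENABLED|DISABLED)")


def parse_luks_dump(text):
    """Top-level 'Field: value' pairs plus the list of enabled key slot numbers."""
    info = {"keyslots_enabled": []}
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            if m.group(2) == "ENABLED":
                info["keyslots_enabled"].append(int(m.group(1)))
            continue
        if line[:1].isspace() or ":" not in line:   # per-slot detail lines, blanks, banner
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def audit_luks(info):
    """Human-readable findings; an empty list means nothing to fix."""
    if info.get("Version") != "1":
        return [f"not a LUKS1 header dump (version {info.get('Version')}); only LUKS1 is parsed here"]
    findings = []
    mode = info.get("Cipher mode", "")
    bits = int(info.get("MK bits") or 0)
    if mode.startswith("cbc"):
        findings.append(f"CBC mode ({mode}): reformat with -c aes-xts-plain64 -s 512 when you can")
        if "essiv" not in mode:
            findings.append("CBC with a plain IV: predictable IVs let identical sectors be spotted")
    if mode.startswith("xts") and bits < 512:
        # XTS uses two keys, so a 256-bit master key is AES-128, not AES-256.
        findings.append(f"XTS with a {bits}-bit master key is AES-{bits // 2}; use -s 512 for AES-256")
    elif not mode.startswith("xts") and bits < 256:
        findings.append(f"{bits}-bit master key: use at least 256 bits")
    if info.get("Hash spec") == "sha1":
        findings.append("PBKDF2 over SHA-1: current cryptsetup defaults to sha256 (dated rather than broken)")
    if len(info["keyslots_enabled"]) < 2:
        findings.append("only one key slot in use: add a second passphrase with luksAddKey and keep a header backup")
    return findings


def audit_device(device):
    """Run cryptsetup luksDump on a real device (needs root) and audit the result."""
    out = subprocess.run(["cryptsetup", "luksDump", device],
                         check=True, capture_output=True, text=True).stdout
    return audit_luks(parse_luks_dump(out))


if __name__ == "__main__":
    for label, dump in (("old-style header", OLD_STYLE_DUMP), ("modern header", MODERN_DUMP)):
        print(label + ":")
        print("\n".join("  - " + f for f in audit_luks(parse_luks_dump(dump))) or "  nothing to fix")
```

Drives formatted by cryptsetup 2.1 or later carry a LUKS2 header whose luksDump layout is different; the script reports that instead of guessing. The key-slot check is the one that matters for the warning above: a second slot costs nothing and is the only recovery path short of a header backup.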
