Tag Archives: Secure Shell

[iPhone] Virus Worm Spreading on Jailbroken iPhones

Apple must be pleased about this news. They haven’t become tired in telling the people that jailbreaking the iPhone seriously compromises user security.

And now a worm developed by Ashley Towns from down under is nothing else but attacking jailbroken iPhones whose Secure Shell has not been disabled or where the default root password (“alpine”) is in place.

Luckily the first version of the worm was almost imperfect as it just changed the background wallpaper to a photograph of Rock Astley – yes rickrolled again. Anyway ITBusinessEdge now reports that a second version of the worm has been seen in the wild. This new version of the worm gives no indication that it has successfully compromised your jesus phone. Beware guys.

Now, will we get virus scanners for our jailbroken iPhones? Will it be necessary to run firewalls?

It seems like irony, but it seriously looks like that all the probs Microsoft’s operating systems have had for years with viruses and worms – just because Windows is the most widespread desktop operating system – are now coming to the iPhone.

via IT BusinessEdge.com

[Linux] Securing a Debian server by Enabling passwordless Login

I. Abstract

All of us know, there are lots of bad guys out there just trying to brute force our ssh ports. The following article provides information about the first steps to be performed when setting up a new webserver running Debian Etch.

For security reasons we recommend applying these how to’s before proceeding

  • Mandatory: How to secure your Debian server by updating the buggy openSSH Debian package (read tutorial here)
  • Optional: How to secure your Debian server by changing the SSH port number (read tutorial here)

The following howto will show you how to enable SSH login without a server based password (passwordless login) and how to disable password login in general on your server.

II. Generate SSH public- private-key pair

  • Generate keypair on your Linux client machine (works on Cygwin and Mac OS X as well!)
    client$ mkdir ~/.ssh
    client$ chmod 700 ~/.ssh
    client$ cd .ssh
    client$ ssh-keygen -q -f id_rsa -t rsa
  • You will be asked to provide a passphrase to encrypt your private key. Although you might leave this empty, we strongly recommend to provide it – for you own safety
  • In the folder called .ssh you will then find those two files:
    id_rsa > contains private-key (encrypted with your passphrase)
    id_rsa.pub > contains public-key (to be put on your Etch Webserver)

III. Upload public-key to server

  • In detail: the output of id_rsa.pub (which in fact is a textfile) is pushed via ssh on your root’s homefolder and being saved there as id_rsa.remote:
    client$ cat id_rsa.pub | ssh root@yourdomain.net cat “>“ id_rsa.remote

IV. Activate public- private-key authentication

  • log in to your server
    client$ ssh root@yourdomain.net (provide your password)
  • you may install nano (if you like vim, stay with vim), imho nano is faster for simpler tasks, but vim is much more powerful, so having both is no loss ;-)
    server$ apt-get install nano
  • Edit SSH configuration to allow public-key login
    server$ nano /etc/ssh/sshd_config
  • Allow AuthorizedKeysFile only (still in sshd_config)
    AuthorizedKeysFile %h/.ssh/authorized_keys
  • Disallow Password driven login (still in sshd_config)
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no
  • Save and exit (in nano: ctrl + x)
  • restart ssh deamon
    server$ /etc/init.d/ssh restart
  • Go back to your root’s home folder
    server$ cd
  • Makedir .ssh
    server$ mkdir .ssh
  • Copy uploaded id_rsa.remote to .ssh folder
    server$ cp id_rsa.remote .ssh/authorized_keys

V. Test your configuration

  • Don’t log out of your server, instead open a second terminal on your client machine to test your new configuration:
    client2$ ssh root@yourdomain.net
    (provide the passphrase for your private-key)
  • If everything works well, congratulations you’re done, consider clicking our sponsor (non offensive Google Adsense) to help maintaining this project free for all of you…

VI. Kindly Sponsored by

VII. Further steps

If you didn’t already do it. For further improving your server’s security you probably want to change ssh port address from 22 to anything else? Read here, how to do that…