Posts Tagged ‘security’

Configure FreeBSD To Use Blowfish Password Format

July 10th, 2009 1 comment

I’ve been spending a lot of time lately researching FreeBSD security solutions: topics such as pf (packet filter), system hardening, etc. One of the tips that I thought I’d share here is a method of configuring your system to use Blowfish for password hashes as opposed to the default MD5. If you are on a system that has a lot of users it might be prudent to update the hash format to make your stored passphrases safer.

Configure /etc/login.conf

The password format is set in the /etc/login.conf file; the default value is “md5”. To update your configuration to use Blowfish instead, make the following change to your file:

-       :passwd_format=md5:\

+       :passwd_format=blf:\
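
Review bot: the hunk carries no context lines, so it does not show which login class in /etc/login.conf holds the passwd_format line being changed. Name the class in the surrounding text, since any class that sets its own passwd_format keeps that value until it gets the same edit.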

After you’ve made this change you’ll need to rehash the login database, which is done using the cap_mkdb command:

cap_mkdb /etc/login.conf

At this point any newly assigned passwords will be created using blowfish instead of MD5. Any existing accounts will retain their MD5 password hash until the password is reset.
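
To see which accounts still carry an MD5 hash after the switch, this added example (not part of the original post) classifies entries in master.passwd format by their crypt(3) prefix. The sample entries are constructed, the function names are hypothetical, and it assumes `$1$` marks MD5 and `$2$`/`$2a$`/`$2b$` mark Blowfish hashes.

```shell
#!/bin/sh
# Added example: report the hash scheme of each account in master.passwd format.
# Assumes crypt(3) modular prefixes: $1$ = MD5, $2$/$2a$/$2b$ = Blowfish.

# Constructed sample entries (not real hashes).
sample_master_passwd() {
    cat <<'EOF'
root:$1$cnstrctd$AAAAAAAAAAAAAAAAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh
alice:$2a$04$ConstructedSaltValue00ConstructedHashValue0000000000000:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$1$cnstrctd$BBBBBBBBBBBBBBBBBBBBBB:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

# Reads master.passwd-format lines on stdin, prints "user:scheme:state".
classify_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            h = $2; state = "active"
            # pw lock prepends *LOCKED* to the stored hash; look underneath it
            if (sub(/^[*]LOCKED[*]/, "", h)) state = "locked"
            if      (h ~ /^[$]1[$]/)       scheme = "md5"
            else if (h ~ /^[$]2[a-z]?[$]/) scheme = "blf"
            else if (h == "")              scheme = "empty"
            else if (h ~ /^[*]/)           scheme = "nologin"
            else                           scheme = "other"
            print $1 ":" scheme ":" state
        }'
}

# Accounts that still need a password reset to move off MD5.
md5_accounts() {
    classify_hashes | awk -F: '$2 == "md5" { print $1 }'
}

sample_master_passwd | classify_hashes
```

On a live system, run `md5_accounts < /etc/master.passwd` as root; locked accounts are included because the MD5 hash is still stored underneath the lock marker.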

Categories: FreeBSD

Quickly Lock Your Screen: Mac OS X

June 5th, 2009 1 comment

I’ve been using my Mac more and more while I’m at work these days and one of the things that I quickly started to miss was the Linux keyboard shortcut for locking your screen (ctrl-alt-l) when you’re going to be away from your desk. The first few times I simply resigned myself to trust my office mate, but that wasn’t going to cut it long-term. I set out to find a solution to locking my screen while I was going to be away from my Mac. This is what I found.

There are actually a number of solutions that I found. Some require third-party software. Others require creating dock icons to launch command-line tools. The solution I came up with requires no third-party software, custom dock icons or arthritis-inducing keyboard shortcuts. This uses easily configurable options that can also easily be undone if desired. I used Hot Corners.

If you’re not familiar with Hot Corners, it is the ability to use your mouse and the four corners of your desktop to achieve additional functionality. I use my upper-right hand corner to launch Spaces. The lower-right for Expose (All Windows). I’ve now added the lower-left to launch my Screensaver. By configuring my machine to activate the screensaver when the mouse is in the lower-left corner of the screen I am easily able to lock my screen when I need to be away from the computer. I simply drag the mouse down, screensaver turns on (which requires a password to unlock, of course) and I’m golden.

To activate this feature, do the following:

  1. Click Apple > System Preferences > Desktop and Screensaver
  2. In the lower left corner of that window you’ll find a button that says “Hot Corners”. Select that and then select one of the four corners to “Start Screensaver”.

As I mentioned before, there are other solutions to this problem, but this is the solution that I found the least complicated or difficult to set up. Do you have another solution that you consider easier? Let us know in the comments.

Categories: OS X

Detect Conficker Worm With nmap 4.85BETA6 on Arch Linux

April 1st, 2009 No comments

As I’m sure you’ve all heard, today is April Fools’ Day and the day that the Conficker worm is set to… well, do something. I haven’t read any reports on just exactly what it has done, if anything, today, but I was able to come up with a solution that will allow you to scan for it using Arch Linux and the latest-greatest build of nmap. I just ran a scan on my home network and didn’t find anything (granted I only have Arch Linux, FreeBSD and Mac OS X machines here), but the same steps can be used to scan your office networks if you’re still wondering about being vulnerable. I will outline below how to install the Arch Build System (ABS), update the PKGBUILD for nmap to install the latest nmap and finally how to scan a range of networks for the Conficker worm.

Installation via ABS

To build the latest-greatest copy of nmap we’ll use the ABS and simply update the PKGBUILD information. If you do not have ABS set up on your machine you’ll need to complete the following steps:

pacman -S abs
abs

These two commands will install the ABS on your system and then sync with the repository mirror.

Configuring nmap

Next you’ll want to copy the PKGBUILD from the ABS directory structure to your home directory for building.

mkdir ~/abs/
cp -r /var/abs/extra/nmap/ ~/abs/

Now head back to ~/abs/nmap/ and edit the PKGBUILD file with the following changes:

pkgver=4.85BETA6
md5sums=('33af2a98032b2e6617cea8de23808e64')

With those two changes saved you can now compile the latest nmap.  Use: makepkg -i

Detecting Conficker

Now that you have the latest nmap compiled and installed you can scan your network(s) for the Conficker worm. Use the following command and look for any “INFECTED” or “VULNERABLE” lines in the output.

nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 [network_range]

(of course, replace network_range with your home/office network, e.g. 192.168.0.0/24)
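
When scanning a large range, picking out those lines by eye gets error-prone, so this added example (not part of the original post) filters saved scan output down to one line per finding, tagged with the host it belongs to. The sample output is constructed, and both the per-host header wording and the "NOT VULNERABLE" result string are assumptions about the output format; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list hosts whose script results contain INFECTED or VULNERABLE.

# Constructed sample of saved scan output (layout is an assumption).
sample_scan() {
    cat <<'EOF'
Interesting ports on 192.168.0.10:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT VULNERABLE
|_ Conficker: Likely CLEAN

Interesting ports on 192.168.0.23:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|_ Conficker: Likely INFECTED
EOF
}

# Reads scan output on stdin, prints "host<TAB>finding" for each flagged line.
flag_hosts() {
    awk '
        # Remember which host the following script results belong to.
        /^(Interesting ports on|Nmap scan report for) / {
            host = $NF; gsub(/[():]/, "", host); next
        }
        # Script result lines start with "|". A plain search for VULNERABLE
        # would also match "NOT VULNERABLE", so exclude that explicitly.
        /^[|]/ && /INFECTED|VULNERABLE/ && !/NOT VULNERABLE/ {
            line = $0; sub(/^[|]_?[ ]*/, "", line)
            print host "\t" line
        }'
}

sample_scan | flag_hosts
```

Save the scan with shell redirection and feed the file to `flag_hosts`; an empty result means no line matched, not that every host was reachable on port 445.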

Conclusion

While I still don’t know what, if anything, the Conficker worm is going to do today (or ever), it’s best to make sure your machines are not vulnerable and that someone else does not have control of them. If you administer a number of Windows machines, take a minute to scan them and verify that nothing is left vulnerable. I hope these steps were helpful for anyone needing to verify security on their networks.

Categories: Arch

FreeBSD Security Update: 7.1-RELEASE-p4 Available

March 23rd, 2009 3 comments

For those using FreeBSD, there has been another security update to the 7.1 release family.  According to the UPDATING file:

20090323:       p4      FreeBSD-SA-09:06.ktimer, FreeBSD-EN-09:01.kenv
Correctly sanity-check timer IDs. [SA-09:06]
Limit the size of malloced buffer when dumping environment
variables. [EN-09:01]

If you’re interested in applying this update to your system, here is the method I use:

csup -g -L2 cvsup.freebsd.org /usr/share/examples/cvsup/standard-supfile
cd /usr/src
make buildkernel && make installkernel
make buildworld && make installworld
reboot

There are other methods for keeping your base system updated, but I prefer the compiling method. What other methods might you suggest?

Categories: FreeBSD