SSL Certificate Null Byte Poisoning




Security researcher Moxie Marlinspike demonstrated at the Black Hat security conference how an SSL certificate issued for a domain name containing a null byte could be used to spoof any address on the Web. The researcher incorporated the technique into a man-in-the-middle tool called SSLSniff, which he initially released back in 2002.

The whole trick is to get a Certificate Authority (CA) to sign a certificate for a subdomain containing a null byte character. An example would be gmail.com\0.example.com, where "gmail.com\0" is the subdomain and "\0" is the null byte.

The problem is that most SSL implementations are vulnerable to what is called "null byte poisoning." This refers to an attack in which a string is forced to end at a chosen position by inserting a null byte. Applied to the certificate above, a vulnerable browser stops reading the name at the null byte and treats the certificate as valid for gmail.com.

"This is a vulnerability that would affect every SSL implementation, because almost everybody who has ever tried to implement SSL has made the same mistake," Marlinspike commented for Wired. However, he pointed out that Firefox 3.5 was among the few that were not vulnerable.

An even more dangerous attack would involve an SSL certificate issued for *\0.example.com. Due to the null byte poisoning, the vulnerable browsers and other SSL-aware applications would interpret this as a certificate for * (everything). "You get this certificate and it will match any domain you're trying to connect to. It's actually better than a CA cert because if you get a CA cert you at least have to create and sign another certificate to then present it for whatever you're trying to connect to."

The researcher explained that, even if CAs were to start refusing to sign such certificates, this wouldn't solve anything, since the ones already issued would remain valid. The only solution to the problem is for developers to fix their SSL implementations so that they continue reading the domain name when a null byte is encountered. SSLSniff, a tool created by Marlinspike back in 2002, has been updated to include this new attack.
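To make the mistake concrete, here is an added example in C (not code from the article, from SSLSniff or from any browser): a naive name matcher that treats the certificate's name as a NUL-terminated C string, beside a fixed one that honours the length the ASN.1 decoder supplies. The certificate names are constructed samples, and the wildcard handling is an assumed simplification of how such a matcher is typically written.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A certificate name as an ASN.1 decoder hands it over: a pointer plus an
 * explicit length. Nothing stops the bytes from containing a NUL, which is
 * exactly what the attack relies on. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample names; none comes from a real certificate. */
static const unsigned char CN_POISONED[] = "gmail.com\0.example.com";
static const unsigned char CN_WILD_POISONED[] = "*\0.example.com";
static const unsigned char CN_WILD_OK[] = "*.example.com";

/* Vulnerable matcher (the mistake the article describes): the name is used
 * as a C string, so strlen() stops at the first NUL and the explicit length
 * is ignored. "gmail.com\0.example.com" collapses to "gmail.com", and the
 * wildcard "*\0.example.com" collapses to "*", whose empty suffix matches
 * every host. */
int naive_name_matches(const struct cert_name *cn, const char *host)
{
    const char *name = (const char *)cn->data;   /* cn->len never consulted */
    size_t nlen = strlen(name);                  /* truncates at embedded NUL */
    size_t hlen = strlen(host);

    if (name[0] == '*') {
        size_t slen = nlen - 1;                  /* text after '*' is a suffix */
        return hlen >= slen && memcmp(host + hlen - slen, name + 1, slen) == 0;
    }
    return nlen == hlen && memcmp(name, host, hlen) == 0;
}

/* Fixed matcher: honours the decoder's length, rejects any name containing a
 * NUL, and accepts only a "*.suffix" wildcard that stands in for exactly one
 * leading label of the host. */
int safe_name_matches(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);

    if (cn->len == 0 || hlen == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                                /* embedded NUL: never valid */

    if (cn->data[0] == '*') {
        const unsigned char *suffix = cn->data + 1;      /* ".example.com" */
        size_t slen = cn->len - 1;
        if (slen < 2 || suffix[0] != '.' || hlen <= slen)
            return 0;
        /* The part the '*' covers must be a single label (no '.'). */
        size_t label_len = hlen - slen;
        if (memchr(host, '.', label_len) != NULL)
            return 0;
        return memcmp(host + label_len, suffix, slen) == 0;
    }
    return cn->len == hlen && memcmp(cn->data, host, hlen) == 0;
}

/* Convenience wrapper: safe != 0 selects the fixed matcher. Returns 1 on match. */
int matches(const unsigned char *data, size_t len, const char *host, int safe)
{
    struct cert_name cn = { data, len };
    return safe ? safe_name_matches(&cn, host) : naive_name_matches(&cn, host);
}

int main(void)
{
    printf("poisoned CN vs gmail.com: naive=%d safe=%d\n",
           matches(CN_POISONED, sizeof CN_POISONED - 1, "gmail.com", 0),
           matches(CN_POISONED, sizeof CN_POISONED - 1, "gmail.com", 1));
    return 0;
}
```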


More details about the vulnerability (CVE-2009-2408) are available at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2408

configure: error: C++ preprocessor "/lib/cpp" fails sanity check

configure: error: C++ preprocessor "/lib/cpp" fails sanity check in Ubuntu

This error occurs while compiling a package, as mentioned above.

Solution:

Run the following commands to resolve it:

sudo aptitude update
sudo aptitude install build-essential

Dovecot Mail Server

Dovecot Mail Server : Ubuntu


Dovecot is a Mail Delivery Agent, written with security primarily in mind. It supports the major mailbox formats: mbox and Maildir. This section explains how to set it up as an IMAP or POP3 server.

Installation

To install dovecot, run the following command at a terminal prompt:

sudo apt-get install dovecot-imapd dovecot-pop3d

Configuration

To configure dovecot, you can edit the file /etc/dovecot/dovecot.conf. You can choose the protocol you use: pop3, pop3s (POP3 secure), imap or imaps (IMAP secure). A description of these protocols is beyond the scope of this guide. For further information, refer to the Wikipedia articles on POP3 and IMAP.

IMAPS and POP3S are more secure than plain IMAP and POP3 because they use SSL encryption for the connection. Once you have chosen the protocol, amend the following line in the file /etc/dovecot/dovecot.conf:

protocols = pop3 pop3s imap imaps

Next, choose the mailbox you would like to use. Dovecot supports maildir and mbox formats. These are the most commonly used mailbox formats. They both have their own benefits and are discussed on the Dovecot web site.

Once you have chosen your mailbox type, edit the file /etc/dovecot/dovecot.conf and change the following line:

mail_location = maildir:~/Maildir # (for maildir)
or
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u # (for mbox)
[Note]

You should configure your Mail Transport Agent (MTA) to transfer the incoming mail to this type of mailbox if it is different from the one you have configured.

Once you have configured dovecot, restart the dovecot daemon in order to test your setup:

sudo /etc/init.d/dovecot restart

If you have enabled IMAP or POP3, you can also try to log in with the commands telnet localhost pop3 or telnet localhost imap2. If you see something like the following, the installation has been successful:

bhuvan@rainbow:~$ telnet localhost pop3
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+OK Dovecot ready.

Dovecot SSL Configuration

To configure dovecot to use SSL, you can edit the file /etc/dovecot/dovecot.conf and amend the following lines:

ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
ssl_disable = no
disable_plaintext_auth = no

You can get the SSL certificate from a Certificate Issuing Authority or you can create a self-signed SSL certificate. The latter is a good option for email, because SMTP clients rarely complain about "self-signed certificates". Please refer to the section called “Certificates” for details about how to create a self-signed SSL certificate. Once you create the certificate, you will have a key file and a certificate file. Copy them to the locations pointed to in the /etc/dovecot/dovecot.conf configuration file.

Firewall Configuration for an Email Server

To access your mail server from another computer, you must configure your firewall to allow connections to the server on the necessary ports.

  • IMAP - 143

  • IMAPS - 993

  • POP3 - 110

  • POP3S - 995

Linux DNS Troubleshooting

Ubuntu DNS Troubleshooting


Testing

resolv.conf

The first step in testing BIND9 is to add the nameserver's IP address to a host's resolver. The primary nameserver should be configured as well as another host, to double-check things. Simply edit /etc/resolv.conf and add the following:

nameserver 192.168.1.10
nameserver 192.168.1.11
[Note]

You should also add the IP Address of the Secondary nameserver in case the Primary becomes unavailable.

dig

If you installed the dnsutils package you can test your setup using the DNS lookup utility dig:

  • After installing BIND9 use dig against the loopback interface to make sure it is listening on port 53. From a terminal prompt:

    dig -x 127.0.0.1

    You should see lines similar to the following in the command output:

    ;; Query time: 1 msec
    ;; SERVER: 192.168.1.10#53(192.168.1.10)
  • If you have configured BIND9 as a caching nameserver, dig an outside domain to check the query time:

    dig ubuntu.com

    Note the query time toward the end of the command output:

    ;; Query time: 49 msec

    After a second dig there should be improvement:

    ;; Query time: 1 msec

ping

Now to demonstrate how applications make use of DNS to resolve a host name use the ping utility to send an ICMP echo request. From a terminal prompt enter:

ping example.com

This tests if the nameserver can resolve the name ns.example.com to an IP Address. The command output should resemble:

PING ns.example.com (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms

named-checkzone

A great way to test your zone files is by using the named-checkzone utility installed with the bind9 package. This utility allows you to make sure the configuration is correct before restarting BIND9 and making the changes live.

  • To test our example Forward zone file enter the following from a command prompt:

    named-checkzone example.com /etc/bind/db.example.com

    If everything is configured correctly you should see output similar to:

    zone example.com/IN: loaded serial 6
    OK
  • Similarly, to test the Reverse zone file enter the following:

    named-checkzone example.com /etc/bind/db.192

    The output should be similar to:

    zone example.com/IN: loaded serial 3
    OK
[Note]

The Serial Number of your zone file will probably be different.

Logging

BIND9 has a wide variety of logging configuration options available. There are two main options. The channel option configures where logs go, and the category option determines what information to log.

If no logging option is configured the default option is:

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };
};

This section covers configuring BIND9 to send debug messages related to DNS queries to a separate file.

  • First, we need to configure a channel to specify which file to send the messages to. Edit /etc/bind/named.conf.local and add the following:

    logging {
        channel query.log {
            file "/var/log/query.log";
            severity debug 3;
        };
    };
  • Next, configure a category to send all DNS queries to the query file:

    logging {
        channel query.log {
            file "/var/log/query.log";
            severity debug 3;
        };
        category queries { query.log; };
    };
[Note]

The debug level can be set from 1 to 3. If a level isn't specified, level 1 is the default.

  • Since the named daemon runs as the bind user, the /var/log/query.log file must be created and its ownership changed:

    sudo touch /var/log/query.log
    sudo chown bind /var/log/query.log
  • Before the named daemon can write to the new log file, the AppArmor profile must be updated. First, edit /etc/apparmor.d/usr.sbin.named and add:

    /var/log/query.log w,

    Next, reload the profile:

    cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r

  • Now restart BIND9 for the changes to take effect:

    sudo /etc/init.d/bind9 restart

Network Time Protocol Ubuntu

Time Synchronisation with NTP


This page describes methods for keeping your computer's time accurate. This is useful for servers, but is not necessary (or desirable) for desktop machines.

NTP is a TCP/IP protocol for synchronising time over a network. Basically a client requests the current time from a server, and uses it to set its own clock.

Behind this simple description, there is a lot of complexity - there are tiers of NTP servers, with the tier one NTP servers connected to atomic clocks (often via GPS), and tier two and three servers spreading the load of actually handling requests across the Internet. Also the client software is a lot more complex than you might think - it has to factor out communication delays, and adjust the time in a way that does not upset all the other processes that run on the server. But luckily all that complexity is hidden from you!

Ubuntu has two ways of automatically setting your time: ntpdate and ntpd.

ntpdate

Ubuntu comes with ntpdate as standard, and will run it once at boot time to set up your time according to Ubuntu's NTP server. However, a server's clock is likely to drift considerably between reboots, so it makes sense to correct the time occasionally. The easiest way to do this is to get cron to run ntpdate every day. With your favourite editor, as root, create a file /etc/cron.daily/ntpdate containing:

ntpdate ntp.ubuntu.com

The file /etc/cron.daily/ntpdate must also be executable.

sudo chmod 755 /etc/cron.daily/ntpdate

ntpd

ntpdate is a bit of a blunt instrument - it can only adjust the time once a day, in one big correction. The ntp daemon ntpd is far more subtle. It calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance. The cost is a little processing power and memory, but for a modern server this is negligible.

To set up ntpd:

sudo apt-get install ntp

Changing Time Servers

In both cases above, your system will use Ubuntu's NTP server at ntp.ubuntu.com by default. This is OK, but you might want to use several servers to increase accuracy and resilience, and you may want to use time servers that are geographically closer to you. To do this for ntpdate, change the contents of /etc/cron.daily/ntpdate to:

ntpdate ntp.ubuntu.com pool.ntp.org

And for ntpd edit /etc/ntp.conf to include additional server lines:

server ntp.ubuntu.com
server pool.ntp.org

You may notice pool.ntp.org in the examples above. This is a really good idea which uses round-robin DNS to return an NTP server from a pool, spreading the load between several different servers. Even better, they have pools for different regions; for instance, if you are in New Zealand you could use nz.pool.ntp.org instead of pool.ntp.org. Look at http://www.pool.ntp.org/ for more details.

You can also Google for NTP servers in your region, and add these to your configuration. To test that a server works, just type sudo ntpdate ntp.server.name and see what happens.

Troubleshooting Wireless Network Ubuntu

Wireless Network troubleshooting Ubuntu


While not exhaustive, this section covers some common problems faced with wireless support.

There is much more information available from the Community Documentation.

[Note]

This troubleshooting guide is designed to be carried out in order. If you reach the end of a section and are not directed to another, try the section called “Wireless”, and should that fail, begin at the start again.

Check that the device is on

  1. Many wireless network devices can be turned on or off. Check to see if there is a hardware switch; some devices can be switched off from Windows and may need to be turned back on from Windows.

  2. If it is turned on then see the section called “Check for device recognition”.

Check for device recognition

  1. Open a Terminal (Applications → Accessories → Terminal) and type the command: sudo lshw -C network

You should see output that includes one of the words "CLAIMED", "UNCLAIMED", "ENABLED" or "DISABLED":

  1. Claimed - this indicates a driver is loaded but not functioning, see the section called “Using Windows Wireless Drivers”

  2. Unclaimed - there is no driver loaded, see the section called “Using Windows Wireless Drivers”.

  3. Enabled - there is a driver loaded, see the section called “Check for a connection to the router”.

  4. Disabled - see the section called “Check that the device is on”.

Using Windows Wireless Drivers

Ubuntu supports a system known as NDISWrapper. This allows you to use a Windows wireless device driver under Ubuntu.

  1. Obtain the Windows Driver for your system and locate the file that ends with .inf.

  2. Install the ndisgtk package.

  3. Open ndisgtk (System → Administration → Windows Wireless Drivers).

  4. Select Install new driver.

  5. Choose the location of your Windows .inf file and click Install.

  6. Click OK.

Check for a connection to the router

  1. Open a Terminal (Applications → Accessories → Terminal) and type the command: iwconfig.

  2. If the ESSID for your router is shown, there may be a problem with ACPI support. Boot the kernel with the pci=noacpi option.

Check IP assignment

  1. Open a Terminal (Applications → Accessories → Terminal) and type the command: ifconfig.

  2. If there is an IP address shown see the section called “Check DNS”.

  3. From the Terminal enter the command: sudo dhclient if_name where if_name is the connection listed earlier.

  4. If you receive a message that says bound to xxx.xxx.xxx.xxx then see the section called “Check DNS”

  5. If not then reboot the system.

Check DNS

  1. Open a Terminal (Applications → Accessories → Terminal) and type the command: ping -c3 85.190.27.2.

  2. Now type the command: ping www.ubuntu.com. If you get a response from both, see the section called “IPv6 Not Supported”.

  3. Type the command: cat /etc/resolv.conf. If there is no nameserver listed then contact your ISP and find out your primary and secondary domain name servers. Once you have this information see the section called “Wireless”.

IPv6 Not Supported

  1. IPv6 is supported by default in Ubuntu and can sometimes cause problems.

  2. To disable it, open a Terminal (Applications → Accessories → Terminal) and type the command: gksudo gedit /etc/modprobe.d/aliases.

  3. Find the line alias net-pf-10 ipv6 and change it to read alias net-pf-10 off.

  4. Reboot Ubuntu.

Troubleshooting Wired ethernet Ubuntu

Wired Network troubleshooting Ubuntu


If you have a network connection which is not working properly, you can use a few tools to help diagnose what the problem is.

Most of the tools in this section require use of the Terminal, which you can open by choosing Applications → Accessories → Terminal.

Get information about the current connection

ifconfig is intended to allow you to change the settings of your network connections, but it can also be used to list information about the current connection.

  1. Choose Applications → Accessories → Terminal to open a Terminal

  2. Type ifconfig eth1 in the Terminal and press Enter, replacing eth1 with the name of your network interface if it is different.

    • inet addr gives the current IP address of the connection

    • HWaddr gives the MAC address of your network device

Check if a connection is working properly

A good way of checking if a connection is working properly is to ping another computer on the network or the Internet.

To check if you are connected to the Internet:

  1. Choose System → Administration → Network Tools

  2. Select the Ping tab

  3. Type ubuntu.com into the Network address box and then press Ping

  4. After a while, a graph should appear. Look at the number for Successful packets under Transmission Statistics

    • 100% successful packets - Your computer should have a good connection to the Internet

    • Less than 100% successful - Your computer probably has a poor connection to the Internet or a poor wireless signal

    • 0% successful packets - Your computer has a very bad connection, or is connected to an access point or router which is not connected to the Internet

If you get an error message which says The address 'ubuntu.com' cannot be found, then your computer is probably not connected to the Internet or cannot reach a DNS server.

ESXi hosts experience intermittent lockups after upgrading to ESXi 3.5 Update 4



Symptoms

  • Prior to upgrading to Update 4, no lockups were experienced
  • Direct Console User Interface (DCUI) locks up after entering the username and password
  • ESXi Server is pingable, however connections using SSH or VI Client fail
  • Running the vm-support command from Tech Support mode fails
  • Some or all of the running virtual machines may lose connectivity to the network

Resolution

This problem is related to updated components within the CIM agent (sfcbd) that are installed on the system. The CIM agent allows ESX to monitor the hardware status of the physical server and provide this hardware status information back to the administrator either through vCenter Hardware status or Health Status views. If this service is disabled or otherwise not available, no updated hardware status information is received until it is available again.
To verify whether this behavior is the cause of the problem and to work around it temporarily:
  1. Log in to vCenter as an Administrator and choose the ESXi host from the Inventory

    Note: These steps can be performed directly connected to the ESXi host as well

  2. Click the Configuration tab.
  3. Click the Advanced Settings link.
  4. Navigate to the Misc Category
  5. Find the Misc.CimEnabled parameter from the list and change the value to 0.

    Note: The default value of Misc.CimEnabled is 1.

  6. Click OK.
  7. Restart the ESX host for the change to take effect.

Once these steps are complete, the lockups described in this article should no longer occur. This change is persistent across reboots.

VMware is aware of this problem and currently working on building a patch to resolve this behavior. This knowledge base article will be updated when a fix is available at which time CIM can be enabled again.

AppSpeed setup fails with a connection timeout



Symptoms

You may experience these symptoms:
  • Setup of AppSpeed fails
  • You receive the following error:

    Connection timed out. Verify the vCenter address and try again.

Resolution

This error occurs when the vCenter Server IP address is entered incorrectly during setup.
To ensure setup completes successfully after receiving this error:
  1. Verify the accuracy of the vCenter Server IP address.
  2. Run the AppSpeed setup again and enter the correct IP address.

ESX host may become unresponsive with the error: BMC returned incorrect response, expected netfn 7 , got netfn 7



Symptoms

  • You see the following error on the console or in /var/log/messages:

    BMC returned incorrect response, expected netfn 7 , got netfn 7

  • ESX host may become unresponsive

Resolution

This issue may occur if the BMC controller requires a firmware update. Many vendors provide firmware for their BMC controllers separately from the system BIOS/firmware upgrades. To resolve this issue, apply the BMC-specific firmware updates. These updates stop the messages from being written to the log and prevent the server from reaching the point where a lockup occurs.
If applying the firmware updates does not resolve the issue, verify that the appropriate versions of the third-party management agents are installed. If the correct versions are installed, briefly disable them as a diagnostic step. If this does not resolve the issue, engage your hardware vendor to determine whether there is an issue with the BMC controller itself.

Host Power Management Causes Problems with Guest Timekeeping (Windows Hosts)




Details

  • The host is a computer running Windows that has power management features in the hardware that vary the processor's operating speed.
  • When the host processor speed increases, the guest operating system's real-time clock (RTC) runs too fast.

Solution

This problem can occur on some host computers that use Intel SpeedStep, AMD Cool 'n' Quiet, or other similar power-saving technologies that vary the processor speed.

Workaround

You must specify the correct maximum CPU speed of the physical hardware in the global configuration file (config.ini).
To specify the correct maximum CPU speed:
  1. Find the maximum speed of the host computer's CPU. To do this, open Control Panel > System. Note the speed rating of the processor (CPU) written in the model designation text. This may be higher than the current operating speed of the processor noted here. This value can often also be obtained from the computer's BIOS diagnostic screen when starting the computer.

  2. Find the config.ini file:

    • Windows 2000 / XP - %AllUsersProfile%\Application Data\VMware\\config.ini

    • Windows Vista - C:\ProgramData\VMware\

    Note: This file is normally created when the VMware product is installed. However, if the file does not exist, create a new text file in the appropriate location as described above, then add the required lines to form a valid config.ini file.

  3. Edit config.ini, and add the following lines. Modify the cpukHz value according to the value of the physical computer's maximum CPU speed from step 1. Also add the second and third lines. This enables a mechanism that keeps the guest's clock accurate even when the time stamp counter (TSC) is slow.

    host.cpukHz = "1700000"

    host.noTSC = "TRUE"

    ptsc.noTSC = "TRUE"

    The example above is for a computer that has a maximum CPU speed of 1700 MHz (or 1.7 GHz). The value entered on this line must be in kHz. To convert the speed from MHz, multiply by 1000. To convert from GHz, multiply by 1 000 000.

  4. Restart the VMware Authorization service for the changes to take effect.

    Click Start > Control Panel > Administrative Tools > Services. Right-click VMware Authorization Service and click Restart.

  5. In addition, verify that VMware Tools in the guest operating system is set to enable time synchronization.

    1. Open the VMware Tools toolbox application by double-clicking the VMware icon in the system notification area (tray).

    2. Click Options, select Time synchronization between the virtual machine and the host operating system.