Cisco passwords recognise trailing white spaces

We got bitten by a curious side effect of a feature of Cisco IOS recently which I felt was worth sharing. According to the Cisco Secure Router website, when enabling passwords (and secret passwords) on Cisco equipment:

Leading spaces are ignored but trailing spaces are recognized

What was interesting to me was the latter part about trailing white spaces. It may or may not be a well known fact but it was certainly not known to us. Now, take the following Cisco IOS command:

# enable secret NewPass9 ?

The inclusion of the question mark above allows you to take a look at any remaining parameters for the command you are entering, and it is very common to do this when you are new to Cisco systems. Now, consider that there are in fact no additional parameters for the enable secret command, so you go ahead and recall the above command, delete the question mark (i.e. press the backspace key once) and press Enter to commit the new password.

# enable secret NewPass9

Without realising it, you have now actually included a single space character in at the end of your password. Be careful out there!

Securing MySQL databases (the short way)

If you have ever installed of MySQL on a *nix system, you may have come across the mysql_secure_installation script. It takes you through a number of interactive questions/steps that help you to increase the security of your MySQL installation, and is quite a useful script.

As we have a high deree of automation in our server environment, we decided to break this script down to its raw MySQL command, and in a nut shell, here is what it actually does behind the scenes (assuming you want to answer Yes to all of the questions it asks in interactive mode):

UPDATE mysql.user SET Password=PASSWORD('XXXX') WHERE User='root';
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';

Naturally, you should replace the XXXX in the first command with an appropriate password.

MySQL Grants List Revealed

A colleague of mine just sent me this hugely useful MySQL command for seeing which users have privileges in a database, and from which host. It prints a list of other MySQL commands which can then be used to show more precisely what privileges that user has been granted.

SELECT DISTINCT CONCAT('SHOW GRANTS FOR ''',user,'''@''',host,''';') AS query FROM mysql.user;

Prior to this, I found myself having to connect to the database from the appropriate (remote) MySQL client and issue a SHOW GRANTS from there.

Thanks to Mate Racz for this one.

Solaris ipfilter broken by Patch 125503-02

We recently installed a number of patches onto a T1000 server running Solaris 10 U3, only to discover that the ipfilter service was broken thereafter. The service itself appeared to be configured correctly with no visible signs of error but we discovered that many ports that we had configured to be blocked from certain sources were not.

After some careful analysis of the patches applied, we discovered that Patch 125503-02 had replaced a number of the files associated with the SUNWipfilter package, resulting in the main network interface for our system no longer being plumbed for use with the pfil driver.

Here is how we recovered from this situation:

1. Back out the patch and reboot

# smpatch remove –i 125503-02
# reboot

2. Replumb the appropriate network interface

# ifconfig bge0 modinsert pfil@2
# autopush -f /etc/ipf/pfil.ap
# ifconfig bge0 unplumb
# ifconfig bge0 plumb

Note: Replace bge0 with e1000g0 for a T2000 and ensure your pfil.ap has the correct entry in it.

Thanks to for assistance.

Schneier on Security of Faxes

I came across another interesting article by Bruce Schneier today on the security of faxed signatures. What fascinated me about even more about this was actually another story entirely, one where in 2004, a man managed to be freed from prison based on a bogus fax sent from a local McDonalds restaurant:

On October 30, 2004, Tristian Wilson was released from a Memphis jail on the authority of a forged fax message. It wasn’t even a particularly good forgery. It wasn’t on the standard letterhead of the West Memphis Police Department. The name of the policeman who signed the fax was misspelled. And the time stamp on the top of the fax clearly showed that it was sent from a local McDonald’s!

As Schneier explains, it was not the use of fax that lead to this fiasco but rather the poor verification processes used by the jail, and plain old human error. Sadly, I fear this is  not the only example of such terrible carelessness in modern society.

Source: SlashDot

Q&A Session with Bruce Schneier

For those of you who that have not heard of Bruce Schneier, he is an world renowned cryptographer and computer security specialist and has authored loads of books on these subjects.

This recent Questions & Answers Session with Freakonomics makes for fascinating reading, even to the most basic of computer users. All of the questions were created by subscribers to the Freakonomics Blog over the course of the previous week.

Source: SlashDot

Locking down your Solaris system

In preparation for a forthcoming public trial of a new web service powered by Solaris, we recently spent some time investigating some different ways to lock down the system down. Here is an overview of our findings.

Solaris Installation

If you have the option of (re)installing Solaris, then take it. And in doing so, be sure to choose the Solaris Core installation cluster (SUNWCreq) as this is the most secure (mainly due to reduced number of packages that it includes). Of course this cluster will almost certainly not provide you with everything that you need (and you will have to manually install several packages thereafter) but it is generally worth while as you will know exactly what is and is not installed on your system.

Useful Tools and Utilities

I found the following utilities very useful:

  • netstat
  • nmap
  • lsof

The first is natively available on Solaris and the other two can be downloaded from the website. The combination of these utilities make it very to diagnose which ports are open (by which process) on a system. Refer to some of the articles below to see some good ways in which you can do this.

Solaris Security Toolkit

If you want to, you can manually lock down your system using the netstat, svcs and svcadm commands but you really need to know what you are doing. However, there is a far simpler way to do this and that is to use the Solaris Security Toolkit (SUNWjass). This is a very powerful (and extremely well documented) utility that is pretty easy to use, to very good effect. It is also free.

All you need to do is run one simple command (there are 16 variations to choose from depending on paranoid you are) and the SST will do the rest – disabling all the appropriate services, setting file permissions, creating hosts.allow and hosts.deny files and even invalidating non-root user passwords in certain cases. So be sure that you have console access to your system before you run it.

You can even run it again in analyse mode to ensure that the system is still locked down the same degree as it was when you first ran it (although I have not tested this).

Useful Links
Here are some good postings on the Solaris Security Toolkit