Something New

opie keys: One-time Passwords In Everything

Daniel — Thu, 04 Mar 2010 17:25:58 +0000

OPIE is the initialism of "One time Passwords In Everything". Opie is a mature, Unix-like login and password package installed on the server and the client which makes untrusted networks safer against password-sniffing packet-analysis software like dSniff and safe against Shoulder surfing. It works by circumventing the delayed attack method because the same password is never used twice after installing Opie. OPIE implements a one-time password (OTP) scheme based on S/key, which will require a secret passphrase (not echoed) to generate a password for the current session, or a list of passwords you can print and carry on your person.

OPIE uses an MD4 or MD5 hash function to generate passwords.

OPIE can restrict its logins based on IP address. It uses its own passwd and login modules.

Sources:

http://en.wikipedia.org/wiki/OPIE_Authentication_System

http://www.freebsd.org/doc/handbook/one-time-passwords.html

ipsec: Authentication Header (AH) and Encapsulating Security Payload (ESP)

Daniel — Tue, 02 Feb 2010 23:49:20 +0000

The IPsec suite is a framework of open standards. IPsec uses the following protocols to perform various functions:

Internet key exchange (IKE and IKEv2) to set up a security association (SA) by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used by IPsec.

Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replay attacks.

Encapsulating Security Payload (ESP) to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.

The IPSec headers (AH and ESP) can be used in transport mode or tunnel mode. In transport mode, the original IP header is followed by the AH or ESP header. If ESP is used in transport mode, only the upper-layer (e.g., TCP, UDP, IGMP) is encrypted. The IP header is not encrypted.

Additional Reading:

http://www.networksorcery.com/enp/protocol/esp.htm

http://www.networksorcery.com/enp/protocol/ah.htm

http://docs.hp.com/en/J4255-90011/ch04s03.html

http://en.wikipedia.org/wiki/IPsec

Virtual Private Dialup Network (VPDN)

Daniel — Fri, 22 Jan 2010 20:43:05 +0000

A VPDN is a network that extends remote access to a private network using a shared infrastructure. VPDNs use Layer 2 tunnel technologies (L2F, L2TP, and PPTP) to extend the Layer 2 and higher parts of the network connection from a remote user across an ISP network to a private network. VPDNs are a cost effective method of establishing a long distance, point-to-point connection between remote dial users and a private network.

Reading:

http://www.cisco.com/en/US/tech/tk801/tk703/tsd_technology_support_protocol_home.html

Cisco VPDN Configuration Examples and TechNotes

l2tp: layer 2 tunneling protocol

Daniel — Tue, 29 Dec 2009 18:15:05 +0000

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.[1]

Although L2TP acts like a Data Link Layer protocol in the OSI model, L2TP is in fact a Session Layer protocol,[2] and uses the registered UDP port 1701. (see List of TCP and UDP port numbers).

(shamelessly copied from wikipedia)

Additional Reading:

http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/l2tpT.html

http://www.cisco.com/en/US/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml

http://www.iana.org/assignments/l2tp-parameters

protocol overhead

Daniel — Fri, 18 Dec 2009 20:47:52 +0000

Additional Reading:

http://sd.wareonearth.com/~phil/net/overhead/

http://en.wikipedia.org/wiki/Protocol_overhead

Iptables : Remove an entry

Daniel — Tue, 17 Nov 2009 18:30:24 +0000

Sorry it's been a while.

You can either delete by number or by recreating the rule. "iptables -D
INPUT 3" will remove the 3rd (counting from 1) rule. Or "iptables -D
INPUT -s 65.75.152.40 -j DROP" will remove the corresponding entry
independent of location. The rules must match exactly though or you'll
get a "Bad rule" error.

http://www.plug.org/pipermail/plug/2004-November/010606.html
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-iptables-options.html
http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html

xargs and find

Daniel — Mon, 16 Nov 2009 19:16:11 +0000

xargs is a command on Unix and most Unix-like operating systems. It is useful when one wants to pass a large number of arguments to a command. Until Linux kernel 2.6.23, arbitrarily long lists of parameters could not be passed to a command ^[1], so xargs will break the list of arguments into sublists small enough to be acceptable.

Additional Reading:

http://en.wikipedia.org/wiki/Xargs

http://www.softpanorama.org/Tools/xargs.shtml

http://www.linuxplanet.com/linuxplanet/tutorials/6522/1/

tail -f multiple files

Daniel — Tue, 03 Nov 2009 18:58:47 +0000

Pass more than one filename to tail -f and it will follow each file and let you know when one changes.

daniel@mycomputer:~$ tail -f /var/log/dmesg /var/log/kern.log
==> /var/log/dmesg <==
[   14.951256] type=1505 audit(1256945274.318:9): operation="profile_load" name="/usr/sbin/tcpdump" name2="default" pid=2001
[   16.052417] e1000e 0000:00:19.0: irq 2300 for MSI/MSI-X
[   16.108300] e1000e 0000:00:19.0: irq 2300 for MSI/MSI-X
[   16.108533] ADDRCONF(NETDEV_UP): eth0: link is not ready
[   17.572692] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[   17.572694] Bluetooth: BNEP filters: protocol multicast
[   17.578508] Bridge firewalling registered
[   18.272754] 0000:00:19.0: eth0: Link is Up 100 Mbps Full Duplex, Flow Control: None
[   18.272757] 0000:00:19.0: eth0: 10/100 speed: disabling TSO
[   18.272906] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

==> /var/log/kern.log <==
Nov 2 09:39:21 mycomputer kernel: [231116.479553] [drm] Resetting GPU
Nov 2 09:39:21 mycomputer kernel: [231116.479608] [drm] writeback test succeeded in 1 usecs
Nov 2 09:39:25 mycomputer kernel: [231120.406627] CPU0 attaching NULL sched-domain.
Nov 2 09:39:25 mycomputer kernel: [231120.406630] CPU1 attaching NULL sched-domain.
Nov 2 09:39:25 mycomputer kernel: [231120.407377] CPU0 attaching sched-domain:

Bash Numeric Comparison

Daniel — Mon, 02 Nov 2009 19:40:37 +0000

Do not use > or < when comparing numbers in BASH. It doesn't work. It tries to redirect output instead of performing the comparison. Use -lt or -gt instead.

Additional Reading:

http://fvue.nl/wiki/Bash:_Numeric_comparison

http://tldp.org/LDP/abs/html/

policy based routing

Daniel — Sun, 01 Nov 2009 19:46:56 +0000

When a router receives a packet it normally decides where to forward it based on the destination address in the packet, which is then used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria. For example, a network administrator might want to forward a packet based on the source address, not the destination address.

Additional Reading:

http://en.wikipedia.org/wiki/Policy-based_routing

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml

http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html