Security spin preview, as syslog-ng 3.3.7 is part of the upcoming Fedora 18

Filed Under (contributor, design, fedora, security) by Zoltan on 16-11-2012


Article by Peter Czanik, from Fedora Community Hungary.

Source page: https://czanik.blogs.balabit.com/2012/11/security-spin-preview-as-syslog-ng-3-3-7-is-part-of-the-upcoming-fedora-18/

The beta of Fedora 18 was supposed to be released earlier… sadly it was postponed again by two weeks, but as there is some great news regarding Fedora and syslog-ng, I did not wait for the official release. Instead, I downloaded a nightly build to check it out. I did not research why the release was postponed, but personally I ran into only some minor cosmetic problems during installation.

As I tested in a virtual machine, the regular Fedora release was not really optimal for me, as it uses Gnome3 and needs 3D acceleration. As I don’t have 3D support, don’t like Gnome3 and I’m interested in security anyway, I downloaded the so-called “security spin”. This raises two questions for those not familiar with Fedora, for which I quote the security spin website:

What is a spin? “Fedora Spins are alternate version of Fedora, tailored for various types of users via hand-picked application sets and other customizations.”

What is the security spin? “The Fedora Security Lab provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies in universities and other organizations.”

Luckily for me, the security spin is equipped with LXDE, which is a lightweight desktop environment. It does not need 3D or many system resources, and it runs very fast. All of the tools are collected under the “Security Lab” menu, which is further divided by area of interest, ranging from code analysis to wireless network security. Some of these are graphical tools and many of them are console based, but even these are easily available from the menus, and a console window is started for them. Most of my favorite tools are available: nmap for port scanning, nwipe for securely wiping partitions, iptraf & co for looking at network traffic and many more.

The current look and feel of the security spin is quite boring: just a simple blue background with some stripes on it. But it will be changed in the next few weeks, as one of the guys from the Hungarian Fedora team (which invited me to FUDcon Paris) created some very nice new artwork. It will be worth trying the security spin just for this :)

Now back to the reason why I originally downloaded the Fedora installer: syslog-ng. The good news is that syslog-ng 3.3.7 is now part of the release. I installed it and gave it a quick try and everything worked as expected. A big thanks goes to JPO (José Pedro Oliveira) and Mrunge (Matthias Runge), who maintain the package inside Fedora!

This story might also become part of my FOSDEM presentation next February about upstream – downstream relations: syslog-ng 3.3 used a forked version of the ivykis library instead of upstream. The syslog-ng package could not be updated to 3.3.X in Fedora until this problem was resolved and upstream ivykis worked instead of the bundled forked version. This needed a lot of work both on the syslog-ng and the ivykis side, but version 3.3.6 solved this problem and 3.3.7 entered Fedora last week.

If you want to see why to upgrade to this latest version, see the announcement blog at http://bazsi.blogs.balabit.com/2011/10/syslog-ng-3-3-1-released/

Looking forward to the next Fedora release – in my opinion it will be awesome.

Use it anyway? Hell, No!

Filed Under (fedora, security) by Zoltan on 09-01-2012


As I help search for new applications for our Security spin, I can’t resist always learning something new about security: what a rainbow table is, password hashes, or how you can test your user database, that is, make a security audit; how things work, and so on. As I get deeper and deeper into the topic, I feel that I should learn new ways to keep my freedom and independence secure and to prevent the loss of my personal data. If we put more and more of our (private) life / files / data online, who will ensure that it won’t be used or reused from storage, from clouds, by a 3rd party? Trust or not trust? Good question, right? But at least our data / partition encryption or our passwords must be enough to keep our data in a safer place. Or both together. Time has passed, and we are no longer back in the ’80s: almost all of us have one or more multi-core electronic devices that are already connected to a network and, guess what, have their own operating system that is capable of doing the same as our desktop machine. Not to mention that if one machine is not enough, and the attacker is connected… no password can stand in its way for long. That’s why it’s recommended to turn on encryption in many places… But how can we have a nice complex password that slows down the attacker?

In a hypothetically perfect world, we’d be able to remember infinite numbers of passwords, but the truth is that for most people this is not possible. Instead, I think the following can be followed:

  • Do not use passwords that are easy to guess, e.g. anything directly related to you, like your name or names of family/friends/pets/etc.; or date of birth; or favourite colour, band, etc.
  • Ideally, use a longish random string as your password, of at least 10 characters (but longer is better).
  • The same applies for password-recovery questions, which often ask for information that is in the public domain (e.g. mother’s maiden name, date of birth). Do not provide real answers! Instead just make something up, or use another random string if possible.
  • Do not re-use passwords across different websites, unless you truly do not care about what is on those sites, and what they can do in your name with that password.
  • Do not be afraid to write them down if you can store them securely. E.g. if your home is reasonably secure, it’s fine to store most passwords on paper there, if it’s just a limited number you need to store.
  • If you trust that a computer or device is sufficiently secure, it’s perfectly fine to store passwords on it, e.g. in a text-file. Also, many programmes support saving passwords and if you trust those programmes then it’s perfectly OK to use those features.
  • Consider using disk-encryption products like PGPDisk, TrueCrypt, LUKS or the other built-in capabilities of many Linux/Unix distributions (some of which offer this at install time) to protect your data with a master key. This is particularly recommended for laptops.
  • Any computer running MS Windows likely cannot be considered secure and should not be trusted with more sensitive information. Portable devices should not be considered secure unless their contents are known to be encrypted and they automatically lock themselves after a short period of inactivity (i.e. don’t trust your phone too much for storing sensitive data).

Yes – ideally, all your day-to-day passwords for your various online accounts should be unguessable, random strings; you’d never have to remember any of them; you would just, at certain times, have to enter a master pass-phrase (which should be unguessable, but still memorable and much longer than a password) without which the passwords would effectively not be accessible. But there can be trouble here too: if you go to the trouble of memorizing a highly-secure, random password, you’re going to *want* to recycle it. And so many web sites now ask you to create a user account and a password that it’s practically impossible to create strong passwords for the multitude of needs, so you can either create simple, easy-to-remember passwords that are easy to crack, or recycle.

It also doesn’t help that various sites are in conflict with each other as to what they allow. E.g., some sites require a letter, number, special character, and capital letter, while other sites *can’t accept* special characters, and others require you to start with a letter only, while others let you start with a number, while others require a minimum of X characters, while there are some that actually have a *maximum* number of characters! This is the sort of thing that leads to passwords like “qwerty”, “1212” and “xyzzy” and such…
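An added example, not part of the original post: one way to produce the “longish random string” recommended above for sites whose rules conflict, by drawing from the operating system's CSPRNG and rejecting candidates a given site would refuse. The site names, the policy fields and the `SPECIALS` set are hypothetical, constructed for illustration.

```python
import math
import secrets
import string

SPECIALS = "!#$%&*+-=?@^_"
# Hypothetical site rules, constructed to mirror the conflicts described above.
SITE_POLICIES = {
    "strict.example": dict(min_len=10, max_len=64, specials=True,
                           need_classes=True, letter_first=False),
    "legacy.example": dict(min_len=6, max_len=12, specials=False,
                           need_classes=False, letter_first=True),
}

def alphabet(policy):
    """Characters the site accepts."""
    base = string.ascii_letters + string.digits
    return base + SPECIALS if policy["specials"] else base

def conforms(pw, policy):
    """Check a candidate against the site's length and composition rules."""
    if not policy["min_len"] <= len(pw) <= policy["max_len"]:
        return False
    if set(pw) - set(alphabet(policy)):
        return False
    if policy["letter_first"] and pw[0] not in string.ascii_letters:
        return False
    if not policy["need_classes"]:
        return True
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if policy["specials"]:
        classes.append(SPECIALS)
    return all(any(c in cls for c in pw) for cls in classes)

def generate(policy, want_len=20):
    """Draw uniform strings from the OS CSPRNG and reject non-conforming ones,
    so every password the site allows at this length stays equally likely."""
    length = max(policy["min_len"], min(want_len, policy["max_len"]))
    chars = alphabet(policy)
    while True:
        pw = "".join(secrets.choice(chars) for _ in range(length))
        if conforms(pw, policy):
            return pw

def entropy_bits(policy, length):
    """Upper bound on entropy in bits: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet(policy)))

if __name__ == "__main__":
    for site, policy in SITE_POLICIES.items():
        pw = generate(policy)
        print(site, pw, f"<= {entropy_bits(policy, len(pw)):.0f} bits")
```

The maximum-length rule is what costs the most: the 12-character alphanumeric cap leaves at most about 71 bits, against about 125 bits for 20 characters on the site that accepts special characters.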

Even when I think of Fedora: when I install the system and it shows the message on the password page, “This password is exists in database. Use it anyway?”, it makes me think. Who composed this database, and what is its source? Moreover, if character-based security is so weak (has so many flaws), do we have a stronger, better solution? Is there any visual security feature or other method for anaconda? It is 2012: what can be the optimum solution?