Tuesday, March 1, 2016

DROWN - Decrypting RSA using Obsolete and Weakened eNcryption

Background Information

A group of security researchers discovered that SSLv2 (Secure Sockets Layer protocol version 2.0) is vulnerable to the Bleichenbacher RSA padding oracle attack, which can be used to decrypt RSA cipher text without the knowledge of the matching private RSA key. This can be done by observing responses from a server that has the private key and performs the decryption of attacker-provided cipher texts using that key. The researchers also demonstrated a new cross-protocol attack which allows decryption of SSL/TLS sessions using newer protocol versions - SSLv3 or any current TLS (Transport Layer Security) version (1.0 - 1.2) - using this SSLv2 weakness. This flaw is a SSLv2 protocol issue and affects all implementations of the protocol. Researchers refer to this attack as general DROWN.
Additionally, flaws were found in the SSLv2 protocol implementation in the OpenSSL cryptography and SSL/TLS library, which make it possible to perform a more efficient variant of the DROWN attack, referred to as special DROWN. These issues were assigned CVE-2016-0703 and CVE-2016-0704 , and were already recently corrected as part of the fix for CVE-2015-0293 .
Further details of this attack can be found in the researchers' paper titled DROWN: Breaking TLS using SSLv2 at https://drownattack.com/

Impact to systems

A server is vulnerable to the DROWN attack if it enables SSLv2 protocol in addition to SSLv3 or TLSv1.x, and if it uses RSA key exchange cipher suites. Server that does not enable SSLv2 can also be vulnerable if it does not enable SSLv2, but shares its private RSA key with another server. For example, DROWN attack can still be used to decrypt HTTPS sessions to a web server that does not enable SSLv2 if it shares its RSA key with e.g. IMAP server, possibly running on the same host, that does enable SSLv2. Use of weak or export SSLv2 ciphers is required to efficiently perform the attack.
SSL/TLS connections using non-RSA key exchange, such as Diffie-Hellman or Elliptic Curve Diffie-Hellman, can not be decrypted using the DROWN attack. 

Wednesday, September 2, 2015

How to enable User and Group Disk Quota on CentOS 7 & RHEL 7

As a Linux system admin we generally face low disk space issues. By implementing the user and group disk quota on the file system we can resolve the space issue.
Quota restricts the users to use only allowed disk and inodes on the particular file system. In this post we will discuss how to enable user & group disk quota on /home File system on CentOS 7 & RHEL 7

Step:1 Add usrquota & grpquota option on /home in /etc/fstab file.

[root@linuxtechi ~]# vi /etc/fstab

Save & exit the file.
In this example I have add user and group quota options on /home

Tuesday, September 1, 2015

Configure NIC(Network Interface Card) bonding in CentOS 7 / RHEL 7

NIC(Network Interface Card) bonding is also known as Network bonding. It can be defined as the aggregation or combination of multiple NIC  into a single bond interface. It’s main purpose is to provide high availability and redundancy.
In this article we will learn how to configure nic or netwok bonding in CentOS 7 & RHEL 7. In my case I have two interface cards (enp0s3 & enp0s8) and will form a bond interface (bond0).


If bonding module is not loaded on your linux box then use the below command to load.
If bonding module is not loaded on your linux box then use the below command to load.
[root@openstack ~]# modprobe bonding
To list the bonding module info, use following command.
[root@openstack ~]# modinfo bonding
Output will be something like below

Thursday, February 5, 2015

Installing oVirt 3.5 on CentOS 7 (Hosted Engine)

I have had many people come to my blog looking how to install oVirt 3.5 software on the new CentOS 7. Much of this content is the same as my 3.4 post, but I thought I would keep it separate. Below are simple step by step instructions for installing the node and getting it configured for the hosted engine.

Installation Requirements

Please Note: Installing Hosted Engine on CentOS 7 requires oVirt 3.5.1
Please Note: Both the node and engine will be running CentOS 7 (Minimal Installation)
Please Note: Ensure the host is fully updated via “yum update” and rebooted before proceeding


Ensure you have set up hostnames for the host and engine. If you do not have a DNS server configured and you are only testing oVirt on a single server, you can use /etc/hosts instead. I have the following:
Engine: Hostname: engine.xrsa.net, IP Address:
Hostname: ovirt01.xrsa.net, IP Address:
Ensure you have set up NFS mount points for the engine and virtual machines. If you do not have a shared NFS server and you are only testing oVirt, you can configure NFS locally on the host instead.

Saturday, January 31, 2015

The GHOST vulnerability - what you need to know

The funkily-named bug of the week is GHOST.
Its official moniker is the less catchy CVE-2015-0235, and it's a vulnerability caused by a buffer overflow in a system library that is used in many, if not most, Linux distributions.
A buffer overflow is where you assume, for example, that when you handle a four-byte network number written out as decimal digits, you will never get anything longer than 255.​255.​255.​255.
That takes up 15 characters, so you may decide that you'll never need more than 15 bytes of memory.
So, if you add a spare byte for luck and allocate 16 bytes, you're bound to have enough space.
And then, one day, a malicious user decides to see what happens if he ignores the rules, and uses a network number like, say, 1024.​10224.​102224.​1022224.
That network number is nonsense, of course, but your program might not hold out long enough to reject it.
Your code will probably crash right away, because the attacker's 25 bytes will overflow your 16 bytes of available memory.

GHOST explained

As it happens, the GHOST vulnerability is connected with network names and numbers.
The spooky name comes from the system functions where the vulnerable code was found.
The functions are called gethostby­name() and gethostby­name2(), and they do what the names suggest.

RHEL7: Access a virtual machine’s console.

Standard procedure

With KVM, to access the virtual machine’s console under X Window, type:

# virt-manager

If you aren’t under X Window, there is another way to access a virtual machine’s console: you can go through a serial console.
On the virtual machine, add ‘console=ttyS0‘ at the end of the kernel lines in the /boot/grub2/grub.cfg file:

# grubby --update-kernel=ALL --args="console=ttyS0"

Now, reboot the virtual machine:
# reboot

With KVM, connect to the virtual machine’s console (here vm.example.com):
# virsh console vm.example.com 

Monday, December 29, 2014

CentOS 7: The perfect gift for the Linux do-it-yourselfer

linux enterprise

 Although differentiation is tough in Linux distributions today, CentOS 7 has carved out a niche as the free and open alter ego to Red Hat Enterprise Linux (RHEL). We found that CentOS, which is mandated to be binary-compatible with Red Hat 7, shares about 95% of the features of its commercial enterprise-class sibling.  
There’s no IBM System z port, and special variants for cloud and virtualization are more limited than with Red Hat 7. But for many common and generic applications, it’s a drop-in replacement.
The primary differences for most IT admins, systems people, and engineers/developers will be a (purchased) relationship with Red Hat and Red Hat’s army of supported applications, working partnership projects and management skills.
CentOS 7 is perhaps most aptly put as the DIY twin of RHEL7—who lives in the distro ghetto across the railroad tracks.
Still, in testing different deployment payloads, and also where we chose GUIs, the look and feel between Red Hat Enterprise Linux and CentOS 7 instances were essentially the same. And the same mistakes made to either usually cause the same explosions.
You might or might not find the fix faster in a Red Hat resource. The Centos.org website doesn't have Red Hat’s polish, and has many odd links to nowhere or nothing—not 404s, rather, unfinished projects. The CentOS site seemed comparatively untended to us.