Securing Ajax and Web Services

It is undeniable that Web services and AJAX-ified interfaces are the trend now. Application that utilizes internet to retrieve data (such as mobile application or other thin client) uses web services alongside with its data format. AJAX-ified interface and website gives a modern and edgy look can make websites more attractive and can create great impression to the users.

However the issue of the web application security would still remain the same, if not more challenging, since there are so many ways to exploit the vulnerability of websites that utilizes Web Services and AJAX transfers on the background.

Therefore, it is imperative to use the right technique in order to evaluate the security of these services before deploying them out in the open.

For that matter, now I’m currently reading Ajax Security (Hoffman,B. & Sullivan, B.) and Securing Ajax applications (Wells, C.) which in my opinion is a pretty good start for somebody like me to understand common methods for securing web services and websites which uses AJAX heavily.

Hopefully the situation would improved as there are a lot of campaigns around to raise the state of awareness of web application security.

Iptables rule to safeguard SSH server from crackers

Secured Shell or SSH is a service to enable users to access remote system securely. However, SSH servers depending on password-based authentication might be vulnerable to dictionary-based (or brute-force) attacks by crackers.

Luckily iptables can be used with ‘–limit-burst‘ and ‘–limit’ option to reduce the number of attempts and connection that a cracking tool can make in a period of time.

For example, in order to limit an IP address to making only 5 connections per minute in burst of 2 connections, you can use this iptables rules:

iptables -A INPUT -p tcp --dport ssh -m limit --limit 5/minute --limit-burst 2 -j ACCEPT

This will result in the iptables will only allow up to 5 connections per minute with 2 maximum initial number of connections, which will make any brute-force or dictionary-based attack uneconomical/unfeasible for the server.

Read more about iptables –limit and –limit-burst in Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks

ssh-vulkey : How to test weak SSH keys on your server

This might be stale news by most security alert people, but I felt compelled to write this post nevertheless. Byy this time most security alert people have realised that a serious security vulnerability has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems, and there are a lot of sites have published information about it. [1] [2] [3] [4] [5].

This vulnerability caused OpenSSL to generate “common” and predictable keys, which is easily crackable by using brute-force algorithm. In the extreme case, some of the keys are successfully cracked in 2 hours time. Longer keys 8192-bit RSA keyset might take as short as 129 days to generate as opposed to hundred of years if the keys were generated securely.

Which Ubuntu Linux system are affected ?
As Ubuntu linux operating system is based on Debian, it inherited Debian vulnerability problem. Users who has generated keys under (before updating to the new OpenSSL package via automatic updates, which is before May 13 2008) — Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 LTS are all affected by this vulnerability

Other system which uses the keys generated by Debian and the above mentioned Ubuntu system is also affected as the keys might allow malicious 3rd party user to abuse the system. SSH login which uses these keys will not be considered secure anymore, and are advised to update their SSH keys immediately.

How to check against weak SSH keys ?
A system is as strong as its security measures (in this case, the key) to protect it. By using ssh-vulkey as detailed in Ubuntu Security Notice 612-2, you can detect weak keys in your system, and updates them accordingly.

Run “sudo ssh-vulnkey -a” command to check against weak keys :

ssh-vulnkey -a

ssh-vulnkey -a
Not blacklisted: 2048 fa:2e:1d:a6:84:64:a1:80:c4:31:68:5a:b0:1a:cb:fe /etc/ssh/ssh_host_rsa_key.pub
Not blacklisted: 1024 f4:34:04:85:58:a0:6b:0a:a1:b9:2d:3b:e6:19:5a:76 /etc/ssh/ssh_host_dsa_key.pub
COMPROMISED: 2048 5c:10:8a:c0:55:8c:1f:d9:4b:05:f0:35:0a:0d:2f:5c /home/someuser/.ssh/authorized_keys
Not blacklisted: 2048 a7:b4:3e:41:18:cb:f7:68:5e:4f:ae:30:14:d2:17:fd /home/someuser/.ssh/authorized_keys

More information about OpenSSL in Debian / Ubuntu security vulnerability :