Any way for FreeRADIUS to rotate secrets based on lifetimes? - freeradius

Even if it's not natively supported, I hope someone might have a novel way of implementing a time-based rotation for a FreeRADIUS secret. Or even better, similar to how certain networking devices do it, a receive-lifetime and a transmit-lifetime.
I can't find anything that seems to do what I'm looking for, hopefully someone has some idea or pointers?
Or maybe a different RADIUS implementation that supports it?
I've tried a basic mix of a wildcard and a specific IP, but it seems to go to the specific one each time. I thought maybe when the client rotates, it will fail at the wildcard and move to the more specific, but it just picks the more specific all the time, and then fails when the client rotates.
client all-clients {
    ipaddr = *
    secret = secret1
}
client devA {
    ipaddr = 1.1.1.1
    secret = secret2
}
Thanks :-)
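The receive-lifetime / transmit-lifetime behaviour the post asks for, modelled in Python on top of the RFC 2865 Response Authenticator check. This is an added illustration, not FreeRADIUS code: the key chain, its window boundaries and the packet bytes are constructed. Because a RADIUS client entry is selected by source address rather than by trying each secret, the fallback hoped for above never happens; overlapping windows have to live in the verification step, which is what the model does.

```python
import hashlib
import hmac

# Constructed key chain: each entry carries its own accept (receive) and send
# (transmit) window in epoch seconds, the way router key chains do. Accept
# windows overlap so a peer that has not rotated yet is still understood.
KEY_CHAIN = [
    {"secret": b"secret1", "accept": (0, 1500), "send": (0, 1000)},
    {"secret": b"secret2", "accept": (800, 10**9), "send": (1000, 10**9)},
]

def send_key(now):
    """Exactly one key may be in its send window at any instant."""
    keys = [k for k in KEY_CHAIN if k["send"][0] <= now < k["send"][1]]
    if len(keys) != 1:
        raise ValueError("key chain must have exactly one active send key")
    return keys[0]["secret"]

def accept_keys(now):
    """All keys whose accept window covers 'now', newest first."""
    return [k["secret"] for k in reversed(KEY_CHAIN)
            if k["accept"][0] <= now < k["accept"][1]]

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, now):
    """Server side: sign the reply with whichever key is in its send window."""
    secret = send_key(now)
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs

def verify_response(packet, request_auth, now):
    """Client side: accept the reply if it validates under any key whose
    accept window is open. Returns the secret that matched, or None."""
    code, ident, resp_auth, attrs = packet[0], packet[1], packet[4:20], packet[20:]
    for secret in accept_keys(now):
        expected = response_authenticator(code, ident, attrs, request_auth, secret)
        if hmac.compare_digest(expected, resp_auth):
            return secret
    return None
```

A reply signed with the old secret is still accepted during the overlap (t=1200 here) but rejected once that key's accept window closes (t=1600), which is the window a defender has to size against the peers' rotation schedule.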

Related

Is the Broker able to Block unwanted topic spammers?

I have a MQTT environment like this:
There is one (gray) sensor and one observer that are related by the topic room/temp; so far so good, the sensor can publish and the observer can get the info as it should.
The issue I have now is: I need to block, IN THE BROKER, a 2nd undesired client (the orange one) that comes and starts to publish into the same topic. As far as I know, MQTT is loosely coupled so the observer doesn't care who is pushing the temp values, but I find it a security flaw when someone hacks my environment and publishes nonsense, triggering my alarms...
Any suggestion?
I am using eMQTTd by the way, and according to this there is nothing in the etc/emqttd.config file I can do to avoid that...
Thanks!
I only have experience with Mosquitto but, from a quick read of the document linked, it looks like there are several ways you could achieve this.
I am unclear if you are talking about an incidental problem here, i.e. bad information is being accidentally sent, or if you are protecting against an active threat.
If you are concerned with incidental overwriting of a value, then the simple clientid solution on (pg. 38) would work.
But my impression is that it would still be transmitted in the clear and thus be of little use to you if you are facing an actual adversary (hacker etc.). If that is your concern, simply set up SSL and remove all non-SSL listeners. (See pg. 24). That should limit all traffic to an encrypted channel. Then, if you wish, add password / user authentication (pg. 38) to complete the security.
Alternatively, depending on your configuration, you could block unapproved IP addresses at the firewall level (i.e. block access to the port that your broker is listening on to all addresses except for the temperature sensor) or using eMQTTd's built-in ACL facility (pg. 25). That would be less secure than a full SSL setup but depending upon your needs it might be enough.

Does iOS store DNS and if so, how do I reset it after a server transfer?

Does iOS store DNS and if so, how do I reset it after a server transfer? I have an App that is released, and before I migrate my server to a different IP, I want to make sure I know if the people using my App will have any issues with the API calls in the App. Any knowledge would be appreciated. Thank you for your time!
I'm a DNS expert, but not so much for iOS. So this answer is how the DNS is intended to work. I can't say whether or not iOS got this right (but they have a better reputation for rightness than some others I won't mention).
In the DNS each RR (that's Resource Record, the basic unit in the DNS, your address [assuming you only have one] is in a single RR) has a TTL, which specifies how long it will be good for. In normal operation you set these to a fairly long time (at least a few hours, often several days). When things aren't changing, this says how long the DNS client should hold the data before querying again. When you're contemplating a change, you set the TTL down low (say a few minutes) in advance, and then you can make the change at the right time and since no hosts should hold on to the old data for longer than that lowered TTL, you know that everyone should have the new data within that time. The reason you use higher TTLs normally is to lower the demands on both your server and your (and everyone who connects to you) Internet connection.

How To SSH From IPhone App

So I have been looking everywhere, and so far I haven't been able to find anything that allows me to SSH from an iPhone app, and have finally resorted to posting a new post.
So I am trying to make an app to manage servers, and part of the tasks that I need to be able to do is to be able to somehow remotely connect over the internet to a server with either an IP address or a DNS name.
The connection to the server does not necessarily need to be an SSH connection; it could be telnet, although because of the security issues I would prefer SSH (if it is a lot less code I would accept telnet), but on the other hand it could be some other type of connection.
The application just needs to be able to run a script on the server end, and if SSH or telnet I would not need any help, but if some other type of connection I may need a bit of help. Also the server on the other end is intended to be a Linux server (either Ubuntu or Gentoo, not sure which yet, but all I can say is it will almost certainly be a Linux server operating system).
I have already looked at libssh/2 and would welcome any other similar demos, as I have not been able to work out how to get the frameworks to work, as well as licensing issues with using the frameworks in it.
PS. I am relatively new to programming and although I have some basic knowledge of coding, some type of tutorial or sample code would be greatly appreciated.
Many Thanks For Any Help
Thomas
SSH is a hugely complicated beast. As long as you only need to execute one command without interactivity, it sounds like you could achieve the same thing by running a web server on the server and posting the commands via HTTP from the device. You can use SSL to achieve security. You'll need a mechanism that allows you to authenticate the device (you'd need something with ssh, too). And you'll have to have something in the web server on the server that figures out and runs the desired script. But all that is still hugely easier than dealing with libssh.

Secure communication across a LAN

I want to make a small app that collects data from a device attached to a serial port and passes it across a LAN to another app which stores it in a database.
I have done this already in one app on a single PC, so will effectively be splitting the app in half.
I have zero experience of network programming.
I want something "secure", meaning that the data are in some way encrypted, and relatively straightforward to implement.
At the moment communication is one way, but I might want to send control data in the return direction later.
Can someone please recommend a protocol (preferably one which is commonly used for this sort of thing) and post a small code snippet of how to send and receive - let's say a data structure with a string for user name and an integer for age.
Or, just point me at a URL.
Thanks in advance.
Answer: I'm going with IpSec and Exchanging Data over the Network using Delphi
You can simply use IPSec between the two computers and the operating system will encrypt the channel without any need to change the applications.
Another option may be DCOM (if you use the Enterprise version of Delphi, Datasnap supports it), which can also encrypt the communication (must be set in the configuration, works best in a domain).
Both options don't need certificates or the like, and the OS will take care of storing the keys safely.

Skipping DNS and using IP address in web dev as opposed to URLs

How much time would be saved in skipping the request for the IP of a domain name? Would it be noticeable? Before anyone gets too excited, I know there could be problems with using an IP as opposed to a URL in web dev, like if you have multiple servers, but I'm just curious.
Assuming they have to use the domain name to get to your site in the first place, their PC will cache the name and address, so anything you do after that won't make much difference. It's not like it does a lookup over the net for every click.
DNS resolution is cached at multiple levels. You would just be saving yourself a single roundtrip per session. Considering the hassles involved (IPs change more often than we'd like, and often not when we have control over them), I would seriously advise against it.
About the only thing it will do for you is insulate you from DNS failure. When your user experiences DNS problems, your site will be one of the few that mysteriously keeps working for them!
You can still run multiple servers and load balance them behind a single IP, so that needn't be a worry. Generally though, there are far fewer pros than cons to this approach.
You could also add the IP and hostname to your local hosts file if you want to be safe from DNS failure and slow lookups.
Although I don't think there is much merit in it, since it kind of defeats the purpose of having DNS :)