Posts Tagged ‘hex’

Enable PSK encryption on Zabbix Agent (client) sent encrypted monitored datas to Zabbix server

Friday, April 7th, 2023

zabbix-client-server-encryption-public-key-exchange

Those concerned of security and in use of their Zabbix monitored data who communicate Zabbix collected agent
data over internet or via some kind of untrusted network might definitely not enjoy the fact that zabbix-agent sents
its collected data to server in a plain text. Clear text data is allowing any network sniffer to possibly collect your
monitored server and hardware devices data and exposes all data sent over the network to same problems like in the past
the old uencrypted SMTP protocol.

To mitigate those great security hole for the paranoid sys admin it is rather easy to enable PSK (Pre Shared Key) based encryption.
To generate Pre Shared key you have to had to important values present

1. PSK Identity
2. PSK Secret

PSK secret should be minimum of 128 bit (16-byte PSK, entered as 32 hexadecimal digits), and supports up to
2048 bit (256-byte PSK, entered as 512 hexadecimal digits)

Usually something like 256 bit PSK secret on the machine should be strong enough and simply generated by running

# openssl rand -hex 32

1. Agent to zabbix server or proxy connection config

In /etc/zabbix/zabbix_agentd.conf for a Server Active (e.g. server to actively request the client to sent its collected data)
On machine running zabbix-agent should have a configuration similar to:

# cat /etc/zabbix/zabbix_agentd.conf

PidFile=/var/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix/zabbix_agentd.log
LogFileSize=0

# IP of the machine
SourceIP=10.10.10.30
# turn it on if you need to execute to remote machine commands
EnableRemoteCommands=0

# IP of the server
servers=10.30.50.80
ListenPort=10080

# IP of the machine
ListenIP=10.30.30.31

# IP of the server
ServerActive=10.30.50.80

HostMetadataItem=system.uname
BufferSize=5400
MaxLinesPerSecond=5
Timeout=10
AllowRoot=0
StartAgents=5
LogRemoteCommands=0


# Machine hostname
Hostname=fqdn-of-zabbix-data-collect-server.com
Include=/etc/zabbix/zabbix_agentd.d/*.conf

# Encryption
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=PSK to Zabbix Server5
TLSPSKFile=/etc/zabbix/zabbix_agentd.psk


! Important security note

!!! The TLSPSKIdentity value you decide will not be encrypted on transport, so don't use anything sensitive.

Once you include the TSL config

2 Generate / Create Zabbix Agent Key

Generate the key with pseudo-random bites inside /etc/zabbix/zabbix_agentd_key.psk

# cd /etc/zabbix
# openssl rand -hex 32 > zabbix_agentd_key.psk
# chown zabbix:zabbix zabbix_agentd_key.psk
# chmod 600 zabbix_agentd_key.psk

3. Configure PSK encryption in Zabbix Server Web User interface

Go to Zabbix Server User interface in browser and configure the PSK encryption options for the host.

Select the:

'Connections to host' = PSK

'Connections from host' = PSK

'PSK Identity' = [public-value-configured-in-Zabbix-agent-config]

'PSK' = [paste the long hex string generated from the OpenSSL command above]


In some seconds up to a minute or two the Zabbix Server and Agent will successfully communicate using PSK encryption.
Making the monitored data unreadable in plain text for malignant sniffers hanging in the middle equipment between the zabbix-agent and zabbix-server hosts.

4. PSK encryption behind a Proxy

Many companies, nowadays use zabbix proxy for improvement of network infrastrucutre. For example it is used to offload the zabbix-server when multiple zabbix-agents have to report various datas or to monitor servers and devices that are phyisically in separate networks or data centers (are passing through paranoic built firewalls) or monitor locations are having unreliable communications between each other.
 

To enable PSK for communications between your Zabbix Server and Zabbix Proxy.

1. Create a new secret, and add the PSK Identity and Secret to

Administration ⇾ Proxies ⇾ [Your proxy] ⇾ Encryption

2. Adjust the settings inside the zabbix proxies configuration file at /etc/zabbix/zabbix_proxy.conf


If setting up PSK encryption for agents behind a Zabbix proxy, ensure your have

Zabbix Server ⇽⇾ Proxy PSK enabled
first in Zabbix Server UI.

This is because, when you start the Proxy, or do some testing to send some key value to Zabbix server via the proxy with commands :

# zabbix_get -s 127.0.0.1 -k system.hostname
# zabbix_server -R config_cache_reload


config_cache_reload, the Proxy will download all its host settings from the server, and this also includes the servers copy of the secret.

The proxy needs to know the secret since it is now managing the communications on behalf of the server.

3. To add PSK encryption for any Agents behind a proxy, then you continue to set up the Agents as normal by creating a new secret, editing

Configuration ⇾ Hosts ⇾ [Your Host] ⇾ Encryption page

and also editing /etc/zabbix/zabbix_agentd.conf.

Remember that, since your Agents Host configuration in the Zabbix UI will be set as Monitored by Proxy, the PSK settings will be applicable for communications happening between the Zabbix Proxy and the Agent that it is monitoring, not between the Zabbix Server and the Agent behind the proxy.

You can also add PSK Encryption between your Zabbix Proxy and its own local Agent if you want.
You would set its PSK settings in the Proxy Agents host configuration at

Configuration ⇾ Hosts ⇾ [Your proxy] ⇾ Encryption

and modify the settings in the agents on configuration file at /etc/zabbix/zabbix_agentd.conf.
Keep in mind, this is only applicable to communications between the Zabbix Proxy, and its own Agent process.

When setting up PSK encryption for the Zabbix Server, Proxy and Agents, you may see an error in the Proxy logs,

cannot send proxy data to server at "zabbix.your-domain.tld": connection of type "TLS with PSK" is not allowed for proxy "your-proxy".

If you hit this, check that your

Zabbix Server ⇽⇾ Proxy PSK settings

are correct first.

Don't get confused between the Proxies own optional agent process, and its main Proxy process which is required.

Editting binary files in console and GUI on FreeBSD and Linux

Thursday, April 26th, 2012

I’ve recently wanted to edit one binary file because there was compiled in the binary a text string with a word I didn’t liked and therefore I wanted to delete. I know I can dig in the source of the proggie with grep and directly substitute my “unwatned text” there but I wanted to experiment, and see what kind of hex binary text editors are for Free OSes.
All those who lived the DOS OS computer era should certainly remember the DOS hex editors was very enjoyable. It was not rare case, where in this good old days, one could simply use the hex editor to “hack” the game and add extra player lives or modify some vital game parameter like put himself first in the top scores list. I even remember some DOS programs and games was possible to be cracked with a text editor … Well it was times, now back to current situation as a Free Software user for the last 12 years it was interesting to see what is the DOS hexeditor like alternatives for FreeBSD and Linux and hence in this article I will present my findings:

A quick search in FreeBSD ports tree and Debian installable packages list, I’ve found a number of programs allowing one to edit in console and GUI binary files.

Here is a list of the hex editors I will in short review in this article:

  • hexedit
  • dhex
  • chexedit
  • hte
  • hexer
  • hexcurse
  • ghex
  • shed
  • okteta
  • bless
  • lfhex

1. hexedit on Linux and BSD – basic hex editor

I’ve used hexedit already on Linux so I’ve used it some long time ago.

My previou experience in using hexedit is not too pinky, I found it difficult to use on Redhat and Debian Linux back in the day. hexedit is definitely not a choice of people who are not “initiated” with hex editting.
Anyways if you want to give it a try you can install it on FreeBSD with:

freebsd# cd /usr/ports/editors/hexedit
freebsd# make install clean

On Debian the hexedit, install package is named the same so installation is with apt:

debian:~# apt-get –yes install hexedit

hexedit screenshot Debian Linux Squeeze

2. Hex editting with chexedit

I’ve installed chexedit the usual way from ports:

freebsd# cd /usr/ports/editors/chexedit
freebsd# make install clean

chexedit is using the ncurses text console library, so the interface is very similar to midnight commander (mc) as you see from below’s screenshot:

Chexeditor FreeBSD 7.2 OS Screenshot

Editting the binary compiled in string was an easy task with chexedit as most of the commands are clearly visible, anyways changing a certain text string contained within the binary file with some other is not easy with chexedit as you need to know the corresponding binary binary value representing each text string character.
I’m not a low level programmer, so I don’t know the binary values of each keyboard character and hence my competence came to the point where I can substitute the text string I wanted with some unreadable characters by simply filling all my text string with AA AA AA AA values…

chexedit on Debian is packaged under a deb ncurses-hexedit. Hence to install it on Deb run:

debian:~# apt-get –yes install ncurses-hexedit

Further on the binary to run chexedit on binary contained within ncurses-hexedit is:

debian:~# hexeeditor

3. Hex Editting on BSD and Linux with hte

Just after trying out chexedit, I’ve found about the existence of one even more sophisticated hexeditor console program available across both FreeBSD and Linux.
The program is called hte (sounds to me a bit like the Indian word for Elephant “Hatti” :))

hte is installable on Debian with cmd:

debian:~# apt-get install ht

On FreeBSD the port name is identical, so to install it I execed:

freebsd# cd /usr/ports/editors/hte
freebsd# make install clean

hte is started on Debian Linux (and presumably other Linux distros) with:

$ hte

On FreeBSD you need to run it with ht command:

freebsd# ht

You see how hte looks like in below screenshot:

ht has the look & feel like midnight commander and I found it easier to use than chexedit and hexeditor
4. hexer VI like interface for Linux

As I was looking through the available packages ready to install, I’ve tried hexer

debian:~# apt-get install –yes hexer

hexer does follow the same standard commands like VIM, e.g. i for insert, a for append etc.

Hexer Debian Linux vim like binary editor screenshot

It was interesting to find out hexer was written by a Bulgarian fellow Petar Penchev 🙂
(Proud to be Bulgarian)

http://people.freebsd.org/~roam/ – Petar Penchev has his own page on FreeBSD.org

As a vim user I really liked the idea, the only thing I didn’t liked is there is no easy way to just substitute a string within the binary with another string.

5. hexcurse another ncurses library based hex editor

On Deb install and run via:

debian:~# apt-get –yes install hexcurse
debian:~# hexcurse /usr/bin/mc

Hexcurse Debian Linux text binary editor screenshot

hexcurse is also available on FreeBSD to install it use cmd:

freebsd# cd /usr/ports/editors/hexcurse
freebsd# make install clean
….

To access the editor functions press CTRL+the first letter of the word in the bottom menu, CTRL+H, CTRL+S etc.
Something I disliked about it is the program search is always in hex, so I cannot look for a text string within the binaries with it.

6. ghex – Editting binary files in graphical environment

If you’re running a graphical environment, take a look at ghex. ghex is a gnome (graphical hex) editor.Installing ghex on Debian is with:

debian:~# apt-get –yes install ghex
….

To run ghex from terminal type:

debian:~# ghex2

GHex2 GNOME hex binary editor screenshot

To install ghex on FreeBSD (and I assume other BSDs), install via port:

freebsd# cd /usr/ports/editors/ghex
freebsd# make install clean

Gnome hex editor have plenty of tools, useful for developers to debug binary files.

Some nice tools one can find are under the the menus:

Windows -> Character Table

This will show a complete list of each keyboard sent character in ASCII, Hex, Decimal, Octal and Binary

Screenshot ghex Character table Debian Linux

Another useful embedded tool in ghex is:

Windows -> Type Convertion Dialog

Ghex type convertion dialog screenshot

Note that if you want to use the Type Convertion Dialog tool to find the representing binary values of a text string you will have to type in the letters one by one and save the output within a text file and later you can go and use the same editor to edit the text string within the binary file you like.

I’m not a programmer but surely for programmers or people who want to learn some binary counting, this 2 ghex edmebbed tools are surely valuable.

To conclude even though there are plenty of softwares for hex editting in Linux and BSD, none of them is not so easy to use as the old DOS hexdedit tool, maybe it will be a nice idea if someone actually rewrites the DOS tool and they package it for various free operating systems, I’m sure many people will find it helpful to have a 1:1 equivalent to the DOS tool.

7. Shed pico like interfaced hex editor

For people, who use pico / nano as a default text editor in Linux shed will probably be the editor of choice as it follows the command shortcuts of picoOn Deb based distros to install it run:

debian:~# apt-get install –yes shed

shed pico like hex binary editor Linux

Shed has no BSD port as of time of writting.8. Okteta a KDE GUI hex editor

For KDE users, I found a program called okteta. It is available for Deb based Linuxes as deb to install it:

debian:~# apt-get –yes install okteta

Screenshot Okteta Debian GNU / Linux Squeeze

As of time of writting this article there is no okteta port for BSDs.
Okteta has plenty of functions and even has more of a functions than ghexedit. Something distinctive for it is it supports opening multiple files in tabs.

9. lfhex a large file text editor

lfhex is said to be a large (binary) file text editor, I have not tested it myself but just run it to see how it looks like. I don’t have a need to edit large binary files too, but I guess there are people with such requirements too 🙂

lfhex - Linux The Large file hex editor

To install lfhex on Debian:

debian:~# apt-get install –yes lfhex

lfhex has also a FreeBSD port installable via:

freebsd# cd /usr/ports/editors/lfhex
freebsd# make install clean

10. Bless a GUI tool for editting large hex (binary) files

Here is the description directly taken from the BSD port /usr/ports/editors/bless

Bless is a binary (hex) editor, a program that enables you to edit files asa sequence of bytes. It is written in C# and uses the Gtk# bindings for theGTK+ toolkit.

To install and use ot on deb based Linuxes:

debian:~# apt-get install –yes bless
….

On BSD installation is again from port:

freebsd# cd /usr/ports/editors/bless
freebsd# make install clean
….

Something that makes bless, maybe more desirable choice for GUI users than ghex is its availability of tabs. Opening multiple binaries in tabs will be useful only to few heavy debuggers.

Bless GUI hex editor Debian Linux tabs opened screenshot

11. Ghextris – an ultra hard hacker tetris game 🙂

For absolute, hacker / (geeks), there is a tetris game called ghextris. The game is the hardest tetris game I ever played in my life. It requires more than regular IQ and a lot of practice if you want to become really good in this game.

To enjoy it:

debian:~# apt-get –yes install ghextris

Ultra hrad hardcore hackers game ghextris screenshot

Unfortunately there is no native port of ghextris for BSD (yet). Anyhow, it can be probably run using the Linux emulation or even compiled from source.
Well that’s all I found for hexedit-ing, I’ll be happy to hear if someone can give me some feedback on his favourite editor.