## router interface shows on public, instead of hosted website (ehcp)

I used EHCP for quick setup since im new to this, just dont understand how to setup the ip…
basically i can access my router from public ip, and my website only from my machine…

what could be the error in ip config, do I need to change my router or my config in ehcp ? there are no errors or anything i will dump my config which should be pretty… amateur

EHCP

``````Array gosteriliyor:
Array
(
[dnsip] => 188.79.170.95
[ehcpdir] => /var/www/new/ehcp
[banner] => this is banner.. you may write here something using server settings

[defaulttemplate] => sky
[defaultlanguage] => en
[updatehostsfile] => Yes
[messagetonewuser] => Dns servers for our server:

87.216.1.65

87.216.1.66

(This will be sent to new users)
[backupdir] => /var/backup
[quotaupdateinterval] => 6
[webservertype] => apache2
[webservermode] => nonssl
[mysqlcharset] => DEFAULT CHARACTER SET utf8 COLLATE utf8_turkish_ci
[enablewebstats] => Yes
[versionwarningcounter] => 12
[initialize_domain_files] => Yes
[switchtoapacheonerror] => Yes
[localip] => 127.0.1.1
[lastquotaupdate] => 2018-10-08 09:19:33
[activewebserverip] => 188.79.170.95
[dnsipv6] =>
[updatednsipfromweb] => Yes
[morethanoneserver] =>
[server_id] =>
[disablecustomhttp] => Yes
[disableeditwebservertemplate] =>
[disableeditdnstemplate] =>
[userscansignup] =>
[enablewildcarddomain] =>
[freednsidentifier] =>
[defaultdnsserverips] =>
[defaultwebserverips] =>
[defaultmailserverips] =>
[singleserverip] => 188.79.170.95
)
``````

## Some index files failed to download / public key not available

When I try to use

``````sudo apt-get update
``````

it gives this error:

``````Fetched 5.530 kB in 53s (104 kB/s)
W: GPG error: http://extras.ubuntu.com precise Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 16126D3A3E5C1192
W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/Release Unable to find expected entry 'main/binary-i386/Packages' in Release file (Wrong sources.list entry or malformed file)
``````

When I try to access to etc/apt folder, it said no such file or directory.

How can I fix this?

## Problem with apt-get update: Some index files failed to download (public key not available)

When I try to use

``````sudo apt-get update
``````

it gives this error:

``````Fetched 5.530 kB in 53s (104 kB/s)
W: GPG error: http://extras.ubuntu.com precise Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 16126D3A3E5C1192
W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/Release Unable to find expected entry 'main/binary-i386/Packages' in Release file (Wrong sources.list entry or malformed file)
``````

When I try to access to etc/apt folder, it said no such file or directory.

How can I fix this?

## Setting up public key authentication to Linux server from Windows (ppk private key)

I created a public and private key using PuTTYgen and copied the public key to `.ssh/authorized_keys` under my user account.

Then I try to specify the private key when trying to log in, but apparently it doesn’t pick it up and keep asking for the username/password I originally had. I’m using WinSCP to connect and specify the private key in Advanced/Authentication section. Am I missing any steps in WinSCP?

The content of `authorized_keys` looks like as below

``````ssh-rsa AAAAB3NzaC1yc2EAAAABpEVSiiRXi7tOHpkOyFa9w2OLpBep31k9lePCK7RQxsdfs9u11+rdu0XCidRKOY5j4anD1eDaNBj87wqZbsreRe5cFcsakyGUAYXAvqgGApvsep31k9lePCK7RQxlOY5j4anD1eDaNBj8LJO++K3SkUN8E0srRBO8YyMT6Y03/F7+AAAAB3NzaC1yc2Q4h2RLGtr12CDKSBVAnFEc+JucuF4uF0WY4Sh66MSFI63mCQFu9iYNYwWyT6lUo6sks4WypEVSiiRXi7tOHpkOyFa9w2OLpBzAlTA/VSQwdNTFYUI1vquaufZ9ORzTa6dkbBRo/mLVdevYSRMSDw1BUcinYz/ogdxRvw==
``````

I changes the permission to `.ssh` to 700 and `authorized_keys` to 600.

Although I go to authentication section in WinSCP and specify the private key (as shown in the screenshot) it looks like it still need username and password and doesn’t pick it up.

When I use PuTTY and specify the private key, after entering the login username it says

Server refused our key

Here is the log from PuTTY

``````2018-04-28 17:43:05 Connecting to 158.85.98.202 port 22
2018-04-28 17:43:05 We claim version: SSH-2.0-PuTTY_Release_0.70
2018-04-28 17:43:05 Server version: SSH-2.0-OpenSSH_7.4
2018-04-28 17:43:05 Using SSH protocol version 2
2018-04-28 17:43:05 Doing ECDH key exchange with curve Curve25519 and hash  SHA-256
2018-04-28 17:43:05 Server also has ecdsa-sha2-nistp256 host key, but we don't know it
2018-04-28 17:43:05 Host key fingerprint is:
2018-04-28 17:43:05 ssh-ed25519 256         6b:0d:e2:f6:c5:9e:15:84:0c:1b:2c:19:62:cd:5b:ef
2018-04-28 17:43:05 Initialised AES-256 SDCTR client->server encryption
2018-04-28 17:43:05 Initialised HMAC-SHA-256 client->server MAC algorithm
2018-04-28 17:43:05 Initialised AES-256 SDCTR server->client encryption
2018-04-28 17:43:05 Initialised HMAC-SHA-256 server->client MAC algorithm
2018-04-28 17:43:05 Reading key file "C:Users\Desktopprivate_key.ppk"
2018-04-28 17:43:09 Offered public key
2018-04-28 17:43:09 Server refused our key
2018-04-28 17:43:09 Using SSPI from SECUR32.DLL
2018-04-28 17:43:09 Attempting GSSAPI authentication
2018-04-28 17:43:09 GSSAPI authentication request refused
``````

## Assign public IP of /29 block directly to a connected device in pfSense

Ultimately what I want to do is connect a second physically separate gateway, and assign its WAN port one of the public IP addresses given by our ISP.

So I have the following setup currently and is working.

1. Fibre leased line from ISP.
2. Fibre comes to ISP box
3. Ethernet from ISP box plugs into pfSense WAN port
4. pfSense WAN port set as static IP assignment IP: xxx.xxx.xxx.99, GW: xxx.xxx.xxx.98/30
5. Add one of the public IP addresses as a virtual IP address in pfSense IP: xxx.xxx.xxx.105/29
6. Create a new private network and assign it to a spare ethernet port IP: 10.61.1.5/30
7. Connect the second gateway wan port to pfSense and assign the wan a static IP: 10.61.1.6
8. In pfSense setup 1:1 NAT and outbound NAT to connect all traffic xxx.xxx.xxx.105 <- between-> 10.61.1.6
9. Setup firewall rules in pfSense to allow all traffic between WAN xxx.xxx.xxx.105 and LAN 10.61.1.6

While this works and the new device talks over the public IP address, the actual gateway thinks it’s public IP address is 10.61.1.6, not xxx.xxx.xxx.105. This make configuration of VPN serves impossible for me as the device is wrongly thinking its public IP is a private one.

To clarify, which is my understanding, I might be wrong, the ISP gateway is xxx.xxx.xxx.98 on a /30 network and have given us a /29 block of IPs that are routable through xxx.xxx.xxx.98/30. From my testing the above rules out being able to connect a switch between the ISP box and pfSense WAN and just assign devices those public IPs of the /29 block.

Is there any way I can configure the WAN port on the secondary device with the public IP address, connect it to pfSense someway and just get pfSense to route it out to xxx.xxx.xxx.98?

## KDF Salt: How/When is it Okay for it to be public?

Post Structure:

1. Prior source material studied

2. Question & Details

3. Assumed threat model

4. Example

5. Assumptions

6. Clarifications

Prior source material studied

0.1. RFC 2898

0.2. HAC (Handbook of Applied Cryptography)

0.3. Crypto 101

0.4. SE answers (ex: If attacker knows salt and hash, how is salt effective?) and (Use of salt to hash a password)

0.5 2018 DBIR

Question:

How is a KDF using a known salt and a low-entropy password more secure than the so-called “completely broken and not at all secure” primitive hash with salt?

1.1 Details:

Based on the available subject material, the KDF salt is not required to be kept a secret.

Does the recommendation imply a starting assumption in the threat model that the user-provided secret-key/password will always have sufficiently high entropy, or won’t be an instance of weak one? Or does the recommendation only apply to specific instances where the same or different data is encrypted regularly with a different salt/key each time?

The author of Crypto101 writes this about generic Crypto Hash Primitives:

“While this [rainbow tables based on a known single salt] would have been prevented by using a different salt for each user, systems that use a cryptographic hash with a per-user salt are still considered fundamentally broken today; they are just harder to crack, but not at all secure.”

If the threat model always assumes (as it should) that the user-provided secret key could be weak, then how does using KDF with a known salt become more secure than the aforementioned broken pattern of using a Hash Primitive with unknown (high-entropy) salt? (see Clarifications for answer to an obvious counter here)

(Aspects of) Assumed threat model for the question:

2.1 The user creates a low entropy password (TW37VE), which needs to be stored, and used for login.

2.2 The threat actor will use the same kdf (with correctly-guessed iteration) to compute the key from this common low-entropy password.

2.3 Salt needed to add entropy to the user-provided password (edit: a typo originally stated ‘secret key’ instead of password here) — which is assumed to be from low-entropy space — will be assumed here to be known to the threat actor (based on the recommendations in the documents).

2.4 The slow-computation/high-memory cost of KDF is bearable, if only for access to even a single user data: for instance, it could be a case of an insider-threat actor willing to access data for a specific user.

2.5 Internal/Insider threat actors: Based on 2018 DBIR, 28% of all the reported data breaches involved an insider/internal actor. The threat model thus accounts for an internal actor as a potential threat even in the absence of an external one. Thus, the need to secure the salt as well. (See clarifications for answer to the obvious counter)

Example:

Used KDF:

Say for password TW37VE, PBKDF2_SHA256 generates a key with the random salt 0CE@N’s, and 100000 iterations, such that the derived key is:

kdf(TW37VE, 0CE@N’s, 100000) :
pbkdf2-sha256$$100000$$OCE@N’s\$!@#%^&

Threat KDF:
kdf(harvested-weak-password = TW37VE, not-secret-salt = 0CE@N’s, guessed-iterations = 100000):

pbkdf2-sha256$$100000$$OCE@N’s\$!@#%^&

If a legitimate user could validate itself using the known low-entropy password and the retrieved salt, what would be the deterrant in case of an attacker armed with (a) the harvested password (or it’s precomputed dictionary/rainbow hash), and (b) the not-kept-a-secret salt?

Even if it is trivial for the threat actor to scan-and-match the password against the, say 64-bit, salt key space, the resulting potential delay wouldn’t hurt.

4.1. The non-random part of the derived key is irrelevant to the security model strength.

4.2. The attacker could just as well use pbkdf2-sha256 with the known salt, the harvested secret key, and the correctly-guessed iterations.

Clarification

5.1 The drawbacks of using certain primitive-based approaches are understood; and, so are and the advantages of random-salt KDF’s in differentiating similar contents.

5.2 The question focuses on why a primitive-based pattern under the assumed threat model is said to be broken, whereas the KDF pattern which simply yields to similar threat models under similar conditions is considered as an improvement over the former.

5.3 The DBIR reported “28% internal actors” figure includes different types of actors with different actions, which — although likely to be small — in this case is assumed to be a developer from the application-server team gone rogue (or maybe it was always bad?).

5.4 The home-grown roll: there is a way to keep the salt encrypted without the threat actor having the access to the salt-decryption key unless the entire database server is compromised.

Summary:

To reiterate, how does NOT keeping the kdf salt a secret help, when exposing it could have the potential to be harmful, and security-equivalent of an unsecure primitive method?

## “Public relationship”

What does the author of this sentence (from a GRE practice test) mean by “public relationship”? :

The governor has long been obsessed with excising the media from the politician public relationship. That’s been the unifying aim of all her seemingly disconnected ventures since entering public life: a determination to erode, and eventually end, the media’s hold on political communication.

## Public relationship? I don’t understand at all what the author want to say

The governor has long been obsessed with excising the media from the politician public relationship. That’s been the unifying aim of all her seemingly disconnected ventures since entering public life: a determination to erode, and eventually end, the media’s hold on political communication.