WTF *Nix

Just another *nix Blog

Archive for the ‘iptables’ Category

Bahhhh Web Servers and Firewalls…

Dec-10-2009 By WTF *Nix

Going to break these down into parts so each of you can understand if you are new in this area… I know for a fact there are some gurus out there who may read this and say something along the lines of “What a waste of time…” Well, this isn’t for you, oh Mighty Gurus :P

So lets start with…

Web and FTP Servers

Every network with an internet connection is at risk of being compromised. While there are several steps you can take to secure your LAN, the only real solution is to close your LAN to incoming traffic, and restrict outgoing traffic.

However some services such as web or FTP servers require incoming connections. If you need these services you will have to consider whether it is essential that these servers are part of the LAN, or whether they can be placed in a physically separate network known as a DMZ (demilitarized zone). Ideally every server in the DMZ is a stand-alone server, with unique logons and passwords per server (no domain membership and no shared admin password, so one cracked box does not hand over the rest). If you need a backup server for machines within the DMZ, get a dedicated machine, and the golden rule is to keep that backup solution separate from the LAN backup solution.

The DMZ comes directly off the firewall, which means there are two routes in and out of the DMZ: traffic to and from the internet, and traffic to and from the LAN. Traffic between the DMZ and your LAN is treated totally separately from traffic between your DMZ and the internet. Incoming traffic from the internet is routed directly to your DMZ, never to the LAN.

Then if a hacker compromises a machine within the DMZ, the only network they get access to is the DMZ; they have little or no access to the LAN. It also works the other way: a virus infection or other security compromise within the LAN is far less able to migrate to the DMZ, because only the handful of ports you explicitly allow is open in that direction.

For the DMZ to be effective, you have to keep the traffic between the LAN and the DMZ to a minimum. In the majority of cases the only traffic needed between the LAN and the DMZ is file transfer to publish content (FTP in this setup; keep in mind FTP sends passwords in the clear, so SFTP/SCP over SSH is the safer choice where you can use it). If you don’t have physical access to the servers you will also need some sort of remote management protocol such as SSH, RDP or VNC, and that should be allowed only from the admin workstation(s), not from the whole LAN.

Database servers

If your web servers require access to a database server, then you need to consider where to put the database. The most secure place for a database server is yet another physically separate network called the “secure zone,” and that is where it goes!!! Not in the UNSECURED ZONE (the DMZ), and not on the LAN either!

The “secure zone” is also a physically separate network connected directly to the firewall. The secure zone is by definition the most secure place on the network. The only access to or from the secure zone is the database connection from the DMZ (just the database port, and just from the web server), and from the LAN if required. Nothing in the secure zone initiates connections outward.

Exceptions to the rule

The dilemma faced by network engineers (monkeys) is where to put the email server. It needs an SMTP connection to the internet, yet it also needs domain access from the LAN. If you were to place this server in the DMZ, the domain traffic would compromise the integrity of the DMZ, making it simply an extension of the LAN. My opinion: the only place you can put an email server is on the LAN, and allow SMTP traffic (TCP 25) into this server and nothing else. I would recommend against allowing any form of HTTP access into this server. If your users need access to their mail from outside the network, it is far more secure to look at some form of VPN solution. (Briefly, why VPN and why on the firewall: have the firewall terminate the VPN connections. A LAN-based VPN server lets the VPN traffic onto the network before it is authenticated, which is NEVER good practice.)
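Here is what that three-zone design looks like as an actual iptables ruleset, in iptables-restore format, so you can see every allowed path in one place and confirm that nothing gets from the DMZ or the secure zone back into the LAN. This is an added example written for this page, not the post’s own config; the interface names, the DMZ and secure-zone address ranges, the web/DB/mail server addresses and the admin workstation are all assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore ruleset
# for the LAN / DMZ / secure-zone layout described above.
# Interfaces and addresses below are assumptions for the demo.
WAN=eth0; LAN=eth1; DMZ=eth2; SEC=eth3
LAN_NET=192.168.0.0/24
DMZ_NET=10.10.1.0/24
SEC_NET=10.10.2.0/24
WEB=10.10.1.10      # web/FTP server in the DMZ
DB=10.10.2.10       # database server in the secure zone
MAIL=192.168.0.25   # mail server that has to stay on the LAN
ADMIN=192.168.0.90  # management workstation on the LAN

zone_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to anything already allowed; everything else needs an explicit rule.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Only the admin box may SSH to the firewall itself, and only from the LAN side.
-A INPUT -i $LAN -s $ADMIN -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Internet -> DMZ: only the published services, only to the web server.
-A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Internet -> LAN mail server: SMTP only; no HTTP/webmail from outside.
-A FORWARD -i $WAN -o $LAN -d $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
# LAN -> DMZ: file transfer to publish content, plus SSH management from the admin box only.
# (FTP data channels need the nf_conntrack_ftp helper loaded for RELATED to match.)
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $WEB -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $ADMIN -d $WEB -p tcp --dport 22 -m state --state NEW -j ACCEPT
# DMZ -> secure zone: only the web server, only the database port.
-A FORWARD -i $DMZ -o $SEC -s $WEB -d $DB -p tcp --dport 3306 -m state --state NEW -j ACCEPT
# DMZ -> LAN and secure zone -> anywhere get no ACCEPT rule at all (policy DROP).
# Log those so a compromised DMZ host poking at the LAN shows up in syslog.
-A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN denied: "
-A FORWARD -i $SEC -j LOG --log-prefix "SECURE->out denied: "
COMMIT
EOF
}

# Count the rules that let NEW connections from zone interface $1 into $2.
# Used to check the policy: the answer must be 0 for DMZ->LAN and SEC->LAN.
new_rules_from_to() {
    zone_rules | grep -c -- "-A FORWARD -i $1 -o $2 .*--state NEW -j ACCEPT" || true
}
```

Run `zone_rules | iptables-restore` on the firewall after reading the output once. The DMZ hosts’ own outbound needs (DNS, package updates) are deliberately not covered here; each would get its own explicit rule rather than a blanket “DMZ out” allow.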

I know this doesn’t cover EVERYTHING under the sun for web server security; this is just a “brief” overview, from my own experience, of why to secure and what to place where… So get secured, and if you have any questions, you know this blog is WIDE-OPEN for you to post up and seek help. Surely I don’t know EVERYTHING yet, but I’ll damn sure try to find the answer for you regardless. =)

WTF get’r done!!!


NTP Config File Explanation

May-10-2009 By WTF *Nix

Since by now you may or may not have the NTP package installed and ready to go, I highly recommend installing it via RPM if you can find one for your *nix flavor. Check with your vendor or, better yet, Google.com, rpmbone and etc… =)

It is TIME for the /etc/ntp.conf file and getting NTP started:

As we know, 99.9% of the time the .conf file is better known as the configuration file of a certain program under *nix, and we can’t go wrong unless we set a setting or two wrong… Well, here we will do a basic setup:

First you want to find some time servers close to you, and the fastest way to do that is here: http://support.ntp.org/bin/view/Servers/WebHome#Finding_A_Time_Server

  • Now open up your ntp.conf file in your favorite editor, such as vim, nano, or whichever one you use. Then specify your first set of upstream NTP servers, for example:
    • server    somentp.serverat.org     #A stratum 1 server at serverat.org
    • server    ntp.research.gov              #A stratum 2 server at research.gov
  • Then restrict what those servers are allowed to do to you. In the example, the upstreams may still serve you time, but they are not allowed to modify the run-time configuration (nomodify), set traps (notrap) or query status back from your Linux NTP server (noquery). Leaving queries open on a DSL connection is a nightmare, trust me :)
    • restrict    somentp.serverat.org    mask 255.255.255.255    nomodify notrap noquery
    • restrict    ntp.research.gov    mask 255.255.255.255    nomodify notrap noquery

The mask 255.255.255.255 statement is really a subnet mask limiting each restriction to the single IP address that the remote NTP server name resolves to. Keep in mind these two lines only say something about the two upstreams: ntpd allows everything by default, so unless you also have a “restrict default” line (with nomodify, notrap, nopeer and noquery on it), every other host on the internet still gets full access to your server.

  • If this server of yours is also going to provide time for other computers on your local network or other networks, such as PCs, Linux servers and certain types of networking devices, then you HAVE TO define the network(s) from which your NTP server will accept sync requests. Do this with the same kind of restrict statement, with noquery dropped so the clients are allowed to query the LOCAL NTP server. Don’t reach for the notrust keyword here to mean “don’t use these hosts as a time source”: that was what it meant in ntp 4.1 and earlier, but since ntp 4.2 notrust means “deny service unless the packet is cryptographically authenticated,” which would turn away every plain client on your LAN. The keyword you want is nopeer, which stops a client from talking your server into a peer association and so from ever becoming a “SOURCE” of synchronization data for you. (i.e. our local network is 192.168.0.0/24, and our DHCP server is assigning IPs such as 192.168.0.100, 192.168.0.101 and etc…)
    • restrict    192.168.0.0    mask    255.255.255.0    nomodify notrap nopeer
  • Make sure that your CORE NTP server that’s acting as the central “BIG BEN” has full access to itself over loopback, without any restricting keywords. 127.0.0.1 is the loopback address every *nix box uses to talk to itself (add the IPv6 loopback ::1 with a “restrict -6 ::1” line if ntpd listens on v6), and this is what lets ntpq -p work locally:
    • restrict    127.0.0.1
  • Save your ntp.conf file and restart the NTP daemon (ntpd) for the settings to take effect.

Right now you are wondering whether all the other *nix servers on this local network can sync up to this server now? Well yes: all you need to do is create the same scenario as you did above, in a shorter fashion, by replacing the “server   somentp.serverat.org” and restrict statements with your local “BIG BEN” NTP server, in lieu of having every box keep calling out on the net for time when you have one server that allows connections to sync up with. Remember NTP uses UDP port 123, and this can only happen if the firewall on BIG BEN allows NTP in on that port (and limit it to your LAN; there is no reason the whole internet should be able to hit UDP 123 on it). Here is your answer to allowing this through if you are using IPTABLES:

iptables -I INPUT -p udp -s 192.168.0.0/24 --dport 123 -j ACCEPT

Note the two ASCII hyphens in --dport; a pasted en-dash (–dport) makes iptables reject the rule. The -s 192.168.0.0/24 limits who may sync from you to your LAN; replies to your own upstream queries come back through your ESTABLISHED state rule, so they do not need a separate ACCEPT.
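Putting all of the above together (the BIG BEN server, the LAN clients that sync from it, and the firewall rule), here is a small script that emits both ntp.conf files. This is an added example written for this page, not the post’s own config; the upstream names are the post’s placeholders, and the LAN range and BIG BEN’s address 192.168.0.5 are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): generate ntp.conf for the LAN
# time server ("BIG BEN") and for the LAN clients, plus BIG BEN's firewall rule.
# Upstream names are the post's placeholders; LAN range and BIGBEN are assumed.
LAN_NET=192.168.0.0
LAN_MASK=255.255.255.0
BIGBEN=192.168.0.5
UPSTREAMS="somentp.serverat.org ntp.research.gov"

# ntp.conf for the LAN time server ("BIG BEN").
ntp_conf_server() {
    # Default-deny first: without this line the per-host restrict lines below
    # only restrict the two upstreams and everyone else gets full access.
    echo "restrict default kod nomodify notrap nopeer noquery"
    echo "restrict -6 default kod nomodify notrap nopeer noquery"
    # Loopback gets full access so ntpq -p works from the box itself.
    echo "restrict 127.0.0.1"
    echo "restrict -6 ::1"
    for up in $UPSTREAMS; do
        echo "server $up iburst"
        # Upstreams may serve us time but may not change our config, set traps
        # or query our state.
        echo "restrict $up mask 255.255.255.255 nomodify notrap noquery"
    done
    # LAN clients may sync from us but may not modify, trap, or become peers.
    # notrust is deliberately not used: since ntp-4.2 it means "require
    # cryptographic authentication", which would turn every client away.
    echo "restrict $LAN_NET mask $LAN_MASK nomodify notrap nopeer"
    echo "driftfile /var/lib/ntp/drift"
}

# ntp.conf for every other box on the LAN: talk only to BIG BEN.
ntp_conf_client() {
    # Ignore everything by default, then punch a hole only for BIG BEN's replies.
    echo "restrict default ignore"
    echo "restrict -6 default ignore"
    echo "restrict 127.0.0.1"
    echo "restrict -6 ::1"
    echo "server $BIGBEN iburst"
    echo "restrict $BIGBEN mask 255.255.255.255 nomodify notrap noquery"
    echo "driftfile /var/lib/ntp/drift"
}

# Firewall rule for BIG BEN: accept NTP only from the LAN, not from the world.
# Two ASCII hyphens in --dport; a pasted en-dash breaks the rule.
ntp_iptables_rule() {
    echo "iptables -I INPUT -p udp -s ${LAN_NET}/${LAN_MASK} --dport 123 -j ACCEPT"
}
```

Run `ntp_conf_server > /etc/ntp.conf` on BIG BEN and `ntp_conf_client > /etc/ntp.conf` on everything else, restart ntpd, and check with `ntpq -p` that the reach column climbs toward 377 and a * appears next to the selected source.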

Enjoy and get’r done; we will touch base some “TIME” soon on how to troubleshoot NTP, but if you have problems in the meantime, feel free to post a comment here in this blog thread.

WTF Get’r Done and it’s TIME for lunch 12:10:25


Oh WTF Time Is It?

May-8-2009 By WTF *Nix

It’s NTP Server Time!

So what is NTP, you may ask? It’s what we call Network Time Protocol, which synchronizes our *nix systems’ clocks with an accurate time source. There are a number of public servers on the internet that allow you to sync up with them. They are ranked by “stratum,” most commonly Stratum 1 and Stratum 2.

What are these so-called strata, you may ask?

Stratum 1 = NTP servers directly attached to a reference clock (an atomic clock, or a GPS receiver disciplined by one)

Stratum 2 = NTP servers that get their time from a Stratum 1 server over the network; one hop further from the reference clock, so slightly less accurate, but plenty good for a LAN

You may get a list of available public NTP servers by stratum from: www.ntp.org

It is good practice to keep at least one *nix server on your local network as the “local time server” for all of your other devices… It makes correlating system events on different systems much easier when everyone keeps a “central but local” time (log timestamps line up, which matters the day you are reconstructing an incident across boxes). It also helps with bandwidth usage, since only one box talks NTP to the outside, and reduces the firewall rules you have to manage from one for “EACH” NTP client you have running down to one…

Most of the time not all of your servers will have NET access, in which case you’ll need a central “TIME SERVER” on your local network that any and all of them can reach. That being said, a “Gateway” server can do all this for you if configured properly and accordingly.

That’s all for now on NTP servers; it’s time to head out and party in Seattle, it’s 9:56:44PM PST per my NTP server, and I will be back later to discuss how the ntp.conf file works :) But you need to get ntp yourself from a reliable source if you don’t have it installed on your server already… Use Google.com to find it for your *nix flavor.


ClientExec MAIN Tab Manual

May-8-2009 By WTF *Nix

Well, well, well, I guess it’s time to release yet another helping hand to the Newedge Community!!! WOOHOO they say? Heck no! I say WTF Get ‘r Done!

Here you have a release of a full-fledged “by the book” (HAHA NOT REALLY) manual by yours truly, epctechno from the Newedge Community Forums.

I’m not asking you to read this off my website; I have uploaded the PDF, which is 9.1+ MB BIG in low compression, as zip, tar.gz, .rar and .7z here:

zip, tar.gz, rar, 7z

You pick the format to download, it’s up to you. :)

Hope you enjoy this, and if you find it in your heart to donate, please do! It took some time to put all of this together, in a two-day span.



Why zdnet readers are such asses

May-5-2009 By WTF *Nix

I for one don’t condone going on and bashing an Author, but I would love to point out: hey, why not post the remedy instead of just posting “this is not a secure app, it’s vulnerable”? Well, take this for instance:

Five ‘must-secure’ Web app vulnerabilities

http://blogs.zdnet.com/security/?p=3268

Security holes in the Apache Geronimo Application Server and SAP cFolders headline a list of five serious Web app vulnerabilities that demand immediate attention.

According to Mark Painter from the HP Security Laboratory, the Geronimo flaws expose users to a variety of attack vectors that could lead to the theft of sensitive information and cookie-based authentication credentials. Here’s the top-five list from this past week:

1. Apache Geronimo Application Server

The free, open-source Apache Geronimo Application Server 2.1 through 2.1.3 is prone to multiple remote vulnerabilities.

  • Multiple directory traversal vulnerabilities (see advisory)
  • A cross-site scripting vulnerability (see advisory)
  • Multiple HTML-injection vulnerabilities
  • A cross-site request-forgery vulnerability (see advisory)

It’s important to note that attackers can exploit these issues to obtain sensitive information, upload arbitrary files, execute arbitrary script code, steal cookie-based authentication credentials, and perform certain administrative actions.

2. SAP cFolders

SAP cFolders is vulnerable to several cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.  Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

3. CS Whois Lookup

CS Whois Lookup is prone to a remote command-execution vulnerability because the software fails to adequately sanitize user-supplied input.  Successful attacks can compromise the affected software and possibly the computer.

An attacker can exploit this issue using a browser. The following example URI is available.

There are no patches available yet.  Contact CS Whois Lookup for information.

4. phpMyAdmin

There is a remote PHP code-injection vulnerability (PMASA-2009-4) affecting phpMyAdmin.

An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

This issue affects phpMyAdmin 3.x (prior to 3.1.3.2). Attackers can exploit this issue via a browser.  Patches are available.

5. Novell Teaming

A user-enumeration weakness and multiple cross-site scripting vulnerabilities expose users of Novell Teaming to a range of attack scenarios.

  • A remote attacker can exploit the user-enumeration weakness to enumerate valid usernames and then perform brute-force attacks; other attacks are also possible.
  • The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

To exploit the cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI. The following example URI is available.

Novell Teaming 1.0.3 is vulnerable; other versions may also be affected.

As you see above, this guy that works for Kaspersky Lab is a great Author and all, but still it kind of makes you wonder who you have behind the scenes at these sorts of joints such as Norton and etc…

Well, if you read there, here was my answer:

RE: Five ‘must-secure’ Web app vulnerabilities
The number one golden rule of keeping your whole box secure for this is??? Don’t run it as a privileged user… that’s what useradd is good for.

To note, why post just on five ‘must-secure’ without posting how to secure them? It’s pointless for an end-reader that’s new to the world of securing their apps, so here for example is how to secure your phpMyAdmin; it’s simple and effective, by adding a couple of lines to its Apache module conf file:

<Directory /usr/share/phpMyAdmin>
    # Apache 2.2 syntax: deny everyone, then allow only the listed addresses
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.0.90
</Directory>

192.168.0.90 is the workstation I’m at writing this reply; that and localhost on the server are the ONLY ones allowed to use phpMyAdmin, everyone else will be denied.

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

Normally, by default when installing phpMyAdmin, you create an Alias for how it should be called. Well, I would make it a bit more secure by changing the name, as such:

Alias /fuhaX0rz /usr/share/phpMyAdmin

However it’s totally up to you what you want, but the first one, allowing access to the phpMyAdmin area by IP address, is ample enough. :) Simple 1-minute fix, and any haX0r out there can run his bot day and night trying to get to this directory.

The rest is simple; a guy only has to go and use google.com to fix the rest. I’m not the author of the blog, but if you post something about security and how to secure the apps, I would highly recommend giving the end-user (reader) a how-to to fix them… :)

Moral of it all is this: don’t post something that has bottom lines saying “no patches are available,” “patches are available” and etc… I for one don’t care to see this kind of stuff; you just gave 50% away, now give the other 50% to the end-reader and they’ll keep coming back to you. All the Authors at zdnet are great people, and one person, namely Paula, is very extraordinary and a well-rounded creature, but you know it’s about the reader-base.

I for one would love to see Authors elaborate more, especially to the end-reader, on what to do to beef up your security. Yes, we know this is not a PERFECT world and we will always have haX0rz, crackerz, keygenners and etc… I believe this is why you (as an Author) get such foul-mooded readers (humans) and hate mail. I don’t receive it unless it’s from the IRS or something.

t3h l337 |-|4×02 473 m4h 54|\||)vv1[|-|

So WTF Get ‘r done!
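To turn the allow-list from the reply above into a complete Directory block for whichever Apache is actually installed, here is an added example (not the reply’s own config, and not part of phpMyAdmin). The one thing it adds beyond the reply is a practical caveat: Apache 2.4 rejects Order/Deny/Allow unless mod_access_compat is loaded (and its docs warn against mixing that style with Require), so the same allow-list has to be written with Require ip there. The alias path, the allowed addresses and the version detection are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the reply above): emit the Apache access block for
# phpMyAdmin from an allow-list, in the syntax the running Apache understands.
# Alias path, allowed addresses and version detection are assumptions.
PMA_DIR=/usr/share/phpMyAdmin
PMA_ALIAS=/fuhaX0rz                   # renamed alias from the reply (obscurity only)
ALLOWED="127.0.0.1 192.168.0.90"      # localhost and the admin workstation

# $1 = Apache major.minor, e.g. 2.2 or 2.4
pma_access_conf() {
    echo "Alias $PMA_ALIAS $PMA_DIR"
    echo "<Directory $PMA_DIR>"
    case "$1" in
        2.4*)
            # Apache 2.4: Order/Deny/Allow fail to load without mod_access_compat;
            # the native form is Require, and RequireAny ORs the listed sources.
            echo "    <RequireAny>"
            for a in $ALLOWED; do echo "        Require ip $a"; done
            echo "    </RequireAny>"
            ;;
        *)
            # Apache 2.2 (what the reply above was written for).
            echo "    Order deny,allow"
            echo "    Deny from all"
            for a in $ALLOWED; do echo "    Allow from $a"; done
            ;;
    esac
    echo "</Directory>"
}

# Ask the installed Apache which syntax it wants: apachectl -v prints a line
# like "Server version: Apache/2.4.41 (Unix)". Falls back to 2.2 if unknown.
pma_access_conf_for_installed() {
    v=$(apachectl -v 2>/dev/null | sed -n 's|^Server version: Apache/\([0-9]*\.[0-9]*\).*|\1|p')
    pma_access_conf "${v:-2.2}"
}
```

Write the output to phpMyAdmin’s conf.d file, run `apachectl configtest`, and reload; the IP allow-list is the real control here, the renamed alias only keeps the casual scanners busy.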
