Linux, Windows and Other Tips and Tricks
Check the logs:
# nano /var/log messages PAM-hulk[13813]: Brute force detection active: 580 LOGIN DENIED
Check
cphulkd.log at /usr/local/cpanel/logs
# nano /usr/local/cpanel/logs/login_log 72.177.xxx.xx - root [11/04/2014:05:48:13 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 72.177.xxx.xx
On Tuesday, October 14, 2014, iSIGHT Partners and Microsoft announced a Zero-Day vulnerability named “Sandworm” found in all versions of Microsoft Windows and Windows Server 2008 and 2012.
The vulnerability has been exploited in a small number of cyberespionage attacks against NATO, energy companies, a US academic organization and many others. Microsoft has since created a patch and released it as one of their security updates (CVE-2014-4114.).
If you have enabled automatic updating, the Microsoft security update will be downloaded and installed automatically. If you have not, it is critical that you run the security update from Microsoft, as well as all other important security updates through the Windows Updater immediately.
If you would like to learn more about the Sandworm vulnerability, in-depth information can be found on iSIGHT Partners blog and Microsoft’s Security TechCenter.
Because fail2ban is not available from CentOS, we should start by downloading the EPEL repository:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Follow up by installing fail2ban:
yum install fail2ban
The default fail2ban configuration file is location at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, however, and we should instead make a local copy of it.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After the file is copied, you can make all of your changes within the new jail.local file. Many of possible services that may need protection are in the file already. Each is located in its own section, configured and turned off.
Set up a few rules on a plesk server with CentOS
SSH
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=10222, protocol=tcp]
sendmail-whois[name=SSH, dest=root, sender=admin@domain.com, sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5
* Notice ssh is set up on port 10222
ProFTP
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest=admin@domain.com]
logpath = /var/log/secure
maxretry = 5
* Notice the log location. This is for a Plesk server as proftpd logs to /var/log/secure
Restart fail2ban
# service fail2ban restart
Postfix
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = true
filter = postfix-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=admin@domain.com]
logpath = /usr/local/psa/var/log/maillog
Postfix
[postfix-tcpwrapper]
enabled = true
filter = postfix
action = hostsdeny[file=/etc/fail2ban/hosts.deny]
sendmail[name=Postfix, dest=admin@domain.com]
logpath = /usr/local/psa/var/log/maillog
bantime = 300
Apache Auth
[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = iptables[name=apache, port=apache, protocol=tcp]
sendmail-whois[name=apache, dest=admin@domain.com]
logpath = /var/log/httpd/error_log
# /home/www/myhomepage/error.log
maxretry = 6
Whitelisting is setup in the jail.conf file using a space separated list.
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8
# This will ignore connection coming from common private networks. # Note that local connections can come from other than just 127.0.0.1, so # this needs CIDR range too. ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
Intrusion Detection Systems – this can be gaied by a Cisco or other firewall
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store ortransmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).
General requirements for compliance
Firewall
Intrusion Drevention Systems
Intrusion Prevention Systems
Dedicated IP addresses
PCI Cage
According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.
A vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.
SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today.
Detection (Linux)
The following script can be run against the server in question. The command will return ‘SSL 3.0 enabled’ if vulnerable and ‘SSL 3.0 disabled’ if not.
_______________
#!/bin/bash
ret=$(echo Q | timeout 5 openssl s_client -connect “${1-`hostname`}:${2-443}” -ssl3 2> /dev/null)
if echo “${ret}” | grep -q ‘Protocol.*SSLv3’; then
if echo “${ret}” | grep -q ‘Cipher.*0000’; then
echo “SSL 3.0 disabled”
else
echo “SSL 3.0 enabled”
fi
else
echo “SSL disabled or other error”
fi
_______________
NOTE: This script takes the hostname of the server to check as the first argument and an optional port as the second. By default it will check the local system, port 443.
Resolution
To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, however it is strongly recommended against.
To mitigate this vulnerability as it affects httpd, set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:
Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address.
Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)
SSLProtocol All -SSLv2 -SSLv3
Option 2: Disable everything except TLSv1.x
On RHEL 7 or RHEL 6.6 and later:
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
On other platforms:
SSLProtocol -All +TLSv1
Then restart httpd:
# service httpd restart
Resources:
For Microsoft
https://technet.microsoft.com/en-us/library/security/3009008.aspx
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://forums.cpanel.net/f185/sslv3-vulnerability-432641.html
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
Tests
Test your web server for SSLv2
https://www.ssllabs.com/ssltest/index.html
What you are looking for is:
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
For Nginx – there are other files to edit:
/usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php /usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
Rebuild after any changes
# /usr/local/psa/admin/bin/httpdmng --reconfigure-all
Other Resources:
CPanel/WHM
https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
http://www.cpanelkb.net/fix-poodle-sslv3-vulnerability/
http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/
Plesk
http://kb.sp.parallels.com/en/123160
http://www.percona.com/blog/2014/10/15/how-to-close-poodle-sslv3-security-flaw-cve-2014-3566/
http://bobcares.com/blog/protecting-your-cpanel-whm-server-from-sslv3-poodle-vulnerability-guide-to-mitigate-cve-2014-3566-by-disabling-ssl-3-0-in-exim-apache-nginx-pure-ftp-proftpd-dovecot-and-courier-imap
| Product/Channel | Fixed in package | Remediation details |
|---|---|---|
| Red Hat Enterprise Linux 7 | bash-4.2.45-5.el7_0.2 | Red Hat Enterprise Linux |
| Red Hat Enterprise Linux 6 | bash-4.1.2-15.el6_5.1 | Red Hat Enterprise Linux |
| bash-4.1.2-15.el6_5.1.sjis.1 | Red Hat Enterprise Linux | |
| bash-4.1.2-9.el6_2.1 | Red Hat Enterprise Linux 6.2 AUS | |
| bash-4.1.2-15.el6_4.1 | Red Hat Enterprise Linux 6.4 EUS | |
| Red Hat Enterprise Linux 5 | bash-3.2-33.el5.1 | Red Hat Enterprise Linux |
| bash-3.2-33.el5_11.1.sjis.1 | Red Hat Enterprise Linux | |
| bash-3.2-24.el5_6.1 | Red Hat Enterprise Linux 5.6 LL | |
| bash-3.2-32.el5_9.2 | Red Hat Enterprise Linux 5.9 EUS | |
| Red Hat Enterprise Linux 4 | bash-3.0-27.el4.2 | Red Hat Enterprise Linux 4 ELS |
Check the version:
[root@server]# rpm -qa | grep bash bash-completion-1.3-7.el6.noarch bash-4.1.2-15.el6_4.x86_64
Diagnostic Steps:
There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see “vulnerable” you need to update bash. Otherwise, you should be good to go.
Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.
env X='() { (shellshocker.net)=>' bash -c "echo date"; cat echo ; rm -f echo
If the above command outputs the current date (it may also show errors), you are still vulnerable.
Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.
env -i X=' () { }; echo hello' bash -c 'date'
If the above command outputs “hello”, you are vulnerable.
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
A vulnerable system will echo the text “CVE-2014-7186 vulnerable, redir_stack”.
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"
A vulnerable system will echo the text “CVE-2014-7187 vulnerable, word_lineno”.
Run update:
[root@server ~]# yum update bash Loaded plugins: downloadonly, fastestmirror, priorities Loading mirror speeds from cached hostfile epel/metalink | 16 kB 00:00 * base: mirror.hmc.edu * epel: mirrors.solfo.com * extras: centos.sonn.com * updates: linux.mirrors.es.net base | 3.7 kB 00:00 extras | 3.3 kB 00:00 updates | 3.4 kB 00:00 updates/primary_db | 5.3 MB 00:00 81 packages excluded due to repository priority protections Setting up Update Process Resolving Dependencies --> Running transaction check ---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated ---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Updating: bash x86_64 4.1.2-15.el6_5.1 updates 905 k Transaction Summary ================================================================================ Upgrade 1 Package(s) Total download size: 905 k Is this ok [y/N]: y Downloading Packages: bash-4.1.2-15.el6_5.1.x86_64.rpm | 905 kB 00:00 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Updating : bash-4.1.2-15.el6_5.1.x86_64 1/2 Cleanup : bash-4.1.2-15.el6_4.x86_64 2/2 Verifying : bash-4.1.2-15.el6_5.1.x86_64 1/2 Verifying : bash-4.1.2-15.el6_4.x86_64 2/2 Updated: bash.x86_64 0:4.1.2-15.el6_5.1 Complete!
[root@server ~]# rpm -qa | grep bash bash-4.1.2-15.el6_5.1.x86_64 bash-completion-1.3-7.el6.noarch
Test after update:
[root@server ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
For Ubuntu Systems:
apt-get update; apt-get install --only-upgrade bash
For Arch Linux:
pacman -Sy bash
A reboot is not required after the update.
Resources:
https://access.redhat.com/articles/1200223
http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924
Also, for CentOS: http://www.tecmint.com/ssh-two-factor-authentication/
Want to secure your SSH server with easy-to-use two-factor authentication? Google provides the necessary software to integrate Google Authenticator’s time-based one-time password (TOTP) system with your SSH server. You’ll have to enter the code from your phone when you connect.
Check the server if it is root compromised.
lsattr /usr/bin
Root compromised output. All of those files are set to immutable and append only. That’s what the “ia” you see is.
[root@mail ~]# lsattr /usr/bin s---ia------- /usr/bin/bzcmp s---ia------- /usr/bin/getkeycodes s---ia------- /usr/bin/enc2xs s---ia------- /usr/bin/mail-files s---ia------- /usr/bin/chage s---ia------- /usr/bin/mdeltree s---ia------- /usr/bin/nslookup s---ia------- /usr/bin/semodule_link s---ia------- /usr/bin/mbchk s---ia------- /usr/bin/rpcgen s---ia------- /usr/bin/lkbib s---ia------- /usr/bin/dig s---ia------- /usr/bin/webazolver s---ia------- /usr/bin/pstruct s---ia------- /usr/bin/spfd s---ia------- /usr/bin/linux64 s---ia------- /usr/bin/semodule_expand s---ia------- /usr/bin/readlink s---ia------- /usr/bin/as s---ia------- /usr/bin/makedb s---ia------- /usr/bin/seq s---ia------- /usr/bin/id s---ia------- /usr/bin/colcrt s---ia------- /usr/bin/pod2man s---ia------- /usr/bin/zipnote s---ia------- /usr/bin/hcitool s---ia------- /usr/bin/lftp s---ia------- /usr/bin/run-with-aspell s---ia------- /usr/bin/[ s---ia------- /usr/bin/perl s---ia------- /usr/bin/mailstat s---ia------- /usr/bin/ecryptfs-setup-swap s---ia------- /usr/bin/lpstat.cups s---ia------- /usr/bin/linux32 s---ia------- /usr/bin/ipcclean s---ia------- /usr/bin/pkill s---ia------- /usr/bin/mzip s---ia------- /usr/bin/mcookie s---ia------- /usr/bin/pm-restart s---ia------- /usr/bin/rcp s---ia------- /usr/bin/fgconsole
Non root compromised
[root@austin ~]# lsattr /usr/bin -------------e- /usr/bin/pigz -------------e- /usr/bin/isosize -------------e- /usr/bin/php -------------e- /usr/bin/system-config-firewall -------------e- /usr/bin/ftpdctl -------------e- /usr/bin/berkeley_db_svc -------------e- /usr/bin/wftopfa -------------e- /usr/bin/yum-builddep -------------e- /usr/bin/tic -------------e- /usr/bin/ptardiff
Other checks:
I would check the following:
Logs. If you have root access you should check things like history which will give you command history and log files in /var/logs.
Baseline. If you have a baseline like file hashes to work with for application and system files this will help a lot. You can also use backups to compare a previous state. If using a backup to compare files, use a slightly older one if you can. The site may have been compromised a while before and it is only now that the redirect has been activated.
Check any includes. The files may not be on your server. They may be script includes such as