tom's blog » Security

DNS-Server bei FRITZ!Box umstellen

tom — Fri, 05 Jun 2009 19:18:58 +0000

Getestet mit FRITZ!Box Fon WLAN 7170 & Firmware-Version 29.04.70

Wenn man etwas sucht, findet man schon einige Anleitungen, daher hier nur die Kurzfassung..

Telnet-Server auf der FRITZ!Box aktivieren (via Telefon):
#96*7* -> telnetd an

Via telnet konnektieren und mit dem Kennwort der Weboberfläche einloggen.
In der Konsole in das Verzeichnis /var/flash/ wechseln und mit nvi die Datei ar7.cfg bearbeiten.
Hier gibt es (bei meiner Box vier) Einträge für overwrite_dns.
Diese entsprechend anpassen (z.B. für OpenDNS):
overwrite_dns1 = 208.67.220.220; overwrite_dns2 = 208.67.222.222;

Speichern, beenden und anschliessend die Box mit reboot neustarten.

Aus Sicherheitsgründen Telnet-Server auf der Box wieder deaktivieren:
#96*8* -> telnetd aus

Ob das ganze geklappt hat, sieht man bei OpenDNS z.B. beim Aufruf der Startseite.
Hier sollte jetzt ein Hinweis “You’re using OpenDNS!” angezeigt werden.

PS: Basics über den Texteditor vim (oder dessen Ableger) sollten vorhanden sein.

Prevent SSH Brute Force attacks

tom — Sat, 28 Feb 2009 14:48:00 +0000

When checking logfiles, I often can see brute force attacks – especially against the ssh daemon.
Of course, best way would be to block all ssh traffic except from your office/home ip.
If this is not possible for various reasons, you can make life a little harder for “intruders” using iptables.

Aim:
If there are more than three connection attemps within 120 seconds,
all traffic from potential attacker to ssh port (tcp, 22) shall be blocked temporarily.

#!/bin/bash # IPTABLES=`which iptables` # ### if more than three new connections in 120 sec -> log $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent \ --rcheck --seconds 120 --hitcount 3 --rttl --name SSH -j LOG --log-level 7 \ --log-prefix "Possible SSH breakin attemp: " # ### if more than three new connections in 120 sec -> drop requests $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent \ --update --seconds 120 --hitcount 3 --rttl --name SSH -j DROP # ### remember new, established connections $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent \ --set --name SSH -j ACCEPT # ### generally allow ssh connections $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT # # --- # -I INPUT .. -> iptables chain # -i eth0 ... -> interface to apply rule to # -p tcp .... -> use tcp port # --dport ... -> destination port 22 (SSH) # -m recent . -> matching state # --state ... -> can be NEW, ESTABLISHED, RELATED or INVALID # -rcheck ... -> will check if the source address of the packet is currently in the list # ---

If it works, you should see entries like this in your firewall log
(i.e. in /var/log/firewall [ openSuSE ]):

Feb 28 15:14:20 cypher kernel: Possible SSH breakin attemp: IN=eth0 OUT= MAC=00:0c:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=123.xxx.xxx.xxx DST=223.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=52858 DF PROTO=TCP SPT=38220 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Fixing Astaro 7.202 (when upgrade fails)

tom — Wed, 24 Sep 2008 22:46:36 +0000

again …
if upgrading from ASG 7.202 to newer versions fails, apply the following fix [as root]:
auisys.plx --rpmargs --force

Maybe you’ll have to stay calm until your up2date packages get “re-new-ed” .. so, wait a few days if first try fails.

VMware Server 1.0.7 released

tom — Wed, 03 Sep 2008 10:22:26 +0000

A few days ago, VMware Server 1.0.7 has been released.
The update mainly cares about security issues:

Security Fix for VMware ISAPI Extension
Setting ActiveX killbit
Security Fix for Local Privilege Escalation on Host System
Update to Freetype 2.3.7

More info can be found in VMware’s Release Notes

Fixing Astaro 7.200 (when upgrade fails)

tom — Tue, 02 Sep 2008 22:15:10 +0000

If upgrading from ASG 7.200 to newer versions fails, apply the following fix [as root]:
rpm -q ep-asg && cd /tmp && wget http://www.astaro.com/content/download/5618/51408/version/1/file/ep-asg-7.2-23.i686.rpm && rpm -Uvh /tmp/ep-asg-7.2-23.i686.rpm

More info at Astaro Knowledge Base Article #288713.

SUSE Linux 10.1 discontinued and out of support

tom — Thu, 21 Aug 2008 20:34:09 +0000

SUSE Linux 10.1 has reached End of Life : /

Quote from the opensuse-security-announce mailing list:

With the release of an mysql security fix on August 13 we have released
the last update for SUSE Linux 10.1. (Actually 10.1 was discontinued on
May 31st, but the queue took a bit longer to flush from all updates.)

See: http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00004.html

Critical Bug in Joomla 1.5.5 (and older 1.5.x versions)

tom — Mon, 18 Aug 2008 11:35:52 +0000

The password of the user with the lowest ID (typically an administrator) can be reset by an unauthorized user in Joomla 1.5.x installations prior version 1.5.6 because of a bug in the password remind functionality.

All 1.5.x installations prior to and including 1.5.5 are affected

The Joomla developer team advises to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file with the code below).

After global $mainframe; on line 113 of reset.php, add:
if(strlen($token) != 32) { $this->setError(JText::_('INVALID_TOKEN')); return false; }

See: Joomla! Developer – Password Remind Functionality

suPHP 0.6.3 released / security fix

tom — Fri, 11 Apr 2008 16:17:13 +0000

The latestet release of suPHP (v.0.6.3) has been published on Mar 30th, 2008.

It’s a security fix release eliminating two symlink race-conditions.
Users are strongly advised to update immediately.

Should I use DNSBL?

tom — Tue, 04 Mar 2008 23:18:25 +0000

RBLs – yes / no.. a big discussion always..
Right now, I can recommend zen.spamhaus.org & ix.dnsbl.manitu.net (<- especially for german MXs).
I’ve never seen a false positive on these lists ..

Nevertheless, use the lists for scoring (i.e. with spamassassin), not for instant blocking!

Nowadays, prosecuting “backscatter”, sender callouts, etc. seems to be a new trend – and it could be useful in future..
I’ve tested the only free list I know – backscatterer.org.
Don’t you use that one for immediate blocking!
Scoring can be ok, but even there – watch your logs!

Some “hits” (from a test run) to show what I found:
…
2008-03-04 17:17:42 H=lizzard.sbs.de [194.138.37.39] – possible backscatter
2008-03-04 17:21:59 H=mail.space.net [195.30.0.8] – possible backscatter
2008-03-04 17:25:33 H=relay4.ptmail.sapo.pt [212.55.154.24] – possible backscatter
2008-03-04 17:32:46 H=relay23.arbeitsagentur.de [212.204.77.151] – possible backscatter
2008-03-04 17:33:38 H=mout1.mail.vrmd.de [81.28.224.19] – possible backscatter
2008-03-04 17:48:33 H=dgate1.fujitsu-siemens.com [217.115.66.35] – possible backscatter
2008-03-04 17:50:05 H=mailout05.sul.t-online.de [194.25.134.82] – possible backscatter
2008-03-04 17:51:27 H=relay0-0.brigade.com [209.249.158.73] – possible backscatter
2008-03-04 18:04:42 H=mailout07.sul.t-online.de [194.25.134.83] – possible backscatter
2008-03-04 18:11:21 H=bay0-omc2-s24.bay0.hotmail.com [65.54.246.160] – possible backscatter
2008-03-04 18:13:37 H=mail.space.net [195.30.0.8] – possible backscatter
2008-03-04 18:13:42 H=smtp1.versatel.nl [62.58.50.88] – possible backscatter
2008-03-04 18:15:29 H=mailout09.sul.t-online.de [194.25.134.84] – possible backscatter
2008-03-04 18:16:33 H=ip17.be3a.com (be3a.com) [213.92.9.17] – possible backscatter
2008-03-04 18:18:12 H=gamwsm02.mwga.mailwatch.com [216.157.255.16] – possible backscatter
2008-03-04 18:20:15 H=aps67.muc.ec-messenger.com [195.140.186.67] – possible backscatter
2008-03-04 18:22:56 H=mout1.mail.vrmd.de [81.28.224.19] – possible backscatter
2008-03-04 18:25:46 H=mail.gmx.net [213.165.64.20] – possible backscatter
2008-03-04 18:27:56 H=mail004.thyssenkrupp.com [149.211.153.66] – possible backscatter
2008-03-04 18:30:43 H=mailout04.sul.t-online.de [194.25.134.18] – possible backscatter
2008-03-04 18:33:06 H=mailout03.sul.t-online.de [194.25.134.81] – possible backscatter
2008-03-04 18:39:33 H=mail.gmx.net [213.165.64.20] – possible backscatter
2008-03-04 18:45:20 H=mail.schule.bayern.de [194.95.207.92] – possible backscatter
2008-03-04 18:48:56 H=skibayf20.kirche-bayern.de [141.78.101.100] – possible backscatter
…

A lot of the BIG players (german companies in this example mainly) are found on the list ..
So don’t get yourself in trouble with users that complain all day long and think about what you’re blocking ..

Any suggestion/comment ist highly appreciated.

Howto: Single Sign On with Squid Proxy and Active Directory

tom — Wed, 12 Dec 2007 18:30:55 +0000

Tested on: openSUSE 10.2, Squid 2.6 <-> Windows Server 2003
Goal: User authentication should be possible without “extra login” on the squid proxy.

Here we go …

First of all, disable nscd (name service cache daemon)!
Install winbind, samba client and kerberos tools

In this test enviroment, the Domain is “D1COMP”; the realm “D1COMP.LAN”

Edit /etc/krb5.conf

[libdefaults] default_realm = D1COMP.LAN clockskew = 300[realms] D1COMP.LAN = { kdc = 172.31.7.27 ## One of your Domain Controllers default_domain = d1comp.lan admin_server = 172.31.7.27 }[logging] kdc = FILE:/var/log/krb5/krb5kdc.log admin_server = FILE:/var/log/krb5/kadmind.log default = SYSLOG:NOTICE:DAEMON[domain_realm] .d1comp.lan = D1COMP.LAN[appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 1 }

obtain Kerberos ticket

# kinit Administrator@D1COMP.LAN Password for Administrator@D1COMP.LAN: #

check Kerberos ticket

# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator@D1COMP.LAN -------- Valid starting Expires Service principal 12/12/07 16:16:01 12/13/07 02:16:45 krbtgt/D1COMP.LAN@D1COMP.LAN renew until 12/13/07 16:16:01 -------- Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached

Adjust /etc/samba/smb.conf

[global] workgroup = D1COMP printing = cups printcap name = cups printcap cache time = 750 cups options = raw map to guest = Bad User include = /etc/samba/dhcp.conf logon path = \\%L\profiles\.msprofile logon home = \\%L\%U\.9xprofile logon drive = P: usershare allow guests = No idmap gid = 10000-20000 idmap uid = 10000-20000 realm = D1COMP.LAN security = ADS template homedir = /home/%D/%U template shell = /bin/bash winbind refresh tickets = yes

Join the Active Directory

# net join -S d1comp -UAdministrator%Password Using short domain name -- D1COMP Joined 'SERVER' to realm 'D1COMP.LAN'# /etc/init.d/winbind start Starting Samba WINBIND daemon ... done

Basic Check:

# wbinfo -t checking the trust secret via RPC calls succeeded# wbinfo -g D1COMP\domain guests D1COMP\domain users D1COMP\...

Check support of ntlm authentication:

# wbinfo -a d1comp\\user%password plaintext password authentication succeeded challenge/response password authentication succeeded
ntlm_auth requires access to the privileged winbind pipe in order to function properly.

Enable this by changing group of the winbind_privileged directory to the group you run Squid as (cache_effective_group setting in squid.conf).

chgrp squid /var/lib/samba/winbindd_privileged

Edit squid.conf to enable both the winbind basic and ntlm authenticators. IE will use ntlm and everything else basic:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 10 #auth_param ntlm max_challenge_reuses 0 #auth_param ntlm max_challenge_lifetime 2 minutes #auth_param ntlm use_ntlm_negotiate off auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Domain Proxy Server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off authenticate_cache_garbage_interval 10 seconds ## # Credentials past their TTL are removed from memory authenticate_ttl 0 seconds ## ## acl entries to require authentication: acl AuthorizedUsers proxy_auth REQUIRED http_access allow all AuthorizedUsers

This howto is no guarantee to get it work, but kind of reminder for me : /
Special thanks to Adrian Chadd and the wiki @ squid-cache.org!