yurisk.info » Linux

Time-based access limiting on Checkpoint or any Linux for that matter

Yuri — Mon, 14 Nov 2011 21:08:16 +0000

Time-based access-lists in Cisco world are available since … last century for sure. But is it possible that Linux doesn’t have anything like that ? No way – of course it can do and do it better. Here is how .
Access control based on time of the day is available via pam module, and as almost all software today supports working with pam modules, it means it is available universally.
Steps to do it are these:

Enable pam_time.so module for the software of interest in its config file in /etc/pam.d ;
Configure time range(s) when this service is accepting connections using file /etc/security/time.conf
Most probably restart the service and we are set.

E.g. Let’s restrict user ftp_user so that it is able to connect to vsftpd daemon only during working hours of the weekdays.
- Add to file /etc/pam.d/vsftpd the following line
account required /lib/security/pam_time.so
- Set time limits in /etc/security/time.conf with this line
vsftpd;*;ftp_user;Wk0800-1700
- Restart vsftpd to force it using pam_time.so module (need to do it just first time)
#service vsftpd restart
And now during the off-limit hours the ftp_user will not be able to connect by FTP, that is it .

For Checkpoint all the above holds true, but as you don’t have much servers there , the most probable candidate for such restrictions is ssh daemon. For example firewall that the client has access by ssh to it as well – while mail alerts for such access (see Mail alert on ssh access in Checkpoint) will warn me about such access, it does me no good if someone on client side accesses the firewall at 02:00 am at night and I get alert . But if it happens during working hours only, I can see such alert and act in real time.
Example for limiting ssh access to the firewall to working hours only.
/etc/security/time.conf :
sshd;*;client_user;Wk0900-1900
/etc/pam.d/sshd :
account required /lib/security/pam_time.so

Watch your DNS records day and night with Nagios

Yuri — Sun, 09 Oct 2011 10:11:22 +0000

Domain records are most visible vulnerable and many time crucial asset of the company.
Attackers need not break your firewall protection, find and develop exploits for software running on your server to cut off your company from mails – it is enough for them to cause a change of MX record and it’s done – no incoming mails.
I’ve seen real life example of this happening with huge company when due to human error made to MX record that went unnoticed the company didn’t get mails.
While there are companies making millions on protecting domains (do whois on Google.com,Facebook.com to see example) you can at least spot potential problems automatically in no time with Nagios.
The plugin to watch for DNS record is called check_dns and works this way – you configure which hostname to query and what the IP address for it should be , if the IP return doesn’t much the one configured the Critical condition occurs and alert is fired.
This is the simplest of possible checks – to check hostname to IP mapping, more advanced checks are possible with check_dig plugin.
Example – if IP of the hostname mx20.013net.net that handles mail for my provider changes from 194.90.9.19, the alert will be sent:
check_dns -H mx20.013net.net -a 194.90.9.19 -s 8.8.8.8

Two tips to secure SSH access from specific IPs to specific users in Checkpoint or any Linux

Yuri — Tue, 05 Apr 2011 07:06:06 +0000

Today I’ll bring you two tips to secure SSH access to the Checkpoint firewall beyond firewall rules itself. SSH access is the most powerful way to own the firewall so it should be secured to the paranoid level and even then it is never enough.
Tip 1 Change the listening port.
You may say obscurity is not security but I will not agree – any measure that makes attacking your system harder without much burden on you is valid. After all there is no such thing total security, only endless arms race. Checkpoint just being a Linux in disguise uses OPenSSH server so changing the port is done via :
NOTE before changing listening port don’t forget to allow incoming connection on this port in firewall rules.

/etc/ssh/sshd_config
#Port 22

You change the above line to (if say I want to change port to 5022):

Port 5022

Then save , then restart the SSH daemon:

[Expert@fireball]# service sshd restart

Now you connect to the firewall #ssh -p 5022 user@IP
Tip 2 Limit SSH access per user and per IP address
Openssh provides the possibility to restrict access for specific user to specific IP addresses. I will look here at few potential scenarios.
Case 1 Limit all SSH users to access from specific IP , here from network 99.19.19.0/24:
At the bottom of the same file /etc/ssh/sshd_config I add:

AllowUsers *@99.19.19.*

Save , restart SSH daemon and this will take effect – only users coming from network
99.19.19.0/24 will be able to login by ssh , any other source IP will always get “Wrong username or password”
Case 2 Limit some users to access from specific IPs but allow others from Any.
Checkpoint comes with default user admin that people often do not change, and I concluded over the years that changing people’s bad behavior is much harder than changing firewalls. So I do this:
When both me and client are managing the firewall, i create the username for me , here yurisk and restrict the username admin to internal nets (for emergency cases) and his specific IP.Here my user is yurisk, client’s user is admin and LAN is 10.88.88.0/24 and client’s WAN IP is 123.123.123.10

/etc/ssh/sshd_config
AllowUsers admin@123.123.123.10 admin@10.88.88.* yurisk

You can be Nmap hacker too – contribute new signatures in few easy steps and feel proud of yourself

Yuri — Thu, 24 Mar 2011 09:07:19 +0000

NMAP is probably the most known long standing and community involved security-related project in the Open Source universe ever. And it is quite naturally to think that there is nothing left to be done to improve it by end users like us, and of course the opposite is the case. If we forget for a second all the complex C/C++/Lua/etc coding involved to sharpen the algorithms and performance of the Nmap, after all it is a signature based network scanner that is as good as its signatures are. And here you can never get enough.
Just find some over the shelf network equipment, run a scan on it , be surprised that it is not recognized by Nmap and contribute its signature back to the Nmap communa, then buy yourself a beer and put a sign in your cube ” I contributed to Nmap”
– So how do you do this? Piece of cake.
When running scan with -sV option (version detection of the software) if the target is not known to the Nmap it will print out as the output the Nmap-style fingerprint of the scanned service. It is ok to just take copy and paste it here : http://insecure.org/cgi-bin/submit.cgi, but then I wouldn’t write this article. So let’s do some practice.
There is a nice anti-spam and anti-virus appliance called PineApp Mailsecure , produced by Israel company named (surprise ..) Pineapp and which is quite popular at least here in Israel. Unfortunately Nmap does not recognize it beyond having an opened port of 25.
Here is the result of the Nmap scan.

nmap -v -n -sV -P0 12.12.12.12

Starting Nmap 5.21 ( http://nmap.org ) at 2091-03-17 15:41 IST
NSE: Loaded 4 scripts for scanning.
Initiating SYN Stealth Scan at 15:41
Scanning 12.12.12.12 [1000 ports]
Discovered open port 25/tcp on 12.12.12.12
Completed SYN Stealth Scan at 15:41, 4.88s elapsed (1000 total ports)
Initiating Service scan at 15:41
Scanning 2 services on 12.12.12.12
Completed Service scan at 15:41, 13.88s elapsed (2 services on 1 host)
NSE: Script scanning 12.12.12.12.
NSE: Script Scanning completed.
Nmap scan report for 12.12.12.12
Host is up (0.015s latency).
Not shown: 996 filtered ports

PORT STATE SERVICE VERSION
25/tcp open smtp
113/tcp closed auth

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port25-TCP:V=5.21%I=7%D=3/19%Time=4D14329D%P=i686-pc-linux-gnu%r(NULL,2
SF:5,”220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n”)%r(Hello,
SF:8E,”220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n250-Ready\
SF:x20to\x20receive\x20mail\x20-=-\r\n250-AUTH\x20LOGIN\x20PLAIN\r\n250-AU
SF:TH=LOGIN\x20PLAIN\r\n250-PIPELINING\r\n250\x208BITMIME\r\n”)%r(Help,28,
SF:”451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n”)%r(GenericL
SF:ines,28,”451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n”);

Read data files from: /usr/local/share/nmap

So let’s fix this,but first some preliminary knowledge of importance.
All its service signatures Nmap keeps in the file nmap-service-probes that has some predefined keywords that are easy to remember and use :
-First we want to create a probe to define what string to which port to send, it goes like this:
In our case the target service is SMTP so no changes are due to the existing probe,

Probe TCP Hello q|EHLO\r\n|

The above means send word EHLO once connected.
Next line starts with the word rarity and its value. The higher the number the less is the probability of running this service probe, leave it as is in our case, as it will be run if previous port scanning reports port 25 as open.
rarity 8
The rarity line is followed by the list of ports for which this service probe will be triggered once they are reported as open. Again , in our case we leave it as is:
ports 25,587,3025
Then goes sslports keyword to specify SSL enabled ports, finally followed by totalwaitms also of no interest here .
Now we come to the good stuff – many lines doing matches of different vendors/equipment that all and each start with keyword match. let’s have a closer look at it:
match m|matching regex pattern Perl style| [version/device/hardware optional info]
The best way to get it is via an existing match in the file:

match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/

It basically says:
Send EHLO command to the target,check output the output from the target and look for string that starts with 220 followed by printable string of variable length, followed
by word DP- then decimal number, note – here () allow to later reference the matched part of the string inside (), followed by Return and New Line char (\r\n), followed by word “250-DSN” and finally followed by return + new line (\r\n). If such match is found then print to the terminal string “Panasonic smtpd” , in version field (v/$1/) print what was matched by (DP-\d+) and in device type field print printer (d/printer/).
That is it to it. Now let’s create a signature for the PineApp.
We have 2 options here – to actually run a scan against the PineApp target and decipher the output, or , what I do here, use the common sense.
First I will try to do what Nmap Probe EHLo does – namely connect by telnet to port 25 and issue EHLO command. After that I will try to compile a regex expression matching the output.

[root@darkstar ~]# telnet 12.12.12.12 25

Trying 12.12.12.12…
Connected to earth.planet.co (12.12.12.12).

Escape character is ‘^]’.
220 Ready to receive mail -=- ESMTP
helo a
250 Ready to receive mail -=-
quit
221 Ready to receive mail -=-
Connection closed by foreign host.

Well, the regex is not that hard to do here:
match smtp m|^220 Ready to receive mail -=- ESMTP\r\n| p/PineApp Mail-secure/ i/PineApp Av and Antispam mail gateway/ o/Linux/
I edit /usr/local/share/nmap/nmap-service-probes and insert the above regex under Probe TCP Hello where the matches start, save it and run the Nmap on the same host not recognized before:

nmap -n -sV -P0 12.12.12.12

Starting Nmap 5.21 ( http://nmap.org ) at 2091-03-17 15:46 IST
Nmap scan report for 12.12.12.12
Host is up (0.012s latency).

Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp PineApp Mail-secure (PineApp Av and Antispam mail gateway)
113/tcp closed auth
Service Info: OS: Linux

Convert mb4 to mp3 files in one run with ffmpeg

Yuri — Sat, 23 Oct 2010 08:38:40 +0000

Folks at Defcon.org have been somewhat inconsistent in publishing their conference audio archives – once they do it in mb4 format, once in mp3 . As I listen to them on my mobile phone during my commuting to the work and it doesn’t accept anything but mp3 I had to first convert all audio files from mb4 to mp3 format. Not a problem though, the one-liner below will find all files ending with .mb4 in the current folder and convert them to .mp3 files preserving the filenames.

find . -iname "*.m4b" -exec ffmpeg -i {} -acodec libmp3lame {}.mp3 \;

List of valid domain names for load testing DNS

Yuri — Sat, 14 Aug 2010 09:45:19 +0000

I am currently running a bunch of tests on DNS resolver software called Unbound to see what it is worth and for that needed a list of valid domain names in different but controllable TLDs. The only resource to download such list I could find was 3 million records file from Nominum Sample query data file for use with resperf . Only that it contains all kinds of record types : A, PTR, AAAA and I want list of domain names where I can modify query type but also that it will be of a specific TLD sample.
Say all domains in .ASIA only TLD . To compile such list I took a word list , added to each word specific extensions and then run against some DNS server. Then I filtered the answers to include only existing resolvable domains that return at least 1 answer to query ANY. So far I did it for extensions : .ASIA .COM .CA .BIZ .EDU .EU .FR .INFO .MIL .NET .ORG .RU and it brought 831903 valid domains.
You can download the final list of those domains here : Domain list 831903 domains

Query non-standard port of SNMP

Yuri — Wed, 11 Aug 2010 06:14:45 +0000

Sometimes the simple things are the ones to perplex you the most . Today I needed to add an SNMP monitoring of the Radware Linkproof listening on the port 7777 .Not a big deal, I thought. But before doing it in the monitoring system I just wanted to be sure and tried to query the Linkproof using snmpwalk . To much of my surprise in its help there was no mention how to do it . Searching the Google brought me –p that didn’t work though. The solution is actually quite simple – just immediately after the
IP of the device put : e.g.

root@darkstar# snmpwalk -v 2c -c notpublic 12.120.186.8:7777

MAC finder script

Yuri — Fri, 02 Jul 2010 05:35:37 +0000

While I don’t like going down to Layer 2 , recently I had to do it – I didn’t know IP address of the Cisco router I wanted to connect to but I had access to the Cisco router sitting in the same network. That would be pretty easy to do #show arp on this router and then search on Google to whom belongs each MAC if it wasn’t the subnet mask of /26. Copy pasting each entry of the ARP table into Google didn’t look like a lot of fun. So I wrote a python script that reads MAC addresses in bulk from command line and using downloaded beforehand database of MAC-vendor translations prints vendor for each MAC address. It works for #show arp on CIsco,#show mac-address-table on CIsco switches, #arp -en on Linux (means including Checkpoint), #arp -a on Freebsd ,#show arp of Junos from Juniper, #get sys arp on Fortigate.
Below is the script.
Here:
mac-database.txt – file containing MAC-vendor translation in format , I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want ready to use file I recommend nmap-mac-prefixes from nmap source-code distribution http://nmap.org/svn/nmap-mac-prefixes
Download script (to make sure formatting is preserved, an important thing for Python)
http://yurisk.info/scripts/mac-finder.py
Script AND mac database from nmap project – http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/python
#This script accepts MAC addresses from the command line and
#prints vendor for each mac address
# Author:Yuri, yurisk@yurisk.info,06.2010
import sys
import re
#This function removes from MACs colon or dot and returns MAC as a sequence of HEX chars
def dotreplace(matchobj):
         if matchobj.group(0) == '.':
                return ''
         elif  matchobj.group(0) == ':':
                return ''
#open file with MAC addresses and vendors database,it has form xxxx 
macs=open('mac-database.txt','r')
macs_lines=macs.readlines()
#Read from stdinput
data = sys.stdin.readlines()
for ppp in data:
       popa=re.search('.*([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4}).*',ppp,re.IGNORECASE)
       if popa:
             newpopa=re.sub('\.', dotreplace,popa.group(1))[0:6]
             newpopa_re=re.compile(newpopa,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopa_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]
       popalinux = re.search('.*([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popalinux:
             newpopalinux=re.sub(':',dotreplace,popalinux.group(1))[0:6]
             newpopalinux_re=re.compile(newpopalinux,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopalinux_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

       popadash = re.search('.*([a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popadash:
             newpopadash=re.sub('-',dotreplace,popadash.group(1))[0:6]
             newpopadash_re=re.compile(newpopadash,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopadash_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

Running it:

[root@darkstar ]# ./mac-finder.py

$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]

(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

How to choose the password that noone can guess and you cant remember

Yuri — Wed, 09 Jun 2010 10:29:21 +0000

How to choose the password that noone can guess and you cant remember Of course you know what the good password should be – random letters including capitals, peppered with numbers and enhanced with printable control characters.
The only small but important detail these recommendations seem to forget is that there are may be few hundreds in the world that can memorize such incomprehensible sequence of chars. So if someone does decide to follow it such passwords end up being written on the paper and stuck to the monitor (on its back).
I never followed such recommendations but nevertheless found the way to come up with hard to break passwords. Here it is – I just take easily memorizeable sentence from some verse/prose , take first letters of each word, capitalize first letter and then add some predefined number that doesn’t chnage from password to password .Example follows.
This is how the 1st sentence from e.e. cummings turns into password:
Anyone lived in a pretty how town -> Aliapht7722
As I said previously these are passwords I use also for SSH user access and for the last year brute force efforts went down the drains (so far).
The topic of passwords is actually a big one , and more of human psychology kind rather than crypto-randomness sort of things.
For more about that look for example here:
www.schneier.com
Another way to come up with random but easy to pronounce words for passwords can be done with scientific approach:
www.multicians.org

Top 10 usernames used in SSH brute force

Yuri — Fri, 04 Jun 2010 09:08:23 +0000

In continuation to yesterday’s post I thought it would be interesting to know statistics of the usernames used in those bruteforce probes. I thought and I did . Find below awk/sed script to get usernames for failed ssh login attempts and sort it for statistics and also list of the usernames I got from my server. The full list of usernames can be found at the end.
The script:

awk '/Failed password for/ ' /var/log/secure* | sed 's/.* $[[:print:]]\+$ from .*/ \1 /g ' | sort | uniq -c | sort -n -k1

And the winners are:

The table listing top 10 usernames used in real cracking attampts on SSH service
Username	Number of times seen
mysql	232
info	252
postgres	317
guest	435
nagios	452
user	459
oracle	598
admin	884
test	1017
root	22058

Full list of the usernames Usernames.log