yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Linux (page 3 of 4)

Query non-standard port of SNMP

Sometimes the simple things are the ones that perplex you the most. Today I needed to add SNMP monitoring of a Radware Linkproof listening on port 7777. Not a big deal, I thought. But before doing it in the monitoring system I just wanted to be sure and tried to query the Linkproof using snmpwalk. To my surprise, its help made no mention of how to do it. Searching Google brought up -p <port>, which didn't work though. The solution is actually quite simple: just put :<port> immediately after the IP of the device, e.g.

root@darkstar# snmpwalk -v 2c -c notpublic 12.120.186.8:7777

MAC finder script

While I don't like going down to Layer 2, recently I had to: I didn't know the IP address of the Cisco router I wanted to connect to, but I had access to a Cisco router sitting in the same network. That would have been easy enough with #show arp on this router and then a Google search for the owner of each MAC, if the subnet mask had not been /26. Copy-pasting each entry of the ARP table into Google didn't look like a lot of fun. So I wrote a Python script that reads MAC addresses in bulk from the command line and, using a MAC-vendor translation database downloaded beforehand, prints the vendor for each MAC address. It works for #show arp on Cisco, #show mac-address-table on Cisco switches, #arp -en on Linux (which includes Checkpoint), #arp -a on FreeBSD, #show arp of Junos from Juniper, and #get sys arp on Fortigate.
Below is the script. Here:
mac-database.txt – file containing the MAC-vendor translation in the format <MAC, 6 hex digits as a sequence> <VENDOR>. I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want a ready-to-use file I recommend nmap-mac-prefixes from the nmap source-code distribution: http://nmap.org/svn/nmap-mac-prefixes
Download the script (to make sure formatting is preserved, an important thing for Python):
http://yurisk.info/scripts/mac-finder.py
Script AND MAC database from the nmap project: http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/python
# This script accepts MAC addresses (Cisco dotted, colon- or dash-separated
# notation) on standard input and prints the vendor for each MAC address
# Author: Yuri, yurisk@yurisk.info, 06.2010
from __future__ import print_function
import sys
import re

# This function removes from MACs the dot, colon or dash separator, so the
# MAC is returned as a plain sequence of HEX chars
def dotreplace(matchobj):
    if matchobj.group(0) in ('.', ':', '-'):
        return ''
    return matchobj.group(0)

# Open file with MAC addresses and vendors database, it has form xxxxxx <Vendor>
macs = open('mac-database.txt', 'r')
macs_lines = macs.readlines()
macs.close()

# Print the input line together with every vendor whose 6-hex-digit OUI
# prefix (the first field of the database line) equals the one we extracted
def print_vendor(line, oui):
    for mac_db in macs_lines:
        if mac_db[0:6].lower() == oui.lower():
            print(line.strip(), mac_db[7:].rstrip())

# One separator and regex per MAC notation found in the supported outputs:
# Cisco xxxx.xxxx.xxxx, Linux/BSD/Junos/Fortigate xx:xx:xx:xx:xx:xx and xx-xx-xx-xx-xx-xx
formats = (
    ('.', r'([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4})'),
    (':', r'([a-f0-9]{2}(?::[a-f0-9]{2}){5})'),
    ('-', r'([a-f0-9]{2}(?:-[a-f0-9]{2}){5})'),
)

# Read from stdin (paste the ARP table, then hit CTRL+D)
data = sys.stdin.readlines()
for ppp in data:
    for separator, pattern in formats:
        found = re.search(pattern, ppp, re.IGNORECASE)
        if found:
            # Strip the separators and keep the first 6 hex digits, i.e. the OUI
            oui = re.sub(re.escape(separator), dotreplace, found.group(1))[0:6]
            print_vendor(ppp, oui)

Running it:

[root@darkstar ]# ./mac-finder.py
<now I copy paste output from arp -a in BSD>
$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]
<Hit CTRL+D to signal the end of input>
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

How to choose the password that noone can guess and you cant remember

Of course you know what a good password should be – random letters including capitals, peppered with numbers and enhanced with printable control characters.
The only small but important detail these recommendations seem to forget is that there may be only a few hundred people in the world who can memorize such an incomprehensible sequence of characters. So if someone does decide to follow them, such passwords end up written on paper and stuck to the monitor (on its back).
I never followed such recommendations but nevertheless found a way to come up with hard-to-break passwords. Here it is: I take an easily memorizable sentence from some verse or prose, take the first letter of each word, capitalize the first letter and then add some predefined number that doesn't change from password to password. Example follows.
This is how the 1st sentence from e.e. cummings turns into password:
Anyone lived in a pretty how town -> Aliapht7722
As I said previously, these are passwords I also use for SSH user access, and for the last year brute force efforts have gone down the drain (so far).
The topic of passwords is actually a big one, and more a matter of human psychology than of crypto-randomness.
For more about that look for example here:
www.schneier.com
Another way to come up with random but easy-to-pronounce words for passwords is a more scientific approach:
www.multicians.org

Top 10 usernames used in SSH brute force

In continuation of yesterday's post I thought it would be interesting to know the statistics of the usernames used in those brute force probes. I thought, and I did. Find below the awk/sed script that extracts usernames from failed SSH login attempts and sorts them for statistics, as well as the list of usernames I got from my server. The full list of usernames can be found at the end.
The script:

awk '/Failed password for/ ' /var/log/secure* | sed 's/.* \([[:print:]]\+\) from .*/ \1 /g ' | sort | uniq -c | sort -n -k1

And the winners are:

The table lists the top 10 usernames used in real cracking attempts on the SSH service:

Username   Number of times seen
mysql        232
info         252
postgres     317
guest        435
nagios       452
user         459
oracle       598
admin        884
test        1017
root       22058

Full list of the usernames Usernames.log

SSH brute force is on the rise

SSH brute forcing is still in high demand. I have, for my own testing and pleasure, virtual servers scattered around the world. All of them are of the Linux/BSD family and I manage them by SSH. The other quirk of mine is that I have on purpose no static IP at home, for various reasons (saving me money being one of them). And to manage those servers by SSH I implement a very simple security rule: from Any to SSH port, allow. The port is left as the standard one, 22. After all that time my server was broken into just once, when I gave SSH access to a colleague of mine and later he changed the password to something crackable in 5 seconds. Since then I, first, don't give SSH access to colleagues :), and second, look from time to time at the SSH failed attempts logs for amusement.

My observations so far are:
– SSH brute forcing is still/yet/again extremely popular and increasing. On average, after unfirewalled access to port 22 is discovered it goes to ~5000-6000 attempts per day.
– crackers do have some means of communicating between them (market economy?): my servers have static IPs, and in the first days after setup brute force login attempts are as low as 2-10 a day. But once the server IP has been discovered by determined crackers the numbers go up very quickly.
– origins of the attacks correlate pretty well with the known sources of spam/malware: Brazil, China, US etc.
If you'd like to look at your SSH logs and do some stats on failed attempts, here is the awk one-liner I use. Enjoy.

awk '/authentication failure/ && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/, IP) { IPS[IP[0]]++ }
     END { for (cracker_ips in IPS) print cracker_ips " " IPS[cracker_ips] }' /var/log/secure.1 | sort -n -k2
190.202.85.3 1
194.192.14.7 1
212.111.199.3 1
222.124.195.1 1
210.71.71.1 2
89.138.195.1 5
212.156.65.7 25
202.117.51.2 32
210.51.48.7 32
115.146.138.5 47
60.191.98.5 88
174.120.208.5 107
61.129.60.2 165
202.103.180.4 175
213.251.192.2 239
91.82.101.4 242
220.173.60.6 264
12.11.210.3 271
144.16.72.1 291
212.118.5.1 360
66.11.122.1 384
211.160.160.1 703
190.12.66.1 999
83.19.184.3 1176
67.213.8.2 4955
199.187.120.2 5312
95.0.180.2 6680
85.131.163.5 7685

NB Crackers' IPs are not sanitized
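Both one-liners on this page, the awk/sed username ranking from the previous post and the IP ranking above, are easy to reproduce in Python, and doing so makes the parsing explicit and testable. The following is an added example, not code from the original posts. It runs over a constructed sample of /var/log/secure lines (hostnames, PIDs and RFC 5737 test addresses are made up) and ranks usernames and source IPs from the "Failed password" lines, plus source IPs from the pam_unix "authentication failure" lines that the gawk one-liner keys on. The regexes and function names are this example's own.

```python
import re
import sys
from collections import Counter

# Constructed sample of /var/log/secure lines (hostnames, PIDs and
# RFC 5737 test addresses are made up for this example)
SAMPLE_LOG = """\
Jul 10 03:12:01 darkstar sshd[2211]: Failed password for root from 203.0.113.45 port 52234 ssh2
Jul 10 03:12:03 darkstar sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 52240 ssh2
Jul 10 03:12:05 darkstar sshd[2215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jul 10 03:12:07 darkstar sshd[2218]: Failed password for test from 198.51.100.7 port 40112 ssh2
Jul 10 03:12:09 darkstar sshd[2219]: Accepted publickey for yuri from 192.0.2.10 port 50000 ssh2
Jul 10 03:12:11 darkstar sshd[2220]: Failed password for root from 203.0.113.45 port 52250 ssh2
Jul 10 03:12:12 darkstar sshd[2220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.45  user=root
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# sshd line: "Failed password for [invalid user] <name> from <ip> port <n> ssh2"
# The optional "invalid user " is skipped so only the attempted name is captured,
# which is what the sed expression on the page does with the word before " from "
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>" + IPV4 + ")")
# pam_unix line: "... authentication failure; ... rhost=<ip>  user=<name>"
PAM_RE = re.compile(r"authentication failure;.*rhost=(?P<ip>" + IPV4 + ")")


def failed_logins(lines):
    """Yield (username, source_ip) for every 'Failed password' line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def top_usernames(lines, n=10):
    """Usernames ranked by failed attempts, like the sort | uniq -c | sort pipeline."""
    return Counter(user for user, _ in failed_logins(lines)).most_common(n)


def top_sources(lines, n=10):
    """Source IPs ranked by failed attempts; the whole last octet is matched."""
    return Counter(ip for _, ip in failed_logins(lines)).most_common(n)


def pam_failure_sources(lines, n=10):
    """The same IP ranking taken from the pam_unix 'authentication failure' lines."""
    counts = Counter()
    for line in lines:
        m = PAM_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    # Pass a log file (e.g. /var/log/secure) as the first argument, otherwise use the sample
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print("usernames:")
    for user, count in top_usernames(lines):
        print("%6d %s" % (count, user))
    print("source IPs:")
    for ip, count in top_sources(lines):
        print("%6d %s" % (count, ip))
```

Counting "Failed password" lines gives one record per attempt; the pam_unix lines are written by the PAM stack for the same attempts, so the two rankings should agree on a real log and a large difference between them usually means a different log format or a non-PAM sshd build, not a different set of attackers.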

IP Options are evil – drop them, drop them on Cisco ASA/IOS, Microsoft ISA, Juniper or Checkpoint

As you probably noticed, the IP header has a variable-length placeholder for the IP Options field. It has been there since the beginning, once a good idea for debugging, now turned into trouble. RFC 791 states that hosts and routers supporting the IP protocol must implement the IP Options field. It is up to the vendor to decide what to do with this optional field, but it must understand it. Still, this wouldn't be a problem if not for the modern architecture of routing equipment, which was designed to do routing most efficiently, i.e. pass gigabytes of traffic from interface to interface. Therefore routing functions are highly optimized and most of the time implemented in hardware. All other types of traffic unfortunately are not, and in most cases the processing of what we may call control traffic is left to the poor router CPU and done in software. That brought trouble into the IP world: relatively small amounts of control traffic (including IP Options packets) may bring down an otherwise powerful router in just minutes.
To prevent this attack vendors implemented protection measures to drop entirely or selectively IP packets that have the IP Options field set. Below is a quick cheat sheet on how to do it on some gear:
Checkpoint firewall NG/NGX: packets with IP Options are dropped by default, except for the "Router Alert" option (0x94) for the IGMPv2 and PIM protocols [or so CP claim, will have to verify later], and not even logged. To start logging dropped packets go to Policy -> Global Properties -> Log and Alerts -> check IP dropped packets: Log
There is a related value that is on by default: Global Properties -> SmartDashboard customization -> Advanced Configuration -> Configure -> Firewall 1 -> Stateful inspection -> enable_ip_options (check/uncheck), but unchecking it removes from the firewall VM chain the module that inspects these Options at all, and all IP Options packets are dropped. So all packets bearing IP Options are happily dropped even before the security rules, here:

[Expert@splat60]# fw ctl chain
in chain (9):
0: -7f800000 (9095dd60) (ffffffff) IP Options Strip (ipopt_strip)
1: -1fffff6 (9095ee80) (00000001) Stateless verifications (asm)

Also Checkpoint say you can decide which Ip Options will be allowed later BUT only when installing the firewall: “The set of permitted options must be configured during installation … the enable_ip_options setting in SmartDashboard is then used to enable or disable this functionality. Contact Check Point support for instructions on configuring the set of allowed IP options.”

Microsoft ISA 2000 Server:
– If Enable Packet Filtering is not checked, do it in IP Packet Filters -> Properties -> General tab. On the Packet Filters tab check Enable Filtering IP Options.
Microsoft ISA 2004 Server:
– IP options filtering is enabled by default
– Go to the Configuration node of the server in question in the Management console -> General -> Additional Security Policy -> Define IP Preferences. Here you have 3 options to deal with IP Options packets:
a) Deny packets with any IP options;
b) Deny packets with selected IP options;
c) Deny packets with all except selected IP options
The same options are available in ISA 2006: click on the Configure IP Protection link -> IP Preference settings
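To see what the filters above actually look at, here is an added example, not code from the original post or from any of the vendors mentioned: a small IPv4 option parser that walks the option list after the fixed 20-byte header (type byte, length byte, data), names each option by its RFC 791 number using the same keywords as the Junos ip-options list further down the page, and then applies one of the three ISA-style policies (deny any, deny selected, deny all except selected) to the result. The header builder and the three option samples (Record Route as ping -R sends it, Router Alert 0x94, Loose Source Route) are constructed for this example; the checksum is left at zero and the function names are this example's own.

```python
import struct

# IPv4 option numbers (low 5 bits of the option type byte, per RFC 791 and later
# RFCs), named after the Junos ip-options keywords listed on this page
OPTION_NAMES = {
    0: "end-of-options",
    1: "no-operation",
    2: "security",
    3: "loose-source-route",
    4: "timestamp",
    7: "route-record",
    8: "stream-id",
    9: "strict-source-route",
    20: "router-alert",   # type byte 0x94, the one Checkpoint lets through by default
}


def parse_ipv4_options(packet):
    """Return [(number, name, length)] for the options carried in an IPv4 header.
    Raises ValueError on a truncated or malformed header, which a filter should treat as drop."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        number = opts[i] & 0x1F
        if number == 0:            # End of Option List: the rest is padding
            break
        if number == 1:            # No Operation: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((number, OPTION_NAMES.get(number, "unknown-%d" % number), length))
        i += length
    return found


def decide(options, mode, selected=()):
    """Apply one of the three ISA-style modes to a parsed option list, returning 'drop' or 'accept':
    'deny-any', 'deny-selected' (drop if any selected option is present) or
    'deny-all-except-selected' (accept only if every option present is in the selected set)."""
    names = {name for _, name, _ in options}
    if not names:
        return "accept"
    if mode == "deny-any":
        return "drop"
    if mode == "deny-selected":
        return "drop" if names & set(selected) else "accept"
    if mode == "deny-all-except-selected":
        return "accept" if names <= set(selected) else "drop"
    raise ValueError("unknown mode " + mode)


def build_ipv4_header(options=b""):
    """Constructed sample: a bare IPv4/ICMP header (checksum zero) with raw options padded to 32 bits."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(padded), 0, 0, 64, 1, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + padded


# Constructed sample options: Record Route as 'ping -R' sends it (type 7, room for 9 hops),
# Router Alert (type 0x94, length 4) and Loose Source Route (type 0x83) with one hop
RECORD_ROUTE = bytes([7, 39, 4]) + bytes(36)
ROUTER_ALERT = bytes([0x94, 4, 0, 0])
LOOSE_SOURCE_ROUTE = bytes([0x83, 7, 4]) + bytes([192, 0, 2, 1])


def classify_samples(mode, selected=()):
    """Run the parser and policy over the constructed samples; returns {label: verdict}."""
    samples = {"no-options": b"", "record-route": RECORD_ROUTE,
               "router-alert": ROUTER_ALERT, "lsrr": LOOSE_SOURCE_ROUTE}
    verdicts = {}
    for label, raw in samples.items():
        try:
            verdicts[label] = decide(parse_ipv4_options(build_ipv4_header(raw)), mode, selected)
        except ValueError:          # malformed option list: never forward it
            verdicts[label] = "drop"
    return verdicts


if __name__ == "__main__":
    # The Junos 'ip-options route-record; then reject' term, expressed as deny-selected
    print(classify_samples("deny-selected", ["route-record"]))
    # The Checkpoint default: everything with options dropped except Router Alert
    print(classify_samples("deny-all-except-selected", ["router-alert"]))
```

The parser fails closed: an option whose length byte runs past the header, or a header whose IHL exceeds the packet, raises and is dropped, because it is exactly the malformed case that ends up on the slow path of a router CPU.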
IOS Cisco router :
Juniper router:
You just add an ip-options term to the filter and apply it to the interface of interest. In the example below I block only the Record Route type of IP Options; if you use any then it will block any type:
[edit firewall family inet filter NOICMP term 3]
firewall {
    family inet {
        filter NOICMP {
            term 1 {
                from {
                    address {
                        192.168.2.100/32;
                    }
                }
                then {
                    reject;
                }
            }
            term 2 {
                from {
                    ip-options route-record;
                }
                then {
                    reject;
                }
            }
            term 3 {
                from {
                    address {
                        192.168.2.0/24;
                    }
                }
                then accept;
            }
        }
    }
}

Apply to the interface:

interfaces {
    em0 {
        unit 0 {
            enable;
            family inet {
                filter {
                    input NOICMP;
                }
                address 192.168.2.133/24;
            }
        }
    }
}

Other possible arguments to the ip-options clause:

set term 3 from ip-options ?

Possible completions:

  <range>              Range of values
  [                    Open a set of values
  any                  Any IP option
  loose-source-route   Loose source route
  route-record         Route record
  router-alert         Router alert
  security             Security
  stream-id            Stream ID
  strict-source-route  Strict source route
  timestamp            Timestamp

Windows 2008.
By default it doesn't allow/forward packets with Source Routing set, and that's good. For completeness, here is how to enable (or check whether it is enabled) source-routed forwarding:
BillG> netsh interface ipv4 set global sourceroutingbehavior=drop| forward| dontforward
– or-
Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Key: DisableIPSourceRouting
DWORD value: 0
Verify:
In security any measure/protection/method is only as good as the proof you can present that it actually works.
Windows:
– Ping with Record Route field set:
BillG> ping -r 9 192.2.2.1
– Ping with Strict Routing field set:
BillG> ping -k <1st_hop_router_IP> <2nd_hop_router_IP…> <target>
– Ping with Loose Routing field set:
BillG> ping -j <1st_hop_router_IP> <2nd_hop_router_IP…> <target>
– Ping with Timestamp option set:
BillG> ping -s 3 8.8.8.8
Linux:
– Ping with Record Route field set:
root@darktstar:~/nmap# ping -R 8.8.8.8
– Ping with Timestamp option set:
root@darkstar:~/nmap# ping -T tsonly 8.8.8.8
Linux,BSD,Unix :
This handy utility sends a bunch of packets to the target to test which IP Options the target supports:
freebsd# fragtest ip-opt 192.168.2.133
ip-opt: sec lsrr ts esec cipso satid ssrr
I ran fragtest (part of fragroute) above against the Juniper (8.3) that was configured in the example earlier to block only the Record Route option; as you can see, rr is indeed missing from the output list that enumerates which IP Options the target supports [see References for fragroute details].

References for further details:
Juniper: JUNOS Enterprise Routing, 1st Edition, by Doug Marschke and Harry Reynolds, 2008
Microsoft ISA: Microsoft ISA Server 2006 Unleashed, by Michael Noel, 2007
Fragroute: http://monkey.org/~dugsong/fragroute/
Windows 2008: Windows Server 2008 TCP/IP Protocols and Services, by Joseph Davies, 2008

ARP table overflow in Checkpoint and Linux in general

Not specific to Checkpoint but rather an issue of any Linux-based system; still, people often forget about that and look for Checkpoint-specific solutions, so to help with this search I wrote the note on how to fix it below:
The problem usually shows itself as a randomly distributed inability of stations to pass the firewall; slowness and other network problems follow.
In /var/log/messages you see the following record:

kernel: Neighbour table overflow.
That means ARP table has reached its maximum allowed limit and no new ARP entries are being learnt.

You can either find the reason for the sudden influx of ARP requests or adjust the ARP table limits accordingly.
You adjust the ARP table limits either by editing this file (then the change survives reboot):

/etc/sysctl.conf
If not present, add these lines at the end, and try not to delete anything else by mistake:
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 16384

– Then issue the command:
# sysctl -p
– Or if you want to increase it temporarily until reboot:
# echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
# echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
# echo 16384 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

And a short explanation follows.
gc in the above means Garbage Collector (GC).
net.ipv4.neigh.default.gc_thresh1 – sets the minimum number of ARP entries in the cache.
Until this value is reached GC doesn't run at all.
net.ipv4.neigh.default.gc_thresh2 – sets the soft maximum number of ARP entries in the cache.
GC allows the ARP cache to pass this limit for 5 seconds and then starts cleaning.
net.ipv4.neigh.default.gc_thresh3 – sets the hard limit of ARP entries in the cache.
After it is reached no more ARP entries are added.
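Editing sysctl.conf by hand is where the "try not to delete anything by mistake" advice bites, so here is an added Python example (not part of the original post) that does the edit mechanically: it rewrites an existing gc_thresh line in place or appends a missing one, keeps every other line untouched, refuses threshold values that are not ordered gc_thresh1 <= gc_thresh2 <= gc_thresh3, counts the "Neighbour table overflow" records in a set of log lines so you can tell whether the problem is still occurring, and derives the /proc/sys paths for the temporary variant. The sysctl.conf and /var/log/messages contents are constructed samples and the function names are this example's own.

```python
import re

# Constructed sample of an existing /etc/sysctl.conf where one of the
# three keys is already present at a low value and must not be duplicated
SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration file
net.ipv4.ip_forward = 1
net.ipv4.neigh.default.gc_thresh1 = 128
kernel.sysrq = 0
"""

# Constructed sample of /var/log/messages lines
SAMPLE_MESSAGES = [
    "Jun  1 10:00:01 splat60 kernel: Neighbour table overflow.",
    "Jun  1 10:00:01 splat60 kernel: Neighbour table overflow.",
    "Jun  1 10:00:02 splat60 sshd[123]: Accepted password for admin from 192.0.2.5 port 1234 ssh2",
    "Jun  1 10:00:05 splat60 kernel: Neighbour table overflow.",
]

# The values recommended on this page
ARP_THRESHOLDS = {
    "net.ipv4.neigh.default.gc_thresh1": 1024,
    "net.ipv4.neigh.default.gc_thresh2": 4096,
    "net.ipv4.neigh.default.gc_thresh3": 16384,
}

SYSCTL_LINE = re.compile(r"\s*([\w.]+)\s*=")


def count_overflows(lines):
    """Count the kernel 'Neighbour table overflow' records in the given log lines."""
    return sum(1 for line in lines if "Neighbour table overflow" in line)


def validate_thresholds(settings):
    """gc_thresh1 <= gc_thresh2 <= gc_thresh3 must hold, otherwise GC behaves nonsensically."""
    t1 = settings["net.ipv4.neigh.default.gc_thresh1"]
    t2 = settings["net.ipv4.neigh.default.gc_thresh2"]
    t3 = settings["net.ipv4.neigh.default.gc_thresh3"]
    return 0 < t1 <= t2 <= t3


def update_sysctl_conf(text, settings):
    """Return the sysctl.conf text with each key set to the given value: an existing line
    for the key is rewritten in place, every other line is kept, missing keys are appended."""
    if all(k in settings for k in ARP_THRESHOLDS) and not validate_thresholds(settings):
        raise ValueError("gc_thresh1 <= gc_thresh2 <= gc_thresh3 must hold")
    out, seen = [], set()
    for line in text.splitlines():
        m = SYSCTL_LINE.match(line)
        key = m.group(1) if m else None
        if key in settings:
            out.append("%s = %d" % (key, settings[key]))
            seen.add(key)
        else:
            out.append(line)          # comments and unrelated keys pass through unchanged
    for key, value in settings.items():
        if key not in seen:
            out.append("%s = %d" % (key, value))
    return "\n".join(out) + "\n"


def proc_paths(settings):
    """The /proc/sys file and value for each key, for the until-reboot variant (echo value > file)."""
    return [("/proc/sys/" + key.replace(".", "/"), value) for key, value in settings.items()]


if __name__ == "__main__":
    print("overflow records in sample log:", count_overflows(SAMPLE_MESSAGES))
    print(update_sysctl_conf(SAMPLE_SYSCTL_CONF, ARP_THRESHOLDS))
    for path, value in proc_paths(ARP_THRESHOLDS):
        print("echo %d > %s" % (value, path))
```

After writing the new file, running sysctl -p and then counting the overflow records again over a fresh stretch of /var/log/messages is the check that the change took effect; if the count keeps climbing, the cause is an ARP request influx rather than a limit that is merely too low.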


© 2016 yurisk.info
