yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Linux (page 2 of 4)

Time-based access limiting on Checkpoint or any Linux for that matter

Time-based access-lists in Cisco world are available since … last century for sure. But is it possible that Linux doesn’t have anything like that ? No way – of course it can do and do it better. Here is how .
Access control based on time of the day is available via pam module, and as almost all software today supports working with pam modules, it means it is available universally.
Steps to do it are these:

  • Enable pam_time.so module for the software of interest in its config file in /etc/pam.d ;
  • Configure time range(s) when this service is accepting connections using file /etc/security/time.conf
  • Most probably restart the service and we are set.
  • E.g. Let’s restrict user ftp_user so that it is able to connect to vsftpd daemon only during working hours of the weekdays.
    – Add to file /etc/pam.d/vsftpd the following line
    account required /lib/security/pam_time.so
    – Set time limits in /etc/security/time.conf with this line
    vsftpd;*;ftp_user;Wk0800-1700
    – Restart vsftpd to force it using pam_time.so module (need to do it just first time)
    #service vsftpd restart
    And now during the off-limit hours the ftp_user will not be able to connect by FTP, that is it .

    For Checkpoint all the above holds true, but as you don’t have much servers there , the most probable candidate for such restrictions is ssh daemon. For example firewall that the client has access by ssh to it as well – while mail alerts for such access (see Mail alert on ssh access in Checkpoint) will warn me about such access, it does me no good if someone on client side accesses the firewall at 02:00 am at night and I get alert . But if it happens during working hours only, I can see such alert and act in real time.
    Example for limiting ssh access to the firewall to working hours only.
    /etc/security/time.conf :
    sshd;*;client_user;Wk0900-1900
    /etc/pam.d/sshd :
    account required /lib/security/pam_time.so

All you need to know about networking in Checkpoint firewall SecurePlatform FAQ

[showmyads]
Q. How do I see available interfaces, errors on them , IP addresses .
Q. How do I see routing table of the firewall.
Q. How do I see duplex, speed, physical link status of the interface .
Q. How do I manually set duplex, speed, autonegotiation settings of an interface.
Q. How do I save changes to the interface duplex ,speed or autonegotiaiton permanently.
Q. How do I add, delete, change routes.
Q. How do I delete, change IP address on the interface.
Q. How do I add, change, delete VLAN .
Q. How do I see existing VLANs .
Q. Can I combine few interfaces into one logical interface .
Q. How do I shut and unshut an interface.

A. # ifconfig

A. # route -en

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
19.247.195.20 0.0.0.0 255.255.255.252 U 0 0 0 External
10.123.123.0 0.0.0.0 255.255.255.224 U 0 0 0 Lan1

Legend:
Gateway – via which gateway this network is available, 0.0.0.0 means this network is configured locally on the interface
Iface – name of the interface via which this network is reachable

A. # ethtool <name of the interface you want to check, names are case-sensitive>
e.g. # ethtool External
Settings for External:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Current message level: 0x00000007 (7)
Link detected: yes

A. # ethtool -s <name of interface> speed 100
ethtool -s <name of interface> duplex full
ethtool -s <name of interface> autoneg off
IMPORTANT: the changes above will be active until reboot of the firewall, to set them
permanently see below.

A. # eth_set <interface> [10h|10f|100h|100f|1000h|1000f|autoneg]
e.g # eth_set Lan1 100f

A. Using #sysconfig utility and its interactive menu (option 6) .

A. # sysconfig then option 5 .

A. # sysconfig , then option 5 .

A Either via #sysconfig , then option 5 or ifconfig, VLAN interfaces will have format of <physical interface name>.<vlan number> .
e.g. # ifconfig
eth7.301 Link encap:Ethernet HWaddr 00:1B:4A:CF:26:71

A. Yes , such interface is called Bond. Note that out of all interfaces added to the Bond interface, only one will be active and passing the traffic, the rest will be in standby mode in case active interface fails.
NOTE 2 In new versions it is possible to have bond in Load Sharing mode.

A. #ifconfig <interface name > down
# ifconfig <interface name > up

Watch your DNS records day and night with Nagios

Domain records are most visible vulnerable and many time crucial asset of the company.
Attackers need not break your firewall protection, find and develop exploits for software running on your server to cut off your company from mails – it is enough for them to cause a change of MX record and it’s done – no incoming mails.
I’ve seen real life example of this happening with huge company when due to human error made to MX record that went unnoticed the company didn’t get mails.
While there are companies making millions on protecting domains (do whois on Google.com,Facebook.com to see example) you can at least spot potential problems automatically in no time with Nagios.
The plugin to watch for DNS record is called check_dns and works this way – you configure which hostname to query and what the IP address for it should be , if the IP return doesn’t much the one configured the Critical condition occurs and alert is fired.
This is the simplest of possible checks – to check hostname to IP mapping, more advanced checks are possible with check_dig plugin.
Example – if IP of the hostname mx20.013net.net that handles mail for my provider changes from 194.90.9.19, the alert will be sent:
check_dns -H mx20.013net.net -a 194.90.9.19 -s 8.8.8.8

Two tips to secure SSH access from specific IPs to specific users in Checkpoint or any Linux

[showmyads]
Today I’ll bring you two tips to secure SSH access to the Checkpoint firewall beyond firewall rules itself. SSH access is the most powerful way to own the firewall so it should be secured to the paranoid level and even then it is never enough.
Tip 1 Change the listening port.
You may say obscurity is not security but I will not agree – any measure that makes attacking your system harder without much burden on you is valid. After all there is no such thing total security, only endless arms race. Checkpoint just being a Linux in disguise uses OPenSSH server so changing the port is done via :
NOTE before changing listening port don’t forget to allow incoming connection on this port in firewall rules.

/etc/ssh/sshd_config
#Port 22

You change the above line to (if say I want to change port to 5022):

Port 5022

Then save , then restart the SSH daemon:

[Expert@fireball]# service sshd restart

Now you connect to the firewall #ssh -p 5022 user@IP
Tip 2 Limit SSH access per user and per IP address
Openssh provides the possibility to restrict access for specific user to specific IP addresses. I will look here at few potential scenarios.
Case 1 Limit all SSH users to access from specific IP , here from network 99.19.19.0/24:
At the bottom of the same file /etc/ssh/sshd_config I add:

AllowUsers *@99.19.19.*

Save , restart SSH daemon and this will take effect – only users coming from network
99.19.19.0/24 will be able to login by ssh , any other source IP will always get “Wrong username or password”
Case 2 Limit some users to access from specific IPs but allow others from Any.
Checkpoint comes with default user admin that people often do not change, and I concluded over the years that changing people’s bad behavior is much harder than changing firewalls. So I do this:
When both me and client are managing the firewall, i create the username for me , here yurisk and restrict the username admin to internal nets (for emergency cases) and his specific IP.Here my user is yurisk, client’s user is admin and LAN is 10.88.88.0/24 and client’s WAN IP is 123.123.123.10

/etc/ssh/sshd_config
AllowUsers admin@123.123.123.10 admin@10.88.88.* yurisk

You can be Nmap hacker too – contribute new signatures in few easy steps and feel proud of yourself

NMAP is probably the most known long standing and community involved security-related project in the Open Source universe ever. And it is quite naturally to think that there is nothing left to be done to improve it by end users like us, and of course the opposite is the case. If we forget for a second all the complex C/C++/Lua/etc coding involved to sharpen the algorithms and performance of the Nmap, after all it is a signature based network scanner that is as good as its signatures are. And here you can never get enough.
Just find some over the shelf network equipment, run a scan on it , be surprised that it is not recognized by Nmap and contribute its signature back to the Nmap communa, then buy yourself a beer and put a sign in your cube ” I contributed to Nmap” 🙂
— So how do you do this? Piece of cake.
When running scan with -sV option (version detection of the software) if the target is not known to the Nmap it will print out as the output the Nmap-style fingerprint of the scanned service. It is ok to just take copy and paste it here : http://insecure.org/cgi-bin/submit.cgi, but then I wouldn’t write this article. So let’s do some practice.
There is a nice anti-spam and anti-virus appliance called PineApp Mailsecure , produced by Israel company named (surprise ..) Pineapp and which is quite popular at least here in Israel. Unfortunately Nmap does not recognize it beyond having an opened port of 25.
Here is the result of the Nmap scan.

nmap -v -n -sV -P0 12.12.12.12
Starting Nmap 5.21 ( http://nmap.org ) at 2091-03-17 15:41 IST
NSE: Loaded 4 scripts for scanning.
Initiating SYN Stealth Scan at 15:41
Scanning 12.12.12.12 [1000 ports]
Discovered open port 25/tcp on 12.12.12.12
Completed SYN Stealth Scan at 15:41, 4.88s elapsed (1000 total ports)
Initiating Service scan at 15:41
Scanning 2 services on 12.12.12.12
Completed Service scan at 15:41, 13.88s elapsed (2 services on 1 host)
NSE: Script scanning 12.12.12.12.
NSE: Script Scanning completed.
Nmap scan report for 12.12.12.12
Host is up (0.015s latency).
Not shown: 996 filtered ports

PORT STATE SERVICE VERSION
25/tcp open smtp
113/tcp closed auth

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port25-TCP:V=5.21%I=7%D=3/19%Time=4D14329D%P=i686-pc-linux-gnu%r(NULL,2
SF:5,”220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n”)%r(Hello,
SF:8E,”220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n250-Ready\
SF:x20to\x20receive\x20mail\x20-=-\r\n250-AUTH\x20LOGIN\x20PLAIN\r\n250-AU
SF:TH=LOGIN\x20PLAIN\r\n250-PIPELINING\r\n250\x208BITMIME\r\n”)%r(Help,28,
SF:”451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n”)%r(GenericL
SF:ines,28,”451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n”);

Read data files from: /usr/local/share/nmap

So let’s fix this,but first some preliminary knowledge of importance.
All its service signatures Nmap keeps in the file nmap-service-probes that has some predefined keywords that are easy to remember and use :
-First we want to create a probe to define what string to which port to send, it goes like this:
In our case the target service is SMTP so no changes are due to the existing probe,

Probe TCP Hello q|EHLO\r\n|

The above means send word EHLO once connected.
Next line starts with the word rarity and its value. The higher the number the less is the probability of running this service probe, leave it as is in our case, as it will be run if previous port scanning reports port 25 as open.
rarity 8
The rarity line is followed by the list of ports for which this service probe will be triggered once they are reported as open. Again , in our case we leave it as is:
ports 25,587,3025
Then goes sslports keyword to specify SSL enabled ports, finally followed by totalwaitms also of no interest here .
Now we come to the good stuff – many lines doing matches of different vendors/equipment that all and each start with keyword match. let’s have a closer look at it:
match m|matching regex pattern Perl style| [version/device/hardware optional info]
The best way to get it is via an existing match in the file:

match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/

It basically says:
Send EHLO command to the target,check output the output from the target and look for string that starts with 220 followed by printable string of variable length, followed
by word DP- then decimal number, note – here () allow to later reference the matched part of the string inside (), followed by Return and New Line char (\r\n), followed by word “250-DSN” and finally followed by return + new line (\r\n). If such match is found then print to the terminal string “Panasonic smtpd” , in version field (v/$1/) print what was matched by (DP-\d+) and in device type field print printer (d/printer/).
That is it to it. Now let’s create a signature for the PineApp.
We have 2 options here – to actually run a scan against the PineApp target and decipher the output, or , what I do here, use the common sense.
First I will try to do what Nmap Probe EHLo does – namely connect by telnet to port 25 and issue EHLO command. After that I will try to compile a regex expression matching the output.

[root@darkstar ~]# telnet 12.12.12.12 25
Trying 12.12.12.12…
Connected to earth.planet.co (12.12.12.12).

Escape character is ‘^]’.
220 Ready to receive mail -=- ESMTP
helo a
250 Ready to receive mail -=-
quit
221 Ready to receive mail -=-
Connection closed by foreign host.

Well, the regex is not that hard to do here:
match smtp m|^220 Ready to receive mail -=- ESMTP\r\n| p/PineApp Mail-secure/ i/PineApp Av and Antispam mail gateway/ o/Linux/
I edit /usr/local/share/nmap/nmap-service-probes and insert the above regex under Probe TCP Hello where the matches start, save it and run the Nmap on the same host not recognized before:

nmap -n -sV -P0 12.12.12.12
Starting Nmap 5.21 ( http://nmap.org ) at 2091-03-17 15:46 IST
Nmap scan report for 12.12.12.12
Host is up (0.012s latency).

Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp PineApp Mail-secure (PineApp Av and Antispam mail gateway)
113/tcp closed auth
Service Info: OS: Linux

Convert mb4 to mp3 files in one run with ffmpeg

Folks at Defcon.org have been somewhat inconsistent in publishing their conference audio archives – once they do it in mb4 format, once in mp3 . As I listen to them on my mobile phone during my commuting to the work  and it doesn’t accept anything but mp3 I had to first convert all audio files from mb4 to mp3 format. Not a problem though, the one-liner below will find all files ending with .mb4 in the current folder and convert them to .mp3 files preserving the filenames.

find . -iname "*.m4b" -exec ffmpeg -i {} -acodec libmp3lame {}.mp3 \;

List of valid domain names for load testing DNS

I am currently running a bunch of tests on DNS resolver software called Unbound to see what it is worth and for that needed a list of valid domain names in different but controllable TLDs. The only resource to download such list I could find was 3 million records file from Nominum Sample query data file for use with resperf . Only that it contains all kinds of record types : A, PTR, AAAA and I want list of domain names where I can modify query type but also that it will be of a specific TLD sample.
Say all domains in .ASIA only TLD . To compile such list I took a word list , added to each word specific extensions and then run against some DNS server. Then I filtered the answers to include only existing resolvable domains that return at least 1 answer to query ANY. So far I did it for extensions : .ASIA .COM .CA .BIZ .EDU .EU .FR .INFO .MIL .NET .ORG .RU and it brought 831903 valid domains.
You can download the final list of those domains here : Domain list 831903 domains

Older posts Newer posts

© 2016 yurisk.info

Theme by Anders NorenUp ↑