security. computer center, cs, nctu 2 freebsd security advisories – (1)
TRANSCRIPT
SecuritySecurity
Com
pu
ter C
en
ter, C
S, N
CTU
2
FreeBSD Security Advisories – (1)FreeBSD Security Advisories – (1)
http://www.freebsd.org/security/advisories.html
Com
pu
ter C
en
ter, C
S, N
CTU
3
FreeBSD Security Advisories – (2)FreeBSD Security Advisories – (2)
Com
pu
ter C
en
ter, C
S, N
CTU
4
FreeBSD Security Advisories – (3)FreeBSD Security Advisories – (3)
freebsd-security-notifications Mailing list• http://lists.freebsd.org/mailman/listinfo/freebsd-security-notification
s
Com
pu
ter C
en
ter, C
S, N
CTU
5
FreeBSD Security Advisories – (4)FreeBSD Security Advisories – (4)
Example• compress
Com
pu
ter C
en
ter, C
S, N
CTU
6
FreeBSD Security Advisories – (5)FreeBSD Security Advisories – (5)
CVE-2011-2895• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2895
Com
pu
ter C
en
ter, C
S, N
CTU
7
FreeBSD Security Advisories – (6)FreeBSD Security Advisories – (6)
Example• Problem Description
Com
pu
ter C
en
ter, C
S, N
CTU
8
FreeBSD Security Advisories – (7)FreeBSD Security Advisories – (7)
Example• Workaround
Com
pu
ter C
en
ter, C
S, N
CTU
9
FreeBSD Security Advisories – (8)FreeBSD Security Advisories – (8)
Example• Solution
Com
pu
ter C
en
ter, C
S, N
CTU
10
Common Security ProblemsCommon Security Problems
Unreliable wetware • Phishing site
Software bugs• FreeBSD security advisor
• portaudit (ports-mgmt/portaudit)
Open doors• Accounts’ password
• Disk share with the world
Com
pu
ter C
en
ter, C
S, N
CTU
11
portaudit (1)portaudit (1)
portaudit • Checks installed ports against a list of security vulnerabilities
• portaudit –Fda -F: Fetch the current database from the FreeBSD servers. -d: Print the creation date of the database. -a: Print a vulnerability report for all installed packages.
Security Output
Com
pu
ter C
en
ter, C
S, N
CTU
12
portaudit (2)portaudit (2)
portaudit -Fda
http://www.freshports.org/<category>/<portname>
auditfile.tbz 100% of 71 kB 92 kBpsNew database installed.Database created: Mon Dec 12 02:10:00 CST 2011Affected package: gnutls-2.12.7Type of problem: gnutls -- client session resumption vulnerability.Reference: http://portaudit.FreeBSD.org/bdec8dc2-0b3b-11e1-b722-001cc0476564.html
Affected package: apache-worker-2.2.19Type of problem: apache -- Range header DoS vulnerability.Reference: http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
2 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.
Com
pu
ter C
en
ter, C
S, N
CTU
13
Common trick Common trick
Tricks • ssh scan and hack
ssh guard sshit …
• smtp-auth / pop3 / imap• Phishing • XSS & sql injection • …
Objective• Spam • Jump gateway • File sharing• …
Com
pu
ter C
en
ter, C
S, N
CTU
14
Process file system - procfsProcess file system - procfs
Procfs• A view of the system process table
# mount –t procfs proc /proc
Com
pu
ter C
en
ter, C
S, N
CTU
15
Simple SQL injection exampleSimple SQL injection example
User/pass authentication
No input validation
SELECT * FROM usrTableWHERE user =AND pass = ;
SELECT * FROM usrTableWHERE user = ‘test’AND pass = ‘a’ OR ‘a’ = ‘a’
Com
pu
ter C
en
ter, C
S, N
CTU
16
setuid programssetuid programs
passwd
• /etc/master.passwd is of mode 600 (-rw-------) !
setuid executables are especially apt to cause security holes• Minimize the number of setuid programs
/etc/periodic/security/100.chksetuid
• Disable the setuid execution on individual filesystems -o nosuid
zfs[~] -chiahung- ls -al /usr/bin/passwd-r-sr-xr-x 2 root wheel 8224 Dec 5 22:00 /usr/bin/passwd
Com
pu
ter C
en
ter, C
S, N
CTU
17
rlogin – (1)rlogin – (1)
sudo
Trusted remote host and user name database• /etc/hosts.equiv and ~/.rhosts• Allow user to execute shell (rsh), login (rlogin) and copy files (rcp)
between machines without passwords• Format:
Simple: hostname [username] Complex: [+-][hostname|@netgroup]
[[+-][username|@netgorup]]
• Example bar.com foo (trust user “foo” from host “bar.com”) +@adm_cs_cc (trust all from amd_cs_cc group) +@adm_cs_cc -@chwong
---s--x--x 2 root wheel /usr/local/bin/sudo
Com
pu
ter C
en
ter, C
S, N
CTU
18
rlogin – (2)rlogin – (2)
Becoming other users• A pseudo-user for services, sometimes shared by multiple users
• sudo –u wwwadm –s (?)
• /etc/inetd.conf login stream tcp nowait root /usr/libexec/rlogind rlogind
• ~wwwadm/.rhosts localhost pyhsu
• rlogin -l wwwadm localhost
User_Alias wwwTA=pyhsuRunas_Alias WWWADM=wwwadmwwwTA ALL=(WWWADM) ALL
Too dirty!
Com
pu
ter C
en
ter, C
S, N
CTU
19
Security toolsSecurity tools
nmap john, crack PGP CA …
Firewall TCP Wrapper …
Com
pu
ter C
en
ter, C
S, N
CTU
20
TCP Wrapper – (1)TCP Wrapper – (1)
TCP Wrapper• Provide support for every server daemon under its control
libwrap implements the actual functionality
• Before: inetd + tcpd with libwrap
Com
pu
ter C
en
ter, C
S, N
CTU
21
TCP Wrapper – (2)TCP Wrapper – (2)
Now…
$ ldd `which inetd`/usr/sbin/inetd: libutil.so.8 => /lib/libutil.so.8 (0x800651000) libwrap.so.6 => /usr/lib/libwrap.so.6 (0x800761000) libipsec.so.4 => /lib/libipsec.so.4 (0x80086a000) libc.so.7 => /lib/libc.so.7 (0x800971000)
$ ldd `which sshd`/usr/sbin/sshd: libssh.so.5 => /usr/lib/libssh.so.5 (0x800681000) libutil.so.8 => /lib/libutil.so.8 (0x8007cb000) libz.so.5 => /lib/libz.so.5 (0x8008db000) libwrap.so.6 => /usr/lib/libwrap.so.6 (0x8009f0000) libpam.so.5 => /usr/lib/libpam.so.5 (0x800af9000) .....
Com
pu
ter C
en
ter, C
S, N
CTU
22
TCP Wrapper – (3)TCP Wrapper – (3)
libwrap – hosts_access(3)• In sshd source code
Com
pu
ter C
en
ter, C
S, N
CTU
23
TCP Wrapper – (4)TCP Wrapper – (4)
There are something that a firewall will not handle• Sending text back to the source
TCP wrapper• Provide support for every server daemon under its control
• Logging support
• Return message
• Permit a daemon to only accept internal connections
Configuration files• /etc/hosts.allow, /etc/hosts.deny(optional)
Com
pu
ter C
en
ter, C
S, N
CTU
24
Super Server – inetdSuper Server – inetd
To see what daemons are controlled by inetd, see /etc/inetd.conf
In /etc/rc.conf• inetd_enable="YES"
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l#telnet stream tcp nowait root /usr/libexec/telnetd telnetd#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetdshell stream tcp nowait root /usr/libexec/rshd rshd#shell stream tcp6 nowait root /usr/libexec/rshd rshdlogin stream tcp nowait root /usr/libexec/rlogind rlogind#login stream tcp6 nowait root /usr/libexec/rlogind rlogind
Com
pu
ter C
en
ter, C
S, N
CTU
25
/etc/hosts.allow – (1)/etc/hosts.allow – (1)
In /etc/hosts.allow• Format: daemon : address : action
daemon is the daemon name which inetd started address can be hostname, IPv4 addr, IPv6 addr, net/prefixlen action can be “allow” or “deny” Keyword “ALL” can be used in daemon and address fields to means
everything
First rule match semantic• Meaning that the configuration file is scanned in ascending order
for a matching rule
• When a match is found, the rule is applied and the search process will stop
Com
pu
ter C
en
ter, C
S, N
CTU
26
/etc/hosts.allow – (2)/etc/hosts.allow – (2)
Example
TCP wrapper should not be considered a replacement of a good firewall• Instead, it should be used in conjunction with a firewall or other
security tools
• Good at rpc based services
ALL : localhost, loghost @adm_cc_cs : allowptelnetd pftpd sshd: @sun_cc_cs, @bsd_cc_cs, @linux_cc_cs : allowptelnetd pftpd sshd: zeiss, chbsd, sabsd : allowidentd : ALL : allowportmap : 140.113.17. ALL : allowsendmail : ALL : allowrpc.rstatd : @all_cc_cs 140.113.17.203: allowrpc.rusersd : @all_cc_cs 140.113.17.203: allowALL : ALL : deny
Com
pu
ter C
en
ter, C
S, N
CTU
27
/etc/hosts.allow – (3)/etc/hosts.allow – (3)
Advance configuration• External commands (twist option)
twist will be called to execute a shell command or script (exec)
• External commands (spawn option) spawn is like twist, but it will not send a reply back to the client
(fork/exec)
# The rest of the daemons are protected.telnet : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h."
# We do not allow connections from example.com:ALL : .example.com \ : spawn (/bin/echo %a from %h attempted to access %d >> \ /var/log/connections.log) \ : deny
Com
pu
ter C
en
ter, C
S, N
CTU
28
/etc/hosts.allow – (4)/etc/hosts.allow – (4)
• Wildcard (PARANOID option) Match any connection that is made from an IP address that differs from
its hostname
See• hosts_access(5)
• hosts_options(5)
# Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny
Com
pu
ter C
en
ter, C
S, N
CTU
29
tcpdmatchtcpdmatch
In /etc/hosts.allow
tcpdmatch(8) example
ALL : localhost 127.0.0.1 [::1] : allowALL : cshome2 : allowsshd : csduty linuxhome cshome : allowrpc.lockd : 140.113.235.0/255.255.255.0 : allowrpc.statd : 140.113.235.0/255.255.255.0 : allowrpcbind : 140.113.235.0/255.255.255.0 : allowALL : ALL : deny
$ tcpdmatch ssh 140.113.12.34warning: ssh: no such process name in /etc/inetd.confclient: address 140.113.12.34server: process sshmatched: /etc/hosts.allow line 12option: denyaccess: denied
Com
pu
ter C
en
ter, C
S, N
CTU
30
When you perform any change.When you perform any change.
Philosophy of SA• Know how things
really work
• Plan it before you do it
• Make it reversible
• Make changes incrementally
• Test before you unleash it