Nasser Heidari

2009-12-14

IIS reveals its internal IP address in the Content-Location header via a request to the root file

Filed under: Security Tips and Issues — Nasser Heidari @ 06:29

It’s actually an easy fix. The appropriate Knowledge Base article is “FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0”.

1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following:
%SYSTEMROOT%\Inetpub\AdminScripts
3. Type the following command, where x is your site identifier and hostname is the alternate host name that you want to use:
cscript adsutil.vbs set w3svc/x/SetHostName hostname

For example:
cscript adsutil.vbs set w3svc/70762098/SetHostName linax.wordpress.com


How to find your site identifier

In IIS 5 or 6, open the properties of the web site and, on the Web Site tab, click the Properties button for logging. At the bottom of the Extended Logging Properties window is the log file name, which will look something like W3SVCXXXXX\exyymmdd.log.
XXXXX is your site identifier.
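A quick way to verify the fix from the outside is to capture the response to a request for the site root and inspect its Content-Location header. The Python check below is an added example, not part of the original post; the two sample responses are constructed, with 192.168.10.25 and www.example.com standing in for the internal address and the configured host name.

```python
"""Check a captured HTTP response for an internal IP address leaked through
the Content-Location (or Location) header. Added example; not from the post."""
import ipaddress
from urllib.parse import urlsplit

LOCATION_HEADERS = ("content-location", "location")


def parse_response(raw):
    """Split a raw HTTP response into (status_line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def leaked_internal_hosts(raw):
    """Return [(header, host)] for location-type headers that carry a private
    or loopback IP address; host names (the SetHostName fix) are not reported."""
    _, headers = parse_response(raw)
    found = []
    for name in LOCATION_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        host = urlsplit(value).hostname
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a host name or an empty host: no address to leak
        if ip.is_private or ip.is_loopback:
            found.append((name, host))
    return found


# Constructed sample responses to a request for the site root: the first is
# what a server with the default configuration sends, the second what it
# sends once SetHostName points at a public host name.
LEAKING = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
           "Content-Location: http://192.168.10.25/Default.htm\r\n"
           "Content-Type: text/html\r\n\r\n<html></html>")
FIXED = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
         "Content-Location: http://www.example.com/Default.htm\r\n"
         "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    print(leaked_internal_hosts(LEAKING))  # [('content-location', '192.168.10.25')]
    print(leaked_internal_hosts(FIXED))    # []
```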

Disabling HTTP TRACE method in Apache and IIS

Filed under: Linux,Security Tips and Issues — Nasser Heidari @ 05:57

Apache

Traditionally, the suggested way to disable TRACE has been a set of rewrite rules like these:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

(this needs to be added somewhere in your main apache config file outside of any vhost or directory config).

This has its disadvantages, though; to mention just one, mod_rewrite must be enabled on the server for it to work.
But for Apache versions newer than 1.3.34 on the legacy branch, and 2.0.55 or newer for Apache 2, this can be done much more easily,
because there is a new Apache directive that controls whether the TRACE method is enabled:

TraceEnable off

This needs to be added to the main server config; the default is enabled (on).
TraceEnable off causes Apache to return a 403 Forbidden error to the client.

Microsoft IIS

On Microsoft Windows, TRACE is controlled by a registry value.
Create a DWORD value called EnableTraceMethod under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

This should be 1 for on, and 0 for off.

Enjoy!

2009-07-10

Netcat: The TCP/IP Swiss army knife

Filed under: freebsd,Linux,Miscellaneous,Security Tips and Issues — Nasser Heidari @ 13:44


Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol.
It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

In this little guide I’ll quickly cover some very helpful uses of netcat.

Simple Chat:

The simplest example of netcat usage is to create a server-client chat system. In the following example it is assumed that the machine that creates the listening socket (the server) has the IP address 192.168.0.1. So, create the chat server on this machine and set it to listen on TCP port 12345:

# nc -lp 12345

or

# nc -l 12345

If you now connect to port 12345 on that host, everything you type will be sent to the other party, which leads us to using netcat as a chat server.
Connect to it from another machine by entering this command:

# nc 192.168.0.1 12345

Now both parties can chat!

Port Scanner:

Netcat can also act as a port scanner. It does not have as many features as, say, nmap, but if you just want to see which ports are open on a given machine, you can simply do:

# nc -vzw 1 localhost 1-1000

Transferring Files:

Let’s say you want to transfer a file from machine A to machine B. You can use netcat as file transfer software.
On machine A do the following, where 12345 is some unused port on which you want to serve the file:

# nc -lp 12345 < myfile.tar.bz2

OR

# nc -l 12345 < myfile.tar.bz2

then go to machine B and run this command (192.168.0.1 is machine A’s IP address):

# nc 192.168.0.1 12345 > myfile.tar.bz2

Another example:

# tar -czf - /etc/ | nc -lp 12345

and then:

# nc 192.168.0.1 12345 > mybackup.tar.gz

Simple Single-page Web Server:

# while true; do nc -lp 8080 -q 1 < test.html; done

Now if you connect to http://YOUR-IP-ADDRESS:8080, you will see the contents of the test.html page.

Netcat as a Backdoor !!!

netcat can be used as a backdoor! You can specify the shell (or, for that matter, any executable) you want netcat to run on a successful connection with the -e parameter:

# nc -lp 54321 -e /bin/bash

Now if you connect to port 54321, you will have a shell:

Getting System Information

# while true; do nc -lp 12345 -e /usr/bin/uptime; done

The user who wants to obtain system information has to issue the following command:

# nc 192.168.0.1 12345

2009-07-08

Send E-mail When sudo Runs

Filed under: freebsd,Linux,Security Tips and Issues — Nasser Heidari @ 06:41

Sudo can be configured to send e-mail when the sudo command is used.
Edit the /etc/sudoers file (using visudo) and add:

Defaults mailto="me@example.com"
Defaults mail_always

* mailto "me@example.com": the admin e-mail address.
* mail_always: send mail to the mailto user every time a user runs sudo.

Additional options:

* mail_badpass: send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.
* mail_no_host: if set, mail will be sent to the mailto user if the invoking user exists in the sudoers file but is not allowed to run commands on the current host. This flag is off by default.
* mail_no_perms: if set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.
* mail_no_user: if set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.

2009-06-19

Linux Kernel RTL8169 NIC Remote Denial of Service

Filed under: Security Tips and Issues — Nasser Heidari @ 05:27

The Linux kernel is exposed to a remote denial of service issue in the RTL8169 (r8169) network driver. The issue occurs when a large packet is sent to a computer with an RTL8169 NIC installed. Specifically, the driver permits frame sizes of up to 16383 bytes, but allocates only 1536-byte skbs for its rx rings.

Linux Kernel versions prior to 2.6.30 are affected.

Ref: http://lkml.org/lkml/2009/6/8/194

2009-06-12

Securing Apache against HTTP DoS and/or Brute Force attacks

Filed under: Linux,Security Tips and Issues — Nasser Heidari @ 05:12

There are some native Apache directives that can be configured to help mitigate the effects of a Denial of Service (DoS) attack. These directives include Timeout, KeepAlive, and KeepAliveTimeout.

TimeOut

One way of attacking web servers is to try to exhaust the target system’s resources by opening multiple connections and then never closing them. The more connections the server has open at once, the more resources are tied up holding details of those connections, which can lead to increased load and eventually to the server running out of resources.

The TimeOut directive tells the server how long to wait to receive a GET request, the amount of time between receipt of TCP packets on a POST or PUT request, or the amount of time between ACKs on transmissions of TCP packets in responses. Basically, this is the total time it takes to receive and respond to an http request.

In order to prevent a DoS attack from shutting down our web server, we need to change the default setting of 300 (which is 5 minutes) to something more reasonable such as 60 (which is 1 minute). You may even adjust this setting to be lower than 60. Think about this for a minute.

KeepAlive

How many individual graphics files do you think there are in the average web page? Last check on the Amazon.com home page showed approximately 58 graphics files (gif and jpg) being referenced. Now imagine if your web browser had to create a brand-new connection for every one of those files. The overhead associated with initializing the HTTP connection would increase the time to fully load a web page significantly. This is where the concept of KeepAlives and “pipelining” web requests came from. The idea is simple: allow multiple requests from the same client to use the same established HTTP connection. Efficient use of this capability dramatically decreases the amount of time it takes to fully download and display a web page. It is for this reason that the KeepAlive directive should be turned on.

KeepAliveTimeout

Much in the same way that the Timeout directive limits the amount of time that the established HTTP connection will be valid, the KeepAliveTimeout directive will expire a socket after the designated amount of time. The difference between the Timeout and the KeepAliveTimeout directives is that the Timeout setting designates the amount of time that the entire connection will be open, while the KeepAliveTimeout directive states how long the server will wait for a subsequent request from the client. This means that the KeepAliveTimeout setting should always be less than the Timeout setting. The default setting for KeepAliveTimeout is 15 seconds, which is reasonable; however, you could lower this just a bit if desired.

While these directives help with the performance of Apache and will lessen the impact of a DoS attack, there is another third-party module that is extremely effective.

mod_evasive is an evasive maneuvers module for Apache whose purpose is to react to HTTP DoS and/or Brute Force attacks. It was developed by Jonathan Zdziarski.

An additional capability of the module is that it is also able to execute system commands when DoS attacks are identified. This provides an interface to send attacking IP addresses to other security applications such as local host-based firewalls to block the offending IP address.

Installing mod_evasive on Centos 5.3:

(you can find plenty of documents explaining how to install mod_evasive on other distributions)
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
# yum install mod_evasive

Configuring mod_evasive:

/etc/httpd/conf.d/mod_evasive.conf is the main configuration file for mod_evasive:

LoadModule evasive20_module modules/mod_evasive20.so

<IfModule mod_evasive20.c>
 DOSHashTableSize    3097
 DOSPageCount        5
 DOSSiteCount        100
 DOSPageInterval     1
 DOSSiteInterval     1
 DOSBlockingPeriod   10
 DOSEmailNotify      nasser@mydomain.com
 #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
 DOSLogDir           "/var/lock/mod_evasive"
 #DOSWhitelist   127.0.0.1

</IfModule>

We will now discuss each of the mod_evasive directives. Most of this information is taken directly from the README file of mod_evasive, so proper credit should be given to the developer of this module.

DOSHashTableSize

This directive specifies the number of top-level nodes for each apache child process’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server.

DOSPageCount

This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSSiteCount

This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSPageInterval

The interval for the page count threshold; defaults to 1 second intervals.

DOSSiteInterval

The interval for the site count threshold; defaults to 1 second intervals.

DOSBlockingPeriod

The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g., another 10 seconds). Because the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.

DOSEmailNotify

If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /var/lock/mod_evasive prevents continuous emails from being sent.
Note: Requires /bin/mail (provided by mailx)

DOSSystemCommand

If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. Use %s to denote the IP address of the blacklisted IP.

DOSLogDir

Choose an alternative temp directory. By default, “/tmp” will be used for the locking mechanism, which opens some security issues if your system is open to shell users; see http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01

Whitelisting

IP addresses of trusted clients can be whitelisted to ensure they are never denied. The purpose of whitelisting is to protect software, scripts, local searchbots, or other automated tools from being denied for requesting large amounts of data from the server. Whitelisting should not be used to add customer lists or anything of the sort, as this will open the server to abuse. This module is very difficult to trigger without performing some type of malicious attack, and for that reason, it is more appropriate to allow the module to decide on its own whether or not an individual customer should be blocked.
To whitelist an address (or range), add an entry to the Apache configuration in the following fashion:

DOSWhitelist    127.0.0.1
DOSWhitelist    127.0.0.*

Wildcards can be used on up to the last three octets if necessary. Multiple DOSWhitelist commands may be used in the configuration.
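To see how these thresholds interact, here is a simplified Python model of mod_evasive’s decision logic (an added example, not the module’s own code). It assumes the page and site counters are fixed intervals as the README describes, and matches DOSWhitelist patterns with fnmatch, which is looser than the module’s last-three-octets rule.

```python
"""Simplified model of mod_evasive's blocking decisions, following the
directive semantics described above. Added example; not the module's code.
Whitelist wildcards are matched with fnmatch, which is looser than the
module's own last-three-octets rule."""
from fnmatch import fnmatch


class EvasiveModel:
    def __init__(self, page_count=5, site_count=100, page_interval=1,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.whitelist = tuple(whitelist)
        self.page_hits = {}  # (ip, uri) -> (window_start, count)
        self.site_hits = {}  # ip -> (window_start, count)
        self.blocked = {}    # ip -> time of its last request while blocked

    def _count(self, table, key, now, interval, threshold):
        """Record one hit in a fixed interval; True if the threshold is exceeded."""
        start, count = table.get(key, (now, 0))
        if now - start >= interval:  # interval expired: start a fresh count
            start, count = now, 0
        table[key] = (start, count + 1)
        return count + 1 > threshold

    def request(self, ip, uri, now):
        """Return the status mod_evasive would produce for this request: 200 or 403."""
        if any(fnmatch(ip, pattern) for pattern in self.whitelist):
            return 200  # DOSWhitelist: never blocked
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now  # still blocked; DOSBlockingPeriod timer reset
            return 403
        page_over = self._count(self.page_hits, (ip, uri), now,
                                self.page_interval, self.page_count)
        site_over = self._count(self.site_hits, ip, now,
                                self.site_interval, self.site_count)
        if page_over or site_over:
            self.blocked[ip] = now  # added to the blocking list
            return 403
        return 200


def hammer_same_page(model, ip, uri, hits, spacing):
    """Constructed traffic: `hits` requests for one URI, `spacing` seconds apart."""
    return [model.request(ip, uri, i * spacing) for i in range(hits)]


if __name__ == "__main__":
    m = EvasiveModel()  # the defaults match the mod_evasive.conf values above
    # the 6th request for one page within a second exceeds DOSPageCount 5:
    print(hammer_same_page(m, "10.0.0.7", "/index.html", 6, 0.1))  # [200]*5 + [403]
```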

Testing

mod_evasive comes with a Perl script called test.pl. If you execute it without editing the file, it will send a total of 100 requests for incrementing URLs (based on 0-100) to the localhost address on port 80.

#!/usr/bin/perl
# test.pl: small script to test mod_evasive's effectiveness
use IO::Socket;
use strict;

for(0..100) {
 my($response);
 my($SOCKET) = new IO::Socket::INET( Proto    => "tcp",
                                     PeerAddr => "127.0.0.1:80");

 if (! defined $SOCKET) { die $!; }
 print $SOCKET "GET /?$_ HTTP/1.0\n\n";
 $response = <$SOCKET>;
 print $response;
 close($SOCKET);
}

If you run the script, you should see output similar to the following:

# ./test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
–CUT–

2009-06-11

Hide PHP version (X-Powered-By) Header

Filed under: Linux,Miscellaneous,Security Tips and Issues — Nasser Heidari @ 09:09

In your php.ini (based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing “expose_php On” and set it to Off:

expose_php = Off

After making this change PHP will no longer add its signature to the web server header. Doing this will not make your server more secure by itself; it will just prevent remote hosts from easily seeing that you have PHP installed on the system and which version you are running.

2009-04-11

Protecting Server Against TCP Syn-Flood Attack !!!

Filed under: Linux,Security Tips and Issues — Nasser Heidari @ 00:24
# iptables -I INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP

iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP
iptables -I INPUT -i eth0 -p tcp --syn -j syn-flood

These rules limit new inbound TCP connections (packets with the SYN bit set) to 10 per second after a burst of 24 connections has been seen.

2009-04-01

Block ssh brute force attacks with iptables

Filed under: Linux,Security Tips and Issues — Nasser Heidari @ 12:22
# iptables -N SSH_CHECK
# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# iptables -A SSH_CHECK -m recent --set --name SSH
# iptables -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
# iptables -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP
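The following Python model (added here; not part of the original posts) shows how the `recent` match behind both the SYN-flood rule in the post above and this SSH_CHECK chain decides whether a packet matches. The synflood_check function assumes the address was first put on the synflood list by a `--set` rule, since `--update` on its own never matches an address that was never `--set`.

```python
"""Model of the iptables `recent` match as the SYN-flood rule above
(--name synflood --seconds 1 --hitcount 60) and the SSH_CHECK chain
(--name SSH --seconds 180 --hitcount 5) use it. Added example, not kernel
code: --set records the packet's timestamp for its source address, and
--update matches when at least `hitcount` recorded timestamps fall within
the last `seconds`, refreshing the entry when it matches."""
from collections import defaultdict


class RecentLists:
    def __init__(self):
        self.lists = defaultdict(dict)  # list name -> {ip: [timestamps]}

    def set(self, name, ip, now):
        """-m recent --set: remember this packet for ip."""
        self.lists[name].setdefault(ip, []).append(now)

    def update(self, name, ip, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount N: True when the rule matches."""
        stamps = self.lists[name].get(ip)
        if stamps is None:
            return False  # address never --set: --update alone can't match
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits < hitcount:
            return False
        stamps.append(now)  # a match also refreshes the entry
        return True


def ssh_check(lists, ip, now, log):
    """Walk the SSH_CHECK chain for one new connection to port 22."""
    lists.set("SSH", ip, now)
    if lists.update("SSH", ip, now, 180, 5):
        log.append("SSH_brute_force %s" % ip)  # -j LOG, non-terminating
    if lists.update("SSH", ip, now, 180, 5):
        return "DROP"
    return "ACCEPT"


def synflood_check(lists, ip, now):
    """The synflood rule; assumes a --set rule has already recorded this SYN."""
    lists.set("synflood", ip, now)
    if lists.update("synflood", ip, now, 1, 60):
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    r, log = RecentLists(), []
    # Constructed: six new SSH connections from one address, 30 s apart.
    print([ssh_check(r, "203.0.113.9", t, log) for t in range(0, 180, 30)])
    # ['ACCEPT', 'ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'DROP']
    print(log[0])  # SSH_brute_force 203.0.113.9
```

One caveat the model does not capture: the real xt_recent module refuses a --hitcount larger than its ip_pkt_list_tot parameter (20 by default), so --hitcount 60 only loads if that module parameter has been raised.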

2009-02-15

Hide Apache Information

Filed under: Linux,Security Tips and Issues — Nasser Heidari @ 12:06

Just set these directives in the main config:

FileETag None
ServerTokens ProductOnly
ServerSignature Off

Description:

ServerTokens

This directive controls whether the Server response header field that is sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents, like this:

Apache/1.3.41 Ben-SSL/1.59 Server at 127.0.0.1:80 Port 80