Author Archive

Port Knocking – Firewall Security I

December 10th, 2008, Ali Abbas

There has been a lot of buzz lately about adding a security layer in front of running services and open ports, and about how to step back from the risk line, even if only by one step.

Port knocking can be summarized in three points:

1. My service's port is closed by default: the firewall drops everything sent to it.

2. The port is opened only after a client sends packets to a sequence of ports I selected, in the order I selected.

3. The port therefore stays invisible to brute-force bots and script kiddies' scanners.

In this first part of Firewall Security, I will go over the setup and configuration of a basic port knocking deployment on a CentOS FTP server using knockd.

knockd is available from RPMforge, so grab the rpm from a mirror, or simply run yum install knockd if you have the RPMforge repository configured on the box.

knockd uses a single configuration file, /etc/knockd.conf.

In this case study, we will focus on securing port 21 for our FTP server.

(I am assuming you currently have port 21 blocked on your firewall and that you are using iptables.)


[options]
logfile = /var/log/knockd.log

[openFTP]
sequence = 2000,3455,6789
seq_timeout = 10
tcpflags = syn
# only the listed client address gets in; knockd substitutes the knocking
# client's own address if you write %IP% instead of a fixed -s address
command = /sbin/iptables -I INPUT 1 -p tcp -s 192.168.2.107 -d 192.168.2.201 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

[closeFTP]
sequence = 6789,3455,2000
seq_timeout = 10
tcpflags = syn
# delete the rule by its specification, not by position: "-D INPUT 1" would
# remove whatever rule happens to be first in the chain at that moment
command = /sbin/iptables -D INPUT -p tcp -s 192.168.2.107 -d 192.168.2.201 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

Start the knockd daemon with


/usr/sbin/knockd -d

(Keep in mind that by default knockd listens on interface eth0; use the -i option, or interface = in the [options] section, to change that.)

And voila... port 21 opens on the firewall once the port sequence specified in the configuration file has been received, and closes again once the closing sequence arrives.

For testing, use the knock client (http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki) and knock on your FTP server's port sequence. Then check /var/log/knockd.log and the output of iptables -L INPUT -n to confirm the rule was actually inserted.

Some advice:

1. Keep in mind that this setup adds a single point of failure: whenever knockd dies, you are left with no remote connectivity (especially if you lock the SSH port this way). To prevent this, monitor the knockd daemon and restart it if it fails.

2. This security layer isn't enough on its own, and it brings a risk of its own: the knock sequence travels in the clear, so it can be sniffed between client and server, after which the attacker knows the exact combination. knockd's one_time_sequences option, which reads each sequence from a file and accepts it only once, limits what a sniffed sequence is worth; so does keeping real authentication (strong passwords or keys) behind the door.

3. Each sequence needs a set of ports. knockd sniffs those ports rather than binding them, but they must not be ports any other service uses, or ordinary traffic will trigger or spoil the sequence. Choose them carefully!
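A knock client for the setup above, written here as an added example in Python; it is not part of the original post and not the knock tool linked above. It parses the post's knockd.conf to get the sequences rather than hard-coding them, checks that the whole sequence fits inside seq_timeout (knockd discards a half-finished sequence after that many seconds), and sends one TCP SYN per port. The FTP host address 192.168.2.201 is an assumption taken from the iptables rule, and the knock ports are assumed to be closed on it, so each connect() emits exactly the one SYN knockd is watching for.

```python
"""Port-knock client for the knockd setup above.

Added example, not part of the original post.  Assumptions not taken from the
post: the FTP host is 192.168.2.201, and the knock ports are closed on it, so
each connect() attempt emits exactly one SYN (answered by RST, or dropped),
which is all knockd is sniffing for.
"""
import re
import socket
import time

# Constructed copy of the post's knockd.conf (the [options] section is ignored here).
KNOCKD_CONF = """\
[options]
logfile = /var/log/knockd.log

[openFTP]
sequence = 2000,3455,6789
seq_timeout = 10
tcpflags = syn
command = /sbin/iptables -I INPUT 1 -p tcp -s 192.168.2.107 --dport 21 -j ACCEPT

[closeFTP]
sequence = 6789,3455,2000
seq_timeout = 10
tcpflags = syn
command = /sbin/iptables -D INPUT -p tcp -s 192.168.2.107 --dport 21 -j ACCEPT
"""


def parse_knockd_conf(text):
    """Return {section: {"sequence": [ports], "seq_timeout": seconds or None}}
    for every section except [options].  knockd allows a ':tcp'/':udp' suffix on
    each port; only the number is kept because this client only knocks with TCP."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # knockd.conf comments start with '#'
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            if current != "options":
                sections[current] = {"sequence": [], "seq_timeout": None}
            continue
        if current in (None, "options") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "sequence":
            sections[current]["sequence"] = [int(p.split(":")[0]) for p in value.split(",")]
        elif key == "seq_timeout":
            sections[current]["seq_timeout"] = int(value)
    return sections


def sequence_fits(ports, seq_timeout, per_port_wait=0.2, gap=0.1):
    """True if the whole sequence can be sent inside knockd's seq_timeout, the
    window knockd gives a client to finish the sequence before discarding it."""
    if not ports:
        return False
    if seq_timeout is None:
        return True                   # no window known, nothing to check against
    return len(ports) * (per_port_wait + gap) < seq_timeout


def knock(host, ports, seq_timeout=None, per_port_wait=0.2, gap=0.1):
    """Send one TCP SYN per port, in order.  connect() to a closed port fails with
    ECONNREFUSED right after the SYN goes out; a filtered port just times out.
    Either way the SYN knockd wants has already been sent."""
    if not sequence_fits(ports, seq_timeout, per_port_wait, gap):
        raise ValueError("sequence is empty or cannot be sent inside seq_timeout")
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(per_port_wait)
        try:
            s.connect((host, port))
        except OSError:
            pass                      # refused or timed out: expected, the knock is the SYN itself
        finally:
            s.close()
        time.sleep(gap)               # keep the SYNs arriving in sequence order


if __name__ == "__main__":
    FTP_HOST = "192.168.2.201"        # assumed address of the FTP server
    conf = parse_knockd_conf(KNOCKD_CONF)
    knock(FTP_HOST, conf["openFTP"]["sequence"], conf["openFTP"]["seq_timeout"])
    print("open sequence sent; port 21 should now accept connections from this address")
    # ... do the FTP work, then lock the door again:
    knock(FTP_HOST, conf["closeFTP"]["sequence"], conf["closeFTP"]["seq_timeout"])
```

Running it is equivalent to knock 192.168.2.201 2000 3455 6789 with the knock client; the point of parsing the config is that the client and the daemon cannot drift apart when you rotate the sequence. The plain connect() approach needs no raw sockets or root, but it also means anyone sniffing the path sees the same three SYNs the daemon does, which is exactly the caveat in point 2 above.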

Cheers,

Categories: Unix / Linux

Uptime of various linux distributions

November 29th, 2008, Ali Abbas

I have come across an interesting post from Pingdom which I believe deserves a stop.

I am particularly happy to see RedHat/Fedora/CentOS on the first line :)

To read the full article, follow this link: http://royal.pingdom.com/2008/11/19/linux-distros-and-apple-beat-microsofts-homepage-uptime/

Categories: General

Pipe your log through a socket

November 26th, 2008, Ali Abbas

The idea behind this hack is to take a syslog event, write it to a named pipe (fifo), and, through a small socket client, send it to a server listening on a specific port.

I decided to write my "log notification" server in C#; it was actually destined for a Windows machine, so I thought "why not" :)

So here it goes, in C#


using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;

namespace ServerCli
{
    class Program
    {
        static void Main(string[] args)
        {
            Thread myThread = new Thread(new ThreadStart(socketInit));
            myThread.Start();
        }

        static void socketInit()
        {
            // address and port the Perl client below connects to
            IPAddress ip = IPAddress.Parse("192.168.2.107");
            TcpListener ListInit = new TcpListener(ip, 8085);
            ListInit.Start();
            Console.WriteLine("local End point is  : " + ListInit.LocalEndpoint);
            while (true)
            {
                try
                {
                    // the client opens one connection per log line and closes it,
                    // so read until the peer closes rather than trusting a single Receive()
                    using (Socket s = ListInit.AcceptSocket())
                    {
                        byte[] b = new byte[1024];
                        StringBuilder data = new StringBuilder();
                        int k;
                        while ((k = s.Receive(b)) > 0)
                            data.Append(Encoding.ASCII.GetString(b, 0, k));
                        Console.Write(data.ToString());
                    }
                }
                catch (Exception e)
                {
                    Console.WriteLine("Error..... " + e.Message);
                }
            }
        }
    }
}

Ok so, this could really be improved, but you get the picture… :p

Now we need to edit syslog.conf so that the events we want are written to our fifo (which we still need to create).

So... mkfifo /var/log/mySecureLog

vi /etc/syslog.conf

and add a line of the form

facility.priority |/var/log/mySecureLog

In my case, I used authpriv.warning so that I get a notification whenever a failed login takes place on the server.

Save your file and restart syslog. Keep in mind that a fifo needs a reader: if nothing is reading /var/log/mySecureLog, the messages syslog writes to it are lost, so keep the client running. Now we need to write that client, which reads the fifo and sends each line over a socket connection.

I used perl here…


#!/usr/bin/perl -w
use strict;
use IO::Socket;

my $fifo   = '/var/log/mySecureLog';
my $server = '192.168.2.107';
my $port   = 8085;

chomp(my $uname = `uname -n`);   # hostname, prepended so the server knows who sent the line

while (1) {
    # read the fifo directly; open() blocks until syslogd has something to write
    open(my $log, '<', $fifo) or die "oups: cannot open $fifo: $!";

    while (my $line = <$log>) {
        # one connection per line, matching the server above, which reads until close
        my $conn = IO::Socket::INET->new(
            Proto    => 'tcp',
            PeerAddr => $server,
            PeerPort => $port,
        );
        unless ($conn) {
            warn "cannot connect to $server:$port: $@";
            next;
        }
        $conn->send("$uname: $line");
        $conn->close();
    }

    # EOF means the writer went away (syslog restarted); reopen and keep going
    close($log);
}

Yes I know, a pretty basic script, but you still get the picture ;-)

And that's it... so what? Launch the server, launch the perl script (the client), try an ssh connection to the server with a wrong username/password and watch :)

Any further mods are welcome! Feel free to post back with your own tweaks. As I said earlier, this is just to give the idea for further possibilities.
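The same relay redone in Python, as an added example that is not the post's C# server or Perl client. It keeps the post's design (syslog writes to a fifo, a client forwards lines to a TCP server) but closes two gaps: events are newline-framed so the server never processes half a line, and the server parses sshd failure lines instead of only printing them, which is the notification the post is after. The fifo path and 192.168.2.107:8085 are reused from the post; the sample log lines are constructed in the usual sshd "Failed password for ..." wording and are not captured from a real host.

```python
"""Log-notification relay, the post's design redone in Python.

Added example, not the post's C# server or Perl client.  Assumptions not taken
from the post: the usual sshd "Failed password for ..." wording, and the fifo
path and 192.168.2.107:8085 reused from the post.
"""
import re
import socket
import socketserver

FIFO = "/var/log/mySecureLog"
LISTEN = ("192.168.2.107", 8085)

# Constructed sample lines in the shape sshd logs via syslog (not captured from a real host).
SAMPLE_LINES = [
    "Nov 26 10:01:02 ftpbox sshd[2210]: Failed password for invalid user admin from 192.168.2.50 port 41022 ssh2",
    "Nov 26 10:01:09 ftpbox sshd[2210]: Failed password for root from 192.168.2.50 port 41023 ssh2",
    "Nov 26 10:01:15 ftpbox sshd[2211]: Failed password for root from 10.0.0.9 port 3333 ssh2",
    "Nov 26 10:02:00 ftpbox sshd[2215]: Accepted publickey for ali from 192.168.2.107 port 50000 ssh2",
]

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_failed_login(line):
    """Return (user, source_ip) for an sshd failed-password line, else None."""
    m = FAILED_RE.search(line)
    return (m.group("user"), m.group("ip")) if m else None


def failures_by_source(lines):
    """Count failed logins per source address: the first thing you want from this feed."""
    counts = {}
    for line in lines:
        hit = parse_failed_login(line)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


def frame(line):
    """Bytes to put on the wire for one event: always exactly one trailing newline."""
    data = line if isinstance(line, bytes) else line.encode("utf-8")
    return data.rstrip(b"\r\n") + b"\n"


class NotifyHandler(socketserver.StreamRequestHandler):
    """Server side: one connection per relay client, one event per line."""

    def handle(self):
        for raw in self.rfile:                         # yields complete newline-terminated lines
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            hit = parse_failed_login(line)
            if hit:
                print(f"ALERT failed login user={hit[0]} from={hit[1]} via {self.client_address[0]}")
            else:
                print(line)


def serve(listen=LISTEN):
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(listen, NotifyHandler) as srv:
        srv.serve_forever()


def relay_fifo(path=FIFO, server=LISTEN):
    """Client side: read the fifo line by line and stream each event to the server.
    open() blocks until syslogd writes; when syslogd closes the pipe (restart) the
    loop sees EOF, so reopen and carry on instead of exiting."""
    while True:
        with open(path, "rb") as fifo, socket.create_connection(server) as conn:
            for line in fifo:
                conn.sendall(frame(line))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "serve":
        serve()
    else:
        relay_fifo()
```

Run it with the argument serve on the notification host and without arguments on the syslog host. The wire format is still plaintext TCP, as in the post, so everything in your auth log is readable by anyone on the path and the server accepts lines from anyone who can reach the port; bind it to a trusted interface, restrict the port with iptables, or run it over an SSH tunnel.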

Categories: Unix / Linux

Wrap your shell commands

November 5th, 2008, Ali Abbas

One of the most annoying things I have run into when administering a server was following and fixing the messes other users (who happen to have the root password) would make on it.

Random users with the root password often know two things, "sh" and "history -c"... and of course "I didn't do it".

Now, while it is important to keep logs of activity on the server, it is even better to be able to pull up a log of every single command entered, plus its arguments.

Here is a little C wrapper one can use to wrap /bin/sh so that every invocation of it gets logged, along with the arguments it was started with.

First we need to move the current sh executable out of the way, so

mv /bin/sh /bin/shb

(On most distributions /bin/sh is a symlink to bash or dash; moving the symlink keeps it working as /bin/shb. Do this mv and the copy of the wrapper into /bin/ back to back, because any script starting with #!/bin/sh fails in between.)


#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define LOG_FILE "/var/log/sh.log"
/* world-writable so the wrapper can append no matter who runs it;
   this also means any user can truncate the log, see the note below */
#define LOG_MODE (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH)
#define REAL_SH  "/bin/shb"

int main (int argc, char **const argv)
{
    FILE *logfile = fopen (LOG_FILE, "a");

    if (logfile)
    {
        struct passwd *pw = getpwuid (geteuid ());
        int i;

        /* fall back to the numeric uid if it has no passwd entry */
        if (pw)
            fprintf (logfile, "(%s)", pw->pw_name);
        else
            fprintf (logfile, "(uid %u)", (unsigned) geteuid ());

        /* log every argument the shell was started with; argv[0] is kept as
           given, since a leading '-' marks a login shell and must not be lost */
        for (i = 0; i < argc; ++i)
            fprintf (logfile, " '%s'", argv[i]);

        fprintf (logfile, "\n");
        fclose (logfile);
        chmod (LOG_FILE, LOG_MODE);
    }

    /* hand over to the real shell with the original argv */
    execv (REAL_SH, argv);

    /* only reached if the exec failed */
    perror ("execv " REAL_SH);
    exit (EXIT_FAILURE);
}

Now compile the code (e.g. with gcc) into an executable named sh, and create the log file so that non-root users can append to it, since they cannot create files in /var/log themselves: touch /var/log/sh.log and chmod 666 /var/log/sh.log.

Move your newly compiled sh into /bin/.

And voila :) ... whenever someone executes /bin/sh, a line with the user name and the shell's arguments is appended to /var/log/sh.log. Keep the limits in mind: the wrapper only sees the arguments sh was started with (such as a command passed via -c), not the commands typed at an interactive prompt of the real shell; a user who knows about /bin/shb, or runs bash directly, bypasses it; an argument containing a single quote makes the log line ambiguous; and the world-writable log can be truncated by anyone. So this is a record of what ordinary invocations did, not a tamper-proof audit trail.

Categories: C, Programming, Unix / Linux

How to reverse engineer a subnet

October 30th, 2008, Ali Abbas

Alright... everybody has their own method of reverse engineering a subnet. Here is a technique that works for me and might work for you.

Let’s take a random private ip.

IP: 192.168.1.95/27

And let's try to figure out its network range.

In this case we take the interesting octet of the subnet mask, the last one, which here is 224 (remember that a /27 prefix means a mask of 255.255.255.224)... let's therefore convert it to binary.

224 = 11100000 (decimal to binary)

[tip: a quicker way, since we have the prefix length 27, is to note that the first 24 bits cover the first three octets, which leaves 27 - 24 = 3 bits of 1 in the last octet... which results in 11100000]

Now, to find the increment that defines the size of each network, take the lowest network bit, i.e. the rightmost 1 of the mask octet (the third 1 going from left to right), and keep only its place value... which results in 100000.

Now, let’s convert 100000 into decimal to find that network increment.

100000 = 32 (binary to decimal)

So our network increment is 32 (a quicker way to get it: 256 - 224 = 32). That means each network spans 32 addresses: 30 possible hosts + the network IP + the broadcast IP.

To find the network range of our private IP 192.168.1.95, start at the 1.0 network and step by the increment to list the possible ranges

This gives us

192.168.1.0 – 192.168.1.31 (30 hosts)
192.168.1.32 – 192.168.1.63
192.168.1.64 – 192.168.1.95
—— etc….

Now we can see that our IP falls in the range 192.168.1.64 – 192.168.1.95, which tells us that for the subnet 255.255.255.224 and IP 192.168.1.95 the network address is 192.168.1.64 and the broadcast address is 192.168.1.95. (Note that 192.168.1.95 is therefore the broadcast address of its block, not an address you could assign to a host; the usable hosts run from 192.168.1.65 to 192.168.1.94.)
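The same method carried through in code, as an added example that is not part of the original post. It generalizes the /27 walk-through to any prefix length: pick the interesting mask octet, take its lowest set bit as the block increment, then step through the blocks in that octet until you reach the one holding the address. The ipaddress module is used only as a cross-check at the end; the 172.16.37.9/20 and 10.1.2.3/8 inputs are made-up addresses used to show the other octets.

```python
"""Subnet calculator following the steps in the post.

Added example, not the post's own code.  Generalizes the /27 walk-through to
any prefix length; the ipaddress module is used only as a cross-check.
"""
import ipaddress


def ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(cidr):
    """Work out network, broadcast and host range for 'a.b.c.d/prefix' the way the post does."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    ip = ip_to_int(ip_str)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

    # Step 1: the interesting octet is the one where the mask stops being 255
    # (the last octet for /25 to /32; the post's /27 gives 224 there).
    octet_index = min(prefix // 8, 3)
    shift = 8 * (3 - octet_index)
    mask_octet = (mask >> shift) & 0xFF

    # Step 2: the increment is the value of the lowest set bit of that octet
    # (the post's third 1 in 11100000 = 100000 = 32).  A mask octet of 0 (/8, /16, /24)
    # means the whole octet is host bits, i.e. an increment of 256.
    increment = (mask_octet & -mask_octet) if mask_octet else 256
    assert increment == 256 - mask_octet            # the shortcut: 256 - 224 = 32

    # Step 3: step through the blocks in that octet until we pass the address;
    # this is the post's "192.168.1.0, .32, .64, ..." walk done with integer division.
    host_octet = (ip >> shift) & 0xFF
    block_start = (host_octet // increment) * increment
    network = (ip & (0xFFFFFFFF << (shift + 8)) & 0xFFFFFFFF) | (block_start << shift)
    broadcast = network | (~mask & 0xFFFFFFFF)

    # Sanity check against the standard library.
    ref = ipaddress.ip_network(cidr, strict=False)
    assert network == int(ref.network_address) and broadcast == int(ref.broadcast_address)

    total = 1 << (32 - prefix)
    usable = total - 2 if prefix <= 30 else total   # /31 (RFC 3021) and /32 reserve nothing
    return {
        "mask": int_to_ip(mask),
        "mask_octet": mask_octet,
        "mask_octet_bits": format(mask_octet, "08b"),
        "increment": increment,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1 if prefix <= 30 else network),
        "last_host": int_to_ip(broadcast - 1 if prefix <= 30 else broadcast),
        "usable_hosts": usable,
        "ip_is_network": ip == network,
        "ip_is_broadcast": ip == broadcast,
    }


if __name__ == "__main__":
    for key, value in subnet_info("192.168.1.95/27").items():
        print(f"{key:16} {value}")
```

For the post's 192.168.1.95/27 it reports increment 32, network 192.168.1.64, broadcast 192.168.1.95 and 30 usable hosts, and flags that the address given is the broadcast address. When the prefix does not fall in the last octet (a /20, say) the same three steps apply to the third octet, which is where the min(prefix // 8, 3) and the shift come in.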

Till later,

Categories: Networking, TCP/IP