
Archive for the ‘Unix / Linux’ Category

Port Knocking – Firewall Security I

December 10th, 2008, Ali Abbas

There has been a lot of buzz lately about adding a security layer in front of running services and open ports, and about how to step back from the security risk line, even if only by one step.

Port knocking can be summarized in three steps:

1. My service’s port is locked by default.

2. My service’s port will not open unless you first send packets to a sequence of ports I selected.

3. My service’s port therefore remains unseen by brute-force bots and script kiddies’ scanners.

In this first part of Firewall Security, I will go over the setup and configuration of a basic port knocking deployment on a CentOS FTP server using knockd.

knockd is available on rpmforge, so feel free to grab the rpm from the mirror, or simply yum install knockd if you have the rpmforge repository added to your system.

knockd uses a single configuration file, /etc/knockd.conf.

In this case study, we will focus on securing port 21 for our FTP server application.

(I am assuming you currently have port 21 blocked on your firewall and that you are using iptables.)


[options]
        logfile = /var/log/knockd.log

[openFTP]
        sequence    = 2000,3455,6789
        seq_timeout = 10
        tcpflags    = syn
        # a fixed client/server pair; knockd can also substitute %IP% for the
        # address that completed the knock if several clients need to get in
        command     = /sbin/iptables -I INPUT 1 -p tcp -s 192.168.2.107 -d 192.168.2.201 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

[closeFTP]
        sequence    = 6789,3455,2000
        seq_timeout = 10
        tcpflags    = syn
        # delete the rule by its full specification: "-D INPUT 1" would remove
        # whatever rule happens to sit first in the chain at that moment
        command     = /sbin/iptables -D INPUT -p tcp -s 192.168.2.107 -d 192.168.2.201 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

Start the knockd server with:


/usr/sbin/knockd -d

(Keep in mind that by default knockd listens on interface eth0; pass -i to pick another one.)

And voilà… port 21 will open on the firewall once the port combination specified in the configuration file has been hit.

For testing, use the knock client (http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki) and knock on the port sequence of your FTP server.
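To make the matching rules concrete, here is an added example, not part of the original post and not knockd’s own code: a small Python model of how a knockd-style daemon walks each source address through a door’s sequence, honouring seq_timeout, dropping an attempt on a wrong port, and ignoring ports that belong to no door. The doors reuse the port sequences above but with knockd’s %IP% placeholder in the commands; the timestamps, client addresses and 9999 port are constructed, and the iptables commands are only rendered as strings, never executed. It is deliberately simplified: the real daemon also checks tcpflags and supports one-time sequences, which the model leaves out.

```python
"""Simplified model of how a knockd-style daemon matches knock sequences.
Constructed example for illustration; it is not knockd's code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Door:
    """One [section] of knockd.conf: name, port sequence, timeout and command."""
    name: str
    sequence: Tuple[int, ...]
    seq_timeout: float
    command: str


@dataclass
class Attempt:
    stage: int = 0        # ports of the sequence hit so far, in order
    started: float = 0.0  # timestamp of the first knock of this attempt


def render_command(door: Door, src_ip: str) -> str:
    """knockd replaces %IP% in 'command' with the address that completed the knock."""
    return door.command.replace("%IP%", src_ip)


class KnockMatcher:
    """Tracks every source address separately through each door's sequence."""

    def __init__(self, doors: List[Door]) -> None:
        self.doors = doors
        # ports that belong to no door never reach the matcher (they are not sniffed)
        self.watched = {p for d in doors for p in d.sequence}
        self._attempts: Dict[Tuple[str, str], Attempt] = {}
        self.fired: List[Tuple[float, str, str, str]] = []

    def observe(self, ts: float, src_ip: str, dport: int) -> List[str]:
        """Feed one TCP SYN (timestamp, source, destination port); return doors completed."""
        if dport not in self.watched:
            return []
        completed = []
        for door in self.doors:
            att = self._attempts.setdefault((src_ip, door.name), Attempt())
            # a half-finished sequence is discarded once seq_timeout has elapsed
            if att.stage > 0 and ts - att.started > door.seq_timeout:
                att.stage = 0
            if dport != door.sequence[att.stage]:
                att.stage = 0  # wrong port: the attempt is dropped, not paused
                continue
            if att.stage == 0:
                att.started = ts
            att.stage += 1
            if att.stage == len(door.sequence):
                att.stage = 0
                completed.append(door.name)
                self.fired.append((ts, src_ip, door.name, render_command(door, src_ip)))
        return completed


def demo() -> List[Tuple[float, str, str, str]]:
    """Run constructed knocks through two doors using the post's port sequences."""
    doors = [
        Door("openFTP", (2000, 3455, 6789), 10,
             "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 21 -j ACCEPT"),
        Door("closeFTP", (6789, 3455, 2000), 10,
             "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 21 -j ACCEPT"),
    ]
    matcher = KnockMatcher(doors)
    # constructed SYN observations: (timestamp in seconds, source IP, destination port)
    syns = [
        (0, "10.0.0.5", 2000), (1, "10.0.0.5", 3455), (2, "10.0.0.5", 6789),     # clean open
        (20, "10.0.0.5", 2000), (21, "10.0.0.5", 3455), (35, "10.0.0.5", 6789),  # too slow: expired
        (36, "10.0.0.5", 3455), (37, "10.0.0.5", 2000),                          # 6789,3455,2000 closes
        (40, "10.0.0.9", 2000), (41, "10.0.0.9", 3455), (42, "10.0.0.9", 9999),  # 9999 is not watched
        (43, "10.0.0.9", 6789),                                                  # second host opens
        (50, "10.0.0.7", 3455), (51, "10.0.0.7", 2000), (52, "10.0.0.7", 6789),  # wrong order: nothing
    ]
    for ts, ip, port in syns:
        matcher.observe(ts, ip, port)
    return matcher.fired


if __name__ == "__main__":
    for ts, ip, name, cmd in demo():
        print(f"t={ts:>3} {ip} completed {name}: {cmd}")
```

The constructed knocks in demo() show the two ways a sequence fails (too slow, wrong order), that an unrelated port does not disturb a sequence in progress, and that the open and close doors are tracked independently per source address. It also makes plain why advice 2 below matters: the three destination ports are the whole secret, so anyone who can observe them holds the key.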

Some pieces of advice:

1. Keep in mind that this setup leaves you with a single point of failure… whenever knockd dies, you are left with no remote connectivity (especially if you lock down the SSH port this way)… To prevent this, monitor the knockd daemon and restart it if it fails.

2. This security layer isn’t enough! It actually brings some potential security risks of its own: the right port combination can easily be sniffed between the client and the server, leaving an attacker knowing the exact port sequence…

3. Each door needs its own sequence of ports, and those ports must be allocated exclusively to knockd… choose your sequences carefully!

Cheers,

Categories: Unix / Linux

Pipe your log through a socket

November 26th, 2008, Ali Abbas

The idea behind this hack is to log a syslog event, send it to a fifo (named pipe), and, through a small socket client, forward it to a server listening on a specific port.

I decided to write my “log notification” server in C#; actually it was destined for a Windows machine, so I thought “why not” :)

So here it goes, in C#:


using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;

namespace ServerCli
{
    class Program
    {
        static void Main(string[] args)
        {
            Thread myThread = new Thread(new ThreadStart(socketInit));
            myThread.Start();
        }

        static void socketInit()
        {
            IPAddress ip = IPAddress.Parse("192.168.2.107");
            TcpListener ListInit = new TcpListener(ip, 8085);
            ListInit.Start();
            Console.WriteLine("local End point is  : " + ListInit.LocalEndpoint);
            while (Thread.CurrentThread.IsAlive)
            {
                try
                {
                    Socket s = ListInit.AcceptSocket();
                    // Read until the client closes its side: one log line may be longer
                    // than a single Receive() delivers, so a fixed 200-byte read would truncate it
                    StringBuilder data = new StringBuilder();
                    byte[] b = new byte[1024];
                    int k;
                    while ((k = s.Receive(b)) > 0)
                        data.Append(Encoding.ASCII.GetString(b, 0, k));
                    Console.WriteLine(data.ToString());
                    s.Close();
                }
                catch (Exception e)
                {
                    Console.WriteLine("Error..... " + e.StackTrace);
                }
            }
            ListInit.Stop();
        }
    }
}

OK, so this could really be improved, but you get the picture… :p

Now we need to edit syslog.conf so that our event log is piped to our fifo (which we still need to create).

So… mkfifo /var/log/mySecureLog

vi /etc/syslog.conf

and add a line of the form facility.priority, then whitespace (traditionally a tab), then a pipe symbol followed by the fifo path:

yourfacility.priority	|/var/log/mySecureLog

In my case, I used authpriv.warning… so that I get a notification whenever a failed login takes place on the server.

Save your file, restart syslog, and now we need to write our client, which will “cat” the fifo and send its contents over our socket connection.

I used Perl here…


#!/usr/bin/perl -w
use strict;
use IO::Socket;

# host name, prepended to every line so the server knows which box is talking
my $uname = `uname -n`;
chomp $uname;

# cat blocks on the fifo and hands us each line as syslog writes it
open(LOGFILE, "cat /var/log/mySecureLog |") || die "oups: $!";
while (my $line = <LOGFILE>)
{
    # one connection per line, which is what the server above expects
    my $conn = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => "192.168.2.107",
        PeerPort => "8085",
    ) or die "cannot connect: $@";

    $conn->send("$uname $line");
    close($conn);
}
close(LOGFILE);

Yes, I know! Pretty basic script, but you still get the picture ;-)

And that’s it… so what? Launch the server, launch the Perl script (client)… try an ssh connection to the server with a wrong username/password and look :)
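The whole exchange, both sides in one process, as an added example that is not part of the original post (Python rather than the C# and Perl used above, so it can run on a single machine): the server reads each connection to EOF so a long line is not cut at a fixed buffer size, the client mirrors the Perl script’s one-connection-per-line behaviour and prepends the host name, and a small parser pulls the user and source address out of sshd “Failed password” lines. The loopback address, the ephemeral port and the three syslog lines are constructed for the demo; the regular expression for sshd’s message format is the one assumption worth checking against your own logs.

```python
"""Constructed example: syslog lines forwarded over TCP, one connection per line,
with the receiving side reading to EOF. Loopback only; nothing here is from the post."""
import re
import socket
import threading
import time
from typing import Dict, List, Optional

# Constructed syslog lines, shaped like what sshd and su write to authpriv
SAMPLE_LINES = [
    "Nov 26 10:12:01 ftp01 sshd[4321]: Failed password for invalid user admin from 192.168.2.50 port 51234 ssh2",
    "Nov 26 10:12:07 ftp01 sshd[4321]: Failed password for root from 192.168.2.50 port 51236 ssh2",
    "Nov 26 10:13:00 ftp01 su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost=  user=root",
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")


def parse_failed_login(line: str) -> Optional[Dict[str, object]]:
    """Extract user, source address and port from an sshd 'Failed password' line."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    return {"user": m.group(1), "src": m.group(2), "port": int(m.group(3))}


def recv_all(conn: socket.socket) -> bytes:
    """Read until the peer closes its side, so a line longer than one recv() is not cut."""
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


class LogServer:
    """Receiving side of the exchange: accepts one line per connection, in a thread."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))          # port 0: the OS picks a free port
        self.sock.listen(16)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.received: List[str] = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                # listening socket closed
                return
            with conn:
                line = recv_all(conn).decode("utf-8", "replace").rstrip("\n")
                if line:
                    self.received.append(line)

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()


def send_log_line(host: str, port: int, hostname: str, line: str) -> None:
    """Sending side, mirroring the Perl client: connect, send one line, close."""
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall(f"{hostname} {line}\n".encode())
        conn.shutdown(socket.SHUT_WR)     # tells the server the message is complete


def demo() -> List[str]:
    """Forward the sample lines through a local server and return what it received."""
    server = LogServer()
    try:
        for line in SAMPLE_LINES:
            send_log_line("127.0.0.1", server.port, "ftp01", line)
        deadline = time.time() + 5        # the server thread finishes slightly after sendall()
        while len(server.received) < len(SAMPLE_LINES) and time.time() < deadline:
            time.sleep(0.01)
    finally:
        server.stop()
    return server.received


if __name__ == "__main__":
    for received in demo():
        hit = parse_failed_login(received)
        print(received if hit is None else f"failed login: {hit}")
```

Reading to EOF is the detail the original C# server misses: its single Receive() into a 200-byte buffer silently truncates anything longer. Everything still travels in clear text, as in the post, so keep this on a trusted network segment or wrap it in TLS before relying on it.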

Any further mods are welcome! Feel free to post back with your own tweaks! As I said earlier, this is just to give the idea, for further possibilities.

Categories: Unix / Linux

Wrap your shell commands

November 5th, 2008, Ali Abbas

One of the most annoying matters I have met when administrating a server was following and fixing the messes other users (who happen to have the root password) make on the server.

Random users with root passwords often know two things… “sh” and “history -c”… and of course “I didn’t do it”.

Now, while it is important to keep logs of activity on the server, it is even better to be able to pull up a log of every single command entered, plus its arguments.

Here is a little C wrapper one can use to wrap /bin/sh so that every command gets logged.

First, we need to back up our current sh executable… so

mv /bin/sh /bin/shb

(Do this and the copy of the new binary into /bin back to back: anything that starts with #!/bin/sh fails while /bin/sh is missing.)


#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define LOG_FILE "/var/log/sh.log"
/* World-writable so that every user's shell can append a line. The flip side is that
   any user can also truncate or edit the log; forward it to syslog if that matters. */
#define LOG_MODE (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH)
#define WRAPPER  "/bin/shb"     /* the real shell, moved aside above */

int main (int argc, char **argv)
{
    FILE *logfile = fopen (LOG_FILE, "a");

    if (logfile)
    {
        struct passwd *pw = getpwuid (geteuid ());
        int i;

        /* effective user first (fall back to the numeric uid if it has no passwd entry) */
        if (pw)
            fprintf (logfile, "(%s)", pw->pw_name);
        else
            fprintf (logfile, "(uid=%u)", (unsigned) geteuid ());

        /* then the full command line, one quoted argument at a time */
        for (i = 0; i < argc; ++i)
            fprintf (logfile, " '%s'", argv[i]);

        fprintf (logfile, "\n");
        fclose (logfile);
        chmod (LOG_FILE, LOG_MODE);
    }

    /* Leave argv[0] untouched: the shell reads it to detect a login shell ("-sh")
       and POSIX mode, so only the path we exec changes. */
    execv (WRAPPER, argv);

    /* only reached if execv failed */
    perror ("execv");
    exit (EXIT_FAILURE);
}

Now, compile your code into an executable called sh.

Move your newly compiled sh into /bin/.

And voilà :) … whenever someone executes /bin/sh, a line is appended to /var/log/sh.log. Keep in mind what this does and does not cover: only invocations of /bin/sh are recorded (an interactive session logs its start, not the commands typed into it), and a world-writable log can be edited by anyone, so forward the entries to syslog or a remote host if you need a real audit trail.

Categories: C, Programming, Unix / Linux

5 basic Apache security tips

October 29th, 2008, Ali Abbas

Here are just a few things to keep in mind when setting up Apache or undergoing a quick security audit.

1. Turn off the TRACE and TRACK methods in Apache

TRACE (and TRACK, its IIS counterpart) is a diagnostic method used to debug web server connections. A server that answers TRACE requests can be abused in a cross-site scripting variant dubbed XST, for “Cross-Site Tracing” (see http://www.apacheweek.com/issues/03-01-24).

To disable the TRACE and TRACK methods, first make sure that mod_rewrite is enabled, then add:

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

(On Apache 2.0.55 and later, the core directive TraceEnable off in the main server configuration disables TRACE without going through mod_rewrite.)


Categories: LAMP, Unix / Linux

safe guard editor

October 29th, 2008, Ali Abbas

If you are like me, or a very experienced admin, you will realize that while running servers in production, you are likely to end up modifying configuration files on the fly.

Now, one piece of advice I give to any junior administrator is to first back up any file they wish to modify. Running the cp command before editing a file can be a hassle, especially when we are in a hurry.

The following tip isn’t a Bash scripting lesson, as you will see, but merely a safeguard concept every admin could adopt to prevent downtime and headaches :-) .

Here is a little bash script that I usually set up on servers whenever I am expected to modify configuration files on the fly.

#!/bin/bash
# Usage: vis <file>  - back the file up, edit it, then offer to drop the backup

if [ $# -ne 1 ]; then
    echo "usage: $0 <file>" >&2
    exit 1
fi

stamp=$(date +%s)

# quote the file name so paths with spaces survive; -p keeps mode and ownership
# so the backup can be copied straight back over a broken config
if [ -f "$1" ]; then
    /bin/cp -p "$1" "$1.$stamp"
fi

/bin/vi "$1"

if [ -f "$1.$stamp" ]; then
    echo "Would you like to delete $1.$stamp ?"
    read choice
    if [ "$choice" = "yes" ]; then
        rm -f "$1.$stamp"
    fi
fi

As you can see, the script is very basic and straightforward: whenever it is called as “./vis filenameA”, it copies filenameA to filenameA. followed by the number of seconds elapsed since 01/01/1970… it then opens the file in my favorite editor, vi, and afterwards asks me whether I wish to delete the backup file…

Now, you could modify this script, add more checks, spice things up, but the idea behind it is to create an automatic backup of files as they are being edited.

Save this script in a file (let’s call it vis) and chmod +x it.

Move it into the /bin folder and create an alias (alias vi="vis"). The alias only applies to your interactive shell, and since the script calls /bin/vi by its full path, it does not recurse into itself.

There you go… from now on, whenever you edit a file, you needn’t fear making a mistake or deleting an important option.

Cheers,

Categories: Unix / Linux