Some myths in computer security dispelled!

Some myths in computer security and why Linux is more secure than Windows!

Another of my rants, after recently speaking to a Windows sysadmin about computer security (they need to wake up).

1) Obfuscation isn't good

Yes it is, in profiling a target: if a port scan of a target doesn't return anything on port 22, a bot, worm, automated scan or any scan of ranges wouldn't find your server.
Yes, it's bad if it's your only defence mechanism; security, especially computer security, should always be built up in layers (the more you have to peel!).

2) Changing your SSH port is bad.

I've seen some researchers say that changing your SSH port is bad. Although partly true, this is also partly bullshit.
You shouldn't change your port to a non-privileged port (anything higher than 1024), because a non-root user can listen on a non-privileged port, i.e. anything higher than 1024.
e.g. a web application gets compromised and gives write access to the htdocs; whatever is dropped into the compromised htdocs can now listen on 2222!

3) Linux is secure because it's not targeted.

LMFAO. The majority of the Internet runs on Unix/Linux, so drop the target audience argument! Seeing all the web app exploits these days shows, IMHO, that yes, users are a major entry point for compromise, but the OS still controls/contains the spread.
Arguably yes, the user is possibly at fault and the cause, but Linux, depending on the distro, is IMHO easier to use than Windows these days?

4) Windows is only insecure because it's widely targeted and because of user exploitation.

Let's look at an example: a Windows user visits a watering hole, probably compromised because that's the target audience. We have root!
No user interaction would have been required to exploit the above method. Think of the recently patched (but unpatched in Win 2k3, and it never will be) Active Directory SMB exploit; imagine the damage!
Now a Linux user visits the same site, bam.
We have the limit of a user to a limited section of the OS (this is where user exploitation comes in). Yeah, you could write a shell script to their home directory, and then what? It's only going to do anything if the user is fooled or another method of execution is elevated, but then in steps user limitation and SELinux/AppArmor!

IMHO
Windows was initially designed as a single-user OS with no network connectivity (full of design flaws).
Unix/Linux was designed for, and still dominates, supercomputers; it was designed for network connectivity as well as multi-user use (a lot of the design flaws in Windows don't exist)!

Which is more secure?

Security, Ultra Paranoid Computing

The internet of things needs to slow down!

As a hobbyist honeypot admin I see some of the day-to-day hack attempts: script kiddies scanning ranges, researchers scanning/monitoring, and the sophisticated black hats we see today.

The Internet of Things needs serious consideration before deployment; these days too many things are rushed out without testing, mainly due to management or deadline goals.

In the last few years or so we have seen proofs of concept/exploits that are dangerous not only to computers but to human life (Stuxnet; Barnaby Jack (RIP), who died just before he was about to disclose his research on a wireless pacemaker exploit at BlackHat 2013).

Yet we are looking at connecting fridges to the Internet so they can order milk as it runs out. Lol, just look at the possible DoS/DDoS effect: imagine the delivery driver turning up with 20,000 pints of milk! If that doesn't work, let's overflow your wireless toaster or overload all the connected devices so they overload your mains circuit; fuse boxes work now!?

At the moment computers are controlled by humans, who are prone to errors; the time will come when computers aren't, but the code is legacy (especially in embedded systems; Shellshock!).

Exploits always exist, so are we really ready for self-driving cars? Especially as we already see security flaws: BMW have just patched a design flaw, see http://grahamcluley.com/2015/02/bmw-security-patch/.

I also think we as the human race could do with slowing down a little!?

Security, Ultra Paranoid Computing

Installing Psad Intrusion Detection CentOS 6

Psad is an iptables log analysis and IDS tool; this guide shows how to install it and do a basic configuration on a CentOS 6 box.

Install psad from the EPEL repo (Extra Packages for Enterprise Linux, provided by the Fedora project).

Add the EPEL repo.

 yum install epel-release

Install psad.

 yum install psad

Change some settings in the psad.conf.

nano -w /etc/psad/psad.conf

EMAIL_ADDRESSES to_your_email;

Optional setting. This sets psad to auto-enforce (I personally never use it in this mode so have no experience with any false positives; use at your own risk!). The official documentation for auto IDS is here: http://cipherdyne.org/psad/docs/config.html#ENABLE_AUTO_IDS

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS Y;

Add the logging rules to iptables.

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

Now restart psad, update the signature file and load in the new signatures (the commands below are shown as typed; the blog formatting tends to mangle the double dash in --sig-update into a single dash).

psad -R

psad --sig-update

psad -H

Add a cronjob to update the signatures.

crontab -e

And add the following

0 0 * * 7 /usr/sbin/psad --sig-update && /usr/sbin/psad -H

The official documentation for psad can be found here: http://cipherdyne.org/psad/docs/
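As an added example (not psad's own code), here is a cut-down version of what psad does with the kernel log lines that the LOG rules above produce: it parses the SRC/DST/PROTO/DPT fields and flags a source that probes many distinct ports. The log lines, addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not psad's own code: a cut-down version of what psad does with the
# kernel log lines that the "iptables -A INPUT -j LOG" rule writes.  SRC/DST/PROTO/DPT
# are the kernel's field names; the lines, addresses and threshold are constructed.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

SAMPLE_LOG = """\
Feb 10 12:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Feb 10 12:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Feb 10 12:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN
Feb 10 12:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=443 SYN
Feb 10 12:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=3306 SYN
Feb 10 12:00:03 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=40006 DPT=161 LEN=40
Feb 10 12:00:03 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Feb 10 12:00:04 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

def parse_log_line(line):
    """SRC/DST/PROTO/DPT of one LOG entry, or None (non-firewall lines, ICMP with no DPT)."""
    if "kernel:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields

def ports_per_source(log_text):
    """Map each source address to the set of (protocol, destination port) it hit."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None:
            seen[entry["SRC"]].add((entry["PROTO"], entry["DPT"]))
    return seen

def find_scanners(log_text, min_ports=5):
    """Sources that touched at least min_ports distinct ports, busiest first;
    repeated hits on one port (198.51.100.7 above) do not count as a scan."""
    seen = ports_per_source(log_text)
    hits = [(src, len(ports)) for src, ports in seen.items() if len(ports) >= min_ports]
    return sorted(hits, key=lambda hit: -hit[1])

if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG):
        print("possible port scan from %s: %d distinct ports" % (src, count))
```

Note that the LOG rules above log every packet that reaches the end of the chain, so a busy legitimate client that only ever talks to one port is kept out of the report by counting distinct ports rather than packets.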

Linux, Security

Issues installing/upgrading Flash on Ubuntu 12.04 behind a proxy.

I recently came across an issue whilst updating flashplugin-installer on Ubuntu 12.04 behind a network proxy (apt was configured to use the proxy and all other updates worked fine, just not Flash).

I got the following error whilst attempting to update:

Preparing to replace flashplugin-installer 11.2.202.310ubuntu0.12.04.1 (using …/flashplugin-installer_11.2.202.310ubuntu0.12.04.1_amd64.deb) …
Unpacking replacement flashplugin-installer …
Processing triggers for update-notifier-common …
flashplugin-installer: downloading http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_11.2.202.310.orig.tar.gz
Traceback (most recent call last):
File "/usr/lib/update-notifier/package-data-downloader", line 234, in process_download_requests
dest_file = urllib.urlretrieve(files[i])[0]
File "/usr/lib/python2.7/urllib.py", line 93, in urlretrieve
return _urlopener.retrieve(url, filename, reporthook, data)
File "/usr/lib/python2.7/urllib.py", line 239, in retrieve
fp = self.open(url, data)
File "/usr/lib/python2.7/urllib.py", line 207, in open
return getattr(self, name)(url)
File "/usr/lib/python2.7/urllib.py", line 344, in open_http
h.endheaders(data)
File "/usr/lib/python2.7/httplib.py", line 954, in endheaders
self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 814, in _send_output
self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 776, in send
self.connect()
File "/usr/lib/python2.7/httplib.py", line 757, in connect
self.timeout, self.source_address)
File "/usr/lib/python2.7/socket.py", line 571, in create_connection
raise err
IOError: [Errno socket error] [Errno 110] Connection timed out
Setting up flashplugin-installer (11.2.202.310ubuntu0.12.04.1) …

The fix was to download the file manually (the 'x's in the file name represent the version numbers from the error above).

wget http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flashplugin_xx.x.x.x.orig.tar.gz

Then modify /usr/lib/update-notifier/package-data-downloader. You might want to back this file up first.

cp -v /usr/lib/update-notifier/package-data-downloader /usr/lib/update-notifier/package-data-downloader.bak

Then open the file and look for the line dest_file = urllib.urlretrieve(files[i])[0]

and replace it with dest_file = urllib.urlretrieve("/pathtofile/adobe-flashplugin_xx.x.x.x.orig.tar.gz")[0]

Now run

aptitude install flashplugin-installer

to install Flash using the recently downloaded source. Remember to restore the backed-up package-data-downloader afterwards, otherwise every future flashplugin-installer update will try to use that same local file.

Linux, Ubuntu

ClamAV detected duplicate databases.

If you restart the clamav service and receive the following warning, or you get an email from crond after updating because ClamAV detected duplicate databases:

[LibClamAV] Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them

just remove the older of the two files and restart clamd.

# cd /var/lib/clamav
# ls -l
total 249272
clam clam 345088 Oct 5 03:37 bytecode.cld
clam clam 26438656 Oct 17 03:16 daily.cld
clam clam 163468288 Sep 18 10:02 main.cld
clam clam 64720632 Sep 27 00:14 main.cvd
clam clam 156 Oct 17 10:00 mirrors.dat
# rm -rf main.cld

Depending on your distro of Linux (CentOS in this example):

# service clamd restart

Linux

Linux Tee command examples


In Linux, tee is a command that sends the output (stdout) piped into it to a file as well as to the terminal.

Because tee writes to the terminal as well as to the file, a command's activity can be watched live and also kept in a log file for later viewing. Using yum in this example, and compiling from source, as a way of keeping track of updates (the default yum log should do this, but it's just an example). If you are compiling from source this could be invaluable, as nothing keeps track of compiled packages (checkinstall is an exception).

# 2>&1 sends stderr to tee as well, so errors end up in the log file too
yum update -y 2>&1 | tee yumupdate.txt

An example compiling from source.

This example assumes you have all the dependencies, but you can check the logs output by tee for dependency errors.

You've downloaded the needed source and cd'd into that directory.

# 2>&1 merges stderr into the pipe, otherwise configure/make errors never reach the log
./configure 2>&1 | tee configure.txt
make 2>&1 | tee make.txt
make install 2>&1 | tee install.txt

This can help if any of the output overruns your terminal buffer and you can't scroll back far enough, but it also gives you a log you can look back at in case of any future issues: you can check the configure, make and install files for any errors, as well as where the files were installed to.

Bash Scripting, Linux

SCP bash script


An SCP bash script I wrote for SCP transfer via SSH. If any explanations are needed, please post a comment.

I have been really busy lately so haven't done many updates, so I am sharing a script I wrote. Although the script can be useful for automating scp, it's aimed at being a howto on using scp as well as on learning to use a Linux (Bash) shell.

#!/bin/bash
# Interactive wrapper around scp: asks for the file, server, directory, port and user.

echo "Enter filename: if in the same directory use the relative path, if not use the full path to the file (absolute path), i.e. /bin/bash instead of bash"
read -r SOURCE

echo "Enter destination server"
read -r DESTINATION

echo "Enter destination directory, must include / i.e. /root not root"
read -r DESTINATIONDIR

echo "SSH Port?"
read -r PORT

echo "Username?"
# REMOTE_USER rather than USER, so the shell's own $USER variable is not clobbered
read -r REMOTE_USER

# Quote the variables so file names with spaces survive word splitting.
scp -P "$PORT" "$SOURCE" "$REMOTE_USER@$DESTINATION:$DESTINATIONDIR"

In plain English, the direct command to type would be:

scp -P 22 file root@someserver.com:/root

Bash Scripting, Linux

Plesk stale pidfile control panel failing to start Linux

Plesk stale pidfile error: Plesk won't start, or gives a 500 error on loading in the browser.

service sw-cp-server start

You will see:

Starting SWsoft control panels server… stale pidfile. [FAILED]

Check the Plesk error log, /var/log/sw-cp-server/error_log.

tail -f /var/log/sw-cp-server/error_log

2012-06-02 11:43:27: (network.c.300) can't bind to port: 127.0.0.1 10001 Address already in use
2012-06-02 11:43:27: (log.c.75) server started
2012-06-02 11:43:27: (network.c.300) can't bind to port: 127.0.0.1 10001 Address already in use
2012-06-02 11:43:31: (log.c.75) server started
2012-06-02 11:43:31: (network.c.300) can't bind to port: 127.0.0.1 10001 Address already in use
2012-06-02 11:43:31: (log.c.75) server started
2012-06-02 11:43:31: (network.c.300) can't bind to port: 127.0.0.1 10001 Address already in use

Check what is listening on port 10001.

lsof -i tcp:10001

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sw-cp-ser 3179 sw-cp-server 5u IPv4 9026 TCP localhost.localdomain:scp-config (LISTEN)

Stop the Plesk service.

service sw-cp-server stop

Stoppping SWsoft control panels server… not running. [ OK ]

Remove the Plesk PID.

rm -rf /var/run/sw-cp-server.pid

Check if the Plesk process is still running.

ps ax | grep sw-cp-server | grep -v grep

3179 ? S 0:23 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config

Kill the process (the PID should match the one lsof showed listening on 10001).

ps ax | grep sw-cp-server | grep -v grep | awk '{print $1}' | xargs kill -9

Start Plesk.

service sw-cp-server start
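As an added example (not Plesk's or its init script's code), a small Python check that tells a genuinely stale pidfile apart from one naming a live process, which is the question to settle before the rm and kill -9 steps above. The paths and the dead pid value are constructed for the example.

```python
import os
import tempfile

# Added example, not Plesk's own code: classify a pidfile the way the "stale pidfile"
# check above has to, before deciding whether deleting it (and killing the listed
# pid) is safe.  All paths and the dead pid value below are constructed.

def pid_alive(pid):
    """True if a process with this pid exists, even one we are not allowed to signal."""
    try:
        os.kill(pid, 0)           # signal 0 only checks existence; nothing is delivered
    except ProcessLookupError:
        return False
    except PermissionError:
        return True               # exists but belongs to another user
    return True

def classify_pidfile(path):
    """Return 'missing', 'garbage', 'stale' or 'running' for the given pidfile."""
    try:
        with open(path) as fh:
            text = fh.read().strip()
    except FileNotFoundError:
        return "missing"
    if not text.isdigit():
        return "garbage"          # empty or truncated file: never kill based on it
    return "running" if pid_alive(int(text)) else "stale"

def demo():
    """Two constructed pidfiles: one naming this process, one naming a pid that
    cannot exist (above Linux's maximum pid_max of 4194304), plus a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        live, stale = os.path.join(tmp, "live.pid"), os.path.join(tmp, "stale.pid")
        with open(live, "w") as fh:
            fh.write("%d\n" % os.getpid())
        with open(stale, "w") as fh:
            fh.write("4194305\n")
        return (classify_pidfile(live), classify_pidfile(stale),
                classify_pidfile(os.path.join(tmp, "none.pid")))

if __name__ == "__main__":
    print(demo())
```

Only the "stale" verdict makes removing the pidfile the right fix; "running" means the lsof result above is the real answer and the old server needs stopping first.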

Linux, Plesk Linux, Virtual & Dedicated Servers

Reset Linux root password. Guide to reset Linux root password.


First off, you need some sort of "physical access to this box" to be able to reset the Linux root password; if it's not your desktop then some sort of remote KVM access (KVM: keyboard, video and mouse).

Note these instructions are based on CentOS, so should work for any Red Hat based distro, although they may differ.

At the GRUB prompt press e to enter edit mode.

Select the second line and press e again.

You will see an entry similar to the following (your GRUB entry will probably not look exactly the same as this).

kernel /vmlinuz-2.6.18-308.4.1.el5 ro root=/dev/sda3

Add init=/bin/sh to the end of the line (the steps so far should work on Debian/Ubuntu, although there you might need to use /bin/bash instead of /bin/sh, because Debian/Ubuntu symlink /bin/sh to /bin/dash rather than /bin/bash).

kernel /vmlinuz-2.6.18-308.4.1.el5 ro root=/dev/sda3 init=/bin/sh

Now press the enter key and then b to boot.

This will take you into single user mode.

Now mount the root partition in read and write mode so that the changes can be committed.

mount -o remount,rw /

Once the file system is mounted type the following.

passwd root

You will be prompted for the new password and then to confirm it.

You have now reset the Linux root password, so reboot.

Alternatively this can be done with a livecd.

1. Boot the livecd.

2. Mount the partition (replace * with the drive letter).

mount /dev/sd* /mnt/point

3. Use chroot to reset the root password on the disk (rather than on the livecd).

chroot /mnt/point passwd root

You will now be prompted to change the password, but as this is chrooted it only affects the partition you mounted and not the host. So you could do this from a desktop or server, also over NFS and maybe Samba.

chroot

chroot creates an isolated environment. So if you chroot /mnt/point it locks /mnt/point into a chroot jail (basically the same as an htdocs: it restricts the user to a directory that is "their root", and they can't go above it).

So chroot /mnt/point yum check-update (if yum is installed within /mnt/point)

would check for updates to the mounted chroot jail.

So if you ran chroot /mnt/point yum update, the system you mounted it on will not be updated, but the system that's within the chroot jail will. (Only the command given to chroot runs inside the jail, so chaining a second command with && after it would run that second command on the host.)

Linux, Virtual & Dedicated Servers

Disabling phpMyAdmin Plesk Linux

In the Plesk control panel I have never been able to find an option to disable phpMyAdmin within the panel. This guide will show how to prevent it from running or how to remove it.

To disable.

Log in via SSH and run the following.

chmod 000 /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin

To re-enable.

chmod 755 /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin

To remove.

rm /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin

Bash script to enable/disable it.

#!/bin/bash

#Author Phil Bond box-admin www.box-admin.com

# Path to the phpMyAdmin install shipped with Plesk, kept in one place
PMA=/usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin

echo "Permissions currently set on Plesk phpMyAdmin"
stat "$PMA"
echo

echo "Usage: enter enable to enable phpMyAdmin or disable to disable it"
read -r CHOICE

case "$CHOICE" in
    disable) chmod 000 "$PMA";;
    enable)  chmod 755 "$PMA";;
    *) echo "Unknown option: $CHOICE (expected enable or disable)"; exit 1;;
esac

echo "Permissions now set on Plesk phpMyAdmin"
stat "$PMA"

exit 0

Bash Scripting, Linux, Plesk Linux, Virtual & Dedicated Servers