astrozinger


Vulnerability audits Part 2
April 23, 2013, 3:55 pm
Filed under: centOS, Linux, security

As I explained in my first post about vulnerability scans, the results don't necessarily tell the whole story. Unfortunately, the burden of proof is on the owner of the system rather than the auditor when verifying whether a machine is actually vulnerable to the flagged list of CVEs. For this purpose I created a script to take some of the work out of doing that check on an RPM-based Linux system. I have only tested it on CentOS but have no reason to believe it won't work on others.

To use it, copy the code into a file and make it executable by root:

chmod 700 <filename>

Create another file called vulns.txt with the CVE list (one per line) and run the script. It sorts the output into three sections: patched, unconfirmed (with a URL to read more about the CVE), and incorrect format. Indentation in the pasted code is cosmetic; add or adjust it to taste.

#!/bin/bash
################################################################
#
# This script is designed to check CVE vulnerabilities against the rpm install database.
# Vulnerability scanners scan against release versions of software which don't correlate
# to backported security fixes in the CentOS rpms. Therefore there will be several
# false positives when running a vulnerability scan. Place this file along with a
# file called vulns.txt with the CVE-xxxx-xxxx list, one per line (upper-case CVE,
# as the format check below is case-sensitive).
#
################################################################

# Variables
NOW=$(date +"%m-%d-%Y-%H-%M")
PATCHED=Patched$NOW.tmp
NOTPATCHED=NotPatched$NOW.tmp
PATCH_DETAIL=PatchedDetail$NOW.tmp
OUTPUT=Out$NOW.txt
INCORRECT=Incorrect$NOW.tmp
FILENAME=vulns.txt
BAD=0

# check for root, exit if not
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

# verify that vulns.txt exists
if [ ! -f "$FILENAME" ]; then
    echo "$FILENAME does not exist. Please copy the CVE list into $FILENAME and run this again."
    exit 1
fi

# create the work files up front so the cat/mv/rm below never hit a missing file
touch "$PATCHED" "$NOTPATCHED" "$PATCH_DETAIL" "$INCORRECT"

##### Intro
echo "This script will search the rpm database for CVE patches."
echo "Please press 1 for a quick overview of patched vulnerabilities"
echo "Please press 2 for an in depth query of vulnerabilities ~ 15 seconds per entry"
read CHOICE

while [[ $CHOICE != "1" && $CHOICE != "2" ]]; do
    echo "Please choose 1 or 2 or hit ctrl+c to exit"
    read CHOICE
done

##### Quick
# Both modes start with this pass: dump every changelog once, then grep it once per CVE.
if [ "$CHOICE" -gt 0 ]; then
    CVE=$(rpm -qa --changelog | grep CVE)
    while read -r line; do
        line=${line%$'\r'}          # tolerate CRLF lists pasted from a Windows report
        # skip blank lines
        if [ -n "$line" ]; then
            if [[ $line == CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9] ]]; then
                # grep the saved changelog text directly (echo would collapse it
                # onto one line); only the exit status matters here
                if grep -qi "$line" <<< "$CVE"; then
                    echo "$line" >> "$PATCHED"
                    echo "$line - Patched"
                else
                    echo "$line - http://web.nvd.nist.gov/view/vuln/detail?vulnId=$line" >> "$NOTPATCHED"
                    echo "$line - Needs further research"
                fi
            else
                echo "$line - Incorrect format"
                echo "$line" >> "$INCORRECT"
                BAD=1
            fi
        fi
    done < "$FILENAME"
fi

##### Super Slow
# Walk every package's changelog to find which package carries each patched CVE.
if [ "$CHOICE" -eq 2 ]; then
    echo "Matching CVE numbers to packages, this will take a few minutes."
    while read -r line; do
        for pkg in $(rpm -qa); do
            if rpm -q --changelog "$pkg" | grep -qi "$line"; then
                echo "$line - $pkg" >> "$PATCH_DETAIL"
            fi
        done
    done < "$PATCHED"

    rm -f "$PATCHED"
    mv "$PATCH_DETAIL" "$PATCHED"
fi

echo "These are confirmed patched" >> "$OUTPUT"
cat "$PATCHED" >> "$OUTPUT"
echo -e "\n" >> "$OUTPUT"
echo "These are unconfirmed and will require more research, a url is attached that might provide details" >> "$OUTPUT"
cat "$NOTPATCHED" >> "$OUTPUT"
echo -e "\n" >> "$OUTPUT"

if [ "$BAD" == "1" ]; then
    echo "These lines were not in the correct format. Please fix them and run it again." >> "$OUTPUT"
    cat "$INCORRECT" >> "$OUTPUT"
fi
echo -e "\n\nYour output is in $OUTPUT"

# clean up the temporary files
rm -f "$PATCHED" "$NOTPATCHED" "$PATCH_DETAIL" "$INCORRECT"



Vulnerability audits
April 22, 2013, 4:48 pm
Filed under: centOS, Linux, security

Working in IT while ignoring security is a recipe for disaster.  Security audits therefore become a necessary evil.  Vulnerabilities exist and there are people all over the world finding them and exploiting them.  Unfortunately, security auditing software is often a mechanized sham.  Here is what I mean:

When I first started at my new company, there was a customer who ran a security scan against our appliance.  I stepped in and volunteered to research the output to verify if we were in fact unacceptably insecure (I understand that secure does not exist).  The main concerns were against the version of Apache that we were running.  For the sake of the argument I will say that we were running CentOS 5.8 and httpd-2.2.3-65.el5.centos from the disk.

One of the vulnerabilities reported was as follows:

Apache HTTPD: mod_proxy_ftp FTP command injection (CVE-2009-3095)  Critical 1

For anyone not able to interpret that: it lists the package, the vulnerability name, the CVE number (CVE being the "Common Vulnerabilities and Exposures" database), and the 1 meaning very critical. For information about this vulnerability you can look right on the Apache page: http://httpd.apache.org/security/vulnerabilities_22.html, which clearly states it was fixed in version 2.2.14. Of course the vulnerability scanner is going to complain that I was vulnerable, since I was only running 2.2.3.

Fortunately Red Hat and all other major Linux distributions backport security fixes into their packages. Here is a great explanation on their website: https://access.redhat.com/security/updates/backporting/?sc_cid=3093. This creates a disconnect between the version number of a mainstream Apache release and the Red Hat Apache package: they fix vulnerabilities but do not introduce functional changes, since the software is meant to be running on stable servers.

While testing this issue, I came across a website (unfortunately it was too long ago to find and link back to) that offered the solution of turning off the version information in Apache by making the following change:

/etc/httpd/conf/httpd.conf
#ServerTokens OS
ServerTokens Prod

*I do realize that we should have had that turned off in the first place, but that is a different discussion.

The original scan declared there were 39 vulnerabilities, enough to put any businessman over the edge. After making that change, it returned only 10. I furthered my testing by looking at the rpm changelogs with `rpm -qa httpd --changelog` and looking for the following section:

* Wed Dec 16 2009 Joe Orton <jorton@redhat.com> - 2.2.3-33.el5
- add security fixes for CVE-2009-3555, CVE-2009-3094,
CVE-2009-3095 (#534042)

Good old Joe Orton saved the day by adding a fix back in 2009. This was enough evidence to show that the security scan was just comparing a database of potential vulnerabilities against whatever version information it could gather, then pumping that out in a nifty report to make the customer feel they really got their money's worth. Unfortunately, there isn't a simple way to scan for vulnerabilities without actually exercising the vulnerabilities in question with something like Metasploit, which is very dangerous to the server.

I then suggested to the customer that we rely on the rpm changelogs to verify the validity of the scan results, rather than just turning off the Apache version info. I created a list of all the CVE numbers and put them in a file called vulns.txt on the server. I then ran this:

for i in $(cat vulns.txt); do echo "$i"; rpm -qa --changelog | grep -i "$i"; done

This prints the changelog line for each CVE that has a fix mentioned in an rpm changelog, and leaves a blank under the ones that are not mentioned. From there it is a manual process to verify the remaining vulnerabilities. Fast forward to today and I came up with a better solution, but that will have to wait until I have more time.
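As an added example (not the post's own code, nor the script from Part 2 above): the one-liner and the Part 2 script both run rpm once per CVE, and the slow mode once per package per CVE. rpm can instead print every package name followed by its changelog entries in a single run through its query-format tags, and a short awk program maps each wanted CVE to the package that mentions it. The rpm query format is the only thing assumed about the system; the sample changelog text and CVE list are constructed, with the httpd entry taken from the post.

```bash
#!/bin/bash
# Added example: map CVE ids from a list to the rpm package whose changelog
# mentions them, in ONE pass over the rpm database.

# query format: a marker line with the package NVR, then its changelog entries
RPM_QF='==PKG== %{NAME}-%{VERSION}-%{RELEASE}\n[%{CHANGELOGTEXT}\n]'

# cve_map LISTFILE: reads "rpm -qa --qf "$RPM_QF"" output on stdin and one CVE
# id per line (any case) from LISTFILE; prints "CVE-id package" or
# "CVE-id UNCONFIRMED" for every id in the list, sorted.
cve_map() {
    awk -v listfile="$1" '
        BEGIN {
            # load the wanted ids, upper-cased, stray spaces/CR removed
            while ((getline l < listfile) > 0) {
                gsub(/[ \t\r]/, "", l)
                if (l ~ /^[Cc][Vv][Ee]-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+$/)
                    want[toupper(l)] = 1
            }
            close(listfile)
        }
        /^==PKG== / { pkg = $2; next }   # marker line: a new package starts
        {
            # one changelog line may name several CVEs (see the httpd entry)
            rest = toupper($0)
            while (match(rest, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+/)) {
                id = substr(rest, RSTART, RLENGTH)
                if ((id in want) && !(id in found)) found[id] = pkg
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END {
            for (id in want) {
                where = (id in found) ? found[id] : "UNCONFIRMED"
                print id, where
            }
        }' | sort
}

# constructed stand-in for:  rpm -qa --qf "$RPM_QF"
sample_rpm_output() {
    cat <<'EOF'
==PKG== httpd-2.2.3-65.el5.centos
- add security fixes for CVE-2009-3555, CVE-2009-3094,
CVE-2009-3095 (#534042)
==PKG== example-pkg-1.0-1.el5
- constructed entry fixing CVE-0000-0001
EOF
}

# demo: run the mapper over the sample with a constructed three-entry CVE list
demo() {
    local list
    list=$(mktemp)
    printf '%s\n' 'CVE-2009-3095' 'cve-2009-3555' 'CVE-0000-5678' > "$list"
    sample_rpm_output | cve_map "$list"
    rm -f "$list"
}

demo    # real use: rpm -qa --qf "$RPM_QF" | cve_map vulns.txt
```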



prime bash script
February 20, 2012, 5:57 pm
Filed under: math, prime

A couple of months ago I taught my 5 year old son about prime numbers and had him go through the exercise of calculating all of the prime numbers up to the number 13 (the point at which we ran out of marshmallows and his attention wavered).  I thought he did an exceptionally good job considering I haven’t yet taught him the necessary skill of division and he sorta figured it out ad-hoc by taking the number of marshmallows in question and trying to divide them into equal groups.  This of course is pretty simple until you reach 9, which he confidently did with little effort.   Because of this experiment with my son I have since been mildly fascinated with prime numbers and have spent a bit of time thinking about them and even reading the wikipedia page about them.

Last week I was in a very time consuming and important business meeting.  It was of the meeting-type that doesn’t allow for you to have your laptop for fear that you will multitask your way out of listening.  All I had was a pen and a blank piece of paper to keep me from internalizing the content being presented.

The first thing I decided to do was to try and calculate all of the prime numbers < 100 without using a calculator or doing calculations on the paper. Unfortunately the task didn't take up nearly enough time and I still had hours and hours of talking to ignore. I then proceeded to write down the logic for a bash script that would calculate all of the prime numbers less than a user-supplied whole number. Today, while working diligently to forget everything I didn't listen to in the meeting, I turned it into a Linux bash script that looks like the following:

#!/bin/bash
## This script will calculate prime numbers less than an input number and time the process.
time (
### Variables
n=0             ## This is a counter to find if each divides into the original number
primes=prime.txt
notprime=0      ## if this is 0 then the number is prime, 1 and it is not

## make sure the number is more than 2.
if [ "$1" -lt 2 ]; then
    cat /dev/null > "$primes"
    exit 1
else
    ## start off by adding 2 as the first prime number
    echo "2" > "$primes"
    n=3
fi

## cycle through all of the numbers less than the number added
while [ "$n" -lt "$1" ]; do
    ## This checks to see if any of the prime numbers in the list divide into the counter
    for i in $(cat "$primes"); do
        if (( n % i == 0 )); then
            notprime=1
            break       ## one divisor is enough, no need to test the rest
        fi
    done

    if [ "$notprime" == 0 ]; then
        echo "$n" >> "$primes"
    fi

    let n=n+1
    notprime=0
done
)

It doesn’t do any sort of error checking, but it does work for the purpose intended.  In my opinion it turned into a decent exercise and well worth the time to figure out.
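The same trial division, as an added example rather than the post's script: it keeps the primes found so far in an array instead of re-reading prime.txt on every pass, breaks on the first divisor, and stops testing once p*p exceeds n (a composite n always has a prime divisor no larger than its square root), which is what lets it go well past 100 quickly. The function names are mine.

```bash
#!/bin/bash
# Added example: primes below a limit by trial division against the primes
# already found, with the sqrt(n) cut-off.

# primes_below LIMIT: print every prime strictly less than LIMIT, one per line
primes_below() {
    local limit=$1 n p is_prime
    local -a primes=()
    for (( n = 2; n < limit; n++ )); do
        is_prime=1
        for p in "${primes[@]}"; do
            if (( p * p > n )); then
                break                   # no divisor of n can be larger than sqrt(n)
            fi
            if (( n % p == 0 )); then
                is_prime=0
                break                   # one divisor is enough
            fi
        done
        if (( is_prime )); then
            primes+=( "$n" )
        fi
    done
    if [ "${#primes[@]}" -gt 0 ]; then
        printf '%s\n' "${primes[@]}"
    fi
}

# count_primes_below LIMIT: how many primes lie below LIMIT (compare with pi(x))
count_primes_below() {
    primes_below "$1" | wc -l | tr -d ' '
}

primes_below "${1:-100}"    # usage: ./primes.sh 100
```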



pxe boot and network cleanup
December 17, 2011, 8:01 pm
Filed under: centOS, Linux, pxe, tftp, Uncategorized, yum

I recently learned that work is going to send me to a week long RHCSA/RHCE training, something I have been wanting to do for quite a while now.  I am pretty sure I could pass the RHCSA test with a little review, but the RHCE seems like it is going to be more difficult than all of my MBA classes combined.

The first thing I decided to do is clean up my network.  I had taken my cisco router out of the loop and temporarily turned it into an all-in-one router/webserver/media center for a group I have been working with over at ipadenclosures.  The router that I had been using in its place was the one that came from centurylink, which surprisingly enough has gig ethernet ports.  I am planning on dumping Centurylink and replacing it with Comcast entirely due to the slow upload speed at Centurylink.  I wasn’t planning on re-implementing my cisco router until that change happened, however I decided to hurry that process along and did it today.  Along with that I organized all of my devices and gave the important ones static ip addresses to make it easier to keep track of them.

The thing that kicked me into gear was an attempt last night to install a pxe server so I wouldn’t have to dig up the dvd/cd every time I wanted to install a new test environment.  Of course I am using vmware esxi and all of my cds/dvds are in the datashare, but that is beside the point.  I wanted to learn pxe and the only way to learn something is to try it until your head hurts, and then stay up all night until it stops hurting.

I used the following guides:

http://wiki.centos.org/HowTos/PXE/PXE_Setup
http://www.server-world.info/en/note?os=CentOS_6&p=pxe&f=2

http://www.server-world.info/en/note?os=CentOS_6&p=pxe

Here is what I think I ended up doing on a CentOS 6.1 minimal install from the minimal CD:

yum install syslinux xinetd tftp-server httpd
mkdir /var/lib/tftpboot/pxelinux.cfg
cp /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot/
vi /etc/xinetd.d/tftp
    disable = no
/etc/rc.d/init.d/xinetd start
chkconfig xinetd on

I then made the mistake of creating a DHCP server, which ended up taking control of my network and breaking everything. I didn't realize anything was broken until this morning. To fix it, I disabled that DHCP server, followed these instructions and did the following on my router running Tomato:

advanced->dnsmasq

dhcp-boot=pxelinux.0,,192.168.1.2

where 192.168.1.2 is my PXE server.

I also auto-mounted the DVD image in /etc/fstab:

/home/iso/CentOS-6.1-i386-bin-DVD1.iso     /var/pxe/centos6    iso9660 loop,ro 0 3

I then did the following:

mkdir -p /var/pxe/centos6
mkdir /var/lib/tftpboot/centos6
cp /var/pxe/centos6/images/pxeboot/vmlinuz /var/lib/tftpboot/centos6/
cp /var/pxe/centos6/images/pxeboot/initrd.img /var/lib/tftpboot/centos6/
cp /usr/share/syslinux/menu.c32 /var/lib/tftpboot/

Here is another spot where I deviated from the guide: I didn't want it to auto-boot into an install, but rather default to doing nothing:

vi /var/lib/tftpboot/pxelinux.cfg/default
timeout 100
default menu.c32
menu title ########## PXE Boot Menu ##########
label 1
menu label ^1) Boot from local drive
localboot
label 2
menu label ^2) Install CentOS 6
kernel centos6/vmlinuz
append initrd=centos6/initrd.img method=http://192.168.11.2/centos6 devfs=nomount

I then followed this exactly from the guide:

vi /etc/httpd/conf.d/pxeboot.conf
Alias /centos6 /var/pxe/centos6
<Directory /var/pxe/centos6>
    Options Indexes FollowSymLinks
    Order Deny,Allow
    Deny from all
    # IP addresses you allow
    Allow from 127.0.0.1 192.168.1.0/24
</Directory>

/etc/rc.d/init.d/httpd start

At this point I ran into some serious problems in that my pxe server didn’t appear to be working correctly.  I finally turned off the firewall and everything worked.  I searched high and low to figure out exactly what needed to be opened on iptables to get it working and nothing appeared to work.  I finally installed:

 yum install system-config-firewall

which added a bunch of stuff I didn't necessarily want, just so I could go in and enable tftp (and http while I was at it) through the GUI. It turns out that this is all it did:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT

Now I have a fully functioning PXE server to install CentOS 6.1 for all of my tests. Next steps: add a few other Linux distros for good measure, and then create a custom kickstart install so I don't have to do anything but select the install and walk away.



sendmail dyndns
September 16, 2011, 10:50 am
Filed under: Linux, sendmail, Uncategorized

I have had to borrow my dd-wrt router for another project (more on that later) which means that I no longer have the ability to run dyndns update from my stock centurylink router.   I figured I would take matters into my own hands and come up with a simple solution to get this fixed.

First of all I don’t run my server 24/7 like I used to since I rarely need it while I am away.   So I decided that my best bet is to have the server email me my external ip address every time I boot it.

The first thing I did was find an external IP address service like whatismyip.com or ipchicken.com from which I could get the information while stuck behind my firewall on a NAT. I failed to keep track of which blog I found this on; it was mentioned in the comments as one that gives just the IP, with no other junk:

wget -qO - http://cfaj.freeshell.org/ipaddr.cgi

From there I used this website as a cheat sheet for writing my script.

http://theos.in/shell-scripting/send-mail-bash-script/

However when I tried to send the email to myself at either yahoo or gmail I received the following:

(reason: 553 5.7.1 [BL21] Connections will not be accepted from xx.xx.xx.xx, because the ip is in Spamhaus’s list; see http://postmaster.yahoo.com/550-bl23.html)

That was less than ideal. I figured out how to send via my gmail account from the command line from here:

http://www.cyberciti.biz/tips/linux-use-gmail-as-a-smarthost.html

I then edited my final script to look something like this:

#!/bin/bash

##get the external ip address of your server
newip=`wget -qO - http://cfaj.freeshell.org/ipaddr.cgi`
email="email@yahoo.com"
subject="ip --- `date`"

echo $newip | mail -s "$subject" "$email"

I put that script under /usr/local/getip.sh and added it to rc.local, so now every time I boot I get the email with my latest IP address. One day I might have it sent to my phone, but for now I am still boycotting the SMS system due to the price.
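An added example, not the post's script: the same boot-time report, but it only mails a string that really is a dotted-quad IPv4 address (if the lookup service is down or answers with an HTML error page, the script above would mail that text instead) and only when the address differs from the one mailed last time. The lookup URL is the post's; STATE_FILE, MAILTO and the function names are my placeholders.

```bash
#!/bin/bash
# Added example: validate the fetched external address before mailing it,
# and mail only on change.

LOOKUP_URL=http://cfaj.freeshell.org/ipaddr.cgi
STATE_FILE=/var/local/last-external-ip    # assumed location, adjust as needed
MAILTO=email@example.com                  # placeholder recipient

# valid_ipv4 STRING: succeed only for a.b.c.d with every octet in 0..255
valid_ipv4() {
    local ip=$1 octet
    local -a octets
    local re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
    [[ $ip =~ $re ]] || return 1          # shape check: digits and dots only
    IFS=. read -r -a octets <<< "$ip"
    for octet in "${octets[@]}"; do
        [ "$octet" -le 255 ] || return 1  # range check per octet
    done
    return 0
}

# lookup_ip: fetch the external address and print it only if it validates
lookup_ip() {
    local ip
    ip=$(wget -qO - --timeout=10 "$LOOKUP_URL" | tr -d '[:space:]')
    valid_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# report_if_changed IP: mail IP and store it when it differs from the saved one;
# prints "changed" or "unchanged" so the caller can see what happened
report_if_changed() {
    local ip=$1 last=""
    [ -r "$STATE_FILE" ] && last=$(<"$STATE_FILE")
    if [ "$ip" = "$last" ]; then
        echo unchanged
        return 0
    fi
    printf '%s\n' "$ip" > "$STATE_FILE"
    echo "$ip" | mail -s "ip --- $(date)" "$MAILTO"
    echo changed
}

# from rc.local:  ip=$(lookup_ip) && report_if_changed "$ip"
```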



CentOS 5.5 and Xen for virtualization
September 24, 2010, 10:10 am
Filed under: centOS, Linux, xen

I just rebuilt my server with an AMD Athlon II x4 640, on an Asus M4A78T-E motherboard, with 4 gigs of ram and a 1 TB hard drive.  The purpose of this server is to provide a location to do testing various virtual machines – some of which will be 64-bit.  My old server doesn’t have the virtualization abilities needed, so it was time to upgrade, plus my mother needed a new computer and rather than build her one I built myself one and will give her my other machine (which is of decent quality).

To serve this purpose I decided to use CentOS 5.5 and Xen rather than VMware ESXi.  Unfortunately the chipset for the Ethernet card didn’t work natively with CentOS so I had to get a driver from elrepo.  For some reason this started a peth0 and an eth0 for the card and DHCP wouldn’t work, but when disabling the peth0 I was able to get on the network.

During the install I just chose the default settings for just about everything, including the checkbox for virtualization. However, I have found that most versions of Linux, even the small-footprint ones, still install way too much stuff.

Here are all of the services enabled by default, and whether they are actually critical:

[root@localhost ~]# chkconfig --list | grep :on | awk '{print $1}'
acpid – not needed on a server but suggested on a desktop
anacron – not needed on a server or desktop
atd – not needed on server or desktop
auditd – not needed on server or desktop – but may be useful since it saves audit records from the kernel
autofs – not needed on server but useful on a desktop
avahi-daemon
bluetooth – not needed on server or desktop
cpuspeed – not needed on server or desktop
crond – necessary
cups – not needed
firstboot – not needed after first boot
gpm – necessary
haldaemon – not needed on server but needed on desktop
hidd – not needed
hplip – not needed
ip6tables – not needed
iptables – needed
irqbalance – I would recommend on a multiprocessor system
iscsi – not needed
iscsid – not needed
isdn – not needed
kudzu – detects changes in hardware
libvirtd – its a xen thing
lvm2-monitor – leave it for lvm
mcstrans – leaving
mdmonitor – not needed unless using software raid
messagebus – not needed for server but useful for desktop
netfs – needed
network – needed
nfslock – needed
ntpd – keep
pcscd
portmap – keep
rawdevices – not needed
readahead_early – keep
readahead_later – keep
restorecond
rpcgssd – keep
rpcidmapd – keep
sendmail – not needed
smartd – keep
sshd – keep
syslog – keep
xend – keep
xendomains – keep
xfs – keep
yum-updatesd – keep

As is common, as soon as I finished cherry-picking the easy services from this list and adding a link to the man pages, I found the following link, which does a pretty good job of describing all of the services. I was searching for something like this before I started, but at least it made for a good exercise.



yum repo
September 2, 2010, 7:58 pm
Filed under: Linux, yum

A quick and dirty way to add an ISO of the install CD as a yum repo on Red Hat:

first mount the CD image:

mount -o loop file.iso /mnt/

then create a repo file at /etc/yum.repos.d/iso.repo

add the following to the file:

[iso-repo]
name=rhel5.5 iso
baseurl=file:///mnt/Server
enabled=1
gpgcheck=0

Sure it is quick and dirty, but it gets the job done.
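The same ISO repo with signature checking left on, as an added example rather than the post's recipe: gpgcheck=0 lets yum install anything it finds under the mount point, so the key that signed the media is imported and the repo is pointed at it. It assumes the key sits at the root of the ISO as RPM-GPG-KEY-redhat-release (check your media; CentOS names its key differently) and keeps the post's repo id, name and Server path; the function names are mine.

```bash
#!/bin/bash
# Added example: loop-mounted install ISO as a yum repo with gpgcheck enabled.

# iso_repo_config MOUNTPOINT SUBDIR KEYFILE: print a repo stanza for the mounted ISO
iso_repo_config() {
    local mnt=$1 subdir=$2 keyfile=$3
    cat <<EOF
[iso-repo]
name=rhel5.5 iso
baseurl=file://$mnt/$subdir
enabled=1
gpgcheck=1
gpgkey=file://$mnt/$keyfile
EOF
}

# repo_gpgcheck_enabled FILE: succeed only if FILE enables gpgcheck and never disables it
repo_gpgcheck_enabled() {
    ! grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0' "$1" &&
        grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1' "$1"
}

# setup_iso_repo ISO [MOUNTPOINT]: mount the image, import its key (filename assumed),
# and write /etc/yum.repos.d/iso.repo; needs root
setup_iso_repo() {
    local iso=$1 mnt=${2:-/mnt} key=RPM-GPG-KEY-redhat-release
    mount -o loop,ro "$iso" "$mnt"
    rpm --import "$mnt/$key"
    iso_repo_config "$mnt" Server "$key" > /etc/yum.repos.d/iso.repo
    repo_gpgcheck_enabled /etc/yum.repos.d/iso.repo
}

# usage: setup_iso_repo file.iso /mnt
```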