Sunday, May 31, 2009

Detecting Malicious PDFs

Last night at the NE Ohio Information Security Forum I gave a presentation on Detecting Malicious PDFs. I'm still not sure if I'm going to release the presentation, but I am going to release a Snort signature that I've found useful for detecting evil PDFs.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Potential Malicious PDF (OpenAction JavaScript)"; flow:from_server,established; content:"%PDF-"; content:"

This signature looks for the PDF header (indicating we're dealing with a PDF), then an /OpenAction followed by /JS. This indicates that JavaScript will be executed as soon as the document is opened.

Yes, I realize this signature can be easily bypassed with PDF obfuscation. However, I've found that attackers are not yet using this very much. Let me know if this is useful to you.
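As an added illustration (not part of the post or of the Snort rule itself), the same header / OpenAction / JS ordering applied in Python to a file's bytes; it also, as a defensive extension of the obfuscation caveat above, optionally decodes #xx hex escapes in PDF names before matching. The sample documents are constructed for the example.

```python
import re

def decode_name_escapes(data: bytes) -> bytes:
    """Expand #xx hex escapes, which PDF syntax allows inside name objects
    (/#4Fpen#41ction is the same name as /OpenAction). This is one of the
    cheap obfuscations that slips past a literal byte match. The substitution
    is applied to the whole buffer, which is acceptable for a detection
    heuristic but would corrupt a real parser's view of string objects."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def flags_openaction_js(data: bytes, normalize: bool = True) -> bool:
    """Same ordering as the Snort rule: a PDF header, then /OpenAction after
    it, then /JS after that. Compressed (FlateDecode) streams are not
    inflated, so only what is written in clear in the file is seen."""
    if normalize:
        data = decode_name_escapes(data)
    hdr = data.find(b"%PDF-")
    if hdr < 0:
        return False
    oa = data.find(b"/OpenAction", hdr)
    if oa < 0:
        return False
    return data.find(b"/JS", oa) >= 0

# Constructed sample documents (not real files from the post).
BENIGN = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
          b"%%EOF\n")
SUSPECT = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
           b"5 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n"
           b"%%EOF\n")
# The same document with the two key names hex-escaped: a literal match misses it.
OBFUSCATED = (SUSPECT.replace(b"/OpenAction", b"/#4Fpen#41ction")
                     .replace(b"/JS", b"/#4AS"))
```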

Tuesday, May 19, 2009

Reducing load on web server by using reverse proxy - squid

Many large organizations use caching proxy servers to save on network bandwidth utilization (and costs) and improve browsing response times. In fact, an entire industry has grown up around caching proxy appliances. But in the open source world, we’ve had one of the most advanced proxy servers for many, many years. Squid (http://www.squid-cache.org) is to caching proxy servers as Apache is to web servers.

A quick-win method of reducing load on a Web site is to use a reverse proxy, which intercepts requests from clients and then proxies those requests on to the Web server, caching the response itself as it sends it back to the client.

This is useful because it means that for static content the proxy does not always have to contact the Web server, but can often serve the request from its own local cache. This in turn reduces the load on the Web server. This is especially the case when the Web server also serves dynamic content, since the Web server hardware can then be tuned less for static content (which is cached by the front-end proxy) and more for serving dynamic content. It is also sometimes the case that although the Web server is serving dynamically created pages, these pages are cacheable for a few seconds or maybe a few minutes. By using a reverse proxy, the serving of these pages speeds up dramatically.

Reverse proxying in this manner can also be used alongside the simple load balancing system, where static and dynamic content are split across separate servers. Obviously the proxy would be used on only the static content Web server.

Squid Configuration for Reverse Proxy:
The reverse proxy has to intercept every request, in order to compare it with its cache content. Let's assume we have two machines:

* Web server serving http://www.example.net/ (192.168.0.1)
* squid.example.net (192.168.0.2)

In the squid.conf file we begin with the IP addresses and tell Squid to listen for incoming requests on port 80.

http_port 192.168.0.2:80 vhost vport
http_port 127.0.0.1:80
icp_port 0
cache_peer 192.168.0.1 parent 80 0 originserver default

A reverse proxy for a public Web server has to answer requests from everybody, so we need to add some ACLs.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl reverseproxy dst 192.168.0.1 192.168.0.2
http_access allow reverseproxy
http_access allow manager localhost
http_access deny manager
http_access deny all
deny_info http://www.example.net/ all

You can change your configuration as per your needs.

Sunday, May 17, 2009

(R)ecovery (I)s (P)ossible Linux rescue system

Recovery Is Possible (RIP) is a Slackware-based CD boot/rescue/backup/maintenance system. It has support for a lot of filesystem types (Reiserfs, Reiser4, ext2/3, iso9660, UDF, XFS, JFS, UFS, HPFS, HFS, MINIX, MS DOS, NTFS, and VFAT) and contains a bunch of utilities for system recovery. It also has IDE/SCSI/SATA, PCMCIA, RAID, LVM2, and Ethernet/DSL/cable/PPP/PPPOE network support.

RIPLinux comes with lots of tools:

* Programs like fetchmail, curl, wget, ssh/sshd, mutt, links, msmtp, tmsnc, slrn, lftp, Firefox
* Includes packages like cdrwtool, mkudffs and pktsetup for writing backups & files to optical media.
* system monitoring: lshw, atop, htop, dmesg, dmidecode, mount utility (of course, these tools come with most of the Linux distros today but they could be useful to detect I/O errors, BIOS warnings, damaged partitions)
* partitioning: fdisk, cfdisk, Ghost For Linux, GParted, Grub, Partimage, Testdisk (the list of supported partition types includes EXT4, Reiser4 and NTFS)
* fsck.reiserfs and fsck.reiser4 to check and repair ReiserFS and Reiser4 filesystems.
* xfs_repair to repair XFS filesystems.
* jfs_fsck to check and repair JFS filesystems.
* e2fsck to check and repair ext2 or ext3 filesystems.
* ntfsresize for resizing Windows NTFS partitions without losing data.
* ntfs-3g to write to Windows NTFS filesystems.
* chntpw to view information and user passwords on Windows systems.
* cmospwd to retrieve the password from CMOS/BIOS.

Wednesday, May 13, 2009

How to set access restrictions on user logins

Time Based Restrictions
These examples will limit the login times of certain users. See /etc/security/time.conf for more information/examples. In order to place time restrictions on user logins, the following must be placed in /etc/pam.d/login:

account required /lib/security/pam_time.so

The remaining lines should be placed in /etc/security/time.conf.

1. Only allow user nikesh to log in on weekdays between 7 am and 5 pm (Wk is the weekday code; Wd would mean the weekend):

login;*;nikesh;Wk0700-1700

2. Allow users A and B to log in on all days between 8 am and 5 pm except for Sunday.

login;*;A|B;AlSu0800-1700

If a day is specified more than once, it is unset. So in the above example, Sunday is specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule applies to all days except Sunday.
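To make the day-code folding concrete, here is an added Python evaluator (not part of the original post or of pam_time itself) for the subset of time.conf syntax used above: it folds day codes with the "named twice unsets it" rule and checks a login attempt against one rule line. It also distinguishes Wk (Mon to Fri) from Wd (weekend), which is worth checking when writing weekday rules; the end-exclusive time comparison is an assumption of the example.

```python
import datetime as dt

# Day codes from time.conf(5) as bitmasks, bit 0 = Sunday .. bit 6 = Saturday.
# Wk is the working week (Mo-Fr), Wd is the weekend (Sa, Su), Al is every day,
# so an entry written with Wd restricts logins to the weekend, not weekdays.
DAY_BITS = {
    "Su": 0b0000001, "Mo": 0b0000010, "Tu": 0b0000100, "We": 0b0001000,
    "Th": 0b0010000, "Fr": 0b0100000, "Sa": 0b1000000,
    "Wk": 0b0111110, "Wd": 0b1000001, "Al": 0b1111111,
}

def parse_days(spec: str) -> int:
    """Fold day codes into one bitmask; a day named twice is unset (XOR),
    which is why AlSu means every day except Sunday and MoMo means no day."""
    mask = 0
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        if code not in DAY_BITS:
            raise ValueError(f"unknown day code {code!r} in {spec!r}")
        mask ^= DAY_BITS[code]
    return mask

def in_window(times_field: str, when: dt.datetime) -> bool:
    """True if 'when' lies inside e.g. 'AlSu0800-1700'. The end time is
    treated as exclusive (an assumption of this example, not from the post)."""
    start, end = times_field[-9:].split("-")
    if not (len(start) == len(end) == 4 and (start + end).isdigit()):
        raise ValueError(f"bad time range in {times_field!r}")
    day_bit = 1 << ((when.weekday() + 1) % 7)     # weekday(): Mon=0 .. Sun=6
    if not parse_days(times_field[:-9]) & day_bit:
        return False
    hhmm, start, end = when.hour * 100 + when.minute, int(start), int(end)
    if start <= end:
        return start <= hhmm < end
    return hhmm >= start or hhmm < end            # window wraps past midnight

def rule_permits(line: str, service: str, user: str, when: str) -> bool:
    """Evaluate one time.conf line (services;ttys;users;times) for a login at
    ISO timestamp 'when'. A rule whose service or user list does not match
    imposes no restriction. Handles '*' and '|' lists only, not '!' or '&'."""
    services, _ttys, users, times = line.split(";")
    if services != "*" and service not in services.split("|"):
        return True
    if users != "*" and user not in users.split("|"):
        return True
    return in_window(times, dt.datetime.fromisoformat(when))
```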

Access Based Restrictions
/etc/security/access.conf can be used to restrict access by terminal or host. The following must be placed in /etc/pam.d/login in order for these examples to work:

account required /lib/security/pam_access.so

1. Deny nikesh login access on all terminals except for tty1:

-:nikesh:ALL EXCEPT tty1

2. Users in the group operator are only allowed to log in from a local terminal:

-:operator:ALL EXCEPT LOCAL

3. Allow user A to log in only from a trusted server:

-:A:ALL EXCEPT trusted.somedomain.com

Sunday, May 10, 2009

Fighting Spam mails

Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send -- most of the costs are paid for by the recipient or the carriers rather than by the sender.

Spammers get your e-mail addresses from web pages, newsgroups or domain records (if you have your own domain). There are individuals who use robots to extract the addresses, burn them on CDs and sell them very cheaply to other spammers. If you write your e-mail address in clear text on your homepage today such that programs can extract it, then you will have a major problem in a few months' time and you can't stop it. The problem will be growing every day!

Now let's discuss some common filter techniques and how they work. I will not describe how to configure them exactly in each MTA. Instead I suggest you read the documentation that comes with the MTA you have installed. Postfix and Exim are well documented.

Realtime Block lists:
These are DNS-based lists. You check the IP address of the mail server that wants to send mail to your server against a blacklist of known spammers. A common list is www.spamhaus.org. You should however not be too enthusiastic about it and should choose the lists carefully, since there are also some which block entire IP ranges simply because one spammer used a dialup connection from that ISP at one point in time.

8 bit characters in subject line:
About 30% of spam originates in China, Taiwan or other Asian countries these days. If you are sure that you can't read Chinese, then you can reject mail which has a lot of 8-bit (non-ASCII) characters in the subject. Some MTAs have a separate configuration option for this, but you can also use regular expression matching on the header:

/^Subject:.*[^ -~][^ -~][^ -~][^ -~]/

This will reject email which has four or more consecutive characters in the subject line that are not in the ASCII range space to tilde. Both Exim and Postfix can be compiled with Perl regular expression support. This method is quite good and keeps out 20-30% of the spam.
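As an added illustration (not from the post), the same regular expression applied in Python to a few constructed header blocks, showing what it catches and what it lets through, including a properly RFC 2047 encoded non-English subject, which is pure ASCII and so is not rejected:

```python
import re

# The post's header rule: four (or more) consecutive bytes outside printable
# ASCII (space .. tilde) after "Subject:". Written as a bytes pattern because
# an MTA sees raw header bytes, not decoded text.
SUBJECT_8BIT = re.compile(rb"^Subject:.*[^ -~][^ -~][^ -~][^ -~]")

def subject_has_8bit_run(raw_headers: bytes) -> bool:
    """Return True if the Subject header line trips the rule.

    The pattern is run line by line on purpose: applied to the whole header
    block with ^ as a line anchor, the CRLF CRLF that ends the headers would
    itself supply four non-printable bytes and reject any message whose
    Subject happens to be the last header."""
    for line in raw_headers.split(b"\r\n"):
        if SUBJECT_8BIT.search(line):
            return True
    return False

def classify(raw_headers: bytes) -> str:
    return "reject" if subject_has_8bit_run(raw_headers) else "accept"

# Constructed sample header blocks (not from the post).
PLAIN = b"From: a@example.com\r\nSubject: Meeting tomorrow\r\n\r\n"
# Raw UTF-8 Chinese in the subject: each character is three bytes >= 0x80,
# so the run of non-printable bytes is well over four.
RAW_UTF8 = (b"From: a@example.com\r\nSubject: "
            b"\xe4\xbd\xa0\xe5\xa5\xbd\xe4\xb8\x96\xe7\x95\x8c\r\n\r\n")
# The same text as an RFC 2047 encoded word is ASCII only and passes:
# the rule only catches mail that dumps raw 8-bit bytes into the header.
ENCODED = b"From: a@example.com\r\nSubject: =?UTF-8?B?5L2g5aW9?=\r\n\r\n"
# Two accented bytes (UTF-8 for e-acute) stay below the threshold of four.
SHORT = b"From: a@example.com\r\nSubject: caf\xc3\xa9 au lait\r\n\r\n"
```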

Lists with "From" addresses of known spammers:
Forget it. This used to work back in 1997. Spammers today use faked addresses or addresses of innocent people.

Reject non FQDN (Fully Qualified Domain Name) sender and unknown sender domain:
Some spammers use non-existent addresses in the "From". It is not possible to check the complete address, but you can check the hostname/domain part of it by querying a DNS server.
This keeps out about 10-15% of the spam and you don't want these mails anyhow because you would not be able to reply to them even if they were not spam.

IP address has no PTR record in the DNS:
This checks that the IP address from where you get the mail can be reverse resolved into a domain name. This is a very powerful option and keeps out a lot of mail. I would not recommend it! This does not test if the system administrator of the mail server is good but if he has a good backbone provider. ISPs buy IP addresses from their backbone providers and they buy from bigger backbone providers. All involved backbone providers and ISPs have to configure their DNS correctly to make the whole chain work. If somebody in between makes a mistake or does not want to configure it then it does not work. It says nothing about the individual mail server at the end of the chain.

Require HELO command:
When two MTAs (mail servers) talk to each other via SMTP, they first say who they are. Some spam software does not do that. This keeps out 1-5% of the spam.

Require HELO command and reject unknown servers:
You take the name that you get in the HELO command and then you go to DNS and check if this is a correctly registered server. This is very good because a spammer who uses just a temporary dialup connection will usually not configure a valid DNS record for it.
This blocks about 70-80% of all spam, but also rejects legitimate mail which comes from sites with multiple mail servers where a sloppy system administrator forgot to put the hostnames of all servers into DNS.

Some MTAs have even more options but the above are quite commonly available in a good MTA. The advantage of all those checks is that they are not CPU intensive. You will usually not need to update your mailserver hardware if you use those checks.

Sunday, May 3, 2009

AutoRun will be removed from Windows 7/Vista/XP

It is reported that Microsoft plans to remove part of the AutoRun functionality from its operating systems. In the near future, removable storage devices such as flash drives will no longer run automatically when plugged into a PC. The only place AutoRun will be retained is optical media; surveys show that the chance of an optical disc carrying a virus is much lower than for flash drives and similar media.

Microsoft has always claimed that its AutoRun feature is safe, but all along viruses have kept spreading rampantly through this feature. Although disabling AutoRun may cause some inconvenience for computer novices, Microsoft has now decided to disable the feature in Windows 7, Windows Vista and Windows XP.

Monitoring Bandwidth Usage - iftop

iftop does for network usage what top(1) does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts.

Overview of IFTOP
* iftop (interface top) derives the name from the standard unix top command. top command displays real-time CPU Usage. iftop command displays real-time network bandwidth usage.

* iftop displays the network usage of a specific interface on the host.

* Using iftop you can identify which host is responsible for slowing down your network.

* To find out which process is causing the problem, note down the port number from the iftop and use netstat -p to identify the process.

* iftop monitors your network activity, and displays a table of current bandwidth.


Download the source code from the iftop website and compile/install iftop using the following commands:

# tar -zxvf iftop-0.17.tar.gz
# cd iftop-0.17
# ./configure
# make
# make install

Using:
Go to your console and run the command iftop to start monitoring bandwidth usage.
You can also specify a particular interface with the -i option: iftop -i eth1. Some other options:
* -p Enables promiscuous mode, so traffic on any interface (if there is more than one) is checked and counted

* -P Also shows the port each connection is using, on both sides

* -N Do not resolve port numbers to service names (resolving is the default when you enable -P), so connections are shown as :80 rather than :www