loosebit

Posts posted by loosebit

  1. Keep Hackers Out Of Your Servers

    Most web admins ask the same question: how do I stop these hackers and spambots from trying to break into my server?


    Your website is safe from hackers.

    Of course, if only we didn’t have to use SSH this wouldn’t be a problem for most of us. Sometimes we spend far too much time securing our web application and not enough securing our own servers. Stick to the basics.

    In our 100% uptime world, turning off remote admin access is just not possible for most organizations; they need remote access 24/7 so that wherever you might be, you can still fix problems.

    Not every admin is going to have a dedicated Cisco ASA Intrusion Detection System at their disposal, so we need to be realistic when we are mitigating security.

    FAIL2BAN

    Fail2Ban is a wonderful tool every web admin should familiarize themselves with. It’s a very simple daemon that runs in the background, scouring through your logs.

    It looks at:

    • apache
    • vsftpd
    • lighttpd
    • sshd
    • postfix

    If you are reading this and using one of these services, go ahead and take a peek at your logs. You are probably going to see a lot of failed login attempts from IP addresses and usernames you don’t recognize. Before I go on there is one thing I need to mention.

    Never Allow Root Remote Logon for SSHD

    As a secondary mitigation always change the port your sshd service is running on.

    vi /etc/ssh/sshd_config

    PermitRootLogin no
    Port 1337

    Now we need to install fail2ban.

    For Redhat based:

    wget http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
    rpm -ivh epel-release-6-8.noarch.rpm

    fail2ban is not in the standard repo for Red Hat boxes, so we need to add the EPEL repo to yum.

    yum install fail2ban

    Now let’s make a new config file

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    Now let’s look at our config. It might be wise to add known ip addresses so they will not accidentally get banned.

    vi /etc/fail2ban/jail.local

    [DEFAULT]
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1

    # "bantime" is the number of seconds that a host is banned.
    bantime = 3600

    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime = 600

    # "maxretry" is the number of failures before a host get banned.
    maxretry = 3

    Once you have added one of your own trusted IP addresses to the config, let’s go over what will happen next.

    Essentially fail2ban crawls through all of the access logs you tell it to inside the config. If it recognizes an IP address trying to connect and getting a failed login, it will add it to a blacklist and apply the ban in iptables. You can preset criteria inside the config, but it does a pretty good job out of the box at stopping spammers. You can also set how long you want that IP address to be banned.

    Instead of editing the .htaccess files on your servers, with fail2ban you are only blocking malicious IP addresses, not bots trying to crawl your webpage. In that case you want bots to crawl your webpage so they know what’s on it.

    Keep those shells locked down!
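The ban logic the post describes (count failures per source address inside a findtime window, ignore trusted addresses, ban for bantime) written out as an added example; this is not code from the post or from fail2ban itself. It assumes the sshd line format of /var/log/secure on RHEL 6, fills in a year (2013) because syslog timestamps carry none, and uses the jail.local values above; the log lines are constructed.

```python
"""fail2ban-style scan of sshd failures (added example, not fail2ban's code).

Assumptions: RHEL 6 /var/log/secure line format for sshd, a syslog timestamp
without a year (YEAR below fills it in), and the jail.local values from the
post: findtime 600, maxretry 3, bantime 3600.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2013  # assumption: syslog lines carry no year

# "Failed password for [invalid user] <name> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one brute-forcer, one trusted LAN host, one slow guesser.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:00:04 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Mar  3 10:00:09 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 51041 ssh2
Mar  3 10:01:00 web1 sshd[2210]: Failed password for bob from 192.168.1.20 port 40012 ssh2
Mar  3 10:02:00 web1 sshd[2211]: Failed password for bob from 192.168.1.20 port 40013 ssh2
Mar  3 10:03:00 web1 sshd[2212]: Failed password for bob from 192.168.1.20 port 40014 ssh2
Mar  3 10:05:00 web1 sshd[2213]: Accepted password for bob from 192.168.1.20 port 40015 ssh2
Mar  3 10:20:00 web1 sshd[2220]: Failed password for alice from 198.51.100.7 port 33001 ssh2
Mar  3 10:31:00 web1 sshd[2221]: Failed password for alice from 198.51.100.7 port 33002 ssh2
Mar  3 10:42:00 web1 sshd[2222]: Failed password for alice from 198.51.100.7 port 33003 ssh2
""".splitlines()


def parse_failures(lines, year=YEAR):
    """Yield (timestamp, ip, user) for each sshd failed-login line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def is_ignored(ip, ignoreip):
    """ignoreip entries are plain addresses or CIDR masks, as in jail.conf."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def scan(lines, ignoreip=("127.0.0.1",), findtime=600, maxretry=3, bantime=3600):
    """Return {ip: ban_expiry}: an IP is banned once it has maxretry failures
    inside a findtime-second window, for bantime seconds from the last failure."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for ts, ip, _user in parse_failures(lines):
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans


if __name__ == "__main__":
    for ip, until in scan(SAMPLE_LOG, ignoreip=("127.0.0.1", "192.168.1.0/24")).items():
        print(f"ban {ip} until {until}")
```

With the LAN added to ignoreip only 203.0.113.5 is banned: bob’s three failures are trusted away, and alice’s three are eleven minutes apart, so no findtime window ever holds three of them. Drop the LAN from ignoreip and bob is banned too, which is exactly why the post says to whitelist your own addresses first.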

  2. Configuring Active Directory Accounts For Linux

    You may have followed our previous article detailing step by step how to integrate your RHEL 6 box into a Windows Active Directory environment. Being able to authenticate users and services to Active Directory from Linux is a big plus, but it’s not where this journey ends.

    We need to set up users’ default home directories and default shells before we can really allow users to log in and start using your server. There are two ways to accomplish this: if you have Unix Identity Management Services installed on your domain controller, you have an easy way to set these configurations inside Active Directory.

    From Windows

    Inside server manager select your Active Directory Domain Services, right click to Add Role Services.


    Make sure these roles are installed.

    Once you have installed these Role Services we can continue.

    If you want to administer active directory from your workstation, make sure you have the correct AD Administrative tools installed.


    Make sure you have local admin rights on your workstation.


    Once you have the correct tools installed open up Active Directory Users and Computers. Find a “test” user and open their properties. You will now see a new tab called UNIX Attributes.


    Specify Linux configs from Active Directory

    From here you can specify the UID (which will be assigned upon logging into Linux), Login Shell, Home Directory, and Primary Group. We aren’t going to go into detail on NIS domain because this is only important for older configurations of SSSD, LDAP, krb5, etc.

    Let’s run a getent and see what Linux pulls from Active Directory

    [root@server tmp]# getent passwd test

    test:*:940001114:940000513:test:/home/test@YOURDOMAIN.COM:/bin/bash

    Doesn’t match what’s in Active Directory? Read the linux part of this article to find out why.

    From Linux

    Remember that thing called SSSD? If not please go back and read this.

    Let’s add a few lines to our sssd.conf

    override_homedir = /home/%f
    override_shell = /bin/bash

    **Must restart SSSD to take effect**

    service sssd restart

    Only add these lines if you want this behaviour; either way is fine. However, if you have a more complex AD environment it is sometimes easier to specify inside SSSD what configuration you want for your users. In this example we have told SSSD that each AD user’s home directory on login is /home/username (created by oddjob) and that their default shell is /bin/bash.

    Most Linux users will expect this to be their default environment.

    There you have it. Go forth and shell with your active directory accounts.
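An added check over what getent returns once AD users resolve, not part of the original post: it parses passwd-style lines and flags the attributes that matter before you open SSH to the domain (a UID of 0 on anything but root, two accounts sharing a UID, a shell outside the list you allow), and it expands an override_homedir template using the substitutions sssd.conf(5) documents (%u login name, %U UID, %d domain, %f user@domain), which is why the getent output above shows /home/test@YOURDOMAIN.COM for a /home/%f template. The getent lines are constructed to look like the post’s output.

```python
"""Checks over `getent passwd` output for AD-backed users (added example).

The getent lines below are constructed to look like the post's output; the
%-substitutions are the ones sssd.conf(5) documents for override_homedir
(%u login name, %U uid, %d domain, %f fully qualified name, user@domain).
"""
import re

SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
test:*:940001114:940000513:test:/home/test@YOURDOMAIN.COM:/bin/bash
svc-backup:*:940001120:940000513:svc-backup:/home/svc-backup@YOURDOMAIN.COM:/bin/ksh
legacyadmin:*:0:940000513:legacyadmin:/home/legacyadmin@YOURDOMAIN.COM:/bin/bash
""".splitlines()


def expand_homedir(template, user, uid, domain):
    """Expand an override_homedir template the way sssd.conf(5) documents it."""
    subs = {"u": user, "U": str(uid), "d": domain, "f": f"{user}@{domain}"}
    return re.sub(r"%([uUdf])", lambda m: subs[m.group(1)], template)


def parse_passwd(lines):
    """Turn passwd(5)-style lines into dicts."""
    records = []
    for line in lines:
        name, _pw, uid, gid, _gecos, home, shell = line.strip().split(":")
        records.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return records


def audit(records, allowed_shells=("/bin/bash", "/bin/sh", "/sbin/nologin")):
    """Return (name, problem) pairs: a UID of 0 on anything but root, two
    accounts sharing a UID, or a shell outside the allowed list. UID and
    shell both come straight from the UNIX Attributes tab, so a typo there
    lands on every box joined to the domain."""
    findings = []
    owner = {}  # uid -> first account seen with it
    for r in records:
        if r["uid"] == 0 and r["name"] != "root":
            findings.append((r["name"], "uid 0 on a non-root account"))
        first = owner.setdefault(r["uid"], r["name"])
        if first != r["name"]:
            findings.append((r["name"], f"uid {r['uid']} collides with {first}"))
        if r["shell"] not in allowed_shells:
            findings.append((r["name"], f"shell {r['shell']} not in allowed list"))
    return findings


if __name__ == "__main__":
    print(expand_homedir("/home/%f", "test", 940001114, "YOURDOMAIN.COM"))
    print(expand_homedir("/home/%u", "test", 940001114, "YOURDOMAIN.COM"))
    for name, problem in audit(parse_passwd(SAMPLE_GETENT)):
        print(f"{name}: {problem}")
```

Feed it `getent passwd` output filtered to your AD accounts; the nss_filter_users = root line in the previous post’s sssd.conf is what keeps a domain object named root from ever reaching this list in the first place.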

  3. Red Hat Linux Active Directory Integration

    Can Linux boxes exist in a Windows Active Directory domain? The answer has been yes for a long time. However, until very recently this has been a very painful and tedious process: exporting certificates, trial-and-error config files, changing security settings on the domain controller, a major headache.

    Thankfully Red Hat has actually realized this was a problem. It’s funny that while Server 2012 is already released, Red Hat has only just added a simple method to integrate authentication with a Windows Active Directory domain.


    We are a release behind, better now than ever.


    The real OS of choice.

    NOTE: All Sample Configs are located at the bottom of this page.

    To start, this article ONLY applies to:

    • Red Hat Enterprise Linux 6.4
    • CentOS 6.4

    You can find out your version by using

    cat /etc/system-release (CentOS)
    cat /etc/redhat-release (Red Hat)

    If you are not familiar with SSSD (System Security Services Daemon) then I suggest you do some reading before you dive into this article. Also, this is geared more towards Linux admins than Windows admins. With these new changes you won’t need your Windows admin for anything, well, unless you need that domain admin access of course.

    BEFORE WE DO ANYTHING ALWAYS BACKUP YOUR CONFIGS

    authconfig --savebackup=mybackup

    First to get started let’s check what version of SSSD you have installed on your box.

    NOTE: If a domain name is in CAPS it is on purpose. This was not done for show.

    rpm -q sssd

    You will need at least SSSD 1.9.2 for this.

    Let’s go ahead and set up all of the necessary nss and pam config files.

    
    

    authconfig --enablesssd --ldapserver=ldap://dc1.yourdomain.com --ldapbasedn="dc=YOURDOMAIN,dc=COM" --enablerfc2307bis --enablesssdauth --krb5kdc=dc1.yourdomain.com --krb5realm=YOURDOMAIN.COM --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall

    vi /etc/krb5.conf

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = YOURDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    # These encryption types are required for ntvlmi and krb5i (packet signing)
    default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

    [realms]
    YOURDOMAIN.COM = {
    kdc = domaincontroller.yourdomain.com:88
    admin_server = domaincontroller.yourdomain.com:749
    default_domain = yourdomain.com
    }

    [domain_realm]
    .yourdomain.com = YOURDOMAIN.COM
    yourdomain.com = YOURDOMAIN.COM

    Next

    
    

    vi /etc/samba/smb.conf

    [global]
    workgroup = YOURDOMAIN
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    realm = YOURDOMAIN.COM
    security = ads

    vi /etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = YOURDOMAIN.COM

    [nss]
    nss_filter_groups = root
    nss_filter_users = root
    nss_entry_cache_timeout = 30
    nss_enum_cache_timeout = 30

    [domain/YOURDOMAIN.COM]
    id_provider = ad
    ad_server = domaincontroller.yourdomain.com
    ad_domain = yourdomain.com

    Now you will need an Active Directory account with administrator privileges to add a machine to the domain. Before you run kinit, make sure you sync your time with a domain controller.

    ntpdate dc1.yourdomain.com

    Once Time is synced continue with..

    
    

    kinit administrator

    Type your password.

    Confirm that you have received a Kerberos ticket by using

    klist

    If you do not see any tickets, please refer to your logs. SSSD is somewhat helpful inside /var/log/messages.

    Now that we have a ticket, we need to add this machine to the domain.

    
    

    net ads join -k

    If you receive a success message your new linux box should be inside active directory inside the default Computers Group. Verify with an Active Directory Admin to make sure your server object was created. Let’s run:

    
    

    service sssd restart

    If you did not receive any warning messages inside /var/log/messages we should be good to go.

    Test by running

    
    

    id yourusernamead

    and

    
    

    getent passwd yourusernamead

    You should be able to look up accounts at this point.

    Now the best part of this. Let’s set up PuTTY and SSHD to use your Kerberos key to authenticate to your Linux box. As you noted inside our sssd.conf, we have configured root accounts not to use AD authentication.

    First let’s make some changes to our SSHD configs.

    
    

    vi /etc/ssh/sshd_config

    Make sure you have this line un commented

    
    

    GSSAPIAuthentication yes

    Then on the client side:

    vi /etc/ssh/ssh_config

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

    Also, before trying to use PuTTY make sure you have a newer release and that your authentication settings are set up as follows:


    Make sure this is enabled.

    Now open a new session to your Linux box. Type in your Active Directory username and press enter. If Kerberos negotiation is successful you will NOT be prompted for a password.

    Happy Shelling

    Sample Config Files

    ssh_conf

    sshd_conf

    If you are a RedHat subscriber you can read their article on this subject here.
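Before running kinit and net ads join it is worth checking that the krb5.conf above is internally consistent, because a realm that does not match its [realms] block or a [domain_realm] entry pointing at an unknown realm both fail in ways the logs describe badly. The checker below is an added example, not part of the post or of Red Hat’s tooling: it parses the subset of krb5.conf syntax the post uses and reports mismatches plus any legacy enctypes in the three enctype lists (the legacy set follows RFC 6649 for DES and RFC 8429 for 3DES and RC4). The sample config is the post’s own, reconstructed as a string with its placeholder hostnames.

```python
"""Consistency check for the krb5.conf in the post (added example, not Red Hat's).

SAMPLE_KRB5 is the post's config reconstructed as a string. LEGACY_ENCTYPES
follows RFC 6649 (DES) and RFC 8429 (3DES and RC4).
"""

SAMPLE_KRB5 = """\
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = YOURDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# These encryption types are required for ntvlmi and krb5i (packet signing)
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
YOURDOMAIN.COM = {
kdc = domaincontroller.yourdomain.com:88
admin_server = domaincontroller.yourdomain.com:749
default_domain = yourdomain.com
}

[domain_realm]
.yourdomain.com = YOURDOMAIN.COM
yourdomain.com = YOURDOMAIN.COM
"""

LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
                   "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}


def parse_krb5(text):
    """Parse the krb5.conf subset the post uses: [sections], key = value lines,
    and REALM = { ... } blocks. Block keys (kdc may repeat) become lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf[section] = {}
        elif line.endswith("{"):
            block = line[:-1].partition("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        else:
            key, _, val = line.partition("=")
            key, val = key.strip(), val.strip()
            if block:
                conf[section][block].setdefault(key, []).append(val)
            else:
                conf[section][key] = val
    return conf


def check_krb5(conf):
    """Return human-readable findings; an empty list means the file is consistent."""
    findings = []
    lib = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = lib.get("default_realm")
    if default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] entry")
    for realm, entries in realms.items():
        if realm != realm.upper():  # an AD realm is the domain name in upper case
            findings.append(f"realm {realm!r} is not upper-case")
        if "kdc" not in entries:
            findings.append(f"realm {realm!r} lists no kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain!r} to unknown realm {realm!r}")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & LEGACY_ENCTYPES)
        if weak:
            findings.append(f"{key} allows legacy enctypes {weak}")
    return findings


if __name__ == "__main__":
    for finding in check_krb5(parse_krb5(SAMPLE_KRB5)):
        print(finding)
```

On the post’s config the only findings are the three rc4-hmac entries; whether you keep them depends on what your domain controllers still require, and the post’s comment says why they are there. Lower-casing the realm block name, a common slip when copying the domain name, produces the realm and default_realm mismatches that otherwise only surface as a failed kinit.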

  4. # Grabs users in the current domain and their latest lastLogon across all DCs.
    # lastLogon is not replicated between domain controllers, so every DC is
    # queried and the most recent value wins.
    
    Trap {"Error: $_"; Break;}
    
    $D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $Domain = [ADSI]"LDAP://$D"
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.PageSize = 200   # paged search, so large domains do not hit the server's size limit
    $Searcher.SearchScope = "subtree"
    
    $Searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    $Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
    $Searcher.PropertiesToLoad.Add("lastLogon") > $Null
    
    # Create hash table of users and their last logon dates.
    $arrUsers = @{}
    
    # Enumerate all Domain Controllers.
    ForEach ($DC In $D.DomainControllers)
    {
        $Server = $DC.Name
        $Searcher.SearchRoot = "LDAP://$Server/" + $Domain.distinguishedName
        $Results = $Searcher.FindAll()
        ForEach ($Result In $Results)
        {
            $DN = $Result.Properties.Item("distinguishedName")
            $LL = $Result.Properties.Item("lastLogon")
            If ($LL.Count -eq 0)
            {
                $Last = [DateTime]0
            }
            Else
            {
                # lastLogon is a 64-bit FILETIME: 100 ns ticks since 1601-01-01.
                # Casting to [DateTime] reads it as ticks since 0001-01-01, so
                # AddYears(1600) below lands on the real date.
                $Last = [DateTime]$LL.Item(0)
            }
            If ($Last -eq 0)
            {
                $LastLogon = $Last.AddYears(1600)   # never logged on: reports 1601-01-01
            }
            Else
            {
                $LastLogon = $Last.AddYears(1600).ToLocalTime()
            }
            # Keep the most recent value seen on any DC.
            If ($arrUsers.ContainsKey("$DN"))
            {
                If ($LastLogon -gt $arrUsers["$DN"])
                {
                    $arrUsers["$DN"] = $LastLogon
                }
            }
            Else
            {
                $arrUsers.Add("$DN", $LastLogon)
            }
        }
    }
    
    # Output latest last logon date for each user.
    $Users = $arrUsers.Keys
    ForEach ($DN In $Users)
    {
        $Date = $arrUsers["$DN"]
        "$Date;$DN"
    }
    
    

    I wrote this to grab the last time a user authenticated with any of the domain controllers in the domain. You can use | sort etc. or whatnot for viewing the data.

    Hope this helps!

    I am going to agree with you Ducky, DansGuardian, but I will take it a step further.

    For my "current" environment I am using ClearOS (uses DansGuardian) as my proxy, content filter, and IDS & IPS. I am not sure how scalable it is, but it can tie into AD if you pay for the module... Currently only using it for about 20 developers.

    I don't know of any off-the-shelf software for process monitoring and the like... however I do have some PowerShell scripts that might point you in the right direction. I'll try and share some when I get back into the "lab" tomorrow. Of course I can't have svn accessible outside...

    Hey Hak5, been a viewer for a while, since season 3? Finally getting back into the scene after a long hiatus.
    Looking forward to chatting with you guys and rambling.
    Been working on mostly Data projects as of late but it's time I go back to my roots..
    Favourite game: BF3(PC)
    Favourite OS: CentOS
    Nationality: ThePirateBay
    Favourite band: Choppin
    Favourite book: The Lions Game(DeMille)
    Favourite author: Porter Stansberry
    Favourite movie: Margin Call
    Favourite TV Show: Dexter
    Car: BMW 335I / VW GTI (Daily Driver)
    Occupation: Magician

    You may have heard me on theblitzbit Maybe...
