October 29

PIX/ASA 7.2(1) and later: Intra-Interface Communications

Background Information

[Figure: intra-interface-communications-1.gif]

Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses that have been used in a lab environment.

same-security-traffic permit intra-interface

Intra-Interface Communications Enabled

With the same-security-traffic permit intra-interface command added to the previous configuration, intra-interface communication is now enabled. Host 172.22.1.6 pings host 172.16.10.1: it sends an ICMP echo request to its default gateway (the ASA), and because the destination is reached through the same interface the request arrived on, the ASA, which would drop such hairpinned traffic without the command, now forwards it. Host 172.22.1.6 records successful replies from 172.16.10.1; the ASA passes the ICMP traffic successfully.

[Figure: intra-interface-communications-5.gif]

 

Category: CISCO
October 15

Installing mod_security on Apache2 under Debian 6

If you run a web server you know how hard it is to keep it secure, even more so when you host PHP, Python, etc. applications.

No matter how paranoid or tidy you are, there are always weak spots, and if you look through your server logs you will surely find hundreds of XSS, SQL injection and similar attack attempts.

The idea of this mini tutorial is to help you set up ModSecurity on your Apache server so that you can fend off a large share of these attacks without driving yourself crazy.


Step by step… What is Mod_Security?

According to Wikipedia, ModSecurity is an intrusion detection and prevention tool for web applications.

Basically, it is an Apache module that inspects all the HTTP traffic passing through your web server and acts on the result, for example rejecting the request if it is something dangerous or malicious.

For more information on mod_security see http://es.wikipedia.org/wiki/Mod_Security or, better still, http://www.modsecurity.org/.

Unfortunately the Debian packages of mod_security are always out of date (very old versions) or not available at all (even more so for Debian 6 / squeeze), so here we will install mod_security directly from its source code.

First download the latest version into /usr/src. At the time of writing this is version 2.6.0; check that it is still the latest at http://www.modsecurity.org/download/.

# cd /usr/src/
# tar zxvf modsecurity-apache_2.6.0.tar.gz

Install the tools and libraries we need to build all this (liblua5.1-0-dev is included so that ./configure finds the Lua headers and builds Lua support, which the LoadFile line for liblua below assumes):

# apt-get install build-essential apache2-threaded-dev libxml2 libxml2-dev lua5.1 liblua5.1-0 liblua5.1-0-dev libcurl3 libcurl3-dev

Compile modsecurity and install it:

# cd modsecurity-apache_2.6.0
# ./configure
# make
# make install

Now create the file /etc/apache2/mods-available/mod_security2.load with the following content:

LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so.0
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

Once that is done, enable the modules we will use (unique_id provides the per-request IDs that the audit log records):

# a2enmod mod_security2
# a2enmod unique_id

Copy the minimum configuration needed to run mod-security, from the source directory we are still in:

# cp modsecurity.conf-recommended /etc/apache2/conf.d/modsecurity.conf

Now download the most up-to-date rule pack and install it (at the time of writing it was modsecurity-crs_2.2.0, but check http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/ for the latest one, since it changes constantly):

# cd /etc/apache2/
# tar xzvf modsecurity-crs.tar.gz
# mv modsecurity-crs_2.2.0 /etc/apache2/modsecurity_crs
# rm -fr modsecurity-crs.tar.gz
# chown -R root:root /etc/apache2/modsecurity_crs/
# cd /etc/apache2/modsecurity_crs
# mv modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf

Now adjust the mod-security configuration so that the log files go where we want and the rule pack we just downloaded is included.
To do so, edit the configuration file:

# vim /etc/apache2/conf.d/modsecurity.conf

Look for the lines:

# SecDebugLog /opt/modsecu
# SecDebugLogLevel 3

uncomment them and leave them like this:

SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 3

Then look for the lines:

# SecAuditLogType Serial
# SecAuditLog /var/log/modsec_audit.log

uncomment them and leave them like this:

SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

While you are in this file, check the SecRuleEngine line near the top: modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, which evaluates and logs the rules but blocks nothing. Leave it that way while you review the audit log for false positives, then change it to SecRuleEngine On; until you do, this setup only detects attacks, it does not stop them.

And at the very end of the file, add the following lines, which load every rule of the pack we downloaded:

Include /etc/apache2/modsecurity_crs/*.conf
Include /etc/apache2/modsecurity_crs/base_rules/*.conf

Save the file and exit.

Next, create the log files we are going to use and set the required permissions:

# touch /var/log/apache2/modsec_debug.log
# touch /var/log/apache2/modsec_audit.log
# chown root:root /var/log/apache2/modsec_*
# chmod 660 /var/log/apache2/modsec_*

That's all; now we can ask Apache to check that the configuration is OK:

# apache2ctl configtest

If everything is fine we will see a beautiful:

Syntax OK

If not, something failed and we must review the whole configuration.

DO NOT CONTINUE UNTIL YOU SEE “Syntax OK”!

Now, if everything is OK, we can restart Apache2:

# /etc/init.d/apache2 restart

After restarting, look at the Apache error log to confirm that ModSecurity was actually loaded:

# tail /var/log/apache2/error.log

You should see something like:

[Wed Jun 15 19:15:59 2011] [notice] ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/) configured.
[Wed Jun 15 19:16:00 2011] [notice] ModSecurity: APR compiled version="1.2.12"; loaded version="1.2.12"
[Wed Jun 15 19:16:00 2011] [notice] ModSecurity: PCRE compiled version="7.6"; loaded version="7.6 2008-01-28"
[Wed Jun 15 19:16:00 2011] [notice] ModSecurity: LIBXML compiled version="2.6.32"
[Wed Jun 15 19:16:01 2011] [notice] Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch configured -- resuming normal operations

That's it! We have mod-security running on our Apache!
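Once ModSecurity is loaded, the next thing to do is read what it writes. The script below is an added example for this tutorial (not code from the original post nor from the ModSecurity project): it reads a Serial audit log of the kind configured above and answers the two questions you will have right after the install: which rules are firing, and is ModSecurity blocking or only warning? The audit log and the configuration extract inside it are constructed for the example; rule ids 950901 (SQL injection) and 958051 (XSS) are CRS 2.2 ids, but the hosts, timestamps, boundary tokens and matched data are made up. Point it at /var/log/apache2/modsec_audit.log and /etc/apache2/conf.d/modsecurity.conf on a real box instead.

```shell
#!/bin/sh
# Added example for this tutorial (not code from the original post nor from the
# ModSecurity project): read the Serial audit log configured above and answer
# the two questions you will have right after the install: which rules fire,
# and is ModSecurity blocking or only warning?
#
# The audit log and the configuration extract are constructed for this example.
# Rule ids 950901 (SQL injection) and 958051 (XSS) are CRS 2.2 ids, but hosts,
# timestamps, boundary tokens and matched data are made up. The first two
# records were written with SecRuleEngine DetectionOnly (the default shipped
# in modsecurity.conf-recommended), the third after changing it to On.

SAMPLE_LOG="${TMPDIR:-/tmp}/modsec_audit_sample.$$"
SAMPLE_CONF="${TMPDIR:-/tmp}/modsecurity_sample.conf.$$"
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
--4f3a2b1c-A--
[15/Jun/2011:19:20:01 --0300] TflzAX8AAAEAAAzUMbcAAAAA 203.0.113.7 51234 192.0.2.10 80
--4f3a2b1c-B--
GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1
Host: www.example.com

--4f3a2b1c-H--
Message: Warning. Pattern match "(?i)\bor\b" at ARGS:id. [file "/etc/apache2/modsecurity_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data "' OR '1'='1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
Producer: ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/); core ruleset/2.2.0.

--4f3a2b1c-Z--
--4f3a2b1d-A--
[15/Jun/2011:19:21:07 --0300] TflzBn8AAAEAAAzVMbgAAAAB 198.51.100.23 40112 192.0.2.10 80
--4f3a2b1d-B--
GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1
Host: www.example.com

--4f3a2b1d-H--
Message: Warning. Pattern match "(?i)<script" at ARGS:q. [file "/etc/apache2/modsecurity_crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "25"] [id "958051"] [rev "2.2.0"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script>"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]
Producer: ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/); core ruleset/2.2.0.

--4f3a2b1d-Z--
--4f3a2b1e-A--
[16/Jun/2011:08:02:44 --0300] TfnQdH8AAAEAAAzWMbkAAAAC 203.0.113.7 51890 192.0.2.10 80
--4f3a2b1e-B--
GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1
Host: www.example.com

--4f3a2b1e-F--
HTTP/1.1 403 Forbidden

--4f3a2b1e-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)\bor\b" at ARGS:id. [file "/etc/apache2/modsecurity_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data "' OR '1'='1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/); core ruleset/2.2.0.

--4f3a2b1e-Z--
EOF

# Extract of the shipped configuration, reproduced so the check below has input.
cat > "$SAMPLE_CONF" <<'EOF'
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
EOF

# Which rules fire, most frequent first: "<count> <rule id> <rule message>".
modsec_rule_hits() {
    grep '^Message: ' "$1" \
        | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Matches that were only logged ("Warning.") versus enforced ("Access denied").
# Only warnings and no denials means the engine is still in DetectionOnly mode
# and every one of those requests reached the application.
modsec_warned() { grep -c '^Message: Warning\.' "$1"; }
modsec_denied() { grep -c '^Message: Access denied' "$1"; }

# Effective SecRuleEngine value of a configuration file (the last one wins).
modsec_rule_engine() {
    sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

echo "SecRuleEngine is: $(modsec_rule_engine "$SAMPLE_CONF")"
echo "rules that fired:"
modsec_rule_hits "$SAMPLE_LOG"
echo "warned only: $(modsec_warned "$SAMPLE_LOG")  denied: $(modsec_denied "$SAMPLE_LOG")"
```

The rule-id summary is what you tune against: a rule that fires on legitimate traffic gets a SecRuleRemoveById exception, and only when the summary looks clean do you switch SecRuleEngine to On. The warned/denied split is the quick way to notice that a server believed to be protected is still only watching.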

Category: MOD_SECURITY
October 3

RECOVERING THE ROOT PASSWORD ON DEBIAN

Tested on Debian wheezy / squeeze

1- When booting the netbook or PC, at the GRUB menu press the letter e to edit the selected entry.

2- In the edit screen that appears, locate the line that reads:
linux /boot/vmlinuz-3.2.0-4-686-pae  root=UUID=04064ae3XXXXXXXX ro quiet

and append at the end:      init=/bin/bash

Note: GRUB uses the US keyboard layout, so on my (Spanish) keyboard the equals sign = is on the ¿/¡ key.

3- Press F10 (or Ctrl-x) to continue booting. Instead of the normal init you get a root shell, with the root filesystem mounted read-only, so the first thing to type is:

mount -o remount,rw /

Note: -o is the letter o, not the digit zero.

4- Now change the root password with:
passwd root
Type the new password; the system asks for it again to confirm. (For security, Linux does not echo what you type; press Enter when you are done.)

The system confirms that the password was changed (passwd: password updated successfully).

5- All that is left is to reboot so the system comes up normally with the new root (administrator/superuser) password. Because bash is running as PID 1 there is no init process for a regular shutdown to talk to, so flush the disks and reboot directly:
sync
reboot -f

Keep in mind that this is exactly what anyone with physical access to the console can do; if that matters to you, protect the GRUB menu with a password and/or use full-disk encryption.

Category: DEBIAN, TIPS AND TRICKS
October 1

Reduce SPAM and improve security – Amavis + SpamAssassin + ClamAV + Procmail + PostScreen

Installation

and we will also add some compression tools so that archives can be scanned for viruses too.

Postscreen is part of Postfix and does not require an additional package.

Configuration

  • ClamAV:

By default, ClamAV updates its database automatically every hour. If you want to update it right now, run:

Then, to avoid ownership problems when ClamAV and Amavis scan files, add the ClamAV and Amavis users to each other's groups:

  • Amavis:

You need to make Amavis and Postfix talk to each other.

In /etc/postfix/master.cf, below the line:

add:

so that it looks like this:

And at the end of the file add:

then in /etc/postfix/main.cf, add:

Now configure Amavis itself. In /etc/amavis/conf.d/15-content_filter_mode, make sure the two variables

are uncommented. You are now ready to move on to SpamAssassin.

  • SpamAssassin:

I suggest creating a dedicated user to run SpamAssassin, to better control the process and have dedicated logs.

As root (su), type:

Its configuration file is /etc/default/spamassassin. You need to change a few things to enable SpamAssassin:

and change the following to 1

You also need to modify the OPTIONS line to become:

and add a new line with:

Now configure Postfix to use SpamAssassin.

At the line:

add below it (on a new line):

then, at the end of the file, add:

Finally restart all the services you have touched.

If any problem occurs during the restart, the service should tell you what to do. If there is none, you are now protected against spam and viruses.

You can test it by sending yourself a fake spam: simply send yourself an email whose body is:

or try the harmless test virus from the European Expert Group for IT-Security (EICAR).

  • Procmail:

You will probably want spam stored in your Junk folder, separate from your regular inbox. This is where Procmail comes in (although Sieve in Dovecot could do the same).

First, tell Postfix to use Procmail.

add the following line:

then configure the rules.

The Dovecot wiki states that Procmail seems to have intermittent delivery problems when the system-wide configuration (/etc/procmailrc) is used with Maildir-style mailboxes, so $HOME/.procmailrc should be used instead.

Hence, to avoid configuring this for every new mailbox/user, we use the skel mechanism so that our .procmailrc is copied to every new user.

As root, create the /etc/skel/.procmailrc file

and put in this simple configuration:

This routes spam into the .Junk folder (you should be able to subscribe to this folder from your favourite email client, such as Thunderbird).

When you create a new user, the user will have this .procmailrc in its home directory and mail should work straight away.

As explained in the first part of this tutorial, to create a new user (as root):

A long tutorial, but you should now have a secure mail system.


If you want to use Postscreen as an additional layer of spam protection, follow the tutorial below:

  • Postscreen:

In your /etc/postfix/main.cf, add a section for Postscreen like the following:

A few explanations (the short names below are the postscreen_* parameters of main.cf: postscreen_greet_banner, postscreen_pipelining_enable, postscreen_non_smtp_command_enable and postscreen_bare_newline_enable):

greet_banner

When a client connects, Postscreen starts the conversation by sending a first banner line, “Please wait to be seated”, and only 6 seconds later (postscreen_greet_wait) the rest of the greeting with the SMTP identity. Per the SMTP protocol the client must wait for the whole banner before speaking. Spam bots usually don't wait (they are built to send as much mail as possible, as fast as possible), and Postscreen refuses mail from a client that talks before the greeting is complete.

pipelining_enable

Before ESMTP (Extended SMTP) the protocol was half-duplex, meaning that client and server sent one command at a time and waited for the other side's answer. With this test enabled Postscreen does not announce PIPELINING support, so a compliant client must send one command and wait for the reply before sending the next. Here again, most spam bots ignore that and send the whole batch of commands at once.

non_smtp_command_enable

This test is a simple filter that blocks the commands CONNECT, GET and POST, which spam bots send when they relay through open proxies. Postfix's smtpd already rejects these (since version 2.2, via smtpd_forbidden_commands), but catching them in Postscreen, in front of smtpd, reduces the load on the SMTP daemons.

bare_newline_enable

This test is also very simple, yet a lot of spam bots fail it: in SMTP every line must end with <CR><LF> (carriage return + line feed), but many zombies terminate their lines with a bare <LF>.

Obviously many more options exist; read the official documentation to learn more.
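To make the four tests concrete, here is an added example (not from the original post and not postscreen's own code): a simplified model of the checks described above, run over two constructed SMTP session transcripts, one from a well-behaved mail server and one from a spam bot. "S:" lines are what postscreen sends and "C:" lines what the client sends; CRLF line endings are written out explicitly so the bare-newline test has something to look at. Real postscreen runs the pipelining, non-SMTP-command and bare-newline tests only when the corresponding postscreen_*_enable parameter is set; this model always runs all four, and treats two client lines with no server reply in between as pipelining.

```shell
#!/bin/sh
# Added example, not from the original post and not postscreen's own code: a
# simplified model of the four tests explained above, run over two constructed
# SMTP session transcripts. "S:" lines are what postscreen sends, "C:" lines
# are what the client sends. CRLF line endings are written out explicitly so
# the bare-newline test has something to look at. Real postscreen runs the
# pipelining, non-SMTP-command and bare-newline tests only when the matching
# postscreen_*_enable parameter is set; this model always runs all four.

GOOD="${TMPDIR:-/tmp}/postscreen_good.$$"   # a well-behaved MTA
BAD="${TMPDIR:-/tmp}/postscreen_bad.$$"     # a spam bot
trap 'rm -f "$GOOD" "$BAD"' EXIT

# The polite client waits for the whole greeting ("220-" continues it, "220 "
# ends it), sends one command per reply and terminates every line with CRLF.
printf '%s\r\n' \
    'S: 220-Please wait to be seated' \
    'S: 220 mail.example.com ESMTP Postfix' \
    'C: EHLO relay.example.net' \
    'S: 250 mail.example.com' \
    'C: MAIL FROM:<sender@example.net>' \
    'S: 250 2.1.0 Ok' \
    'C: QUIT' \
    'S: 221 2.0.0 Bye' > "$GOOD"

# The bot talks before the greeting is complete, sends three commands without
# waiting for a reply, ends one of them with a bare LF and then issues an HTTP
# command, as bots abusing open proxies do.
{
    printf '%s\r\n' \
        'S: 220-Please wait to be seated' \
        'C: HELO zombie' \
        'C: MAIL FROM:<spam@example.org>'
    printf '%s\n' 'C: RCPT TO:<victim@example.com>'
    printf '%s\r\n' \
        'S: 220 mail.example.com ESMTP Postfix' \
        'C: GET / HTTP/1.0'
} > "$BAD"

# Print the name of each test the client failed, one per line, sorted.
postscreen_verdict() {
    awk '
        /^S: 220-/ { banner_open = 1; next }                # greeting in progress
        /^S: 220 / { banner_open = 0; awaiting = 0; next }  # greeting complete
        /^S: /     { awaiting = 0; next }                   # reply sent, client may speak
        /^C: / {
            if (banner_open)                 failed["pregreet"] = 1
            if (awaiting)                    failed["pipelining"] = 1
            if ($2 ~ /^(CONNECT|GET|POST)$/) failed["non_smtp_command"] = 1
            if ($0 !~ /\r$/)                 failed["bare_newline"] = 1
            awaiting = 1                     # one command sent, now wait for the reply
        }
        END { for (t in failed) print t }
    ' "$1" | sort
}

echo "well-behaved client failed: $(postscreen_verdict "$GOOD" | tr '\n' ' ')"
echo "spam bot failed:            $(postscreen_verdict "$BAD" | tr '\n' ' ')"
```

The point the model makes is that none of the four tests looks at the content of the mail at all: the bot gives itself away purely by how it speaks the protocol, which is why postscreen can reject it before an smtpd process is ever spawned.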

Then modify /etc/postfix/master.cf to enable Postscreen and let it hand the connections it has validated to smtpd (as root)

and replace the line

with

and then restart Postfix

Be aware, though, that mail from senders you have never seen before arrives with a delay. The deep protocol tests (pipelining, non-SMTP command, bare newline) can only be run by Postscreen itself, so a client that passes them is turned away with a temporary error and must reconnect; the retry goes straight to smtpd because the client's address is by then in Postscreen's temporary whitelist. How long that takes depends on the sender's retry schedule: from a few minutes (5 min from Hotmail and 20 min from Gmail in my earlier test) to a few hours. That is actually why I don't use Postscreen.

Category: POSTFIX