Tag Archives: Hardening

Linux Login Detection Redux

Have almost forgotten how fun it is to mess around with a Linux server. Building another Linux server did indeed bring back some memories ūüėõ

This is another scratchpad post: little to no explanation/breakdown on the script involved (unless there’s the “impetus” to elaborate in future). Feel free to ask/discuss in the comments section below though.

Any user who logs in should trigger the sending of the notification email from the server immediately, and if it wasn’t an expected login, well at least you’d know it’s time to trigger some incident response processes.

As an improved version of the old post on the same topic, this script similarly is to be appended to /etc/profile or the relevant ~/.bash_profile per user.

echo -e "$(hostname) shell access\n$(date)\n$(who)\n\
$(for i in $(who|cut -d"(" -f2|cut -d")" -f1|cut -d":" -f1|sort -u);
do echo -e "==========\nwhois $i"; whois $i;
echo -e "\n=====\nreverse $i"; dig -x $i;
done;)" | \
mail -s "$(hostname) alert: shell access from \
$(who|cut -d"(" -f2|cut -d")" -f1|cut -d":" -f1|tr "\n" " ")" \

Changes namely are the adding of whois and reverse IP (DNS PTR) lookups for all IP addresses currently logged on via SSH, and also the use of the more readable $() Bash command substitution expansion rather than the backtick (`).

You will need to have installed the mailutils package (apt-get install mailutils), and probably a MTA like postfix or exim too.


Edit 30 Apr 2012: small bug fix in the sequence to extract all IPs from the who command output.

Added Layer Of Obscurity: Finding a non-standard port for your service

Designing your security model using only obscurity is always a bad idea, but after sound measures have been put in place, an added layer of obscurity might make the service/account harder to find for the malicious, and lower the resources wasted by their brute forcing, etc.

An example would be the changing of private services (e.g. SSH) to run on non-standard ports (I see this frequently recommended as part of hardening guides anyway; there’s port knocking too which could be even better, but that’s not the point of this post).

In the example of hiding SSH ports, the question then comes: what port to use? One of the many ways is to make use of nmap’s frequently used ports list to help make a decision.¬† Nmap scans using the top 1000 frequently used ports in a normal scan (although we change the scan to scan based on any top n used ports too).¬† So we run this in a shell to list the top 1000 (or n of your fancy) used ports:

cat /usr/share/nmap/nmap-services | 
awk '{print $3 "t" $2 "tt" $1}' | 
sort -nr | head -n1000 | less

Let’s break this command down:

cat /usr/share/nmap/nmap-services prints out the contents of the nmap-services file (used to track the probabilities of the ports used) to STDOUT.

awk ‘{print $3 “t” $2 “tt” $1}’ formats the contents of the nmap-services for the sort command to work on.

sort -nr sorts the entries by reverse numerical order.

head -n1000 shows only the top 1000 lines of output (change to any number you wish, or remove altogether to see the full list)

less displays the output in a scrollable, searchable manner.

On an ending note, it probably would be a bad idea to go straight for the last entries in the sorted list for your port selections.  Remember: we want to be unpredictable, and not simply different.

DNS rebinding defense with Nginx

DNS rebinding’s a particularly nasty attack, having similar characteristics as CSRF attacks where the user’s browser can be used to access/attack sites on behalf of the attacker.

I’m not going to describe how it works here, there’s plenty of literature out there that talks about it. ¬†And if that’s not enough, Google Is Your Friend.

One of the simpler ways to defend against it is to have the server only serve requests with legit Host headers, which is what Wikipedia says anyway. ¬†(No I didn’t edit that portion myself) ¬†This can be simply done with virtual hosts (HTTP/1.1), and can work for servers serving one domain, or two, or three, or many many many.

For nginx, a default catchall virtual host might look like this:

server {
    listen 80 default;
    server_name can-be-anything-not-served;

    access_log /path/to/log/weird/access.log;
    error_log /path/to/log/weird/error.log;

    root /path/with/only/an/empty/index/html/file;
    index index.html;

Note that this is configured to be the default listener on port 80 for this virtual host. Make sure your actual virtual host(s) configuration does not have the ‘default’ option.

The server_name can be anything other than the actual virtual host(s) that the server is serving on port 80.

I usually put nothing (only empty index.html files) in that root folder for this catchall virtual host,but you’re free to put other files to serve indicators to your users, or just to taunt them when they get subjected to DNS rebinding attacks unknowingly. ¬†Just kidding about the taunting.

With this default catchall virtual host in place, you have a simple yet effective defense against DNS rebinding attacks!  Now watch the attacks get thwarted like eggs against a steel wall.

Note that this is helpful in situations where you don’t expect HTTP/1.0 requests, which is usually the case in today’s world. ¬†If you have a case where you have ¬†work with HTTP/1.0 requests, then you really shouldn’t use this defense method in the exact same manner.