Archive for the ‘ Security ’ Category

0 day exploits

Zero day exploits, best explained here, will be coming out daily for the month of January, it seems, due to a security research firm in Russia. No matter what you think about their methods, this does highlight a fact that is sometimes forgotten, every running service presents the potential for an exploit. But without those services a computer is just an overpriced electric heater. So how do we protect ourselves against the unknown and unpatched? By being very careful about what our servers are running, only allowing access to the minimum number of resources required to get the job done, and having a plan for when your monitoring reports the service is down.

     Since linux distributions are varied in their installs I won’t go through each but most of the “friendly” distributions start, by default, a variety of services that may not be required but could potentially have exploits. While most of these don’t have a network component, combined with other exploits they could help open the server to attack. For example, Red Hat starts processes to monitor the software raid and logical volume manager even if you aren’t using them. It also starts processes for handling bluetooth devices, HP printers, and command line mouse support, even if you don’t have them. None of these should cause you any concern but if you don’t need them they don’t need to run at all.

     Most Apache HTTP server installs suffer from the same desire for usability, many modules are made available to the server by default. For example, you probably aren’t using LDAP authentication or WebDAV as part of your server but the modules for them are preloaded on most default installs. Identifying the modules that are required for your web site or application to run and then disabling the ones that are not will reduce your apache httpd footprint and therefore reduce your exposure.

     MySQL server doesn’t have the modular nature of our prior two examples but there are some steps that you can take to reduce your exposure. First off, after doing the install and setting the root password, remove the test user and database. These have no known exploits but aren’t needed. Second, ensure that your users are bound to a host instead of a wild card address, this makes sure that connections are only authorized from known hosts. Finally, if you are running mysql on the same host as your webserver and this is the only server that needs to access it, configure it to only listen on localhost ( There is no place like 127.0.0.1 ), this ensures that remote hosts cannot connect to your database even if your firewall fails.

     While I did focus on some of the more simple things that can be done to a LAMP server, this should give you an idea of what kind of changes can be made that won’t effect your service but will reduce your exposure footprint. Remember that before you make any changes you should do a backup and make copies of the files you are editing. We will see what this month brings as far as unpublished exploits and should also take this time to remember that not all exploits are published or patched, or even discovered yet.

Reblog this post [with Zemanta]
2010
01/13
CATEGORY
Linux
Monitoring
Security
TAGS











40 comments

Love, Sex, Secret, and … God

This post originally written for my personal blog on January 11, 2009.

This past week saw two high profile security breaches on twitter.com and macrumorslive.com, each one a classic example of poor login management by websites. For full disclosure, I do not know anyone at either site but have read about each here and here as well as other websites. The short version on twitter is that an admin at twitter had a common word password and twitter has no limit on the times you can try your login. The short on Mac Rumors Live is that they either had no password on their admin interface or that the login page was sniffed, either way it was a bummer for them.

As a system administrator it is a constant challenge to keep our systems and the web applications that run on them secure while still keeping the usability that our great developers have created. So when I see things like the twitter and mac rumors issues I get very frustrated because the prevention of this is so simple. If you develop a website with user accounts, and most of them do, please consider the following.

Complex password requirements. Google returns about 232,000 results for javascript to check for strong passwords so you don’t even need to invent the wheel to add this to your change / create password page. If you don’t want to bother your users with this at least take some time to require it on admin accounts.

HTTPS, the S is for secure. Developers, please use ssl to encrypt your login page and use redirects to ensure that users don’t accidentally end up there without ssl. As more of us move out of the office and into the coffee shop we are also moving off of a private network and onto a public one. We log into twitter, brightkite, our blog, our email and most people give no thought to the idea that everyone else in that coffeeshop could now have your account and password, unless we use something secure like https. Webmail sites learned this lesson long ago and it’s time for the rest of the web to learn it too. The worst part of this is that most sites already have an https version of their site and it would be a very simple fix for them to redirect to it. For those sites that don’t ( I’m looking at you brightkite ), it’s time to step up, spend the money and get https going. For you wordpress users, setup a self-signed certificate (or purchase one) and wordpress has a plugin to do all the wp-admin encryption redirects for you.

More services are being provided via websites and as users of these we need to demand that they are secure. Give them feedback asking that logins be secure by default so that what happened with twitter and mac rumors doesn’t happen to you.

Reblog this post [with Zemanta]
2009
01/11
CATEGORY
Security
TAGS






6 comments