Linux

Linux related stories

Source Disclosure vulnerability in Joomla – the dreaded single quote

We have started receiving reports from Joomla users that our ScanMyServer service is picking up an unknown and undocumented vulnerability on their web site.

The scanner is showing that they have one or more source disclosure/path disclosure vulnerabilities. Since they were using the latest and most up to date version of Joomla their reports looked odd and we started to investigate the matter.

We found out that the vulnerability is “hard” to trigger, as Firefox and Internet Explorer will escape the single quote in a URL to its encoded form, while Chrome will not. So while sending it under Chrome will show something like:
Fatal error: Uncaught exception 'InvalidArgumentException' with message 'Invalid URI detected.' in /home/content/41/9236541/html/libraries/joomla/environment/uri.php:194 Stack trace: #0 /home/content/41/9236541/html/libraries/joomla/application/application.php(248): JURI::getInstance() #1 /home/content/41/9236541/html/includes/application.php(135): JApplication->route() #2 /home/content/41/9236541/html/index.php(36): JSite->route() #3 {main} thrown in /home/content/41/9236541/html/libraries/joomla/environment/uri.php on line 194

The same URL under Firefox and Internet Explorer, will return:
404 - Article not found

Of course, the vulnerability is not in Chrome, but is a real issue caused by Joomla not properly escaping the URL.

The problem has been already spotted in a different section of Joomla, the search option, as can be seen by this post: http://joomlacode.org/gf/../?action=TrackerItemEdit&tracker_item_id=31036&start=0

So the problem isn’t just in the search, it also spans to other sections of the Joomla framework.

We will keep you posted when a fix is provided, or we have a workaround for this issue.

Hardening guide for Postfix 2.x

  1. Make sure the Postfix is running with non-root account:
    ps aux | grep postfix | grep -v '^root'
  2. Change permissions and ownership on the destinations below:
    chmod 755 /etc/postfix
    chmod 644 /etc/postfix/*.cf
    chmod 755 /etc/postfix/postfix-script*
    chmod 755 /var/spool/postfix
    chown root:root /var/log/mail*
    chmod 600 /var/log/mail*
  3. Edit using VI, the file /etc/postfix/main.cf and add make the following changes:
    • Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
      myhostname = myserver.example.com
    • Configure network interface addresses that the Postfix service should listen on, for example:
      inet_interfaces = 192.168.1.1
    • Configure Trusted Networks, for example:
      mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
    • Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
      myorigin = example.com
    • Configure the SMTP domain destination, for example:
      mydomain = example.com
    • Configure to which SMTP domains to relay messages to, for example:
      relay_domains = example.com
    • Configure SMTP Greeting Banner:
      smtpd_banner = $myhostname
    • Limit Denial of Service Attacks:
      default_process_limit = 100
      smtpd_client_connection_count_limit = 10
      smtpd_client_connection_rate_limit = 30
      queue_minfree = 20971520
      header_size_limit = 51200
      message_size_limit = 10485760
      smtpd_recipient_limit = 100
  4. Restart the Postfix daemon:
    service postfix restart

The article can also be found at: http://security-24-7.com/hardening-guide-for-postfix-2-x

Hardening guide for BIND9 (Debian platform)

  1. Make sure the Bind is running with non-root account:
    ps aux | grep bind | grep -v '^root'
  2. Change permissions and ownership on the destinations below:
    chown -R root:bind /etc/bind
    chown root:bind /etc/bind/named.conf*
    chmod 640 /etc/bind/named.conf*
  3. Edit using VI, the file /etc/bind/named.conf.options and add the following settings under the “Options” section:
    • Add the line below to replace DNS version banner:
      version "Secured DNS server";
      Note: In-order to test, run the command below:
      dig +short @localhost version.bind chaos txt
    • Add the line below to restrict recursive queries to trusted clients:
      allow-recursion { localhost; 192.168.0.0/24; };
      Note 1: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
      Note 2: In-order to test, run the command below:
      nslookup www.google.com <BIND_DNS_Server_IP>
    • Add the line below to restrict query origins to trusted clients:
      allow-query { localhost; 192.168.0.0/24; };
      Note: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
    • Add the line below to Nameserver ID:
      server-id none;
    • Add the line below to restrict which hosts can perform zone transfers:
      allow-transfer { 192.168.1.1; };
      Note: Replace 192.168.1.1 with the trusted DNS server.
    • Add the line below to restrict the DNS server to listen to specific interfaces:
      listen-on port 53 { 127.0.0.1; 192.168.1.1; };
      Note: Replace 192.168.1.1 with the IP address of the DNS server.
  4. Restart the DNS daemon:
    service bind9 restart

The article can also be found at: http://security-24-7.com/hardening-guide-for-bind9-debian-platform/

Hardening guide for Drupal 7.7

This guide can also be found at http://security-24-7.com/hardening-guide-for-drupal-7-7/
Pre-installation notes The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

The guide bellow is based on the previous guides:

PHP installation phase

  1. Login to the server using Root account.
  2. Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
    rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-49.i386.rpm
    rpm -ivh glibc-devel-2.5-49.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh gcc-4.1.2-48.el5.i386.rpm
    rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
    rpm -ivh zlib-devel-1.2.3-3.i386.rpm
    rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
    rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
    rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
    rpm -ivh libjpeg-devel-6b-37.i386.rpm
  3. Download MySQL development RPM from: http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
  4. Download PHP 5.3.8 source files from: http://php.net/downloads.php
  5. Download the latest libxml2 for PHP from: http://xmlsoft.org/sources/
  6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
  7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
  8. Move to /tmp cd /tmp
  9. Install the MySQL development RPM:
    rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
  10. Remove MySQL development RPM:
    rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
  11. Extract the php-5.3.8.tar.gz file: tar -zxvf php-5.3.8.tar.gz
  12. Extract the libxml2 source file: tar -zxvf libxml2-2.7.7.tar.gz
  13. Move the libxml2-2.7.7 folder: cd /tmp/libxml2-2.7.7
  14. Run the commands bellow to compile the libxml2: ./configuremakemake install
  15. Move to the PHP source folder: cd /tmp/php-5.3.8
  16. Run the commands bellow to compile the PHP environment:
    ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftp
    make
    make install
  17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php       

    Replace the line from:
    DirectoryIndex index.html
    To:
    DirectoryIndex index.php index.html index.htm

    Replace the value of the string, from:
    LimitRequestBody 10000
    To:
    LimitRequestBody 600000

  18. Copy the PHP.ini file cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
  19. Change the permissions on the php.ini file: chmod 640 /etc/php.ini
  20. Edit using VI, the file /etc/php.ini Replace the value of the string, from:
    mysql.default_host =
    To:
    mysql.default_host = 127.0.0.1:3306       

    Replace the value of the string, from:
    pdo_mysql.default_socket=
    To:
    pdo_mysql.default_socket=127.0.0.1

    Replace the value of the string, from:
    allow_url_fopen = On
    To:
    allow_url_fopen = OffReplace the value of the string, from:
    expose_php = On
    To:
    expose_php = Off

    To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:Replace the value of the string, from:To:Replace the value of the string, from:To:To:Replace the value of the string, from:To:Replace the value of the string, from:
    memory_limit = 128M
    To:
    memory_limit = 64MReplace the value of the string, from:
    ;open_basedir =
    To:
    open_basedir = "/www"

    Replace the value of the string, from:To:Replace the value of the string, from:
    post_max_size = 8M
    To:
    post_max_size = 2MReplace the value of the string, from:
    disable_functions =
    To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

    Replace the value of the string, from:To:Replace the value of the string, from:
    ;include_path = ".:/php/includes"
    To:
    include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

    Replace the value of the string, from:
    display_errors = On
    To:
    display_errors = Off

    Replace the value of the string, from:
    display_startup_errors = On
    To:
    display_startup_errors = Off

    Replace the value of the string, from:
    ;gd.jpeg_ignore_warning = 0
    To:
    gd.jpeg_ignore_warning = 1

  21. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop       

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

  22. Remove the PHP source and test files:
    rm -f /tmp/php-5.3.8.tar.gz
    rm -f /tmp/libxml2-2.7.7.tar.gz
    rm -rf /tmp/php-5.3.8
    rm -rf /tmp/libxml2-2.7.7
    rm -rf /tmp/pear
    rm -rf /usr/local/apache2/lib/php/test
    rm -rf /usr/local/lib/php/test

Drupal installation phase

  1. Login to the server using Root account.
  2. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password       

    Note: Replace the string “new-password” with the actual password for the root account.

     

  3. Run the following commands from the MySQL prompt:
    CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
    CREATE DATABASE Z5J6Dw1;
    GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
    FLUSH PRIVILEGES;
    quit       

    Note 1: Replace “blgusr” with your own MySQL account to access the database.
    Note 2: Replace “password2” with complex password (at least 14 characters).
    Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

  4. Download Drupal 7.7 from: http://drupal.org/project/drupal
  5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
  6. Move to /www cd /www
  7. Extract the file bellow:
    tar -zxvf drupal-7.7.tar.gz
  8. Remove Drupal source file:
    rm -f /www/drupal-7.7.tar.gz
  9. Rename the Drupal folder:
    mv /www/drupal-7.7 /www/drupal
  10. Remove default content:
    rm -f /www/drupal/CHANGELOG.txt
    rm -f /www/drupal/COPYRIGHT.txt
    rm -f /www/drupal/INSTALL.pgsql.txt
    rm -f /www/drupal/LICENSE.txt
    rm -f /www/drupal/UPGRADE.txt
    rm -f /www/drupal/INSTALL.mysql.txt
    rm -f /www/drupal/INSTALL.sqlite.txt
    rm -f /www/drupal/INSTALL.txt
    rm -f /www/drupal/MAINTAINERS.txt
    rm -f /www/drupal/sites/example.sites.php
  11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Replace the line from:
    DocumentRoot "/www"
    To:
    DocumentRoot "/www/drupal"
  12. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop  /usr/local/apache2/bin/apachectl start    

     

     

  13. Create the following folders:
    mkdir /www/drupal/sites/default/files  mkdir /www/private    

     

     

  14. Copy the settings.php file:
    cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
  15. Change permissions on the settings.php file:
    chmod a+w /www/drupal/sites/default/settings.php       

    chmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private

  16. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/install.php
  17. Select “Standard” installation and click “Save and continue”.
  18. Choose the default “English” and click “Save and continue”.
  19. Specify the following details:
    • Database type: MySQL
    • Database name: Z5J6Dw1
    • Database username: blgusr
    • Database password: password2
    • Click on Advanced Options
    • Database host: 127.0.0.1
    • Table prefix: Z5J6Dw1_

    Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).

  20. Click “Save and Continue”.
  21. Specify the following information:
    • Site name
    • Site e-mail address (for automated e-mails, such as registration information)
    • Username (for the default administrator account)
    • E-mail address
    • Password
  22. Select “Default country” and “Default time zone”.
  23. Unselect the “Update Notifications” checkboxes.
  24. Click “Save and Continue”.
  25. Close the web browser.
  26. Create using VI the file /www/config.php with the following content:
    $databases = array ( ‘default’–>  $databases = array (
    ‘default’ =>
    array (
    ‘driver’ => ‘mysql’,
    ‘database’ => ‘Z5J6Dw1’,
    ‘username’ => ‘blgusr’,
    ‘password’ => ‘password2’,
    ‘host’ => ‘127.0.0.1’,
    ‘port’ => ”,
    ‘prefix’ => ‘Z5J6Dw1_’,
    ),
    ),
    );
    ?>    

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

  27. Edit using VI, the file /www/drupal/sites/default/settings.php Add the following line:
    include('/www/config.php');       

    Remove the following section:
    $databases = array ( 'default' => array ( 'default' => array ( 'driver' => 'mysql', 'database' => 'Z5J6Dw1', 'username' => 'blgusr', 'password' => 'password2', 'host' => '127.0.0.1', 'port' => '', 'prefix' => 'Z5J6Dw1_', ), ), );Replace the string from:
    ini_set('session.cookie_lifetime', 2000000);
    To:
    ini_set('session.cookie_lifetime', 0);

    To:To:To:To:To:Remove the following section:To:Replace the string from:To:

  28. Change permissions on the settings.php file:
    chmod a-w /www/drupal/sites/default/settings.php
  29. Add the following lines to the /www/drupal/.htaccess file:
    # Block any file that starts with "."

         Order allow,deny


         Order allow,deny

    # Allow "." files with safe content types

         Order deny,allow
  30. Run the command bellow to change permissions on the /www/drupal/.htaccess file:
    chmod 444 /www/drupal/.htaccess
  31. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
  32. From SSH session, move to the folder /www/drupal/sites/all/modules.
  33. Extract the downloaded above modules:
    tar zxvf dfw-7.x-1.1.tar.gz       

    tar zxvf spamspan-7.x-1.1-beta1.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gztar zxvf secure_permissions-7.x-1.5.tar.gz

    tar zxvf security_review-7.x-1.x-dev.tar.gz

    tar zxvf system_perm-7.x-1.x-dev.tar.gz

    tar zxvf blockanonymouslinks-7.x-1.1.tar.gz

  34. Remove the modules source files:
    rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gz       

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gz

    rm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

  35. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/?q=user/login
  36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
  37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
  38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
  39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
  40. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Drupal firewall
    • SpamSpan
    • Content Security Policy
    • Content Security Policy Reporting
    • GoAway
    • IP anonymize
    • Flood control
    • Password change tab
    • Password policy
    • Persistent Login
    • Secure Permissions
    • Security Review
    • System Perms
    • BlockAnonymousLinks
  41. Click on Save configuration.

Drupal SSL configuration phase

  1. Add the following line to the /www/drupal/sites/default/settings.php file:
    $conf['https'] = TRUE;
  2. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
  3. From SSH session, move to the folder /www/drupal/sites/all/modules.
  4. Extract the downloaded above modules:
    tar zxvf securepages-7.x-1.x-dev.tar.gz       

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

  5. Remove the modules source files:
    rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gz       

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

  6. Open a web browser from a client machine, and enter the URL bellow:
    https://Server_FQDN/?q=user/login
  7. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Secure Login
    • Secure Pages
  8. Click on Save configuration.
  9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

 

Backtrack – The Future, The Funding, The Roadmap

Great news, Backtrack now has funding to move ahead with scheduled releases, and a roadmap moving forward up to Backtrack 5. You can view the roadmap here. It seems that the worlds leader in penetration testing training, namely Offensive Security is going to be funding the BackTrack Linux distribution’s development going forward. No need to worry though, BackTrack is still going to remain an Open Source distro.

Other news on this front is that the Exploit Database now has new EDB Research and Development teams that are actively working on vulnerability discovery and development, so watch this space for more news and good things to come. It’s also very worthwhile checking out the Exploit Database Blog.

I am carrier


The swine flu craze in Asia is almost becoming ridiculous. Flying into Beijing a doctor came on board to check everyone’s temperature before they would let us out of the plane. Before passing immigration we were checked again and filled in forms to prove we are all in top health.

Ironically, on the inbound flight to Beijing I caught the flu from the Chinese girl sitting next to me (I’m talking about the regular flu. No need to call an emergency medical team on me). I spent the week gobbling Chinese medicine herbs which did a great job in preventing me from crashing sick. But the problem is that I am about to fly out back to San Francisco through Tokyo, and I’m trying to think how to convince the Narita officials that my germs are pure and genuine Asian bodies and are were not carried with me from any American pigs (political innuendos not intended).

It seems I’m also a carrier of something else, and again it’s not my fault. All I did was connect my USB stick to a computer on the business center in my Beijing hotel. I just wanted to print a document but didn’t bother locking the stick to ‘read only’. Apparently that was enough to have a Trojan infect the USB stick from the malware infested public computer.

Not that it would matter, really, since my machine runs Ubuntu. In fact, I wouldn’t have noticed it unless someone that borrowed the USB stick from me showed me the Virus warning that popped up as they plugged the stick into their Windows machine. I could have infected dozens of machines by the time I found out about it – all those poor Windows machine, Trojaned just for borrowing my USB stick; I really don’t need that on my conscience.

Once I know the Trojan is there, the cleanup is easy, I will ‘rm’ the files and the stick will be healthy again and stop be a carrier for defenseless Windows machines. Now if only it was that easy to recover from this damn flu.

DNSSolutions

evilgrade

The flaw discovered by Dan Kaminsky put a forthright scare into the entire internet community — and it should have. This attack, which is trivial in nature, could make the difference between sending all your private data to the secure server across the ocean, or to a happy hacker filling his/her eye balls with goodies.

But now, since everyone was woken up, there are two mainstream, proposed solutions in hopes of ending the insecurity in DNS: DNSSEC and DNSCurve. Which one should you bet your network’s integrity on? Better hope your patched or you might get bailiwicked. Let the enlightenment begin.

DNSSEC, or Domain Name System Security Extensions, is a suite of IETF specifications for securing certain kinds of information in DNS. Recently, lots of companies have been gearing up to implement DNSSEC, as a means of securing DNS on the Internet. One man, that opposes DNSSEC, has written his own code to provide a nicer, more secure solution, and far better than DNSSEC. He calls it DNSCurve.

DNSCurve uses high-speed, high-security elliptic cryptography to improve and secure DNS. Daniel J. Bernstein, the creator of DNSCurve and many other high security servers such as qmail and djbdns servers, doesn’t want DNSSEC implemented, but DNSCurve instead. And it is no question which one is the better choice after looking at the comparisons Bernstein makes between the two now rivals.

Some huge advantages with DNSCurve vs DNSSEC are encrypting DNS requests and responses, not publishing lists of DNS records, much stronger cryptography for detecting forgeries, (some) protection against denial of service attacks, and other improvements.

There is one quick, unrelated issue that I disagree with Mr. Bernstein about. After offering $500 “to the first person to publish a verifiable security hole in the latest version of qmail”, he states: “My offer still stands. Nobody has found any security holes in qmail”. But in 2005, Georgi Guninski found one and has confirmed exploitability on 64 bit platforms with a lot of memory.

Bernstein denied his claim and then stated “In May 2005, Georgi Guninski claimed that some potential 64-bit portability problems allowed a remote exploit in qmail-smtpd.” This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail’s assumption that allocated array lengths fit comfortably into 32 bits.”. Now, to me, and I am sure to many other people as well, an exploitable bug in an exploitable bug. Conditions have to sometimes be met and “can be carried too far”, one might put it, but in this case, it is clear that Guninski found at least one exploitable bug in qmail. Game over. No disrespect to Mr. Bernstein or his code; he does have both great code and concepts. On with my main literature.

So, if I were a betting man (and I am), I would gamble on Bernstein’s all around great approach to making DNS safer, more resilient against attacks, and definatly more secure. Hopefully, people will realize money can’t solve all our problems, but the guys that know what they are doing, can, and might just make some things happen pretty soon.