hack 2002
rain forest puppy / wiretrip / rfp.labs
[email protected]
Security is a war as well as an art form: you need to be methodical and militant, but also creative and flexible.
- ancient rfp.labs proverb
Assessing the web:
When a firewall is not enough
Question:
What do all websites have in common?
Answer:
Unrestricted access to port 80
Why target the web?
• Everyone is using it
• Safe bet the protocol will not become obsolete anytime soon
• New technology is being implemented/retrofitted on top (e.g. SOAP, WebDAV)
• It’s everywhere! Mobile phones, cars, watches, toasters…
• Protocol fundamentally not suited to do a majority of what it’s doing today
Problems with HTTP
• Multitude of involved technologies
• The involved protocols are extremely simple; therefore, it is easy to (mis)code services
• Lack of experience coding public-service, multi-user applications
• Stateless nature makes transaction-based systems tricky
Sources of the problem
• Unskilled/robotic programmers (“code mills”)
• Lack of security-oriented programming training
• Tendency to ‘code now, fix later’
• Current tools make it very easy to code insecurely
• Misconceptions about what ‘security’ really involves
Common web vulnerability areas
Buffer overflows
• Classic bug that’s been exploited for quite a while
• Lack of bounds-checking is really poor programming practice
• Can exist in the web server, application server, database server, or the CGI programs
• Fortunately it’s a well-advertised problem
• Many scripting languages (ASP, PHP, Perl, .NET, etc) are generally immune, as they have auto-expanding elements
Cross-site scripting
• Reprinting user data without filtering it for web-specific characters
• Potential to trick users into executing javascript in vulnerable site’s context
• Partly a ‘social engineering’ technique
• More of a liability than a vulnerability—it’s a way to hack the users, not the server
SQL tampering
• Web server already has/allows access to the database server
• Attacker can cause arbitrary SQL to be executed
• Results vary from data exposure to full system compromise
• Does not require direct database access!
• Many applications are vulnerable
• Stems from CGIs/scripts making assumptions about user input and not double-checking/filtering
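An added example (not from the slides): the same lookup written the way a CGI that trusts its input builds the query, beside the parameterized form, plus the slides' single-quote test run against both. The table and its rows are constructed here; sqlite3 stands in for whatever database the site uses.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.invalid"),
        ("o'brien", "obrien@example.invalid"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """The assumption from the slides: `name` is a harmless word, so it is
    pasted into the SQL text. Any quote in it changes the statement."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The fix: ship the statement and the value separately, so the
    database treats `name` as data whatever characters it contains."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def single_quote_check(lookup, conn):
    """The slides' by-hand test, run against your own code: submit a lone
    single quote and see whether it reaches the SQL parser. 'sql-error'
    means the input was spliced into the statement text."""
    try:
        lookup(conn, "'")
        return "handled"
    except sqlite3.OperationalError:
        return "sql-error"


def run_checks():
    """Run the check against both versions and show the safe one still
    finds a name that legitimately contains a quote."""
    conn = make_db()
    return {
        "vulnerable": single_quote_check(lookup_vulnerable, conn),
        "safe": single_quote_check(lookup_safe, conn),
        "safe_handles_real_quote": lookup_safe(conn, "o'brien"),
    }
```

Note that with display_errors or detailed error pages turned on, the "sql-error" case also leaks the database's error text to the client, which is why the configuration tips later in the deck turn those off.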
File includes
• It’s common for a CGI to open and display/manipulate the contents of a file on the server
• If the filename is composed of user-supplied elements, an attacker may be able to trick the server into opening another file
• Can lead to info disclosure or script/command execution
Authentication weaknesses
• CGIs can fail to check credentials with every request
• Thus you bypass the login script and directly access the following scripts, without needing username/password
• Or, certain actions/functions may not check for the proper authentication
Weak session mechanism
• The session/state mechanism uses predictable token IDs
• Or, the ID keyspace is too small for the number of users
• Either way, an attacker can ‘guess’ a valid token and hijack the session
Other vulnerability areas
• Format strings, signed conversion, double-free, …
• All tend to be limited to low(er)-level languages
Bugs, bugs, everywhere bugs
Finding the bugs in your site
• Best place to start is with a vulnerability scanner: Nessus, ISS Scanner, etc.
• Or, you can use a web-centric scanner: Nikto, whisker
• Goal is to identify as many known problems as can be found
• Also be concerned with what configuration information these tools find: server banners, software versions, etc.
• However, none of these will help when it comes to your custom CGI applications…
Useful free tools
• NMAP: http://www.insecure.org/nmap/nmap_download.html
• Nikto: http://www.cirt.net/
• Whisker 2.0: http://www.wiretrip.net/rfp/
• Nessus: http://www.nessus.org/
Custom scripts
• Checking custom CGIs/applications is not as easy as running a scanner…
• Automated tools are unaware of how to interoperate with your site, applications, forms, etc.
• Therefore, you will typically need to involve a human in the review/analysis process
• This can be a drawback, as you will need someone who is skilled enough in web vulnerabilities to make sure they know what they are doing/looking for
Custom analysis tools
• WHArsenal
• WebSleuth
• @Stake WebProxy
• AppScan
Looking by hand
• SQL tampering: insert ' into dynamic parameters
• CSS: insert `<TEST>` into form fields
• Buffer overflows: submit large amounts of data
• Try to directly access all CGIs (without authentication)
• Attempt to gather sequential session ID tokens and look for a pattern
• Look at the source code itself
All of this is easier said than done…
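An added example (not from the slides) covering the "weak session mechanism" slide and the "gather sequential session ID tokens and look for a pattern" check above: a small reviewer's helper that flags a captured token sequence as predictable or as drawn from too small a keyspace, next to what a sound token generator looks like. The token sequences are constructed here; the 64-bit threshold is my own rule of thumb, not a figure from the slides.

```python
import math
import secrets
import string

HEX = "0123456789abcdef"


def token_keyspace_bits(token, alphabet):
    """Upper bound on a token's unpredictability: len * log2(|alphabet|).
    A generator that counts, or uses a weak PRNG, delivers far less."""
    return len(token) * math.log2(len(alphabet))


def sequential_step(tokens, base):
    """The by-hand check from the slides: take tokens issued one after
    another and see whether they advance by a constant amount.
    Returns that step, or None when no single step fits."""
    values = [int(t, base) for t in tokens]
    deltas = {b - a for a, b in zip(values, values[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def assess_tokens(tokens, alphabet=string.digits):
    """Summarise a captured sequence: 'predictable' when consecutive tokens
    step by a constant, 'small-keyspace' when even a perfect generator over
    this alphabet gives under 64 bits, otherwise 'ok'."""
    step = sequential_step(tokens, base=len(alphabet))
    bits = min(token_keyspace_bits(t, alphabet) for t in tokens)
    if step is not None:
        verdict = "predictable"
    elif bits < 64:
        verdict = "small-keyspace"
    else:
        verdict = "ok"
    return {"step": step, "bits": bits, "verdict": verdict}


def new_session_token(nbytes=16):
    """What the fix looks like: 128 bits from the OS CSPRNG, hex-encoded,
    so no keyspace or pattern problem arises in the first place."""
    return secrets.token_hex(nbytes)


# Constructed samples, not captured from any real site.
COUNTER_TOKENS = ["100231", "100232", "100233", "100234"]   # a global counter
SHORT_TOKENS = ["4821", "0193", "7730", "5566"]             # random but tiny
```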
Questions?
Protecting your webservers
Available protections
• Historical record: what problems have others had?
• Code reviews
• Third-party pen tests and assessments
Keep in mind pen-tests may not find all bugs!
Commercial protections
• Sanctum AppShield
• KaVaDo Interdo
• eEye SecureIIS
However, you can do a lot on your own…
Tip #1:
Want to get rid of IIS?
ASP HTTP Servers
• iASP: http://www.halcyonsoft.com/products/iasp.asp
• Sun Chili!ASP: http://www.chilisoft.com/chiliasp/
• You’re not stuck with IIS for your ASP needs
Tip #2
Securely configure the HTTP server
IIS
• Clean out your /scripts/ dir
• Remove unused virtual dirs
• Lower your connection timeout
• Remove unused app mappings
• Disable parent paths
• Don’t send detailed error messages
• Disable NTLM auth if allowing anonymous access
• Put content on a different drive
Apache
• Remove unused modules
  Minimal: access, actions, alias, autoindex, cgi, dir, env, log_config, mime, setenvif, so
• Double check Alias and ScriptAlias
• Be wary of MultiViews
• Double check /cgi-bin/ for samples
• Remove /cgi-bin/ if not used
Netscape
• Double check all ‘pfx2dir’ and ‘assign-name’ NameTrans in obj.conf
• Netware folk: put content on a different volume
PHP
• Tweak php.ini values
• No register_globals!!

```ini
register_globals = Off
safe_mode = On
expose_php = Off
display_errors = Off
file_uploads = Off
allow_url_fopen = Off
```
Anti-CSS
• You can prevent cross-site scripting on a server level!
• Apache: mod_rewrite configuration in httpd.conf:

```apache
RewriteEngine on
RewriteCond %{QUERY_STRING} [<>]
RewriteRule ^/.* - [F]
```

• Netscape: use a custom filter
• IIS: eEye SecureIIS will allow you to define a filter; Microsoft URLScan does not appear to be capable
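An added example (not from the slides) tying the "Cross-site scripting" slide to the server-level filter above: the unfiltered reprint beside its output-encoded form, and a Python stand-in for the mod_rewrite rule. The stand-in keeps mod_rewrite's behaviour of matching the query string as sent on the wire, which shows the caveat a practitioner wants: the server-level gate catches literal angle brackets only, so output encoding in the application stays the real fix. Request strings are constructed here.

```python
import html
import re
from urllib.parse import parse_qs


def render_unfiltered(name):
    """The bug from the slides: user data pasted straight into the page."""
    return "<p>Hello, " + name + "</p>"


def render_escaped(name):
    """The fix in the application: encode web-specific characters on output."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Stand-in for:  RewriteCond %{QUERY_STRING} [<>]   /   RewriteRule ^/.* - [F]
ANGLE_BRACKETS = re.compile(r"[<>]")


def server_level_gate(raw_query_string):
    """Mirror of the slide's mod_rewrite rule. Like %{QUERY_STRING} in
    mod_rewrite, it inspects the query string before any %XX decoding.
    Returns the HTTP status the server would answer with."""
    return 403 if ANGLE_BRACKETS.search(raw_query_string) else 200


def handle_request(raw_query_string, escape_output):
    """A request's path through the server-level gate and then the CGI.
    Returns (status, body)."""
    status = server_level_gate(raw_query_string)
    if status == 403:
        return status, ""
    params = parse_qs(raw_query_string)      # this step decodes %3C -> <
    name = params.get("name", [""])[0]
    body = render_escaped(name) if escape_output else render_unfiltered(name)
    return 200, body
```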
Tip #3
Hide your head(ers) in the sand
Apache header
• Search for "Server" in src/main/http_protocol.c
• Remove the following line:

```c
ap_send_header_field(r, "Server", ap_get_server_version());
```

• Optionally, change it to something else:

```c
ap_send_header_field(r, "Server", "Microsoft-IIS/4.0");
```
PHP header
• Search for _VERSION_HEADER in main/main.c
• Remove the following lines:

```c
if (PG(expose_php)) {
    sapi_add_header(SAPI_PHP_VERSION_HEADER,
                    sizeof(SAPI_PHP_VERSION_HEADER) - 1, 1);
}
```

• Or just set expose_php=Off
IIS header
• Use Microsoft’s free UrlScan.exe ISAPI filter
• In urlscan.ini, remove the header with:

```ini
RemoveServerHeader=1
```

• Optionally, change it instead (AlternateServerName only applies while RemoveServerHeader is 0):

```ini
RemoveServerHeader=0
AlternateServerName=Apache/1.3.23
```
Tip #4
Take advantage of kernel/system enhancements
Stackguard/Immunix
• Compiler that prevents buffer overflows and format string vulns
• Immunix is RedHat Linux compiled with Stackguard
• Attackers usually wind up crashing your app, rather than exploiting it to gain root
• Currently limited to x86 ELF arch
• Free from: http://www.immunix.org/
Solaris stack protection
• Solaris 2.6 and later come with built-in buffer overflow protection—you just have to enable it
• Add the following to /etc/system:

```
set noexec_user_stack=1
set noexec_user_stack_log=1
```

• Not foolproof, but better than nothing
Access control systems
• LIDS – Linux patch: http://www.lids.org/
• Engarde – RedHat with LIDS: http://www.engardelinux.org/
• Argus Pitbull for Linux, AIX, Solaris: http://www.argus-systems.com/
• Trusted Solaris, HP VirtualVault, NSA’s SELinux
Bastille
• Perl lockdown scripts for various linux distros (RedHat and Mandrake) and HPUX
• Does everything: filesystem perms, daemon shutoff, service configs, etc.
• Free from: http://www.bastille-linux.org
• Interactive; undo option
Solaris ASET
• Solaris 8 includes basic lockdown scripts
• Allows three security levels
• Checks system file perms, user/group data, eeprom, and system environment
• Basically checks system against default installation/factory settings
Titan
• Various shell scripts to secure Solaris (beta does Linux and FreeBSD too)
• Does all kinds of system lockdown (over 60 various areas!)
• Free from: http://www.fish.com/titan/
Windows SCM
• Security Configuration Manager
• Optional on NT; comes with 2000 (Local Security Policy in Control Panel)
• Default policies provided for various network roles (DC, workstation, etc)
Tripwire
• Commercial and free versions
• Takes fingerprints of all your files, and does comparisons to detect changes
• Free unix version from: http://sourceforge.net/projects/tripwire
• Unix and Windows
AIDE
• Opensource Tripwire alternative
• Free from: http://www.cs.tut.fi/~rammer/aide.html
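An added example (not Tripwire's or AIDE's code) of what the two tools above do at their core: fingerprint every file under a docroot, store the baseline, and later report what appeared, vanished, or changed in content or permissions. The docroot and its files are constructed in a temporary directory; the attribute set (SHA-256, mode bits, size) is a minimal choice of my own, the real tools record more.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint_tree(root):
    """Record a SHA-256, permission bits and size for every regular file
    under `root`, keyed by path relative to root. Symlinks are skipped so a
    link pointed elsewhere cannot make a foreign file look 'unchanged'."""
    root = Path(root)
    fps = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        st = p.stat()
        fps[p.relative_to(root).as_posix()] = {
            "sha256": h.hexdigest(),
            "mode": st.st_mode & 0o7777,
            "size": st.st_size,
        }
    return fps


def compare_fingerprints(baseline, current):
    """What a Tripwire-style run reports: files that appeared, vanished,
    or whose content or permissions no longer match the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo():
    """Constructed docroot: baseline it, then change it the way a careless
    deploy (or an intruder) would, and report the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cgi-bin").mkdir()
        cgi = root / "cgi-bin" / "form.cgi"
        cgi.write_text('#!/usr/bin/perl\nprint "ok\\n";\n')
        (root / "index.html").write_text("<html>hello</html>\n")
        conf = root / "config.ini"
        conf.write_text("debug=0\n")
        conf.chmod(0o600)
        baseline = fingerprint_tree(root)

        cgi.write_text('#!/usr/bin/perl\nprint "changed\\n";\n')  # content edit
        conf.chmod(0o644)                                           # perms only
        (root / "cgi-bin" / "extra.cgi").write_text("#!/bin/sh\n")  # new file
        (root / "index.html").unlink()                               # deleted
        return compare_fingerprints(baseline, fingerprint_tree(root))
```

The baseline is only as trustworthy as the place it is kept; the real tools sign it or keep it on read-only media so an intruder cannot simply re-baseline after changing files.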
Tip #5
Use the source, Luke
ITS4
• Free for personal use (can’t compete with author’s code review services)
• Free from: http://www.cigital.com/its4/
• C/C++ code review
Flawfinder
• Free opensource Python script
• Free from: http://www.dwheeler.com/flawfinder
• C/C++ code review
• Handles internationalized code
RATS
• Opensource C program
• Free from: http://www.securesw.com/rats/
• Understands C/C++, Python, Perl, and PHP
FrontEnd Plus
• Disassembler for Java classes
• Free from: http://kpdus.tripod.com/jad.html
• Basically a GUI around JAD
Tip #6
Don’t depend on just your firewall
Windows firewalling
• Comes native with Windows NT/2000
• Windows 2000 allows more options with IP Security Policies
• Look under ‘Options’ in the Advanced TCP/IP properties menu
• Lets you allow incoming traffic only to certain ports
• Slightly clunky, but better than nothing
Linux ipchains/iptables
• Comes native with Linux 2.2/2.4
• Highly flexible in letting you block or allow traffic based on various properties
• How to deny all incoming connections except to SSH and HTTP server:

```sh
ipchains -A input -p tcp --destination-port 80 -j ACCEPT   # allow HTTP
ipchains -A input -p tcp --destination-port 22 -j ACCEPT   # allow SSH
# Now we deny all other incoming SYNs
ipchains -A input -p tcp --syn -j DENY
```
Ipfilter
• Works with *BSD, Solaris, HPUX, IRIX
• Extremely flexible; has tons of features
• Deny traffic except to HTTP and SSH:

```
block in proto tcp from any to any flags S/S
pass in proto tcp from any to any port = 22 flags S
pass in proto tcp from any to any port = 80 flags S
```
Tip #7
Stay informed
Security mailing lists
• Bugtraq: vulnerability patch announcements and discussion: http://www.securityfocus.com/
• VulnWatch: only the major stuff: http://www.vulnwatch.org/
• Security Alert Consensus: pick your poison: http://www.sans.org/
• Vendor mailing lists!
Other info
• SANS lockdown documents: http://www.sans.org/
• Vendor guidelines (especially Microsoft)
• General internet (viva la Google)