Thursday, November 25, 2010

Single Packet Authentication with fwknop

Imagine having services running on your computer. In order for other machines to reach those services you would have to open the relevant ports on your firewall. What if a zero-day exploit comes out for one of those services; is it game over? More than likely it is, but it doesn't have to be.

Single Packet Authentication lets you access services running on your machine while your firewall blocks all incoming traffic, meaning you have no ports open at all. How is this even possible? It just is, and to learn more, Google is your friend. Basically, you run a server, but no ordinary server: it listens to all traffic like a sniffer. When it sees a specially crafted authentication packet it does something, such as executing a command or, in our case, opening a port. What's cool about this, and about fwknop in particular, is that we can set up our rules so that when the port is opened it stays open only for a certain number of seconds and is then closed again on the firewall. Already established connections keep their connectivity (due to the rule we set on the firewall that lets established communications through).


OS: Backtrack 4 RC1

Simple iptables firewall rules (the script needs IPTABLES set to the iptables binary; with a DROP policy on INPUT nothing gets in except what fwknop opens and what was already established):
IPTABLES=/sbin/iptables
$IPTABLES -F -t nat
# keep loopback and already-established sessions working, so a connection opened while the fwknop rule was active survives the rule being removed
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# log everything else that arrives; the chain policy below then drops it
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP "
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP "
$IPTABLES -P INPUT DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "iptables policy enabled"
Prerequisite for fwknop:
# apt-get install libgdbm-dev

Download and install fwknop (client and server):
# wget -c
# tar -zxvf fwknop-2.0.0rc2.tar.gz
# ./configure
# make
# make install

Configuration: (config files are located at /usr/local/etc/fwknop)

In the fwknop.conf file, you need to uncomment and set the option for your interface "PCAP_INTF eth0".

Set up your access.conf file to define which users are allowed access to which ports, etc. A simple suitable config (each access stanza starts with a SOURCE line; ANY accepts SPA packets from any address, and the key must be over 8 characters):
SOURCE: ANY;
KEY: 123456789;
OPEN_PORTS: tcp/22;
To run the server:
# fwknopd -f -vv

If you get the following error message when you try to run the server:
fwknop: error while loading shared libraries: cannot open shared object file: no such file or directory
then the loader is not finding the fwknop library that make install put under /usr/local/lib. Either run ldconfig so that directory is picked up, or create a symlink in the /usr/lib directory for the library file:
# cd /usr/lib
# ln -s /usr/local/lib/

To authenticate using the client (-D takes the address of the fwknop server and -A names the port you want opened):
# fwknop -D -s -A tcp/22
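The mechanism described above (a listener that validates a single packet and opens a port for a limited time) as an added illustration that is not fwknop's code or wire format: fwknop encrypts its packets and has its own message layout, while this Python model only authenticates a small JSON body with an HMAC. It shows the checks that matter: the key must match (the KEY in access.conf), the packet must be fresh, a captured packet cannot be replayed, only listed ports can be opened (OPEN_PORTS), and the hole closes again after a timeout (fwknop's FW_ACCESS_TIMEOUT). The key, window and timeout values are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo values; in fwknop the key is the KEY from access.conf.
SHARED_KEY = b"demo-key-not-the-real-one"
TIME_WINDOW = 120     # seconds an SPA packet stays valid (allows for clock skew)
OPEN_SECONDS = 30     # how long the firewall hole stays open after a valid packet


def build_spa(key, access, now=None):
    """Client side: one self-contained packet = JSON body | hex HMAC-SHA256."""
    body = {"ts": int(now if now is not None else time.time()),
            "nonce": os.urandom(8).hex(),   # makes every packet unique
            "access": access}               # e.g. "tcp/22"
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return raw + b"|" + tag.encode()


class SpaServer:
    """Server side: verifies packets and keeps a timed list of open ports."""

    def __init__(self, key, allowed):
        self.key = key
        self.allowed = set(allowed)   # like OPEN_PORTS in access.conf
        self.seen = {}                # nonce -> packet timestamp, for replay detection
        self.open_until = {}          # "proto/port" -> time the hole closes

    def handle(self, packet, now=None):
        now = now if now is not None else time.time()
        raw, _, tag = packet.rpartition(b"|")
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        # constant-time compare, before anything in the body is trusted
        if not hmac.compare_digest(expected, tag.decode(errors="replace")):
            return "bad mac"
        body = json.loads(raw)
        if abs(now - body["ts"]) > TIME_WINDOW:
            return "stale"
        # forget nonces that are outside the window; a packet that old is rejected as stale anyway
        self.seen = {n: t for n, t in self.seen.items() if now - t <= TIME_WINDOW}
        if body["nonce"] in self.seen:
            return "replay"
        self.seen[body["nonce"]] = body["ts"]
        if body["access"] not in self.allowed:
            return "not allowed"
        self.open_until[body["access"]] = now + OPEN_SECONDS
        return "opened"

    def expire(self, now):
        """Remove holes whose timer ran out (fwknopd deletes the iptables rule)."""
        self.open_until = {a: t for a, t in self.open_until.items() if t > now}

    def is_open(self, access, now=None):
        """Stands in for the firewall: the rule exists only until it expires."""
        now = now if now is not None else time.time()
        self.expire(now)
        return access in self.open_until


if __name__ == "__main__":
    server = SpaServer(SHARED_KEY, ["tcp/22"])
    pkt = build_spa(SHARED_KEY, "tcp/22")
    print("first packet:", server.handle(pkt))          # opened
    print("same packet again:", server.handle(pkt))     # replay
    print("ssh reachable now?", server.is_open("tcp/22"))
```

A connection made while the hole is open keeps working after expiry only because of the ESTABLISHED rule in the firewall script above; the model only tracks whether new connections would be accepted.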

There is also a windows client you can get here

Resources / Good Reading:

Friday, November 19, 2010

Linux / Ubuntu hardening tips

Here are some tips that you can use to harden the security of your systems.

It's a good idea to divide your file system into several partitions so you can fine-tune permissions and functionality per partition. It also helps with Linux OS migration and backups.

Set a BIOS password ONLY. Sure, you can also set HDD lock passwords to protect your hard disks, which is good, but there is one downside to doing so. If your computer is stolen and the system requires a password to boot (or to unlock the hard disks), then, provided you used a strong password, the thief will most likely not be able to boot the machine at all. He may then dispose of it or simply fit a new hard drive, and at that point you can pretty much kiss the machine goodbye, as recovering it becomes almost impossible. What I prefer is to set only a BIOS password, so nobody can change BIOS settings, but the machine can still boot into the OS into a restricted account. Once the machine gets an internet connection, the hidden "prey" software I discussed in the previous post can do its job and start reporting information back to us. This setup might not be appropriate for businesses, but for a typical home user I think it should do fine (who wouldn't want to catch the culprit and recover their stolen goods in the process? :P ).

You also want to set the boot priority to boot from the hard disk first, not from removable media. This helps prevent live Linux CDs or other removable media from booting and mounting your hard disk. With the BIOS password set, changing the boot sequence becomes a daunting task for the average user. Although this is easily bypassed by removing the hard disk so the computer boots from its next boot device, not everyone thinks of doing so, so it still gives you some security.

Perform an update as soon as you install your new OS. These commands should do: # apt-get update && apt-get upgrade

Enable automatic updates. You want to schedule your updater to check for updates at least once a week. I also suggest letting the OS automatically download and install updates without confirmation when they become available.

Download and install your preferred firewall (I recommend Firestarter). Go ahead and block incoming connections: the only connections that should be allowed through your firewall are those originally initiated from your box.

Download and install a virus scanner (ClamAV should do). Most viruses are for Windows, so chances are you won't get infected. However, you can still be hosting a virus that may spread to other hosts. For instance, you may have an infected PDF file that you can open on Linux with no effect whatsoever, because the exploit was designed for a Windows system. If you carry this file with you on a USB key and copy it onto a Windows system, that virus now stands a much better chance of infecting its Windows host.

I recommend using Firefox for the best web browsing security. You also want to install the "NoScript" add-on for added protection against scripting attacks.

Refrain from using the root account. Create a new user and grant privileges to this user via the sudoers file, using the command "visudo" to modify it. Be as restrictive as possible: if you give yourself too many privileges and your account is compromised, then it's game over.

After you do a fresh install of Ubuntu and have applied all the updates, generate a list of all installed programs as a baseline. You can generate the list again later, compare it to your baseline and note the differences; chances are you may spot some programs that shouldn't be there. The command I use to generate this list is:
# dpkg --get-selections | grep -v "deinstall" > Installed_Baseline-`date +%F`.lst

Remove unnecessary services, especially the ones that start on boot. Identify the services you do not need and remove them.
example: # sudo /etc/init.d/cups stop && sudo update-rc.d -f cups remove

As mentioned above, I recommend having some sort of locked-down guest account. That way, if my laptop gets stolen, it is in my best interest to give the thief easy access to a session where they can connect to the internet and browse the web. My "prey" software can then report on the laptop's whereabouts, so I have a good chance of recovering my PC.

Install "prey". You can read about it in my previous post. This here puts your mind at ease knowing that if your machine gets stolen, there is still hope that you can recover it.

Always try to have some type of log management strategy. Search or create scripts that would parse through your log files and extract relevant information. Getting this right can be time consuming but may pay off one day. Try to log as much as possible. The more data you have, the more you have to work with.

By default, all user home directories created with the adduser utility have world read/execute permissions. This is not very desirable from a security standpoint. To check every user's home directory permissions: # ls -ld /home/*
For added security, run: # sudo chmod 0750 /home/username

Avoid using default service ports. For example, a default SSH server install will most likely listen on port 22. It is in your best interest to move it to some random port number like 26374. Attackers who see port 22 automatically assume there is an SSH server running behind it, but seeing port 26374 makes their lives a little harder when trying to identify the type of service listening on that port. Sometimes they just won't bother putting in the extra effort to get into that system, as things aren't as trivial for them.

Lock down your services and applications. As an example, with SSH I like to restrict root logins, disable password authentication once I have public key authentication working, and force the use of SSH protocol version 2.
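The baseline comparison, the home-directory permission check and the SSH lock-down above can all be scripted. The following is an added example, not code from the post: the two package lists and the sshd_config excerpt are constructed samples (the hardened values PermitRootLogin no, PasswordAuthentication no and Protocol 2 follow the recommendations above), and world_accessible_homes() only touches the real /home when the script is run directly.

```python
import os
import re
import stat

# Constructed samples (not from a real host) in the shape of `dpkg --get-selections` output.
BASELINE = """\
cups\t\t\t\t\tinstall
openssh-server\t\t\t\tinstall
vim\t\t\t\t\tinstall
"""
CURRENT = """\
cups\t\t\t\t\tdeinstall
netcat-traditional\t\t\tinstall
openssh-server\t\t\t\tinstall
vim\t\t\t\t\tinstall
"""


def parse_selections(text):
    """Return the set of packages whose dpkg selection state is 'install'
    (the post's grep -v "deinstall" filter, done in code)."""
    pkgs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == "install":
            pkgs.add(parts[0])
    return pkgs


def diff_baseline(baseline_text, current_text):
    """(added, removed) package names relative to the saved baseline list."""
    base, cur = parse_selections(baseline_text), parse_selections(current_text)
    return sorted(cur - base), sorted(base - cur)


def is_world_accessible(mode):
    """True if any 'other' permission bit is set; chmod 0750 clears them."""
    return bool(stat.S_IMODE(mode) & 0o007)


def world_accessible_homes(home_root="/home"):
    """Scripted version of eyeballing `ls -ld /home/*`: (path, octal mode) per offender."""
    findings = []
    if not os.path.isdir(home_root):
        return findings
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        if os.path.isdir(path):
            mode = os.stat(path).st_mode
            if is_world_accessible(mode):
                findings.append((path, oct(stat.S_IMODE(mode))))
    return findings


# Constructed sshd_config excerpt (hypothetical file content).
SSHD_CONFIG = """\
# hypothetical /etc/ssh/sshd_config
Port 26374
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
"""
EXPECTED_SSHD = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Protocol": "2"}


def sshd_findings(config_text, expected=EXPECTED_SSHD):
    """Keys whose effective value differs from the hardened value (None = not set)."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, 1)     # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())   # sshd honours the first occurrence
    return {k: settings.get(k) for k, v in expected.items() if settings.get(k) != v}


if __name__ == "__main__":
    print("added/removed since baseline:", diff_baseline(BASELINE, CURRENT))
    print("world-accessible home dirs:", world_accessible_homes())
    print("sshd settings to fix:", sshd_findings(SSHD_CONFIG))
```

On a real box, feed diff_baseline() the saved Installed_Baseline file and the output of a fresh `dpkg --get-selections`, and point sshd_findings() at the contents of /etc/ssh/sshd_config.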

Resources/Good Reading:

Thursday, November 18, 2010 - Things you can do to aid recovering one's stolen laptop part 2

Continuing from my last post, I wanted to talk about an open source project called Prey.
The website itself states: "Prey lets you keep track of your phone or laptop at all times, and will help you find it if it ever gets lost or stolen. It's lightweight, open source software, and free for anyone to use. And it just works."

It is available for Linux, Windows, Mac OS and the Android platform as well.

These are the steps involved in getting it set-up for Windows:
  1. Download and install the software
  2. In configuration, choose to set up reporting method
  3. Choose the recommended option "Prey + control panel"
  4. Create a new user and follow remaining steps
  5. Log into newly created account on
  6. Click on your device
  7. Make the necessary changes here, then go to "Modules" to configure those (very important)
  8. The Modules section is where you tell prey what information to collect if your PC is stolen. Make necessary changes here
  9. Click on "Save changes"
  10. To test your system out, switch back to "Configuration" view and turn on the "Missing?" option. This tells prey to start doing its thing and start reporting the information you requested.

For Ubuntu linux users:
  1. Download the .deb installer from the main website
  2. install using: # dpkg -i prey_0.4.4-ubuntu2_all.deb
  3. If the install complains about dependencies like mine did, install them. For example, I installed my dependencies like this: # apt-get install scrot streamer mpg123. Scrot is a screenshot capture program, streamer is a video and audio capture utility and mpg123 is a command line mp3 player.
  4. Verify your crontab entry: # crontab -l
  5. Verify that the cron service is running: # /etc/init.d/cron status. If cron is not running, it may not be configured to start on boot (unless you purposely disabled it). You can add it to the startup scripts like so: # update-rc.d cron defaults. Then verify again that it's running: # /etc/init.d/cron status
  6. If the GUI configurator tool does not launch, you will have to configure the options manually. Edit the /usr/share/prey/config file (make a backup of the original first). You want to add the api_key and device_key values that you get from your Prey account. I also set randomize_check_host='y' and commented out all the ssh, smtp, sftp and scp options near the bottom.

The way the Prey system works is that when your stolen laptop is connected to the internet, the previously installed Prey client silently and periodically phones home to the mothership looking for instructions (it keeps attempting this periodically even while you are not connected). The interval at which Prey phones home can be configured on your machine (go to Start menu -> All Programs -> Prey -> Configuration). When it phones home it checks for instructions, specifically whether the "Missing?" option we set in step 10 is on. If it is off, Prey does nothing and goes back to sleep until its next periodic cycle. If it phones home and sees that the missing option is on, it starts collecting the information you configured in the modules (step 8) and sends it to the Prey servers, where you and only you can review it when you log into your account. This information can include the machine's location and its hardware and network status, and you can optionally trigger specific actions on it, such as locking the computer (a pre-assigned password is then required to unlock it) or deleting browser cookies and cached passwords.

Resources / Good Reading:

Things you can do to aid recovering one's stolen laptop part 1

I was inspired by a presentation I saw, "Pwned by the owner", presented at DEF CON 18 by Zoz. The presenter told the story of an incident in which his laptop was stolen and the series of things he was able to do that led to its recovery. It was a very interesting and eye-opening presentation that I would encourage everyone to watch.

In summary, thanks to a few services that were running silently in the background, he already had a foot in the door of his own system. He had a dyndns client running that sent every new public IP address to his dyndns account. This means that whenever his laptop was connected to the internet, at any location, the dyndns client would detect the change in public IP address and update his dyndns account record. With that IP address you can do a reverse lookup, find out location information and the current ISP of the connected node (you can also contact the ISP and report this to the authorities). In some cases, given the right software, if your laptop is connected via Wi-Fi it is possible to get an idea, within a reasonable distance, of where your laptop is on the map (like phone navigation without a built-in GPS receiver).

When Zoz discovered that his dyndns account had recorded a new IP, he proceeded to run nslookups and pings repeatedly until he received a response (this can be scripted as well so you are notified when the host is up; think of a bash script with a cron job). Once he got ping replies and the host was up, he tried to connect to some of the services he had running on the box before it was stolen, including ssh and vnc. As it was his laptop he knew all the required passwords, so he eventually had inside access. From there he did some recon. He found pictures of the criminal stored on the hard drive, and the browser cookies and browsing history gave a profile of this criminal (it seems he was into dating sites and lots of porn). What was left to do at this point was to get a street address. Although the public IP can give you the city the individual lives in, it will most likely not give you more than that. Finding an exact location was next on Zoz's to-do list.

A keylogger was deployed on the system and, as you would guess, all usernames and passwords were obtained for the sites the thief was registered on, including porn sites and eBay. From the return shipping address in his eBay account the relevant address information was obtained, and the authorities were then able to detain the thief.

As soon as I finished watching this presentation I was a little paranoid and wanted to prepare myself immediately for such an incident. Zoz was lucky to get the public IP from his dyndns provider. Without that he would have had no apparent lead and would have been left with a broken heart and lots of regret.

Resources / Good Reading:
pwned by the owner

Wednesday, November 17, 2010

Dyndns client (ddclient) for linux

Ddclient is a small piece of software that you install on your computer to keep your dyndns account updated with your current IP address. If your external IP address changes, the program automatically notifies your provider of the change and updates your account record seamlessly.

To install: # apt-get install ddclient

After you install it and provide the relevant information on setup, you will want to verify and or modify the config file (/etc/ddclient.conf)

This is what mine looks like:

# Configuration file for ddclient
# /etc/ddclient.conf

daemon=300 # check every 300 seconds
syslog=yes # log update msgs to syslog
### Select one of these options to determine your IP address
## via hardware interface (if you don't have a router/firewall)

## For local IPs. You probably wouldn't have any use for this unless your computer was connected directly to the modem.
#use=if, if=eth0
## via our CheckIP server. This is a good choice that i use
use=web,, web-skip='Current IP Address: '

## from the status page for a linksys router/firewall

#use=linksys, fw=linksys, fw-login=admin, fw-p

## settings for DynDNS account holders

## settings for OpenDNS account holders

You may also need to verify one setting in the /etc/default/ddclient file: confirm that "run_daemon=true" is set.

After you have made all your changes, restart the daemon: # /etc/init.d/ddclient restart. The service will start on system boot and keep running in the background.

# /etc/init.d/ddclient status
Status of Dynamic DNS service update utility: ddclient is running

Every few minutes (configurable) the service will check to see if there is a change in your external IP address and if there is, it will send that updated information to your dyndns service provider using your already provided account credentials.

You would then want to log into your dynamic DNS service provider account and verify that your external IP now is up to date.

I've run into an issue where one of my ddclients refused to update my dyndns account. I ran it in debug mode like so:
# sudo ddclient -debug -login=username -password='pass' -noquiet -verbose

The output of the command was implying that my IP address hadn't changed, so it was skipping the update process. However, when I logged into my dyndns account, my IP address was different. This is because I'm running ddclient on a netbook that I take everywhere, and when it's connected to the internet it updates that record. The reason my other machine was not updating my dyndns account is because of a cache file that was stored. Removing this cache file fixed my problem.

# sudo rm /var/cache/ddclient/ddclient.cache
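The two pieces of ddclient behaviour this post touches, the use=web / web-skip address detection and the cache that made the second machine skip its update, as an added Python model (not ddclient's own code). The "check IP" page text, the hostname and the addresses are constructed; the DdnsClient class stands in for one ddclient install and the shared dictionary for the provider's DNS record, so the stale-cache situation described above can be reproduced offline.

```python
import re

# Constructed "check IP" page in the shape ddclient's web-skip option expects.
CHECKIP_PAGE = ("<html><head><title>Current IP Check</title></head>"
                "<body>Current IP Address: 203.0.113.7</body></html>")
WEB_SKIP = "Current IP Address: "

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def extract_ip(page, skip=""):
    """Model of use=web with web-skip: skip past the marker, take the first IPv4 address."""
    if skip:
        idx = page.find(skip)
        if idx < 0:
            return None
        page = page[idx + len(skip):]
    m = IPV4.search(page)
    if not m:
        return None
    ip = m.group(1)
    if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
        return ip
    return None


def decide_update(cached_ip, detected_ip, force=False):
    """ddclient-style decision: skip when the local cache already holds the detected
    address. Returns (should_update, reason)."""
    if detected_ip is None:
        return False, "could not determine IP"
    if force or cached_ip is None:
        return True, "no cache entry (or forced)"
    if cached_ip == detected_ip:
        return False, "IP unchanged according to cache"
    return True, "IP changed"


class DdnsClient:
    """One ddclient install; `provider_record` is the shared DNS record it updates."""

    def __init__(self, provider_record):
        self.provider = provider_record   # hostname -> IP held by the provider
        self.cache = {}                   # hostname -> last IP this client sent (ddclient.cache)

    def run_once(self, host, page, force=False):
        ip = extract_ip(page, WEB_SKIP)
        do_it, reason = decide_update(self.cache.get(host), ip, force)
        if do_it:
            self.provider[host] = ip
            self.cache[host] = ip
        return do_it, reason


def stale_cache_scenario():
    """Reproduces the post's problem: two machines update one record. The desktop's
    cache still says 'unchanged' after the netbook changed the record, so it skips;
    clearing the cache (rm ddclient.cache) makes it update again."""
    record = {}
    desktop = DdnsClient(record)
    netbook = DdnsClient(record)
    desktop.run_once("home.example", CHECKIP_PAGE)                         # record -> 203.0.113.7
    netbook.run_once("home.example", "Current IP Address: 198.51.100.9")   # record -> 198.51.100.9
    skipped, _ = desktop.run_once("home.example", CHECKIP_PAGE)            # cache matches, so skipped
    desktop.cache.clear()                                                  # rm /var/cache/ddclient/ddclient.cache
    fixed, _ = desktop.run_once("home.example", CHECKIP_PAGE)
    return skipped, fixed, record["home.example"]


if __name__ == "__main__":
    print("detected:", extract_ip(CHECKIP_PAGE, WEB_SKIP))
    print("skipped / fixed / record:", stale_cache_scenario())
```

ddclient also accepts a -force flag, which makes it send the update regardless of what the cache says; that is the alternative to deleting the cache file when two machines share one record.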