Category Archives: Security

Cisco, Network, Security

Cisco – perimeter security – EEM disable port

Leave a comment

Sometimes it is necessary to connect a device on your security permiters edge to your network. Doing so without any protection can be don, but might not be wise.

So how do you secure your PoE Surveillance-Cam which covers the from of your office or your IP-based intercom which are accessible by the public?

802.1x would be a good solution. However – for that you would require a CA/PKI + machine-certificates for the devices, would have to rotate them on a regular base which might not be possible and could be wuite some effort.

Furthermore – not all devices support 802.1x – so how could we secure these devices?

Before we start, lets analyse the threat:

A devices such as a PoE-Surveillance cam, an IP-InterCom or similar devices are located outside of a “protected” perimeter where anybody might have easy access to the device. An attacker could easily unplug the network-cable, add a switch in between and get access to the network.
MAC based ACLs could be used to ensure that only “allowlisted” devices (so devices with the correct MAC address) are granted access.
However running tcpdump, getting the allowed devices MAC and “cloning” it via macchanger --mac=XX:XX:XX:XX:XX:XX isn’t really that hard.
So that doesn’t really work! Yes, the network should be segmented anyways to reduce the impact of such a security incident. But still – there might be some interesting piece of hardware/software in that network which could be exploited by an attacker to get a foothold in the network or at least gather some additional information about other devices which are used.

So the best approach is, to do not even let the attacker in.

With Cisco we could do so by utilizing the EEM (Embeded Event Manager).
That piece of software allows us to react on events that are registered by the switch.

So what we want to archive is:

  • Given an (I)OT-device on the edge of your network perimeter
  • when the device is unplugged
  • then disable the port the device is attached to

Unplugging the network cable generates a port-down syslog entry on the switch, which can be utilized to execute a command/command set.

If we want to “secure” a device located on port 20 the following configuration could be used to manually shut down (disable) the port once a disconnect was detected. 

event manager applet Interface_Down_PoE-CAM
 event syslog pattern "Line protocol on Interface GigabitEthernet1/0/20, changed state to down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/20"
 action 2.5 cli command "shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"

The above example will immediately set the port to shutdown, once the line protocol went down/device was unplugged from the network.

However – keep in mind, that a restart of the device (especially for devices which use external PowerSupplies might also cause a port-down event while restarting which will result in a disabled port.
Doing maintenance could also result in a port down event, if somebody shuts down/unplugs the device while doing the maintenance tasks!

So is using this method to secure the perimeter, it is very important to also have some monitoring in place which will notify about disabled ports.

If ports shall be automatically enabled again (e.g. when office hours start) the EEM + KRON can be used.
As it seemed that execution actions like with the EEM are not supported in the KRON-policies i used the workaround to generate another syslogevent via cron which does the “reset” (no shutdown) for the perimeter ports.

! define the cron-occurence - so when our job should be run. 
kron occurrence Daily_8AM at 8:00 recurring
 ! list policies which shall be excuted
 policy-list Policy_A
 policy-list Policy_B
!
kron policy-list Policy_A
 ! send the following message to syslog:
 cli send log 0 "set_port_Gi1/0/35_UP"
!
kron policy-list Policy_B
 ! send the following message to syslog:
 cli send log 0 "set_port_Gi1/0/20_UP"
!
! DISABLE the port when a defined syslog message is detected
event manager applet EEM_01
 event syslog pattern "Line protocol on Interface GigabitEthernet1/0/20, changed state to down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/20"
 action 2.5 cli command "shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! DISABLE the port when a defined syslog message is detected
event manager applet EEM_02
 event syslog pattern "Line protocol on Interface GigabitEthernet1/0/35, changed state to down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/35"
 action 2.5 cli command "shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! enable the port when a defined syslog message is detected
event manager applet EEM_03
 event syslog pattern "set_port_Gi1/0/35_UP"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/35"
 action 2.5 cli command "no shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! enable the port when a defined syslog message is detected
event manager applet EEM_04
 event syslog pattern "set_port_Gi1/0/20_UP"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/20"
 action 2.5 cli command "no shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
end

References:

Security

Spam the Scammer

Leave a comment

Got a phising SMS this week whis lead me to a fake DHL-website and asked me for personal data, credit card data and so on.

Though if they like collecting data so much I might help them and wrote the following script to help them collecting credit card data:

#!/bin/python3
import requests
import ccard
import pprint
import random
from termcolor import colored


target_addr="https://<SCAMMERS-DOMAIN>/PHP/send.php"
counter=0
while 1:
    cc=str(ccard.visa())
    cc_str=cc[0:4]+" "+cc[4:8]+" "+cc[8:12]+" "+cc[12:16]+" "
    cvv=(random.randint(100, 999))
    year=(random.randint(23, 27))
    month=(random.randint(1, 12))
    valid_date=str("{:02d}".format(month))+"/"+str("{:02d}".format(year))
    cc_data={"cc":cc_str,"exp":valid_date,"cvv":cvv,"type":"livraison"}
    r=requests.post(target_addr,json=cc_data)
    if r.status_code != 200:
        print(colored("ERROR - statuscode: "+r.status_code, "red"))
    else:
        counter=counter+1
        print(counter, end="\r")

The script will just generate face credit card numbers CVVs and face validation-dates and post it to the script, the scammer used to receive the data from the phising-site.

Linux, Red Hat, Security, Webserver, Zabbix

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Leave a comment

When using Zabbix on a Centos8/RHEL8 machine the following error occurred whil trying to monitor an HTTPS-website via the build in web scenarieos:

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

The error itself also shows up when trying to use curl to connect to the website:

$ curl -D - https://<some-legacy-website-> -k
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

That error occurs if the server uses an older cipher-suite that’s considered unsafe by the default crypto policy used in Centos8/RHEL8.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

To work around that problem, the legacy cipher suites must be enabled by:

# update-crypto-policies --set LEGACY

Although a restart is recommended after issuing the command, for me it also worked without the need of issuing a reboot.

Powershell, Security, Tools, Windows

Start PS-Admin session from an unprivileged user

Leave a comment 
 runas  /user:administrator 'powershell -command Start-Process powershell -verb runas'
Linux, Security, Zabbix

Zabbix SELinux policy generation

Leave a comment

Commands to query the auditlog for Zabbix relevant queries and create/import a compiled policy file within Zabbix

Could be adapted to generate policies for any other system.

The suggestion is to set SELinux to permissive (setenforce=0) execute the action and afterwards create the policy based on the logged events. If the policy does not work on the first try after re-enabeling SELinux again it it could happen that a call was blocked (which is also logged within the auditlog) that was not blocked with SELinux in permissive mode. Therefore it could help creating a new human readable policy (.te-file) and checking the first version vs. the second version + merging them. 

filename=zabbix-server
cat /var/log/audit/audit.log  | grep zabbix | audit2allow -m $filename >> $filename.te
checkmodule -M -m -o $filename.mod $filename.te
semodule_package -o $filename.pp -m $filename.mod
semodule -i $filename.pp
 
 
#restorecon -R -v /run/zabbix/zabbix_server_alerter.sock    #suggested by the policygenerator
Linux, Security, Tools

Get CVE information from NIST NVD and RHEL

Leave a comment

Just two littel scripts that come handy if you want to download all the CVE info in JSON format for offline use.

[pastacode lang=”bash” manual=”%23!%2Fbin%2Fbash%0Aurls%3D%24(curl%20https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdata-feeds%23JSON_FEED%20%7C%20grep%20’https%3A%2F%2F’%20%7C%20grep%20-i%20json.gz%20%7C%20sed%20’s%2F.*href%3D%2F%2Fg’%20%7C%20cut%20-d%5C’%20%20-f2)%0A%0Amkdir%20-p%20.%2FnistNvdJson%0Acd%20nistNvdJson%0Afor%20l%20in%20%24urls%3B%0Ado%0Awget%20%24l%0Adone%0Agunzip%20*%0A” message=”Donwload NIST NVD CVEs in JSON” highlight=”” provider=”manual”/]

 

[pastacode lang=”bash” manual=”%23!%2Fbin%2Fbash%0A%0A%0AloopVar%3D1%0AdataDir%3D%22rhelCveData%22%0Amkdir%20%24dataDir%20-p%0Aecho%20%22getting%20data%3A%22%0AT%3D%22%24(date%20%2B%25s)%22%0Awhile%20%5B%5B%20%24loopVar%20-ne%200%20%5D%5D%3B%0Ado%0A%20%20%20%20%20%20%20%20echo%20-n%20%22-%24loopVar-%20%22%0A%20%20%20%20%20%20%20%20data%3D%24(curl%20-s%20https%3A%2F%2Faccess.redhat.com%2Flabs%2Fsecuritydataapi%2Fcve.json%3Fpage%3D%24loopVar)%0A%20%20%20%20%20%20%20%20if%20%5B%5B%20%22%24data%22%20%3D%3D%20%22%5B%5D%22%20%5D%5D%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20loopVar%3D0%0A%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20toFile%3D%24toFile%24%7Bdata%3A1%3A-1%7D%22%2C%20%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20let%20loopVar%3DloopVar%2B1%0A%20%20%20%20%20%20%20%20fi%0Adone%0AT%3D%22%24((%24(date%20%2B%25s)-T))%22%0Aecho%20%22%5B%24%7BtoFile%3A%3A-2%7D%5D%22%20%3E%3E%20%22%24dataDir%2FrhelCve.json%22%0Ased%20-i%20’s%2F%5E%5C%5B%5C%5D%24%2F%2Fg’%20%22%24dataDir%2FrhelCve.json%22%0Aprintf%20%22Got%20data%20in%3A%20%2502dd%3A%2502dh%3A%2502dm%3A%2502ds%5Cn%22%20%22%24((T%2F86400))%22%20%22%24((T%2F3600%2524))%22%20%22%24((T%2F60%2560))%22%20%22%24((T%2560))%22%0A” message=”Get CVE infos for RHEL” highlight=”” provider=”manual”/]

 

Additional information:
If you query the NIST NVD Data and search for RHEL CPEs you won’t get a lot of hits as only a smal percentage of the CVEs that affect Red Hat software has the correct CPE attached. However – NIST NVD is nice to have because in the Red Hat CVEs only the total CVSS score is listed but no detailed vulnerability metrics are included.

Linux, Security, Webserver

Apache – force autocomplete=off for password fields

Leave a comment

If 3rd party software is installed it is quite likely that the autocomplete attribute for password fields is not set to off. Editing such settings directly in the sourceode is possible most of the time, but it’s not the nicest way and you also run into the problem that everything could be gone again after an update of the software.

A nice workaround is to use the substitute module to accomplish that.

[pastacode lang=”markup” manual=”%3CLocation%20%22%2F%22%3E%0A%20%20%20%20AddOutputFilterByType%20SUBSTITUTE%20text%2Fhtml%0A%20%20%20%20Substitute%20%22s%7C%3Cinput%20type%3Dpassword%7C%3Cinput%20type%3Dpassword%20autocomplete%3Doff%7Ci%22%0A%3C%2FLocation%3E” message=”disable autocomplete for password fields” highlight=”” provider=”manual”/]

Linux, Security, Webserver

Webserver certificate -creation script

Leave a comment

Today I got some time to take care of my server so i installed the latest updates checkt the system for attacks and when I checkt my SSL-certificates i found out, that they were just valid till April 2015 … UPS … ok they are not officially signed and i just use them to encrypt sensitive communication with my server but i wanted to fix that issue and some other little issues i found when checking my blog with https://www.ssllabs.com/ssltest/analyze.html?d=blog.fawcs.info.

Because I also had to regenerate the certificates for my other subdomains I wrote a little script to do that for me (and to use it in the future, because I always have to look up the SSL-certificat generation)

 

So here is the script:

[pastacode lang=”bash” message=”SSL cert-generation” highlight=”” provider=”manual”]

#!/bin/bash

if [ -z $1 ];
then
        echo "Parameter 1 for Domain is missing";
        exit;
fi

openssl genrsa -out $1.key 2048
openssl req -x509 -new -nodes -key $1.key -days 1024 -out $1.crt -subj "/C=AT/ST=Vienna/L=Vienna/O=fawCS.info/CN=$1"

[/pastacode]

 

I also updated the security settings in my virtual host configuration files for some settings. The DH-KeyExchange cipher got excluded from the available ciphers because there is a new attack against DH which makes it vulnerable to MITM-attacks.
http://www.heise.de/security/meldung/Logjam-Attacke-Verschluesselung-von-zehntausenden-Servern-gefaehrdet-2657502.html [German]

Extract of settings:

TraceEnable off
ServerSignature Off
ServerTokens Prod
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH !EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS”

And it’s always a good idea to to use htaccess with extra users or IP-ACLs to secure specific directories. (for example the wp-admin directory 🙂 )

Some other interesting settings to macke apache more secure can be found her: http://www.tecmint.com/apache-security-tips/