Tag Archives: security

Cisco – perimeter security – EEM disable port

Sometimes it is necessary to connect a device located on the edge of your security perimeter to your network. Doing so without any protection can be done, but might not be wise.

So how do you secure your PoE surveillance cam which covers the front of your office, or your IP-based intercom, which is accessible by the public?

802.1X would be a good solution. However – for that you would require a CA/PKI plus machine certificates for the devices, and you would have to rotate them on a regular basis, which might not be possible and could be quite some effort.

Furthermore – not all devices support 802.1X – so how can we secure these devices?

Before we start, let's analyse the threat:

Devices such as a PoE surveillance cam, an IP intercom or similar are located outside of a “protected” perimeter where anybody might have easy physical access to the device. An attacker could easily unplug the network cable, add a switch in between and get access to the network.
MAC-based ACLs could be used to ensure that only “allowlisted” devices (so devices with the correct MAC address) are granted access.
However, running tcpdump, getting the allowed device’s MAC and “cloning” it via macchanger --mac=XX:XX:XX:XX:XX:XX isn’t really that hard.
So that doesn’t really work! Yes, the network should be segmented anyway to reduce the impact of such a security incident. But still – there might be some interesting piece of hardware/software in that network which could be exploited by an attacker to get a foothold in the network, or at least to gather some additional information about other devices which are used.

So the best approach is not to let the attacker in at all.

With Cisco we can do so by utilizing the EEM (Embedded Event Manager).
That piece of software allows us to react to events that are registered by the switch.

So what we want to achieve is:

  • Given an (I)OT-device on the edge of your network perimeter
  • when the device is unplugged
  • then disable the port the device is attached to

Unplugging the network cable generates a port-down syslog entry on the switch, which can be utilized to execute a command/command set.

If we want to “secure” a device located on port 20 the following configuration could be used to manually shut down (disable) the port once a disconnect was detected.

event manager applet Interface_Down_PoE-CAM
 event syslog pattern "Line protocol on Interface GigabitEthernet1/0/20, changed state to down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/20"
 action 2.5 cli command "shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"

The above example will immediately set the port to shutdown, once the line protocol went down/device was unplugged from the network.

However – keep in mind that a restart of the device (especially for devices which use external power supplies) might also cause a port-down event while restarting, which will result in a disabled port.
Maintenance could also result in a port-down event, if somebody shuts down/unplugs the device while doing the maintenance tasks!

So when using this method to secure the perimeter, it is very important to also have some monitoring in place which notifies about disabled ports.
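One way to build that monitoring, as an added example that is not part of the original post: replay the switch's syslog on the collector and report which protected ports are administratively down, and which went down without the applet shutting them (the protection did not kick in). The %LINEPROTO-5-UPDOWN, %LINK-5-CHANGED and %LINK-3-UPDOWN message texts are the formats IOS emits; the host name, timestamps, sequence numbers and the set of perimeter ports in the sample are constructed for this example.

```python
import re

# Perimeter ports protected by EEM applets (same ports as in the configuration
# on this page); assumed set, adjust to your switch.
PERIMETER_PORTS = {"GigabitEthernet1/0/20", "GigabitEthernet1/0/35"}

# IOS syslog message formats.
LINEPROTO_RE = re.compile(
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to (up|down)")
ADMIN_DOWN_RE = re.compile(
    r"%LINK-5-CHANGED: Interface (\S+), changed state to administratively down")
LINK_RE = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)")

# Constructed sample of what a syslog collector receives from the switch.
# Port 20: unplugged, applet fired (shutdown). Port 35: link flapped, but no
# shutdown followed. Port 7: shut down, but it is not a perimeter port.
SAMPLE_SYSLOG = """\
Mar 11 07:58:01 sw-edge-01 1234: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to down
Mar 11 07:58:02 sw-edge-01 1235: %LINK-5-CHANGED: Interface GigabitEthernet1/0/20, changed state to administratively down
Mar 11 09:14:07 sw-edge-01 1301: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
Mar 11 09:14:09 sw-edge-01 1302: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
Mar 11 09:20:00 sw-edge-01 1310: %LINK-5-CHANGED: Interface GigabitEthernet1/0/7, changed state to administratively down
"""


def audit_perimeter_ports(syslog_text, perimeter_ports=PERIMETER_PORTS):
    """Replay switch syslog and report the state of the protected ports.

    Returns a dict with:
      "disabled"         - perimeter ports currently 'administratively down'
                           (applet fired or someone shut the port; a human decides)
      "applet_missed"    - perimeter ports whose line protocol went down without
                           a following shutdown, i.e. the protection did not fire
      "other_admin_down" - non-perimeter ports that were shut down, for context
    """
    admin_down = set()
    pending = set()  # perimeter ports waiting for the applet's shutdown
    for line in syslog_text.splitlines():
        m = LINEPROTO_RE.search(line)
        if m:
            port, state = m.groups()
            if port in perimeter_ports and state == "down":
                pending.add(port)
            continue
        m = ADMIN_DOWN_RE.search(line)
        if m:
            port = m.group(1)
            admin_down.add(port)
            pending.discard(port)
            continue
        m = LINK_RE.search(line)
        if m and m.group(2) == "up":
            # a 'no shutdown' (e.g. from the kron job) brings the link back up
            admin_down.discard(m.group(1))
    return {
        "disabled": sorted(p for p in admin_down if p in perimeter_ports),
        "applet_missed": sorted(pending),
        "other_admin_down": sorted(p for p in admin_down if p not in perimeter_ports),
    }


if __name__ == "__main__":
    report = audit_perimeter_ports(SAMPLE_SYSLOG)
    for key, ports in report.items():
        print(f"{key}: {', '.join(ports) or '-'}")
```

Run it against the logs your collector stores for the switch; anything in "disabled" outside the maintenance window is worth a ticket, and anything in "applet_missed" means the applet's syslog pattern does not match that port.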

If ports shall be enabled again automatically (e.g. when office hours start), EEM + kron can be used.
Since kron policy lists do not seem to support actions the way EEM applets do, I used a workaround: the kron job generates another syslog event, and a second EEM applet matching that message does the “reset” (no shutdown) for the perimeter ports.

! define the kron occurrence - so when our job should be run.
kron occurrence Daily_8AM at 8:00 recurring
 ! list policies which shall be executed
 policy-list Policy_A
 policy-list Policy_B
!
kron policy-list Policy_A
 ! send the following message to syslog:
 cli send log 0 "set_port_Gi1/0/35_UP"
!
kron policy-list Policy_B
 ! send the following message to syslog:
 cli send log 0 "set_port_Gi1/0/20_UP"
!
! DISABLE the port when a defined syslog message is detected
event manager applet EEM_01
 event syslog pattern "Line protocol on Interface GigabitEthernet1/0/20, changed state to down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/20"
 action 2.5 cli command "shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! DISABLE the port when a defined syslog message is detected
event manager applet EEM_02
 event syslog pattern "Line protocol on Interface GigabitEthernet1/0/35, changed state to down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/35"
 action 2.5 cli command "shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! enable the port when a defined syslog message is detected
event manager applet EEM_03
 event syslog pattern "set_port_Gi1/0/35_UP"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/35"
 action 2.5 cli command "no shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! enable the port when a defined syslog message is detected
event manager applet EEM_04
 event syslog pattern "set_port_Gi1/0/20_UP"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/20"
 action 2.5 cli command "no shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
end


Spam the Scammer

Got a phishing SMS this week which led me to a fake DHL website and asked me for personal data, credit card data and so on.

Though, if they like collecting data so much, I might help them, so I wrote the following script to help them collect credit card data:

#!/bin/python3
import requests
import ccard          # third-party module that generates Luhn-valid test card numbers
import random
from termcolor import colored


target_addr="https://<SCAMMERS-DOMAIN>/PHP/send.php"
counter=0
while 1:
    # generate a random (fake) Visa number and split it into groups of four digits
    cc=str(ccard.visa())
    cc_str=cc[0:4]+" "+cc[4:8]+" "+cc[8:12]+" "+cc[12:16]+" "
    cvv=random.randint(100, 999)
    year=random.randint(23, 27)
    month=random.randint(1, 12)
    valid_date="{:02d}/{:02d}".format(month, year)
    cc_data={"cc":cc_str,"exp":valid_date,"cvv":cvv,"type":"livraison"}
    r=requests.post(target_addr,json=cc_data)
    if r.status_code != 200:
        # status_code is an int, so it has to be converted before concatenation
        print(colored("ERROR - statuscode: "+str(r.status_code), "red"))
    else:
        counter=counter+1
        print(counter, end="\r")

The script just generates fake credit card numbers, CVVs and fake expiry dates and posts them to the script the scammer used to receive the data from the phishing site.

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

When using Zabbix on a CentOS 8/RHEL 8 machine the following error occurred while trying to monitor an HTTPS website via the built-in web scenarios:

(35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small 

The error itself also shows up when trying to use curl to connect to the website:

$ curl -D - https://<some-legacy-website-> -k
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

That error occurs if the server uses an older cipher-suite that’s considered unsafe by the default crypto policy used in Centos8/RHEL8.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

To work around that problem, the legacy cipher suites must be enabled by:

# update-crypto-policies --set LEGACY

Although a restart is recommended after issuing the command, for me it also worked without the need of issuing a reboot. Keep in mind that the crypto policy is system-wide: LEGACY lowers the TLS requirements (among them the minimum DH key size) for every application on that host, not just for Zabbix. If you control the legacy server, raising its DH parameters to at least 2048 bits fixes the root cause instead.

Zabbix SELinux policy generation

Commands to query the audit log for Zabbix-relevant entries and create/import a compiled policy module for Zabbix.

Could be adapted to generate policies for any other system.

The suggestion is to set SELinux to permissive (setenforce 0), execute the action and afterwards create the policy based on the logged events. If the policy does not work on the first try after re-enabling SELinux, it could happen that a call was blocked (which is also logged in the audit log) that was not blocked with SELinux in permissive mode. Therefore it can help to create a new human-readable policy (.te file), check the first version against the second version and merge them.

filename=zabbix-server
# collect the Zabbix related denials and turn them into a type enforcement (.te) module;
# use > rather than >>: audit2allow -m writes a complete module including the header line,
# so appending a second run would produce an invalid .te file
grep zabbix /var/log/audit/audit.log | audit2allow -m $filename > $filename.te
# compile the .te into a binary module, package it and load the package
checkmodule -M -m -o $filename.mod $filename.te
semodule_package -o $filename.pp -m $filename.mod
semodule -i $filename.pp


#restorecon -R -v /run/zabbix/zabbix_server_alerter.sock    #suggested by the policygenerator

Get CVE information from NIST NVD and RHEL

Just two little scripts that come in handy if you want to download all the CVE info in JSON format for offline use.

Download NIST NVD CVEs in JSON:

#!/bin/bash
# scrape the feed page for the links to the gzipped JSON feeds
urls=$(curl https://nvd.nist.gov/vuln/data-feeds#JSON_FEED | grep 'https://' | grep -i json.gz | sed 's/.*href=//g' | cut -d\' -f2)

mkdir -p ./nistNvdJson
cd nistNvdJson
for l in $urls;
do
wget $l
done
gunzip *

Note that NIST has since retired the JSON 1.1 data feeds this script scrapes in favour of the NVD API, so the link list will come back empty on the current site.

Get CVE infos for RHEL:

#!/bin/bash
# page through the Red Hat Security Data API until an empty page ([]) is returned
loopVar=1
dataDir="rhelCveData"
mkdir $dataDir -p
echo "getting data:"
T="$(date +%s)"
while [[ $loopVar -ne 0 ]];
do
        echo -n "-$loopVar- "
        data=$(curl -s https://access.redhat.com/labs/securitydataapi/cve.json?page=$loopVar)
        if [[ "$data" == "[]" ]]; then
                loopVar=0
        else
                # strip the surrounding [ ] of each page and append its entries with a trailing ", "
                toFile=$toFile${data:1:-1}", "
                let loopVar=loopVar+1
        fi
done
T="$(($(date +%s)-T))"
# write all entries as one JSON array (dropping the last ", ") and remove any leftover empty arrays
echo "[${toFile::-2}]" >> "$dataDir/rhelCve.json"
sed -i 's/^\[\]$//g' "$dataDir/rhelCve.json"
printf "Got data in: %02dd:%02dh:%02dm:%02ds\n" "$((T/86400))" "$((T/3600%24))" "$((T/60%60))" "$((T%60))"

Additional information:
If you query the NIST NVD data and search for RHEL CPEs you won’t get a lot of hits, as only a small percentage of the CVEs that affect Red Hat software has the correct CPE attached. However – NIST NVD is nice to have because in the Red Hat CVEs only the total CVSS score is listed, but no detailed vulnerability metrics are included.
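What the combination buys you offline, as an added example that is not part of the original post: join the Red Hat CVE list with the NVD feed by CVE id, pull the CVSS v3 sub-metrics from NVD, and show how few of the Red Hat entries carry a redhat CPE on the NVD side. The records are constructed; their layout follows the NVD JSON 1.1 feed (CVE_Items[].cve.CVE_data_meta.ID, configurations, impact.baseMetricV3.cvssV3) and the Red Hat API list (CVE, severity, cvss3_score, affected_packages) as I know them, so treat the field names as assumptions to check against a real download. The CVE ids and package names are placeholders, not real vulnerabilities.

```python
import json

# Constructed NVD feed excerpt (placeholder CVE ids). Only the first item has a
# redhat CPE attached; the third has no CVSS v3 metrics at all.
NVD_FEED = json.loads("""{
  "CVE_data_type": "CVE",
  "CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
        {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5, "baseSeverity": "HIGH",
        "attackVector": "NETWORK", "privilegesRequired": "NONE", "userInteraction": "NONE"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
        {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:examplevendor:exampletool:1.0:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 5.5, "baseSeverity": "MEDIUM",
        "attackVector": "LOCAL", "privilegesRequired": "LOW", "userInteraction": "NONE"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
     "configurations": {"nodes": []},
     "impact": {}}
  ]}""")

# Constructed Red Hat list excerpt: a total score and severity, but no sub-metrics.
RHEL_CVES = json.loads("""[
  {"CVE": "CVE-0000-0001", "severity": "important", "cvss3_score": "7.5",
   "affected_packages": ["examplepkg-1.0-1.el8"]},
  {"CVE": "CVE-0000-0002", "severity": "moderate", "cvss3_score": "5.5",
   "affected_packages": ["exampletool-1.0-2.el8"]}
]""")


def index_nvd(feed):
    """CVE id -> {"cpes": [vulnerable cpe23Uri, ...], "metrics": cvssV3 dict or None}."""
    index = {}
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        cpes = [m["cpe23Uri"]
                for node in item.get("configurations", {}).get("nodes", [])
                for m in node.get("cpe_match", []) if m.get("vulnerable")]
        metrics = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3")
        index[cve_id] = {"cpes": cpes, "metrics": metrics}
    return index


def has_redhat_cpe(cpes):
    """The vendor is the fourth colon-separated field of a cpe:2.3 URI."""
    return any(c.split(":")[3] == "redhat" for c in cpes)


def enrich(rhel_entries, nvd_index):
    """Join the Red Hat list with the NVD metrics by CVE id."""
    rows = []
    for e in rhel_entries:
        nvd = nvd_index.get(e["CVE"])
        metrics = (nvd or {}).get("metrics")
        rows.append({
            "cve": e["CVE"],
            "rhel_severity": e["severity"],
            "rhel_score": float(e["cvss3_score"]) if e.get("cvss3_score") else None,
            "nvd_score": metrics["baseScore"] if metrics else None,
            "attack_vector": metrics["attackVector"] if metrics else None,
            "privileges_required": metrics["privilegesRequired"] if metrics else None,
            "nvd_has_rhel_cpe": bool(nvd) and has_redhat_cpe(nvd["cpes"]),
        })
    return rows


def network_reachable(rows):
    """The view the Red Hat list alone cannot give: network attack vector, no privileges needed."""
    return sorted(r["cve"] for r in rows
                  if r["attack_vector"] == "NETWORK" and r["privileges_required"] == "NONE")


if __name__ == "__main__":
    rows = enrich(RHEL_CVES, index_nvd(NVD_FEED))
    for r in rows:
        print(r)
    print("prioritise:", network_reachable(rows))
```

Point the two loaders at the files the scripts above produce (one json.load per gunzipped NVD feed, one for rhelCve.json) and the join runs entirely offline; the nvd_has_rhel_cpe column is what makes the low CPE coverage visible in your own data.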

Remove Oracle ApEx from the database

Because Nessus seems to dislike Oracle ApEx we needed to remove it from the database. Oracle's manual regarding the removal is pretty straightforward (https://docs.oracle.com/database/121/HTMIG/trouble.htm#HTMIG270), but I wanted to do it in a single non-interactive line, which makes it easier to automate the removal.

So – here it is:

echo quit | sqlplus -S "sys/sys as sysdba" @$ORACLE_HOME/apex/apxremov.sql

Note that a password passed on the command line like this is visible to every local user in the process list; using OS authentication ("/ as sysdba") or feeding the connect string to sqlplus on stdin avoids that.