
Monday, 30 September 2013

Penetration Test results (interpreting results) Open-Filtered Ports



 

Recently we had a penetration test done. I am not going to mention company names here; I'll write just about the results.

I asked them to check our public IPs and all services which face the Internet. I also asked them to check our Wi-Fi and finally our internal office Windows domain.

I knew there were many problems and potentially many holes. I inherited this network and I don't think things were set up with security in mind. But something else important to note is that if a company is not willing to participate and embrace security, there is very little which can be done: directors and all managers at the top need to accept security as an important step. Security is not there to prevent anyone from working, but to give companies a degree of digital/online stability. Knowing where the holes are is surely better than not knowing; at least you won't be caught by surprise.

The test took around three days, and literally the only information I provided was the public IP addresses.

 

Port 445 Open-Filtered

One thing in particular I want to talk about: the pen test diagnosed our office firewall with port 445 (SMB) Open-Filtered.

I asked the security team which did the pen test and they said: "if the port is filtered, it does mean it is open. Maybe nothing is listening but the port is definitely open".

This is a serious discovery and it needs a full investigation. My boss and Operations pushed me to dig this out and get it sorted.

 

Action Plan

Review the firewall configuration thoroughly and check any references to port 445.

I disabled all unnecessary rules and checked open ports once again with nmap. Once again, and this time I could verify it myself, the result was Port 445 Open-Filtered. I could not believe it.

I could not find anywhere in the firewall a rule which explicitly opened, forwarded or NATted port 445.

I downloaded a program called Nipper (see https://www.titania-security.com/), exported the configuration from the firewall, parsed the config and did not find any indication that port 445 was actually open.

 

Block Port 445

I decided to explicitly create a rule to block port 445. With the rule in place, I once again used nmap to check for open ports and, once again to my surprise, nmap showed port 445 Open-Filtered.

There was no way port 445 was open! I decided to Google it, and I vaguely remembered something to do with ISPs filtering port 445.

In 2004 there was an outbreak of a virus which propagated itself by exploiting port 445 (SMB). This is the port Microsoft Windows machines use to communicate with each other on a network and access shares.

Because of this outbreak, firewall vendors decided it was a good approach to just filter this port instead of blocking it, because blocking it makes the firewall use more CPU and memory.

So finally I got to the bottom of it and understood the real result. Port 445 was actually being filtered at a higher level by our ISP, which is good.

 

So if you come across ports being Open-filtered, I would recommend the following:

1.    Review your firewall configuration

2.    Check with your ISP

3.    Get in touch with your Firewall vendor and ask them to clarify it for you
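The lesson of the post is that an Open-Filtered result is not a proven exposure: nmap got no reply and cannot tell an open port from a dropped probe. The script below is an added example (not code from the original post) that reads nmap's XML output (-oX), keeps the ports nmap actually saw answer apart from the undetermined ones, and attaches the three checks above to each undetermined port. The XML is a constructed sample, and 203.0.113.10 is a documentation address, not a real host.

```python
"""Triage nmap port states from XML (-oX) output.  Added example, not part of
the original post; the scan below is constructed sample data."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output: two ports answered, one got no reply at all.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 203.0.113.10">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="445"><state state="open|filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>
"""

# What each nmap state actually proves, following nmap's own state definitions.
STATE_MEANING = {
    "open": "a service answered the probe; something is listening",
    "closed": "the host answered that nothing listens (RST or ICMP unreachable)",
    "filtered": "the probe was dropped somewhere in the path (firewall or ISP)",
    "open|filtered": "no reply at all: nmap cannot tell an open port from a dropped probe",
    "closed|filtered": "nmap cannot tell a closed port from a dropped probe",
}

# The checks the post recommends for an Open-Filtered port, in its order.
TRIAGE_STEPS = (
    "Review your firewall configuration for any rule that opens, forwards or NATs the port",
    "Check with your ISP whether they filter the port upstream",
    "Ask your firewall vendor to clarify how the port is handled",
)


def parse_ports(xml_text):
    """Return a list of {host, proto, port, state, reason} dicts from nmap XML."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            results.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
            })
    return results


def confirmed_open(ports):
    """Ports where nmap really saw a service reply."""
    return [p["port"] for p in ports if p["state"] == "open"]


def undetermined(ports):
    """Ports with a compound state such as open|filtered: nmap received nothing,
    so these are findings to verify, not confirmed exposures."""
    return [p["port"] for p in ports if "|" in p["state"]]


def triage_report(xml_text):
    """Separate proven-open ports from those that still need the manual checks."""
    ports = parse_ports(xml_text)
    return {
        "confirmed_open": confirmed_open(ports),
        "verify": {p: list(TRIAGE_STEPS) for p in undetermined(ports)},
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_NMAP_XML)
    print("confirmed open:", report["confirmed_open"])
    for port, steps in report["verify"].items():
        print(f"port {port}: {STATE_MEANING['open|filtered']}")
        for n, step in enumerate(steps, 1):
            print(f"  {n}. {step}")
```

Run it against a real scan with `nmap -oX scan.xml <your public IP>` and feed the file to `triage_report`; the point is that only the "confirmed_open" list is evidence of a listening service, while everything under "verify" needs the firewall review, the ISP question and the vendor question before anyone calls it a hole.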

 

Some links for you to research


 


 

By Renato Oliveira

Sunday, 7 April 2013

How to secure your Linux server (part 1)



 
There are many people and companies which don't believe in security. I wish 'security' was just a myth, but I am afraid there are many people out there with the intent to cause disruption and take advantage of it. I have heard and read many times in the news stories about data being stolen, compromised servers being used to attack other systems, back doors, trojans, keyloggers, crackers, hackers, bored teenagers, industrial espionage, even sabotage by countries.

There are many unscrupulous people in the world, and with the ease of the Internet, anyone from anywhere can easily connect to any system around the globe and just cause havoc.

I wish I could spend my time just improving the system and making it more reliable, user friendly and more robust, but we have to keep an eye on the bad guys.

At least if you can't stop them, make it harder, so they have to spend more time trying to get into your system.

I am going to show you a few things I do to harden your Linux servers and give you some breathing space.

Tips

1.    Only install the software you need onto your Linux server

2.    Disable unnecessary processes and services

3.    Change SSH default port from 22 to something like 2297

4.    Configure iptables and only allow IN the services you MUST

a.    If you only need Apache, just allow in port 80

5.    Make use of TCP wrappers

                a.  /etc/hosts.allow

                b.  /etc/hosts.deny

6.    Disable Apache signature

7.    Do not allow root login via SSH

8.    Create a user with an unusual name to be your admin

9.    Create a list of allowed users and set it on /etc/ssh/sshd_config

10.  Set up sudo and always use it

11.  Don’t log in directly as root to manage the server

12.  Create a banner /etc/issue

                a.    Add a security disclaimer

                b.    Make sure you specify that the server is not public

13.  Install and configure tripwire – IDS (Intrusion Detection System)

14.  Configure /tmp as a loopback-mounted file

15.  Mount /tmp with the following options on /etc/fstab

                a. tmpdir /tmp ext4 loop,noexec,nosuid,rw 0 0

16.  Send logs to a remote syslog server

17.  Keep your Linux server patched and up-to-date

18.  Use different passwords for root and for your admin user

19.  Use different passwords for different servers and services

20.  Change your Password regularly (every 3 months)

21.  Set ssh login attempts to:

             a. MaxAuthTries 5

22.  Install and configure Fail2Ban to automatically block too many password failures

23.  Set a GRUB boot password

Note: Be careful if you reboot your Server remotely

24.  Always create separate file systems or partitions

25.  Mount your application file system as follows on /etc/fstab

      a.  nosuid,nodev,noexec 1 2

26.  Disable SUID and SGID for binaries

27.  Install a log analyser
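Tips 3, 7, 9 and 21 all end up as lines in /etc/ssh/sshd_config, and a detail that catches people out is that sshd takes the first value it finds for a keyword, so a hardening line appended at the bottom of the file can be silently overridden by an earlier one. The script below is an added example, not the author's setup script: it audits a config against those four tips and writes a hardened copy with the wanted directives at the top. The config text is a constructed sample of a stock file; port 2297 is the post's suggestion and the admin name "sysadm" is a placeholder to replace with your own unusual admin user.

```python
"""Audit and harden sshd_config against tips 3, 7, 9 and 21 of the post.
Added example, not the post's own script; WEAK_SSHD_CONFIG is a constructed sample."""
import re

WEAK_SSHD_CONFIG = """\
#Port 22
Protocol 2
PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# Directive -> value the post asks for.  The AllowUsers name is a placeholder.
DESIRED = {
    "Port": "2297",           # tip 3: move SSH off the default port
    "PermitRootLogin": "no",  # tip 7: no root login over SSH
    "AllowUsers": "sysadm",   # tip 9: explicit allow-list (placeholder name)
    "MaxAuthTries": "5",      # tip 21: cap authentication attempts
}


def _split(line):
    """sshd accepts 'Key value' and 'Key=value'; return (key_lower, value)."""
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def effective_settings(config_text):
    """Return {keyword: value} the way sshd resolves it: only a leading '#'
    comments a line out, the FIRST occurrence of a keyword wins, and anything
    after a Match block applies conditionally, so parsing stops there.
    (List directives such as AllowUsers accumulate in sshd; this simple parser
    keeps the first line, which is enough for an audit.)"""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split(line)
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(config_text, desired=DESIRED):
    """List every desired directive whose effective value differs from the target."""
    have = effective_settings(config_text)
    findings = []
    for key, want in desired.items():
        got = have.get(key.lower())
        if got is None:
            findings.append(f"{key} not set (sshd default applies); set '{key} {want}'")
        elif got != want:
            findings.append(f"{key} is '{got}', want '{want}'")
    return findings


def harden(config_text, desired=DESIRED):
    """Put the desired directives first (so they win), keep the rest of the file,
    and comment out any conflicting directive so the change is visible on review."""
    keys = {k.lower() for k in desired}
    out = [f"{k} {v}" for k, v in desired.items()]
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and _split(line)[0] in keys:
            out.append("#" + raw)  # conflicting directive, disabled
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(WEAK_SSHD_CONFIG):
        print("FINDING:", finding)
    print(harden(WEAK_SSHD_CONFIG))
```

Run `audit` on a copy of your real /etc/ssh/sshd_config before and after editing it; after writing a hardened file, `sshd -t` validates the syntax, and keep your existing session open until a second login on the new port succeeds, for the same reason the post warns about remote reboots.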

 
If you follow these tips, your server will become much harder to crack.

There are many more things you can do to improve your security: keep your eyes open and be alert, and always check your logs. Make sure you rotate your logs and save them to a remote location.

In the next post I will show you how to set these things up and which files you need to modify.

I hope this will be useful to you.

 
By Renato de Oliveira

 

 

 

 

Wednesday, 3 April 2013

Linux (Red Hat/Centos) post Install tasks



I assume if you are setting up a Linux server there must be a purpose: a new service you need to deploy, you want to learn it, you want to test it, etc.

Once you have successfully installed your Red Hat/CentOS server, there are a few things you need to set, and you need to think ahead.

I recommend, before you set out to install your new server, taking some time to think it through.

There are some questions you need to think about, some of them below:

Note: By no means is this a comprehensive list; it is just some ideas.

 

1.       What is the purpose of the (new) server?

·          Test, Production, learning

2.       What application the (new) server will host?

·          Web, DNS, FTP, Mail, Custom app

3.       Will the server face the Internet?

·         web app, DNS

4.       How will it be exposed to the Internet?

a.       Directly (with a public IP)

b.       Via a proxy (behind a SOCKS proxy or similar)

c.       Behind a physical firewall (Juniper, Cisco), being NATted

d.       Positioning of the server on your network (LAN vs DMZ)

Note: If your server needs to face the Internet, I think it is a good idea to isolate it from the LAN.

5.       What partition layout, and how big each partition should be

I think it is always a good idea to separate the following file systems:

                /boot – normally 100MB – you can give more if you want to

                /tmp – depending on the system, 2GB is a good starting point

                swap – depending on how much memory you have etc.

                Note: Some guys like giving twice the RAM size. If you have enough memory you will not need to worry about swap too much.

                /var – a good starting point is 5GB

                /home – depending on whether you will be hosting users and what your users will be doing

                /usr – 5-10GB is ok (it all depends how the server will be used, where the application will be installed etc.)

                / – the root file system; it is very important not to run out of space here.

Note: Depending on the server's role, the level of security you need to apply to certain partitions differs, e.g. /tmp needs extra care if you have web applications.

 

6.       What services should be left running

My view is that if a service is not needed, it should not be enabled.

This is good practice, for stability and security.

7.       What IP address will be assigned to the server

If your ISP provided you with a single public IP, then you have no choice. If, on the other hand, you will be protecting the server behind a firewall, plan it and use private IPs.

Place the server in a different subnet; I tend to use 192.168.0.0/24 or 172.16.0.0/24.

Split the range into separate blocks and assign blocks to different servers and services. For example: 192.168.1.1-10 to web servers, 192.168.1.11-30 to database servers, etc.

8.       What name to give the server

There are many ways to create a naming convention.

9.       What Name servers to use

10.   The Default Gateway to access the Internet

11.   If you need to keep DATE/TIME in sync

 

I think I covered most things, but there are many more, depending how secure and reliable you want your server to be.

 

I start by setting up the server name, see below:

Set Hostname

# cd /etc

# vi hosts

192.168.1.34  centos63 centos63.adlinux.int

 

# vi /etc/sysconfig/network (this is where you set the server name and the default gateway)

NETWORKING=yes

HOSTNAME=centos63.adlinux.int

GATEWAY=192.168.1.1

 

Set IP address

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"

BOOTPROTO="static"

NM_CONTROLLED="no"

ONBOOT="yes"

TYPE="Ethernet"

IPADDR=192.168.1.34

NETMASK=255.255.255.0

 

Set Name servers

# vi /etc/resolv.conf

domain adlinux.int

search adlinux.int

nameserver 192.168.1.22

 

Just reboot your Linux server and all the changes will take effect at boot time.
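The four files above are derived from a handful of decisions (address, mask, gateway, resolver, name), and most of the mistakes that cost a trip to the console are inconsistencies between them, such as a gateway outside the server's own subnet. The script below is an added example, not tooling from the post: it keeps the plan in one place, checks it with Python's ipaddress module, and renders the same four files with the post's own values (centos63.adlinux.int, 192.168.1.34/24, gateway 192.168.1.1, resolver 192.168.1.22).

```python
"""Validate a network plan and render the Red Hat/CentOS network files the post
edits.  Added example, not the post's own tooling; PLAN holds the post's values."""
import ipaddress

PLAN = {
    "hostname": "centos63",
    "domain": "adlinux.int",
    "device": "eth0",
    "ip": "192.168.1.34",
    "netmask": "255.255.255.0",
    "gateway": "192.168.1.1",
    "nameservers": ["192.168.1.22"],
}


def validate(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    ip = ipaddress.ip_address(plan["ip"])
    gw = ipaddress.ip_address(plan["gateway"])
    # strict=False lets us pass a host address plus dotted netmask and get the subnet.
    net = ipaddress.ip_network(f"{plan['ip']}/{plan['netmask']}", strict=False)
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}; the server could never reach it")
    if ip == gw:
        problems.append("server address equals the gateway address")
    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if not ip.is_private:
        problems.append(f"{ip} is not a private address; the post recommends private IPs behind a firewall")
    for ns in plan["nameservers"]:
        try:
            ipaddress.ip_address(ns)
        except ValueError:
            problems.append(f"nameserver {ns!r} is not an IP address")
    return problems


def render_files(plan):
    """Return {path: content} for the files the post edits by hand."""
    fqdn = f"{plan['hostname']}.{plan['domain']}"
    return {
        "/etc/hosts": f"{plan['ip']}  {plan['hostname']} {fqdn}\n",
        "/etc/sysconfig/network": (
            f"NETWORKING=yes\nHOSTNAME={fqdn}\nGATEWAY={plan['gateway']}\n"
        ),
        f"/etc/sysconfig/network-scripts/ifcfg-{plan['device']}": (
            f'DEVICE="{plan["device"]}"\nBOOTPROTO="static"\nNM_CONTROLLED="no"\n'
            f'ONBOOT="yes"\nTYPE="Ethernet"\nIPADDR={plan["ip"]}\nNETMASK={plan["netmask"]}\n'
        ),
        "/etc/resolv.conf": (
            f"domain {plan['domain']}\nsearch {plan['domain']}\n"
            + "".join(f"nameserver {ns}\n" for ns in plan["nameservers"])
        ),
    }


def build(plan):
    """Refuse to render anything from an inconsistent plan."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    return render_files(plan)


if __name__ == "__main__":
    for path, content in build(PLAN).items():
        print(f"--- {path}")
        print(content, end="")
```

Keeping the plan as data is also the documentation the post asks for: the dictionary, together with a note on why each value was chosen, is what you will want when you revisit the box months later.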

 

There are many files which need to be set; it all depends on the role of the server, as already pointed out above. The configuration above is just the basic network configuration to get you up and running.

Don't forget to plan, think it through, break it down into smaller tasks and take note of your plan. Document it well, otherwise when you need to revisit the configuration you may not remember the reasons for setting things up the way you did.

 

Advice:

1.       Planning

2.       Documentation

3.       Backup

4.       Roll back

 

 

Hope you enjoy it.

 

By Renato de Oliveira

 

 

Monday, 25 March 2013

Network design, install and configuration


I have decided to share with you my experiences and I will show you most things about networks.

I am going to start from scratch and write posts on how to:
  • How to Install Windows 2008
    • Setup network
    • Active Directory
    • DNS
    • DHCP
    • etc
  • How to Install Redhat 6
    • Setup the Network
    • Integrate Linux to Active directory
    • Setup most config files under /etc
    • NFS
    • SAMBA
  • How to Set up Citrix
  • How to Setup Juniper SRX Security gateway
  • How to Setup NetApp Ontap 8.1

I am going to give you ideas on how to plan your AD, your DNS naming, your IP address scheme, how to position your clients on the network.
I will discuss DMZ, VLANs, Security, SSH, Locking down Linux.

I will have recommendations on security, patch management, for Windows. Design considerations for your network.
Resiliency and redundancy will be discussed also.

If you want to benefit from this blog, just keep visiting it; it will be your one-stop shop for most network systems.

My plan is to every day write a new post about some topic.

I have already few posts and I will make the link between each post, so you can easily follow up.

If you have suggestions, please let me know; I will try my best to accommodate your suggestions and also write about them.

I hope you will enjoy and learn all this exciting stuff related to IT.

Many thanks

Renato Oliveira

Tuesday, 19 March 2013

How to set a Postfix SMTP mail Gateway


A few months ago, when I started the implementation of a big system in one of our Data Centres, it became clear we needed a server to act as a mail hub for all servers within the same network.
This was a secure environment and emails had to be centralised and logged.

I would like to draw your attention to something important: we have an Exchange server in the office and all emails must be archived for a long period of time.

So emails are sent from clients within the Data Centre through the Postfix SMTP Gateway and from the SMTP Gateway, emails are forwarded to our Exchange in the office.

I chose Postfix for the task because I think it is easy to setup, robust and secure.

There are only two files you need to touch, which are:
/etc/postfix/main.cf
/etc/postfix/transport

I will give you details of my setup and network below.
Network: 10.10.10.0/24
SMTP Gateway IP: 10.10.10.224
Exchange Server Name: mail.domain.com
Exchange Server IP: Public IP for Exchange

Server Side
Edit /etc/postfix/transport file
# cd /etc/postfix
# vi transport

Go to the bottom of the file and add the following line:
mail.domain.com :[Public IP Address of our Exchange Server]

Creating transport.db
# postmap transport

The command above will create the file /etc/postfix/transport.db

Now we need to edit /etc/postfix/main.cf
# vi main.cf

Comment out the line
#inet_interfaces = localhost (make sure it has a # at the beginning of the line)

Uncomment the line below
inet_interfaces = all (remove the # from the beginning of this line)

Modify the line below:
mynetworks = 127.0.0.0/8 10.10.10.0/24 (127.0.0.0/8 plus your own network)

Restart Postfix process
# service postfix restart

That is it. Your SMTP Gateway is ready to receive emails from the server clients on your network.

Client Side:
# cd /etc/postfix
# vi transport

add the line below to the file and save it
smtpgateway.domain.com :[10.10.10.224]

Create the transport.db file
# postmap transport

Now we need to edit /etc/postfix/main.cf
# vi main.cf

Make sure the line below is uncommented
inet_interfaces = localhost
Note: this is a client, therefore for security reasons the SMTP service only needs to answer to the localhost.

Add the line below
relayhost = [10.10.10.224]

Make sure the lines below are uncommented
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

Restart Postfix process
# service postfix restart


Repeat the client-side process on all clients which need to send email via the SMTP Gateway.
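The two settings that decide whether this gateway stays a private hub or becomes an open relay are inet_interfaces (who can talk to it) and mynetworks (who it will relay for). The script below is an added example, not part of the post or of Postfix: it builds the server-side and client-side settings from the post (network 10.10.10.0/24, gateway 10.10.10.224, domain mail.domain.com) and checks the relay policy before anything is written to main.cf. The Exchange address 203.0.113.25 is a placeholder for your real public IP.

```python
"""Build the Postfix gateway/client settings from the post and check the relay
policy.  Added example, not part of the post; EXCHANGE_IP is a placeholder."""
import ipaddress

EXCHANGE_IP = "203.0.113.25"  # placeholder for the Exchange server's public IP


def gateway_settings(lan_cidr, exchange_host, exchange_ip):
    """main.cf values and transport line for the SMTP gateway (server side)."""
    main_cf = {
        "inet_interfaces": "all",                 # listen for the data-centre clients
        "mynetworks": f"127.0.0.0/8 {lan_cidr}",  # only these may relay through us
    }
    transport = [f"{exchange_host} :[{exchange_ip}]"]  # office domain goes to Exchange
    return main_cf, transport


def client_settings(gateway_ip, gateway_host):
    """main.cf values and transport line for a client that submits via the gateway."""
    main_cf = {
        "inet_interfaces": "localhost",  # clients only accept local submissions
        "relayhost": f"[{gateway_ip}]",  # everything goes via the gateway
        "alias_maps": "hash:/etc/aliases",
        "alias_database": "hash:/etc/aliases",
    }
    transport = [f"{gateway_host} :[{gateway_ip}]"]
    return main_cf, transport


def relay_policy_problems(main_cf):
    """Flag settings that would let hosts outside the data centre relay through us."""
    problems = []
    listening = main_cf.get("inet_interfaces", "localhost")
    nets = main_cf.get("mynetworks", "").split()
    for entry in nets:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"mynetworks entry {entry!r} is not an address or CIDR block")
            continue
        if net.prefixlen == 0:
            problems.append(f"mynetworks {entry} matches every address: open relay")
        elif not (net.is_private or net.is_loopback):
            problems.append(f"mynetworks {entry} is a public range; anyone in it can relay")
    if listening != "localhost" and not nets:
        problems.append(
            "listening on all interfaces with mynetworks unset: Postfix derives it from "
            "mynetworks_style, which may trust whole attached subnets"
        )
    return problems


def render_main_cf(main_cf):
    """Turn the dict into main.cf lines; refuse to render a bad relay policy."""
    problems = relay_policy_problems(main_cf)
    if problems:
        raise ValueError("; ".join(problems))
    return "".join(f"{key} = {value}\n" for key, value in main_cf.items())


if __name__ == "__main__":
    server_cf, server_transport = gateway_settings("10.10.10.0/24", "mail.domain.com", EXCHANGE_IP)
    print("--- gateway main.cf\n" + render_main_cf(server_cf))
    print("--- gateway transport\n" + "\n".join(server_transport))
    client_cf, client_transport = client_settings("10.10.10.224", "smtpgateway.domain.com")
    print("--- client main.cf\n" + render_main_cf(client_cf))
    print("--- client transport\n" + "\n".join(client_transport))
```

After writing the files, `postmap transport` and `service postfix restart` as in the post; `postconf mynetworks` on the gateway then shows exactly which ranges it will relay for, which is the line to re-check whenever the data-centre network changes.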

That is it folks, I hope you enjoy these simple How-Tos.

by Renato de Oliveira



Monday, 18 February 2013

Configuring Juniper SRX (some commands)




How to save config to a File:
root@fw-name# save <config-11-21-10-version-1>

How to restart Firewall
root@srx100-01> request system reboot

How to display systems alarms 
root@srx100-01> show system alarms

How to set System hostname
root@srx100-01# set system host-name <hostname>

How to set the system domain name on Juniper SRX
admin@srx100-01# set system domain-name <domainname>

How to set the nameserver or resolvers for your SRX
admin@srx100-01# set system name-server <IP Nameserver>

How to set root password
root@srx100-01# set system root-authentication plain-text-password

How to create a user on Juniper SRX
root@srx100-01# set system login user <username> class super-user

How to set the new user's password on Juniper
root@srx100-01# set system login user renato authentication plain-text-password

How to create a readonly user on SRX
admin@srx100-01# set system login user readonly class read-only

How to display the Junos version
root@srx100-01# show version

How to set Time Zone
root@srx100-01# set system time-zone Europe/London

How to set Date and Time
root@srx100-01> set date 201302170917.32

Note: The command above can be explained as follows:
2013 (year), 02 (month), 17 (day of month), 0917.32 (09:17:32am - nine o'clock, seventeen minutes and thirty two seconds a.m)
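The timestamp format of `set date` is easy to get wrong by hand (no separators, and the dot only before the seconds). The script below is an added example, not a Juniper tool: it parses and produces that YYYYMMDDhhmm.ss form and reports how far a device clock read off the CLI is from a reference time, which is the number you want before deciding whether the NTP commands that follow are working. The sample value is the post's own.

```python
"""Parse and produce the Junos `set date` timestamp (YYYYMMDDhhmm.ss).
Added example, not a Juniper tool; the sample value comes from the post."""
from datetime import datetime

JUNOS_DATE_FORMAT = "%Y%m%d%H%M.%S"


def parse_junos_date(text):
    """'201302170917.32' -> datetime(2013, 2, 17, 9, 17, 32); ValueError on bad input."""
    return datetime.strptime(text, JUNOS_DATE_FORMAT)


def format_junos_date(when):
    """Inverse of parse_junos_date, for building a `set date` command."""
    return when.strftime(JUNOS_DATE_FORMAT)


def set_date_command(when):
    """The operational-mode command the post shows, for the given time."""
    return f"set date {format_junos_date(when)}"


def clock_drift_seconds(device_text, reference):
    """Seconds the device clock is ahead (+) or behind (-) a reference time such
    as an NTP-synchronised host; a large value is what `show ntp status` and
    `show log messages | match ntp` should then explain."""
    return (parse_junos_date(device_text) - reference).total_seconds()


if __name__ == "__main__":
    sample = "201302170917.32"
    when = parse_junos_date(sample)
    print(sample, "->", when.isoformat())
    print(set_date_command(when))
    print("drift vs 09:17:00 reference:", clock_drift_seconds(sample, datetime(2013, 2, 17, 9, 17, 0)), "s")
```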

How to set Juniper to sync date and time from NTP server
root@srx100-01> set date ntp <NTPSERVER>

How to setup 2 NTP servers and have one as a preferred one
root@srx100-01# set system ntp server <NTPSERVER> version 4 prefer
root@srx100-01# set system ntp server <NTPSERVER> version 4

How to setup NTP server at boot time
root@srx100-01# set system ntp boot-server <NTPSERVER>

How to show the NTP servers configured on Juniper
root@srx100-01# show system ntp

How to show NTP status 
root@srx100-01> show ntp status

How to show the Uptime for a Juniper firewall
root@srx100-01> show system uptime | match current

How to troubleshoot NTP problems
root@srx100-01> show log messages | match ntp