Honeypot fun with Nepenthes
I've been running a honeypot on a server running Nepenthes, which is apt-get installable on Debian Lenny at time of writing.
Nepenthes works by starting up a bunch of emulated vulnerable services on all the typical ports you'd expect. It then monitors and reports on the automated scanners and malware that think they are delivering a payload to a real service.
The server has been running for 24 hours - here are my stats using the Submissions2stat.py log parser by Andrew Waite.
Basic firewall
#!/bin/bash
# Address of the external interface (Lenny-era ifconfig output format)
eth0=`ifconfig eth0 | grep "inet addr" | awk '{print $2}' | cut -d: -f2`
# Change to 1 to enable logging of dropped packets
LOG=0

flush() {
    iptables --flush
    iptables --delete-chain
}

start() {
    # Flush just in case 'start' has been called twice without stop or restart
    flush
    # Default policies: drop everything that is not explicitly accepted
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP
    # Accept all on loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
}

# stop() and the dispatch below are added to complete the script, which was cut off in the post
stop() {
    # Reset the policies to ACCEPT first: a plain flush would leave everything dropped
    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT
    iptables --policy FORWARD ACCEPT
    flush
}

case "$1" in
    start) start ;;
    stop) stop ;;
    restart) stop; start ;;
    *) echo "Usage: $0 {start|stop|restart}" ;;
esac
PCI Compliance and general good security
SSL:
/etc/apache2/mods-enabled/ssl.conf
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!ADH
Squid
When SSL terminates at a Squid reverse proxy, make the equivalent changes in squid.conf instead, like so:
https_port 443 vhost cert=whatever.ssl key=whatever.key cafile=whatever.cer defaultsite=www.example.com cipher=DEFAULT:!EXPORT:!LOW options=NO_SSLv2
Other Squid changes:
# PCI Verizon scan results
reply_header_access X-Cache-Lookup deny all
reply_header_access X-Cache deny all
reply_header_access All allow all
via off
httpd_suppress_version_string on
PHP:
/etc/php5/apache2/php.ini
expose_php = Off
This gets rid of the long list of 'safe_mode' vulnerabilities the scan reports against PHP 5.2.8 or lower, because the scanner only ever saw the version number in the X-Powered-By header and this setting stops PHP sending it. Hiding information like this that is sent back in HTTP headers is a good idea anyway, and it is something else the scan complains about.
Kind of a dodgy fix: obviously in a better world we'd be upgrading to a newer version of PHP, but maybe that isn't an option for whatever reason.
Don't leave any pages that call phpinfo() reachable without checking the requester's IP address too:
<?php
// 1.2.3.4 is a placeholder for the administrator's own address
if ($_SERVER['REMOTE_ADDR'] === '1.2.3.4') {
    phpinfo();
} else {
    header('HTTP/1.1 403 Forbidden');
}
?>
Apache:
/etc/apache2/apache2.conf
ServerTokens Prod
(hides the Apache/PHP/SSL version information in the footer of server-generated pages such as a 404, and in the Server response header)
In any vhost, including the 000-default, prevent TRACE with mod_rewrite
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
The TRACE method is an HTTP method intended for debugging. A client sending TRACE to a web server receives an echo of its entire request, including the HTTP headers. It is possible for a malicious user to obtain sensitive information from those headers, such as cookies or authentication data.
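To confirm that the Squid, PHP and Apache changes above actually took effect, here is an added checker (not from the original post) that replays the header and TRACE items the scan flagged. The header samples are constructed to look like a Lenny box before and after the fixes; the host, port and probe header name in audit() are assumptions.

```python
import http.client

# Constructed sample headers: what the scan would see before and after the fixes.
BEFORE = {
    "Server": "Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 mod_ssl/2.2.9",
    "X-Powered-By": "PHP/5.2.6-1+lenny3",
    "Via": "1.0 proxy (squid/2.7.STABLE3)",
    "X-Cache": "MISS from proxy",
    "X-Cache-Lookup": "MISS from proxy:443",
}
AFTER = {"Server": "Apache", "Content-Type": "text/html"}

def check_headers(headers):
    """Return one finding per header-disclosure item the scan complained about."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):   # "Apache/2.2.9 ..." still leaks versions
        findings.append("Server header leaks versions (ServerTokens Prod): " + server)
    if "x-powered-by" in h:                  # only sent while expose_php = On
        findings.append("X-Powered-By present (expose_php = Off): " + h["x-powered-by"])
    for name in ("via", "x-cache", "x-cache-lookup"):   # Squid hop and cache headers
        if name in h:
            findings.append(name + " present (via off / reply_header_access deny all)")
    return findings

def trace_allowed(status, body, marker):
    """TRACE is still enabled when the server echoes our probe header back with a 200."""
    return status == 200 and marker in body

def audit(host, port=80):
    """Live check against a host you administer: GET / for headers, then TRACE /."""
    marker = "X-Trace-Probe"   # assumed probe header name; any unused name works
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    findings = check_headers(dict(resp.getheaders()))
    resp.read()
    conn.request("TRACE", "/", headers={marker: "1"})
    resp = conn.getresponse()
    if trace_allowed(resp.status, resp.read().decode("latin-1"), marker):
        findings.append("TRACE method enabled (RewriteRule .* - [F])")
    conn.close()
    return findings   # empty list means every item above is fixed

if __name__ == "__main__":
    print("before:", check_headers(BEFORE))
    print("after:", check_headers(AFTER))
```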
Nmap Conficker Check
nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d (IP)