Tuesday, October 30, 2007

OpenSSH Brute Password Capture Patch

Today I took was dealing with one of the countless ssh brute force grinders running wild out there on the net. I was thinking that it would be cool if I could capture all the username/password combinations they were supplying. During a search I ran across this nifty little patch. I downloaded and attempted to use it, but could not get the patch to apply. After a bit of investigation, I determined that this patch was written for the OpenBSD-specific version of OpenSSH and would not work on OpenSSH Portable. Since I wanted to use this on my Linux box, I had modify the patch to get it work.

The next thing I discovered, is that I really didn't like the logging format... The logs record Epoch time, username, password, and IP address... However, these are spread across 4 separate lines. So, a sample entry looks something like this:

1193780392
root
test
10.0.6.147


Not very easy to parse. Since I was interested in using the data for other things, I also decided to modify the logging as well. The format is still all the same fields, but now in a colon-delimited format, with one attempt per line. It now looks something like this:

1193780828:root:test2:10.0.6.147
1193788608:test:test:127.0.0.1


I've placed the patch on my Google code site for now. Its not very clean, but appears to work with the portable version of openssh for Linux. I tested it on version 4.7p1 on CentOS.

I'll attempt to clean it up and refine it later.

Labels: , ,

Wednesday, October 24, 2007

CapSec October - 10/25

Reminder: CapSec meet up tomorrow.

CapSec October
October 25 (Thursday) 7:30 PM
The Brickskellar
1523 22nd St, NW
Washington DC 20037


View Larger Map

Monday, October 22, 2007

Published! .... well, sorta

Last month I was contacted by a professor from a university in the midwest. He had run across my posting on DNS Best Practices and was requesting permission to include those in his course material. This material is being included in the curriculum for a Systems Administration class he teaches.

While this is both an honor and a privilege, the real kicker is that I am extremely jealous. I really wish that these sort of courses existed back in my college days. The closest thing available for me at the University of Houston where I majored in Physics, was an intro to computers they provided as part of my Physics major curriculum. We briefly learned about hardware (486 vs Pentium, ISA cards vs PCI, etc) and then we jumped into Mathematica and how we could use it to do our physics homework. Unfortunately, like many of my fellow UofH students that year, about the only thing I did learn was which computers could and could not effectively run the now classic Civ I game. ;)

Security Links - 10/22/07

Just a few links for security related tools and sites that piqued my interested in the past few weeks.

Hashmaster - Have a tool or application that is encrypting data, but you are unsure what algorithm is being used? Pass your application a string to encrypt and then pass those tow values to Hashmaster. It will make compare the values and attempt to identify the algorithm in question.

HITB Presentations - All the presentations from last months HackInTheBox Security Conference in Malaysia have been posted and are available to download. Pretty interesting stuff.

fierce.pl - By far, the best tool available for enumerating hosts via DNS. I had played with the very first version when it was announced, but had never bothered to follow up on subsequent releases. I recently downloaded and played with the most current version (0.9.9 - Beta) and was wholly impressed. A must have in any pen-testers toolbox.

Knoppix-NSM - A bootable LiveCD based on the popular Knoppix distro. This one has been customized to provide almost-instant NSM capabilities. Comes with Snort, BASE, Barnyard, ntop, and Squil. Was covered in this months copy of Information Security Mag.

Labels:

Thursday, October 18, 2007

Thailand or Bust!

(This is a bit more of a personal post than security related, but I will try to tie it in as much as possible.) I have a blogging policy that I don't mention my employers by name in my post or talk about issues directly related to them. However, today I am going to violate my own policy. ;) As of today, I have resigned my position here in the US as Director of Security Operations for Revolution Health and have accepted a new role with a Thailand-based company. Aware Corporation is a premier IT services, headquartered in Chiang Mai, Thailand. This is an truly exciting company that I have been communicating with and tracking for 3+ years and the opportunities are practically endless. In my 10-year IT/ Security career, I can't recall ever being as excited to work for a company as this one!

I will be leaving the US later next month and beginning in my new role the first part of December. For those of in the industry and traveling to the region or already working in the region, please feel free to contact me. I'm hoping to start occasionally attending BangSec, HITB, becoming active in the SE Asian security community, and building up my network of contacts on that side of the world.

Wish me luck!

Friday, October 12, 2007

Simple Website Security - 4.5 Tips!

When setting up a secure website, system administrators and webmasters often fail to perform very basic tasks that would greatly "shore up" the webserver. Here are 4 and half simple tips to secure your webserver, make it easier to monitor, and prevent it from sticking out like a sore thumb during a security audit.


1.) There are known security vulnerabilities and weaknesses in some SSL versions and encryption ciphers. SSL2 along with all weak and export grade SSL encryption ciphers should be disabled. In addition to being a good overall security practice, this is also mandated by the PCI Data Security Spec. (4.1). This can be easily done in apache by adding the following line to your config file:

#Disable SSLv2 and weak/ export grade ciphers
SSLCipherSuite ALL:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL



2.) When hosting a secure portal'ish site where the landing page is simply a login page, I like to force SSL only without requiring the user to remember that the site is SSL only. This can be easily accomplished in Apache by using a rewrite rule. This allows my server to still listen for regular http requests, but automatically rewrite those to https. Adding the following to your Apache config file will achieve this behavior.

#Redirect to SSL
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]


3.) TRACK and TRACE are not very well-known HTTP request methods that allow you to debug HTTP problems. These methods are very seldomly used (if ever) and there are a few known Cross Site Scripting (XSS) vulnerabilities related to them. This is a very common vulnerability that will be reported by almost every automated security scanner in the world and can also lead to failed security audits. Because of this, its best to disable them. Again we can use Apache rewrite rules to do this by adding the following lines to the apache config file:

#Disable TRACE & TRACK Methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

4.) Monitoring application logs is an essential part of any security program. Often time your access and error logs will be polluted with error messages that "robots.txt" file is not found. Essentially all this really is, is a list of rules that a search engine spider should follow when crawling your site. Each time an automated crawler visits your site, this file is the first thing they request. To prevent this error from filling your logs, you should create a simple text file named "robots.txt" and place it in the root of your web directory which will still allow crawling of everything. The contents of the file should be:

User-agent: *
Disallow:

4.5) The next thing you will see constantly polluting your error logs are failed requests for a file named "favicon.ico". This file is the small little logo you see in your browser's address bar when you visit some sites or in your bookmarks when you bookmark that same site. This file is requested by the users browser at the beginning of EVERY visit to your site. Because of this, the failed request can quickly fill up your log files! An easy way to fix this is to copy a blank favicon.ico in to the root of your web directory. Alternatively, if you are feeling especially creative you can create a custom favicon here or here.

Security Links - 10/12/2007

Just a few links for security related tools and sites that piqued my interested in the past few weeks.

EasyIDS - Installable IDS system based on CentOS. Includes a web GUI, snort, barnyard, ntop, etc.

SecureDVD - Bootable DVD containing 10 popular Security LiveCD distros. A bit dated as it still ships with BackTracks 1.0

SecurityDistro.com - Great site that lists and tracks security related Linux distros.

Nipper - Fantastic little open source tool for auditing configurations of many network devices. Similiar to the Cisco Router Auditing Tool (RAT), but supporting so many more devices, including Juniper/Netscreen Firewalls.

Ruby on Rails Security Cheatsheet - Great list of security best practices for Ruby on Rails.

Labels: , , ,