FreeBSD Server Administration
After I changed the ssh port, combined with the changes to net.inet.tcp.blackhole and net.inet.udp.blackhole, the server is now completely free of ssh login attempts. I realized these two changes should be made together; it doesn't make much sense to make only one of them. For example, if only the port is changed, the server will still respond to port scans, and it will very probably attract more scanning activity. What if only the sysctl variables are changed? Since the ports of common services are the main target, the evil people can still easily find the ports to attack.
This reminded me of the ports of other common services, especially FTP. There are also lots of attempts to log in to the anonymous FTP account; the messages in /var/log/messages look like:
pure-ftpd: [ERROR] Unable to set up secure anonymous FTP
I'm using pure-ftpd (switched from proftpd); the installation was very easy and it has worked very well.
I used the command line to start pure-ftpd, but to change the port a configuration file is necessary.
Copy or rename /usr/local/etc/pure-ftpd.conf.sample to /usr/local/etc/pure-ftpd.conf.
I changed "NoAnonymous no" to "NoAnonymous yes".
The default configuration for port:
# IP address/port to listen to (default=all IP and port 21).
# Bind 127.0.0.1, 21
It should be very easy to change this, but I couldn't figure out the format for "all IP", very silly :-(.
Start pure-ftpd with the configuration file:
# /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
Posted by FreeBSD Newbie at 06:01 PM | Comments (4)
I used the default port number 22 for sshd, and the server got lots of login attempts every day, which left thousands of lines in the daily security run output.
There are several variables related to the port range in sysctl; mine are different from the default values, although I didn't modify anything.
# sysctl -a | grep portrange
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.first and net.inet.ip.portrange.last are supposed to be 1024 and 5000 according to the FreeBSD manual. I was worried about being locked out of the box and didn't modify the sshd port.
I couldn't bear the annoying automated login attempts any more and decided to give it a try. It's easy to change:
Add a line in the file /etc/ssh/sshd_config:
Port 8888
Reload sshd
# /etc/rc.d/sshd reload
I opened another PuTTY client to test the login, and everything worked fine. The great thing is that the old ssh connection stays active after the sshd modification and reload, so I always have the chance to revert the configuration if it doesn't work.
By the way, binding the ssh login to a static IP is highly recommended.
Posted by FreeBSD Newbie at 10:00 AM | Comments (2)
On the FreeBSD security mailing list, there is a post about a compromised box which got many interesting replies: "Need urgent help regarding security".
Posted by FreeBSD Newbie at 07:22 PM | Comments (0)
A simple contact form on my website was abused to send spam. I had received weird messages sent from the contact form over the past two weeks; I thought they were just from some bored people and didn't pay attention until I got some messages bounced back from other servers. After checking the mail queue, I was shocked to find that there were still a few emails with a very long recipient list.
Here is my original code:
Continue reading "Contact Form Abused Through BCC Field"
Posted by FreeBSD Newbie at 11:08 AM | Comments (1)
Google seems to like this blog a lot; new posts are picked up and ranked in the top 10 within a couple of days, which is simply amazing to me. Although this blog ranks well for quite a few keywords such as "FreeBSD server", the most searched term is "phpBB hack". Several visitors even came here searching for "how to hack phpBB".
Clearly, phpBB has caused lots of problems on Unix/Linux systems; it might be the most troublesome PHP script ever. If you are looking for a forum script, avoid phpBB, no exceptions!
Posted by FreeBSD Newbie at 12:09 AM | Comments (1)
Cordeiro posted the following message on the FreeBSD security list. I didn't test it (I don't have a testing server).
...don't use chkrootkit 0.46 on production machines. The "chkproc" process sends a SIGXFSZ (25) signal to init, that interprets this signal as a "disaster" and reboots after a 30s sleep.
I tested chkrootkit (0.45) and Rootkit Hunter before, and I prefer Rootkit Hunter.
Posted by FreeBSD Newbie at 09:22 PM | Comments (2)
I have tried chkrootkit, and I think it's a very good tool. The book "Mastering FreeBSD and OpenBSD Security", a security bible to me, only mentioned Rootkit Hunter, so I decided to give it a try.
Install
# cd /usr/ports/security/rkhunter/
# make install clean
# rehash
Check for database updates
# rkhunter --update
Perform a complete scan
# rkhunter -c
I got two warnings: one is the hidden directory /usr/.snap, the other is the toor account; both are actually normal for a FreeBSD system. The full report is attached below.
Compared to chkrootkit, the checking process takes longer and seems more thorough, and the output looks better with color highlighting.
For a cron job, its FAQ suggests using the parameter "--quiet" to print only the warning messages, but the output is undesirable:
# rkhunter -c --cronjob --quiet
Line:
[ Warning! ]
Line: [ Warning! ]
[ Warning! (some users in root group) ]
To perform a daily scan, the cron job looks like:
MAILTO=root
0 3 * * * /usr/local/bin/rkhunter -c --cronjob
(Execute at 3:00am)
Sample output
Continue reading "Rootkit Hunter - Another Root Kits Checking Tool"
Posted by FreeBSD Newbie at 11:35 AM | Comments (2)
There is a new vulnerability in Awstats 6.4; a detailed explanation is here. The new development version 6.5 has addressed this issue but is not yet available in ports. Awstats 6.4 has been marked forbidden in the ports tree, and "make install" will display the following message, which is different from the portaudit error:
===> awstats-6.4 is forbidden: http://vuxml.FreeBSD.org/e86fbb5f-0d04-11da-bc08-0001020eed82.html.
I deinstalled Awstats and cleaned up the files and the related Apache configuration. The Awstats installation is a little messed up on my server: I started using it with version 6.1, which needed a manual copy, and version 6.4 seemed to automate this, which ended with two copies on my server. But now I think I might be mistaken; ports shouldn't be so dumb, and it's very possible that I missed something when I installed 6.1. Anyway, the domain configuration files are located in a different folder, /etc/awstats, and are not affected, so it will be very easy to install the soon-to-be-released version; a "make install" and an optional directory protection should be enough.
Posted by FreeBSD Newbie at 12:35 PM | Comments (0)
chkrootkit (the official website is very slow) is a tool for checking for rootkits; it's very easy to install and use.
# cd /usr/ports/security/chkrootkit
# make install clean
# rehash
# chkrootkit
I got a warning on the server where my phpBB forum is running:
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero nothing found
I can't find any information about how MySQL updates this file; I suppose it is normal.
Output on my server:
Continue reading "Check Rootkit"
Posted by FreeBSD Newbie at 04:40 AM | Comments (0)
My phpBB forum was hacked recently; it seemed to be a targeted attack.
What's Changed
1. Three word censors were added.
2. A few users (with consecutive user IDs) were granted admin privileges.
Possible ways to make the above changes:
1. Through the phpBB admin control panel.
2. Modifying the tables directly from the mysql command line or with uploaded scripts.
My first guess is phpBB itself. I installed phpBB beginning with version 2.0.11 and followed the upgrades thereafter. Because the forum is heavily customized and it isn't easy to perform a clean upgrade, I only applied the critical security fixes according to its official release notes; maybe I missed something. Adding word censors requires access to admin_words.php, but I didn't find any requests for it in the Apache log file. Also, it's a little troublesome to grant admin rights to several users through the admin control panel.
Posted by FreeBSD Newbie at 10:15 PM | Comments (0)
Portaudit reported a known vulnerability in the ruby-1.8.2_3 package (lang/ruby18), but ports hasn't released a fixed version yet.
Affected package: ruby-1.8.2_3
Type of problem: ruby -- arbitrary command execution on XMLRPC server.
Information for ruby-1.8.2_3:
Continue reading "Known Vulnerabilities in Ruby-1.8.2_3"
Posted by FreeBSD Newbie at 11:54 PM | Comments (0)
Continue reading "sysctl.conf Sample"
Posted by FreeBSD Newbie at 06:40 PM | Comments (1)
I learnt a tip from the book "Mastering FreeBSD and OpenBSD Security". Servers connected to the Internet receive lots of network probes (automated scans). When a probe tries to connect to a TCP or UDP port where no process is listening, the default kernel will compose a TCP reset packet or an ICMP port unreachable message and send it as a response.
This is not good for security or for system resources. There are two related sysctl variables that change the kernel's default behavior; add the following two lines to /etc/sysctl.conf and the system will drop these kinds of packets:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
To make them go into effect immediately without reboot, run:
# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1
By searching for "net.inet.tcp.blackhole" on Google, I found a good article, Preventing Denial of Service Attacks, which coincidentally (or inevitably) uses these two parameters and kern.ipc.somaxconn as important measures; making a system more robust surely helps to fight DoS attacks, and vice versa.
Posted by FreeBSD Newbie at 08:37 PM | Comments (0)
Currently every website maps to one shell account on my servers. I always felt it's insecure to have more than a dozen accounts, but I never took a minute to think about how to change it.
The AllowUsers parameter in sshd is exactly for this. To allow only one account to log in with ssh, add the following line to /etc/sshd_config:
AllowUsers account_name
If you log in from a static IP address, you can make it more secure, for example:
AllowUsers account_name@192.168.1.32
Restart sshd after the file is modified:
# /etc/rc.d/sshd reload
For detailed information, please refer to the handbook.
Note: you should test the login before closing all terminals; a spelling error can lock you out of the server.
Update: Using a static IP address for login is strongly recommended; it's much more important than limiting the number of accounts.
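As an added example that is not from this blog, the following sh script checks an sshd_config and a "sysctl -a" dump against the hardening described in the ssh port, blackhole and AllowUsers entries on this page; the file names and the weak/hardened sample contents are constructed.

```shell
#!/bin/sh
# Added example (not from the blog): check an sshd_config and a "sysctl -a"
# dump against the hardening described in these entries: a non-default ssh
# port, an AllowUsers restriction, and the two blackhole sysctls.
# File names and sample contents below are constructed, not from a real host.

# audit_sshd_config FILE: prints one line per finding, returns their count
audit_sshd_config() {
    findings=0
    # sshd honours the first Port directive; with none set it listens on 22
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22"
        findings=$((findings + 1))
    fi
    # Without AllowUsers every account on the box may log in over ssh
    if ! awk 'tolower($1) == "allowusers" { found = 1 } END { exit !found }' "$1"; then
        echo "WARN: no AllowUsers line in $1"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# audit_blackhole FILE: FILE holds "name: value" lines as printed by sysctl -a
audit_blackhole() {
    findings=0
    tcp=$(awk -F': *' '$1 == "net.inet.tcp.blackhole" { print $2 }' "$1")
    udp=$(awk -F': *' '$1 == "net.inet.udp.blackhole" { print $2 }' "$1")
    [ "$tcp" = "2" ] || { echo "WARN: net.inet.tcp.blackhole=${tcp:-unset}, want 2"; findings=$((findings + 1)); }
    [ "$udp" = "1" ] || { echo "WARN: net.inet.udp.blackhole=${udp:-unset}, want 1"; findings=$((findings + 1)); }
    return "$findings"
}

# write_samples DIR: constructed weak and hardened inputs for a dry run
write_samples() {
    printf '#Port 22\nPermitRootLogin no\n' > "$1/sshd_config.weak"
    printf 'Port 8888\nAllowUsers account_name@192.168.1.32\n' > "$1/sshd_config.hard"
    printf 'net.inet.tcp.blackhole: 0\nnet.inet.udp.blackhole: 0\n' > "$1/sysctl.weak"
    printf 'net.inet.tcp.blackhole: 2\nnet.inet.udp.blackhole: 1\n' > "$1/sysctl.hard"
}

# Dry run over the constructed samples; "|| :" keeps a non-zero finding
# count from aborting the script under "set -e"
dir=$(mktemp -d) && write_samples "$dir"
for f in sshd_config.weak sshd_config.hard; do audit_sshd_config "$dir/$f" || :; done
for f in sysctl.weak sysctl.hard; do audit_blackhole "$dir/$f" || :; done
rm -rf "$dir"
```

Run it against the real files with `audit_sshd_config /etc/ssh/sshd_config` and `sysctl -a > /tmp/sysctl.out; audit_blackhole /tmp/sysctl.out`; the return code is the number of findings, so it can gate a cron job or the daily security run.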
Posted by FreeBSD Newbie at 07:10 PM | Comments (0)
Portaudit not only makes security checking much easier, but also automates it. The daily security run fetches the latest portaudit database (# portaudit -F) and checks all installed packages (% portaudit -a). Now I can learn about known vulnerabilities in installed packages just by reading email. There is also another entry in the handbook specifically for this tool.
The usability of FreeBSD is amazing; if you manage the server in the right way, almost everything is taken care of very well.
Posted by FreeBSD Newbie at 04:59 PM | Comments (0)
After the email server problem, I started to pay close attention to ports updates; the lesson taught me that it's ultra important to keep all packages up to date. Actually, all the information about how to handle ports is in the handbook; read it carefully if you haven't, it's only a few short pages.
Besides CVSup to keep your ports tree up to date, another very important program is portaudit; it's an extremely convenient way to monitor all installed packages.
portaudit checks installed packages for known vulnerabilities and generates reports including references to security advisories.
Two simple commands get everything done:
1. Fetch the current database of known vulnerabilities from the FreeBSD servers. It's recommended to run this command before you install any new ports; you will be warned if you are installing a package with known vulnerabilities.
# portaudit -F
2. Print a vulnerability report for all installed packages; can you find an easier way? ;-)
% portaudit -a (here I use % to indicate that the command doesn't need root privileges; this convention applies to all new blog entries).
Portaudit follow-up
I ran "portaudit -a" on my server, got the following report and updated all packages except for MySQL, which I just can't start, with no error messages. (Update: this is due to changes in the mysql start script.)
Posted by FreeBSD Newbie at 02:06 AM | Comments (0)
Just found a great security alert website for FreeBSD on the ports help page; this will make things much easier. Bookmark it.
Posted by FreeBSD Newbie at 12:20 AM | Comments (0)
It has been one week since I stopped postfix and disabled the mail command (# chmod 444 /usr/bin/mail), and everything seems fine. I restarted postfix and notified my ISP; they told me they would keep watching this server. Since this server doesn't host any critical or major websites, I can take the risk: if anything bad happens again, I will reload the OS.
According to some blogs about the Awstats exploit, the hackers modified their web pages and very probably gained shell access. Assuming the spammer didn't gain a shell account on my box, that could be because:
1. The spammer is not "professional enough" to hack into my box. This is very unlikely, since they used the exploit for "business purposes".
2. FreeBSD is more secure, and he wasn't able to gain a shell account even though they used the exploit and had enough time. I have to love FreeBSD more if that's the case.
Posted by FreeBSD Newbie at 03:50 AM | Comments (0)
I found the source of my email server problem: I was using an old version of Awstats, which has a known exploit that allows remote command execution. After further searching on the Internet, I found that it seemed to have been a hot topic several months ago, especially among bloggers; it's a shame that I hadn't even heard of it.
I also found the spam email and the attack source code under /tmp; I think it's better to check this directory regularly. I'm not sure if the spammer gained shell access, but the server seems clean.
The lesson: administrators need to check security alerts frequently. Please let me know if you know a good source.
If you are using Awstats 6.2 or an earlier version, your server is at great risk; update it now!
Here is a great blog entry about this exploit, with lots of helpful comments offering security suggestions and resources.
Posted by FreeBSD Newbie at 06:06 AM | Comments (2)
Someone sent out lots of spam from my server yesterday; my ISP responded so fast that they disconnected my server immediately after they received the complaint.
They reconnected the server after I told them I would stop postfix and disable the mail command to make sure no emails would be sent out before the problem was fixed.
Actually I never got postfix to work well; I can't even send emails from my own desktop. Sending and receiving emails works well on the server side. Since I don't need to use SMTP from my desktop, I have kept the current configuration until now. That's why I haven't mentioned email configuration on this blog so far.
I guess the spam was sent with a web script, because:
1. My postfix doesn't allow relays from my desktop.
2. The sender was specified as "www@myhost.com" according to the complaint email.
The spam email entry in the maillog looks like:
May 14 14:55:03 pang postfix/smtp[46011]: EC0C595C90: to=<xxx@xxx.com>, relay=mail2.iecc.com[208.31.42.98], delay=724, status=sent (250 ok 1116100192 qp 2255)
The server looks clean to me; odds are it wasn't hacked. I use phpBB, vBulletin and Awstats on this server, and I'm still trying to find out how the spammer did it.
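As an added example that is not part of the original entry, this sh/awk script scans postfix maillog lines for queue ids whose envelope sender is www@... (the web server user named in the complaint) and which were delivered to many recipients, which is how a web-script spam run shows up in the log. The hostname myhost.com comes from the entry; the example.* recipients and the log lines themselves are constructed to match the format quoted above.

```shell
#!/bin/sh
# Added example (not from the blog): find messages in a postfix maillog that a
# web script most likely sent, i.e. envelope sender www@<host> (the Apache user)
# fanning out to many recipients. The log lines below are constructed to match
# the format quoted in the entry; myhost.com and example.* are placeholders.

# flag_web_fanout FILE MIN_RCPTS
#   prints "<queue-id> <sender> <recipients>" for every queue id whose sender
#   is www@... and which was delivered to at least MIN_RCPTS recipients
flag_web_fanout() {
    awk -v min="$2" '
        # qmgr logs the envelope sender once per message: "QID: from=<addr>, ..."
        match($0, /postfix\/qmgr\[[0-9]+\]: [A-F0-9]+: from=</) {
            split($0, f, ": ")                 # f[2] is the queue id
            if (match($0, /from=<[^>]*>/))
                from[f[2]] = substr($0, RSTART + 6, RLENGTH - 7)
        }
        # smtp/local log one line per delivered recipient: "QID: to=<addr>, ..."
        match($0, /postfix\/(smtp|local)\[[0-9]+\]: [A-F0-9]+: to=</) {
            split($0, f, ": ")
            rcpts[f[2]]++
        }
        END {
            for (q in rcpts)
                if (from[q] ~ /^www@/ && rcpts[q] >= min)
                    printf "%s %s %d\n", q, from[q], rcpts[q]
        }' "$1" | sort
}

# write_sample_log FILE: constructed maillog, one web-sent fan-out (3 rcpts),
# one normal web-sent mail (1 rcpt) and one local root mail
write_sample_log() {
    cat > "$1" <<'EOF'
May 14 14:55:01 pang postfix/qmgr[46001]: EC0C595C90: from=<www@myhost.com>, size=1840, nrcpt=3 (queue active)
May 14 14:55:03 pang postfix/smtp[46011]: EC0C595C90: to=<a@example.net>, relay=mx.example.net[192.0.2.10], delay=2, status=sent (250 ok)
May 14 14:55:03 pang postfix/smtp[46011]: EC0C595C90: to=<b@example.net>, relay=mx.example.net[192.0.2.10], delay=2, status=sent (250 ok)
May 14 14:55:04 pang postfix/smtp[46012]: EC0C595C90: to=<c@example.org>, relay=mx.example.org[192.0.2.20], delay=3, status=sent (250 ok)
May 14 15:01:10 pang postfix/qmgr[46001]: 1B2C3D4E5F: from=<root@myhost.com>, size=512, nrcpt=1 (queue active)
May 14 15:01:11 pang postfix/local[46020]: 1B2C3D4E5F: to=<root@myhost.com>, relay=local, delay=1, status=sent (delivered to mailbox)
May 14 15:10:00 pang postfix/qmgr[46001]: 9F8E7D6C5B: from=<www@myhost.com>, size=900, nrcpt=1 (queue active)
May 14 15:10:01 pang postfix/smtp[46030]: 9F8E7D6C5B: to=<owner@example.com>, relay=mx.example.com[192.0.2.30], delay=1, status=sent (250 ok)
EOF
}

# Dry run: only the 3-recipient message from the web server user is flagged
log=$(mktemp) && write_sample_log "$log"
flag_web_fanout "$log" 3
rm -f "$log"
```

On a real server run `flag_web_fanout /var/log/maillog 20` (or whatever recipient count is unusual for your contact form) from the daily security run, so a repeat of this incident is noticed before the ISP complaint arrives.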
Posted by FreeBSD Newbie at 06:59 PM | Comments (2)