Thursday, 26 September 2013

Defending Against Web Server Denial of Service Attacks (Post-Attack)

Sample of DoS attack traffic (only 7 of literally 4 million log lines from the past few days):
A,B,120.152 - - [21/Jul/2013:02:53:42 +0000] "POST /?CtrlFunc_DDDDDEEEEEEEFFFFFFFGGGGGGGHHHH HTTP/1.1" 404 9219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
C.D.3.168 - - [21/Jul/2013:02:53:43 +0000] "POST /?CtrlFunc_yyyzzzzzzzzzz00000000001111111 HTTP/1.1" 404 9213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
E.F.67.90 - - [21/Jul/2013:02:53:44 +0000] "POST /?CtrlFunc_FFFGGGGGGGGGGGGGGGGGGGGGGHHHHH HTTP/1.1" 404 9209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
G.H.76.206 - - [21/Jul/2013:02:53:45 +0000] "POST /?CtrlFunc_iOeOOkzUEV8cUMTiqhZZCwwQBvH9Ot HTTP/1.0" 404 9136 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
I.J.21.174 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34778 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
K.L.57.51 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34796 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
M.N.29.143 - - [21/Jul/2013:02:53:46 +0000] "POST /?CtrlFunc_ooppppppppppqqqqqqqqqqrrrrrrrr HTTP/1.1" 404 9213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"



This is a type of DDoS attack targeting a particular domain hosted on the server. Here the attacker appears to be using POST requests to consume all the bandwidth of the account. Normally a POST request means something is being uploaded or some data is being submitted to the site, but here the attacker is somehow using it purely as a method to consume bandwidth. Also, the requests do not target any specific link or file.
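Before writing a rule keyed on the User-Agent, it is worth measuring how much of the log that agent explains and across how many source addresses it is spread. The following shell/awk profiler is an added example (not part of the original post); it assumes a Combined Log Format access log like the lines above and uses a constructed three-line sample.

```shell
#!/bin/sh
# Constructed sample in the same Combined Log Format as the lines above:
# two attack-style POSTs from the IE6 user agent and one ordinary GET.
SAMPLE_LOG='A.B.120.152 - - [21/Jul/2013:02:53:42 +0000] "POST /?CtrlFunc_DDDDDEEEEEEEFFFFFFFGGGGGGGHHHH HTTP/1.1" 404 9219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
C.D.3.168 - - [21/Jul/2013:02:53:43 +0000] "POST / HTTP/1.1" 200 34778 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
E.F.67.90 - - [21/Jul/2013:02:53:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"'

# Requests per User-Agent, with the number of distinct source IPs behind each.
# Output: "<hits> <distinct ips> <user agent>", busiest first. A UA that is both
# the bulk of the traffic and spread over many IPs is the one a UA-based rule
# catches and that per-IP blocking cannot. Splitting on the double quote keeps
# the request line in $2 and the user agent in $6 of the combined format.
ua_profile() {
  awk -F'"' '{
      ip = $1; sub(/ .*/, "", ip)
      ua = $6
      hits[ua]++
      if (!seen[ua, ip]++) ips[ua]++
    }
    END { for (ua in hits) printf "%d %d %s\n", hits[ua], ips[ua], ua }' | sort -rn
}

# Percentage (integer) of requests that are POSTs carrying the CtrlFunc_ marker
# seen in the attack traffic, i.e. how much of the log the signature explains.
ctrlfunc_share() {
  awk -F'"' '{ n++; if ($2 ~ /^POST / && index($2, "CtrlFunc_")) c++ }
             END { printf "%d\n", (n ? 100 * c / n : 0) }'
}

# Run both over the constructed sample; on a real host use
#   ua_profile < access_log | head
sample_profile()        { printf '%s\n' "$SAMPLE_LOG" | ua_profile; }
sample_ctrlfunc_share() { printf '%s\n' "$SAMPLE_LOG" | ctrlfunc_share; }
```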

Solution:

Add the ModSecurity rule below to the mod_security config file of the domain. If you are using a cPanel server, add the rule to the following file. Note that the rule matches the exact User-Agent string seen in the log above, so any legitimate visitor presenting that same IE6 user agent will be dropped as well; check how much of your normal traffic carries it before enabling the rule.

============================
1) Open file /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN/modsec.conf

2) Add the rule below to the file (ModSecurity 2.7 and later also require a unique id:NNN action in every rule)

SecRule REQUEST_HEADERS:User-Agent "^Mozilla/4.0 \(compatible; MSIE 6.0; Windows NT 5.1; SV1\)$" "log,drop,phase:1,msg:'Brute Force Attack Dropped'"

3) Make sure you run the following script after making the changes.

/scripts/ensure_vhost_includes --user=username

This script will uncomment the following line in the Apache configuration. It customises the virtual host to use the include file for that domain and restarts Apache.

Include "/usr/local/apache/conf/userdata/std/2/username/domain.com/*.conf"


That's all!


Tuesday, 24 September 2013

Windows Server Hardening

BASIC LEVEL HARDENING

 

Steps to harden Windows Server 2003



Here I am listing some easy steps involved in Windows server hardening.

Step 1: Strong password


The first line of defense against unauthorized access is a strong password. The Microsoft Windows Server 2003 family has a new feature that checks the complexity of the Administrator password during setup of the operating system. Choose a password of at least 15 alphanumeric characters; attackers cannot crack a strong password that easily.

You can change the administrator password by following the simple steps shown below.

1. Click Start, and then click Run.
2. In the Open box, type "mmc" (without the quotation marks), and then click OK to start MMC.
3. Start the Local Users and Groups snap-in.
4. Under Console Root, expand "Local Users and Groups", and then click Users.
5. In the right pane, right-click Administrator, and then click Set Password.
6. Click Proceed in the message box that appears.
7. Type and confirm the new password in the appropriate boxes, and then click OK.

Step 2: Software restriction policies through Group Policy


You can restrict the execution of untrusted code through Group Policy. The policy can apply to all of the computers or to a particular user.

Software restriction policies can perform the following tasks:

* Control which programs can run on the server.
* Allow only specific files to run on the server.

To start Software Restriction Policies:

* Click Start >> Programs >> Administrative Tools, and then click Local Security Policy.
* In the console tree, expand Security Settings, and then expand Software Restriction Policies.

Step 3: Enable Windows Firewall in the server


Windows Firewall is a line of defense that monitors and restricts the information travelling between the computer and the network. When the system receives an unsolicited request, Windows Firewall blocks the connection.

You can turn on Windows Firewall from Start >> Control Panel >> Windows Firewall.

You can also use IPsec to block or filter connections to the server.

Step 4: Strengthen TCP/IP stack


Denial of service (DoS) attacks are network attacks that are difficult to defend against. To help prevent denial of service attacks, always keep the server updated with security patches, and tune the TCP/IP stack to resist DoS attacks.

The following TCP/IP-related values can be used to harden the TCP/IP stack on the server. The values mentioned below should be created under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

All values are in hexadecimal.

Key 1:
Value name: SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0,1
Default: 0

This value controls how TCP retransmits SYN-ACKs under a SYN flood. A value of "0" means no SYN attack protection. Set it to "1" for better protection against SYN attacks.

Key 2:
Value name: EnableDeadGWDetect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)

When the EnableDeadGWDetect is "True", TCP may ask the Internet Protocol (IP) to change to a backup gateway. Backup gateways are defined in the Advanced section of the TCP/IP configuration dialog box in the Network tool in Control Panel.

Microsoft recommends that you set the EnableDeadGWDetect value to 0. If you do not set this value to 0, an attack may force the server to switch gateways and cause it to switch to an unintended gateway.

Key 3:
Value name: EnablePMTUDiscovery
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)

Microsoft recommends that you set EnablePMTUDiscovery to 0.

Key 4:
Value name: KeepAliveTime
Key: Tcpip\Parameters
Value Type: REG_DWORD (time in milliseconds)
Valid Range: 1-0xFFFFFFFF
Default: 7,200,000 (two hours)

This value controls how frequently TCP tries to verify that an idle connection is still intact by sending a keep-alive packet. The recommended value setting is 300,000 (5 minutes).

Key 5:
Value name: NoNameReleaseOnDemand
Key: Netbt\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 0 (False)

Microsoft recommends that you set the NoNameReleaseOnDemand value to 1.

Step 5: Disable or delete unnecessary accounts, ports and services


During installation, three local user accounts, namely Administrator, Guest and HelpAssistant, are created automatically. The Administrator user has full privileges, so this account cannot be deleted from the server. To increase server security you can disable the account and at the same time grant administrative privileges to another user. This makes it much harder for an attacker to identify which user has admin privileges. Also disable the other two accounts, Guest and HelpAssistant.

Open ports are a high-risk area. There are 65,535 ports available, divided into three ranges:

Well-known ports (0-1023)
Registered ports (1024-49151)
Dynamic/private ports (49152-65535)

The well-known ports are required for OS functions, the registered ports are for services, and the rest are the wild west. You can block access to particular ports using Windows Firewall or IPsec rules.

The most effective way to secure the server is not to install applications that are not relevant to its function.

Step 6: Secure Internet Information Services

* Do not grant the IUSR account permissions on any files or directories outside the web application directory. If an application runs into an error, use the FileMon utility available from http://sysinternals.net to check the file permissions.

* Set the NTFS permissions as follows:
 IUSR = Read and execute only
 WP User = Read and execute only
 System and Administrators = Full

* Enable logging in IIS. This can be done from IIS Manager >> Web Sites >> Properties >> Enable logging. The logs will be written to the directory "C:\WINDOWS\system32\LogFiles".

* Enable Windows auditing on the machine. This will help you trace an attacker's activity afterwards. The default location of the audit log is c:\winnt\system32\config\secevent.log.

* Finally, make sure that Windows Update runs regularly and the necessary patches are deployed.

Step 7: Secure FTP server

* Disable anonymous FTP. Anonymous access is enabled by default when you first install the FTP service on Windows Server 2003 and allows any user to gain FTP access without a user account. It can be disabled from IIS Manager >> FTP Sites >> Properties >> Security Accounts >> uncheck "Allow Anonymous Connections".

* Enable logging. This can be done from IIS Manager >> FTP Sites >> Properties >> Enable Logging. You will then have an accurate record of which IP addresses and users accessed your site.

* Restrict access by IP address. You can restrict FTP access to particular IP addresses through Directory Security in the FTP site properties.

WINDOWS PHASE2 HARDENING


==> Protecting Windows Server against DoS attacks

Refer: http://www.informit.com/articles/article.aspx?p=371702

==> If you are using Windows Server 2008, you can harden the server using the document below.

Refer: http://blog.tevora.com/enterprise-applications/10-steps-to-harden-windows-server-2008-2/

==> SQL Server hardening

http://securityblog.gr/1936/hardening-a-sql-server/
http://www.greensql.com/content/sql-server-security-best-practices?goback=.gde_3779596_member_97204230#!

==> IIS hardening

http://www.md3v.com/hardening-a-microsoft-iis-web-server

==> PHP hardening

http://www.madirish.net/199

http://blog.up-link.ro/php-security-tips-securing-php-by-hardening-php-configuration/

 

Saturday, 15 June 2013

various iptables rules



# Show all iptables rules (numeric output, no DNS lookups)

iptables -nL

# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Block a specific ip-address
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

# 4. Allow ALL incoming SSH
#iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow incoming SSH only from a specific network
#iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 6. Allow incoming HTTP
#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
#iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 9. Allow outgoing SSH only to a specific network
#iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 11. Load balance incoming HTTPS traffic (round robin over three backends).
# DNAT is only valid in the nat table, so -t nat is required. The "nth" match of
# the original patch-o-matic rules is not in mainline iptables; its mainline
# equivalent is "-m statistic --mode nth". Its counter is per rule, so the second
# rule only sees the 2 of every 3 packets the first passed over, and the third
# rule takes the remainder.
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.102:443
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -j DNAT --to-destination 192.168.1.103:443

# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# 15. Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# 16. Allow outbound DNS
#iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
#iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# 17. Allow NIS Connections
# Find the ports ypbind is registered on with: rpcinfo -p | grep ypbind ; here they are 853 and 850
#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 853 -j ACCEPT
#iptables -A INPUT -p udp --dport 853 -j ACCEPT
#iptables -A INPUT -p tcp --dport 850 -j ACCEPT
#iptables -A INPUT -p udp --dport 850 -j ACCEPT

# 18. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

# 19. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

# 20. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# 21. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

# 22. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

# 23. Prevent DoS attack: rate-limit packets to port 80 to a burst of 100 and then
# 25 per minute. Packets over the limit do not match this rule and fall through to
# the DROP policy from step 2 (or to the LOGGING chain in step 25). This rule must
# come before the general port 80 ACCEPT in step 6/7; otherwise that rule matches
# first and this one never fires.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# 24. Port forwarding 422 to 22
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

# 25. Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

DDOS attack

=> Find the number of Apache connections to the server. Note that a) matches any line containing "80" (including PIDs and client ports), so treat it as a rough count; b) lists connections per remote IP, fewest first.

a) netstat -plan | grep 80 | wc -l

b) netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
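A stricter version of the two netstat pipelines above, as an added example that is not part of the original post: it matches on the local-port column only and separately counts half-open (SYN_RECV) connections. It assumes the column layout of `netstat -anp` on Linux and runs here over a constructed sample using documentation IP ranges.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output (not captured from a real host):
# three connections from one client to port 80, one from another, an SSH
# session and a UDP listener.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.7:51280       ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:22             192.0.2.33:55010        ESTABLISHED 987/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           456/ntpd'

# Connections per foreign IP to one local port, busiest first ("<count> <ip>").
# Matching on the local-port column only avoids the false hits of `grep 80`,
# which also matches PIDs and foreign ports such as 51280 above.
conns_per_ip() {
  awk -v port="$1" '$1 ~ /^(tcp|udp)/ {
      n = split($4, l, ":"); if (l[n] != port) next
      split($5, f, ":"); ip = f[1]
      if (ip == "0.0.0.0" || ip == "") next
      count[ip]++
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }' | sort -rn
}

# Half-open (SYN_RECV) connections per foreign IP: the signature of a SYN flood,
# as opposed to the completed-connection POST flood in the log above.
syn_recv_per_ip() {
  awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
      split($5, f, ":"); count[f[1]]++
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }' | sort -rn
}

# Over the constructed sample; on a real host: netstat -anp | conns_per_ip 80 | head
sample_top_http_client() { printf '%s\n' "$SAMPLE_NETSTAT" | conns_per_ip 80 | head -n 1; }
sample_syn_recv()        { printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_per_ip; }
```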

Tip #1 - Let's see if we can narrow down whether a particular site on the server is being attacked or otherwise abused by running the following command on the server:

/usr/bin/lynx -dump -width 500 http://127.0.0.1/server-status | grep GET | grep -v unavailable | awk '{print $12}' | sort | uniq -c | sort -rn | head

NOTES:
(a) You may need to install Lynx. If you are on CentOS this can be as easy as "yum install lynx -y" and then chmod 700 /usr/bin/lynx
(b) If you are running cPanel, the syntax changes slightly to

/usr/bin/lynx -dump -width 500 http://127.0.0.1/whm-server-status | grep GET | awk '{print $12}' | sort | uniq -c | sort -rn | head

Find Out Linux CPU Utilization

The commands below help you find the CPU utilization:

  • iostat
  • iotop
  • vmstat 1 10

  • ps auxf | sort -nr -k 4 | head -5
  • ps auxf | sort -nr -k 3 | head -5
  • echo [PID] [%MEM] [PATH] && ps aux | awk '{print $2, $4, $11}' | sort -k2rn | head -n 20
  • ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10


The ps command lists all the currently running processes on the server. Its output is then piped through the sort and head commands to order the information by the chosen column (%CPU or %MEM) and return only the top results. Here is a good article I found for you that has some basics on the ps command with good examples as well:

http://www.cyberciti.biz/tips/how-do-i-find-out-linux-cpu-utilization.html

https://blogs.oracle.com/pranav/entry/how_to_find_out_cpu_utilizatio