linux

​Malware can be delivered many different ways from either advertisements (remember the NY Times malicous ads?) to hacked websites that contain malicious code.  One technique designed to help curb these infections is through the use of DNS blackhole.  This technique will redirect your internal users to an internal website to block their access.  To do so, first install Bind on your Linux server.  Then edit your named.conf file which should be located in /etc/bind and enter:

include “/etc/named/blackhole.conf”;

Create a new file called blackhole.conf.  This file will contain every website you wish to redirect to an internal site, effectivly blocking your users from accessing it:

zone “doubleclick.com” {type master; file “/etc/bind/blackhole.db”;};

Each additional website that you want to block should containt he same format as the one stated above.

Next, create your zone file which will redirect all traffic destined to FQDN’s listed in the blackhole.db file to your internal website:

$TTL 3600
@ IN SOA ns1.example.com. root.example.com. (
20131020 ;
3600  ;
600  ;
86400  ;
600 )

@ IN NS ns1.example.com.

* IN A 192.168.2.254

There are plenty of websites on the Internet that maintain an updated list of malware websites.  One that I use quite frequently is Malware Domain List

The first version of PyMyDB Backup has been released and is based on Python 2.4.3. This is a Python script that will back up your MySQL databases, calculate the size of the backed up files, tarball and compress the contents, then email the results.

To use:

    Download the EPEL RPM which can be found at: http://download.fedora.redhat.com/pub/epel/

Install pymydb-0.5.1-1.noarch.rpm which can be found at: GitHub

This script creates the necessary directories and user account

After installation, there will be two scripts placed in /usr/local/bin which are pymydb.py and setup.py

Run the setup.py script, this will configure the pymydb.py script

Logs into the MySQL server

Creates the backup user, sets a password, and gives him select and lock tables privileges

Configures the email settings

Change the permissions on the pymydb.py script

chown root.pymydb pymydb.py

Add the pymydb.py script into cron and make sure to add a password for the system user

You can download it at my GitHub page

In part two of this series we’re going to discuss adding firewall rules to the router.  Everyone knows that adding ingress (or incoming) firewall rules is important to securing your network.  However, the same can be said for adding egress rules for traffic leaving your network.  For instance, aside from an email server, no client should ever send traffic to the Internet via TCP port 25.  If you see traffic like this, it could mean that you have an infected computer within your network.  Egress firewall rules, along with logging of those rules, will help track down problems before it gets out of hand.

First lets up the ingress rules to protect the router from incoming traffic we do not want.

    iptables -A INPUT -m state –state INVALID -j DROP

    iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

    iptables -A INPUT -s 192.168.2.0/24 -p icmp -j ACCEPT

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A INPUT -s 192.168.2.0/24 -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT

    iptables -A INPUT -i eth0 -j LOG –log-prefix ” *** IPTABLES DENY IN *** “

    iptables -A INPUT -j REJECT

The first rule allows us to configure the stateful firewall.  Any connections that are already established on the server is allowed through, new connections will not be allowed by this line.  The second rule allows for internal clients to ping their default gateway.  Third rule is VERY IMPORTANT as it allows server traffic to be allowed on the loopback interface.  Most Linux communication including X and service daemons use the loopback for internal communication.  If you do not allow this rule then you could kill everything.  The fourth line allows internal traffic to connect through SSH for remote administration.  We can further restrict SSH by only allowing SSH keys, or if you have a monitor hooked up to the router you could skip this rule altogether.  And the last rule blocks all other incoming traffic to the router.

Now lets setup the egress rules on the router.  To do this, we will use the forward table in iptables.  This is used to forward traffic from one interface to another.

    iptables -A FORWARD -m state –state INVALID -j DROP

    iptables -A FORWARD -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 22 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 80 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 443 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 465 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 587 -j ACCEPT

    iptables -A FORWARD -i eth1 -p tcp -m tcp –dport 993 -j ACCEPT

    iptables -A FORWARD -i eth1 -j LOG –log-prefix " *** IPTABLES DENY OUT *** "

    iptables -A FORWARD -j REJECT

    iptables -A FORWARD -s 192.168.2.0/24 -i eth0 -j DROP

The first rule for this is similar to the first rule to the last set.  The next set of rules allow internal clients to connect to any server on the Internet using SSH, HTTP/HTTPS, and email.  The last few lines are important as first we log dropped packets, then drop packets that do not meet the lines above, and then an anti-spoofing line.  We will talk about logging in a minute, I just want to point out one additional thing.  Be extremely careful when creating egress firewall rules as this will break things.  For instance, if someone needs to establish an outgoing VPN connection then you will need to add those rules in or it will not work.

To get IPTABLES to log dropped packets to a log file, we use rsyslog.  In the /etc/rsyslog.conf file add the following lines:

    :msg,startswith,” *** IPTABLES DENY OUT *** ” /var/log/iptables-egress

    :msg,startswith,” *** IPTABLES DENY IN *** ” /var/log/iptables-ingress

    &~

Now start the rsyslog daemon and restart iptables and you’ll be all set.

​This will be part 1 in a series of configuring CentOS/Red Hat 6 as a secured firewall. Though I am a huge fan of pfSense (which can be found here pfSense), I wanted to build my own from scratch. So, the first part of this series will consist of setting up PAT (or NAT overload for the Cisco geeks) on Linux.

The first step is to configure the network cards.  In this scenario we will use eth0 as the WAN connection and eth1 as the LAN connection.  Refer to the diagram below

 | ISP - 192.168.1.1/30 | <--- | eth0(WAN) - 192.168.1.2/30 | --- NAT Server --- | eth1(LAN) - 192.168.2.1/24 | ---> Internal Network

Edit both the ifcfg-eth0 and the ifcfg-eth1 files located in /etc/sysconfig/network-scripts/, make sure both of the network cards are set to BOOTPROTO=”static”.

The second step is to setup IP forwarding which can be done by editing the /etc/sysctl.conf file and adding

    net.ipv4.ip_forward = 1

You can then either reload the server or issue the ‘sysctl -p’ command. Once that command is run, you will see the output of the command and you should see ‘net.ipv4.ip_forward = 1’ in the output. You can also verify by running ‘cat /proc/sys/net/ipv4/ip_forward’ and it will return a ‘1’. If it returns a 0 then the command did not run correctly and you need to try again.

The last step is to set up masquerade with IPTABLES. As eth0 is your outside (or WAN) connection, run

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Connect a laptop to the eth1 NIC with a crossover cable, and statically set the IP address to 192.168.2.2/24 with the default gateway of 192.168.2.1.  You should now be able to ping out of the LAN to the Internet. If successful run,

    service iptables save

which will save the command to the /etc/sysconfig/iptables file when either the service or the server is reloaded.

​GnuPG is used to encrypt and sign email messages and files. First you need to create the GPG key:

Generating Keys

———————————————————–

$ gpg –gen-key

———————————————————–

Select option 5 for RSA and then type the encryption level.

———————————————————–

Please select what kind of key you want:

(1) DSA and Elgamal (default)

(2) DSA (sign only)

(5) RSA (sign only)

Your selection? 5

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

0 = key does not expire

= key expires in n days

w = key expires in n weeks

m = key expires in n months

y = key expires in n years

Key is valid for? (0)

Key does not expire at all

Is this correct? (y/N) y

———————————————————–

Now enter your personal information

———————————————————–

Real name: Jason Brown

Email address: [email protected]

Comment: Example

You selected this USER-ID:

“Jason Brown (Example) ”

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

……………………….+++++

………..+++++

gpg: key 7C11053D marked as ultimately trusted

public and secret key created and signed.

gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model

gpg: depth: 0 valid: 4 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 4u

pub 4096R/7C11053D 2009-10-12

Key fingerprint = EE6B C53F A665 593C 3607 FEE1 F984 2AF9 7C11 053D

uid Jason Brown (Example)

———————————————————–

As stated in the option menu, this key is only generated to sign email or files and cannot be used to encrypt. You now have to edit the key that was just generated to use it for encryption.

———————————————————–

$ gpg –edit-key [email protected]

pub 4096R/7C11053D created: 2009-10-12 expires: never usage: SC

trust: ultimate validity: ultimate

[ultimate] (1). Jason Brown (Example)

Command> addkey

You need a passphrase to unlock the secret key for

user: “Jason Brown (Example) ”

4096-bit RSA key, ID 7C11053D, created 2009-10-12

———————————————————–

Enter in your passphrase and then select option 6 for ‘RSA (encrypt only)’. It will then ask for a key size and key expiration, use the same settings as in the first section. Once complete you will have a new key for encryption.

———————————————————–

pub 4096R/7C11053D created: 2009-10-12 expires: never usage: SC

trust: ultimate validity: ultimate

sub 4096R/55D59203 created: 2009-10-12 expires: never usage: E

[ultimate] (1). Jason Brown (Example)

———————————————————–

Now type save to exit:

———————————————————–

Command> save

———————————————————–

Your new key is now ready to be uploaded to the key repository servers.

———————————————————–

$ gpg –keyserver pgp.mit.edu –send-key [email protected]

———————————————————–

GPG Key Backup

Once your keys have been generated, you will need to export both the public and private keys and store them for safe keeping. To export your public key:

———————————————————-

$ gpg –export -a [email protected] > example-pub.key

———————————————————-

And the private key:

———————————————————-

$ gpg –export-secret-key -a [email protected] > example-priv.key

———————————————————-

You can then create a tar backup of these two keys and encrypt them with a passphrase.

———————————————————-

$ tar -cvf gpgkeys.tar example-priv.key example-pub.key

$ gpg -c –cipher-algo aes256 gpgkeys.tar

———————————————————-

Then enter in a strong password. This will allow you to retrieve your keys if you do not have your public/private key pair installed on a machine. Once this is done you will need to securely delete your keys leaving just the tarball. This is important as someone can compromise your keys.

———————————————————-

$ for i in gpgkeys.tar example-priv.key example-pub.key

>do

>shred -n 100 -z -u -v $i

>done

———————————————————-

Retrieving Public Keys

To search for a persons key type:

———————————————————-

$ gpg –search-keys [email protected]

———————————————————-

As this is an example and a fake email address, this will not return any results. Had this been a real address you will see a list of email addresses with numbers along the side. To request the public key of that person, type the number and hit ‘enter’ and it will retreive the public.

Encrypting Files to Other Users

To encrypt a file to a different user you must first have that users public key. To check type:

———————————————————-

$ gpg –list-keys

pub 4096R/7C11053D 2009-10-12

uid Jason Brown (Example)

sub 4096R/55D59203 2009-10-12

———————————————————-

I will encrypt a file to myself. The ‘-e’ option is to tell it to encrypt and the ‘-r’ is the recipient or public key of the person you want to give the file to.

———————————————————-

$ gpg -e -r [email protected] ssn.txt

———————————————————-

To decrypt the file, the receipient must have their public key installed on the machine. Then type:

———————————————————-

$ gpg –output ssn.txt –decrypt ssn.txt.gpg

———————————————————-

Where ‘–output’ is the name of the decrypted file and ‘–decrypt’ is the file being decrypted.

You may also want to digitally sign the file you are encrypting, to do so type:

———————————————————-

$ gpg –detach-sig ssn.txt.gpg

———————————————————-

And to verify the signature file:

———————————————————-

$ gpg –verify ssn.txt.gpg

gpg: Signature made Mon 12 Oct 2009 02:21:26 PM EDT using DSA key ID 7C11053D

gpg: Good signature from “Jason Brown (Example) ”

———————————————————-