NOVALUG Linux Security SIG

Linux & Windows HP Printing Services Vulnerability Patched

admin — Sat, 13 Oct 2007 17:16:52 +0000

This breach and patch cycle brings to light an interesting issue in maintaining a secure setup. The security alert(a XSS vulnerability) was publicly issued on October 3rd, and the Ubuntu patch was pushed out on the 12th(it may take a day or two for you to see it). That’s at least a 9 day window, where the only real defense was to take either your browser off-line or your printing services off-line, and manually only run only one or the other at a time.

This is a remote code execution security breach, which makes it one of the worst types of security breach there is. Such breaches, turn remote access into local access and are just a short hop away from privilege escalation and you loosing control of your computer(often without you ever knowing about it). I know the common sentiment is that Linux boxes are not really targeted by hackers, but, you have to rid yourself of that sentiment and quickly. As it turns out, people who commit most digital crime prefer Linux boxes as either spoof web site hosts or command and control machines for botnets. As such, your Linux machines are actually more desired by the phishers and bot-herders than the rank and file Windows machines that make up the vast majority of botnets.

The arena of digital crime and digital warfare is heating up, and with your highly desired Linux machine it’s important to understand these security concerns and stay vigilant and on top of your systems security.

-John W

Wordpress Security Alert

admin — Sat, 08 Sep 2007 20:22:33 +0000

It’s important to remember that dynamic web site frameworks, Javascript web page widgets and the like are a wholly independent security layer that has to be maintained. Even if you Linux server is secure and up to date, your website may still be vulnerable to attack. This “web 2.0″ layer needs to be treated almost like it’s own extra OS layer, and great care to keep it fully patched must be made.

Recently discovered vulnerabilities have been patched in Wordpress 2.2.3, upgrade now!

Where to find Linux distribution specific security announcements.

admin — Sat, 08 Sep 2007 20:20:48 +0000

Ubuntu = http://www.ubuntu.com/usn/
SuSE = http://www.novell.com/linux/security/securitysupport.html
Red Hat = http://www.redhat.com/errata/
Debian = http://www.debian.org/security/
Gentoo = http://www.gentoo.org/security/en/glsa/index.xml
Slackware = http://www.slackware.com/security/
Mandriva = http://www.mandriva.com/security/

I attempted to find the Sabayon security announcements page, but could not locate it. Several other distributions also lack security pages(such as CentOS which does have security team), so I’d recommend using the parent distro’s security pages in combination with staying on the bug tracking lists of the specific distro.

Hardening a Linux system with Bastille

admin — Fri, 31 Aug 2007 16:20:22 +0000

Linux.com has a good introductory article on using Bastille to help harden a Linux box. Which reminds me that I intended to do a step by step walk through of several different server hardening configurations on the NOVALUG wiki for Bastille. Which of course will be done someday, and will be a thorough step by step treatment of the process for several different server types, someday.

-John W

An excellent posthumis analysis of a compromised Linux server.

admin — Fri, 24 Aug 2007 22:11:00 +0000

I ran across this article on Slashdot, that an admin wrote about investigating a compromised Ubuntu server. The article is well written making for a good read, and a fairly good job at investigating the compromised machine.

Of course this type of forensics is probably more the arena of law enforcement or other legal prosecution, as I wouldn’t ever consider a cracked machine, regardless of the cleanup effort, to be 100% remediable. It’s just not possible to be absolutely sure you’ve covered every possible backdoor even when you have a good, incorruptible tripwire DB and binary. IMHO it’s generally always safer to rebuild from scratch and transpose the data on a web server with a good air-gap technique from backups.

-John W

Security Alerts! 08/22/2007

admin — Wed, 22 Aug 2007 14:05:53 +0000

This alert is intended to help keep you up to date on some of the more important remote security vulnerabilities in Linux and common applications that run on Linux. Because of the open nature of the OS and applications this is a summary only, minor vulnerabilities and local vulnerabilities will not be listed.

Kernel and Subsystems

A NULL pointer dereference condition was discovered in the netfilter subsystem. This vulnerability can be used to remotely crash a system by using carefully crafted SCTP protocol packets which will cause an “unknown chunk type” error.
There is a lack of range checking in nf_conntrack h323 that may lead to NULL pointer dereferences. This could be exploited remotely to cause a system crash.

Common Applications

Pidgin: A vague report of a remote code execution vulnerability due to an input validation error has been reported at Wasbisabilabi.
- I should note that I’ve never really trusted IM clients, and it should never be installed on a production server, for ANY reason.
NuFW: On versions 2.0 and higher, using a time based attack vector, remote attackers can bypass the firewall using “out of period” packet transmissions.

-John

Using DenyHosts as a defense against remote brute force cracking.

admin — Wed, 15 Aug 2007 21:40:08 +0000

I did a brief writeup of the Python deamon “DenyHosts” on the NOVALUG wiki. It will be one of many tools and techniques I think I’ll write up in the wiki. While the wiki article serves as part of an overall step by step guide to running your own Ubuntu server, DenyHosts is something that any server that runs SSH could use to help improve remote security. -John

Welcome to the Linux Security Special Interest Group

admin — Tue, 07 Aug 2007 15:10:56 +0000

This Special Interest Group’s sole purpose is to help improve the level of security consciousness throughout the whole Linux using community of Northern Virginia. To this extent we will have presentations and workshops on security specifically in how it relates to Linux.