Open Source Software Technical Articles

Want the Best of the Wazi Blogs Delivered Directly to your Inbox?

Subscribe to Wazi by Email

Your email:

Connect with Us!

Current Articles | RSS Feed RSS Feed

BackTrack and its tools can protect your environment from remote intrusions

  
  
  

Attackers commonly look for remote vulnerabilities in order to compromise the resources on your network. BackTrack Linux, a security-testing distribution, can help you inspect your network and servers for remote security weaknesses and potential vulnerabilities.

BackTrack, which is based on Ubuntu, bundles all the tools necessary for penetration testing and security audits. You don't really have to run BackTrack to use the tools it provides, but booting up a BackTrack live CD lets you get started in no time.

A word of caution before you start: Scanning your network may take system and network resources. Make sure to fully coordinate your actions inside your company and inform your management.

Exploring Your Environment With Nmap

One of the first tools you'll want to try is Nmap, a powerful, smart, command-line network scanner. In essence, Nmap shows open ports and some information about the services listening on these ports.

Nmap comes with a lot of useful options enabled by default. For instance, port randomization, which randomizes the order of the ports being scanned, prevents simple intrusion detection and protection systems from detecting and blocking you while you're probing. Some other useful options include:

  • --script – performs the scan with the aid of a set of scripts. Nmap comes bundles with a few sets of scripts categorized according to their use, such as for DOS, brute force, and other weakness detection. You can find the full list on the home page of the Nmap Scripting Engine. If you are not sure what scripts to use, choose the default, which is more informative and less intrusive than some other options.
  • -p – specifies which ports you are interested it. Most legitimate services run within the port range of 1:10000 for UDP and TCP protocols. Scanning a larger range requires more time and resources.
  • -sV – shows service and version information for the open ports. This is useful to show whether a service is listening on a non-default port, such as Apache listening on TCP port 8080, and the version information may indicate outdated software and potential vulnerabilities. If you detect such outdated applications with Nmap, make sure to patch them as soon as possible.

     

  • target – defines the target host or network as the final argument of your Nmap command.

Put the above options together and you get a command like:

nmap --script=default -p U:1-10000,T:1-10000 -sV 192.168.1.0/24

In this case the target is an internal, private network (192.168.1.0/24). If you are looking for truly remote vulnerabilities you should perform the scan from outside your local network. Still, internal scans are also useful and can show unnecessary exposure of services, which is always a security risk.

The output of this example is similar to:

...
Nmap scan report for example.org (192.168.1.102)
Host is up (0.0017s latency).
Not shown: 9997 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 3 (protocol 2.0)
...
80/tcp   open  http    Apache httpd 2.2.22 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)

...
3306/tcp open  mysql   MySQL 5.5.28-1
...

The above excerpt from the Nmap output shows information for SSH, HTTP, and MySQL services running on 192.168.1.102. It clearly shows the name and the version of each software – OpenSSH 6.0p1, Apache httpd 2.2.22, and MySQL 5.5.28-1.

Limiting the network exposure

For each exposed service, you should decide whether it's really necessary for it to be exposed. If not, one option is to make sure the service listens only on the local loopback interface (127.0.0.1). This is a good option for the MySQL service when it serves only local requests. To do that for MySQL, edit the my.cnf file. When MySQL listens on all interfaces, the bind-address directive looks like this: bind-address = 0.0.0.0. To make it listen only on the local interface, change it to bind-address = 127.0.0.1.

Furthermore, MySQL lets you explicitly limit the remote hosts from which a user is allowed to connect as part of MySQL's connection verification process. Such an additional security restriction helps guard against brute-force attacks but usually does not help against remote software vulnerability exploits.

You can also use a firewall to restrict access to a service. When properly configured, a firewall can allow only certain hosts to connect to a given service. An example iptables command for MySQL looks like this: iptables -I INPUT -s 192.168.1.1 -p TCP --dport 3306 -j ACCEPT; iptables -I INPUT -p TCP --dport 3306 -j DROP. This sample command allows MySQL connections only from the IP address 192.168.1.1.

As a last resort, you may decide to change the default port for a service. This is usually feasible for sensitive services that have to remain relatively hidden but still fully accessible from outside. This is often the case with SSH when system administrators want to have access from everywhere. You can change the SSH port to a port above the commonly scanned range (1-10000). For example, if you set the SSH daemon to listen on port 19999, it's less likely to be detected, but you will be still able to access the service from anywhere as long as you know this port. To change the SSH port, edit the directive Port in the file /etc/ssh/sshd_config and restart the service. Don't forget to specify this port when connecting later with your SSH client (ssh -p in Linux shell).

These are the simplest ways to limit the remote connectivity and protect from external attacks. If you are interested in more advanced techniques, consider port knocking as one interesting idea and option.

Limiting the exposed information

After dealing with the SSH and MySQL services from our example, only the web service remains. It is supposed to be fully accessible for the outside world on the standard HTTP TCP port 80, and we cannot hide it under a different port nor restrict the access to it. Our only choice is to disclose as little information about it as possible.

According to the above example, the Apache version is Apache httpd 2.2.22 ((Debian)). This gives an attacker plenty of information – web server name, version, and even operating system. You can limit this information by changing the Apache configuration and setting the server token setting as ServerTokens ProductOnly. After this, when you run the scan again, you'll see for version only Apache httpd.

Even with our basic Nmap example we got more information than just the version. For Apache, Nmap also showed that the OPTIONS header is allowed and there is no restriction on the http methods|_http-methods: No Allow or Public header in OPTIONS response (status code 200). From a security point of view it's important to restrict the allowed HTTP methods to only the ones your site really needs and thus give attackers fewer options.

For example, the TRACE HTTP method echos back user input. Clearly, this is a feature useful for debugging but not needed in a production web server. The TRACE method is used in certain attacks by allowing access to sensitive information, so it should almost always be disabled. In fact, most average web servers should support only two HTTP methods: GET and POST. To forbid the rest, use the Apache directive limitexcept like this:

    Order deny,allow
    Deny from all

Hiding the server token and forbidding unneeded communication methods is a good start, but it's far from enough. You also need an application firewall, which offers more thorough protection. Almost all publicly accessible services have such a firewall solution available. In the case of Apache, check the article How to protect your web server with ModSecurity.

Examine your Nmap output and proceed similarly for any publicly exposed services. You should be able to foil the usual generic untargeted attacks that randomly scan the Internet for outdated or misconfigured software.

Delving deeper into penetration testing with Nessus

Nmap is powerful and lets you do some serious penetration testing of your environment, but it's not as easy to use and complete as some more advanced vulnerability scanners. Nessus, for instance, is a commercial vulnerability scanner that allows limited free use for home users. To start using it in BackTrack you have to register for a license key first and follow a few preliminary steps as described in the official Nessus on BackTrack guide.

Once you have Nessus up and running in BackTrack, you control it from an intuitive web interface accessible at https://localhost:8834. The web interface allows you to easily configure your penetration test and generate a professional-looking report upon completion.

Nessus detects more than 50,000 vulnerabilities on all exposed levels, from misconfigured services to outdated software. Once it detects a vulnerability, it reports all the related information and, most importantly, suggests a solution. This saves you time, ensures that you follow the best practices for resolving a problem, and that you comply with the highest security standards.

Nessus is the most preferred penetration testing solution for enterprise users. Still, Nmap remains the Swiss Army Knife for network scanning, as it provides the fastest and simplest path to exploring your environment without binding to licenses and spending significant amounts of money.

No matter what application you choose, the most important thing is to understand the concept of remote security. Don't unnecessarily expose services, nor any information that is not explicitly required. That should ensure you don't attract publicly circulating threats that may exploit zero-day vulnerabilities.




This work is licensed under a Creative Commons Attribution 3.0 Unported License
Creative Commons License.

Comments

Considering the possibilities with bridesmaid gowns now available, just about every member of this chanel 2.55 bags gathering really should enjoy one more effects and may expend the wedding ceremony time celebrating while using the star of the wedding in addition to the woman future husband. It truly is popular expertise of which the majority persons on earth usually are crazy about magnificence. For the good reasons, it may not be shocking men and women usually are generally hunting for anything many people uncover wonderful, hip and in some cases lavish that can be noticed amongst the normal people. Lavish fake rolex watches, flamboyant necklaces, the best quality custom made clock, along with hip factors usually are hugely wanted because of the normal people. After we have a look at most of these extravagance objects, most of us know that this custom made check out is among the most in-demand within both equally adult males in addition to chanel replica. There're viewed as besides an inclusive element of your day-to-day lives, but seeing that representations connected with rank in addition to beneficial vogue good sense. Greatly assist mix off good appears to be, fantastic efficiency in addition to reputation, there're sought after by means of many of people in existence, though, many people are typically costly, being people a adjustable rate mortgage as well as a calf. Although after we think about the loaded in addition to replica chanel handbags, most of us make sure they can't find it hard to have the funds for like replica chanel 1118. In contrast, the standard specific is unable to assemble dollars to order just one. Generally, it may not be brilliant that you invest in anything you are unable to have the funds for. If you are who want to practical knowledge what exactly it truly is including to get a prada outlet check out although while not having to fork out a whole lot dollars for getting just one, there are lots of creative options there for these individuals. Choosing a extravagance check out resale is a practicable solution, given that this fake hublot watches was in good condition, that is certainly. Whilst comparing those to bogus in addition to imitation products, many people determine seeing that the best option. After you try to find a extravagance check out second-hand, you possibly can spend less with lots of replica chanel coco. Acquire an exceptionally hip check out for a pure tiny proportion connected with it is first selling price. If you wish to search decrease that way, subsequently there are various connected with chanel tote bags that you have to understand. 
Posted @ Tuesday, May 13, 2014 3:45 AM by rolex day date watches
Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics