Dynamic iptables – “Flexible (and fun)”
Have you ever said to yourself that there should be a tool to do x, start building a tool to do it, then about halfway through your little project, somebody glances over your shoulder and says to you “hey, I use a tool like that, it’s called y, you should check it out,” so you do, and that tool is far more comprehensive and well built than the one you were working on?
Well, this isn’t one of those times, because this tool hit me from left field while I was researching ways to mitigate a DDoS attack. Though there are many, many ways to do it, if all you have is a Linux box facing the world with nothing to hide its private parts except iptables, then this “flexible (and fun)” toolset is another weapon you can deploy when you get that 2:30AM call saying “our website’s down and I think it’s being DDoS’d.”
The tool is a simple set of scripts that make adding and removing specific IPs quick and simple. The author’s original write-up is at http://www.ibm.com/developerworks/library/l-fw/, and the scripts are also available (hosted locally) here.
Once installed, you can ban or unban an IP by typing ipdrop {IP ADDRESS} {on|off}.
While perusing this thread at webhostingtalk.com, member dynamicnet mentioned grepping for ridiculous numbers of connections sitting in SYN_RECV (a half-open connection count that high is indicative of a TCP SYN flood) and generating ipdrop commands to quickly ban the flooding IPs. Though you may accidentally drop one or two legitimate IPs (have an allow rule in place beforehand so you don’t ban yourself out of a remote box), you’ll likely get the bulk of the attacking IPs.
Use netstat -n -p | grep SYN_REC | wc -l to count how many SYN_RECV connections you have (the -p flag only adds process names, needs root, and isn’t required for the count; on newer systems ss -n state syn-recv gives the same list).
Use netstat -n -p | grep SYN_REC | awk '{print $5}' | cut -d: -f1 | sort -u | awk '{print "ipdrop "$1" on"}' to generate the commands that ban every IP with a connection in SYN_RECV. The port is stripped before sort -u so that an attacker using many source ports produces a single ipdrop line; the cut on “:” assumes IPv4 addresses.
Use cat /root/.dynfw-ipdrop | awk -F: '{print "ipdrop "$1" off"}' to generate the commands that “undrop” those IPs.
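As an added example that is not part of the original post or of the dynfw scripts, here is the same idea wrapped in a small POSIX shell script: it pulls the foreign addresses of SYN_RECV connections out of netstat output, counts half-open connections per source address, and only emits an ipdrop line for sources at or above a threshold that are not on an allow-list (so you don’t drop your own admin box). The netstat lines, the threshold and the allow-list address are constructed for the example; on a live box you would feed it the real netstat output.

```shell
#!/bin/sh
# Added example (not from the original post or the dynfw scripts): turn
# "netstat -n -p" output into "ipdrop <ip> on" commands for SYN-flooding sources.

# Constructed sample of `netstat -n -p` output; the PID/Program column is ignored.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           203.0.113.5:40211       SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.5:40212       SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.5:40213       SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      SYN_RECV    -
tcp        0      0 192.0.2.10:22           198.51.100.200:33000    ESTABLISHED 1234/sshd
tcp        0      0 192.0.2.10:80           203.0.113.9:1025        SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.9:1026        SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.9:1027        SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.9:1028        SYN_RECV    -'

# count_syn_recv NETSTAT_OUTPUT: total half-open connections, the same number
# the post's `netstat -n -p | grep SYN_REC | wc -l` gives.
count_syn_recv() {
    printf '%s\n' "$1" | grep -c 'SYN_RECV'
}

# syn_recv_sources NETSTAT_OUTPUT: print "count ip" per foreign address.
# The port is split off before counting so one attacker using many source
# ports is counted once (IPv4 only: the split on ":" would break IPv6).
syn_recv_sources() {
    printf '%s\n' "$1" | awk '$6 == "SYN_RECV" { split($5, a, ":"); print a[1] }' \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# gen_ipdrop_cmds NETSTAT_OUTPUT THRESHOLD ALLOWLIST
# Emit "ipdrop <ip> on" for every source with at least THRESHOLD half-open
# connections, skipping addresses in the space-separated ALLOWLIST.
gen_ipdrop_cmds() {
    netstat_out=$1; threshold=$2; allow=" $3 "
    syn_recv_sources "$netstat_out" | while read -r n ip; do
        case "$allow" in *" $ip "*) continue ;; esac
        if [ "$n" -ge "$threshold" ]; then
            printf 'ipdrop %s on\n' "$ip"
        fi
    done
}

# Demonstration on the constructed sample: threshold 3, admin box allow-listed.
# On a real host: gen_ipdrop_cmds "$(netstat -n -p)" 20 "your.admin.ip" | sh
gen_ipdrop_cmds "$SAMPLE_NETSTAT" 3 "198.51.100.200"
```

The threshold matters more than it looks: a busy but healthy server normally has a few SYN_RECV entries per client at any moment, so banning on a single half-open connection (as the one-liner does) is what drops the occasional legitimate visitor. Pick a number well above what you see on a quiet day, and keep the allow-list to the addresses you administer from.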
Conficker Update Part Deuce
UPDATE 11 Jun 2009: Locally hosted bdtools removal tools (available at downadup.org) for single computers and networks. Cheers =D
Our favorite worm got an update on 8 April, according to Network World. Read more here…
And of course, at downadup.org.
Key-Genius Leverages Yubikey to Secure Web-Logins
So I was listening to another Security Now podcast and heard about a promising new authentication technology designed by Yubico that generates asynchronous one-time passwords with a simple push of a button. The device can authenticate against the maker’s servers or your own. The device itself registers as a USB keyboard and is therefore compatible with most computers. Devices cost less than $25 each, with discounts for bulk purchases.
Key Genius is a product that leverages the Yubikey to provide a more secure platform for logging into websites. It recently won an award in the Yubiking competition, held in partnership with Security Now. The service stores site-specific passwords in an encrypted database and, through a browser extension, responds to a valid Yubikey one-time password by automatically filling in the correct password for the site. Usernames are not stored by Key Genius at all, so it’s up to the user to supply them to the website in question. This is actually a good thing, since a compromise of the Key Genius database cannot by itself reveal a user’s full logon credentials. This is a neat product that not only enhances convenience, but does so in a secure manner.
Conficker Update
Update: An excellent resource list is available at the Internet Storm Center.
The headline at dailymail.co.uk read “April Fool’s Day computer virus is activated… but fails to cause internet chaos.”
I guess the rumors were unfounded. However, it’s important to note that the worm is still rampant, and so is speculation about the potential uses of such a huge botnet. Some surmise that it might be used to DDoS the crap out of some poor server(s). It might also be used to crack passwords or encryption. Check out http://downadup.org to read more and for removal tools. It’s also a good idea to prepare your network for the possibility of attack. Don’t be a soft target.
Here are a couple of (read: non-comprehensive) ideas on how not to be a soft target:
- Backup, backup, backup
- Have systems ready to leap into action if necessary, and keep at least one form of backup offline in case of worst-case scenarios.
- If you don’t already have a backup strategy in place, it’s time to implement one.
- Control access to your critical services
- Enforce strong passwords – or better yet, employ multi-factor authentication. PPP (Perfect Paper Passwords) is a strong candidate for the thrifty.
- Audit your users – does that guy who quit last year still have an active user account? Do your non-administrative users have access to critical servers?
- Use fail2ban or iptables to detect and drop password-guessing attacks – even with 10 million+ IPs to choose from, it’s not easy to crack a password/one-time password combination when each IP only gets 3 tries.
- Watch your traffic (not really a botnet-specific defense, but good practice in general).
- Control your legacy services – seriously, it’s time to retire telnet and other services that transmit passwords in cleartext.
- https > http – especially when it comes to passwords. Don’t allow users the ability to transmit passwords over http.
- etc…
I’ve hardly compiled a comprehensive list, and I welcome comments on other good practices, but the most important takeaway is to be cognizant of your security posture. Don’t make it easy for the bad guys.
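The “3 tries per IP” item above can be done with iptables alone, without fail2ban, using the recent match. The following is an added example (not from the original post) that builds the rule set: each remote address gets TRIES new connections to PORT per WINDOW seconds, and the fourth attempt within the window is dropped; an assumed admin network is exempted so you cannot lock yourself out. The script prints the rules by default and only executes them (as root) when invoked with the argument apply.

```shell
#!/bin/sh
# Added example (not from the original post): per-source rate limit for new
# SSH connections with the iptables "recent" match. Prints the rules unless
# run as `sh ratelimit.sh apply`.

PORT=22                      # assumed service to protect
TRIES=3                      # new connections allowed per WINDOW before dropping
WINDOW=60                    # seconds
ADMIN_NET=198.51.100.0/24    # assumed admin range that is never rate-limited

# ssh_ratelimit_rules: print the iptables commands, one per line.
# Chain logic: admin range returns untouched; every other new connection is
# recorded (--set) and then checked (--update). --hitcount counts the current
# packet too, so hitcount TRIES+1 means TRIES are allowed and the next is dropped.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -N SSH_RATELIMIT
iptables -A SSH_RATELIMIT -s $ADMIN_NET -j RETURN
iptables -A SSH_RATELIMIT -m recent --name ssh --set
iptables -A SSH_RATELIMIT -m recent --name ssh --update --seconds $WINDOW --hitcount $((TRIES + 1)) -j DROP
iptables -A INPUT -p tcp --dport $PORT -m conntrack --ctstate NEW -j SSH_RATELIMIT
EOF
}

# rule_count: number of iptables commands generated (handy for a sanity check).
rule_count() {
    ssh_ratelimit_rules | grep -c ''
}

case "${1:-print}" in
    apply) ssh_ratelimit_rules | sh -e ;;   # requires root
    *)     ssh_ratelimit_rules ;;
esac
```

Two things worth knowing before you apply it: --update refreshes the source’s timestamp on every hit, so an attacker that keeps hammering stays blocked for as long as it keeps trying (use --rcheck instead if you want the window to expire regardless), and the recent table is per-address, so a distributed guess from many bots each staying under 3 tries is exactly the case that still needs strong or one-time passwords behind it.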
Shoulder Surfing by Laserlight
Here’s the first sentence from the source document:
Using equipment costing about $80, researchers from Inverse Path were able to point a laser at the reflective surface of a laptop between 50 feet and 100 feet away and determine what letters were typed.
The gist of the article is that the researchers were able to recover key sequences by bouncing a laser off the laptop and analyzing the vibrations (sound waves) that each keystroke produces as the subject types. The researchers have also managed to isolate EMI leaking through the power grid to identify keystrokes. Most folks need not worry about directed attacks of this nature, but if you’ve got a secret somebody wants badly, watch your back… and your windows.
Note: Thanks to _dilan for the link!