Watch and enjoy/learn/whatever

I was looking for some video footage of the Chaos Communication Camp lectures when I stumbled across some interesting footage from Defcon, which took place one week before the CCC2007.

DefCon 15 – T505 – Dirty Secrets of the Security Industry

Addressing the real problems behind security issues. A very interesting and funny talk about the root of security problems.

DefCon 15 – T112 – No-Tech Hacking

Gathering information through close observation: shoulder surfing, social engineering and analyzing people.

Nedap voting computers abandoned in Netherlands

Looks like the effort of Rop Gonggrijp's project group Wij vertrouwen stemcomputers niet (we don't trust voting machines) has finally paid off.

Nedap voting computers will no longer be used for voting in the Netherlands.

In 2006, Rop Gonggrijp appeared in a documentary on a Dutch TV station to demonstrate the flaws of the Nedap voting computers used in elections, in which he proved that manipulating a voting machine isn't hard at all.

The Chaos Computer Club managed to replace the firmware memory of a voting machine in less than one minute, as seen here

Fail2Ban – Slackening brute force attacks

Fail2Ban is a Python script that analyzes failed login attempts in log files and adds firewall rules to ban brute-force attackers. Classic brute-force targets on the web are:

  • ssh
  • ftp
  • Apache
  • mySQL

Here is a basic example for Apache in /etc/fail2ban/jail.conf:

[apache]
enabled = true
port = http,https
filter = apache-auth
# apache-auth matches authentication failures, which Apache writes to the error log, not the access log
logpath = /var/log/apache*/*error.log
maxretry = 5

By default, the global ban time (bantime in the [DEFAULT] section) is 600 seconds.

Installation for Debian and Ubuntu is quite simple, as always:

apt-get install fail2ban

Check out http://www.fail2ban.org/wiki/index.php/Main_Page for other installation packages and further info. If you are running servers on the web, I highly recommend using some sort of method to block brute-force attacks… and of course, using strong passwords 🙂
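To show what the jail above actually does, here is an added Python sketch of fail2ban's matching logic (my own illustration, not fail2ban's code): a simplified failregex in the spirit of the apache-auth filter, a findtime window, maxretry and bantime, replayed over constructed Apache error-log lines with documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified version of what fail2ban's apache-auth filter looks for in the error log.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<host>[^\]]+)\] "
    r"user \S+ (?:authentication failure|not found)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
def log_line(ts, host, msg):
    return f"[{ts}] [error] [client {host}] {msg}"
# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = "\n".join([
    # five failures in five seconds -> banned on the fifth line
    *[log_line(f"Mon Aug 20 07:36:4{s} 2007", "203.0.113.7",
               'user admin authentication failure for "/admin/": Password Mismatch')
      for s in range(3, 8)],
    # five failures too, but spread over 15 minutes -> outside findtime, no ban
    *[log_line(f"Mon Aug 20 07:40:0{s} 2007", "198.51.100.9", "user root not found: /admin/")
      for s in range(3)],
    *[log_line(f"Mon Aug 20 07:55:0{s} 2007", "198.51.100.9", "user root not found: /admin/")
      for s in range(2)],
    # a phpMyAdmin path scan: apache-auth never matches these, so it cannot ban them
    log_line("Mon Aug 20 08:01:00 2007", "192.0.2.33", "File does not exist: /var/www/phpmyadmin"),
    log_line("Mon Aug 20 08:01:00 2007", "192.0.2.33", "File does not exist: /var/www/myadmin"),
])

def scan(log_text, maxretry=5, findtime=600, bantime=600):
    """Replay the log and return {host: ban time} for each host that produced
    maxretry matching failures within findtime seconds, as fail2ban would."""
    recent = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue              # not a failure this filter knows about
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        host = m.group("host")
        if host in bans and ts < bans[host] + timedelta(seconds=bantime):
            continue              # still banned: the firewall rule is dropping this host
        window = recent[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            bans[host] = ts       # here fail2ban would insert the iptables rule
            window.clear()
    return bans
```

Path-probing lines like the "File does not exist" ones are invisible to apache-auth; fail2ban ships a separate apache-noscript filter for that kind of noise.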

Windows + XAMPP + NOOB + WEB = *cough*

Note: The original IP and domain have been replaced by x.x.x.y to spare the owner the shame and to keep anybody from doing something stupid 😉

Today I ran a routine check on my Apache logs… the same as usual…

[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/mysqladmin
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/db
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/dbadmin
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/web
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpmyadmin2
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpmyadmin1
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpadmin
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/myadmin
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpMyAdmin-2.2.3
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpMyAdmin-2.5.6
[Mon Aug 20 07:36:43 2007] [error] [client x.x.x.y] File does not exist: /var/www/phpMyAdmin-2.5.7-pl1

This goes on forever … big deal….

But the host was pretty aggressive, so I decided to take a closer look:

traceroute x.x.x.y

….

7 somebody.something.net (bla.bla.bla.bla) 18.017 ms 17.852 ms 17.231 ms
8 somedomain.de (x.x.x.y) 16.701 ms 16.391 ms 16.322 ms

So I take a look at somedomain.de and find this:

[image: lol1.jpg]

Looks like someone's Windows server was compromised, or so to say… owned.

Conclusion: Don't use XAMPP on the web. It may be superb for testing your stuff before sending it to the real world, but it isn't meant to survive in hazardous environments, especially when it is running on top of Windows…

The least you could do is make sure your web services aren’t running with blank or default passwords!

Password Security

One thing is certain – letting users pick their own passwords is a major security risk.

As an administrator you can simply test your passwords by running John the Ripper over your password hashes.

If John spits out passwords in single mode immediately, this is an indication that your passwords suck!

This is where password generating tools come into play.

APG is a simple tool for random password generation. I recommend at least 8 characters for efficient passwords.

So here is an example on setting up a random 8-character password:

apg -m8 -x8

This will deliver an 8-character password. The -m/-x parameters set the minimum/maximum length.

apg uses its pronounceable algorithm by default (-a0), so the command above already gives passwords that are easier to remember. If you want a fully random character password instead (harder to remember, but no pronounceable structure), switch to algorithm 1:

apg -a1 -m8 -x8

User shell access

While checking your users' passwords you might also consider checking whether any users have shell access they don't even need.

You can list all users that have some sort of shell access by grepping your passwd file (excluding both no-login shells, since grep -v /bin/false alone misses nologin accounts):

grep -v -e /bin/false -e /usr/sbin/nologin /etc/passwd

Note: Some services use /usr/sbin/nologin, which serves the same purpose as /bin/false.