Category: Security

Introducing MariaDB MaxScale 2.0 – Webinar

Today, I attended a webinar conference on MariaDB MaxScale carried out by Roger Bodamer at 10.00 AM PDT. That was really interesting and I strongly feel the future of system and database administrators are going to be enhanced with this technology.

It started with a thorough introduction about the challenges faced by the IT industry today especially large firms to market agility, system integration, real-time insights, security, and high availability. Some basic explanations on both application (customer-centric front-end) and database(transaction focused back-end) levels were addressed. At the application level, this deal mainly with continuous delivery of the application, microservices and modular deployment whereas at database level, it lays emphasis on security, scalability, high availability and high quality data management.

“MariaDB MaxScale makes it easy to handle the scalability and availability of your database cluster, and also secure it and manage the maintenance downtime. MaxScale is a next generation database proxy that goes well beyond routing, with advanced filtering, enhanced security and authentication. It is a multi-threaded, event-driven engine, that has its main functionality provided by plugins loaded at runtime. With MaxScale’s innovative architecture you can update the data layer on scale-out architectures, without impacting application performance.” – MariaDB

Photo Credits: MariaDB MaxScale
Photo Credits: MariaDB MaxScale

There are so many features in MaxScale that have really amazed me in the security pillar such as data motion, data in use and the DB firewall. Emphasis was laid on the type of job MaxScale that can be performed compared to simple master-slaves environments. MaxScale is really good at replication when it comes on one master having hundreds of slaves which prevents load on the master which means that MaxScale can take great care of replication issues. Another feature of MaxScale is when database is used to store information, a specific route can be defined for traffic within the database itself. Keymaps also comes into a great feature to manage those issues. Schemas can be updated. The goal is high availability. Another feature is data streaming which can be controlled. I noticed a heavy emphasis on security especially when it comes to whitelisting/blacklisting at database level to reduce DDOS attack drastically at database level.

A demo was then displayed live showing some interesting features of MariaDB MaxScale. An interesting GUI web interface called MaxPanel is used to connect with the servers Master-Slave-Slave (All three instances on docker instances) which give indications about the server names, addresses, ports, connections, and status (Server running). A load was generated on of the slave server where writes were configured on the master and read only on the slaves. The tool which was used to generate the load is HammerDB. In the conf file, under the dbfw-blacklist, rules can be inserted there to prevent certain type of query for example a “select * from tablename” which if the table have too many records, this will consume heavy amount of resources. To remediate this issue, a rule can be specified to use the “where” statement. An example of such entry is rule safe_order deny no_where_clause on_queries select which means that no select to be made with a where clause. Also rule query_regex deny regex ‘*.orders*’ which is going to be applied on the table called orders.

After the demo, the questions and answers session were tossed out. This includes different architectures where plugging architectures can be used with specific protocols. Some answers still need to be cleared out as regards to MUSL compatibility with MaxScale which was pointed by me. Some days back, cyberstorm.mu have enhanced MariaDB to be MUSL compatible. That was really an interesting and educational session for MariaDB MaxScale especially for administrators. I am looking forward for MariaDB MaxScale installation soon.


Counter DNS Attack: Enabling DNSSEC

To reach another person on the Internet you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet. When typing a name, that name must be first translated into a number by a system before the connection can be established. That system is called the Domain Name System (DNS) and it translates names like www.icann.org into the numbers – called Internet Protocol (IP) addresses. ICANN coordinates the addressing system to ensure all the addresses are unique. – ICANN

Screenshot from 2016-07-23 20-56-11

Finally, i decided to enable DNSSEC on Tunnelix.com. It can be tested on the http://dnssec-debugger.verisignlabs.com link and its really cool. This is just another security addons to kept away from being attacked. For example, an attacker can take control of the session with the aim to make the user believe that the hijacker deceptive website is the right one. We also need to understand the basics of how  DNS traffic work. We are normally like three players in the normal DNS world that is your computer, the ISP’s recursive DNS servers, and the website’s authoritative DNS servers. Of course there are cached DNS servers that facilitate the DNS query. So to get into more detail how the attack goes on is where the attacker try to trick the resolver making it to believe that, lets say, tunnelix.com lives at the IP xx.xx.xx.xx and even to remember it for lets say 7 days. Its important to understand that since most of the traffic pass on UDP, it is kind difficult to prevent attackers from sending a flood of responses to the resolver.

DNSSEC is a technology which acts as a security layer on top of the DNS traffic by means of cryptographic tools to re-assure you that the website you are visiting is the real one. In 2008, Dan Kaminsky revealed a flaw that could allow attackers to easily perform cache poisoning attacks on most nameservers. Here is a link from the ISC (Internet System Consortium) which shed lots of interesting material about the DNSSEC technology. For bloggers behing Cloudfare, you can easily activate DNSSEC on for your domain, of course, if the root domain name is supporting DNSSEC, otherwise its impossible to achieve it. For example .mu domain does not support DNSSEC. On cloudflare, the steps are easy. You just need to activate the DNSSEC with a simple click and save all those informations like DS records, Digest, Digest type, Algorithm uses, Public key etc.. and feed it to the domain name registrar. The information will be verified by Cloudflare after which you are happily DNSSEC enabled domain owner.

Screenshot from 2016-07-23 21-48-53

To test out on your linux  terminal if a domain is signed use the following command:

[email protected]:~# dig tunnelix.com +dnssec

; <<>> DiG 9.10.3-P4-Ubuntu <<>> tunnelix.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36645
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;tunnelix.com. IN A

;; ANSWER SECTION:
tunnelix.com. 177 IN A 104.18.41.96
tunnelix.com. 177 IN A 104.18.40.96
tunnelix.com. 177 IN RRSIG A 13 2 300 20160724190355 20160722170355 35273 tunnelix.com. L5t/xVbsuB99HntpdpHkYu4ig52YL9QA+Vvi509KFgdgKrtY3pvZfKfD LGjtT0Ev0UFEn73TObofJyOmzIEmUg==

;; Query time: 46 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jul 23 22:05:57 MUT 2016
;; MSG SIZE rcvd: 181

“To fix this, all major DNS servers implemented Source Port Randomization, as both djbdns and PowerDNS had before. This fix is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names. DNSSEC has been proposed as the way to bring cryptographic assurance to results provided by DNS, and Kaminsky has spoken in favor of it.” – blackhat.com

Domain owners might consider enabling DNSSEC on their domains to increase the security of letsencrypt in their infrastructure for ACME, as there is a return on investment in terms of security. Loganaden of cyberstorm.mu

Other article i wrote on BIND: Anatomy of a simple dig result 

 


HTTPoxy – Is your nginx affected?

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now.httpoxy.org

httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry. A number of CVEs have been assigned, covering specific languages and CGI implementations:

Screenshot from 2016-07-20 22-45-54

After receiving the updates from cyberstorm.mu, I immediately started some heavy research. For Nginx users, to defeat the attack, modifications can be carried out in the fastcgi_params file.

1. Create a file called test.php containing the following codes in the source code.

[[email protected]]# cat test.php

<?php
 echo getenv ('HTTP_PROXY')
 ?>

2. Launch a CURL as follows:

As you can see its “Affected”

[[email protected]]# curl -H 'Proxy: AFFECTED' http://127.0.0.1:/test.php
 AFFECTED

3. Add the following parameters in the /etc/nginx/fastcgi_params file

 fastcgi_param  HTTP_PROXY  "";

4. Stop and start the Nginx Service

5. Conduct the test again. You should be vulnerable by now.

Several links available already explaining this vulnerability :

References:

  • https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
  • https://www.kb.cert.org/vuls/id/797896
  • https://access.redhat.com/solutions/2442861
  • https://httpoxy.org/#history
  • http://www.theregister.co.uk/2016/07/18/httpoxy_hole/
  • https://blogs.akamai.com/2016/07/akamai-mitigates-httpoxy-vulnerability.html
  • http://www.zdnet.com/article/15-year-old-httpoxy-flaw-causes-developer-patch-scramble/
  • https://access.redhat.com/solutions/2435541

 


DDOS attack on WordPress xmlrpc.php solved using Fail2Ban

Several types of attack can be launched against WordPress website such as unwanted Bots, SSH Bot requests, unwanted Crawlers etc.. Some times back, i noticed that there were several attempts to perform a DDOS attack on a WordPress website by sending massive POST requests on the xmlrpc.php file. This will consequently brings the webserver to consume almost all resource and consequently caused the website to crash. Worst is that if you are hosting your website on a container such as OpenVZ or Docker, your hosting provider would usually mentioned on its agreement about abuse of resource which would turn you solely responsible. In many agreements, the provider would terminate the contract and you may loose all your data. Hosting your website on a container is indeed a huge responsibility.

Screenshot from 2016-07-17 13-49-23

What is xmlrpc.php file on a WordPress website ?

It is actually an API which enables developers who build apps the ability to communicate to the WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications that can do many things when logged in the web interface such as post publishing, Editing etc.. There is a full list of the wordpress API at this link. There are several ways to block out users from performing POST requests on the xmlrpc.php such as IPtables rules, rules in the htaccess file or in the webserver etc.. However, i find Fail2Ban more suitable for my environment.

How VPS hosting providers might interprete these attacks ?

Usually VPS provider will not perform analysis of the attack but it depends on the service you are buying. One of the way how the attack might felt at hosting level is about the conntrack sessions usage. Abuse of conntrack usage will usually raise an alert at hosting side and you might received a mail about the issue. Its now upto you to investigate deeply the issue.

What are conntrack (connections tracking) sessions ?

A normal Linux OS has a maximum of 65536 conntrack sessions by default, these sessions all require memory which is used by the host node and not by the VPS so setting this limit to high can impact the whole node and allow users to use more RAM than their VPS has allocated by eating up the host’s RAM. Any VPS that uses over 20000 conntrack sessions will automatically be suspended by our automated system. “In brief, conntrack refers to the ability to maintain state information about a connection in memory tables such as source and destination ip address and port number pairs (known as socket pairs), protocol types, connection state and timeouts.” – rigacci.org Firewalls that performed such task are known as stateful.

Counter attack measures that could be taken

1.In the jail.local of the Fail2Ban application add the following line. By default jail.local is located at /etc/fail2ban/jail.local

It also depends where your web server access log is located. In this case its located at /var/log/nginx/access.log

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/nginx/access.log
bantime = 43600
maxretry = 20

2. Then, create a conf file in /etc/fail2ban/filter.d I have created it as xmlrpc.conf and add the following lines:

This acts as a rules to look for all post for xmlrpc.php

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

3. Restart your fail2ban service and watch them out in the fail2ban log. Here is an idea what happens when an IP is caught

[[email protected] nginx]# cat /var/log/fail2ban.log | grep -i xml
2016-07-17 06:39:06,685 fail2ban.actions [4565]: NOTICE [xmlrpc] Ban 108.162.246.97

4. Here is an idea the number of POST request received from a server.

[[email protected] nginx]# grep -i “xmlrpc.php” /var/log/nginx/access.log| grep POST | awk ‘{print $1}’ | wc -l
62680

5. Lets have a look at the 10 top IPs performing more POST request

[[email protected] nginx]# grep -i “xmlrpc.php” /var/log/nginx/access.log| grep POST | awk ‘{print $1}’  | uniq -c | sort -n | tail -n 10

185 91.121.143.111
186 94.136.37.189
279 37.247.104.148
317 80.237.79.2
1497 191.96.249.20
3060 46.105.127.185
5999 5.154.191.55
11612 191.96.249.54
16917 52.206.5.20
17111 107.21.131.43

6. However, if you are not using a container server, you can set different type of parameters in sysctl.conf if you have not performed a full analysis of the conntrak abuse. You can limit number of connections using the following command.

In this case, i have limit it to 10,000 connections.

/sbin/sysctl -w net.netfilter.nf_conntrack_max=10000

7. To check how many sessions, use the following command

/sbin/sysctl -w net.netfilter.nf_conntrack_count

8. However, you need to make sure that the modules have been activated into the kernel. Check with the following command

modprobe ip_conntrack

The aim is to find a solution to get away with DDOS over xmlprc.php as well as the setting up of the conntrack parameter in sysctl.conf


Tunnelix.com is now IPv6 ready! Are you?

Validated by IPV6-test.com, Tunnelix.com is now IPV6 ready. Woohoo.. I now have the IPv6 validation button 🙂 Can you spot it?

So, what is exactly IPV6-test.comIPv6-test.com is a free service that checks your IPv6 and IPv4 connectivity and speed. Diagnose connection problems, discover which address(es) you are currently using to browse the Internet, and what is your browser’s protocol of choice when both v6 and v4 are available. 

How I got an IPv6 address?

If you are running a low-cost budget blog, I would recommend you to try out Cloudflare to have made maximum use of the free IPV6 address that you can activate on the network tab. The IPv6 compatibility option is not activated by default.

Screenshot from 2016-07-17 10-55-06

Cloudflare provide both free and paid service for CDN service, security, DDOS protection etc… However, the IPv6 address is a free one. 

Why you might need to start moving towards IPv6 ?

Loganaden Velvindron of cyberstorm.mu recently shed some light in his Medium blog after attending the National Innovation Framework in Mauritius “The other issue that I think is strongly lacking are the remaining IPv4 resources left in our region to be able to make Internet of things a reality. There are currently 26.4 million of IPv4 addresses left, and it keeps shrinking at a frightening rate.” The world is running out of IPv4 addresses. I think we need to move on quickly on the IPv6 world because of Internet of Things (IoT) will depend on IPv6.

What is an IPv6? What are the parts of an IPv6 ?

Lets now get on the technical parts. As you should know already IPv4 use 32 bits infrastructure whilst an IPv6 use 128-bits which makes an IPv6 a lot more longer. Here is an idea of a representation of an IPv6 adress.

Photo credits: zeusdb.com
Photo credits: zeusdb.com

As you can see IPv6 address is composed of 8 segments of 4 hexadecimal strings. A simple math is by multiplying 8×4=32 then 32×4= 128 bits. When representing IPv6 addresses, zeroes are compressed and leading zeroes are further compressed by representing it with “: :” . See picture above.

The internet might run out of room

Since 2012, Vint Cerf, Chief Internet Evangelist at Google, and a founding father of the Internet, discussed the next version of the Internet, IPv6, and why we need it. Just as phones use a system of phone numbers in order to place calls, every Internet-connected device gets a unique number known as an “IP address” that connects it to the global online network. Watch out the video