Book Review: Mastering FreeBSD and OpenBSD Security

Mastering FreeBSD and OpenBSD Security by Yanek Korff

My review

rating: 4 of 5 stars
It was about what I expected. The sections on pf and osiris were the most interesting. It's due for another revision. There was no mention of portaudit or vuxml, which any FreeBSD user should know about. The was also no mention of IPF which surprised me - only ipfw and pf were discussed. There was no mention of monowall or pfSense which are based on FreeBSD.


View all my reviews.

VuXML wizard

I'm putting the finishing touches on my FreeBSD VuXML generation wizard. It's sort of like VuXML for dummies, in that you can enter the relevant information into a HTML form and get the raw XML data for entry into /usr/ports/security/vuxml/vuln.xml or just as an attachment to send-pr.

Example process flow...

1. Identify a valid vulnerability report from some source ... (freshports is your friend here as it will help identify the exact FreeBSD port name and whether the vulnerability has already been reported.

2. Complete the form

3. Save the resulting XML, for example /tmp/portname.vuxml

4. send-pr -a /tmp/portname.vuxml

5. Complete the problem report and send.

I'm also considering an option to have the submission sent to me (or some sort of queue) instead of just producing the raw output, that way it can find it's way to the vuxml input stream with even less effort.

Generating a shared-key for use with OpenVPN

It can be created using this command...

openvpn --genkey --secret /path/to/vpn-cn-key.txt 

Then you can specify secret /path/to/vpn-key.txt in the OpenVPN configuration file.

portaudit and vuxml

I really like portaudit, a FreeBSD app that you can install to notify you when vulnerabilities appear in your installed ports. It pulls down a database of vulnerabilities (much ClamAV does or other virus scanners pull down virus signatures) and compares that to the versions of the packages you have installed.

The vulnerabilities identified by portaudit via vuxml is built by volunteer submission, so users submit patches to /usr/ports/security/vuxml/vuln.xml to describe newly-discovered vulnerabilities. So I consider this a negative in a way since vulnerabilities are frequently falling through the cracks. Can port-maintainers be held responsible for updating vuxml when their ports are listed? I think this would be a reasonable compromise.

Otherwise we need a delegation of responsibilities to ensure vulns DON'T fall through the cracks. Perhaps a team of volunteers who focus on CVEs, non-CVEs (e.g. SecurityFocus or FrSIRT but not CVE-listed) and strictly vendor identified vulns would be able to provide better coverage.

There's also the learning curve of generating vuxml entries, which I describe here. The process is a bit cumbersome and could use some help, so I've begun working on a "wizard" HTML form for vuxml submission (Note:non-functioning as of yet) which could make this a little easier esp. for newbies.

I'd also love to see portaudit ported to Linux distros (both RPM and DEB) as it should be fairly easy to do.

dh params for pfSense

Random tip #1.

pfSense has openvpn capability. You can provide SSL CA and server certificate + key.
It also wants the Diffie Helman (DH) parameters. Generating these is described by the openvpn documentation as running ./build-dh script.

Not really an option within pfSense. So you need the "other" command that works on pfSense.

Here's what I did.
1. SSH to pfsense system (ssh admin@pfsense)
2. Choose 8) Shell from menu
3. Run # openssl dhparam -out dh1024.pem 1024
4. cat dh1024.pem
5. Paste contents into pfsense web form.

Here is what the parameters should look like.
-----BEGIN DH PARAMETERS-----
MIGHAoGBAJe656S7xrtxwiQbL/hQ6POKhywl8avqLw2ZxMux5YsQnEQJIHr0sCm1
...RANDOM GIBBERISH...
k963XupLUOCM893va70qdpCjEZFapXZsm7nlFfsDMafOWFRyyY4bAgEC
-----END DH PARAMETERS-----

Web Proxy Auto Discovery (WPAD) problems

Hearing some noise today about Microsoft's faulty implementation of WPAD DNS record search. Seems they forgot to consider vast portions of the namespace including ccTLDs (like .cc) and the 3LD space (like amazon.co.uk).

I write about my personal experiences with WPAD here.

Browser x.509 subjectAltName vulnerability

Nils Toedtmann has published a vulnerability relating to browser validation errors of SSL/TLS certificates. Interesting use of TLD and SLD wildcards to fool the browser.

R.I.P. BIND 8

Looks like ISC is finally retiring bind 8. I remember when bind 4 was retired, and it still took a couple of years for vendors to move to bind 8 at the time. Then of course are all the legacy systems that could not upgrade by nature.

In other words, retired or not bind 8 is going to be around for a while yet.

Doing the portaudit dance

First off, just let me say I love portaudit, the FreeBSD port you can install which will notify you whenever security vulnerabilities are discovered with your installed ports/packages.

Well, today in my usual "security run output" e-mail that my FreeBSD servers send me was this:

Checking for packages with security vulnerabilities:

Affected package: rsync-2.6.9
Type of problem: rsync -- off by one stack overflow.
Reference: http://www.FreeBSD.org/ports/portaudit/af8e3a0c-5009-11dc-8a43-003048705d5a.html

Great - I hopped on the box and, knowing also that the myupdate script had brought my ports tree up-to-date the night before... I just ran portmaster rsync and was asked do I want to upgrade rsync-2.6.9.

So I said yes and portmaster began the upgrade to 2.6.9_1. Only momentarily I was interrupted with the fatal error echoing the message above except for 2.6.9_1.

What was happening? I will tell you.

portaudit periodically downloads a local copy of the portaudit database. The copy on my local filesystem was from the day before, which must have not had the updated known-good version specified. After running portaudit -Fa I was able to update the rsync port.

The -F flag forces portaudit to fetch a fresh copy of the vulnerability (XML) database.

This would be something to know for handling quick fixes to freshly released & patched vulnerabilities.

FreeBSD port security/xca-0.6.3 update

After many weeks of (re)compiling and code wrangling, followed by 5 weeks of waiting for someone to commit, it is finally here!

http://www.freshports.org/security/xca/

Thanks to everyone who helped, you know who you are!

For the rest of you who are in a position to manage certificates for your organization/company/school, xca is an excellent GUI to manage the CA generation and functions of CSR import, certificate signing and CRL generation. We've used it for 2 years at the Port and has worked out really well. Please try it out and show your support.

Interview with Cricket Liu

Nice interview. Noteworthy is that ISC will begin shipping BIND with recursion off with the release of BIND 9.4.0. About time.

Bugs put widely used DNS software at risk

Not so much a vulnerability advisory than an announcement about their new test tool. Hmm, I'll to give it a try.

Microsoft: All your resolver belong to us

To paraphrase...
"This is yet another example of the sheer breathtaking arrogance of
Microsoft's belief that they have the right to control your computer and
misdirect the normal flow of operations if they believe doing so to be in
their own financial advantage."

DNS Amplification Attacks

This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets.

It's an amplification attack leveraging EDNS.

nscan patch

This patch against nscan v0.18 simply adds nbe as another report-type, which
is supported according to the output of 'nessus -h'
This is a more flexible output format since from it any of the other
formats created, using nessus -i infile.nbe -o outfile

Right Tool For the Job - Nessus

Good article about vulnerability scanning with nessus. Interesting that they chose to implement the scanner from a virtual machine, my recent installation of nessus 3.x on a VM (running under VMware's ESX server) produced a warning that running under a VM was not a great idea for performance reasons.

Domain contamination

http://www.webappsec.org/projects/articles/020606.shtml
Interesting write-up of how browser caches, web (proxy) caches and cookies can be used to instigate long-term data theft, even after a domain owner has regained control of a hijacked domain.

Tip of the day

Do NOT try to run pwdump2, pwdump4 or lsadump2 over a remote desktop
client - it will fail with this error..

C:\temp\pwdump2>pwdump2
CreateRemoteThread failed: 8

Instead, login directly for much better results.

Gear up for New Year's DNS resolutions

A recent article by Cricket Liu has recommendations for securing and tuning your DNS infrastructure. I agree with most of his points, especially the use of shadow master(s). Now I present a few of my own.
The use of "fallback" forwarding to handle Internet name resolution (as opposed to internally resolvable names) is something I have implemented and recommend. This design sets up a predictable upward query path which can be given proper security treatment, both in the BIND ACLs and on the firewalls which lie between the internal/DMZ network(s) and DMZ/Internet.

  +-----------+   |   +--------+   |   +---------+    +----------+
  | Internal  |==|A|=>| DMZ NS |==|B|=>| ISP NS  |<==>| Internet |
  | NS        |   |   +--------+   |   +---------+    | NS       |
  +-----------+   |        ^       |                  +----------+
        ^         |        |       |
        |         |        |       |
  +-----------+   |   +---------+  |
  | Internal  |   |   | DMZ     |  |
  | clients   |   |   | clients |  |
  +-----------+   |   +---------+  |

The diagram shows how to architect an upward flow of DNS resolution which maximizes the security posture. For internal clients, the Internal nameservers either answer authoritatively or forward to the DMZ nameservers. For DMZ clients and internal nameservers, the DMZ nameservers either answer authoritatively or forward to the ISP nameservers. The DMZ nameservers can also be primary for your external-facing zones, which can be be controlled using views. They can even be shadow masters if you want to achieve full isolation, using your ISP nameservers to secondary and only publish those ISP nameservers in WHOIS and public DNS. Meanwhile, firewalls at (A) and (B) can be configured to enforce traffic flows to and from the nameservers, and each layer (presumably up through the ISP) can be configured to allow zone-transfers, queries and recursion as appropriate.

I also believe this topology to provide more protection against cache poisoning attacks, especially if the DMZ nameservers are shadow-masters... they can be told to not allow queries from any Internet nameservers save the secondaries (ISP nameservers).

The Six Dumbest Ideas in Computer Security

Worth the read if you care even a little about security, and who doesn't these days?
By Marcus Ranum (SANS, et al.)

Phishing attack mitigation using DNS

This morning I checked my email and found a phishing message purporting to be from Amazon. The link appeared as
http://www.amazon.com/exec/obidos/flex-sign-in/
but really pointed to
http://bvs.ucsg.edu.ec/lildbi/manual/.amazon/index.html

Immediately I thought of this as a good opportunity to "blackhole" the domain using our DMZ name servers.

But first a little background. Recently we reconfigured all of our internal resolvers to forward through our DMZ name servers, which in turn forward through their upstream (ISP) nameservers, which are either Internap or Qwest depending on location. By using a controlled packet flow we can be assured of knowing where our questions and answers (queries and replies) are going.

It also provides an opportunity to override DNS resolution as needed for specific domains. Today, that domain is bvs.ucsg.edu.ec.

Enter our blackhole.zone file...

$TTL    1h
@                        IN SOA @ root (
                                        2005060601  ; serial
                                        1H          ; refresh
                                        15M         ; retry
                                        4W          ; expiry
                                        5M )        ; negativeTTL

                        1D IN NS        ns1.example.org.
                        1D IN NS        ns2.example.org.
                        1D IN A         127.0.0.2
*                       1D IN A         127.0.0.2

The zone file above ensures that queries for any name below the domain name, including the domain name itself, are answered with an A record for 127.0.0.2. By returning this address we circumvent any follow-on traffic, since the asking host will simply start talking to itself (localhost) and should, in virtually all cases, receive a connection refused.

There are other strategies, such as using a defined internal IP address of a tracking webserver which will return a "Sorry, the web address you are trying to reach has been banned for security purposes, now get back to work!" message. In the meantime, the URL they tried to get to is logged. This provides a neat, centralized location for auditing purposes to get an idea of just how many suckers following the phisher's link.

Back to present. So I add the blackhole zone clause to named.conf and restart it.

  zone "bvs.ucsg.edu.ec" {
    type master;
    file "master/blackhole.zone"; 
  };

# /etc/init.d/named restart

After loading the zone, some quick checking with dig reveals the zone has in fact been loaded and our server is giving out the "correct" address.

; <<>> DiG 9.2.4 <<>> @10.10.1.2 bvs.ucsg.edu.ec a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52090
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;bvs.ucsg.edu.ec.               IN      A

;; ANSWER SECTION:
bvs.ucsg.edu.ec.        86400   IN      A       127.0.0.2

;; AUTHORITY SECTION:
bvs.ucsg.edu.ec.        86400   IN      NS      ns1.example.org.
bvs.ucsg.edu.ec.        86400   IN      NS      ns2.example.org.

;; ADDITIONAL SECTION:
ns1.example.org.  10800  IN      A       10.10.1.2
ns2.example.org.   10800  IN     A       10.11.3.4

;; Query time: 0 msec
;; SERVER: 10.10.1.2#53(10.10.1.2)
;; WHEN: Tue Nov 22 08:36:20 2005
;; MSG SIZE  rcvd: 178

Survey Results Expose Widespread DNS Vulnerabilities

Interesting CircleID topic regarding a recent survey on DNS name server vulnerabilities. The results and types of checks are remarkably similar to the root DNS analysis I did back in October 2003.