Wednesday, July 25, 2012

SSL.Server.Supports.Weak.Encryption.Vulnerability and Disable SSLv2 in Apache

SkyHi @ Wednesday, July 25, 2012

Disable SSLv2 and enable SSLv3 or TLSv1
SSL 2.0 reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or to decrypt communications between the affected service and its clients. To disable SSLv2, follow these steps.
If a vulnerability scan with Nessus reports SSLv2 weaknesses, the options required to disable SSLv2 are given below.
In /etc/httpd/conf.d/ssl.conf change the following options:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
After changing the options, run the following command from a shell and make sure it fails with an error:
  # openssl s_client -ssl2 -connect virtualhost:443
Then run one of these and make sure it succeeds:
  # openssl s_client -ssl3 -connect virtualhost:443
  # openssl s_client -tls1 -connect virtualhost:443
This confirms that your SSL sites still work correctly over SSLv3 or TLSv1.
To make these changes you need to log in to the server and become the superuser.
Note: the location of ssl.conf depends on the server configuration. On most GNU/Linux distributions the default directory for the Apache/httpd configuration is /etc/httpd/.



Does your server support SSLv2?
How to test:
You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing https connections:
# openssl s_client -ssl2 -connect SERVERNAME:443
If the server does not support SSLv2 you should receive an error similar to the following:
# openssl s_client -ssl2 -connect SERVERNAME:443
CONNECTED(00000003)
458:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
How to configure Apache v2 to not accept SSLv2 connections:
You will need to modify the SSLProtocol directive in the httpd.conf or ssl.conf file.
An example would be editing the following lines to look similar to:
SSLProtocol -ALL +SSLv3 +TLSv1
Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.
How to configure Microsoft IIS to not accept SSLv2 connections:
You will need to modify the system’s registry.
Merge the following keys to the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.
Those Pesky Weak SSL Ciphers
Does your server support weak SSL ciphers?
How to test:
You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing https connections:
# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP
If the server does not support weak ciphers you should receive an error similar to the following:
# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP
CONNECTED(00000003)
461:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
How to configure Apache v2 to not accept weak SSL ciphers:
You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.
An example would be editing the following lines to look similar to:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted.

How to configure Microsoft IIS to not accept weak SSL ciphers:
You will need to modify the system’s registry.
Merge the following keys to the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted.
At this point have your Approved Scanning Vendor (ASV) scan your external-facing PCI environment to validate. Making the above changes should stop the ASV scans from tagging and failing you on the following vulnerabilities:
  • SSL Server Supports Weak Encryption
  • SSL Server Allows Cleartext Encryption
  • SSL Server May Be Forced to Use Weak Encryption
  • SSL Server Allows Anonymous Authentication
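As an added example (not part of the original post), the following Python audit reads an Apache ssl.conf fragment and reports which of the findings listed above the SSLProtocol and SSLCipherSuite values would still trigger; the two configuration fragments are constructed, and SSLProtocol tokens are evaluated the way the mod_ssl 2.2 documentation describes them.

```python
# Constructed ssl.conf fragments (not the author's files): the permissive
# Apache 2.2 defaults beside the hardened directives from the post.
PERMISSIVE_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""
HARDENED_CONF = """\
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""
# Note: this 2012-era string still permits SSLv3 and RC4, both of which
# later became scan findings of their own; current guidance drops them too.

# Cipher-string aliases mapped to the ASV findings listed in the post. Only a
# '!' prefix removes suites for good; '+' merely reorders them, and '!ADH'
# alone is not enough because aNULL also covers anonymous ECDH suites.
REQUIRED_EXCLUSIONS = {
    "LOW": "SSL Server Supports Weak Encryption (LOW suites)",
    "EXP": "SSL Server May Be Forced to Use Weak Encryption (EXP suites)",
    "eNULL": "SSL Server Allows Cleartext Encryption (eNULL suites)",
    "aNULL": "SSL Server Allows Anonymous Authentication (aNULL suites)",
}


def directives(conf_text):
    """Yield (name, value) for every non-comment directive line."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0], parts[1] if len(parts) > 1 else ""


def sslv2_allowed(protocol_value):
    """Evaluate SSLProtocol the way mod_ssl does: tokens apply left to right,
    '+' adds, '-' removes, and a bare token replaces the whole set."""
    enabled = set()
    for tok in protocol_value.split():
        if tok[0] in "+-":
            sign, name = tok[0], tok[1:].lower()
        else:
            sign, name = "+", tok.lower()
            enabled.clear()
        names = {"sslv2", "sslv3", "tlsv1"} if name == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return "sslv2" in enabled


def missing_exclusions(cipher_value):
    """Findings whose '!alias' is absent from an SSLCipherSuite string."""
    banned = {t[1:] for t in cipher_value.split(":") if t.startswith("!")}
    return [msg for alias, msg in REQUIRED_EXCLUSIONS.items() if alias not in banned]


def audit(conf_text):
    """List the scan findings a configuration would still trigger."""
    findings, seen = [], set()
    for name, value in directives(conf_text):
        seen.add(name)
        if name == "SSLProtocol" and sslv2_allowed(value):
            findings.append("SSLv2 still enabled by SSLProtocol")
        elif name == "SSLCipherSuite":
            findings.extend(missing_exclusions(value))
    if "SSLProtocol" not in seen:
        findings.append("no SSLProtocol directive (the 2.2 default 'all' includes SSLv2)")
    if "SSLCipherSuite" not in seen:
        findings.append("no SSLCipherSuite directive (the 2.2 default keeps LOW/EXP)")
    return findings
```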

Disabling Web Server HTTP TRACE method Supported

SkyHi @ Wednesday, July 25, 2012


Disabling TRACE and TRACK in Apache for PCI-related vulnerabilities like "Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability" is surprisingly easy with the Apache web server. The main thing to keep in mind is that if you are running Apache and this vulnerability pops up during a scan, you can be reasonably certain that TRACK is not the problem; TRACE is.
The HTTP TRACK method is something Microsoft cooked up that does essentially the same thing as TRACE, with the exception that it never got used, except by penetration testers, hackers, worms, and vulnerability scanners.

Validation Steps

If your web server is listening on port 80, by far the easiest (and most universal) way to determine whether it is vulnerable is telnet. Simply open your telnet application and connect to your web site/web server over port 80 ( telnet ). If you are using the Microsoft telnet client, be careful, because it does not echo back what you type. Once you connect, type the following:

$ telnet hostname 80
    TRACE / HTTP/1.0
    Host:
    TestA: Hello
    TestB: World
Press enter twice and if trace is enabled, you should see output similar to the following:
    HTTP/1.1 200 OK
    Server: Apache
    Date: Tue, 04 Aug 2009 20:17:15 GMT
    Content-Type: message/http
    Content-Length: 76
  
    TRACE / HTTP/1.0
    Host:
    TestA: Hello
    TestB: World

Failed sample:

$ telnet security.gib.local 80
Trying 192.168.0.107...
Connected to security.gib.local.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Wed, 25 Jul 2012 20:26:56 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

403 Forbidden
Forbidden
You don't have permission to access / on this server.
Connection closed by foreign host.

The request and response over telnet for the HTTP TRACK method are, for testing purposes, identical to those for TRACE; simply substitute TRACK for TRACE. If you need to test a host that is listening on SSL port 443 (and does not have an HTTP port exposed), use openssl's s_client. Simply type " openssl s_client -connect  ". You will connect, and then you can enter the above request the same as you would over telnet.
If you use Perl, I put together a script called 'test4trac', which tests a site to see if TRACE and TRACK are allowed. It can be downloaded from my blog's download page, and more information is available at the test4trac information page.

Remediation

TRACE is enabled by default in an Apache installation. There are two ways to remediate. The first can be used if you are running Apache 1.3.34, 2.0.55, or anything in the 2.2 release: simply add the TraceEnable directive to your httpd.conf and set the value to Off.
TraceEnable off
The second mechanism is a mod_rewrite rule that blocks the HTTP methods; it is also quite popular and works with ANY version of Apache that supports mod_rewrite. The directives below need to be set; they are written assuming this is the first time mod_rewrite is used.
The first thing to do is make sure that mod_rewrite is loaded. If mod_rewrite.so is missing from your Apache configuration but you have it installed (and your install location is /usr/local/apache), add the following statement to your httpd.conf:
    LoadModule  rewrite_module  "/usr/local/apache/modules/mod_rewrite.so"
Then add the following as well to your httpd.conf file:
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

## This one worked for me on Apache 1; be sure to put it in the port 80 section.

...
# disable TRACE in the www.example.com virtual host
RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F] 


Restart Apache and re-run the steps in the Validation section; with either method you should receive an HTTP 405 Method Not Allowed status code.

An Important Note Regarding the HTTP OPTIONS Method

I've seen a lot of forum posts from people who attempt to validate that TRACE is enabled by issuing an HTTP OPTIONS request against a target web server. This is not a valid test, because HTTP OPTIONS reports the methods that a particular web server may support, not necessarily the HTTP methods that are enabled on a site. Even disabling the TRACE method will not remove TRACE from the supported-methods line of an OPTIONS response, so if you see or hear anyone telling you that you can validate by issuing an OPTIONS call, they are incorrect.
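An added example (not from the original post or from test4trac): a Python version of the telnet/s_client probe above, which sends the same TRACE request and classifies the answer, treating the 405 from TraceEnable off and the 403 from the rewrite rule (the status the failed sample above shows) both as disabled. The sample responses are constructed.

```python
import socket
import ssl

# Constructed responses modelled on the two samples in the post (TRACE echo
# versus the 403 from the rewrite rule); not captured from a real host.
ENABLED_SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                  b"Content-Type: message/http\r\nContent-Length: 55\r\n\r\n"
                  b"TRACE / HTTP/1.0\r\nHost: x\r\nTestA: Hello\r\nTestB: World\r\n")
REWRITE_SAMPLE = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache\r\nConnection: close\r\n"
                  b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n<html>403</html>")
TRACEENABLE_SAMPLE = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n\r\n"


def build_trace_request(host):
    """The probe typed into telnet in the post: TRACE plus two marker headers
    that an enabled TRACE handler echoes back as a message/http body."""
    return (f"TRACE / HTTP/1.0\r\nHost: {host}\r\n"
            "TestA: Hello\r\nTestB: World\r\n\r\n").encode()


def classify_trace_response(raw):
    """Return 'enabled', 'disabled' or 'unknown' for a raw HTTP response.
    TRACE is live when the server answers 200 with Content-Type message/http
    and our markers in the body. TraceEnable off answers 405, the mod_rewrite
    [F] rule answers 403 (as the post's own failed sample shows) and Apache
    answers 501 to a method it does not know, such as TRACK."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    echoed = headers.get(b"content-type", b"").startswith(b"message/http")
    if status == 200 and echoed and b"testa: hello" in body.lower():
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "unknown"


def probe_trace(host, port=80, use_tls=False, timeout=5.0):
    """Send the probe and classify the answer. use_tls=True covers the
    port-443-only case the post handles with openssl s_client. Network
    helper, not exercised offline."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))
```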


REFERENCES
http://www.techstacks.com/howto/disable-tracetrack-in-apache-httpd.html
http://publib.boulder.ibm.com/httpserv/ihsdiag/http_trace.html
http://www.linuxquestions.org/questions/linux-server-73/disabling-http-trace-method-in-apache-623907/
http://www.kb.cert.org/vuls/id/867593/

Tuesday, July 24, 2012

wget vs curl: How to Download Files Using wget and curl

SkyHi @ Tuesday, July 24, 2012

Question: I typically use wget to download files. On some systems wget is not installed and only curl is available. Can you explain to me, with a simple example, how I can download a remote file using curl? Are there any differences between curl and wget?
Answer: At a high level, both wget and curl are command-line utilities that do the same thing.
  • Both can be used to download files over FTP and HTTP(S).
  • You can also send HTTP POST requests using curl and wget.
  • However, curl provides APIs that programmers can use inside their own code. curl uses libcurl, which is a cross-platform library.
  • wget is just a command-line tool without any APIs.
  • curl also supports a lot more protocols that wget doesn't, for example SCP, SFTP, TFTP, TELNET, LDAP(S), FILE, POP3, IMAP, SMTP, RTMP and RTSP.
  • There is one major advantage of using wget: wget supports recursive download, while curl doesn't.

Wget Examples

The following example downloads the file and stores it under the same name as on the remote server.
wget http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2
The following example downloads the file and stores it under a different name than on the remote server. This is helpful when the remote URL doesn't contain the file name, as in the example below.
wget -O taglist.zip http://www.vim.org/scripts/download_script.php?src_id=7701

Curl Examples

$ curl -O http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 28 3762k   28 1085k    0     0  72771      0  0:00:52  0:00:15  0:00:37 54267
Option -O (upper-case O) is important. Without it, curl dumps the downloaded file to stdout. With -O, it saves the file under the same name as on the remote server. In the above example we are downloading strx25-0.9.2.1.tar.bz2, so the downloaded file will have the same name.
Instead of -O, you can also specify --remote-name as shown below. Both are the same.
$ curl --remote-name http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2
While curl is downloading it gives the following useful information:
  • % – The percentage of the download completed so far. When it reaches 100% the download is complete. In the above example, only 28% of the file has been downloaded.
  • Total – The total size of the file.
  • Received – The amount of the file that has been downloaded so far. In the above example, 1085k has been downloaded so far (out of 3762k total).
  • Xferd – Used when you upload files to the remote server. During an upload this indicates how much of the file has been uploaded so far. Since we are downloading a file in this example, this is 0.
  • Average Speed Dload – The average download speed.
  • Average Speed Upload – While uploading a file, the average upload speed.
  • Time Total – The total time it will take to download (or upload) the whole file based on the current download (or upload) speed. In this example it will take approximately 52 seconds in total to download this file.
  • Time Spent – The time curl has spent so far downloading (or uploading) the file. In this example it has spent 15 seconds so far.
  • Time Left – Calculated as "Time Total" minus "Time Spent".
  • Current Speed – The current download/upload speed. Compare this with Average Speed Dload/Upload to see how fast or slow your system is downloading right now.
If you want to download the file and store it under a different name than on the remote server, use -o (lower-case o) as shown below. This is helpful when the remote URL doesn't contain the file name, as in the example below.
$  curl -o taglist.zip http://www.vim.org/scripts/download_script.php?src_id=7701
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 50243  100 50243    0     0   170k      0 --:--:-- --:--:-- --:--:--  400k
In the above example there is no file name in the remote URL; it just calls a PHP script and passes a parameter to it. However, the file will be downloaded and saved as taglist.zip on your local system. Instead of -o, you can also specify --output.

Use curl to download a file from sourceforge (mirror)

Posted April 6th @ 8:09 by Werner
Sometimes one wants to download a source package or similar from SourceForge with curl and not with the browser, e.g. in a script where one wants to download a package automatically. It turns out that, due to the latest changes in the download system of SourceForge, this is not straightforward.
Assume you want to download the binutils binary package from the MinGW project. If you go to the download site of binutils and click on "direct link" you get "http://downloads.sourceforge.net/project/mingw/GNU%20Binutils/binutils-2.20.1/binutils-2.20.1-2-mingw32-bin.tar.gz". If you just use "curl -O URL" nothing happens. Adding the option "-v" shows some more output:
* About to connect() to downloads.sourceforge.net port 80 (#0)
*   Trying 216.34.181.59... connected
* Connected to downloads.sourceforge.net (216.34.181.59) port 80 (#0)
> GET /project/mingw/GNU%20Binutils/binutils-2.20.1/binutils-2.20.1-2-mingw32-bin.tar.gz HTTP/1.1
> User-Agent: curl/7.16.4 (i386-apple-darwin9.0) libcurl/7.16.4 OpenSSL/0.9.7l zlib/1.2.3
> Host: downloads.sourceforge.net
> Accept: */*
>
< HTTP/1.1 302 Found
< X-Powered-By: PHP/5.2.9
< Content-Disposition: attachment; filename="binutils-2.20.1-2-mingw32-bin.tar.gz"
< Location: http://surfnet.dl.sourceforge.net/project/mingw/GNU%20Binutils/binutils-2.20.1/binutils-2.20.1-2-mingw32-bin.tar.gz
< Content-type: text/html
< Content-Length: 0
< Date: Tue, 06 Apr 2010 18:50:34 GMT
< Server: lighttpd/1.4.26
<
* Connection #0 to host downloads.sourceforge.net left intact
* Closing connection #0
Sourceforge redirects to a mirror server, but curl doesn’t follow it. Fortunately the “-L” option tells curl to follow this redirection. So
curl -L -O http://downloads.sourceforge.net/project/mingw/GNU%20Binutils/binutils-2.20.1/binutils-2.20.1-2-mingw32-bin.tar.gz
works. This sourceforge trac ticket provided the information. Additionally it’s possible to shorten the URL a bit. Instead of the long URL above you could also use:
http://downloads.sourceforge.net/sourceforge/mingw/binutils-2.20.1-2-mingw32-bin.tar.gz
Ok, it’s not that much shorter but still. I’m not sure if this always works, at least for MinGW packages it does.
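An added example, not from either of the posts above: Python helpers that reproduce how curl -O/-o and wget pick the local file name (last URL path segment, an explicit name, or the Content-Disposition hint sent with the SourceForge 302) while refusing path traversal in a server-supplied name; download() is a hypothetical helper that mirrors -L and is not exercised offline.

```python
import posixpath
import re
import shutil
import urllib.request
from urllib.parse import unquote, urlsplit


def remote_name(url):
    """The name curl -O and plain wget use: the last path segment, query
    string ignored. That is why download_script.php?src_id=7701 would land
    in a file called download_script.php unless -o/-O NAME is given."""
    return posixpath.basename(unquote(urlsplit(url).path))


def name_from_content_disposition(header):
    """Pull the filename out of a Content-Disposition header like the one
    SourceForge sends with its 302 (what curl -J would honour)."""
    match = re.search(r'filename="?([^";]+)"?', header or "")
    return match.group(1).strip() if match else None


def safe_local_name(name):
    """Reduce a server-chosen name to a bare file name so a hostile URL or
    Content-Disposition cannot write outside the download directory."""
    name = posixpath.basename(name.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("no usable file name; pass an explicit output name")
    return name


def choose_local_name(url, output=None, content_disposition=None):
    """-o NAME (curl) / -O NAME (wget) wins; else the header hint; else the URL."""
    if output:
        return output
    hinted = name_from_content_disposition(content_disposition)
    return safe_local_name(hinted or remote_name(url))


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Behave like curl without -L: raise on the 302 instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def download(url, output=None, follow_redirects=True):
    """Hypothetical helper mirroring curl -L -O / -o NAME; not run offline.
    urllib follows redirects by default, so follow_redirects=False reproduces
    the SourceForge failure described above (a 302 and no file)."""
    handlers = [] if follow_redirects else [NoRedirect()]
    with urllib.request.build_opener(*handlers).open(url) as resp:
        name = choose_local_name(url, output, resp.headers.get("Content-Disposition"))
        with open(name, "wb") as out:
            shutil.copyfileobj(resp, out)
    return name
```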



Centos, services you can most likely disable

SkyHi @ Tuesday, July 24, 2012

This article shows you the 8 services you can most likely disable to speed up your boot process.
If you installed Fedora 15 from the live CD you end up with some system services enabled which you most likely never need.

These services are:
fcoe and lldpad: only needed if you have Fibre Channel over Ethernet devices
iscsi and iscsid: only needed if you have iSCSI devices
livesys and livesys-late: only needed for the live CD
mdmonitor: only needed if you have RAID devices




#!/bin/bash
#Dependencies services package
#Turning off un-needed services on a Mythtv box
# One network NIC, no NFS, SELinux=0, no RAID, no wireless...
# VERY MINIMAL!
 echo ""
 echo " ********************************* "
 echo " Turning un-needed things off"
 echo " ********************************* "

for s in atd \
        auditd \
        avahi-daemon \
        bluetooth \
        cgconfig \
        cgred \
        cups \
        dc_client \
        dc_server \
        dnsmasq \
        ebtables \
        firstboot \
        gpsd \
        haldaemon \
        ip6tables \
        irda \
        iscsi \
        iscsid \
        ksm \
        ksmtuned \
        libvirt-guests \
        libvirtd \
        lvm2-monitor \
        mdmonitor \
        NetworkManager \
        netconsole \
        netfs \
        nfs \
        nfslock \
        nmb \
        ntpd \
        ntpdate \
        openct \
        openvpn \
        pcscd \
        portreserve \
        psacct \
        rdisc \
        restorecond \
        rpcbind \
        rpcgssd \
        rpcidmapd \
        rpcsvcgssd \
        rsyslog \
        saslauthd \
        sendmail \
        smb \
        smolt \
        snmpd \
        speech-dispatcherd \
        snmptrapd \
        squid \
        svnserve \
        vboxdrv \
        vboxweb-service \
        wicd \
        wpa_supplicant \
        ypbind
do echo "chkconfig $s off";
chkconfig $s off;
done
 echo ""
 echo " ********************************* "
 echo " Turning minimal needed things on"
 echo " Httpd so webmin & mythweb work "

echo "********************************* "

for s in abrtd \
        httpd \
        network \
        mysqld \
        sshd \
        udev-post \
        xinetd
do echo "chkconfig $s on";
chkconfig $s on
done

 echo ""
 echo " ********************************* "
 echo " DONE...."
 echo " ********************************* "
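As an added example (not the post's script), this Python planner parses constructed `chkconfig --list` output and returns, as a dry run, the chkconfig commands the script above would need; it refuses to switch off the logging and firewall services that the script's off-list includes unless the caller opts in, since losing auditd and rsyslog also loses the host's audit trail.

```python
# Constructed `chkconfig --list` output (not captured from the post's box).
SAMPLE_CHKCONFIG_LIST = """\
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
iscsid          0:off   1:off   2:off   3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
"""

# Subsets of the post's two lists: what the script turns off and keeps on.
UNNEEDED = {"atd", "auditd", "avahi-daemon", "iscsi", "iscsid", "mdmonitor", "rsyslog"}
NEEDED = {"httpd", "network", "sshd"}
# Defender caveat: the post's off-list also covers audit, syslog and the IPv6
# firewall. Without them the host keeps no audit trail and no packet filter,
# so these are skipped unless the caller opts in.
PROTECTED = {"auditd", "rsyslog", "iptables", "ip6tables", "restorecond"}


def parse_chkconfig(text):
    """Map service -> set of runlevels in which it is 'on'. The xinetd block
    is skipped: those entries are on/off per service, not per runlevel."""
    services = {}
    for line in text.splitlines():
        if not line or line.startswith(" ") or line.endswith(":"):
            continue
        name, *levels = line.split()
        services[name] = {int(lvl[0]) for lvl in levels if lvl.endswith(":on")}
    return services


def plan(listing, unneeded, needed, allow_protected=False):
    """Dry run: the chkconfig commands that would change the multi-user
    runlevels (3 and 5), in service-name order."""
    commands = []
    for name, on_levels in sorted(listing.items()):
        multiuser = bool(on_levels & {3, 5})
        if name in unneeded and multiuser:
            if name in PROTECTED and not allow_protected:
                commands.append(f"# skip {name}: protected logging/firewall service")
            else:
                commands.append(f"chkconfig {name} off")
        elif name in needed and not multiuser:
            commands.append(f"chkconfig {name} on")
    return commands


if __name__ == "__main__":
    for cmd in plan(parse_chkconfig(SAMPLE_CHKCONFIG_LIST), UNNEEDED, NEEDED):
        print(cmd)
```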



REFERENCES
http://www.harald-hoyer.de/personal/blog/fedora-15-8-services-you-can-most-likely-disable

Monday, July 23, 2012

How to test Internet connection speed from command line?

SkyHi @ Monday, July 23, 2012

curl -o /dev/null http://speedtest.wdc01.softlayer.com/downloads/test500.zip


Run Speedtest from command line

http://tech.ivkin.net/wiki/Run_Speedtest_from_command_line

Sunday, July 22, 2012

VMware 5.0 Disk I/O performance – Thick Provision Lazy Zeroed vs Thick Provision Eager Zeroed vs Thin Provision

SkyHi @ Sunday, July 22, 2012

Hello dear reader,
As you know, VMware announced vSphere 5 some time ago, and finally it can be downloaded by anyone :)
Based on this I decided to test the performance of the 3 types of disks supported by VMware:
Basically, the VM had 2 virtual disks assigned for the benchmark:
  • Thick Provision Lazy Zeroed
  • Thick Provision Eager Zeroed
  • Thin Provision
Test setup:
One VM was configured with 2 vCPUs, 2 GB RAM and 4 disks, all using the LSI SAS SCSI controller:
  • Disk 01 is the Windows "disk" (c:\ drive)
  • Disk 02 is a Thick Provision Lazy Zeroed disk
  • Disk 03 is a Thick Provision Eager Zeroed disk
  • Disk 04 is a Thin Provision disk
The VM had a single 1 Gigabit link to an iSCSI storage device, without any redundancy, link aggregation, MPIO or jumbo frames. The purpose of this exercise is to see the performance differences between the 3 types of disks, not to measure the performance of the iSCSI storage.
Anyway... let's go for the results.
Results (parsed at http://vmktree.org/iometer/):
  • I/O of a Thick Provision Lazy Zeroed disk
    Test name                  Latency   Avg iops   Avg MBps   cpu load
    Max Throughput-100%Read    0.00      3491       109        3%
    RealLife-60%Rand-65%Read   12.87     4490       25         11%
    Max Throughput-50%Read     101.44    6190       193        15%
    Random-8k-70%Read          13.96     5681       44         17%
  • I/O of a Thick Provision Eager Zeroed disk
    Test name                  Latency   Avg iops   Avg MBps   cpu load
    Max Throughput-100%Read    0.00      3511       109        1%
    RealLife-60%Rand-65%Read   12.78     4460       34         30%
    Max Throughput-50%Read     102.88    6261       195        2%
    Random-8k-70%Read          14.19     5770       45         34%
  • I/O of a Thin Provision disk
    Test name                  Latency   Avg iops   Avg MBps   cpu load
    Max Throughput-100%Read    0.00      3530       110        0%
    RealLife-60%Rand-65%Read   13.06     4566       35         30%
    Max Throughput-50%Read     102.36    6243       195        2%
    Random-8k-70%Read          14.17     5767       45         36%
Conclusion:
It seems that VMware delivers quite similar performance across the different disk types (at least with the benchmark profile used for this test), and for me the Thin Provision disk would probably be the chosen one due to the fact of being... thin.
During the next days/weeks I will try to run some more tests, against different storage devices and using iSCSI and NFS.
