Gamelinux PassiveDNS RPM (RedHat / Centos)

PassiveDNS is a tool (by Gamelinux) to collect DNS records passively, to aid incident handling, Network Security Monitoring (NSM) and general digital forensics.

PassiveDNS sniffs traffic from an interface or reads a pcap file and outputs the DNS server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in memory, limiting the amount of data in the log file without losing the essence of the DNS answer.

I only found some RPM builds, for example by Slava Dubrovskiy at Altlinux, but they were out of date (release 0.3.3). I’ve created a new RPM which is up to date with release 1.2.0 (b94d776). Feel free to download and rebuild the source RPM (passivedns-1.2.0-3.20151019git3e0611d.cgk.el6.src.rpm) if required. Four packages will be built: passivedns, passivedns-daemon, passivedns-tools, passivedns-debug.

One thing to note: a patch has been added to this RPM which makes passivedns send its logs to syslog via the local6 facility instead of the local7 facility.

— update
I’m going to write some systemd compatible service scripts for passivedns at RedHat / Centos 7. These will be versioned at github.

Protect yourself from POODLE SSLv3

On Tuesday, October 14, 2014, Google released details on the POODLE attack, a padding oracle attack that targets CBC-mode ciphers in SSLv3. The vulnerability allows an active MITM attacker to decrypt content transferred over an SSLv3 connection. While secure connections primarily use TLS (the successor to SSL), most users were vulnerable because web browsers and servers will downgrade to SSLv3 if there are problems negotiating a TLS session.
poodle.io

POODLE: SSLv3 vulnerability (CVE-2014-3566)
Red Hat Product Security has been made aware of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected.
https://access.redhat.com/articles/1232123

Fix Apache

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:\
ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:\
RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Don’t forget to test your configuration at SSL Labs.
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
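A quick way to check that no SSLProtocol line in your Apache configuration still leaves SSLv3 on, as an added example (not code from the original post). It follows mod_ssl's token semantics (all, +proto, -proto, processed left to right) and runs against a constructed config snippet:

```python
"""Flag Apache SSLProtocol directives that still enable SSLv3 (POODLE).

Added example, not from the original post. Implements mod_ssl's
SSLProtocol semantics: 'all' turns on every protocol, a bare or
'+'-prefixed token adds one, a '-'-prefixed token removes one, tokens
are processed left to right. 'all' is treated as including SSLv2 too
(true for older 2.2 builds, not 2.4); that does not change the SSLv3 verdict.
"""

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
_CANON = {p.lower(): p for p in KNOWN}


def enabled_protocols(directive):
    """Return the set of protocols one SSLProtocol directive enables."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        remove = tok.startswith("-")
        name = tok.lstrip("+-").lower()
        if name == "all":
            names = set(KNOWN)
        elif name in _CANON:
            names = {_CANON[name]}
        else:
            raise ValueError("unknown protocol token: %r" % tok)
        enabled = enabled - names if remove else enabled | names
    return enabled


def sslv3_findings(config_text):
    """Return (line_number, directive) for each SSLProtocol line in an
    Apache config that leaves SSLv3 enabled. Lines starting with '#' are
    comments and are skipped."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#") or not line.lower().startswith("sslprotocol"):
            continue
        if "SSLv3" in enabled_protocols(line):
            findings.append((lineno, line))
    return findings


# Constructed sample: a pre-POODLE vhost next to the hardened line from the post.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, line in sslv3_findings(SAMPLE_CONFIG):
        print("line %d still enables SSLv3: %s" % (lineno, line))
```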

Fix your browser, eg: firefox
You can set the value security.tls.version.min = 1 in the about:config dialog.
https://poodle.io/browsers.html

Monitoring Cisco Ironport with Collectd

Collectd is a daemon which collects system performance statistics periodically and provides mechanisms to store the values in a variety of ways. Collectd gathers statistics about the system it is running on and stores this information. Those statistics can then be used to find current performance bottlenecks (i.e. performance analysis) and predict future system load (i.e. capacity planning).

You can’t run collectd directly on the Ironport, so we needed to find some other way to pull useful data from it. We could either use SNMP (less data) or some other way (more data). After some searching we found out you can also access your Ironport statistics through the web frontend. A logical choice was to use the cURL-XML plugin.

Another important piece of functionality in our setup is the use of graphite, a tool that provides realtime scalable graphing. You can send your metrics to graphite instead of using a local RRD file. This is done via the AMQP plugin, for which we provide packages at our yum repository.

You can access the ironport XML file containing more statistics manually: https:///xml/status?, which will result in:

<status build="rls" hostname="hostname" timestamp="20130429193603">

I’m only going to cover the gauges in this post, because those seem the most relevant.

<gauges>
<gauge name="ram_utilization" current="18" />
</gauges>

You can pull data from this XML using XPath. It takes some time to find the correct syntax to pull the data, so here is a small example:

<LoadPlugin curl_xml>
  Interval 10
</LoadPlugin>

<Plugin "curl_xml">
  <URL "https://ironport.fqdn/xml/status">
    Host "ironport.fqdn"
    Instance "ironport"
    User "username"
    Password "password"
    VerifyPeer false
    VerifyHost false
    CACert "/etc/pki/tls/certs/ca-bundle.crt"

    <XPath "/status/gauges/gauge[@name=\"ram_utilization\"]">
      Type "ram_utilization"
      ValuesFrom "@current"
    </XPath>
  </URL>
</Plugin>
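To see what the XPath in that block actually selects, here is an added example (not code from the original post or from collectd) that resolves the same gauge[@name=...] lookup against a constructed status document and renders every gauge in collectd's host.plugin-instance.type Graphite naming; the hostname, gauge names and UTC timestamp interpretation are assumptions:

```python
"""Resolve the curl_xml XPath from the post against an Ironport status
document. Added example, not from the original post or collectd."""
import calendar
import time
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <status>/<gauges> layout shown above.
SAMPLE_STATUS = """<status build="rls" hostname="ironport" timestamp="20130429193603">
  <gauges>
    <gauge name="ram_utilization" current="18" />
    <gauge name="cpu_utilization" current="7" />
    <gauge name="disk_utilization" current="41" />
  </gauges>
</status>"""


def gauge_value(xml_text, name):
    """Return the integer @current of /status/gauges/gauge[@name=...], the
    selection the curl_xml <XPath> block performs. ElementTree has no
    absolute paths, so the root is <status> and the path is relative to it."""
    root = ET.fromstring(xml_text)
    if root.tag != "status":
        raise ValueError("unexpected root element %r" % root.tag)
    nodes = root.findall("gauges/gauge[@name='%s']" % name)
    if len(nodes) != 1:  # collectd also expects exactly one match per XPath
        raise LookupError("expected one %r gauge, found %d" % (name, len(nodes)))
    return int(nodes[0].get("current"))


def gauges_to_graphite(xml_text, plugin_instance="ironport"):
    """Render every gauge as a Graphite plaintext line named the way collectd
    names curl_xml metrics (host.curl_xml-<instance>.<type>), stamped with
    the document's own timestamp. The timestamp is assumed to be UTC."""
    root = ET.fromstring(xml_text)
    host = root.get("hostname")
    ts = calendar.timegm(time.strptime(root.get("timestamp"), "%Y%m%d%H%M%S"))
    lines = []
    for g in root.findall("gauges/gauge"):
        metric = "%s.curl_xml-%s.%s" % (host, plugin_instance, g.get("name"))
        lines.append("%s %s %d" % (metric, g.get("current"), ts))
    return lines


if __name__ == "__main__":
    print(gauge_value(SAMPLE_STATUS, "ram_utilization"))
    for line in gauges_to_graphite(SAMPLE_STATUS):
        print(line)
```

Each Type named in the collectd config must also exist in types.db, otherwise the plugin logs an error instead of submitting the value.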

That’s about everything you need to do. Remember, if you want your data to be stored in graphite, you also have to configure the AMQP plugin. There are some fine blog posts about that matter, so I’m not going to duplicate this information. Check: Collectd to graphite.

Packaging puppet 3.1.1 for ARM Raspberry PI

Steps

There are some steps you can follow to create yourself a build host that matches the Raspberry Pi almost identically:

  • Install Qemu
  • Download the latest version of Raspbian
  • Expand the raspbian image with extra disk space (more info here)

When your buildhost is operational you can start packaging:

  • Install the puppetlabs source apt repository
  • Start building the arm deb packages

Prepare the buildhost


Start building the packages at the buildhost

  • Add the apt-src repository of puppetlabs to your apt/sources.list: “deb-src http://apt.puppetlabs.com/ wheezy main devel dependencies” and run apt-get update
  • Install the puppet sources (you’ll probably need to install & build facter first, because it’s a dependency of puppet): apt-src install facter puppet
  • Build the facter package: apt-src build facter (you’ll probably have to install the new package first)
  • Build the puppet package: apt-src build puppet
  • Continue these steps for all other packages until you have built them all

Cegeka puppet apt (arm) repository

Our apt repository contains puppet deb packages for the ARM platform; they are built to manage our Raspberry Pi farm.
deb http://apt.cegeka.be/puppetlabs/ wheezy main dependencies

How Red Hat Decides Which Open Source Companies To Buy

“You don’t really buy an open source company — since the tech is all open. But then again, Red Hat ‘buys’ open source companies all the time, they just bought one this week. So when does it make sense for Red Hat to buy a company versus just building it on their own? Apparently, it all comes down to community. ‘When you buy an open source company, if the people aren’t coming and passionate about staying then you spend a lot of money for what? Because you don’t get a lot of intellectual property,’ Red Hat CEO Jim Whitehurst said.”

Source: Slashdot

Bind – vulnerability (CVE-2011-4313)

CVE-2011-4313 bind: Remote denial of service against recursive servers via logging negative cache entry

A denial of service flaw was found in the way bind, a Berkeley Internet Name Domain (BIND) Domain Name System (DNS) server, performed processing of recursive queries for negative cache entries. A remote attacker could provide a specially crafted DNS query, forcing the named server to process and log the error message, leading to a named server crash. This is a different vulnerability than CVE-2009-0696 and CVE-2011-2464.

Dennis Ritchie – Unix creator Dennis Ritchie dies…

Dennis Ritchie – Unix creator Dennis Ritchie dies aged 70

Dr Ritchie was one of the creators of the hugely influential Unix operating system and the equally pioneering C programming language.

A vast number of modern technologies depend on the work he and fellow programmers did on Unix and C in the early days of the computer revolution.

Those paying respects said he was a “titan” of the industry whose influence was largely unknown.

Apache – Today Apache acknowledged another revers…

Apache – Today Apache acknowledged another reverse proxy issue (CVE-2011-4317) which I discovered while creating a QualysGuard vulnerability signature for an older problem CVE-2011-3368. Depending on the reverse proxy configuration, the vulnerability could allow access to internal systems from the Internet.

While reviewing the patch for the older issue CVE-2011-3368, it appeared that it was still possible to make use of a crafted request that could exploit a fully patched Apache Web Server (Apache 2.2.21 with CVE-2011-3368 patch applied) to allow access to internal systems if the reverse proxy rules are configured incorrectly. I submitted an advisory and proof of concept to Apache and Apache made the issue public today.

For a good description of the older CVE-2011-3368 issue as well as how a reverse proxy works please check the excellent blog post by Context.