coder . cl » sysadmin

configuring snmptrapd

Daniel Molina Wegener — Fri, 16 Jul 2010 23:28:27 +0000

snmptrapd(8) is a SNMP trap daemon, in other words, it captures SNMP notifications from the network and similar devices. In this post I will try to explain how to configure this daemon to allow a network server to process SNMP traps using both, embeded perl handlers for snmptrapd(8) and plain standard input — or stdin — handlers.

daemon configuration

The daemon is quite easy to configure, you must setup the snmptrapd.conf(5snmp) file. For this configuration, you must read your desired configuration options, such as logging and execution. For example if we have a community called inetsnmp, we can configure the file to allow traps from that community and also configure a trap handler written in perl.


# configure inetsnmp community to allow logging,
# execution of handlers and network traffic.
authCommunity   log,execute,net         inetsnmp

# perl embeded handler.
perl do "/usr/share/snmp/handler/trapdembed.pl"

This configuration is not enough, the snmptrapd(8) daemon uses hosts.allow(5) facility, so we need to add the proper rule in that file:


snmptrapd : 192.168.100.0/255.255.255.0 : allow
snmptrapd : 10.10.10.0/255.255.255.0 : allow

the embeded perl handler

#!/usr/bin/perl -w
#

# strict perl is better
use strict;
use FileHandle;
use Data::Dumper;
use NetSNMP::TrapReceiver;

# we create a sample/demo log file...
my $log = FileHandle->new("/var/log/snmptrapsample.log", "a+") ||
    die "Failed to open log file";

# how we process an SNMP variable
sub process_var {
    my ($var) = @_;
    my %res;
    my $name = "$var->[0]";
    my ($vt, $vv) = split /: /, "$var->[1]";
    $res{'oid'} = $name;
    $res{'type'} = $vt;
    $res{'value'} = $vv;
    return \%res;
}

# our default receiver
sub default_receiver {
    my ($pdu, $ivars) = @_;
    my %vars;
    $log->print(Dumper($pdu));
    foreach my $k (@{$_[1]}) {
        $vars{$k->[0]} = process_var($k);
    }
    $log->print(Dumper(\%vars));
    $log->flush;
}

# every OIDs pass through the default_receiver
NetSNMP::TrapReceiver::register("all", \&default_receiver) ||
    die "Failed to laod Sample Trap Receiver\n";

# status message...
print STDERR "Loaded Sample Trap Receiver\n";

This perl(1) handler will allow you basically to create a handler which is capable to process SNMP notifications creating two main variables on the handler itself $pdu which is the reference to the %pdu hash and %vars hash. Both hashes contains the proper data to process the request as you want:


%pdu = {
    'notificationtype' => 'TRAP',
    'receivedfrom' => 'UDP: [10.10.10.1]:53951->[192.168.100.5]',
    'version' => 1,
    'errorstatus' => 0,
    'messageid' => 0,
    'community' => 'public',
    'transactionid' => 1,
    'errorindex' => 0,
    'requestid' => 1012897136
};

%vars = {
    'IF-MIB::ifDescr' => {
        'value' => 'eth0',
        'type' => 'STRING',
        'oid' => 'IF-MIB::ifDescr'
    },
    'IF-MIB::ifAdminStatus.1' => {
        'value' => '1',
        'type' => 'INTEGER',
        'oid' => 'IF-MIB::ifAdminStatus.1'
    },
    'DISMAN-EVENT-MIB::sysUpTimeInstance' => {
        'value' => '(0) 0:00:00.00',
        'type' => 'Timeticks',
        'oid' => 'DISMAN-EVENT-MIB::sysUpTimeInstance'
    },
    'IF-MIB::ifIndex.1' => {
        'value' => '1',
        'type' => 'INTEGER',
        'oid' => 'IF-MIB::ifIndex.1'
    },
    'SNMPv2-MIB::snmpTrapOID.0' => {
        'value' => 'IF-MIB::linkUp',
        'type' => 'OID',
        'oid' => 'SNMPv2-MIB::snmpTrapOID.0'
    },
    'IF-MIB::ifOperStatus.1' => {
        'value' => '1',
        'type' => 'INTEGER',
        'oid' => 'IF-MIB::ifOperStatus.1'
    }
};

Where each OID or variable, can be treated by using the NetSNMP::OID package. Fora stdin handler, if you don’t know about perl(1), the difference is made on the snmptrapd.conf(5snmp) file, instead of configuring a global perl script which itself registers which OIDs will handle, you need to configure a global trap handler or each handler for each OID that you want to handle:


# configure inetsnmp community to allow logging,
# execution of handlers and network traffic.
authCommunity   log,execute,net         inetsnmp

traphandle     default           /usr/share/snmp/handler/defaultstding.py   default
traphandle     IF-MIB::linkUp    /usr/share/snmp/handler/ifuphandler.py     up

This will make your script or application to receive the OID data from stdin as follows:

router
UDP: [10.10.10.1]:37745->[192.168.100.5]
DISMAN-EVENT-MIB::sysUpTimeInstance 0:0:00:00.00
SNMPv2-MIB::snmpTrapOID.0 IF-MIB::linkUp
IF-MIB::ifIndex.1 1
IF-MIB::ifAdminStatus.1 up
IF-MIB::ifOperStatus.1 up
IF-MIB::ifDescr eth0

And also will require that you will enable in some manner the processing of that data as plain text.

Good luck configuring SNMP traps

share this article at:

Copyright © 2010 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

integrating kontact and skype

Daniel Molina Wegener — Sat, 20 Feb 2010 01:53:25 +0000

Kontact is my default PIM application. On its configuration we can setup a phone calling program, such as ekiga, skype and others, it just requires a small script, like the one bellow, which I have integrated with KPilot, so I can manage my contacts centered and synchronized.

#!/usr/bin/env python
# skype_call.py
import sys
import Skype4Py

def main():
    if len(sys.argv) != 2:
        print "No dialup number\n"
    number = sys.argv[1]
    number = number.strip()
    for n in [' ', '+', '(', ')', "\s", "\t", '-']:
        number = number.replace(n, "");
    number = '+' + number
    print number, "\n"
    skype = Skype4Py.Skype()
    skype.Attach()
    skype.PlaceCall(number)

if __name__ == '__main__':
    main()

Then, on the Kontact configuration, on the address book settings, we configure the path to our script, called skype_call.py, in this case located at my home directory, on my personal scripts folder.

One time configured contact, you can call your contacts just by clicking on their phone numbers. Remember that skype needs the format +country_code—area_code—phone_number, like +56 (2) 555 55 55.

Happy internet calling

share this article at:

Copyright © 2010 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

gmail with fixed font

Daniel Molina Wegener — Tue, 22 Sep 2009 20:16:45 +0000

On a post from Leo Soto, he explains how to setup Gmail under Firefox with fixed with fonts or monospaced fonts. I’ve extended that trick to allow the same behaviour under many Google products. I’m currently using it to display fixed with fonts in Gmail and Google Groups, for both on the message body and text editor.

My current fragment of my userContent.css, located at my profile directory for Firefox, usually ~/.mozilla -> firefox -> profile_name -> chrome, is as follows:

/* gmail fonts */
@-moz-document domain(mail.google.com)
{
    .gs .ii, textarea.dV {
        font-family: "Lucida Sans Typewriter" !important;
        font-size: 8pt !important;
    }

    .editable , .editable * {
        font-family: "Lucida Sans Typewriter" !important;
        font-size: 8pt !important;
    }

    .tr-field, .editable * {
        font-family: "Lucida Sans Typewriter" !important;
        font-size: 8pt !important;
    }

}

/* google groups fonts */
@-moz-document domain(groups.google.com)
{
    textarea, textarea * {
        font-family: "Lucida Sans Typewriter" !important;
        font-size: 8pt !important;
    }

    textarea.wdth100, textarea.wdth100 * {
        font-family: "Lucida Sans Typewriter" !important;
        font-size: 8pt !important;
    }

    textarea.padall5, textarea.padall5 * {
        font-family: "Lucida Sans Typewriter" !important;
        font-size: 8pt !important;
    }
}

Editing mail in fixed with fonts is great, mainly for code an similar tasks. The problem with variable with fonts is the fact that you can not setup the proper spacing or line with in chars while you are trying to preserve the Netiquete. Sorry, and you can call me old, but I still think that those rules must apply to electronic communications. Also, the Netiquete was standarized: "RFC1855 – Netiquette Guidelines".

share this article at:

Copyright © 2009 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

identifying phishing email

Daniel Molina Wegener — Fri, 18 Sep 2009 02:49:34 +0000

Phishing is a criminal activity. I’ve recently received an electronic mail with one of those phishing attempts. Surely I’ve ignored since I know how to read the electronic mail headers and some other useful information that comes in electronic mails. The Wikipedia refers to it as:

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

This time — I usually receive those electronic mails — I’ve received an important announcement from a Chilean bank, but really it was a phishing attempt. How do I know that? It appears to be quiet real, but what is behind all those pretty and trustful words?

The electronic have a plain text format. Yes! is not a binary format like Micro$oft Word or another kind of electronic format. This format has standard basis from the RFC 5322, and looks pretty similar on every message you sent and you receive. As the RFC 5322 standarizes the message format, the message format is as follows:

A message consists of header fields, optionally followed by a message body. Lines in a message MUST be a maximum of 998 characters excluding the CRLF, but it is RECOMMENDED that lines be limited to 78 characters excluding the CRLF. (See section 2.1.1 for explanation.) In a message body, though all of the characters listed in the text rule MAY be used, the use of US-ASCII control characters (values 1 through 8, 11, 12, and 14 through 31) is discouraged since their interpretation by receivers for display is not guaranteed.

Well, message headers are an important task while we are examining the message. You can view the original message by saving your email as plain text and looking at it with any text editor. Find a menu with View Source, View Message Source, View Raw Message, Save As (…plain text), and similar options to take a look on the message source. Well, this phishing mail has some interesting headers, such as the Received header, which indicates how the mail message was received by MX servers or mail servers:


Received: (qmail 12145 invoked by uid 1552); 14 Sep 2009 08:38:10 -0000
Received: from virtual1.webair.com (virtual1.webair.com [216.130.161.111])
    by mail07.ifxnetworks.com with SMTP id 9f9zhdib52zaavt9vaiekajna6;
    for dmw@unete.cl;
    Mon, 14 Sep 2009 08:38:10 +0000 (GMT)
    (envelope-from monitor@santander.cl)
Received-SPF: None; receiver=mail07.ifxnetworks.com;
    client-ip=216.130.161.111; envelope-from=;
    helo=virtual1.webair.com
X-Avenger: version=0.7.9; receiver=mail07.ifxnetworks.com;
    client-ip=216.130.161.111; client-port=2914;
    syn-fingerprint=32768:58:1:60:M1380,N,W0,N,N,T FreeBSD 4.8-5.1 (or MacOS
    X); data-bytes=0

My electronic mail address which received the phishing mail, is hosted at IFX Networks, so the final receiver — from top to bottom — was the ****.ifxnetworks.com server. Electronic mail routes can be longer that this one, but you can read as final receiver from top to the initial receiver to bottom. WOW! What a surprise!, the initial client is 216.130.161.111, let see from where comes that IP address…


[www@quake ~]$ geoiplookup 216.130.161.111
GeoIP Country Edition: US, United States

[www@quake ~]$ nslookup 216.130.161.111
Server:         200.62.2.180
Address:        200.62.2.180#53

Non-authoritative answer:
111.161.130.216.in-addr.arpa    name = virtual1.webair.com.

WOW!, the client comes from USA, not a Chilean sender! and matches with Spam Filter receiver at IFX: helo=virtual1.webair.com. Why a Chilean bank wants to send an important advice from foreign servers? it smells like pure phishing. Now let me see what are indicating the NIC servers from that domain:


[www@quake ~]$ whois webair.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

WEBAIR.COM.BR.GAROTAEXECUTIVO.COM
WEBAIR.COM

Hhhmmm… looks like a Brazilian domain . Looking at the real entry: GAROTAEXECUTIVO.COM.


Registrant:
   Executivo
   Rua: Executivo 3333
   Sao Paulo, Sao Paulo  01313000
   BR

   Registrar: DOTSTER
   Domain Name: GAROTAEXECUTIVO.COM
      Created on: 24-OCT-07
      Expires on: 24-OCT-09
      Last Updated on: 04-OCT-08

   Administrative, Technical Contact:
      Club, Executivo  postmaster@postmaster.com
      Executivo
      Rua: Executivo 3333
      Sao Paulo, Sao Paulo  01313000
      BR
      551122334455

Yeah! it’s a Brazilian one! Now, looking for all those URLs to make me fall in the fraudulent activity of phishing, where I’ve found three interesting URLs:

hxxp://www.santander.cl/estilos/2008_08/bitmaps/santander.gif
WOW!, it points to an image at the Chilean bank — I’ve replaced the t for x intentionally — and surely this will make some believe some people that the electronic mail is quiet real.
hxxps://www.officebanking.cl/images/porque.gif
WOW!, it points to an URL of the same bank but using the HTTPS protocol, this will make a possible client to believe that is pointing to the real bank, since many email clients asks for the site certificate. Interesting.
hxxp://www.fpfa.esp.br/imagens/campeoes/st2.php
WOW!, the full URL to the phishing site! I’ve not opened the URL, and I don’t know what is behind it :B

The piece of code with the link to the phishing web site in the body of the message:

conclusions

You can not trust in banking electronic mail until you strongly verify the electronic mail.
You can not enter any site with your financial institution logos without verifying the URL bar.
Google permits to download the message source.
Use a good electronic mail client, for example Thunderbird has good advices on spam and phishing.
Certainly the www.fpfa.esp.br site was cracked, and was used for phishing activities, and I’ve blocked it in my browser.
Those virtual1.webair.com servers are widely opened to be used by spammers, and I’ve added them to my blacklist.

share this article at:

Copyright © 2009 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

securing apache 2.x

Daniel Molina Wegener — Thu, 16 Jul 2009 16:21:33 +0000

This is not a security guide for Apache HTTP Server. Instead is a small guide that can be used as reference to protect some aspects of how the applications and pages are served. For security guides, you must look at other places. Well, I hope this approach would help a little in your administration tasks. All examples are not a copy/paste rules, you must think on them. I’ll never give you recipes… you always must think.

anonymous version

In Apache 2.X you can avoid of showing the server version and installed extensions, such as mod_php, mod_perl and others. This is an easy task, just add the both next directives — search for them and change their value.


#
# This hides the server signature on error pages.
# This means that the server version is not shown
# on error pages.
#
ServerSignature Off

#
# This will hide the server version and installed
# modules on the response headers.
#
ServerTokens Prod

limit requests

mod_rewrite is a good option to setup some filters on your server. If you enable this module, you can filter the request method and certain CGI enabled URLs.

mod_rewrite filters

If you serve dynamic web pages using some module as mod_perl or mod_php, you can filter only the used methods on your application, in example: HEAD, OPTIONS, GET and POST, and disable other methods, such as TRACE or WebDAV methods.


#
# this rule will block all request that differs from HEAD, OPTIONS,
# GET and POST
#

    RewriteCond     %{REQUEST_METHOD}       !^(HEAD|OPTIONS|GET|POST)$
    RewriteRule     (.*)                    [F,NS]

You can build a better request block using directories, in example over upload directories.


#
# this rule will block every request method that differs from HEAD,
# OPTIONS and GET. also it will block any request in files that do
# not have the extensions jpg, png and gif. It also works with image
# directories 
#


    RewriteCond     %{REQUEST_METHOD}       !^(HEAD|OPTIONS|GET)$       [OR]
    RewriteCond     %{REQUEST_FILENAME}     !^.*\.(jpg|png|gif)$
    RewriteRule     (.*)                    [F,NS]

You can play a lot with all those RewriteCond and RewriteRule. Also, you can block unwanted scripts, in example, if you are using PHP as your unique dynamic language to display your dynamic pages, you do not need to allow any Perl or Python scripts, you can block all other scripts that are unwanted on your site.


#
# this one will allow only PHP scripts, and also
# HTML pages and JavaScript
#


    RewriteCond     %{REQUEST_METHOD}       !^(HEAD|OPTIONS|GET|POST)$       [OR]
    RewriteCond     %{REQUEST_FILENAME}     !^.*\.(php|html|htm|js)$
    RewriteRule     (.*)                    [F,NS]

And yet, there are a lot of useful rules that you can apply, just think on them to fit your needs. Well, also you can enable Apache to allow only preprocessed URLs, in example if you are using some kind of wrapper to deny direct access to all PHP scripts, why, because our application is a MVC based application.


#
# we deny access to all kind of scripts on our system
#


    RewriteCond     %{REQUEST_METHOD}       !^(HEAD|OPTIONS|GET|POST)$          [OR]
    RewriteCond     %{SCRIPT_FILENAME}      !^.*\.(jpg|png|gif|html|htm|js)$    [OR]
    RewriteCond     %{REQUEST_FILENAME}     ^.*\.(py|pl|cgi|php|php3|shtml)$
    RewriteRule     (.*)                    [F,NS]
#
# we allow jpg, png, gif, js and html
#
    RewriteCond     %{SCRIPT_FILENAME}      !^.*\.(jpg|png|gif|html|htm|js)$    [OR]
    RewriteRule     (.*)                    $1                                  [PT]

#
# and then we redirect all requests to the /index.php script 
# possibly the main controller on our application
#
    RewriteCond     %{REQUEST_METHOD}       !^(HEAD|OPTIONS|GET|POST)$
    RewriteRule     (.*)                    /index.php?$1                       [PT]

You can play a lot with mod_rewrite rules and customize your application to allow users to have normal and browser based access to your application.

limit by location

Two helpful directives are Limit and LimitExcept. Those directives can allow you to limit the request method for certain Location.


#
# this will block other request method
# than HEAD GET POST OPTIONS, under Location
#

    
        Order allow,deny
        Allow from all
    
    
        Order deny,allow
        Deny from all

third party modules

Well here you have a list of modules that you can use. All of them will help you on protecting your application

disable unused modules

Make deep review on how many modules are you using. If you are not using certain module, just remove it from your configuration. In example, many sites have enabled the dav_module and dav_fs_module, when they really don’t need them. This will reduce all possible bugs that can be remotely attacked and will reduce the memory and processor usage

on what can’t help?

Surely, there a lot of "responsibility of the user" issues on those those modules and rules can not help. In example, weak passwords, buggy applications, weak validations and wrong handled user privileges.

I’ve found an interesting paper on this topic, about the user authentication issue. It’s written by MIT researchers. Here is the abstract bellow.

Client authentication has been a continuous source of problems on the Web. Although many well studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one.

We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site.

We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.

And here is the link to download it. I hope that all of those topics would help on your Web Site maintenance and development… And yet I know that I don’t cover some other issues, but that’s because I know that you can search for proper research and do security labs on your application

share this article at:

easy web services with pyxser

Daniel Molina Wegener — Mon, 11 May 2009 03:37:27 +0000

Working with Web Services is not an easy task. We must know about XML, WSDL and some other technologies and also the framework that we are using. In this article I will try to demonstrate how easy is the task of sending objects through Web Services. First of all I’m using SOAPpy as my Web Services framework and the second element in the recipe is pyxser my Python-Object to XML serializer and deserializer.

A single web service that should receive an XML string, now can convert that input into a Python Object. Let’s see the server code under SOAPpy framework

#!/usr/bin/env python
#
#
import pyxser as ser
from testpkg.sample import *
import SOAPpy

def hello(request):
    ### so we take the input string as xml and we deserialize it
    req = ser.unserialize(obj = request, enc = "ascii")
    ### we create a response object
    reqo = TestAnotherObject()
    ### we assign equal .first_element properties
    reqo.first_element = req.first_element
    ### we set a custom .second_element property
    reqo.second_element = "client"
    ### we serialize the response object
    rep = ser.serialize(obj = reqo, enc = "ascii", depth = 0)
    ### we return back the response object as xml string
    return rep

### create the server
server = SOAPpy.Server.SOAPServer(("localhost", 8888))
### register the hello function
server.registerFunction(hello)

print "Starting server..."
### and let server run...
server.serve_forever()

The code above show a single server with one operation hello(). The pyxser serializer can not serialize/deserialize classes declared in the __main__ module. So we declare a class in an external module testpkg.sample with the code bellow.

__all__ = [
    'TestAnotherObject']

class TestAnotherObject:
    first_element = "123"
    second_element = "456"
    def __str__(self):
        return repr(self.__dict__)
    def __repr__(self):
        return repr(self.__dict__)

This module contains our serialization target data transfer object. Now, at the client side, we have a complete support to send and receive objects using pyxser .

#!/usr/bin/env python
#
#
#

import pyxser as ser
import sys, httplib
from testpkg.sample import *
import SOAPpy

HELLOWS_NS = "http://localhost/hellows/"

def GetHello():
    ### we create a request object
    reqo = TestAnotherObject()
    ### we set the object properties as we need
    reqo.first_element = "client"
    reqo.second_element = "server"
    ### we serialize the object using pyxser
    hstr = ser.serialize(obj = reqo, enc = "ascii", depth = 0)
    ### we create a SOAP proxy to our server
    server = SOAPpy.SOAPProxy("http://localhost:8888/")
    ### we call the server method and we get the xml string
    resp = server.hello(hstr)
    ### we convert the response xml into a python object and
    ### return it!
    return ser.unserialize(obj = resp, enc = "ascii")

if __name__ == "__main__":
    ### then we can manipulate the object easily
    newobj = GetHello()
    print newobj.first_element[0:2]

We can do more expertize work with pyxser. You can try using WSDL, and importing the complete pyxser 1.0 XML Schema as follows…

So we can use integrate our Python web services by calling with other platforms and let the other platforms know the pyxser serialization model to allow us to develop more complex Web Services…

Certainly the pyxser package comes with with both standard and C14N XML schemas, and both standard and C14N XML DTDs — or document type definitions — so you can use them in your Web Services development.

share this article at:

i’ve changed my gpg keys…

Daniel Molina Wegener — Fri, 20 Feb 2009 13:08:17 +0000

I’ve changed my GPG keys. Take the new ones…


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Key Type:...........RSA
Key Length:.........4096
Signing Algorithm:..SHA512
Cipher Algorithm:...AES-256
Entropy Used:.......HW-RNG
Passphrase Length:..25-up chars

Valid Keys:
pub   4096R/98E0EE4D 2009-02-20
uid                  Daniel Molina Wegener (Developer)

pub   4096R/67B3A7BB 2009-02-20
uid                  Daniel Molina Wegener (Developer)

pub   4096R/8F9B167B 2009-02-20
uid                  Daniel Molina Wegener (Developer)

Revoked Keys:
pub   4096R/A8F10DE3 2009-02-18 [revocada: 2009-02-20]
uid                  Daniel Molina Wegener (Developer)

pub   1024D/32C7B9FA 2009-02-18 [revocada: 2009-02-20]
uid                  Daniel Molina Wegener (Developer)

pub   4096R/DF22B3AF 2009-02-18 [revocada: 2009-02-20]
uid                  Daniel Molina Wegener (Developer)

pub   1024D/4B0608C4 2007-02-06 [revocada: 2009-02-18]
uid                  Daniel Molina Wegener (Developer)
uid                  [jpeg image of size 2663]

pub   1024D/41696C3C 2007-02-06 [revocada: 2009-02-18]
uid                  Daniel Molina Wegener (Developer)
uid                  [jpeg image of size 2663]

pub   1024D/F5CEDD61 2007-10-27 [revocada: 2009-02-18]
uid                  Daniel Molina Wegener (Developer)
uid                  [jpeg image of size 2997]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iQIcBAEBCgAGBQJJn3Q1AAoJEHxqfq6Y4O5NjF4QAJF2Nnnnb2rPP7Oy++U3hF3u
Tud8Yx2wLjSHCb94pM0AYgi/bVFYBQhUx0tN1TDx/WcsXpbkYvVMiV+4z/IjyL2P
zdFqSFp9igE3daYc4ScmrUY0bw+A/ZS5mcgNE2zKuPKD4Vu8rLwpf4JfJ5BKy/Mo
u8QIQNECOSJcPCZn4HQZA07CZcyRpGnCeDQVxiUQtpJSmSHEVoyiCMd3jMxDxYVH
glby39MXjKE1tnlYeC6DqV7bdGnATYrRoaTfRtowj/XRDmOtg117exTCkBQ5FYLd
oUXKxkSimUIlqLtTfLv+DCJDD0x1m5OCAQjXhtgjcCx1uzOdojpR40+/3dyaNKz4
SJ/Yf69fNnk2/TAikSMyrojZ5aZuAHY4XV6RUtqPbv2mmdLNoEBbQE8hSG+Bd0cm
Wf5/twfRl+85jvaa5niJZEBMJM8Y3leo++3lJQnlkrXMgJD4AFzCMU0V7c6iMCsQ
TVxPOkQT/ZPSWIv37dhEhJTekPVKrBxlhzY/Wii91Zrm08LDRz6CHPCRcyl8r9Gc
PJ2DTPOoWnLDSku56TFLCMPquTlHFgut76Uh+lIr1Gp6xX0XnoYTr279YRQL1JsD
JCrv4fhy3Q/WSbfYKhuV2x6ECST7WUK3GCbYlK20YDQS/0kkwbuGzX/dzwPOezdG
VjBUtFIMGwwOJWM3Rj7p
=yksm
-----END PGP SIGNATURE-----

share this article at:

preventing os guessing

Daniel Molina Wegener — Tue, 17 Feb 2009 02:01:18 +0000

Today I was experimenting with the FreeBSD TCP Stack Parameters with one target in mind: to prevent os guessing through classical port scanners. One of the most classic scanner — the one that appeared in the The Matrix movie ~~as a h4x0r tool~~ — brings me the next piece of output on a Wintendo machine:


Device type: general purpose
Running: Microsoft Windows 2000|2003|XP|Vista
Too many fingerprints match this host to give specific OS details

With the FreeBSD default parameters, it brings me the next piece of output with some basic pf and ipfw rules:


Device type: general purpose
Running: FreeBSD 7.X
OS details: FreeBSD 7.0-RELEASE, 7.1-RELEASE

But I’ve successfully prevented the OS guessing from this tool by modifying the stack parameters and random number generation parameters on my machine:


Retrying OS detection (try #2) against quake (XXX.XXX.XXX.XXX)
Host quake (XXX.XXX.XXX.XXX) appears to be up ... good.
All 80 scanned ports on quake (XXX.XXX.XXX.XXX) are filtered
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
...

Well, I think that this is a success over this kind of tools. The next and easy to put settings on third party software, such as Apache Web Server, are a merely token on the way securing the operating system.

BSD guys can use the blackhole feature plus some random number generation parameters to prevent the OS guessing… Linux guys seems to need some patches and third party tools, I’m trying to figure on how to apply similar rules in WRT distributions by using the iptables features. Only then I, will release some tips or a well documented paper.

share this article at: