Aggressive Spam and Zombie blocking via spamhaus.org/drop and IPTables

If there is no end to spam and automated attacks against a server and you do not (or cannot) invest in a high-quality firewall, this technique may offer a respite.

The idea is to pro-actively block all “well-known” malicious net-blocks (according to spamhaus.org’s definition, of course). The source for these net-blocks is the Spamhaus DROP list, which is described as:

 

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie'
netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of
the SBL designed for use by firewalls and routing equipment.

 

Spamhaus promises:

 

 The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned -
 even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled
 by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE,
 APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks
 that have been snatched away from their original owners (which in most cases are long dead corporations)
 and are now controlled by spammers or netblock thieves who resell the space to spammers.

 When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from
 spamming, scanning, harvesting and DDoS attacks originating on rogue netblocks.

 

I combine this list with Portsentry (customizing /etc/cron.hourly/portflush and the killroute BASH script) to release and renew these blocks each hour. This is not really necessary, but it’s my way. As an added benefit, however, using Portsentry to block routes will make those routes subject to the portsentry.ignore routes you have configured, which will likely prevent you from blocking yourself or close associates if the DROP list somehow includes your netblock one day!

Here’s the one-liner to grab the DROP list and run it through killroute:

 

 curl -s http://www.spamhaus.org/drop/drop.lasso | grep '^[1-9]' | cut -f 1 -d ' ' | \
 xargs -I X -n 1 killroute X "source: spamhaus.org/drop"

 

This can also be run as "xargs -I X -n 1 iptables -A INPUT -s X -i eth0 -j DROP" instead, which appends the DROP rules directly to the INPUT chain without going through Portsentry.

In /etc/cron.hourly/portflush I add the above one-liner before the “exit” statement so that the now-flushed iptables entries are replaced with the (possibly) updated list of net blocks from the DROP list.

A minor edit to portsentry’s killroute (vi `which killroute`) allows a custom “source” comment. Here’s my edited killroute:

 

 #!/bin/sh

 # Pull in IPTOOL and PORTSENTRY_CHAIN. POSIX "." is used instead of
 # bash's "source" because the shebang is /bin/sh.
 . /etc/sysconfig/portsentry

 # Make sure we have a target
 if [ "x$1" = "x" ]
 then
        echo "$(basename "$0"):  Error no target specified."
        exit 1
 #else
        #echo "Arg 1: $1"
 fi

 # Optional second argument: a custom log prefix (the "source" comment)
 if [ "y$2" = "y" ]
 then
        PREFIX="portsentry attack alert"
 else
        PREFIX="$2"
        #echo "Arg 2: $2"
 fi

 # Figure out which firewall tool to run... backwards compat blows chunks.
 case "$(basename "$IPTOOL")" in
        ipchains)
                ipchains -I "$PORTSENTRY_CHAIN" -s "$1" -j DENY -l
                ;;
        iptables)
                # Both rules are inserted at the top of the chain, so the DROP
                # goes in first and the LOG ends up above it. Inserting the LOG
                # rule first would leave it below the DROP, where it never fires.
                iptables -I "$PORTSENTRY_CHAIN" -s "$1" -j DROP
                iptables -I "$PORTSENTRY_CHAIN" -s "$1" -j LOG --log-prefix "$PREFIX"
                ;;
        *)
                echo "Unrecognized option.... no action taken against $1"
                exit 1
                ;;
 esac

 exit 0

 
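A safer version of the hourly DROP-list refresh, added here as an example and not code from the original post: it validates each entry before use, skips netblocks found in a local ignore list (the same protection the post gets from portsentry.ignore), and rebuilds a dedicated chain so the hourly flush never touches other rules. The sample list, the ignore list and the chain name SPAMHAUS_DROP are assumptions.

```shell
# Added example, not from the original post: parse a Spamhaus DROP-style
# list, skip netblocks found in a local ignore list (the protection the
# post gets from portsentry.ignore) and emit iptables rules into a
# dedicated chain so the hourly flush touches only Spamhaus entries.
# Assumed: entries look like "192.0.2.0/24 ; SBL123", comments start
# with ';', and the chain name SPAMHAUS_DROP is this example's choice.
CHAIN="SPAMHAUS_DROP"

# Constructed sample in drop.lasso format (documentation prefixes only);
# the real list is fetched with curl as in the post.
SAMPLE_DROP='; Spamhaus DROP List - constructed sample
192.0.2.0/24 ; SBL1001
198.51.100.0/24 ; SBL1002
not-an-address ; malformed line that must be ignored
203.0.113.0/24 ; SBL1003'

# Constructed ignore list: one CIDR per line that must never be blocked.
IGNORE_LIST='198.51.100.0/24'

# Keep only lines that start with a plausible IPv4 CIDR; print the CIDR.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}( |$)' | cut -d ' ' -f 1
}

# Print the CIDRs of $1 (list text) that do not appear in $2 (ignore text).
filtered_cidrs() {
    printf '%s\n' "$1" | valid_cidrs | while read -r cidr; do
        if printf '%s\n' "$2" | grep -qxF "$cidr"; then
            echo "skipping ignored netblock $cidr" >&2
        else
            printf '%s\n' "$cidr"
        fi
    done
}

# Print (rather than run) the commands that rebuild the chain, so the
# result can be reviewed first or piped to sh from the hourly cron job.
iptables_commands() {
    printf 'iptables -N %s 2>/dev/null\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    filtered_cidrs "$1" "$2" | while read -r cidr; do
        printf 'iptables -A %s -s %s -j LOG --log-prefix "spamhaus drop: "\n' "$CHAIN" "$cidr"
        printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$cidr"
    done
    # Jump from INPUT once; -C exits non-zero when the rule is absent.
    printf 'iptables -C INPUT -j %s 2>/dev/null || iptables -I INPUT -j %s\n' "$CHAIN" "$CHAIN"
}

iptables_commands "$SAMPLE_DROP" "$IGNORE_LIST"
```

Run as-is it only prints the rules it would load; in the cron job the output would be piped to sh instead.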

I also use this technique in conjunction with Mitigating brute-force password attacks with pam_abl to help protect against brute-force password attacks. Fun, fun, fun.

How now failed Wow?

I usually ignore spam. Especially spam from computer retailers like CompUSA. However, last week I received an advertisement from CompUSA that proved beyond a shadow of a doubt that Windows Vista sucks.

It is, what, more than 6 months from Vista's consumer release and a year (sorry, I haven't followed Windows product announcements since 2001) since the corporate release? Anyway, this operating system has been publicly available for quite some time. In short, it's way past the Now from whence the Wow commenced.

With that background, CompUSA’s leading promotion in last week’s ad is very telling:

CompUSA July 4 AD

Hmmm… a marketing campaign to let people know CompUSA has an OS from 2001 available NOW! Is that really the most exciting thing available in the once-venerated PC world? No wonder Dell is trying to create a buzz around Ubuntu.

Also, no wonder Microsoft is stretching credulity by bending the GPL to its own ends with its patent deals with Novell (distributor of SuSE and Mono), Linspire and Xandros. Microsoft is out of ideas and the public knows it.

Is your site HACKER SAFE?

Ran across a web server the other day that had an active exploit running that allowed unrestricted remote shell access. The exploited vulnerability was in the Horde suite (PHP) of web applications. The Horde team had disclosed the vulnerability and had patched it more than a year ago. However, the exploit had been executed toward the end of May of this year (2007).

I'm being vague as to the web server details because I want to protect the identity of the webserver operators. I believe they thought, based on the claims of the Hacker Safe service they subscribed to, that they were doing everything in their power to prevent hackers from unauthorized access to their server.

When I was administering the server for unrelated reasons I found the exploit running bound to port 80 and owned by the user apache. Thus it was not, yet, a root-level exploit. Nevertheless, seeing a process name “bash” running from /dev/shm is not a heartwarming event. Once I tracked down the vector of compromise (Horde) and verified that it was closed off, I swept the computer for other compromises in play.

One of my searches (for the Turkish Hacker PHP include injection) revealed that the compromised web server subscribed to the HACKER SAFE service by Scan Alert. In fact, Scan Alert was, at the time of my discovery of the compromise, declaring that the server was meeting the highest level of published government standards for security.

Time to revise those published standards, eh, folks?

Or, perhaps, HACKER SAFE is more about a marketing tool than anything about a proactive prevention of compromises and exploited vulnerabilities.

What is the purpose of HACKER SAFE? Is it to reduce instances of compromise or is it to increase sales? Reading the Scan Alert site makes it clear there is a marketing component to their service, which is natural. However, under the menu “Security” the bottom-line service is a test to measure conversion rate increase while using the HACKER SAFE mark:

Placing the HACKER SAFE certification mark on your web site has
been proven to increase visitor-to-sales conversion rates. Our
technology allows customers without in-house data mining tools
to scientifically measure the effects HACKER SAFE certification
has on their business by conducting a sales analysis.
ScanAlert’s sales analysis technology uses an A/B test
methodology in which half of the site’s visitors see a HACKER
SAFE certification mark while the other half (the control group)
do not. Our sales analysis service includes installation support
and real-time graphical reporting.

Hopefully the web server operators with the year-old unpatched vulnerability and the month-and-a-half old active exploit increased their conversion rate with the HACKER SAFE server — they surely didn’t get any security benefit from their subscription. I wonder how the customers would feel knowing that the HACKER SAFE logo meant, basically, nothing more than a marketing ploy.
