Exploring Mac OS Server – afctl Adaptive Firewall

In the past months I have learned a lot about Mac OS X Server, its capabilities and the services it can provide at a lower cost than the competition.

The several services offered by OS X Server are interesting; among the more eye-candy ones I found one that allows us to improve security controls in an area where, for some time, I thought there was not much that could be done natively in the OS.

The tool below allows us to mitigate brute-force attacks in an automated way, something I did not know was possible without extra tools.

Apple has implemented the Adaptive Firewall on Mac OS Server.

Enable the service with the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f

afctl is a tool for temporarily blocking a given ipv4 or ipv6 address using the built-in firewall.
All blocking requests have a time to live; they are unblocked when it expires.

afctl also maintains a whitelist of addresses that it will not block.
All block requests are checked against this list before being added to the blacklist.

All the firewall rules managed by afctl are grouped into a rule set to allow for bulk enabling/disabling via -e & -d.

I did not find much documentation about this tool.

I will try to update this information while I learn.

For now what I have is the following from the afctl man page:

afctl [-v debug_level] [-a ip_address -t ttl] [-w ip_address] [-r ip_address] [-x ip_address] [-c -i interval] [-e] [-d] [-f]


-v debug_level Verbosity; ascending numbers are more verbose. Level 0 is the default, level 1 is basic progress.

-a ip_address Add an address to the blacklist. ip_address can be IPv4 or IPv6 in CIDR notation. No DNS names allowed. An optional -t parameter allows the specification of the time in minutes that the address will remain blocked.

-r ip_address Remove an address from the blacklist. It will also be removed from the firewall rules.

-w ip_address Add an address to the whitelist. ip_address can be IPv4 or IPv6 in CIDR notation. No DNS names allowed.

-x ip_address Remove an address from the whitelist. ip_address can be IPv4 or IPv6 in CIDR notation. No DNS names allowed.

-c -i interval Self configure. The afctl tool will query the system configuration and determine the addresses that need to be whitelisted (routers, local interfaces, nameservers). It will also modify its launchd plist to invoke the tool every interval to remove old entries from the blacklist. If -i interval is not specified, a default value of 15 minutes is used.

-d Disables all firewall rules managed by afctl using a rule set (see the ipfw man page). Currently ipfw only (ip6fw does not support rule sets).

-e Enables the rules disabled by -d (above).

-f Forces afctl into a running state (sets the proper key in af.plist and writes out af_state).
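
As an added example (it is not part of the original post, nor Apple's own tooling), here is a small POSIX shell wrapper around the commands above. It assumes the afctl path shown in the post, whitelists the administrator's network before self-configuring and blocking so the operator cannot lock himself out, and checks that an address is a plain IPv4 address or CIDR range before passing it on, since afctl accepts no DNS names. The network and host addresses in the comments are constructed documentation values; IPv6 input is not validated by this helper.

```shell
#!/bin/sh
# Added example, not part of the original post or of Apple's tooling.
# Thin wrapper around afctl: validate input, whitelist before blocking.

AFCTL=${AFCTL:-/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl}

# is_ipv4_or_cidr ADDR
# Accepts a dotted quad with an optional /0-32 prefix (afctl takes no DNS
# names). Returns 0 when valid, 1 otherwise. IPv6 is not checked here.
is_ipv4_or_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32           # no "/" given: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # digits and dots only, no empty octet, exactly four octets
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# af_whitelist ADDR      never block this address or range (-w)
# af_block ADDR [MIN]    block for MIN minutes, default 60 (-a ... -t)
# af_unblock ADDR        remove from the blacklist and the firewall (-r)
af_whitelist() { is_ipv4_or_cidr "$1" || return 1; "$AFCTL" -w "$1"; }
af_block()     { is_ipv4_or_cidr "$1" || return 1; "$AFCTL" -a "$1" -t "${2:-60}"; }
af_unblock()   { is_ipv4_or_cidr "$1" || return 1; "$AFCTL" -r "$1"; }

# Typical bring-up order, run as root (the post uses sudo). Addresses are
# constructed documentation values (RFC 5737), not real hosts:
#   af_whitelist 192.0.2.0/24      # management network first
#   "$AFCTL" -c -i 15              # self-configure, clean up every 15 minutes
#   "$AFCTL" -f                    # force the running state
#   af_block 203.0.113.5 120       # block a noisy source for two hours
```

The order matters: -c adds routers, local interfaces and nameservers to the whitelist by itself, but the network you administer from is not among them, so whitelist it before -f switches the service on.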

We can also get a summary of the afctl activity running the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/hb_summary

The information available from Apple is very limited and almost comes down to this page and user support questions:

https://support.apple.com/en-us/HT200259

I will post more as soon as I have news.

List all IP addresses range in a 16 bit network v1.0

Objective:

Pass an IP address as part of a command string to test a reverse proxy vulnerability and scan the internal network behind the proxy, by running an already existing Python script that receives this IP as a possible DMZ host on which to scan open TCP ports.

The exploit only accepts one DMZ IP as argument; it does not accept a range or array of IP addresses.

Requirements:

A script that provides all possible IPs, one by one, in a network with 16 or more bits, so the Python exploit script can be called with each IP address as argument.

Missing:

The call to the Python script from the shell with the IP and the argument for scanning the DMZ network.

Observation:
The script does nothing by itself; it only lists all the IP addresses in a 16-bit network, starting from 192.168.0.0 until it reaches 192.168.255.255.

Improvements:
Create multiple parallel requests, as they are not dependent on each other and will be faster if executed in parallel.

#!/bin/bash

############################################################################
# List all IPs in a 16 bit network (192.168.0.0 - 192.168.255.255)
############################################################################

first_octet=192
second_octet=168

# Walk the third and fourth octets from 0 to 255 and print one address per line.
# (The original loops used "let" with $[...] arithmetic and stopped short of
# the .255 third octet and the .0 fourth octet; this version covers the whole range.)
for third_octet in {0..255}; do
    for fourth_octet in {0..255}; do
        echo "$first_octet.$second_octet.$third_octet.$fourth_octet"
    done
done

Log Types inside /var/log

This post is for people who wish to start understanding the log structure, or who need to spend lots of time checking logs or trying to analyse what happened in a Linux system.

For them it is of vital importance to know what logs exist and what information they can give us.

Most of the logs in Linux environments live inside the /var/log folder.

This is a list with a brief description of what we can find there and why it is useful…

While your system is running smoothly, check the logs and try to understand the existing data and how it might be useful to you.

This will be of great value if something goes wrong and might help you a lot in a crisis.

  1. /var/log/messages – Contains global system messages, including startup messages. This log includes information from several sources such as mail, cron, daemon, kern, auth etc.
  2. /var/log/dmesg – Contains kernel ring buffer information. When the system boots up, it prints a number of messages on the screen with information about the hardware devices the kernel detects during the boot process. These messages are kept in the kernel ring buffer, and when a new message arrives the oldest one is overwritten. You can also view the contents of this buffer with the dmesg command.
  3. /var/log/auth.log – Contains system authorisation information, including user logins and the authentication mechanism that was used.
  4. /var/log/boot.log – Contains information that is logged when the system boots.
  5. /var/log/daemon.log – Contains information logged by the various background daemons running on the system.
  6. /var/log/dpkg.log – Contains information that is logged when a package is installed or removed using the package manager command. (Debian based systems)
  7. /var/log/kern.log – Contains information logged by the kernel. Helpful when troubleshooting a custom-built kernel.
  8. /var/log/lastlog – Contains the most recent login information for all users. This is not an ASCII file; use the lastlog command to view its content.
  9. /var/log/maillog || /var/log/mail.log – Contains the log information from the mail server running on the system. (Sendmail logs information about all forwarded items to this file.)
  10. /var/log/user.log – Contains all user-level logs.
  11. /var/log/Xorg.x.log – Log messages from the X server.
  12. /var/log/alternatives.log – Information from update-alternatives is logged into this file. On Ubuntu, update-alternatives maintains the symbolic links that determine the default commands.
  13. /var/log/btmp – This file has information about failed login attempts. Use the last command to view the btmp file, for example “last -f /var/log/btmp | more”.
  14. /var/log/cups – All printer and printing related log messages.
  15. /var/log/anaconda.log – When you install Linux, all installation related messages are stored in this log file.
  16. /var/log/yum.log – Contains information that is logged when a package is installed using yum. (Red Hat based systems)
  17. /var/log/cron – Whenever the cron daemon (or anacron) starts a cron job, it logs the information about the job in this file.
  18. /var/log/secure – Contains information related to authentication and authorization privileges. For example, sshd logs all its messages here, including unsuccessful logins.
  19. /var/log/wtmp or /var/log/utmp – Contains login records. Using wtmp you can find out who is logged into the system; the who command uses this file to display the information.
  20. /var/log/faillog – Contains user failed login attempts. Use the faillog command to display the content of this file.
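
As an added example (not from the original post), the following POSIX shell function runs over the kind of sshd lines found in /var/log/auth.log or /var/log/secure and reports source addresses with repeated password failures. The log lines are constructed for the example, using documentation address ranges, and the threshold and output format are my own choice.

```shell
#!/bin/sh
# Added example, not from the original post: count failed SSH password
# attempts per source address in auth.log / secure style lines and report
# sources at or above a threshold. Reads log lines on stdin.

# Constructed sample lines in the format sshd writes through syslog.
# Addresses are from the documentation ranges (RFC 5737), not real hosts.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 srv1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:04 srv1 sshd[1234]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar  3 10:01:07 srv1 sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:09 srv1 sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:00 srv1 sshd[1250]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar  3 10:02:30 srv1 CRON[1260]: pam_unix(cron:session): session opened for user root by (uid=0)'

# failed_ssh_by_source THRESHOLD
# Prints "address count" for every source with at least THRESHOLD failures,
# highest count first. Only sshd "Failed password" lines are counted; the
# source address is the field that follows "from". Accepted logins and
# lines from other daemons (the CRON line above) are ignored.
failed_ssh_by_source() {
    threshold=${1:-5}
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print ip, fails[ip]
        }' | sort -k2,2nr -k1,1
}

# Run over the sample with a threshold of 3; prints "203.0.113.5 3".
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_source 3
```

On a Debian based system the input is /var/log/auth.log, on a Red Hat based one /var/log/secure. A source that shows up here is exactly the kind of address a tool such as afctl blocks for a limited time, which is also why its whitelist check matters: the same report will list your own hosts when someone mistypes a password a few times.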

What goes into some of these files is controlled by rsyslog, based on what is defined in the configuration file /etc/rsyslog.conf.

Open it and you will see which files were configured and with what settings.

You can also use this tool to send the logs to a remote location.

*.info indicates that all messages of priority info and above, from every facility, are logged.
mail.none,authpriv.none,cron.none indicates that messages from those facilities are not logged into the /var/log/messages file.
You can also specify *.none, which indicates that none of the log messages is logged.
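
To make the selector semantics above concrete, here is an added example (not from the original post, and not rsyslog's own code) that evaluates a selector string the way classic syslog selectors are read: a facility.priority part matches that priority and everything more severe, .none excludes a facility, and later parts override earlier ones for the same facility. It handles only the plain form; the = and ! priority modifiers rsyslog also accepts are left out.

```shell
#!/bin/sh
# Added example, not from the original post or from rsyslog: evaluate an
# rsyslog.conf selector such as "*.info;mail.none;authpriv.none;cron.none"
# for a given facility and priority. Only the plain "facility.priority"
# form is handled; the "=" and "!" modifiers are not implemented here.

# prio_level NAME -> numeric syslog priority, 0 = emerg ... 7 = debug
prio_level() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *) return 1 ;;
    esac
}

# selector_matches SELECTOR FACILITY PRIORITY
# Prints "match" if a message with that facility and priority is written by
# a rule carrying that selector, "drop" otherwise. Parts are separated by
# ";" and a part may list several facilities separated by ",".
selector_matches() {
    selector=$1; facility=$2
    level=$(prio_level "$3") || return 2
    verdict=drop
    old_ifs=$IFS
    set -f                      # "*" in the selector must not glob
    IFS=';'
    for part in $selector; do
        fac_list=${part%.*}     # e.g. "mail,authpriv" from "mail,authpriv.none"
        prio=${part##*.}        # e.g. "none"
        IFS=','
        for fac in $fac_list; do
            [ "$fac" = '*' ] || [ "$fac" = "$facility" ] || continue
            if [ "$prio" = none ]; then
                verdict=drop
            elif [ "$prio" = '*' ]; then
                verdict=match
            else
                limit=$(prio_level "$prio") || { IFS=$old_ifs; set +f; return 2; }
                if [ "$level" -le "$limit" ]; then verdict=match; else verdict=drop; fi
            fi
        done
        IFS=';'
    done
    IFS=$old_ifs
    set +f
    echo "$verdict"
}

# The selector discussed in the post:
SEL='*.info;mail.none;authpriv.none;cron.none'
selector_matches "$SEL" kern warning    # match: warning is more severe than info
selector_matches "$SEL" daemon debug    # drop: debug is below info
selector_matches "$SEL" mail err        # drop: mail.none removes the facility
```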

Other logs can be found in this folder, depending on the applications running on the system.

This is a small list of the most used ones, based on my experience.

  1. /var/log/httpd/ || /var/log/apache2 – Contains the Apache web server access_log and error_log.
  2. /var/log/lighttpd/ – Contains the lighttpd access_log and error_log.
  3. /var/log/mail/ – This subdirectory has more logs from your mail server. For example, sendmail stores the collected mail statistics in the /var/log/mail/statistics file.
  4. /var/log/audit/ – Contains log information stored by the Linux audit daemon (auditd).
  5. /var/log/setroubleshoot/ – SELinux uses setroubleshootd (SE Trouble Shoot Daemon) to notify about issues in the security context of files, and logs that information here.
  6. /var/log/samba/ – Contains log information stored by Samba, which is used to connect Windows and Linux systems.
  7. /var/log/sa/ – Contains the daily sar files collected by the sysstat package.
  8. /var/log/sssd/ – Used by the System Security Services Daemon (sssd), which manages access to remote directories and authentication mechanisms.

Kabel Deutschland and DynDNS… :( first piece…

Well, my DynDNS has stopped working on Kabel Deutschland…

I am a bit pissed…

It appears that they have changed from IPv4 to IPv6 and somewhere in their network there is a conversion back to IPv4… 🙁 which I think is killing my DynDNS functionality…

I am trying to see how I can bypass this issue…

Talking with them is hard (almost impossible; I am dependent on the good will of the support team in speaking English…) because I do not speak German… 🙁 so I guess I will need to find out how I can reconfigure my devices… 🙂

Most of the pages that talk about similar issues are also in German, so they are not very helpful to me…

First let us learn a bit more about the device… (Enumeration)

I asked for the cheapest one… I got a cable modem unknown to me: CBN brand, model number CH6640E.
After some searching I found the following manual for the device…
http://www.ktech.no/CG6640E_User_Guide_English.pdf

German Version…
https://www.kabeldeutschland.de/psources/media/Handbuch_compal_cbn_ch6640e.pdf

There are some differences between the manuals… But even this German version has more menus than my device…

More info about the device…

Vendor: CBN Inc.
Model: CH6640E
Hardware Version: 1.0
Firmware Version: CH6640-3.5.11.7-NOSH
Boot Version: PSPU-Boot(BBU) 1.0.12.19m1-CBN03

Interesting reading: it seems that the device can have Wi-Fi, but somehow it is not functional; it might be because it is not there or because someone disabled it in the firmware… (well, I did not ask for the Wi-Fi version, to make it cheaper…) I will check this later.

In one of the documents I read that there are 2 special users configured on the device… 🙂

1 – Admin, with default password admin, for access to the gateway pages (user access)…
2 – root, with default password compalbn, for access to the Operator mode… I guess this is the equivalent of a privileged user… 🙂

Of course Kabel Deutschland has changed the password or disabled this functionality… 😛

The menu schema according to the manuals is also not the same…

It seems that I have some missing menus.

Sadly, one of the things that is missing is the logs webpage…

I will have to find out if I can access that info in another way. 🙁

In the manual it seems that some firmware versions have a webpage where we can set up the DynDNS configuration…
I wonder if they disabled it on purpose or if it is my device that does not handle these extra configs… 🙁

Let's try to see which firmware has that option and what firmware versions are available… 🙂

Manufacturer…

http://www.icbn.com.tw
That conveniently has its page under construction… 🙁 as of 04-01-2015…

These are the listening ports from the inside…

PORT SCAN

PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
53/tcp open domain dnsmasq 2.46
80/tcp open tcpwrapped
554/tcp open tcpwrapped
5000/tcp open sip (SIP end point; Status: 501 Not Implemented)
7070/tcp open tcpwrapped

For now this is all…