GHOST vulnerability in Linux distributions and its Solution

By Hasib January 29, 2015 January 29, 2015 Did you know?, Hosting Solution, Technology, Tips & Tricks, Uncategorized

A GNU C Library (glibc) vulnerability – termed as “GHOST Vulnerability” was announced to general public on 27 January 2015 – after a Cloud research company Qualys discovered this major security vulnerability. This vulnerability enables hackers to remotely take control of systems without even knowing any system IDs or passwords.

How to Quickly Identify if your system is vulnerable:

The GHOST vulnerability can be exploited on Linux systems that use versions of the GNU C Library prior to glibc-2.18. That is, systems that use glibc-2.2 to glibc-2.17 are at risk. Many Linux distributions like CentOS (6,7), Debian 7, RHEL (6,7), Ubuntu and Distributions with end of life are vulnerable and should be patched immediately.

You may check the version of glibc by looking up the version of ldd (which uses glibc) with the following command:

#ldd –version

The first line of the output will tell you the glib version, the output could be like this:

# ldd (GNU libc) 2.12

As mentioned earlier – if it is older than 2.18 – your system is vulnerable.

How to solve (patch the system) this problem:

Ubuntu / Debian:

Update all of your packages to the latest version available using this command:

# sudo apt-get update && sudo apt-get dist-upgrade

Respond to the confirmation prompt with: “y” and finally reboot using this command: # sudo reboot

CentOS / RHEL:

Update glibc to the latest version available via “yum”:

# sudo yum update glibc

Respond to the confirmation prompt with: “y” and finally reboot using this command: # sudo reboot

IF UPDATE FAILS:

To mitigate the problem you before the patch change the value of UseDNS to “no” in “etc/ssh/sshd_config”. This disables the Reverse DNS checks in public facing services.

Although you can be relived for the time being – make sure you patch your distribution whenever it is available using the steps mentioned above.

No comments

How to block IP address in Linux – Using IPTables Rule

By Hasib August 10, 2014 August 10, 2014 Hosting Solution, Technology, Tips & Tricks, Uncategorized

Using IPTables rules we can block a Single IP address or a block of IP Addresses.

The following command (via ssh) will drop any packet coming from the IP address 1.2.3.4 :

# iptables -I INPUT -s 1.2.3.4 -j DROP

or you can use append

# iptables -A INPUT -s 1.2.3.4 -j DROP

How To Block Subnet (ip.Add.re.ss/subnet):

If your Machines public interface card name is eth1 and if you’d like to block the subnet 10.0.0.0/8 -Use the following syntax:

# iptables -i eth1 -A INPUT -s 10.0.0.0/8 -j DROP

How to View Blocked IP Address(es):

Simply use the following command:

# iptables -L -v

How to Save Blocked IP Address(es) in IPTables:

# service iptables save

3 Comments

ConfigServer installation IPtables problem in OpenVZ or Virtuozzo (solved!)

By Hasib August 8, 2014 August 8, 2014 Did you know?, Hosting Solution, Technology, Tips & Tricks, Uncategorized

ConfigServer Firewall (AKA csf) is an essential security tool for Linux based server and VPS.

The installation of CSF is pretty straight forward and is described here: http://configserver.com/free/csf/install.txt

However, some of the iptables modules required by the csf might not be present in the server and when the perl test command ( # perl /usr/local/csf/bin/csftest.pl ) is run in the VPS container while installing csf – the following fatal error may be encountered:

[root@vps-xyz ~]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…FAILED [ 4294967295] – Required for csf to function
Testing ipt_multiport/xt_multiport…FAILED [FATAL Error: iptables: Unknown error 4294967295] – Required for csf to function
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…FAILED [FATAL Error: iptables: Unknown error 4294967295] – Required for csf to function
Testing ipt_limit/xt_limit…FAILED [FATAL Error: iptables: Unknown error 4294967295] – Required for csf to function
Testing ipt_recent…FAILED [Error: iptables: Unknown error 4294967295] – Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit…FAILED [Error: iptables: Unknown error 4294967295] – Required for CONNLIMIT feature
Testing ipt_owner/xt_owner…FAILED [Error: iptables: Unknown error 4294967295] – Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT…FAILED [Error: iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)] – Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT…FAILED [Error: iptables v1.3.5: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)] – Required for csf.redirect feature

SOLUTION:

To resolve the issue – You’ll need to have access to your Hardware node (main server – not the VPS container). If you do not have access to the main server you may provide this guide to your VPS provider. Now you need to do the following steps:

1. First, you need to define required iptables modules are available for VPS.
Edit /etc/sysconfig/iptables-config file on the Hardware Node (Main server) and make sure you have the following:

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Edit /etc/sysconfig/vz file:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

2. Restart Virtuozzo/OpenVZ:

# service vz restart

3. execute the command (Assuming your VPS’s CTID is 1001):

# vzctl set 1001 --netfilter full --save --setmode restart

4. Now run the perl test command once again in the VPS container and you should see the result successful:

root@vps-xyz [~]# perl /usr/local/csf/bin/csftest.pl Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

5. Finally restart CSF:

# Service csf restart

No comments

How to disable IPtables Firewall in Linux (Red hat/CentOS/Fedora Core)

By Hasib August 2, 2014 August 2, 2014 Did you know?, Hosting Solution, Technology, Tips & Tricks, Uncategorized

Disable / Turn off Linux Firewall (Red hat/CentOS/Fedora Core)

Type the following two commands to save the IPtables first and then to stop it (you must login as the root user):

# /etc/init.d/iptables save
# /etc/init.d/iptables stop

Turn off firewall on boot

# chkconfig iptables off

Enable / Turn on Linux Firewall (Red hat/CentOS/Fedora Core)

Type the following command to turn on iptables firewall:

# /etc/init.d/iptables start

Turn on firewall on boot:

# chkconfig iptables on

Tag: centos