
Aug 26

A couple of weeks back some Fedora servers were compromised. The Fedora project leader confirmed the breach in a mailing-list post. The same intrusion reached Red Hat's infrastructure, where an intruder managed to sign a small number of OpenSSH packages for Red Hat Enterprise Linux; the Fedora packages themselves were not found to be tampered with, and the Fedora team is still investigating.

Today there is another update from SecurityTracker:

OpenSSH for Red Hat Enterprise Linux Packages May Have Been Compromised

Red Hat confirms that this compromise does not affect the content distributed via Red Hat Network.

Solution: Red Hat has issued a fix.

Red Hat has published a list of the tampered packages and how to detect them at:

http://www.redhat.com/security/data/openssh-blacklist.html

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2008-0855.html
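The detection step comes down to comparing the packages you actually have against a published list of known-bad digests. The script below is an added example, not Red Hat's own detection script: it hashes every RPM file in a directory with SHA-256 and flags any whose digest appears in a blacklist file. It assumes the blacklist is a text file with one hex digest per line (the format of Red Hat's real list is not reproduced here).

```shell
#!/bin/sh
# Added example (not Red Hat's published detection script): flag RPM files
# whose SHA-256 digest appears in a blacklist of known-tampered packages.
# Assumption: the blacklist is a text file with one hex SHA-256 digest per
# line; the exact format of Red Hat's real list is not reproduced here.

# Portable SHA-256 of a file: coreutils sha256sum, else BSD/Perl shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_rpm_blacklist DIR BLACKLIST
# Prints "TAMPERED <file> <digest>" for every *.rpm under DIR whose digest is
# blacklisted. Returns 1 if anything matched, 0 if the directory is clean.
check_rpm_blacklist() {
    dir=$1
    blacklist=$2
    found=0
    for pkg in "$dir"/*.rpm; do
        [ -f "$pkg" ] || continue
        digest=$(sha256_of "$pkg")
        # -x: whole-line match, so a digest can never match as a substring
        # of another entry; -i: tolerate upper-case hex in the list.
        if grep -qix "$digest" "$blacklist"; then
            echo "TAMPERED $(basename "$pkg") $digest"
            found=1
        fi
    done
    return $found
}

# On a live RHEL/CentOS host, also confirm who signed the installed packages,
# e.g.  rpm -q --qf '%{NAME} %{SIGPGP:pgpsig}\n' openssh openssh-server
# A key ID other than the expected Red Hat release key is a red flag on its own.
```

Run it against the directory where your yum or up2date cache keeps downloaded RPMs, or against any local mirror; a clean run returns 0 and prints nothing, which makes it easy to wire into a cron job or a Nagios check.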

Aug 18

I thought I would have a great Sunday and sleep for long hours. Instead I was stuck with a networking issue on one of the HyperVM servers. The IPs of the VEs were not pinging from the outside world, all due to a misconfiguration of the SonicWall firewall and also the weird CentOS 5.2 nightmares. It was a challenge to look through all the logs, the VE configuration, etc.

The errors reported on network restart and VZ restart are still there on the server running the latest CentOS 5.2, but they do not seem to be troubling the health of the VEs created so far. I got a chance to rebuild the VPS nodes, fix the /dev partition from the back end as well as from the HyperVM front end, block and unblock IPs in HyperVM and LXAdmin, and use IP pools instead of direct IP allocation (neither seemed to have caused the issue on the server, though). Playing with the ARP cache was fun. It was a great hackathon for a day or two, though there is another challenging task in front of me.

I had not kept myself awake like this for a couple of months, since I started working out at the gym ;). I used to be an insomniac, but things have changed: I now get to sleep at least 6 hours. Today I thought I would be back to the old biological cycle, but now that everything is fixed, I'm desperate to hit the sack.

Eager to get back on the work floor on the night shift, starting my 6th year of operations at my company.

Aug 11

PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

PhpSecInfo is released under the "New BSD" license. View the LICENSE file for more details.


Development of PhpSecInfo is being sponsored in part by CERIAS at Purdue University.

Jul 26

It's not yet over. Yesterday serial bomb blasts shook the entire city, and today another live bomb was found near the shopping mall where I used to hang around last year. "The Forum" is one of the famous shopping malls in Koramangala. It's very close to the locations where the bombs exploded yesterday.

An unidentified 20-year-old man was found to have placed the bomb on the footpath near the shopping mall. Authorities are searching for this man, who was wearing a red T-shirt.

It's all a mess in the city: traffic jams, jammed mobile networks, IT companies hit along with those who provide daily wages to so many people around the city. Though life started off as usual this morning, terror is still on the minds of Bangaloreans. It used to be a green and fun-filled city. You could say it is now also filled with low-intensity bombs to horrify the common man.

Why are people playing around with the lives of others? What's behind all this? Terror is not the solution for anyone. Live and let us live peacefully.

News sources : Hindu NDTV

Image source : NDTV

Jul 25

You have read about the Nagios plugin I use in my Firefox browser in my previous articles. Let me give you an insight into remote server monitoring with Nagios. Nagios has been a reliable monitoring tool for many clients for years now.

Nagios comes with lots of plugins that can be used to fine-tune the results. When monitoring remote servers we need to check service status locally on those servers to understand their real condition. check_nrpe is the tool that provides this in Nagios.

The NRPE addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. The main reason for doing this is to allow Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on remote machines. Since these local resources are not usually exposed to external machines, an agent like NRPE must be installed on the remote Linux/Unix machines.

The NRPE addon consists of two pieces:

  • The check_nrpe plugin, which resides on the local monitoring machine
  • The NRPE daemon, which runs on the remote Linux/Unix machine

When Nagios needs to monitor a resource or service on a remote Linux/Unix machine:

  • Nagios will execute the check_nrpe plugin and tell it what service needs to be checked
  • The check_nrpe plugin contacts the NRPE daemon on the remote host over an (optionally) SSL-protected connection
  • The NRPE daemon runs the appropriate Nagios plugin to check the service or resource
  • The results from the service check are passed from the NRPE daemon back to the check_nrpe plugin, which then returns the check results to the Nagios process.

Note: The NRPE daemon requires that the Nagios plugins be installed on the remote Linux/Unix host. Without them, the daemon would not be able to monitor anything.

Today I found the answer to one of my questions. I wanted to monitor a server that is not directly reachable from the Nagios server. I used the NRPE addon described above to check the status of the MySQL service via another server that is allowed to talk to the database server. This is what Nagios calls an indirect check via check_nrpe: check_nrpe runs twice, once from the Nagios server to the intermediate host and once from the intermediate host to the database server. You can find the block diagram explaining the same below.

It is quite easy to configure this, just like any other remote service check done via the NRPE daemon. Now I can monitor anything on servers that are locked away in a DMZ. Nagios and NRPE are made for each other.
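The chain described above, as an added configuration example (not from the Nagios documentation or from the original post): the Nagios server can only reach the intermediate host, so it asks that host's NRPE daemon to run check_nrpe against the DMZ database host, whose own NRPE daemon runs check_mysql locally. The hostnames, addresses, paths and the monitoring account are assumptions.

```cfg
# --- Nagios server: commands.cfg / services.cfg ---
# Nagios can reach only the intermediate host (10.0.1.10), so the service
# is attached to that host and asks its NRPE daemon to run a named command.
define command {
    command_name    check_nrpe
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

define service {
    use                     generic-service
    host_name               gateway-host      ; 10.0.1.10, the intermediate host
    service_description     MySQL on dmz-db (indirect via gateway-host)
    check_command           check_nrpe!check_mysql_dmzdb
}

# --- Intermediate host (10.0.1.10): /etc/nagios/nrpe.cfg ---
# Only the Nagios server may talk to this daemon, and command arguments are
# refused, so a remote caller can run nothing but the commands defined here.
allowed_hosts=10.0.0.5
dont_blame_nrpe=0
# Hop 2: this host's check is itself a check_nrpe against the DMZ database host.
command[check_mysql_dmzdb]=/usr/lib/nagios/plugins/check_nrpe -H 192.168.50.20 -c check_mysql

# --- DMZ database host (192.168.50.20): /etc/nagios/nrpe.cfg ---
# Trust only the intermediate host; the real check runs locally with a
# dedicated, least-privilege monitoring account.
allowed_hosts=10.0.1.10
dont_blame_nrpe=0
command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H 127.0.0.1 -u nagios -p s3cret
```

Two caveats worth keeping in mind with this setup. First, NRPE's SSL mode in the 2.x series uses anonymous Diffie-Hellman: it encrypts the traffic but does not authenticate either side, so `allowed_hosts` (and a firewall rule on port 5666) is what actually restricts who can trigger checks. Second, the MySQL password sits in nrpe.cfg in clear text, so that file should be readable only by the user the NRPE daemon runs as, and the monitoring account should have no more than the privileges check_mysql needs.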

Read more : Nagios

May 9

We don't want our customers to be victims of software vulnerabilities in this age of the Internet. Every day and everywhere, security is a big concern. Many of us do not realise that a small security hole left unnoticed on our boxes can turn into a critical issue that brings down the server.

Auditing, analyzing, assessing and profiling our IT infrastructure is a routine job for all of us. However, as you can imagine, isolating vulnerabilities and hack-proofing critical data is not easy in a shared server environment.

Tenable's Nessus vulnerability scanner has made our job a lot easier, and it is one of the best tools we have come across so far. Most security analysts and server administrators like it for its high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis. Its assessment reports describe a server's security posture in detail, and with the latest release scan speed has improved considerably: most of the scans I have run recently finished in under 25 minutes.

May 7

OSSEC is an Open Source Host-based Intrusion Detection System (IDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.

OSSEC is now out with release v1.5, with more bug fixes and the new features listed below:

- New log formats:

  • Solaris BSM auditing logs
  • Asterisk logs
  • Checkpoint and Smart Defense logs
  • Debian package (dpkg) install/status/remove messages
  • Shorewall logs
  • Postfix SASL error messages
  • Localized pure-ftpd messages (for 12 different languages)
  • DJB multilog

-Greek translation of the install.

- Added the agent_control tool to manage the agents directly from the server.

- New options for syscheckd/rootcheckd to better schedule the scans.

- Performance improvements to the Windows agent, especially when dealing with large event logs.

- Added new options to rootcheck to look for common web exploits installed on the system (used to attack others).

Download it from: http://www.ossec.net/main/downloads .

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. A list with all supported platforms is available here. Haven’t tried it yet? try it now.

Mar 8

News of owning Vista from the boot with VBootkit, developed by Nitin and Vipin Kumar of NVlabs, is still buzzing in our ears, and this year there is another piece of hot news. Guess what?

Yet another tool to unlock a Windows box without its password is now on the Internet. It's HOT.

Adam Boileau, a New Zealand-based consultant with Immunity Inc., demoed a tool back in 2006 that reads and writes a running machine's memory over FireWire. Years have passed with no fix for this serious issue from Microsoft, so Boileau has finally decided to release the tool on his website. It is called Winlockpwn; it bypasses Windows authentication via FireWire, as demoed at Ruxcon 2006, and was released on Risky Business in 2008.

The tool patches the Windows logon password check in memory. All you need is to connect your Linux-based computer to the target machine's FireWire port: the IEEE 1394 controller gives an attached device direct memory access, which means full read and write access to the target's physical memory without any help from the operating system. The practical mitigation is to disable the FireWire controller (or its driver) on machines that do not need it, or to physically disable the port.

Read more about this project and tool here
