Apresentação na Pós-Graduação em Segurança da Informação: - Sniffer de senhas em plain text; - Ataque de brute-force no SSH; - Proteção: Firewall, IPS e/ou TCP Wrappers; - Segurança básica no sshd_config; - Chaves RSA/DSA para acesso remoto; - SSH buscando chaves no LDAP; - Porque previnir o acesso: Fork Bomb

1. Segurança - Acesso Remoto
 Leandro Silva
 Leandro Purificacão
 David Wallace
 Tiago Cruz - http://everlinux.com
 Jeferson
 Níve: Intermediário
 Pre-requisitos: Básico em Inglês, protocolos de
rede e universo Unix.

2. Tópicos
 Sniffer de senhas em plain text;
 Ataque de brute-force no SSH;
 Proteção: Firewall, IPS e/ou TCP Wrappers;
 Segurança básica no sshd_config;
 Chaves RSA/DSA para acesso remoto;
 SSH buscando chaves no LDAP;
 Porque previnir o acesso: Fork Bomb

3. Segurança - Acesso Remoto
 Telnet não tem criptografia, um atacante pode
pegar a sua senha usando um sniffer
 OpenSSH criptografa a comunicação
 Presente em todos os Unixes (*BSD, Solaris,
Linux, AIX...) e também nos roteadores
 Porém, uma máquina comprometida com um
keylogger pode pegar a senha do
administrador

4. Capturando senhas sem
criptografia (ex: telnet e
FTP)

5. ”Snifando” senhas: dsniff

6. Capturando senhas: ettercap

7. Ataques de força-bruta
contra o SSH

8. SSH é sempre visado
...
Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:206.113.121.118
Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:206.113.121.118
Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:206.113.121.118
Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:206.113.121.118
Aug 31 23:21:44 localhost sshd[4568]: Illegal user mysql from ::ffff:206.113.121.118
Aug 31 23:21:47 localhost sshd[4570]: Illegal user oracle from ::ffff:206.113.121.118
Aug 31 23:21:49 localhost sshd[4572]: Illegal user library from ::ffff:206.113.121.118
Aug 31 23:21:52 localhost sshd[4574]: Illegal user info from ::ffff:206.113.121.118
Aug 31 23:21:55 localhost sshd[4576]: Illegal user shell from ::ffff:206.113.121.118
Aug 31 23:21:59 localhost sshd[4578]: Illegal user linux from ::ffff:206.113.121.118
Aug 31 23:22:01 localhost sshd[4580]: Illegal user unix from ::ffff:206.113.121.118
Aug 31 23:22:05 localhost sshd[4582]: Illegal user webadmin from ::ffff:206.113.121.118
Aug 31 23:22:08 localhost sshd[4584]: Illegal user ftp from ::ffff:206.113.121.118
Aug 31 23:22:12 localhost sshd[4586]: Illegal user test from ::ffff:206.113.121.118
Aug 31 23:22:18 localhost sshd[4590]: Illegal user admin from ::ffff:206.113.121.118
Aug 31 23:22:21 localhost sshd[4592]: Illegal user guest from ::ffff:206.113.121.118
Aug 31 23:22:25 localhost sshd[4594]: Illegal user master from ::ffff:206.113.121.118
Aug 31 23:22:28 localhost sshd[4596]: Illegal user apache from ::ffff:206.113.121.118
Aug 31 23:22:33 localhost sshd[4598]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:37 localhost sshd[4600]: User root not allowed because not listed in AllowUsers
...

9. ssh-brute force caseiro

10. Gerando senhas aleatórias
$ john -stdout -incremental
1952
sammy
stark
start
stack
stace
steve
steen
steet
samers
$ dd if=/dev/random ibs=6 count=1 2> /dev/null | mimencode
HKxWMgRD
$ pwgen
xaif7Nah lie1Ieth gook1aiD ur1Ahthi Noo3eo5M Baz4aeBu
ohMeek9a chiex7Iu Sipe0Eiv iDaighu7 Quuz3una AhB0echi
go0Um7yu azo6Tiel Thee5aWe Xo8jaim5 caif0ieN HuaWie9n

11. Proteções contra ataques
de força-bruta

12. Básico /etc/ssh/sshd_config
# Grupos com acesso via SSH
AllowGroups sysadmin suporte
AllowUsers tcruz maria
# Logar direto como root é suicídio:
PermitRootLogin no
# Mudar a porta padrão mata alguns script kiddies:
Port 2258
tcruz@tuxkiller:~$ ssh -p 2258 192.168.15.129
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
tcruz@tuxkiller:~$ ssh userteste@192.168.15.129
Permission denied (publickey).

13. IDS/IPS - OSSEC

14. Brute Force - Mitigação
- No servidor a ser protegido:
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state
NEW -m recent –set
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state
NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
- Teste na estação ”atacante”:
$ for i in `seq 1 10` ; do echo 'exit' | nc 192.168.1.1 22 ; done
192.168.15.129 22 ; done
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
Protocol mismatch.
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
Protocol mismatch.
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
Protocol mismatch.
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
Protocol mismatch.
^C

15. TCP Wrappers
O pacote TCP Wrappers (tcp_wrappers) faz parte da instalação padrão e
oferece controle de de acesso a serviços de rede baseado no host. O
componente mais importante do pacote é a biblioteca /usr/lib/libwrap.a.
$ cat /etc/hosts.deny
sshd: ALL
$ cat /etc/hosts.allow
sshd: 10.10.1.0/255.255.255.0 10.10.2.240/255.255.255.240
$ cat /etc/hosts.allow
sshd: 200.222.222.55 200.222.222.94: ALLOW

16. Sem senha: chaves
públicas e privadas no
acesso SSH

17. Chaves de Criptografia
tiago@cliente:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/tiago/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tiago/.ssh/id_dsa.
Your public key has been saved in /home/tiago/.ssh/id_dsa.pub.
The key fingerprint is:
46:de:5d:e5:52:2a:8b:03:2d:75:e9:fd:fa:e6:b7:26 tiago@tuxkiller
tiago@cliente:~$ ssh-copy-id -i /home/tiago/.ssh/id_dsa
id_dsa id_dsa.pub
tiago@cliente:~$ ssh-copy-id -i ~/.ssh/id_dsa.pub 192.168.15.129
tiago@192.168.15.129 password:
Now try logging into the machine, with "ssh '192.168.15.129'", and
check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

18. Copiando manualmente
Caso você não tenha o ssh-copy-id:
root@server:~# cat /home/tiago/.ssh/authorized_keys
ssh-dss
AAAAB3NzaC1kc3MAAACBANbDleaS26kY1Wukd0LiKhhzdxfG1dZC0EObXp8hIrK+xsNy
g6dLRFPbbDYtZGJ06M5/SIqPCFoeLqHIMVroIPzZ
1gDMSdOesSbJMYkTgytJQltG2RHBp9OdTd7sp9xldQj93IAvAPTzFoUUtq9RaBzJJZbu
2ZK9Jqg8Spc/lT8JAAAAFQD5kI62O8bqAS1lFqmf1kklnskl
SQAAAIA7Ff28UoKWAoECh0WFE5zqxvUPW+1Qz9sxCXjmXfDIwt2jBgyrGcDrJiyRffqQ
kWEAlgqPZPQ6HQ68sFS052CjYU/5HlLbh2lXaiFBEvYpRqPg
gnqbMgOcI2lBom1LSYwTCsbb61OZBKE9CC2KptGJdzXesaO4eo8ARzzOolnjUgAAAIEA
gBdKmuccKaMtUJPapa3Q7OJxPq5lHnOXNUVRwkavVjLd7MB/
OWJI1FBOcExb9nGuVRVB1DB1VxYjz1QEa9KxNyx8eZQTtvA64McyjUuWJuSS1ld+DqJG
TaeVvYDPICkgPK9HlDOvJUZmFHiUdwbn/BLUWAR/Bg106nkn
5s8WnQg= tiago@tuxkiller
root@server:~# ls -l /home/tiago/.ssh/authorized_keys
-rw------- 1 tiago tiago 605 2009-06-17 15:06 ~/.ssh/authorized_keys
root@server:~# ls -ld /home/tiago/.ssh
drwx------ 2 tiago tiago 4096 2009-06-17 15:06 /home/tiago/.ssh

19. Logs de acesso
 # Log Antes:
 Jun 17 15:06:15 ubuntu sshd[2938]:
Accepted password for tiago from
192.168.15.1 port 32813 ssh2
 # Log Depois:
 Jun 17 15:28:26 ubuntu sshd[3184]:
Accepted publickey for tiago from
192.168.15.1 port 60079 ssh2

20. Acessando sem senha

21. SSH com as chaves
públicas centralizadas em
LDAP

22. SSH buscando chave no LDAP
OpenSSH-LPK
The OpenSSH LDAP Public Key patch provides an easy way of centralizing
strong user authentication by using an LDAP
server for retrieving public keys instead of ~/.ssh/authorized_keys.
=> http://code.google.com/p/openssh-lpk/
No Servidor LDAP - slapd.conf:
include /etc/openldap/schema/openssh-lpk_openldap.schema
Nos clientes - sshd_config:
UseLPK yes
LpkLdapConf /etc/ldap.conf

23. Busca no LDAP de exemplo
[root@testmachine ~]# ldapsearch -x uid=tcruz
# tcruz, People, empresa.com.br
dn: uid=tcruz,ou=People,dc=empresa,dc=com,dc=br
gecos: Tiago Cruz
loginShell: /bin/bash
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
uid: tcruz
uidNumber: 1002
cn: tcruz
homeDirectory: /home/tcruz
SshPublicKey:: ssh-dss
c3NoLWRzcyBBQUFBQjNOemFDMWtjM01BQUFDQkFPTDF0alppRmdXdEdtMkJ2UWx
9DOHJKNVYwaE90R3J3QUFBSUJIZVlzWnJGR2xITG4xblVGUTBTSXB6bzlnNG90RmFje
gidNumber: 1010
shadowLastChange: 14196
# search result
search: 2
result: 0 Success

24. Um bom motivo para deixar
o atacante longe da shell

25. Fork Bomb
Um processo que cria várias cópias dele mesmo recursivamente com o objetivo de
acabar com os recursos do servidor – DOS ou denial of service
A fork bomb using the Microsoft Windows (any version) batch language:
%0|%0
In poetic Perl:
fork while fork
Using Python:
import os
while True:
os.fork()
Or in C or C++:
#include <unistd.h>
int main(void)
{
while(1)
fork();
return 0;
}

26. Fork Bomb
tcruz@ubuntu:~$ ulimit -a | grep proce
max user processes (-u) unlimited
tcruz@ubuntu:~$ ulimit -u 1024
tcruz@ubuntu:~$ ulimit -a | grep proce
max user processes (-u) 1024
tcruz@ubuntu:~$ :(){ :|:& };:
[1] 3755
tcruz@ubuntu:~$ -bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
[1]+ Terminated : | :
Nota: Utilizado nesse teste uma VM com 512 GB de RAM

27. Referências
 http://everlinux.com/blog
 http://www.linux.com/archive/feature/61061
 http://code.google.com/p/openssh-lpk/
 http://en.wikipedia.org/wiki/Fork_bomb
 http://www.redhat.com/docs/manuals/enterprise/RH