Monday, 28 January 2013

Something smells fishy...

Immediately after I had replied to someone's tweet, I received a tweet from an unknown girl named Hugh, who clearly has some issues setting up her Christmas lights. Clearly a spam account of some sort. As I do not know that person, I could not expect the link to contain anything but shady business. So, out of pure curiosity, I decided to open that link in a test environment and log what was going on, hoping to find some fun and malicious content.


The little girl with the Christmas lights problem sent me this link

When we click the link above, we expect to be redirected to a real URL, since the sender (Hugh) shortened it with http://is.gd. The shortened URL actually points to r.eurocable.com.br (with a GET parameter, as seen below); its IP address (5.12.190.202) belongs to a Romanian server. From there we are redirected yet again, to cioara.info, which is hosted in Canada; this is where we finally get an HTTP 200 OK response.

The domain record can be found here. A quick Google search on this hostname also turned up a few mentions of its Twitter spam (e.g. its WOT reputation).

The page source code contains a function called dosub(), which simply submits a form called "frm1". The form posts to http://just-perfect-gifts.com/index.php, which acts as the form processor. The domain just-perfect-gifts.com is hosted on the same IP as cioara.info, namely 184.107.175.178, served by an nginx HTTP daemon with PHP 5.3.18. It is registered through GoDaddy, with the registrant info hidden via Domains By Proxy... The hopping continues: when the content of http://just-perfect-gifts.com/index.php loads, it uses <meta http-equiv="refresh"> to load the main page.
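The hop-by-hop unwinding described above can be replayed offline from captured responses, so nothing in the chain is ever executed. This shell script is an added example and not code from the original post; the URLs, file names and responses it uses are constructed stand-ins, not the real hosts named above:

```shell
#!/bin/sh
# Added example, not part of the original post: replay a redirect chain
# offline from saved HTTP responses, following both Location headers and
# <meta http-equiv="refresh"> tags without executing any script, and stop
# on a loop or a hop limit (the page above reloads itself endlessly).
# All file names and response contents below are constructed.

# slug URL: file-safe name for a saved response
slug() { printf '%s' "$1" | tr -c 'A-Za-z0-9' '_'; }

# next_hop FILE: print the next URL in a saved response, or nothing
next_hop() {
    loc=$(grep -i '^Location:' "$1" | head -n1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r')
    if [ -n "$loc" ]; then printf '%s\n' "$loc"; return 0; fi
    grep -io 'http-equiv="refresh"[^>]*' "$1" | head -n1 | sed -n 's/.*url=\([^">; ]*\).*/\1/p'
}

# trace_chain DIR START_URL [MAX_HOPS]: print the hops joined by " -> ",
# marking a repeated URL with "(loop)" or too many hops with "(hop limit)"
trace_chain() {
    dir=$1; url=$2; max=${3:-10}; chain=""; seen=""; n=0
    while [ -n "$url" ]; do
        case " $seen " in *" $url "*) chain="$chain (loop)"; break ;; esac
        if [ "$n" -ge "$max" ]; then chain="$chain (hop limit)"; break; fi
        seen="$seen $url"; n=$((n + 1))
        chain="${chain:+$chain -> }$url"
        f="$dir/$(slug "$url").txt"
        [ -f "$f" ] || break
        url=$(next_hop "$f")
    done
    printf '%s\n' "$chain"
}

# make_samples: write a constructed three-hop chain (shortener -> redirector
# -> landing page that meta-refreshes to itself) and print the directory
make_samples() {
    d=$(mktemp -d)
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://redirector.test/?r=1\r\n\r\n' \
        > "$d/$(slug 'http://short.test/x').txt"
    printf 'HTTP/1.1 302 Found\r\nLocation: http://landing.test/\r\n\r\n' \
        > "$d/$(slug 'http://redirector.test/?r=1').txt"
    printf 'HTTP/1.1 200 OK\r\n\r\n<html><head><meta http-equiv="refresh" content="0;url=http://landing.test/"></head></html>\n' \
        > "$d/$(slug 'http://landing.test/').txt"
    printf '%s\n' "$d"
}

# Usage: trace_chain "$(make_samples)" http://short.test/x
```

Saved responses for a real investigation would be captured with a client that does not run scripts (for example curl with output redirected to files) and named with the same slug function.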

So we end up on a page telling me that I have the "opportunity to make some easy money", clearly a spam message, as we already saw in the Web of Trust reputation above. I also found that the domain name was sold on flippa.com in October. The user selling the site was suspended from Flippa, and at this point it is getting pretty clear what is actually going on: the spam message was a way to get a lot of views and thereby a good rating in Google Analytics. Looking at the attachment provided by the user, which is a Google Analytics report for www.just-perfect-gifts.com, there is certainly a lot of traffic to the site since it was created in May 2012, but the average visitor has only stayed a few seconds. I also found another post from the same user stating that "I am offering twitter followers and accounts."

Next I went through the source code, where I could confirm these findings: I quickly found Google Analytics code along with a Facebook Like button and a Twitter follow button. It says "Follow @JPgifts" but links to "https://twitter.com/MicroLeavesCash". What I noticed was that the main site was loaded over and over until I closed the connection. This is clearly an easy way to generate a lot of traffic to a site, and to make the site look more valuable one could generate traffic via false advertising and by throwing links at users on social media like Facebook and Twitter.

Okay, I'll stop here, as I feel I have wasted enough time on this boring incident; I was actually hoping it contained a malicious iframe of some sort.

Tuesday, 15 January 2013

Securing a Linux server

Summary

In conjunction with another post I am working on, I decided to write a small howto on administering and securing a freshly installed Linux distribution. In this post I am using Debian, but these steps should apply to most *NIX operating systems. They are the minimum requirements for securing your system.

Restricting User Access

The default umask for home directories is 022, and as seen below the user, members of the user's group and "others" (anyone else) all have read and execute permissions on the user's files, while only the user has write permission.

Permission    User    Group    Others
READ           X       X        X
WRITE          X
EXECUTE        X       X        X
               Table 1. Umask 022 permissions

To stop members of the user's group (and others) from accessing any of the files, we can set the umask to 077, which allows nobody but the owner to read, write or execute the owned files.

Edit /etc/login.defs and change the following setting:
#Default
#UMASK          022
#Secure
UMASK           077


Create user

Add a new group
groupadd usergroup
and add a user with the desired options
useradd --home-dir /home/username --create-home --shell /bin/bash --gid usergroup username
then we are ready to set a password on the account
passwd username

Sudo access

Since we are sooner or later going to disable root, either by disabling the account completely or by denying root login via SSH, we need a regular user with sudo capabilities to administer the server.

Install the sudo package from the repository
apt-get install sudo
and add the username to sudoers
echo "username ALL=(ALL) ALL" >> /etc/sudoers
or as a group policy
echo "%groupname ALL=(ALL) ALL" >> /etc/sudoers

If you want to disable the password prompt, use this instead of the above:
echo "username ALL=NOPASSWD: ALL" >> /etc/sudoers

Disable root user

To have one less account to maintain security on, one can disable the root account altogether:
passwd -l root

Deny root via SSH

If that doesn't suit your needs and you want to keep using the root account, at least deny root login via secure shell (SSH):
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config.bak > /etc/ssh/sshd_config

Securing SSH

Along with disabling root access via secure shell (as shown above), there are several options to further strengthen the security of your secure shell service:
  • ListenAddress 0.0.0.0 - Set this to listen only on a specific IP address.
  • Port 22 - Change the default SSH port. This is very useful for decreasing brute-force attempts, as most automated scripts look for port 22 to brute-force SSH accounts.
  • PasswordAuthentication - Change this to no in order to only allow people with their SSH keys in place; this is also a good way to decrease brute-force attempts. For this to work, one needs to create a key pair on the client machine (ssh-keygen) and copy the public key to the SSH server (ssh-copy-id).
  • PermitRootLogin - The default is to allow root logins via secure shell; change this to no, as described above.

When the configuration is done, restart the SSH server:
sudo /etc/init.d/ssh restart 

Note: If you have more than one network interface controller, ListenAddress should be configured on all services that support it.
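A quick way to check these four settings on a server is to audit the config file rather than eyeball it. The following shell script is an added example, not part of the original post; it assumes the defaults the post describes for absent keywords (root login and password authentication allowed, port 22, all addresses), ignores Match blocks, and the sample configs it writes are constructed:

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for
# the four settings discussed above and report the weak ones. Assumptions:
# an absent keyword takes the defaults the post describes (root login and
# password authentication allowed, port 22, all addresses), and Match
# blocks are ignored. The sample configs written below are constructed.

# sshd_value FILE KEY: effective value of KEY (sshd honours the first
# uncommented occurrence), or nothing if it is not set
sshd_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 | awk '{print $2}'
}

# audit_sshd FILE: print one line per weak setting; the exit status is the
# number of findings, so 0 means all four checks passed
audit_sshd() {
    cfg=$1; findings=0
    v=$(sshd_value "$cfg" PermitRootLogin)
    if [ "${v:-yes}" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}': set it to no"; findings=$((findings + 1))
    fi
    v=$(sshd_value "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}': set it to no and use keys"; findings=$((findings + 1))
    fi
    v=$(sshd_value "$cfg" Port)
    if [ "${v:-22}" = "22" ]; then
        echo "Port is 22: move SSH off the default port"; findings=$((findings + 1))
    fi
    v=$(sshd_value "$cfg" ListenAddress)
    if [ -z "$v" ] || [ "$v" = "0.0.0.0" ]; then
        echo "ListenAddress is '${v:-unset}': bind a specific address"; findings=$((findings + 1))
    fi
    return "$findings"
}

# count_findings FILE: number of weak settings as a plain number
count_findings() { audit_sshd "$1" | wc -l | tr -d ' '; }

# write_samples: constructed weak and hardened configs; prints "weak hard" paths
write_samples() {
    d=$(mktemp -d)
    printf 'Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n' > "$d/weak"
    printf 'ListenAddress 192.0.2.10\nPort 2222\nPermitRootLogin no\nPasswordAuthentication no\n' > "$d/hard"
    printf '%s %s\n' "$d/weak" "$d/hard"
}

# Usage: audit_sshd /etc/ssh/sshd_config
```

Run it again after the restart, since sshd only picks up the file on reload; a commented-out line counts as unset, which is why the weak sample still fails the password check.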

Automatic updates

Earlier I used a daily crontab entry to run apt-get update && apt-get upgrade directly, but in some cases this can break your install.
Instead, install unattended-upgrades from the repository (it was first introduced in Ubuntu):
apt-get install unattended-upgrades
and run
dpkg-reconfigure unattended-upgrades
to configure it. This will create /etc/apt/apt.conf.d/20auto-upgrades with the following preferences:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The default config file (/etc/apt/apt.conf.d/50unattended-upgrades) should do just fine, as it only allows security upgrades. However, if you want regular package updates as well as security updates, uncomment  //  "${distro_id} ${distro_codename}-updates";  in the Allowed-Origins section of the config file.

To disable automatic reboots, add the line Unattended-Upgrade::Automatic-Reboot "false"; to the config file:
echo -e '\nUnattended-Upgrade::Automatic-Reboot "false";\n' >> /etc/apt/apt.conf.d/50unattended-upgrades


Basic Firewall

Iptables is the most common firewall software on Linux systems; although it is not very user friendly, it sure is a powerful firewall. To simplify firewall management, Ubuntu introduced the uncomplicated firewall (ufw), which is also available from Debian's repository.
sudo apt-get install ufw
----
Captain Blackadder: "Baldrick, deny everything."
Lieutenant George: "You are Private Baldrick?"
Baldrick: "No."
Lieutenant George: "Are you not Captain Blackadder's batman?"
Baldrick: "No."
----

By default ufw does pretty much the same as Baldrick: it denies everything, or at least all incoming connections. Thankfully, since ufw is easy to maintain, one can easily add the rules one wants:
ufw allow 22 - allow both UDP and TCP traffic on secure shell's default port. The port number can be replaced with a service name found in /etc/services.
ufw deny 22 - deny incoming traffic on port 22.
ufw allow 22/tcp - allow incoming TCP traffic on secure shell's default port.

To delete a rule we simply use ufw delete <rule>, for example (if we used ufw allow 22/tcp):
ufw delete allow 22/tcp
If we only want traffic from one specific IP address we use this syntax: ufw allow from <ip-address> or ufw allow from <ip-address> to <ip-address/any> port <port-number> proto <protocol>

For example, to allow traffic from your subnet:
ufw allow from 192.168.1.0/24
A bit more complicated rule might be:
ufw allow from 192.168.1.110 to any port 22 proto tcp

When we are done, enable the firewall with ufw enable, and use ufw status verbose to check the status of the uncomplicated firewall.

