Monday 10 September 2012

Compile a stable 3.2.28 grsecurity kernel with AppArmor and TPE (Trusted Path Execution) enabled

I noticed I had a spare Pentium 4 with 384MB RAM left and decided to install a
grsecurity+AppArmor hardened kernel with Trusted Path Execution enabled.
As OS I will use a fresh install of the latest Xubuntu with the xfce4 desktop and an ext2/ext3
filesystem. The purpose of configuring TPE later on is to prevent a non-root user from
executing executable files other than the ones installed by root himself. So any
executables and scripts will not execute from /home/username.
You could also first add a least privilege user right after a fresh install of Xubuntu
and start from there; see the post "Ubuntu least privilege instead of power user" below:
 ubuntu-least-privilege-instead-of-power



For in-depth documentation regarding grsecurity I gladly refer to the excellent grsecurity website:

http://grsecurity.net

From there you will need to download the grsec patch for the vanilla 3.2.28 kernel.
From http://www.kernel.org/pub/linux/kernel/v3.x/ you will need to download
linux-3.2.28.tar.bz2 and copy the package as root to /usr/src,
e.g.:
#cp /home/username/Downloads/linux-3.2.28.tar.bz2 /usr/src

now unpack the package:

#tar -xvjpf linux-3.2.28.tar.bz2

copy the downloaded grsec patch as well to the /usr/src directory

#cp  /home/username/Downloads/grsecurity-2.9.1-3.2.28-201209062131.patch /usr/src

change directory to the just unpacked kernel:

#cd /usr/src/linux-3.2.28
 
patch the 3.2.28 vanilla kernel with the grsecurity patch,
while in the  /usr/src/linux-3.2.28 dir

# patch -p1 < ../grsecurity-2.9.1-3.2.28-201209062131.patch

Before we can actually configure and compile the hardened kernel we have to
install some needed packages. And we need to know the group ID of the sudo or
least privilege user in order to configure a grsec option later on.

# apt-get install git-core kernel-package fakeroot build-essential ncurses-dev gcc-4.6-plugin-dev
 
Open a second terminal and enter id:
 
$id 

remember the number after gid=

you can close the second terminal now
 
Now configure the kernel while in the linux-3.2.28 kernel-source directory in the first
terminal. Make sure to compile the ext2 and/or ext3 filesystem into the kernel instead of as a module:
(*) instead of (M)

By pressing the space bar you can select the options, in case you didn't know.
Configure the options as in the pictures (screenshots of the menuconfig screens; only their captions survive here):

#make menuconfig

Caption: The RBAC system (grsec's equivalent of AppArmor) is disabled.
Caption: AppArmor selected as default RBAC.
Caption: Notice the gid 1001.


 Now let's compile the kernel:
 
#make && make modules_install && make install 
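The download, unpack and patch steps above as one script, added here as an example (it is not from the original post or from the grsecurity project). It keeps the post's version numbers and patch filename; SRC_DIR and the Downloads path are assumptions you can override, and the gid helper parses the output of `id` for the group number you noted earlier. The one thing it adds to the manual steps is a dry run of the patch before it is applied, so a patch that does not match the kernel tree never leaves half-patched files behind.

```shell
#!/bin/sh
# Added example, not from the original post: stage the kernel tarball and the
# grsecurity patch, apply the patch only after a clean dry run, and report the
# gid needed for the TPE group option in menuconfig.
# Assumptions: SRC_DIR (default /usr/src) and DOWNLOADS (default ~/Downloads).
set -e

KVER="3.2.28"
GRSEC_PATCH="grsecurity-2.9.1-3.2.28-201209062131.patch"
SRC_DIR="${SRC_DIR:-/usr/src}"
DOWNLOADS="${DOWNLOADS:-$HOME/Downloads}"

# Extract the numeric gid from one line of `id` output, e.g.
# "uid=1001(wall) gid=1001(wall) groups=1001(wall)" -> 1001
gid_from_id() {
  printf '%s\n' "$1" | sed -n 's/.*gid=\([0-9][0-9]*\).*/\1/p'
}

# Copy tarball and patch into SRC_DIR, refusing to continue if either is missing,
# then unpack the kernel source.
stage_sources() {
  for f in "linux-$KVER.tar.bz2" "$GRSEC_PATCH"; do
    [ -f "$DOWNLOADS/$f" ] || { echo "missing $DOWNLOADS/$f" >&2; return 1; }
    cp "$DOWNLOADS/$f" "$SRC_DIR/"
  done
  tar -xjpf "$SRC_DIR/linux-$KVER.tar.bz2" -C "$SRC_DIR"
}

# Apply the grsecurity patch only if a dry run reports no rejects.
apply_grsec() {
  cd "$SRC_DIR/linux-$KVER"
  if ! patch -p1 --dry-run -s < "../$GRSEC_PATCH"; then
    echo "grsecurity patch does not apply cleanly to $KVER; aborting" >&2
    return 1
  fi
  patch -p1 < "../$GRSEC_PATCH"
  # After patching, the grsecurity Kconfig should be present in the tree.
  [ -f grsecurity/Kconfig ] || { echo "patch applied but grsecurity/Kconfig is missing" >&2; return 1; }
}

main() {
  stage_sources
  apply_grsec
  echo "Your gid (use it for the TPE group option in menuconfig): $(gid_from_id "$(id)")"
  echo "Now run: cd $SRC_DIR/linux-$KVER && make menuconfig"
}

# Run the whole procedure only when invoked as: sh build-grsec.sh run
# (sourcing the file just defines the functions).
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as root (or with SRC_DIR pointing at a directory you own) and continue with make menuconfig as described above.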

Ubuntu least privilege instead of power user

After a default Ubuntu install you log in with an equivalent of the Windows "Power user", who is a member of the following groups:

adm cdrom sudo dip plugdev

To increase the system security a little bit further, add another user with a
different password and uncheck all the group memberships. This way an attacker must know the username of the power user first and then the different password.
Furthermore, if the least privilege user gets compromised, a direct sudo
can't be run.

Let's say we have two users: brick (power user) and wall (least privilege user).
In order to run: sudo apt-get update && sudo apt-get dist-upgrade,
you will have to su to brick first, after which you have to enter another password
to be able to run whatever sudo command.

e.g.: su brick
Password:
brick@blah-blah:/home/wall$
and then you can run something like: sudo apt-get update && sudo apt-get dist-upgrade, or sudo psad -L, or sudo psad -S.

Sunday 9 September 2012

Install and configure a working port scan attack daemon (psad) on an Ubuntu 12.04
desktop with one network interface. There are not that many hands-on websites dealing with psad for a specific Linux distro, and the ones that exist miss some essential details to get things working.
So I thought, why not write a quick recipe that gives you both a working iptables script and psad.

I assume you have Ubuntu 12.04 installed and xtables-addons.

For the installation of psad and dependencies I also refer to the following website:

http://bodhizazen.net/Tutorials/psad

Although I prefer to install packages from an official repository as much as possible,
your mileage may vary. You can perfectly well use ufw or the iptables example from the above mentioned website, although I used the desk firewall example (desk.fw) from the nixCraft website:

http://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/


Configure psad:


sudo nano -w /etc/psad/psad.conf  ### the rest of the default settings will do fine

HOME_NET                    NOT_USED;
EXTERNAL_NET                any;
ENABLE_SNORT_SIG_STRICT     N;
ENABLE_AUTO_IDS             Y;
ENABLE_AUTO_IDS_REGEX       N;  ### if you say Y here psad will not auto-block
IPTABLES_BLOCK_METHOD       Y;
TCPWRAPPERS_BLOCK_METHOD    N;
AUTO_IDS_DANGER_LEVEL 2;

Make sure your router is whitelisted:
sudo nano -w /etc/psad/auto_dl.conf
and append a line with the router's IP and its danger level, e.g.:
192.192.178.1.1 0; ### all is well explained in the file, though; a danger level of zero means: ignore

Remove rsyslog, install sysklogd, run the iptables script, and restart the logger:
sudo apt-get install sysklogd
append to /etc/syslog.conf: kern.info       |/var/lib/psad/psadfifo
chmod +x desk.fw
./desk.fw
sudo psad --sig-update && sudo psad -H
sudo /etc/init.d/sysklogd restart
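The setting that bites most people here is ENABLE_AUTO_IDS_REGEX: set to Y, psad will not auto-block. The following script, added as an example and not part of the post or of psad itself, reads a psad.conf and reports every key whose effective value differs from the list above (trailing ### comments and the ; terminator are handled, and the last definition of a key wins). The two config fragments at the bottom are constructed sample data; point psad_check at /etc/psad/psad.conf to check a real box.

```shell
#!/bin/sh
# Added example, not from the original post or from psad: verify that a
# psad.conf carries the auto-blocking settings the post prescribes.

# Expected "KEY VALUE" pairs, one per line, exactly as in the post.
EXPECTED='HOME_NET NOT_USED
EXTERNAL_NET any
ENABLE_SNORT_SIG_STRICT N
ENABLE_AUTO_IDS Y
ENABLE_AUTO_IDS_REGEX N
IPTABLES_BLOCK_METHOD Y
TCPWRAPPERS_BLOCK_METHOD N
AUTO_IDS_DANGER_LEVEL 2'

# Print the effective value of key $2 in psad.conf $1: comments after # are
# stripped, the trailing ; is removed, the last definition wins. Prints
# nothing when the key is absent.
psad_get() {
  awk -v key="$2" '
    { sub(/#.*/, "") }                      # drop trailing ### comments
    $1 == key { v = $2; sub(/;$/, "", v) }  # remember the last value seen
    END { if (v != "") print v }' "$1"
}

# Print one line per mismatch: "KEY expected=X actual=Y" (actual=<unset> if
# the key is missing). Prints nothing when the file matches.
psad_check() {
  echo "$EXPECTED" | while read -r key want; do
    got=$(psad_get "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "$key expected=$want actual=${got:-<unset>}"
    fi
  done
}

# Return 0 when psad.conf $1 matches all expected settings, 1 otherwise.
psad_ok() {
  [ -z "$(psad_check "$1")" ]
}

# Constructed sample: GOOD mirrors the post's settings, BAD flips the
# ENABLE_AUTO_IDS_REGEX switch that disables auto-blocking.
GOOD=$(mktemp)
BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
### constructed psad.conf fragment (sample data, not a real file)
HOME_NET                    NOT_USED;
EXTERNAL_NET                any;
ENABLE_SNORT_SIG_STRICT     N;
ENABLE_AUTO_IDS             Y;
ENABLE_AUTO_IDS_REGEX       N;  ### if you say Y here psad will not auto-block
IPTABLES_BLOCK_METHOD       Y;
TCPWRAPPERS_BLOCK_METHOD    N;
AUTO_IDS_DANGER_LEVEL       2;
EOF
sed 's/^ENABLE_AUTO_IDS_REGEX .*/ENABLE_AUTO_IDS_REGEX       Y;/' "$GOOD" > "$BAD"

echo "checking sample with auto-blocking disabled:"
psad_check "$BAD"
```

A run against the BAD sample prints the single mismatch for ENABLE_AUTO_IDS_REGEX; an empty report from psad_check (or a zero exit from psad_ok) means the file matches the post's settings.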

Now it's time to go to a site such as nmap online in order to test psad.
After a while online, without directly provoking a psad reaction yourself, you could see something like this:
sudo psad -H ### which displays the psad block chains

Chain PSAD_BLOCK_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DROP       all  --  *      *       62.58.48.30          0.0.0.0/0          
    0     0 DROP       all  --  *      *       111.1.76.214         0.0.0.0/0          
    0     0 DROP       all  --  *      *       174.36.4.18          0.0.0.0/0          

Chain PSAD_BLOCK_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DROP       all  --  *      *       0.0.0.0/0            62.58.48.30        
    0     0 DROP       all  --  *      *       0.0.0.0/0            111.1.76.214       
    0     0 DROP       all  --  *      *       0.0.0.0/0            174.36.4.18        

Chain PSAD_BLOCK_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DROP       all  --  *      *       0.0.0.0/0            62.58.48.30        
    0     0 DROP       all  --  *      *       62.58.48.30          0.0.0.0/0          
    0     0 DROP       all  --  *      *       0.0.0.0/0            111.1.76.214       
    0     0 DROP       all  --  *      *       111.1.76.214         0.0.0.0/0          
    0     0 DROP       all  --  *      *       0.0.0.0/0            174.36.4.18        
    0     0 DROP       all  --  *      *       174.36.4.18          0.0.0.0/0 

$host 85.190.0.3
3.0.190.85.in-addr.arpa domain name pointer proxyscan.freenode.net