# CySec19/20 - Security Architectures - TP2 ## SSH > You can control a remote screen through ssh , for example, try :# xclock (some configuration of ssh might require to set the environment variable DISPLAY as in export DISPLAY=:0;) > > What happens ? The clock pops up. SSHd configuration `sshd_config`: ```ini # Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 3423 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin no StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords PasswordAuthentication no # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding no X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* #Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes ``` `authorized_keys`: ``` ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDcZAgwlCzUV/6uXH1GErboWrwZaIKQ+4VIRKzaq2uyvXjryAa6LI58TJec8vBRzsmQ7PK8gg/Zv1rXoshzSza1iXBRvuIpxOfO5ztNIi9kCLsBxmYlsvuvWmzs75Nd5Wpp2zBYBxD84B+U91FNxTSyEcaKwnJCk7iukql7WIgsGvDF/otjIRZUTTn4a4buYkBNNnKQG/NTXdN6khNuadYfWwYF9ge5rTassiU5h0ETl39pEwvZV8xWBlKPxFJJVSGVnvWv0innhRHK5utrIP+kUC4q3haX9PKyzl7Oy83x03HRg3cWGVyATv9wjssZ0CkmwiVcAnEPbIoSLSfDU7z4wmO/gnNpGL/k2v+HMdx98VqMhhkjbNRpgwhtkTx5zeViovgk2zrLnRVI7A+2qHU0eg8NeNWG9vQ8VjdQryfce+/KRZXyuLq1B/w5rX43oFrqFYQfCHuIqzmcYbEoBfZzuWfGDViT0z2xsrj978H5CKC30bMWqjeifEO5CjdpHAKeAsvK87XNr4C7zc7bOwfYSuXlvE57cqsmDcqHcq+iRPDabpHmxdOw0wOiFqdAgzmnVGfj7xkay+znxRJcfV3kUKqm6IDWdUbCz+uPO7nrXy/GQMiyRPuU1lYUZUGUzW5Jk5UaowHMZXF3RCqnPfyfGJuovI3nXixb4PPI5W9ZJJ2SQ65YLFFkIEou2yMTtBGpPrwTmA9eNVlN/9gu3EG5Uv5ZTSX6yz2bX6TjPryhpLTxKZOko6GaGtF9LnW4VcMG/axCXXm09IEfFrwsbfcsv92w+RN5cGd//QVX+6T+v0xSY8mWIJC/RIY+d1lJV3YuhfPlZ0805e6Flx9SCJo2TW5SdIECGfhES+JOYoVtGpryEBFrPrF1q+MHs8QsMfoBMb3Q+uNVwDbsY9YIGPpxEBa40JIV62Mw076NpbyonxDqCV8UcIacXATgkL2OwAXEWkGLdpa6CQnGk4198JBYtu6j9jUAH6sDQ6FsBa4rEAlKcNJmikjz4/YZiIiOA4CiXwZzDAD1KbvU4orLTai9AWre6ynYcyl+J7IvYPaG16uFJ0QotWR7GtPPLaxvS7GX1P8ecQXJJvBDgJfKsREQi6xRJv99Q0r4l45JUmYkEdFMoDYVLVMUhSx5LQSjnK+1doIZGkenKI2eCJC72MPsM6XiPjBHRnEliNUzf1jTTi7mmnwsbEQ6YwMiXkK8NkgZigMEFfZrc5VGHmcawkcbr91O8crxWK22loS93J5KUC5HR7MsizSTyvMwZIRWq3Swts6cI7vqZTyhRvbTmduyiuGnTupuoPAIR6dnPZdCbuXFpKB5XTYQsWlzPnYXPspbqKUVQoKCAAudlxFVfbwF ``` ## Nmap Find OpenSSH version: `nmap -sV -p- 192.168.142.76` ``` Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-16 16:20 CET Nmap scan report for 192.168.142.76 Host is up (0.00067s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 80/tcp open http nginx 1.10.3 (Ubuntu) 3423/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 8080/tcp open http nginx 1.10.3 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 110.79 seconds ``` Idem with http headers/methods of the web server: `nmap --script http-headers --script http-methods 192.168.142.76` ``` Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-16 16:25 CET Nmap scan report for 192.168.142.76 Host is up (0.00036s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http | http-headers: | Server: nginx/1.10.3 (Ubuntu) | Date: Mon, 16 Dec 2019 15:25:12 GMT | Content-Type: text/html | Content-Length: 341 | Last-Modified: Wed, 04 Dec 2019 17:14:09 GMT | Connection: close | ETag: "5de7e961-155" | Accept-Ranges: bytes | |_ (Request type: HEAD) | http-methods: |_ Supported Methods: GET HEAD 8080/tcp open http-proxy | http-headers: | Server: nginx/1.10.3 (Ubuntu) | Date: Mon, 16 Dec 2019 15:25:12 GMT | Content-Type: text/html | Content-Length: 204 | Connection: close | WWW-Authenticate: Basic realm="Restricted Access" | |_ (Request type: GET) Nmap done: 1 IP address (1 host up) scanned in 5.03 seconds ``` List SSH able machines: `nmap -sS -p 22 --open 192.168.142.0/24` ``` Alias tip: _ nmap -sS -p 22 --open 192.168.142.0/24 Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-16 16:50 CET Nmap scan report for 192.168.142.2 Host is up (0.00042s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: 02:35:64:12:54:24 (Unknown) Nmap scan report for 192.168.142.3 Host is up (0.00051s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:52:34:43 (Intel Corporate) Nmap scan report for 192.168.142.11 Host is up (0.00027s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:52:32:F2 (Intel Corporate) Nmap scan report for 192.168.142.23 Host is up (0.00028s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B8:CA:3A:84:2A:5C (Dell) Nmap scan report for 192.168.142.39 Host is up (0.00032s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9B:18 (Intel Corporate) Nmap scan report for 192.168.142.41 Host is up (0.00019s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9B:14 (Intel Corporate) Nmap scan report for 192.168.142.49 Host is up (0.00039s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:52:34:49 (Intel Corporate) Nmap scan report for 192.168.142.79 Host is up (0.00045s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: 08:00:27:D4:8D:6A (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.142.83 Host is up (0.00022s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:52:33:E9 (Intel Corporate) Nmap scan report for 192.168.142.85 Host is up (0.0011s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: 08:00:27:A5:0D:BB (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.142.93 Host is up (0.00068s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: 08:00:27:85:CB:17 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.142.98 Host is up (0.00019s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9C:62 (Intel Corporate) Nmap scan report for 192.168.142.100 Host is up (0.00040s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:52:36:3C (Intel Corporate) Nmap scan report for 192.168.142.103 Host is up (0.00018s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:52:33:EA (Intel Corporate) Nmap scan report for 192.168.142.126 Host is up (0.00062s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: 08:00:27:7A:53:6C (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.142.128 Host is up (0.0013s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: 08:00:27:D5:73:82 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.142.146 Host is up (0.00036s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9A:FE (Intel Corporate) Nmap scan report for 192.168.142.147 Host is up (0.00034s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:52:36:41 (Intel Corporate) Nmap scan report for 192.168.142.152 Host is up (0.00029s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9C:3F (Intel Corporate) Nmap scan report for 192.168.142.153 Host is up (0.00030s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9B:F0 (Intel Corporate) Nmap scan report for 192.168.142.155 Host is up (0.00023s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:52:32:F2 (Intel Corporate) Nmap scan report for 192.168.142.157 Host is up (0.00033s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9C:5C (Intel Corporate) Nmap scan report for 192.168.142.159 Host is up (0.00019s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9C:5C (Intel Corporate) Nmap scan report for 192.168.142.160 Host is up (0.00028s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9C:3F (Intel Corporate) Nmap scan report for 192.168.142.171 Host is up (0.00022s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B8:CA:3A:84:20:96 (Dell) Nmap scan report for 192.168.142.198 Host is up (0.00063s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: 08:00:27:FF:50:E6 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.142.199 Host is up (0.00022s latency). PORT STATE SERVICE 22/tcp open ssh MAC Address: B4:96:91:47:9F:7B (Intel Corporate) Nmap done: 256 IP addresses (42 hosts up) scanned in 8.04 seconds ``` List broadcast services: `nmap --script broadcast 192.168.142.0/24` ``` Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-16 16:32 CET Pre-scan script results: | broadcast-avahi-dos: | Discovered hosts: | 224.0.0.251 | After NULL UDP avahi packet DoS (CVE-2011-1002). |_ Hosts are all up (not vulnerable). | broadcast-dns-service-discovery: | 224.0.0.251 | 2020/tcp teamviewer |_ Address=192.168.142.19 fe80::a887:e54b:af8:4fbb | broadcast-netbios-master-browser: |_ip server domain [...] ``` Look for vulnerabilities: `nmap --script vulners 192.168.142.76` ``` Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-16 16:48 CET Nmap scan report for 192.168.142.76 Host is up (0.00032s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 8080/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 4.70 seconds ``` ## fail2ban: We chose to enable (`enabled = true`) the following fail2ban filters: `sshd`, `sshd-ddos`, `nginx-botsearch`, `nginx-http-auth.conf`. ## Snort We installed snort and configured it according to our system. We enabled alert logging in `/var/log/snort`. It correctly detects port scanning, suspect traffic... We got the following alerts: ``` 12/18-15:54:43.515347 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.19:64166 -> 239.255.255.250:1900 12/18-15:54:44.516515 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.19:64166 -> 239.255.255.250:1900 12/18-15:54:48.561205 [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.142.148:57218 -> 192.168.142.76:161 12/18-15:54:48.661284 [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.142.148:57372 -> 192.168.142.76:161 12/18-15:54:55.570127 [**] [1:1420:11] SNMP trap tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.142.148:42962 -> 192.168.142.76:162 12/18-15:54:55.670303 [**] [1:1420:11] SNMP trap tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.142.148:43136 -> 192.168.142.76:162 12/18-15:54:59.117069 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:02.117402 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:05.117711 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:08.140576 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:11.141389 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:14.142139 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:19.817663 [**] [1:249:8] DDOS mstream client to handler [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.142.148:33364 -> 192.168.142.76:15104 12/18-15:55:19.917699 [**] [1:249:8] DDOS mstream client to handler [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.142.148:33588 -> 192.168.142.76:15104 12/18-15:55:43.448399 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:46.448894 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:49.449404 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:52.468782 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:55.468895 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:55:58.469216 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.70:57026 -> 239.255.255.250:1900 12/18-15:56:22.937255 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.142.148:46292 -> 192.168.142.76:705 12/18-15:56:23.037266 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.142.148:46620 -> 192.168.142.76:705 12/18-15:56:41.519081 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.19:64169 -> 239.255.255.250:1900 12/18-15:56:42.519876 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.19:64169 -> 239.255.255.250:1900 12/18-15:56:43.520097 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.19:64169 -> 239.255.255.250:1900 12/18-15:56:44.520962 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.142.19:64169 -> 239.255.255.250:1900 ``` Here is an example of a rule: ``` alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:6;) ``` `alert` means to log this as an alert. `tcp` means that it is looking for tcp. `$EXTERNAL_NET` means that it is looking for packets comming from an external network. `$SHELLCODE_PORTS` means that it is looking for packets comming form specific ports. `$HOME_NET` means that it is looking for packets comming towards the local network. `any` means that it is looking for packets comming towards any ports. The next part is the message, and what should be matched in order to create the alert.