Wednesday, March 23, 2016

Setting up monit on Ubuntu

Monit watches your server around the clock and can:

* monitor running services and stop, start or restart them
* send email alerts
* act on resource thresholds (CPU, RAM, disk) and other cut-off values you define per service


Install::
/home/ubuntu# apt-get install monit
/etc/monit/conf.d# /etc/init.d/monit restart
 * Restarting daemon monitor monit     

/etc/monit/conf.d# service monit status
 * monit is running


Monit configuration file :: /etc/monit/monitrc

/etc/monit/conf.d# monit status
monit: error connecting to the monit daemon
You will see this error the first time you run the monit client.

Monit has an embedded web server (httpd) that serves a status page for the monitored services and is also the channel the monit command-line client (monit status, monit summary) uses to talk to the daemon. It is disabled in the stock configuration, which is why the client cannot connect. Enabling the web server in the monit configuration file fixes the error.

Open /etc/monit/monitrc and add (or uncomment) the following lines in the section that enables the web server:

set httpd port 2812 and
use address localhost
allow localhost
allow admin:monit

Binding to localhost keeps the interface off the network; if you ever change 'use address' to a reachable address, put it behind a firewall or TLS first. The admin:monit pair is the example credential shipped in the stock monitrc, so replace the password with one of your own. Monit also refuses to start when monitrc is readable by group or others, since the file now carries those credentials, so keep it at mode 0700.

/etc/monit/conf.d# /etc/init.d/monit restart
 * Restarting daemon monitor monit

/etc/monit/conf.d# netstat -lpn | grep 2812
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN      418/monit


root@ip-172-31-56-245:/etc/monit/conf.d# monit summary
The Monit daemon 5.6 uptime: 0m

Process 'mysqld'                    Running
System 'ip-172-31-56-245.ec2.internal' Running

Now see what happens when the mysql service is down. With mysql stopped, confirm its status:

 /etc/monit/conf.d# service mysql status
mysql stop/waiting

root@ip-172-31-56-245:/etc/monit/conf.d# monit summary
The Monit daemon 5.6 uptime: 1m

Process 'mysqld'                    Does not exist
System 'ip-172-31-56-245.ec2.internal' Running

After a few minutes (about five in this run) monit notices the missing process and restarts the mysql service automatically. How quickly it reacts depends on the poll interval configured with 'set daemon' in monitrc and on the restart rules in the mysqld check.

root@ip-172-31-56-245:/etc/monit/conf.d# monit summary
The Monit daemon 5.6 uptime: 5m

Process 'mysqld'                    Running
System 'ip-172-31-56-245.ec2.internal' Running
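The summary above shows a Process 'mysqld' entry, so a check for mysqld must already exist under /etc/monit/conf.d, but the post does not show it. The script below is an added example written for this page, not the post's own configuration: it renders such a check (the pidfile, socket path, service commands and thresholds are assumptions for the mysql-server package on Ubuntu 14.04), and adds two checks on monitrc itself that a practitioner wants: the file mode, which monit requires to be 0700 or stricter, and whether the stock admin:monit credential is still in place.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the mysqld check that
# gives monit something to restart, and checks two things about monitrc that
# bite in practice. Paths, commands and thresholds are assumptions for the
# mysql-server package on Ubuntu 14.04; adjust them for your host.

# Print the check to stdout so it can be reviewed before it lands in
# /etc/monit/conf.d/mysql.
render_mysql_check() {
    cat <<'EOF'
check process mysqld with pidfile /var/run/mysqld/mysqld.pid
  start program = "/usr/sbin/service mysql start"
  stop program  = "/usr/sbin/service mysql stop"
  # liveness, not just a pid: the socket must accept a connection
  if failed unixsocket /var/run/mysqld/mysqld.sock then restart
  # resource cut-offs (assumed thresholds)
  if cpu > 80% for 5 cycles then alert
  if totalmem > 1024 MB for 5 cycles then restart
  # stop flapping: after 5 restarts in 5 cycles, unmonitor and alert instead
  if 5 restarts within 5 cycles then timeout
EOF
}

# monit refuses to start when its control file is readable by group or
# others, because monitrc holds the web-interface credentials.
# Returns 0 when the mode is 0700 or stricter, 1 otherwise.
monitrc_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        700|600|500|400|300|200|100) return 0 ;;
        *) return 1 ;;
    esac
}

# admin:monit is the example credential from the stock monitrc and is public
# knowledge; flag it even though the listener is bound to localhost.
# Returns 0 when the default credential is still present.
uses_default_credentials() {
    grep -Eq '^[[:space:]]*allow[[:space:]]+admin:monit([[:space:]]|$)' "$1"
}

# Install the check and reload monit. Needs root and a running monit, so it is
# not invoked here; run it by hand after reviewing render_mysql_check output.
# monit -t syntax-checks the whole configuration before the daemon reloads it.
install_mysql_check() {
    render_mysql_check > /etc/monit/conf.d/mysql &&
    monit -t &&
    monit reload
}
```

Run render_mysql_check first and read the output; install_mysql_check writes it into /etc/monit/conf.d/mysql and runs monit -t before reloading, so a syntax error never reaches the running daemon. The 'timeout' action on repeated restarts keeps monit from restarting a crash-looping mysqld forever and raises an alert instead.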

Wednesday, March 2, 2016

DROWN - Decrypting RSA using Obsolete and Weakened eNcryption


This post describes the DROWN vulnerability, the affected operating systems, and the steps for identifying and remediating it.
 
DROWN is a serious vulnerability that affects HTTPS and any other service that relies on SSL/TLS. The weakness is SSLv2: an attacker who can record TLS connections to a server, and who can also open SSLv2 connections to any server that uses the same RSA private key, can use that SSLv2 server as a decryption oracle and recover the TLS session keys. That exposes whatever the session carried, including passwords, credit card numbers, trade secrets or financial data.


At disclosure a large share of HTTPS sites were exposed to DROWN; the author's own checks found yahoo, icicibank and snapdeal among them.

DROWN itself is tracked as CVE-2016-0800.


What is exposed:
- Any server that still accepts SSLv2 (Secure Sockets Layer protocol version 2.0) connections.
- TLS (Transport Layer Security) sessions, versions 1.0 to 1.2, to a server whose RSA key is reachable through SSLv2; the TLS side is attacked through the SSLv2 oracle even though TLS itself is not broken.
- Services that do not speak SSLv2 at all but share their RSA key or certificate with a service that does (a web server sharing a certificate with a mail server, for example).


Two OpenSSL bugs make the attack far cheaper ("special DROWN", feasible in about a minute on a single machine instead of hours of cloud compute):
CVE-2016-0703 : divide-and-conquer session key recovery in SSLv2
CVE-2016-0704 : a Bleichenbacher oracle in SSLv2
Both affected OpenSSL 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions, and were fixed in 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf (March 2015). A server on one of the fixed versions is still exposed to general DROWN as long as SSLv2 remains enabled.


The following Red Hat Enterprise Linux releases (and the matching CentOS releases) ship an affected OpenSSL:
Red Hat Enterprise Linux 4*
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7


Ubuntu 14.04 (whose OpenSSL is built without SSLv2 support) and the Amazon Linux AMI on AWS are not affected by DROWN. Remember, though, that an unaffected OS only protects a server whose RSA key is not also used by some other host that still accepts SSLv2.


How to check whether your server is vulnerable:
Red Hat provides a script for this. Download it from https://access.redhat.com/labs/drown/DROWN-test.sh

Or check a public hostname at https://test.drownattack.com

# wget https://access.redhat.com/labs/drown/DROWN-test.sh
# chmod 755 DROWN-test.sh
# ./DROWN-test.sh

Note that the Red Hat script only compares installed package versions. It does not probe the running services, and it cannot tell you whether the same RSA key is also used by another host that still speaks SSLv2.

WARNING: The installed version of openssl (openssl-1.0.1e-30.el6_6.5) is vulnerable to both general and special DROWN attack and should be upgraded!
See https://access.redhat.com/security/vulnerabilities/drown for more information.

The installed version of openssl-libs (package openssl-libs is not installed) is not vulnerable to DROWN.


===========================
]# yum info openssl
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 30.el6_6.5
Size        : 4.0 M
Repo        : installed


Available Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 42.el6_7.4
================================================


Red Hat fixed OpenSSL packages (install at least the listed build for your release):

Product                                          Fixed package                                              Advisory
Red Hat Enterprise Linux 4                       openssl-0.9.7a-43.23.el4                                   RHSA-2016:0306
Red Hat Enterprise Linux 5                       openssl-0.9.8e-39.el5_11                                   RHSA-2016:0302
Red Hat Enterprise Linux 5.6                     openssl-0.9.8e-12.el5_6.13                                 RHSA-2016:0304
Red Hat Enterprise Linux 5.9                     openssl-0.9.8e-26.el5_9.5                                  RHSA-2016:0304
Red Hat Enterprise Linux 6                       openssl-1.0.1e-42.el6_7.4                                  RHSA-2016:0301
Red Hat Enterprise Linux 6.2                     openssl-1.0.0-20.el6_2.8                                   RHSA-2016:0303
Red Hat Enterprise Linux 6.4                     openssl-1.0.0-27.el6_4.5                                   RHSA-2016:0303
Red Hat Enterprise Linux 6.5                     openssl-1.0.1e-16.el6_5.16                                 RHSA-2016:0303
Red Hat Enterprise Linux 6.6                     openssl-1.0.1e-30.el6_6.12                                 RHSA-2016:0305
Red Hat Enterprise Linux 7                       openssl-1.0.1e-51.el7_2.4                                  RHSA-2016:0301
Red Hat Enterprise Linux 7.1                     openssl-1.0.1e-42.el7_1.10, openssl-1.0.1e-42.ael7b_1.10   RHSA-2016:0305
Red Hat JBoss Web Server 2                       openssl                                                    Patch Pending
Red Hat JBoss Web Server 3                       openssl                                                    Patch Pending
Red Hat JBoss Enterprise Application Platform 6  openssl                                                    Patch Pending



==================================================


Follow the steps below to disable SSLv2 on an AWS Elastic Load Balancer. The ELB terminates TLS itself, so this matters even when the instances behind it are fully patched:

- Select your load balancer (EC2 > Load Balancers).
- In the Listeners tab, click "Change" in the Cipher column.
- Ensure that the radio button for "Predefined Security Policy" is selected.
- In the dropdown, select the "ELBSecurityPolicy-2015-05" policy (the current predefined policies all exclude SSLv2; 2015-05 was the recommended one when this was written).
- Click "Save" to apply the settings to the listener.
- Repeat these steps for each HTTPS or SSL listener on each load balancer.


Fixing DROWN on a CentOS or RHEL (rpm-based) server:


1. Upgrade openssl
yum update openssl
2. Check that the fix is recorded in the package changelog
rpm -q --changelog openssl | grep CVE-2016-0800
3. Restart every service that links against libssl (httpd, nginx, postfix, dovecot, haproxy and so on), or reboot. A running process keeps the old library mapped in memory until it is restarted, so the update alone does not protect it.

OR

Run Red Hat's DROWN-test.sh again.

 

A patched system will show

 [/usr/local/src]# ./DROWN-test.sh
The installed version of openssl (openssl-1.0.1e-42.el6_7.4.x86_64) is not known to be vulnerable to DROWN.
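Reading release strings like 30.el6_6.5 against 42.el6_7.4 by eye is error-prone, and the Red Hat script only looks at package versions. The script below is an added example written for this page, not Red Hat's tool: it compares an installed openssl build with the fixed build from the advisory table above in version order, and separately asks the local openssl whether it still lists any SSLv2 cipher suites. The installed build strings in the comments are the ones from the yum output earlier; the stream names (rhel6, rhel6.6, ...) are labels chosen here, not Red Hat identifiers.

```shell
#!/bin/sh
# Added example (not from the original post). Compares an installed openssl
# build with the fixed build from the Red Hat advisory table above, using
# version order rather than string order, and checks whether the local libssl
# can still speak SSLv2 at all. The sample build strings in the comments are
# the ones shown in the yum output earlier on this page.

# Version-release of the installed openssl package, e.g. 1.0.1e-30.el6_6.5
installed_openssl_build() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
}

# Return 0 if $1 sorts before $2 in version order, i.e. $1 is older.
# GNU sort -V compares digit runs numerically, so 30.el6_6.5 < 30.el6_6.12,
# which plain string comparison gets wrong. It approximates rpm's own ordering
# (no epoch or tilde handling), which is enough for the builds in the table.
version_older() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Fixed build per product stream, copied from the table above. EUS streams
# (6.5, 6.6, 7.1, ...) patch their own branch, so pick the stream the host is
# actually subscribed to, not the one its current release tag resembles.
fixed_build_for() {
    case "$1" in
        rhel4)   echo 0.9.7a-43.23.el4 ;;
        rhel5)   echo 0.9.8e-39.el5_11 ;;
        rhel5.6) echo 0.9.8e-12.el5_6.13 ;;
        rhel5.9) echo 0.9.8e-26.el5_9.5 ;;
        rhel6)   echo 1.0.1e-42.el6_7.4 ;;
        rhel6.2) echo 1.0.0-20.el6_2.8 ;;
        rhel6.4) echo 1.0.0-27.el6_4.5 ;;
        rhel6.5) echo 1.0.1e-16.el6_5.16 ;;
        rhel6.6) echo 1.0.1e-30.el6_6.12 ;;
        rhel7)   echo 1.0.1e-51.el7_2.4 ;;
        rhel7.1) echo 1.0.1e-42.el7_1.10 ;;   # x86_64; POWER8 LE uses ael7b_1.10
        *)       return 1 ;;
    esac
}

# Print vulnerable / fixed / unknown-stream for an installed build and stream.
# Exit status mirrors the verdict: 0 fixed, 1 vulnerable, 2 unknown stream.
openssl_drown_status() {
    fixed=$(fixed_build_for "$2") || { echo unknown-stream; return 2; }
    if version_older "$1" "$fixed"; then
        echo vulnerable
        return 1
    fi
    echo fixed
}

# The advisory script only compares package versions. This looks at the
# library itself: a build with SSLv2 disabled lists no SSLv2 cipher suites.
# Returns 0 when SSLv2 suites are present, 1 when absent, 2 with no openssl CLI.
local_libssl_has_sslv2() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl ciphers -v 'ALL:COMPLEMENTOFALL' 2>/dev/null | awk '$2 == "SSLv2"' | grep -q .
}

# Usage: sh drown-check.sh <installed-build> <stream>, for example
#   sh drown-check.sh "$(installed_openssl_build)" rhel6
if [ $# -eq 2 ]; then
    openssl_drown_status "$1" "$2"
fi
```

Pick the stream the host is subscribed to: a mainline RHEL 6 host at 1.0.1e-30.el6_6.5 is compared against 1.0.1e-42.el6_7.4, while an Extended Update Support 6.6 host is compared against 1.0.1e-30.el6_6.12; both verdicts are "vulnerable" for the build in the yum output above. A "fixed" verdict still needs the services restarted, and says nothing about other hosts that share the same RSA key.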