issue #14 - Update information texts for endusers

AbuseIO · Mar 17, 2015 · 647ee4d · 647ee4d
1 parent d4efced
commit 647ee4d
Show file tree

Hide file tree

Showing 12 changed files with 342 additions and 66 deletions.
diff --git a/www/ash/infotext/en/Compromised_website.html b/www/ash/infotext/en/Compromised_website.html
@@ -42,26 +42,26 @@ <h2>Why would this be bad?</h2>
 
 <h2>Recommended action</h2>
 
-If your site has been hacked or infected with malware, you should act quickly to repair the 
+<p>If your site has been hacked or infected with malware, you should act quickly to repair the 
 damage. First take your entire website offline first. This is pretty impopulair, however if
 you consider the fact your might be leaking privacy information or infecting the
-systems of your visitors you want to act as quickly as possible.
+systems of your visitors you want to act as quickly as possible.</p>
 
-After you closed your website you will need to clean up the changed area's of your
-website.
+<p>After you closed your website you will need to clean up the changed area's of your
+website.</p>
 
 <h2>Tips how to resolve this matter</h2>
 
-The safest way to clean the hacked website is to delete it entirely and then upload
-a known clean version of it.
+<p>The safest way to clean the hacked website is to delete it entirely and then upload
+a known clean version of it.</p>
 
 <ul>
 <li>Look for files that have been changed recently or on times your developers are
 closed and not placing updates on the website<li>
 <li>Look in temporally folders for (executable) scripts</li>
 </ul>
 
-In addition future risk of compromise can be reduced by following these basic tips: 
+<p>In addition future risk of compromise can be reduced by following these basic tips: </p>
 
 <ul>
 <li>Keep software and all plug-ins updated. Whether you run popular content

diff --git a/www/ash/infotext/en/Open_DNS_Resolver.html b/www/ash/infotext/en/Open_DNS_Resolver.html
@@ -59,20 +59,20 @@ <h3>Bind 9.x Authoritative</h3>
 
 <p>For BIND 9.x authoritative servers, apply the following global options:
 <br>
-<code>
+<pre>
   options {
       recursion no;
       additional-from-cache no;
   };
-</code>
+</pre>
 <br>
 Beginning with BIND versions 9.4 and later, most configurations would default to a closed resolver. Those running earlier versions should upgrade if possible.<br>
 </p>
 
 <p><h3>Bind 9.x Caching</h3>
 
 For BIND 9.x caching servers, additionally create access control lists and use "views" to explicitly permit a limited set of source addresses from your trusted network issue queries to your caching server:
-<code>
+<pre>
   # example only, replace 192.0.2.0/24 a list of your CIDR blocks
   acl "trusted" {
       192.0.2.0/24;
@@ -90,7 +90,7 @@ <h3>Bind 9.x Authoritative</h3>
       recursion yes;
       additional-from-cache yes;
   };
-</code></p>
+</pre></p>
 
 <h3>Windows Systems</h3>
 

diff --git a/www/ash/infotext/en/Open_Microsoft_SQL_Server.html b/www/ash/infotext/en/Open_Microsoft_SQL_Server.html
@@ -28,8 +28,17 @@ <h2>Recommended action</h2>
 
 <h2>Tips to resolve this matter</h2>
 
-<p></p>
+<p>By default, Microsoft Windows enables the Windows Firewall, which closes port 
+1433 to prevent Internet computers from connecting to a default instance of SQL 
+Server on your computer. Connections to the default instance using TCP/IP are not 
+possible unless you reopen port 1433. If you need access from remote machines to
+your Microsoft SQL server, then only allow the required hosts and close down
+world wide accesss to the SQL server.</p>
+
+<p>Ports used by Microsoft are: TCP/1433, UDP/1434, TCP/1434, TCP/4022, TCP/135, TCP/2383.
+In addition the SQL Server uses a randomly assign dynamic port for named instance! </p>
 
 <h2>Getting more information</h2>
 
 
+<a href='https://msdn.microsoft.com/en-us/library/ms175043.aspx'>Configure a Windows Firewall for Database Engine Access</a><br>
diff --git a/www/ash/infotext/en/Open_NTP_Server.html b/www/ash/infotext/en/Open_NTP_Server.html
@@ -1,5 +1,10 @@
 <h2>What is an 'Open NTP Server'?</h2>
 
+<p>Network Time Protocol (NTP) is a networking protocol for clock 
+synchronization between computer systems over packet-switched, 
+variable-latency data networks. In operation since before 1985, NTP 
+is one of the oldest Internet protocols in current use.</p>
+
 <h2>Why would this be bad?</h2>
 
 <p>Running an open (UDP) service is not bad on its own and it is mostly
@@ -42,9 +47,44 @@ <h2>Recommended action</h2>
 
 <h2>Tips to resolve this matter</h2>
 
-<p></p>
+<h3>UNIX/Linux ntpd</h3>
+
+<p>The following configuration is for a UNIX/Linux machine to act as simply 
+an NTP client and never to allow NTP queries to it except from the loopback
+address:</p>
+
+<pre># by default act only as a basic NTP client
+restrict -4 default nomodify nopeer noquery notrap
+restrict -6 default nomodify nopeer noquery notrap
+# allow NTP messages from the loopback address, useful for debugging
+restrict 127.0.0.1
+restrict ::1
+# server(s) we time sync to
+server 192.0.2.1
+server 2001:DB8::1
+server time.example.net
+</pre>
+
+<p>You can use your standard host firewall filtering capabilities to limit
+who the NTP process talks to.  If you're using Linux and the host is acting
+as an NTP client only, the following iptables rules could be adapted to shield
+your NTP listener from unwanted remote hosts.</p>
+
+<pre>-A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT
+</pre>
+
+<p>Authentication with the reference NTP software on UNIX can be done using
+symmetric key encryption, much like in Cisco IOS and Juniper JUNOS, using
+MD5.  However, a public key-based approach called 'AutoKey' is also
+available, which is generally be considered to be even more secure.  For
+more information about these options, see the <a href="http://www.eecis.udel.edu/~mills/ntp/html/authopt.html" target="_blank">NTP
+authentication options page</a> and the <a href="http://support.ntp.org/bin/view/Support/ConfiguringAutokey" target="_blank">Configuring
+Autokey documentation</a>.</p>
+
 
 <h2>Getting more information</h2>
 
+<a href='http://www.team-cymru.org/secure-ntp-template.html'>Examples in securing a NTP service</a>
 <a href='http://www.internetsociety.org/sites/default/files/01_5.pdf'>Amplification Hell: Revisiting Network Protocols for DDoS Abuse</a>
 
diff --git a/www/ash/infotext/en/Open_Netbios_Server.html b/www/ash/infotext/en/Open_Netbios_Server.html
@@ -1,11 +1,40 @@
 <h2>What is an 'Open Netbios server'?</h2>
 
-<p>NetBIOS (Network Basic Input/Output System) is a program that allows applications 
-on different computers to communicate within a local area network (LAN). Its a 
-integrated part of Windows for use with for example File Sharing.</p>
+<p>NetBIOS is a transport protocol that Microsoft Windows systems use to share 
+resources.  For example, if a PC running Windows wants to connect to and access a 
+share on a file server, it probably uses NetBIOS.  There have been some changes in 
+recent days, however, that allow this connection without it.  SMB, the method used 
+to access file and printer shares, can also run independently of NetBIOS over TCP 
+ports 139 and 445.  Both of these approaches, however, tend to increase the attack 
+surface of a network.</p>
 
 <h2>Why would this be bad?</h2>
 
+<p>The ports that that are open to the Internet are UDP/137, UDP/138, and TCP/139. 
+Unfortunately, the most popular attacker target is NetBIOS and against these 
+ports.</p>
+
+<p>Once an attacker discovers an active port 139 on a device, he can run NBSTAT to 
+begin the very important first step of an attack—footprinting.  With the NBSTAT 
+command, he can obtain some or all of the following information:</p>
+
+<ul>
+<li>Computer name</li>
+<li>Contents of the remote name cache, including IP addresses</li>
+<li>A list of local NetBIOS names</li>
+<li>A list of names resolved by broadcast or via WINS</li>
+<li>Contents of the session table with the destination IP addresses</li>
+</ul>
+
+<p>With this information, the attacker has information about the OS, services, and major 
+applications running on the system. He also has private IP addresses that the LAN/WAN 
+and security engineers have tried hard to hide behind NAT.  And that’s not all.  The 
+lists provided by running NBSTAT also include user IDs.</p>
+
+<p>If null sessions are allowed against IPC$, it isn’t difficult to take the next step 
+and connect to the target device.  This connection provides a list of all available 
+shares.</p>
+
 <p>These services have the potential to be used in amplification attacks by criminals 
 that wish to perform denial of service attacks. In addition it opens up your system 
 to 0-day attacks or worm/virus infections that exploit a vulnarability in Windows to 
@@ -19,11 +48,28 @@ <h2>Recommended action</h2>
 something that uses Netbios. In all cases the administrator is unaware of these open 
 ports.</p>
 
+<p>If you really need NETBIOS open for the entire world, then ensure that the exposed 
+system(s) are hardened by:</p>
+<ul>
+<li>Disabling the system’s ability to support null sessions</li>
+<li>Defining very strong passwords for the local administrator accounts</li>
+<li>Defining very strong passwords for shares, assuming you absolutely have to have shares on exposed systems</li>
+<li>Keeping the Guest account disabled</li>
+<li>Under no circumstances allowing access to the root of a hard drive via a share</li>
+<li>Under no circumstances sharing the Windows or WinNT directories or any directory located beneath them</li>
+</ul>
+
 <h2>Tips to resolve this matter</h2>
 
-<p></p>
-
-<h2>Getting more information</h2>
+<p>In a privileged DOS box run the following commands:</p>
 
+netsh advfirewall firewall add rule name="NetBIOS UDP Port 137" dir=in action=deny protocol=UDP localport=137<br>
+netsh advfirewall firewall add rule name="NetBIOS UDP Port 137" dir=out action=deny protocol=UDP localport=137<br>
+netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=in action=deny protocol=UDP localport=138<br>
+netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=deny protocol=UDP localport=138<br>
+netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=deny protocol=TCP localport=139<br>
+netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=out action=deny protocol=TCP localport=139<br>
 
+<h2>Getting more information</h2>
 
+<a href='https://technet.microsoft.com/en-us/library/cc940063.aspx'>Microsoft NetBIOS Over TCP/IP guide</a>
diff --git a/www/ash/infotext/en/Open_QOTD_Server.html b/www/ash/infotext/en/Open_QOTD_Server.html
@@ -41,8 +41,29 @@ <h2>Recommended action</h2>
 
 <h2>Tips to resolve this matter</h2>
 
-<p></p>
+<h3>Unix/Linux</h3>
 
-<h2>Getting more information</h2>
+<p>To disable QOTD when started from inetd:</p>
+
+<ul>
+<li>Edit the /etc/inetd.conf (or equivalent) file.</li>
+<li>Locate the line that controls the qotd daemon.</li>
+<li>Type a # at the beginning of the line to comment out the daemon.</li>
+<li>Restart inetd.</li>
+</ul>
+
+<h3>Windows</h3>
+
+<p>Set the following registry keys to 0:</p>
+<pre>
+HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
+HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
+</pre>
+
+<p>Then launch cmd.exe and type the following commands to restart the service:</p>
+<pre>
+net stop simptcp
+net start simptcp
+</pre>
 
 
diff --git a/www/ash/infotext/en/Open_REDIS_Server.html b/www/ash/infotext/en/Open_REDIS_Server.html
@@ -1,42 +1,81 @@
 <h2>What is an 'Open REDIS Server'?</h2>
 
+<p>Redis clients communicate with the Redis server using a protocol called 
+RESP (REdis Serialization Protocol). While the protocol was designed 
+specifically for Redis, it can be used for other client-server software 
+projects.</p>
 
 <h2>Why would this be bad?</h2>
 
-<p>Running an open (UDP) service is not bad on its own and it is mostly
-a required dependancy when installing a system.
-Unfortunately, hackers have also found this feature useful in performing a
-special type of DDoS attack called a 'Amplification Attack'.</p>
+<p>Redis is designed to be accessed by trusted clients inside trusted environments. 
+This means that usually it is not a good idea to expose the Redis instance 
+directly to the internet or, in general, to an environment where untrusted 
+clients can directly access the Redis TCP port or UNIX socket.</p>
 
-<p>The attacker sends a packet apparently from the intended victim to some
-server on the Internet that will reply immediately. Because the source
-IP address is forged, the remote Internet server replies and sends data
-to the victim.</p>
+<p>For instance, in the common context of a web application implemented using 
+Redis as a database, cache, or messaging system, the clients inside the 
+frontend (web side) of the application will query Redis to generate pages or 
+to perform operations requested or triggered by the web application user.</p>
 
-<p>That has two effects: the actual source of the attack is hidden and is
-very hard to trace, and, if many Internet servers are used, an attack
-can consist of an overwhelming number of packets hitting a victim from
-all over the world.</p>
+<p>In this case, the web application mediates access between Redis and untrusted 
+clients (the user browsers accessing the web application). This is a specific 
+example, but, in general, untrusted access to Redis should always be mediated 
+by a layer implementing ACLs, validating user input, and deciding what 
+operations to perform against the Redis instance. In general, Redis is not 
+optimized for maximum security but for maximum performance and simplicity.</p>
 
-<p>But what makes reflection attacks really powerful is when they are
-also amplified: when a small forged packet elicits a large reply from
-the server (or servers). In that case, an attacker can send a small
-packet "from" a forged source IP address and have the server (or
-servers) send large replies to the victim.</p>
-
-<p>Amplification attacks like that result in an attacker turning a small
-amount of bandwidth coming from a small number of machines into a massive
-traffic load hitting a victim from around the Internet.</p>
+<h2>Recommended action</h2>
 
+<p>Access to the Redis port should be denied to everybody but trusted clients in 
+the network, so the servers running Redis should be directly accessible only 
+by the computers implementing the application using Redis.</p>
 
-<h2>Recommended action</h2>
+<p>In the common case of a single computer directly exposed to the internet, such 
+as a virtualized Linux instance (Linode, EC2, ...), the Redis port should be 
+firewalled to prevent access from the outside. Clients will still be able to 
+access Redis using the loopback interface.</p>
 
 <p></p>
 
 <h2>Tips to resolve this matter</h2>
 
-<p></p>
+<h3>Firewalling remote access</h3>
 
-<h2>Getting more information</h2>
+<p>Simplest way is to block the default port TCP/6379 (or whatever port is listed
+in the report) and only allow IP's that should actually have access to this service.</p>
+
+<h3>Blocking remote access</h3>
+
+<p>It is possible to bind Redis to a single interface by adding a line like the following to the redis.conf file:</p>
+
+<pre>
+    bind 127.0.0.1
+</pre>
 
+<h3>Enabling Authentication feature</h3>
+
+<p>While Redis does not try to implement Access Control, it provides a tiny layer 
+of authentication that is optionally turned on editing the redis.conf file. When 
+the authorization layer is enabled, Redis will refuse any query by unauthenticated 
+clients. A client can authenticate itself by sending the AUTH command followed by 
+the password.</p>
+
+<p>The password is set by the system administrator in clear text inside the redis.conf 
+file. It should be long enough to prevent brute force attacks for two reasons:</p>
+
+<ul>
+<li>Redis is very fast at serving queries. Many passwords per second can be tested by an external client.</li>
+<li>The Redis password is stored inside the redis.conf file and inside the client configuration, so it does not need to be remembered by the system administrator, and thus it can be very long.</li>
+</ul>
+
+<p>The goal of the authentication layer is to optionally provide a layer of redundancy. 
+If firewalling or any other system implemented to protect Redis from external attackers 
+fail, an external client will still not be able to access the Redis instance without 
+knowledge of the authentication password. The AUTH command, like every other Redis 
+command, is sent unencrypted, so it does not protect against an attacker that has 
+enough access to the network to perform eavesdropping.</p>
+
+
+<h2>Getting more information</h2>
 
+<a href='http://redis.io/topics/security'>Redis Security advisory</a><br>