
Instagram lottery-winning fraud claims thousands of victims

Social networking sites are regularly the target of account hijacking, but Instagram has now seen a different face of internet abuse: social engineering. You will have seen spam emails that lure readers into clicking a link with the promise of lottery winnings, jobs or discount offers; over the last few days Symantec has observed the same pattern being run on Instagram by scammers.

Instagram scammers are posting images of fake lottery winnings. The same accounts have persuaded users to share the posts, hand over personal information and send money to the scammers.

Most of the victims were in the USA and the UK. The scammers offered $1,000 to Instagram users who followed them and left a comment containing their email address. Below is an image of Instagram accounts posing as real-life lottery winners.

Most of the scam accounts attracted between 5,000 and 10,000 followers. Once the response was large enough, the scammers announced a new Instagram account named “accountant” that would deliver the $1,000. That account asked users to send a $0.99 “postage” charge to process the large payment. Some users paid it, and many more revealed their email addresses to the scammers. Below is an image of the fake accountant asking users for money.

The main objective of the campaign was to amass account details and email addresses for the scammers' own use or for resale. The scammers also changed the avatar, user name and biography of their accounts as the campaign progressed.

The scammers cycled through accounts: after one was shut down, the impersonated account reappeared with a few followers. Although these accounts were bogus, users still hoped that following them would earn the $1,000. Below is an Instagram account that reappeared with only a few followers.

Symantec has published the following precautions against this type of scam:

  • Do not blindly trust everything you see on social media.
  • Question any offer of this kind before acting on it.
  • Do not reveal your personal information.
  • Do not send money to people you do not know.

How to defend against the “zero-day virus” family

Virus writers have learned how to get past antivirus programs. They do it by changing the virus code slightly so that it has a new “signature”. Signature matching is the traditional way antivirus programs detect viruses; a virus with a new signature is unknown to the antivirus program and gets onto the computer easily.

Once it is on the computer, it can do several things:

  1. Scan the computer and steal important documents.
  2. Act as a bridgehead and download further malware.
  3. Install itself so that it runs every time the computer boots.
  4. Record every keystroke, conversation and login made on the computer and transmit it to the criminals behind it.

The life expectancy of such a virus is about three weeks, the time it takes for antivirus updates to reach every computer in the world. By then the virus writer has released a new (and again unknown) version.

Because antivirus has this inherent flaw, many solutions are being developed to close the “zero-day virus gap”. The common ones place a monitoring program on the computer that watches its activity and sends suspicious incidents to the network administrator; the incidents are evaluated with a “behavioural approach” that tries to decide whether an incident indicates a virus infection. Other solutions plant traps on the computer and wait for a virus to trigger the alarm. Most of these solutions are aimed at the enterprise market and require professional staff to handle the alerts.

“Magen – Malware Vigilance” was developed for the home market. It alerts users to a possible malware infection and lets them disable the threat before significant damage is done. Magen is an alarm system, not an antivirus: it does not block, erase or dismantle viruses, but specializes in detecting new programs establishing themselves on the computer and bringing them to the owner's attention for scrutiny.

Magen's detection algorithm is efficient and patent pending. It alerts on every program that installs itself on the computer, that is, every program that has configured itself to start automatically.

Using Magen brings significant changes on the computer to the user's attention and lets them stay in control of their computer hygiene. From time to time it reveals legitimate program updates that install new services without telling the owner and without a good reason for doing so. I consider such updates to be immoral, and the information Magen conveys allows people to remove the undesired intrusion.

“Decent” spyware can inflict significant damage on its victim: from paedophiles who get into kids' bedrooms to cyber criminals who take out a home mortgage in other people's names.

In the following example a virus arrives as an email attachment (image: email with virus attachment).

The virus triggers the following alert (image: malware alert).

Pressing “more…” reveals the program's properties (image: detailed view of the malware alert).

Googling for msxurpk.exe returns no results, and together with the remaining properties it is quite evident that this is most likely a virus. The best way to disable the threat is to click the “system restore” button and restore the operating system to a restore point earlier than the detection date (in our case 2 March 2014). Note that System Restore only rolls back system files, the registry and installed programs; the infected email is still in the mailbox afterwards, so the attachment must not be opened again.

In these times, when people spend many hours online, it is essential to be “malware vigilant” and protect your computer from the “zero-day viruses” that pass through the antivirus.

Samples of infections and how they are revealed can be seen on the Cyber-Dome YouTube channel.

Magen can be downloaded and tested free for 45 days.

Hardening guide for NGINX 1.5.8 on RedHat 6.4 (64bit edition)

This document explains the process of installing, configuring and hardening an NGINX server built from source, based on a default CentOS 6.4 installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks.

Note: OpenSSL 1.0.1e, the release used throughout this guide, was current when the guide was written but is affected by the Heartbleed bug (CVE-2014-0160, fixed in 1.0.1g). Substitute the latest 1.0.1 release or later wherever 1.0.1e appears below.

Some of the features described in this document are supported only by certain Internet browsers:

  • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (disabled by default; must be enabled), Firefox 24.0 (disabled by default; must be enabled), Chrome 30, Opera 17, Safari 5.0
    Installation Phase

  1. Log in to the server as root
  2. Install pre-requirement packages:
    yum install policycoreutils-python-* -y
    yum install setools-libs-* -y
    yum install libcgroup-* -y
    yum install audit-libs-python-* -y
    yum install libsemanage-python-* -y
    yum install setools-libs-python-* -y
    yum install gcc* -y
  3. Create a new account:
    groupadd nginx
    useradd -g nginx -d /dev/null -s /sbin/nologin nginx
  4. Upgrade the OpenSSL build:
    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
    yum --enablerepo=axivo update openssl -y
    Note: --nosignature installs a third-party repository package without GPG verification, and the URL is plain HTTP; verify the package out of band before trusting it, or use the vendor's own OpenSSL errata instead. This update only affects the system OpenSSL library and command-line tool (used in the SSL phase); nginx itself is built against the source tree downloaded in the next step.
  5. Download Openssl source files:
    cd /opt
    wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
  6. Extract Openssl source files:
    tar zxvf /opt/openssl-1.0.1e.tar.gz -C /opt
  7. Remove Openssl source file:
    rm -rf /opt/openssl-1.0.1e.tar.gz
  8. Download PCRE source file into /tmp, from:
    http://sourceforge.net/projects/pcre/files/pcre/
  9. Compile PCRE from source file:
    tar zxvf /tmp/pcre-8.34.tar.gz -C /tmp
    mv /tmp/pcre-8.34 /usr/local/pcre
    cd /usr/local/pcre
    ./configure --prefix=/usr/local/pcre
    make
    make install
  10. Remove PCRE package:
    rm -rf /tmp/pcre-8.34.tar.gz
  11. Download Nginx 1.5.8:
    cd /tmp
    wget http://nginx.org/download/nginx-1.5.8.tar.gz
  12. Extract the nginx-1.5.8.tar.gz file:
    tar -zxvf /tmp/nginx-1.5.8.tar.gz -C /tmp
  13. Move to the Nginx source folder:
    cd /tmp/nginx-1.5.8
  14. Edit using VI the file /tmp/nginx-1.5.8/src/http/ngx_http_header_filter_module.c and replace the following section, from:
    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
    To:
    static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
    static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;
    Note: NGINX_VER is dropped from the full string as well, so the version cannot leak even if server_tokens is later switched back on.
  15. Run the commands bellow to compile the Nginx environment:
    ./configure --with-openssl=/opt/openssl-1.0.1e --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --with-pcre=/usr/local/pcre
    Note: The command above should be written as one line.
    make
    make install
  16. Remove the Nginx source files:
    cd /
    rm -rf /tmp/nginx-1.5.8
    rm -f /tmp/nginx-1.5.8.tar.gz
  17. Remove Default Content
    rm -rf /usr/local/nginx/html
  18. Update ownership and permissions on the Nginx folders (the master process runs as root and only needs to read the configuration; directories must keep the execute bit to remain traversable, so files and directories get different modes):
    chown -R root:root /usr/local/nginx
    chmod 750 /usr/local/nginx/sbin/nginx
    find /usr/local/nginx/conf -type d -exec chmod 750 {} \;
    find /usr/local/nginx/conf -type f -exec chmod 640 {} \;
    chmod -R 770 /usr/local/nginx/logs
  19. Create folder for the web content:
    mkdir -p /www
  20. Update ownership and permissions on the web content folder (the nginx worker only needs read access, so no write bit for group or others):
    chown -R root:root /www
    chmod -R 755 /www
  21. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
    From:
    #user nobody;
    To:
    user nginx nginx;

    From:
    #error_log logs/error.log notice;
    To:
    error_log logs/error.log notice;

    From:
    server_name localhost;
    To:
    server_name Server_FQDN;
    Note: Replace Server_FQDN with the actual server DNS name.

    From:
    root html;
    To:
    root /www;

  22. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file (inside the http block, before the final “}” character):
    ## turn off nginx version number ##
    server_tokens off;
    ## Size Limits & Buffer Overflows ##
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 2k;
    ## Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
    Note: client_max_body_size 1k makes nginx answer any request with a body larger than 1 KB with 413 Request Entity Too Large; raise it if the site accepts form posts or uploads. A 2k header buffer is also tight for browsers that send large cookies.
  23. Create using VI, the file /etc/init.d/nginx with the following content:
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig: - 85 15
    # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
    # proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config: /usr/local/nginx/conf/nginx.conf
    # config: /etc/sysconfig/nginx
    # pidfile: /var/run/nginx.pid
    # Source function library.
    . /etc/rc.d/init.d/functions
    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/sbin/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
    }

    stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
    }

    restart() {
    configtest || return $?
    stop
    sleep 1
    start
    }

    reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
    }

    force_reload() {
    restart
    }

    configtest() {
    $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
    status $prog
    }

    rh_status_q() {
    rh_status >/dev/null 2>&1
    }

    case "$1" in
    start)
    rh_status_q && exit 0
    $1
    ;;
    stop)
    rh_status_q || exit 0
    $1
    ;;
    restart|configtest)
    $1
    ;;
    reload)
    rh_status_q || exit 7
    $1
    ;;
    force-reload)
    force_reload
    ;;
    status)
    rh_status
    ;;
    condrestart|try-restart)
    rh_status_q || exit 0
    restart
    ;;
    *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
    exit 2
    esac

  24. Change the permissions of the file /etc/init.d/nginx
    chmod +x /etc/init.d/nginx
  25. To start Nginx service at server start-up, run the command:
    chkconfig nginx on
  26. To manually start the Nginx service, use the command:
    /etc/init.d/nginx start
  27. Configure IPTables (add the loopback and established-connection rules first and set the DROP policy last; if the policy is set first from an SSH session, that session is cut off before the rule allowing it exists):
    service iptables stop
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -P INPUT DROP

  28. Allow SSH access from the internal segment (e.g. 10.0.0.0/8):
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
  29. Allow HTTP access from the Internet on the public interface (e.g. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name.
  30. Save the IPTables settings:
    service iptables save
    SSL Configuration Phase

  1. Log in to the server as root.
  2. Create a folder for the SSL certificate files (root only; the directory needs the execute bit to be traversable):
    mkdir -p /usr/local/nginx/ssl
    chmod 700 /usr/local/nginx/ssl
  3. Run the command below to generate the private key:
    /usr/bin/openssl genrsa -aes256 -out /usr/local/nginx/ssl/server-sec.key 2048
    Note: Specify a complex pass phrase for the private key (and document it).
  4. Run the command below to generate the CSR from that key (you will be prompted for the pass phrase):
    /usr/bin/openssl req -new -sha256 -key /usr/local/nginx/ssl/server-sec.key -out /tmp/server.csr
    Note: The command above should be written as one line. Do not add -newkey or -nodes here: they would generate a second key instead of using the one from step 3, and -days has no effect on a CSR (the validity period is set by the CA).
  5. Send the file /tmp/server.csr to a Certificate Authority.
  6. As soon as you receive the signed certificate from the CA via email, copy all lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” (including those two lines) into a text editor and save the file as “server.crt”.
  7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
  10. Combine the server certificate (server.crt) and the Root CA chain (ca-bundle.crt) into one file. nginx requires the server certificate first, followed by the intermediate certificates; in the reverse order the handshake fails or the wrong certificate is presented:
    cat /usr/local/nginx/ssl/server.crt /usr/local/nginx/ssl/ca-bundle.crt > /usr/local/nginx/ssl/server.pem
    Note: The command above should be written as one line.
  11. Remove the pass phrase from the private key (nginx must read the key unattended at start-up; the copy without a pass phrase is protected by the root-only permissions on the ssl folder, and server-sec.key remains as the protected backup):
    /usr/bin/openssl rsa -in /usr/local/nginx/ssl/server-sec.key -out /usr/local/nginx/ssl/server.key
    Note: The command above should be written as one line.
  12. Remove the original “server.crt”, “server.csr” and “ca-bundle.crt” files:
    rm -f /tmp/server.csr
    rm -f /usr/local/nginx/ssl/server.crt
    rm -f /usr/local/nginx/ssl/ca-bundle.crt
  13. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section below, from:
    # HTTPS server
    #
    #server {
    # listen 443 ssl;
    # server_name localhost;
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}
    To:
    # HTTPS server
    #
    server {
    listen 443;
    server_name Server_FQDN;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/server.pem;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    ssl_prefer_server_ciphers on;
    # HTTP Strict Transport Security (the "always" parameter of add_header needs nginx 1.7.5 or later) #
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    # X-Frame-Options header #
    add_header X-Frame-Options SAMEORIGIN;
    location / {
    root /www;
    index index.html index.htm;
    }
    }
    Note: Replace Server_FQDN with the actual server DNS name. The ChaCha20-Poly1305 suites in ssl_ciphers only exist from OpenSSL 1.1.0; OpenSSL 1.0.1 silently ignores cipher names it does not know, so they do no harm here but have no effect either. TLS 1.0 and 1.1 and the 3DES (DES-CBC3) suites are kept only for the old browsers listed at the top of this guide; remove them once those clients are no longer needed.
  14. Configure IPTables – allow HTTPS access from the Internet on the public interface (e.g. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name.
  15. Remove HTTP access from the Internet on the public interface (e.g. eth0):
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name.
  16. Save the IPTables settings:
    service iptables save
  17. Restart nginx:
    service nginx restart
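The order in step 10 is easy to get wrong, and a key that still carries a pass phrase or a bundle whose first certificate belongs to a different key only shows up when nginx refuses to start in step 17. The script below is an added example, not part of the original guide, that checks the files produced by this SSL phase before the restart. It applies equally to the Apache guide further down, where the server certificate and the chain are separate files and can be concatenated on the fly (cat server.crt server-ca.crt) for the check. It assumes only the openssl command-line tool; the paths in the usage comment are the ones this guide uses. probe_tls talks to the running server after the restart and greps the session summary that openssl s_client prints, so it is not exercised offline.

```shell
#!/bin/sh
# check_tls_files.sh - added example, not part of the original guide.
# Verifies the files prepared in the SSL phase before the web server is restarted:
#   1. the private key loads without a pass phrase (a protected key blocks an unattended start),
#   2. the first certificate in the bundle belongs to that key,
#   3. every following certificate is the issuer of the one before it (leaf first, then the chain).
# Usage: check_chain_order BUNDLE.pem PRIVATE.key

check_chain_order() {
    bundle=$1
    key=$2
    tmp=$(mktemp -d) || return 2
    # split the bundle into cert.1, cert.2, ... in the order the certificates appear
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                       n >= 1 { print > (dir "/cert." n) }' "$bundle"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$count" -lt 1 ]; then
        echo "$bundle: no certificate found" >&2
        rm -rf "$tmp"; return 1
    fi
    # 1. an empty pass phrase is supplied so openssl never prompts; an encrypted key therefore fails here
    keypub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || keypub=
    if [ -z "$keypub" ]; then
        echo "$key: encrypted or unreadable; the web server c annot start with it unattended" >&2
        rm -rf "$tmp"; return 1
    fi
    # 2. the public key inside the first certificate must be the one derived from the private key
    certpub=$(openssl x509 -in "$tmp/cert.1" -pubkey -noout 2>/dev/null) || certpub=
    if [ "$keypub" != "$certpub" ]; then
        echo "$bundle: first certificate does not match $key (wrong file, or chain placed before the server certificate)" >&2
        rm -rf "$tmp"; return 1
    fi
    # 3. issuer of cert.i must equal subject of cert.i+1 (the 'issuer=' / 'subject=' prefix is stripped)
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer | sed 's/^[^=]*=//')
        subject=$(openssl x509 -in "$tmp/cert.$j" -noout -subject | sed 's/^[^=]*=//')
        if [ "$issuer" != "$subject" ]; then
            echo "$bundle: certificate $j is not the issuer of certificate $i (wrong chain order)" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$j
    done
    rm -rf "$tmp"
    echo "$bundle: $count certificate(s), leaf matches $key, chain order is correct"
    return 0
}

# probe_tls HOST [PORT]: after the restart, confirm from the network that TLS 1.2 is offered
# and that TLS compression is off (CRIME). Needs a reachable server.
probe_tls() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 </dev/null 2>&1)
    if ! printf '%s\n' "$out" | grep -q 'Protocol *: TLSv1.2'; then
        echo "$host:$port: TLS 1.2 handshake failed" >&2; return 1
    fi
    if ! printf '%s\n' "$out" | grep -q 'Compression: NONE'; then
        echo "$host:$port: TLS compression is enabled (CRIME)" >&2; return 1
    fi
    echo "$host:$port: TLS 1.2 accepted, compression off"
}

# run directly: check_tls_files.sh /usr/local/nginx/ssl/server.pem /usr/local/nginx/ssl/server.key
if [ $# -eq 2 ]; then
    check_chain_order "$1" "$2"
fi
```

The public keys are compared as the PEM text that openssl pkey and openssl x509 -pubkey both emit for the same key, so the check works for RSA and EC keys alike; the chain walk compares distinguished names only, which is what the web server needs to present the chain in the right order (the CA's signatures are validated by the client).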

Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)

This document explains the process of installing, configuring and hardening an Apache server built from source, based on a default CentOS 6.4 installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks.

Note: The OpenSSL release current when this guide was written (1.0.1e) is affected by the Heartbleed bug (CVE-2014-0160, fixed in 1.0.1g); make sure the OpenSSL you end up with after the upgrade step is 1.0.1g or later (check with openssl version).

Some of the features described in this document are supported only by certain Internet browsers:

    • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
    • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (disabled by default; must be enabled), Firefox 24.0 (disabled by default; must be enabled), Chrome 30, Opera 17, Safari 5.0
    Pre-Requirements

    • policycoreutils-python-* package installed
    • setools-libs-* package installed
    • libcgroup-* package installed
    • audit-libs-python-* package installed
    • libsemanage-python-* package installed
    • setools-libs-python-* package installed
    • gcc* package installed
    • gcc-c++* package installed
    • autoconf* package installed
    • automake* package installed
    Installation Phase

  1. Log in to the server as root
  2. Upgrade the OpenSSL build and install the matching development package (Apache is linked against this system OpenSSL in step 8, and configure needs its headers):
    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
    yum --enablerepo=axivo update openssl -y
    yum --enablerepo=axivo install openssl-devel -y
    Note: --nosignature installs a third-party repository package without GPG verification over plain HTTP; verify the package out of band before trusting it, or use the vendor's own OpenSSL errata instead.

  3. Download Apache source file into /tmp, from:
    http://httpd.apache.org/download.cgi
  4. Download APR and APR-Util source files into /tmp, from:
    https://apr.apache.org/download.cgi
  5. Download PCRE source file into /tmp, from:
    http://sourceforge.net/projects/pcre/files/pcre/
  6. Compile PCRE from the source file:
    tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp
    mv /tmp/pcre-8.33 /usr/local/pcre
    cd /usr/local/pcre
    ./configure --prefix=/usr/local/pcre
    make
    make install

  7. Extract the Apache source files:
    cd /tmp
    tar zxvf httpd-2.4.6.tar.gz
    cd httpd-2.4.6/srclib/
    tar zxvf ../../apr-1.4.8.tar.gz
    ln -s apr-1.4.8/ apr
    tar zxvf ../../apr-util-1.5.2.tar.gz
    ln -s apr-util-1.5.2/ apr-util

  8. Compile Apache from the source files. Before running configure, apply the ap_release.h edits of step 20 to /tmp/httpd-2.4.6/include/ap_release.h: those strings are compiled into the binary, so editing the installed copy afterwards has no effect. --with-ssl points at the system OpenSSL updated in step 2; this guide does not unpack an OpenSSL source tree, and configure needs an installed library with headers, not unbuilt sources:
    cd /tmp/httpd-2.4.6
    ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/usr --enable-mods-static=ssl --with-pcre=/usr/local/pcre
    Note: The command above should be written as one line. --enable-mods-static=ssl builds mod_ssl into the httpd binary; --enable-ssl-staticlib-deps is omitted because the system openssl-devel package ships shared libraries only.
    make
    make install

  9. Remove the source files:
    rm -rf /tmp/apr-1.4.8.tar.gz
    rm -rf /tmp/apr-util-1.5.2.tar.gz
    rm -rf /tmp/httpd-2.4.6.tar.gz
    rm -rf /tmp/httpd-2.4.6
    rm -rf /tmp/pcre-8.33.tar.gz

  10. Remove Default Content:
    rm -rf /opt/httpd/cgi-bin
    rm -rf /opt/httpd/htdocs
    rm -rf /opt/httpd/icons
    rm -rf /opt/httpd/man
    rm -rf /opt/httpd/manual
    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf
    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-dav.conf
    rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-default.conf
    rm -rf /opt/httpd/conf/extra/httpd-default.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-info.conf
    rm -rf /opt/httpd/conf/extra/httpd-info.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-languages.conf
    rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-manual.conf
    rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf
    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf
    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf
    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf
    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in
    rm -rf /opt/httpd/conf/extra/proxy-html.conf
    rm -rf /opt/httpd/conf/extra/proxy-html.conf.in
    rm -rf /opt/httpd/conf/original

  11. Update ownership and permissions on the Apache folders:
    chown root:root /opt/httpd/bin/apachectl
    chown root:root /opt/httpd/bin/httpd
    chmod 770 /opt/httpd/bin/apachectl
    chmod 770 /opt/httpd/bin/httpd
    chown -R root:root /opt/httpd
    chmod -R go-r /opt/httpd
    chown -R root:root /opt/httpd/logs
    chmod -R 700 /opt/httpd/logs

  12. Create a folder for the web content:
    mkdir -p /www
  13. Update ownership and permissions on the web content folder (the httpd worker only needs read access, so no write bit for group or others):
    chown -R root:root /www
    chmod -R 755 /www

  14. Fix the SELinux security context on the new web folder:
    semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
    restorecon -F -R -v /www
    Note: Because httpd is installed under /opt rather than /usr/sbin, its binary carries the usr_t label instead of httpd_exec_t and runs in the unconfined initrc_t domain, so the httpd SELinux policy (and this content label) does not constrain it. Label /opt/httpd/bin/httpd as httpd_exec_t with the same semanage fcontext/restorecon procedure if you want the policy to apply.

  15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    LogLevel warn
    To:
    LogLevel notice

    From:
    DocumentRoot "/opt/httpd/htdocs"
    To:
    DocumentRoot "/www"

    From:
    Listen 80
    To:
    Listen Server_FQDN:80
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerAdmin root@localhost
    To:
    ServerAdmin webmaster@mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    #ServerName www.example.com:80
    To:
    ServerName Server_FQDN
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
    To:
    # ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Require all denied
    </Directory>

    From:
    <Directory "/opt/httpd/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory "/www">
    Options None
    AllowOverride None
    Require all granted
    <LimitExcept GET POST>
    Require all denied
    </LimitExcept>
    </Directory>
    Note: Only the Apache 2.4 authorization syntax (Require) is used. The 2.2 directives Order/Allow/Deny depend on mod_access_compat, and mixing the two styles in one block gives confusing results; a LimitExcept block on / is unnecessary because everything there is denied already.

  16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file beginning with:
    ScriptAlias
    IndexOptions
    AddIconByEncoding
    AddIconByType
    AddIcon
    DefaultIcon
    ReadmeName
    HeaderName
    IndexIgnore
    LanguagePriority
    ForceLanguagePriority

  17. Comment out the lines below inside the /opt/httpd/conf/httpd.conf file to disable default modules:
    LoadModule cgi_module modules/mod_cgi.so
    LoadModule status_module modules/mod_status.so
    LoadModule info_module modules/mod_info.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule include_module modules/mod_include.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule env_module modules/mod_env.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule actions_module modules/mod_actions.so

  18. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/httpd.conf
  19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
    # Configure a uniform error message (every listed status is answered with the same text, so the error page reveals nothing; the status code itself is still sent)
    ErrorDocument 400 "The requested URL was not found on this server."
    ErrorDocument 401 "The requested URL was not found on this server."
    ErrorDocument 403 "The requested URL was not found on this server."
    ErrorDocument 404 "The requested URL was not found on this server."
    ErrorDocument 405 "The requested URL was not found on this server."
    ErrorDocument 408 "The requested URL was not found on this server."
    ErrorDocument 410 "The requested URL was not found on this server."
    ErrorDocument 411 "The requested URL was not found on this server."
    ErrorDocument 412 "The requested URL was not found on this server."
    ErrorDocument 413 "The requested URL was not found on this server."
    ErrorDocument 414 "The requested URL was not found on this server."
    ErrorDocument 415 "The requested URL was not found on this server."
    ErrorDocument 500 "The requested URL was not found on this server."
    # Configure Server Tokens
    ServerTokens Prod
    # Disable Server Signature
    ServerSignature Off
    # Disable Tracing
    TraceEnable Off
    # Maximum size of the request body (about 25 KB; raise it if the site accepts form posts or uploads)
    LimitRequestBody 25000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of request header lines.
    LimitRequestFieldSize 4000
    # Maximum size of the request line.
    LimitRequestLine 4000
    # Recycle worker processes (2.4 name; MaxRequestsPerChild is the deprecated 2.2 spelling)
    MaxConnectionsPerChild 10000
    # Configure clickjacking protection (needs mod_headers, which the stock httpd.conf loads)
    Header always append X-Frame-Options SAMEORIGIN
  20. Edit using VI the file /tmp/httpd-2.4.6/include/ap_release.h and replace the following strings. This must be done in the source tree before the configure/make of step 8, because the strings are compiled into the httpd binary; editing the installed copy under /opt/httpd/include afterwards changes nothing.
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
    To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"
    To:
    #define AP_SERVER_BASEPROJECT "Secure Web Server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"
    To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

  21. Download the Apache boot script into /tmp from:
    http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
  22. Extract and install the Apache boot script:
    cd /tmp/
    tar xvjf blfs-bootscripts-20131023.tar.bz2
    cd /tmp/blfs-bootscripts-20131023
    make install-httpd
  23. Edit using VI the file /etc/init.d/httpd and replace the strings below:
    From:
    /usr/sbin/apachectl
    To:
    /opt/httpd/bin/apachectl

    From:
    log_info_msg
    To:
    echo

    From:
    evaluate_retval
    To:
    #evaluate_retval

  24. Configure the Apache to start automatically:
    chkconfig httpd on
  25. Configure IPTables (add the loopback and established-connection rules first and set the DROP policy last; if the policy is set first from an SSH session, that session is cut off before the rule allowing it exists):
    service iptables stop
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -P INPUT DROP

  26. Allow SSH access from the internal segment (e.g. 10.0.0.0/8):
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    Note: Replace 10.0.0.0/8 with the internal segment and subnet mask
  27. Allow HTTP access from the Internet on the public interface (e.g. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  28. Save the IPTables settings:
    service iptables save
  29. Start the Apache daemon:
    service httpd start
    SSL Configuration Phase

  1. Log in to the server as root.
  2. Create a folder for the SSL certificate files (root only; the directory needs the execute bit to be traversable):
    mkdir -p /opt/httpd/conf/ssl
    chmod 700 /opt/httpd/conf/ssl
  3. Run the command below to generate the private key. It is written without a pass phrase because httpd has to read it unattended at boot (a pass phrase would have to be removed again or supplied through SSLPassPhraseDialog); the root-only folder and file mode protect it instead:
    /usr/bin/openssl genrsa -out /opt/httpd/conf/ssl/server.key 2048
    chmod 600 /opt/httpd/conf/ssl/server.key
  4. Run the command below to generate the CSR from that key:
    /usr/bin/openssl req -new -sha256 -key /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
    Note: The command above should be written as one line. Do not use -newkey/-keyout here: that would overwrite the key from step 3 with a new one.
  5. Send the file /tmp/apache.csr to a Certificate Authority.
  6. As soon as you receive the signed certificate from the CA via email, copy all lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” (including those two lines) into a text editor and save the file as /opt/httpd/conf/ssl/server.crt
  7. Follow the link in the email from the CA to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
  8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    Listen Server_FQDN:80
    To:
    #Listen Server_FQDN:80
    Note: The HTTPS listener is declared in httpd-ssl.conf (step 9). Do not add a second Listen for port 443 here: duplicate Listen directives for the same address and port make httpd fail to start with “Address already in use”.

    From:
    ServerName Server_FQDN
    To:
    ServerName Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    #Include conf/extra/httpd-ssl.conf
    To:
    Include conf/extra/httpd-ssl.conf

    From:
    #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
    To:
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

  9. Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
    From:
    SSLCertificateFile "/opt/httpd/conf/server.crt"
    To:
    SSLCertificateFile /opt/httpd/conf/ssl/server.crt

    From:
    SSLCertificateKeyFile "/opt/httpd/conf/server.key"
    To:
    SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key

    From:
    #SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"
    To:
    SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt

    From:
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    To:
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!EXP:!PSK:!SRP
    Note: The directive above should be written as one line. The exclusions (!...) apply to the whole list regardless of position, so the 3DES and DH (EDH) groups named earlier are removed again by !3DES and !EDH; check the effective list with openssl ciphers -v followed by the string in quotes.

    From:
    #SSLHonorCipherOrder on
    To:
    SSLHonorCipherOrder On

    From:
    Listen @@SSLPort@@
    To:
    Listen Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    DocumentRoot "/opt/httpd/htdocs"
    To:
    DocumentRoot "/www"

    From:
    ServerName www.example.com:@@SSLPort@@
    To:
    #ServerName www.example.com:@@SSLPort@@

    From:
    ServerAdmin you@example.com
    To:
    ServerAdmin webmaster@mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    <VirtualHost _default_:@@SSLPort@@>
    To:
    <VirtualHost _default_:443>

  10. Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
    # Disable SSLv2 and SSLv3 (SSLv3 is obsolete and vulnerable to POODLE; TLS 1.0 to 1.2 remain enabled)
    SSLProtocol ALL -SSLv2 -SSLv3
    # Disable SSL Compression (CRIME)
    SSLCompression Off
  11. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/extra/httpd-ssl.conf
  12. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  13. Remove HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  14. Save the IPTables settings:
    service iptables save
  15. Restart the Apache service:
    service httpd restart

Hardening guide for Postfix 2.x

  1. Make sure Postfix is running under a non-root account:
    ps aux | grep postfix | grep -v '^root'
  2. Change permissions and ownership on the destinations below:
    chmod 755 /etc/postfix
    chmod 644 /etc/postfix/*.cf
    chmod 755 /etc/postfix/postfix-script*
    chmod 755 /var/spool/postfix
    chown root:root /var/log/mail*
    chmod 600 /var/log/mail*
  3. Edit using VI the file /etc/postfix/main.cf and make the following changes:
    • Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
      myhostname = myserver.example.com
    • Configure network interface addresses that the Postfix service should listen on, for example:
      inet_interfaces = 192.168.1.1
    • Configure Trusted Networks, for example:
      mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
    • Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
      myorigin = example.com
    • Configure the SMTP domain destination, for example:
      mydomain = example.com
    • Configure to which SMTP domains to relay messages to, for example:
      relay_domains = example.com
    • Configure SMTP Greeting Banner:
      smtpd_banner = $myhostname
    • Limit Denial of Service Attacks:
      default_process_limit = 100
      smtpd_client_connection_count_limit = 10
      smtpd_client_connection_rate_limit = 30
      queue_minfree = 20971520
      header_size_limit = 51200
      message_size_limit = 10485760
      smtpd_recipient_limit = 100
  4. Restart the Postfix daemon:
    service postfix restart

Hardening guide for BIND9 (Debian platform)

  1. Make sure BIND is running under a non-root account:
    ps aux | grep bind | grep -v '^root'
  2. Change permissions and ownership on the destinations below:
    chown -R root:bind /etc/bind
    chown root:bind /etc/bind/named.conf*
    chmod 640 /etc/bind/named.conf*
  3. Edit using VI, the file /etc/bind/named.conf.options and add the following settings under the “Options” section:
    • Add the line below to replace DNS version banner:
      version "Secured DNS server";
      Note: In order to test, run the command below:
      dig +short @localhost version.bind chaos txt
    • Add the line below to restrict recursive queries to trusted clients:
      allow-recursion { localhost; 192.168.0.0/24; };
      Note 1: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
      Note 2: In order to test, run the command below:
      nslookup www.google.com
    • Add the line below to restrict query origins to trusted clients:
      allow-query { localhost; 192.168.0.0/24; };
      Note: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
    • Add the line below to hide the nameserver ID:
      server-id none;
    • Add the line below to restrict which hosts can perform zone transfers:
      allow-transfer { 192.168.1.1; };
      Note: Replace 192.168.1.1 with the trusted DNS server.
    • Add the line below to restrict the DNS server to listen to specific interfaces:
      listen-on port 53 { 127.0.0.1; 192.168.1.1; };
      Note: Replace 192.168.1.1 with the IP address of the DNS server.
  4. Restart the DNS daemon:
    service bind9 restart
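To check that the Apache (steps 9-10), Postfix (step 3) and BIND9 (step 3) edits above actually took effect, here is an added audit script that is not part of the guides. It takes the three config file paths as arguments and builds constructed sample files for the demonstration; the SSLv3 check is my addition, since the guide's SSLProtocol line only removes SSLv2, and the BIND checks only inspect the first ACL entry.

```shell
#!/bin/sh
# Added audit helper (not from the guides): verify that the hardened
# settings from the Apache, Postfix and BIND9 steps are actually present.
# Usage: audit_all <httpd-ssl.conf> <main.cf> <named.conf.options>

# require <file> <ERE> <description>: OK when a non-comment line matches.
require() {
  if grep -Ev '^[[:space:]]*#' "$1" | grep -Eq "$2"; then
    echo "OK   $3"
  else
    echo "FAIL $3 (no line matching /$2/ in $1)"; return 1
  fi
}

# audit_all returns the number of failed checks (0 = all settings present).
audit_all() {
  fails=0
  # Apache httpd-ssl.conf (steps 9 and 10 above)
  require "$1" '^SSLProtocol[[:space:]].*-SSLv2' 'SSLv2 disabled' || fails=$((fails+1))
  require "$1" '^SSLProtocol[[:space:]].*-SSLv3' 'SSLv3 disabled (extra check, not in the guide)' || fails=$((fails+1))
  require "$1" '^SSLCompression[[:space:]]+[Oo]ff' 'TLS compression off' || fails=$((fails+1))
  require "$1" '^SSLHonorCipherOrder[[:space:]]+[Oo]n' 'server cipher order enforced' || fails=$((fails+1))
  require "$1" '^SSLCipherSuite[[:space:]].*!aNULL' 'anonymous ciphers excluded' || fails=$((fails+1))
  # Postfix main.cf (step 3 of the Postfix guide)
  require "$2" '^inet_interfaces[[:space:]]*=[[:space:]]*[0-9]' 'listener bound to an explicit address' || fails=$((fails+1))
  require "$2" '^smtpd_client_connection_rate_limit[[:space:]]*=[[:space:]]*[0-9]+' 'client connection rate limit set' || fails=$((fails+1))
  require "$2" '^message_size_limit[[:space:]]*=[[:space:]]*[0-9]+' 'message size limit set' || fails=$((fails+1))
  # BIND named.conf.options (step 3 of the BIND guide); the first ACL entry
  # must be localhost or an address, so "any" at the front is caught.
  require "$3" '^[[:space:]]*version[[:space:]]+"' 'version banner replaced' || fails=$((fails+1))
  require "$3" '^[[:space:]]*allow-recursion[[:space:]]*\{[[:space:]]*(localhost|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/[0-9]+)?);' 'recursion restricted' || fails=$((fails+1))
  require "$3" '^[[:space:]]*allow-transfer[[:space:]]*\{[[:space:]]*[0-9.]+;' 'zone transfers restricted' || fails=$((fails+1))
  return "$fails"
}

# Constructed sample configs in the hardened state (illustration only).
d=$(mktemp -d)
printf '%s\n' 'SSLProtocol ALL -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2' 'SSLCompression Off' \
  'SSLHonorCipherOrder On' 'SSLCipherSuite EECDH+AESGCM:!aNULL:!MD5' > "$d/httpd-ssl.conf"
printf '%s\n' 'inet_interfaces = 192.168.1.1' 'smtpd_client_connection_rate_limit = 30' \
  'message_size_limit = 10485760' > "$d/main.cf"
printf '%s\n' 'options {' '  version "Secured DNS server";' \
  '  allow-recursion { localhost; 192.168.0.0/24; };' \
  '  allow-transfer { 192.168.1.1; };' '};' > "$d/named.conf.options"
audit_all "$d/httpd-ssl.conf" "$d/main.cf" "$d/named.conf.options"
echo "failed checks: $?"
```

Run it against the real files after step 15 of the Apache guide and step 4 of the other two; any FAIL line names the directive that still needs editing.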

Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

thought that SSL + TLS are the magic words??
think again!
http://www.isg.rhul.ac.uk/tls/

Roy Coren
Security Specialist
Roy Coren AT gmail

Most Aggressively Spreading Malware Binaries

hello again!
With that live list you can search various sites by MD5 file name and stay updated on what malware is spreading in your network and how.
This site is my bible for malware searching and fighting.

http://mtc.sri.com/live_data/binaries/

HAPPY NEW YEAR!
Roy Coren
Security Specialist
Roycoren AT gmail.com

Malware Fighting Tools/Guides – Part 3 :Down and Dirty

Before we start, I just want to declare that the things I publish here are based on my experience only, and in no way should they be taken as advice to buy or not to buy specific products.
After understanding the essentials of a CISO's work, I'll expand on how I did the research work from part 1 together with my incident response team from part 2.
Regarding the tools I mentioned earlier: they need to give you a FULL view, from the bottom up, of every request \ connection to the internet, starting from the user's endpoint through the firewall\proxy and DNS requests, and cross-dissect the findings to give you a positive catch.
C&C life cycle:

1) A hostile file is downloaded from “some” website, or gets onto a computer through exposed browser holes.
BTW – the hostile file can be an innocent-looking, legitimate skype.exe file that has been downloaded NOT from the Skype website…

2) If step 1 succeeded and no AV engine has stopped it, the hostile file tries to “sniff” its way inside your organization, trying to elevate privileges and gather as much information as it can before going into phase II.

3) After getting some idea of how your organization “works”, the hostile file tries to get out and connect to the operator's site. This phase is usually known as domain fluxing and shows up as bursts of random DNS lookups for names like [aabbccdd.your company domain extension] or any other random sequence.
At this step, if you have implemented the right products, the hostile activity should be blocked at your gateway via IDS\IPS\FW\proxy\URL filtering\DLP or any other PREVENTION product.
If it isn't and you need to look at step 4, chances are you are in deep trouble…

4) Also known as Phase II, in which the hostile file and its operator evolve into one unit that is fully aware of your organization's methods and can exploit almost any aspect of your INTERNAL network.
This includes admin users, passwords, emails, internal IPs, DCs, DNS, AD and even firewall configuration data.
This allows the attacker, or shall we say “your commander”, to do whatever he likes with your data. 1-0 to the bad guys….
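The burst of random DNS lookups from step 3 can be surfaced from resolver logs with a small script. This is an added example, not from the post; it assumes a simplified log line shape of client, queried name and response code (constructed here) and flags clients that fail lookups for many different names rather than repeating one typo.

```shell
#!/bin/sh
# Added example (not from the post): spot the burst of random DNS lookups
# from step 3 in resolver logs. Input lines are "<client> <qname> <rcode>",
# a constructed, simplified shape; real named query logs need field extraction.

# flux_suspects <min_distinct_nxdomain> <min_nxdomain_ratio>
# Reads log lines on stdin and prints "<client> <distinct NXDOMAIN names> <queries>"
# for each client that both misses often and misses on many different names.
flux_suspects() {
  awk -v min_nx="$1" -v min_ratio="$2" '
    { total[$1]++ }
    # count each failing name once per client: a typo repeated 50 times is not fluxing
    $3 == "NXDOMAIN" && !seen[$1 SUBSEP $2]++ { nx[$1]++ }
    END {
      for (c in total)
        if (nx[c] >= min_nx && nx[c] / total[c] >= min_ratio)
          printf "%s %d %d\n", c, nx[c], total[c]
    }' | sort
}

# Constructed sample log: .5 is normal, .9 repeats one typo, .7 is fluxing.
SAMPLE_LOG='10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.9 www.exmaple.com NXDOMAIN
10.0.0.9 www.exmaple.com NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 mail.example.com NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.7 aabbccdd.example.com NXDOMAIN
10.0.0.7 qzx81kkd.example.com NXDOMAIN
10.0.0.7 m0p2wq7t.example.com NXDOMAIN
10.0.0.7 l9d4xxcv.example.com NXDOMAIN
10.0.0.7 r7t2ppqa.example.com NXDOMAIN
10.0.0.7 ee12bb9c.example.com NXDOMAIN'

printf '%s\n' "$SAMPLE_LOG" | flux_suspects 5 0.5   # prints: 10.0.0.7 6 7
```

The two thresholds need tuning per site: a resolver that serves laptops with many stale search domains will show a higher baseline NXDOMAIN ratio than a server segment.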
The first question you might ask is: if my AV vendor is not discovering the bad guys, what can I do?
Well – a good one… this brings me back to my friend's original request once again. And the answer is:
No AV vendor is “the one”; it is enough to look at sites like VirusTotal or URLQuery to see that even 10 AV engines together can miss… therefore you need special tools for these special jobs.
Or worse, if you trust your AV vendor as your sole solution for security – change your job…
It has got to be a BEST OF BREED set of solutions that will answer your dynamic organization's requests and whims..
They MUST be able to do the following in order to crossfire any hostile file in your environment.

Also make sure your IRT team is using them and their results on a daily basis; in fact, base your security protocols and procedures on their output.

1) Security Event Management (SIEM): [ Such as ArcSight, Symantec, RSA ]
Connect every available and relevant device to your SIEM and write basic rules.
Improve those rules as you go and remember: those devices can archive almost everything that happened on your network fairly easily; it is the correlation between those events that makes your life easier.

2) A cross-stream analyzer: [ Such as Damballa FailSafe, FireEye, Websense full suite, advanced Proxy\URL filtering ]
This device's sole purpose is to analyze the data from the endpoint to the DNS server \ Proxy \ FW and correlate them into one valid event.
As I explained in the C&C life cycle, it is essential to expose the hostile before phase II, meaning if you can catch one machine [or asset] trying to contact a hostile URL or doing domain fluxing, then phase II won't be an issue for you.
Hell, you can even make these connections terminate automatically or have an event-based action sent to your remediation device.

3) Investigating tool: [ Such as: Silicium ECAT, HBGary Responder or even GMER or Comodo CCE ]
It MUST HAVE the “cross platform approach”, meaning it runs across your whole enterprise as a natural endpoint agent, collecting ALL your computers'\servers' files into one place, analyzing them and giving you suspected or convicted files.
The methods should be as follows:

a) Compare your files against several MD5 signature databases such as Bit9, NIST, MSDN, or any other cloud-based comparison engine (HITMAN\CCE).
This will bring up all the files that have no valid Root CA or no company embedded in them, so only sealed, authentic files can reside on your machines.
Any other result, such as unknown files or a broken CA, can imply that the file has been compromised by another hostile that may take additional steps, such as injecting DLLs into other processes\services and loading a rootkit, or connecting to additional C&C sites.

b) Use several AV engines, or upload your suspicious files from section a) to sites like VirusTotal and similar. You can even search the web for the MD5 string and consult other people's findings on your specific hash.

c) Analyze floating code and memory hashes in live mode.

d) Create your OWN white list of files that have been created by your organization's software developers, and direct them to work as methodically as they can.

e) Check your current network connections from the process up.
Meaning if you can see EXCEL.exe reaching out to the internet, it is NOT looking to be updated from Microsoft…
Even a simple netstat -nab can give you the desired results.

f) Use a good URL filtering engine\anti-bot. This actually should be the first DOT in the line of crossfire, since you will most probably have an alert from your URL filtering device saying one machine tried to reach a hostile website. You can also consult many other online URL checking tools.
A good tool in this section has to be one that updates as quickly as it can, since automated cleaning processes happen on those websites almost within the hour, so before you block access to it from your domain, make sure the danger hasn't passed already…

From there you can start your query using all the tools and methods I have mentioned; the more conclusive results on an evil residing on a machine you get, the better.

This approach is NOT bullet proof, but it will definitely filter out 95+% of your hostile files.. therefore keep up with the technology and bring the human resource to the game.
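Points a) and d) above, comparing file hashes against a database and keeping your own white list, as an added example that is not from the post: a shell function (hypothetical name unknown_files) hashes every file under a directory with md5sum and reports the ones whose digest is absent from a whitelist, run here on a constructed sample directory.

```shell
#!/bin/sh
# Added example (not from the post): the "own white list" from points a) and d).
# unknown_files <whitelist> <dir> prints "md5  path" for every regular file
# under <dir> whose MD5 is not in <whitelist>. Whitelist lines may be a bare
# digest or md5sum output ("digest  path"); '#' comments and blanks are skipped.
# Anything listed is a candidate for review, nothing is deleted.
unknown_files() {
  find "$2" -type f -exec md5sum {} + \
    | awk -v wl="$1" '
        BEGIN { while ((getline line < wl) > 0) {
                  split(line, f, " ")
                  if (f[1] != "" && f[1] !~ /^#/) known[tolower(f[1])] = 1 } }
        !(tolower($1) in known)' \
    | sort -k2
}

# Constructed sample: two "binaries" and a whitelist that knows only one.
d=$(mktemp -d)
wl=$(mktemp)
printf 'legitimate build of our own tool\n' > "$d/tool.exe"
printf 'something nobody built on purpose\n' > "$d/unknown.exe"
echo '# digests of files built by our own developers' > "$wl"
md5sum "$d/tool.exe" >> "$wl"

unknown_files "$wl" "$d"     # lists only unknown.exe
```

In a real deployment the whitelist is produced on the build system and the scan output is fed to the SIEM from point 1), so a new unknown digest on many machines at once becomes a correlated event rather than a per-host curiosity.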

GOOD LUCK!

Roy Coren

Security Specialist

[email protected]

Malware Fighting Tools/Guides – Part 2 , How to be an Ace CISO

If one of my customers came to me today and asked me to design a full method to eliminate unwanted or dangerous files in his domain, I would say “No such thing”.

One of the reasons is that you can't keep your sensitive environment clean enough without damaging the users' freedom and productivity. Especially the VPs'.

Most of the time CISOs and IT managers come to me AFTER somebody has made a 207 or 207A on their domain (that's the police code for kidnapping); in that case you have a legal and usually a very big Go! from the CTO\CEO to do everything you can to stop it from happening again.

Those are the good times for software vendors\integrators, who can celebrate a 100% sell rate at those companies.

But, as you guessed, those time-pressed CISOs are not always aware of which products to implement and, most important, which technology will give them the best results per dime for the longest time… having said that, without the right consultant who will take the pain and turn it into gain, they usually invest in the wrong methods.

Getting back to the original “bug free” request: in those special cases I would recommend a full revision of the company's approach to data security, starting from the bottom up.

Implementing a good, solid, management-backed data security policy is not something that happens in a day, but it is worth putting in a lot of effort to start something good and harvest the applause later.

Issues to consider:

– Have every user sign that the computer\software he gets from the company is NOT his own.

– Publish a list of allowed software in your organization, stating that anything besides that list will cause issues with the HR department…

– Start by classifying and identifying your:

1) Sensitive data – “Show me your data and I'll tell you how to protect it”

In most cases you will find that they DO NOT know its location and amount… this step alone takes several months to complete.

2) Weakest points in the LAN\WAN\DMZ

3) Everyday data flow – this is the stream that all problems start from.

4) Gather and estimate your human resources; see if the team needs additional knowledge and whether it can handle 911 calls and everyday tasks.

In most cases you will find 1 or 2 people doing the jobs of 5; this is not the kind of situation you want to be in when implementing a large DLP or SIEM project, only to realize your team can't decipher the results or lacks the time to do it.

– Harden security policies on mobile users: have smartphones and laptops use hard rules and policies without losing the dynamic of work productivity.

– Offer well-known, foolproof, productive solutions for the issues above; you can start by drilling down into your AD GPOs and dead users, and continue with your AV kill rate, along with your main firewall rules and block ratio.

– Keep your software up to date – probably the best tip I can give: no holes, no foxes…

– Assign virtual “Data owners”; have them take responsibility for their data in terms of backup and unwanted access.

– Pick as few tools and solutions as possible for all the scenarios you can imagine; if the 911 call arrives, the first thing you need is to act as fast as possible, and you will want the best results\outcomes\logs\products refined and distilled to your desktop.

Now you can start thinking about wide projects like DLP, endpoint security, SIEM, virtual security, IDS\IPS and, most important, a decent monitoring system, or any other solutions that your organization needs; just make sure they fit your golden rules above.

With the outcomes of those products, you can assign an incident response team to be the task force for all kinds of alarms and events.

And since you will get tens of millions of events per day, if this team can handle 10 REAL security events per day, you have scored it! Ace!

See you on part 3..

Roy Coren

Security Specialist

[email protected]