If you like this, you can use flattr. ;)
- Quickpost: Inspiring Windows software profilers and checkers
- 0x41 - back to bugs
- low footprint/hardware assisted virtualization with Linux and GrSec
- Postfix troubleshooting - a security nightmare
- New content soon
- 0x41 - (weekly) exploitation matters - Vista Heap, scripting debuggers with debug libs and how to learn to use that knowledge
- 0x41 - weekly exploitation matters - Shellcode and frameworks
- Explicit and implicit security in software development - measures and change
- 0x41 - weekly exploitation matters - Heap overflow fundamentals
- 0x41 - weekly exploitation matters - About
- wishinet: http://www.godblock.com/#what "block sexual, and psychologically harmful material" like "holy texts". Protect "from being indoctrinated"
- wishinet: Load average: 23.69 20.11 14.95 - jepp, this is obviously bad.
- wishinet: http://img2.moonbuggy.org/imgstore/ethernet-killer.jpg
- wishinet: According to my 400d stats the most viewed page at my blog is phpids's xss warning. You can do better! :)
- wishinet: I'm super-hungry after some meditation... guess this isn't normal. :-) 0xf000000d
UnprotectedHex - about formal software verification
Sean's blog
Xecurity - a security feed collecter
Reddit RCE group
Freedom To Tinker
Emergent Chaos
Woodmann RCE forums
OpenRCE community forums
SecViz - security data visualization
DAVIX Live - for security metrics
Hex Live
Security Metrics
Immunity's Free Software
Core Security's OpenSouce research
Zynamics Blog
Get grsecurity for Debian now
Tue, 05/26/2009 - 23:19 | wishi
txtSetting up the server
If you do this, you want three things:
- a clean and secure setup, that ensures your availability - even if you're working on a remote-server
- easy steps
- drinking a coke or a coffee during this setup. No beer. Because kernel-upgrades and beer don't work together
Okay, what's grsecurity and why do I need it
Easily said: it's doing everything to prevent successful exploitation, like we recently saw happening on Linux through SCTP, ptrace or UDEV.
The sctp-Exploit (a masterpiece) in the end is a simple memory corruption - so to counter we could need memory-protection. The other two code-pireces force privilege escalations and probably aren't the best examples. Nevertheless most exploits today are just buffer-overruns - that's almost boring.
- In order to protect bad application-code from bad exploit-code modern operating systems can implement certain layers of security measurements to prevent successful exploitation. Like memory address space layout randomization - to just shake the addresses in memory into organized chaos; or access-levels combined with user separation - mainly to ensure information integrity.
If in address-space - where the variables are stored (data or bss segment) - overwriting the buffer-space doesn't affect the one running process, successful exploitation-strategies need to include guessing where the vulnerable buffers are. Which is possible too, but I guess the random script-kiddie cannot do this. It's getting harder to exploit applications. Now with:
- RBAC
- memory protection features
- Segmentation-based implementation of non-executable user pages for i386 with no performance hit
- Randomization of stack and mmap base
- ... a lot more
If you like this stuff, have a look at this setup, which focuses Debian because it's on many servers. Unless you aren't sure you need that level of security, don't install. Or consult knowing people. It's a little... dangerous because you cannot know about the compatibility issues.
Installation procedure
I like to keep it minimal: Don't use a kernel-source > 2.6.29.3.
- cd #339933;">/usr#339933;">/src #339933;">&&
- wget http#339933;">:#666666; font-style: italic;">//www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.7.tar.bz2
Now unpack that stuff. Create a softlink that links /usr/src/linux to it.
- cd linux #339933;">&&
- wget http#339933;">:#666666; font-style: italic;">//www.grsecurity.net/~spender/grsecurity-2.1.14-2.6.29.3-200905192213.patch
And verfiy like "gpg --verify file.sig file", because the .sig is there too.
Let's patch that source now with all these fancy features, while we are in /usr/src/linux/ :
- patch #339933;">-Np1 grsecurity#339933;">-2.1.13#339933;">-2.6.28.7#339933;">-200902232153.#202020;">patch
Now let's make the kernel. Unless you've no special config, you don't need to copy it into your actual building folder.
- make#339933;">-kpkg #339933;">--initrd kernel_image kernel_headers #339933;">--config menuconfig
In the menu now you're able to chose what you want. If you ask me: don't play around with stuff you don't understand unless you've got local access to that box. Or you really know what you're doing. There're predefined configs: a normal server should run pretty good in "Medium". I like "High". Don't be a low hanging fruit ;).
After the configuration screen you'll need your tea or coffee. Because even modern systems need some time to compile operating system kernels. Did you ever try Earl Grey with milk and sugar? Tastes wonderful - especially together with nice manuals.
After the build is ready, use "dpkg -i" for the two new .debs in /usr/src.
The next thing to to is to run "apt get update" and "apt-get upgrade" - just for fun - before you're updating your bootloader configuration. I found out that apt-get tends to overwrite the menu.lst in case of Grub:
- #b1b100;">default #0000dd;">2
- fallback #0000dd;">1
- title 2.6.26.3
- kernel #009900;">(hd0#339933;">,#0000dd;">1#009900;">)#339933;">/boot#666666; font-style: italic;">//bzImage-2.6.26.3 root=/dev/sda2 panic=60 acpi=off
- title 2.6.26.2
- kernel #009900;">(hd0#339933;">,#0000dd;">1#009900;">)#339933;">/boot#666666; font-style: italic;">//bzImage-2.6.26.2 root=/dev/sda2 panic=60 acpi=off
- title 2.6.27.10#339933;">-grsec
- kernel #009900;">(hd0#339933;">,#0000dd;">1#009900;">)#339933;">/boot#339933;">/vmlinuz#339933;">-2.6.27.10#339933;">-grsec root#339933;">=/dev#339933;">/sda2 panic #339933;">=#0000dd;">60 acpi#339933;">=off
- #009900;">[...#009900;">]
In that case that would be two for default, because it starts counting with 0. In case something doesn't work the system will fallback to one - a kernel that just works. Any experiments with configurations therefore should be safe.
And reboot your box. The rest is pretty well documented. It just works. Here's the PaXtest on a medium secured Debian:
Mode: blackhat
Linux kaze.crazylazy.info 2.6.27.10-grsec #1 SMP Tue May 26 19:11:15 CEST 2009 i686 GNU/Linux
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : 18 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 24 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 16 bits (guessed)
Shared library randomisation test : 18 bits (guessed)
Stack randomisation test (SEGMEXEC) : 24 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Vulnerable
Note that some of the "Vulnerable" _features_ are needed for compatibility. It's of course arguable, but poeple taking security seriously are rare. After some configs you'll beat this test, for sure ;).
Have fun,
wishi
wishi's blog | 1+[encrypted]+#b94+ | txt | 
Tags: Configuration, Debian, Exploits, haq tutorial, Linux, pentesting, Security Tools, Setup
Post new comment