오픈소스활용사례 ü 수천여대의 Linux 기반서버로인터넷서비스제공 Subversion Kickstart,YUM Puppet GATEWAY+LDAP Graylog2 mailman Amanda RT HIDS(OSSEC) Edge + iptables SMS(Nagios) I

보안오픈소스실무활용 2015. 12 홍석범 (antihong@gmail.com)

오픈소스활용사례 ü 수천여대의 Linux 기반서버로인터넷서비스제공 Subversion Kickstart,YUM Puppet GATEWAY+LDAP Graylog2 mailman Amanda RT HIDS(OSSEC) Edge + iptables SMS(Nagios) IPMI Connect

오픈소스 = DIY? 오픈소스를활용한보안인프라구축의장점, 단점 오픈소스 ü 적은예산으로구축이가능하다 ü 구축과정에서솔루션및기술에대한이해도를높일수있다 ü 다양한 integration 이가능하다 ü 유지보수 ( 문제해결, 장애시대처등 ) 및기술지원이어렵다 ü UI 가좋지않다, 불편하다등. ü 기술담당자가있을경우유리함 상용솔루션 ü 많은비용이소요된다 ü 내부의 internals 를알기어렵다 ü 동일벤더가아닐경우또는지원되는버전이아닐경우 integration 이어렵다

OSSEC 오픈소스기반의 Host 기반 IDS/IPS( 침입탐지시스템 ), 현재는 Trendmicro에서인수하여제공 :: Http://ossec.net/ Log 분석, 파일무결성모니터링 (FIM), 루트킷탐지, 실시간탐지및차단 agent 기반, multi platform, secure by itself( 암호화통신 ) System(kernel, 내부 daemons등 ) 의 visibility( 가시성 ) 를제공함 Server-agent 기반으로각서버에는로그를수집하는 agent만설치하면되므로확장성이용이 기본적으로 /var/ossec에설치되고, 주설정파일은 /var/ossec/etc/ossec.conf /var/ossec/rules/*.xml :: 60여개의룰파일, Log에기반한것이므로 snort처럼오탐이많지는않음 /var/ossec/logs/alert.log :: 알람파일

Mini WAF 로활용사례 <rule id="31103" level="6"> <if_sid>31100,31108</if_sid> <url>=select%20 select+ insert%20 %20from%20 %20where%20 union%20 </url> <url>union+ where+ null,null xp_cmdshell</url> <description>sql injection attempt.</description> <group>attack,sql_injection,</group> </rule>

Received From: (www.example.com) 192.168.7.19->/var/log/secure Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time." Src Location: CN,Guangdong,Guangzhou Portion of the log(s): www vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=zhaolg rhost=61.144.79.245 => 지속적인 ftp 접속시도를알람 Received From: localhost->ossec-logcollector Rule: 592 fired (level 8) -> "Log file size reduced." Portion of the log(s): ossec: File size reduced (inode remained): '/var/log/messages'. Þ 파일을삭제하거나로그의특정부분을삭제시알람 ** Alert 1436711244.74050: - ossec,active_response, 2015 Jul 12 23:27:24 (www.example.com) any->/var/ossec/logs/active-responses.log Rule: 601 (level 7) -> 'Host Blocked by firewall-drop.sh Active Response' Src IP: 192.168.0.2 Sun Jul 12 23:27:21 KST 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.0.2 1436711242.71719 5720 => HIPS 작동예 <command> <name>firewall-drop</name> <executable>firewall-drop.sh</executable> <expect>srcip</expect> <timeout_allowed>yes</timeout_allowed> </command> <active-response> <command>firewall-drop</command> <location>local</location> <level>6</level> <timeout>600</timeout> </active-response>

Chkrootkit, UNHIDE # chkrootkit -x lkm ROOTDIR is `/' ### ### Output of:./chkproc -v -v -p 3 ### CWD 22665: / EXE 22665: /usr/local/app/bin/gserver PID 23970(/proc/23970): not in getpriority readdir outputç hidden process CWD 27355: / EXE 27355: /usr/bin/ruby CWD 31855: / EXE 31855: /usr/sbin/snmpd You have 1 process hidden for readdir command http://www.unhide-forensics.info/ # unhide-linux26 proc ç /proc 과비교 # unhide-linux26 sys ç system call 과비교 http://www.unhide-forensics.info [*]Searching for Hidden processes through getpriority() scanning [*]Searching for Hidden processes through getpgid() scanning [*]Searching for Hidden processes through getsid() scanning [*]Searching for Hidden processes through sched_getaffinity() scanning HIDDEN Processes Found: 1 sysinfo.procs = 369 ps count = 370

구글 OTP Iphone, 안드로이드, 윈도우폰등모든 device 지원 OTP 코드는 30 초간유효, 30 초마다 Random 하게변경됨 T(Time based)otp 의경우 WIFI/LTE 연결이되지않아도사용가능 ( 시간동기화가중요 ) 별도의인증서버가필요하지않아비용투자가없음 Brute force 공격에안전, ID/PW 를저장하는사이트에도안전 IP 등으로 ACL 설정이불가한서비스에도유용함 사용하기편리함

https://github.com/google/google-authenticator/wiki Git 또는 # yum install google-authenticator 이후 QR code를볼수있도록 # yum install qrencode 로설치각유저들은각자아래명령어로설정초기화 $ google-authenticator 이후.google_authenticator 라는설정파일이생성됨

Free OTP https://fedorahosted.org/freeotp/ # yum install pam_oath oathtool gen-oath-safe /etc/pam.d/ssh auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6 이후키생성 gen-oath-safe jon hotp

DUO OTP Google OTP의단점 QR Code를복사해두면 OTP를재사용 ( 재생성 ) 할수있음 Browser plugin을설치하여사용할수있음 OTP 사용에대한 history 관리가안됨 SSH외 RDP나 Web등다른 Application 적용에어려움 여러 Application을사용할경우중앙관리를위해서는별도개발이필요함 상용 OTP :: DUO OTP / AUTHY 10 개계정까지는 Free 로사용가능함 https://www.duosecurity.com/ CEO 는 Dug Song( 송덕준 ) 으로한국계 http://www.monkey.org/~dugsong/dsniff/ SSH, RDP, VPN, WIKI, JIRA, OWA, WEB site 등대부분의 Application 을지원함 OTP 적용에 API 를이용하여수십분소요

Push 기능, Passcode 입력 (TOTP), SMS 등다양한옵션지원가능 Portal 을통한관리자의관리 ( 로그모니터링 )

취약성점검 :: Nessus 가장대표적인취약성스캐너솔루션, 초기에는오픈소스로시작 => 현재는 tenable에서인수 Nessus Professional의경우 $2,000/year 로제한없이대부분의기능이용가능 HOME license는일부기능 ( 동시스캔가능한 ip수등 ) 의제한으로 Free로사용가능 안정성 ( 스팸..) 과정확도 ( 오탐..) 가매우높음 rpm -Uvh Nessus-x.x.x-xxx.i386.rpm 후 https://example.com:8834/ 로즉시사용가능 Home License 에서의다양한메뉴

취약성점검 :: Nessus 리눅스시스템패치전후 Credentials scan 결과 다수의 ip 를동시에스캔가능 각취약성항목에대해상세정보 Html 이나 pdf 등으로 report 생성

KALI Linux :: https://www.kali.org/ https: /www.exploit-db.com/ 의 offensive-security 에서운영하는데비안기반배포판 이전에는백트랙,2013 년 Kali 라는이름으로바꾸어현재 2.0 정보수집, 취약성점검, 웹어플리케이션분석, 패스워드크랙, 무선해킹, 리버스엔지니어링, 스니핑및 spoofing 툴, 포렌식, 리포팅툴등다양한분야별로가장대표적인 300 여개의모의침투프로그램을제공 복잡한설치과정없이즉시사용가능 기본적으로 root 로실행

KALI Linux http: /tools.kali.org/tools-listing Openvas (http: /openvas.org/) Nessus 의뒤를잇는취약성점검솔루션 System 취약성스캐너 매우복잡한설치과정,Kali 는매우쉬움 openvas-setup; openvas-stop ;openvas-start

취약성점검 :: OepnVAS

웹취약성점검 :: arachni http://www.arachni-scanner.com/ http://sectoolmarket.com/wivet-score-unified-list.html 가장오탐 (false positive) 이적으면서도많은취약성을찾아내는것으로유명함 CLI 또는 WEB 기반 GUI 모두지원 WEB GUI 의경우상용수준의미려한 Report 제공

웹취약성점검 :: arachni id/pw(readme 파일에있음 ) 입력후 스캔시작 arachni_web 으로실행 http://localhost:9292/ 에서리슨 스캔이진행되면서취약성정보가실시간으로출력됨

NMAP :: NSE Function 가장대표적인 port scanner :: https://nmap.org Matrix 등 13 편의영화에출현 (?) 함 NSE(Nmap Scripting Engine) 를활용, 확장된기능가능 /usr/local/share/nmap/scripts 에 500 여개스크립트 auth : 인증과관련된스크립트, anonymous ftp 스캔등 discovery : 대상에대한깊이있는정보를찾는스크립트들 external : 외부의자원 (resources) 을활용한스크립트들 intrusive : 대상에대한공격시도를하는스크립트들 malware : 백도어나악성코드 (malware) 점검과관련된스크립트들 Vuln : 알려진취약성을점검하는스크립트들 nmap --script dns-recursion 192.168.1.0/24 nmap --script ftp-anon 192.168.1.0/24 nmap --script ftp-brute 192.168.1.0/24 nmap -p 80 --script http-backup-finder www.example.com index.bak 나 index.html~ 등과같은백업파일검색

nmap -p 80 --script http-comments-displayer www.example.com http-comments-displayer: Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=www.example.com Path: http://www.example.com:80/ Line number: 367 Comment: <!--<li><a href="#"><img src="images/right_btn-04.png ></a></li>--> nmap -p 80 --script=http-errors www.examlpe.com d :: 400/500 에러점검 80/tcp open http syn-ack Spidering limited to: maxpagecount=40; withinhost=some-random-page.com Found the following error pages: Error Code: 404 http://some-random-page.com/admin/

nmap -p80 --script http-google-malware <host> safe browsing 을이용, malware 가삽입되었는지여부점검 PORT STATE SERVICE 80/tcp open http _http-google-malware.nse: Host is known for distributing malware. nmap -p80 --script http-sql-injection www.example.com nmap -p80 --script http-slowloris www.example.com nmap --script http-virustotal --script-args='apikey= xxxxxxx",http-virustotal.filename="/root/john-1.8.0.tar.gz"' http-virustotal: Permalink: https://www.virustotal.com/file/xxxxxx/analysis/1418142671/ Scan date: 2014-12-09 16:31:11 Results name result date version AhnLab-V3-20141209 2014.12.10.00 ALYac - 20141209 1.0.1.4 Comodo UnclassifiedMalware 20141209 20312 Fortinet Riskware/JohnRipper 20141209 5.0.999.0

nmap -sv --script=mysql-brute.nse -p 3306 192.168.1.201 3306/tcp open mysql mysql-brute: Accounts root:root - Valid credentials nmap --script reverse-index 192.168.0.0/24 Post-scan script results: reverse-index: 22/tcp: 192.168.0.60 23/tcp: 192.168.0.100 80/tcp: 192.168.0.70 445/tcp: 192.168.0.1 53/udp: 192.168.0.105, 192.168.0.70, 192.168.0.60, 192.168.0.1 _ 5353/udp: 192.168.0.105, 192.168.0.70, 192.168.0.60, 192.168.0.1 nmap -sv --script ssl-cert -p443 www.example.com ssl-cert: Subject: commonname=*.facebook.com/organizationname=facebook, Not valid before: 2014-08-28T00:00:00 Not valid after: 2015-10-28T12:00:00 spdy/3.1

OpenSCAP OpenSCAP(Security Content Automation Protocol) :: http://www.open-scap.org/ OpenSCAP 는 Open 되어있고 Free 이며매우활발히업데이트되고있다. scan 할항목을 customize 할수있어환경에따라불필요한항목은제외하고스캔할수있다. 유사한프로젝트로 Lynis 가있음

yum -y install openscap openscap-utils scap-security-guide # oscap xccdf eval --profile stig-rhel6-server-upstream --results /tmp/oscap-results.xml --report /tmp/oscap-results.html -- cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

--remediate option 시자동으로 fix Lynis :: https://cisofy.com/lynis/ Lynis 는 Linux,MacOS, unix 에대한 audit 지원

SIEM Security Information and Event Management Splunk 및 ELK 가대표적 Logstash - 데이터의 IN and OUT 을처리 Elasticsearch - Data 를검색가능하게저장 Kibana dashboard UI 를보여준다 https://splunkbase.splunk.com/ 에서다양한 App 제공, 예 ) ossec App

홍석범 (antihong@gmail.com)