Author archive

Just found an interesting article over at TechRepublic. Toni Bowers, Head Blogs Editor of TechRepublic, is reporting on this over at their site. Just read the full post



Today, Nagios issued a security notice about CSRF and XSS exploits in their product. You can read the original notice below:

The Nagios Team was notified last week about security exploits in Nagios XI that could potentially compromise a Nagios XI deployment.  This message contains information about the exploits, as well as information related to mitigating these problems.  We recommend that all Nagios XI users upgrade to the latest release to resolve these issues.

Security Exploit Details

The security vendor that notified us indicated that Nagios XI 2009R1.2B and earlier were vulnerable to Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) exploits.

In order to help prevent current Nagios XI users from malicious attacks, we will not be releasing the details of exploits.  However, the exploits allowed the vendor to craft requests to Nagios XI that ultimately created a PHP-based shell program that ran as the Apache user.  This would allow an attacker to run arbitrary commands as the Apache user and potentially expose sensitive information.

What We Are Doing

Upon receiving the notice from the security vendor, we made changes to the Nagios XI code and released a new 2009R1.2C version that we believe fixes the problems that were reported.  We have asked the vendor to re-verify the security test using the 2009R1.2C release.  If the vendor reports additional problems with the latest release, we will work quickly to solve the problem and notify you of additional fixes and updates.

What Should You Do?


We recommend that Nagios XI users immediately upgrade to the latest 2009R1.2C release of Nagios XI.  This release contains changes that we believe resolve the security risks reported to us.

2009R1.2C is a free upgrade for all Nagios XI users – including customers and users currently evaluating Nagios XI.

Instructions on how to upgrade your Nagios XI instance can be found in the following document:

Nagios XI Upgrade Instructions

Additional Assistance

If you encounter problems with the upgrade to 2009R1.2C, please contact our technical support team by posting to our online support forum at:

http://support.nagios.com/forum

If you have any questions about the information provided in this email please contact us.

Phone: 1-888-624-4671

So, let’s get your installation updated.


Today I found an email in my inbox from knowmore.com. It’s an invitation to the private beta of knowmore.com, a service which aims to bring all your social network streams onto one page. The current interface after connecting your various accounts looks like this (click on the image to see it enlarged):

Interface of knowmore.com

What is knowmore?

From their page:

knowmore is the best and easiest way to consume all your social networks. Clients were a great first step but it’s time for a whole new level.

Sure we let you bring together all your social networks (an ever growing list) in a single amazing interface but that’s just the beginning. We are the first intelligent and rich media aggregator. You can finally get out from under the sea of blue links and enjoy a stream of rich media. Avoid being buried by the endless flow of the timeline. Slice up your stream into a variety of new angles. Oh yeah, and search all your connected social networks for highly personal results. There’s a lot of other sweet nuggets you’ll love but we’ll let you experience those for yourself.

With knowmore you’ll finally attain social nirvana.

What do I think about knowmore?

I’m not sure yet. I just signed up there and will do some tests over the next couple of weeks. At least it is an interesting service and I’m really interested in the search function, which allows me to search through all my connected social networks.

At the time of this writing it’s only possible to connect to Twitter, Facebook and Flickr, but I think there are more to come, like Buzz and the like.

Lately, attacks on websites, preferably online shops, have been on the rise again. The extortionists’ usual scheme is to announce the DDoS attack by email in order to extort “protection money” in advance. Spiegel has already reported on this at http://www.spiegel.de/netzwelt/web/0,1518,701879,00.html.

Unlike the Spiegel article, which mostly assumes sabre-rattling and focuses on copycats, the threat is quite real, since a single server and a little Perl are enough to take unprotected web servers out of the race. One representative of these “attack snails”, as I call them, is Slowloris, but there are others that work in a similar way.

Since Slowloris is freely available at http://ha.ckers.org/slowloris/, any reasonably skilled IT person can launch such an attack, whether to check whether their own infrastructure is protected against it, or for criminal purposes such as the extortion scheme mentioned above. Vulnerable to such attacks are, for example, most Apache servers, old Nginx versions and various other web server platforms.

In larger load-balanced systems that use hardware balancers and are configured correctly, the problem occurs less often, since these usually perform so-called late binding out of the box and thereby protect against most of these attacks. The situation is different for servers standing alone on the network, or for load-balanced systems that allow a direct connection to the web server on which, for example, Apache is running (IPVS is one example).

For the latter variants there are nevertheless various protection options. In a complete setup with balancing you can, for example, use a current NGINX server as the entry point, which can also take over SSL offloading thanks to its very good performance. This in turn talks to a HAPROXY that handles the balancing. The actual web servers at the end are Apache web servers, which however run with mod_qos, which can intercept SLOWLORIS very well.

The individual elements of this setup and more detailed descriptions can be found under the following links:

With these components you can protect your infrastructure relatively well against this form of attack. Of course, on Linux systems TCP_SYNCOOKIES should additionally be enabled by default to cover another form of attack. Distributions such as current Fedora or CentOS already have this parameter enabled as the default setting.
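As an added illustration of the mod_qos part of the setup above (example configuration, not taken from the original post or from the mod_qos project), here is an Apache httpd.conf fragment that limits what a slow client such as Slowloris can hold open. The directive names are real mod_qos directives; the numeric thresholds are assumptions and have to be tuned to your own traffic and MaxClients setting.

```apache
# Added example: Apache mod_qos settings against slow-header attacks (Slowloris).
# Threshold values are assumptions; tune them to your server and traffic.
LoadModule qos_module modules/mod_qos.so

<IfModule mod_qos.c>
    # Slowloris keeps a connection alive by trickling header bytes. Require a
    # minimum transfer rate: 120 bytes/s while the server is mostly idle,
    # rising linearly to 1500 bytes/s as the connection count nears MaxClients.
    # Connections below the rate are closed and the client IP is deprioritised.
    QS_SrvMinDataRate 120 1500

    # A single attacking host opens hundreds of sockets; cap connections per IP
    # so one source cannot exhaust the worker pool on its own.
    QS_SrvMaxConnPerIP 50

    # Once 180 connections are in use, answer with "Connection: close" instead
    # of keep-alive so idle sockets are returned to the pool for new clients.
    QS_SrvMaxConnClose 180
</IfModule>
```

After `service httpd configtest` passes, check the effect with a harmless slow client against a test host only, and watch the Apache error log for the mod_qos messages that report the dropped connections.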

Happy protecting!

Today I discovered the site of AlienVault. AlienVault is a vendor of Security Information and Event Management (SIEM) software, and it is the creator of the leading open source security management tool, OSSIM.

After looking around on their site, I’m quite sure that I at least want to try this thing out.

Some information about OSSIM in advance, taken from their homepage:

AlienVault Open Source SIEM (OSSIM) is a complete Security Management solution that detects and profiles attacks, and provides a comprehensive, intelligent Security Management platform and toolset.

The entire solution is composed of open source distributions including all seamlessly integrated tools, and the security management platform. The OSSIM project was created and is currently coordinated by the founders of AlienVault.

The OSSIM platform consists of a Management Server, and Sensor or “Probe”. A professional version that includes Logger functionality is also available (please see below). The solution may be implemented as a single monolithic appliance or a set of appliances in which probes are separated from the management server, and distributed throughout the enterprise.

Probes capture network and system information in real time, and send it to the central Management Server where the data is analyzed to assess immediate threats and risk, filter out false positives, and locate false negatives that other security devices and software on the network cannot detect.

Probes not only capture data, but can be tasked as sophisticated attack detection components. They come with several attack detection systems, audit systems, and context learning systems (network profiles, inventory, availability), all of which are seamlessly integrated. When deployed in this fashion probes provide a very quick and safe way of continuously and transparently monitoring local and remote networks, providing full visibility of all security related aspects of the enterprise.

The information from the organization’s security systems, such as the firewall, antivirus, IPS, HIDS, etc., is all collected through these probes, and then analyzed through sophisticated intelligence technology. This technology correlates data from many sources to detect blended threats otherwise undetectable by individual systems; prioritizes these threats; and makes automated decisions with regard to the risk implied in each one.

OSSIM provides a complete management, reporting, and security analysis environment including graphical analysis, incident management workflow, and other tools. This system is capable of monitoring the security of globally distributed networks from a customizable management console. High level, graphical dashboards are used to progressively drill down to the lowest level of detail.

Of course, there is a commercial version as well, the differences between the Open Source and the Commercial version are as follows:

Logger
The Logger allows for storage of large volumes of data while ensuring its admissibility as evidence in a court of law. The Logger provides an additional database specifically geared for massive, long-term forensic archiving. The Logger collects data in its native format, digitally signs and time-stamps the data, and securely stores it preserving data integrity; whereas the SIEM database is designed for the rapid and versatile analysis required for attack detection and response.

Scalability
AlienVault Professional SIEM allows for both horizontal and vertical load distribution. Horizontal distribution of security information is useful for high performance and high availability configurations. This architectural flexibility also enables highly customizable and scalable management scenarios.

For example, groups of management servers may be organized to create multiple hierarchies of management servers. This sort of architecture facilitates monitoring of large, distributed networks and makes it possible to create various levels of correlation and storage. Each of these hierarchies can then be rolled up into a global view that serves as a central console from which activity on any part of the network can be seen at any time down to the smallest detail.

Performance
AlienVault Professional SIEM is capable of handling very large volumes of data. The engineering team at AlienVault has structured system architecture with multiple optimization and load distribution layers so that the AlienVault Professional SIEM now offers 30 times the performance of OSSIM for any traffic type.

Accountability & Reliability
AlienVault Professional SIEM provides for greater accountability than OSSIM for those organizations that require commercial open source licensing. The commercial license, backed by AlienVault, is accompanied by a comprehensive commercial support and version maintenance offering at extremely competitive rates.

Both OSSIM and AlienVault Professional SIEM are thoroughly tested by AlienVault and the extensive OSSIM community. However, just as with all free open source products, new OSSIM versions that are not entirely stable may at times be released for testing purposes whereas only the most exhaustively tested versions of AlienVault Professional SIEM, which have been vetted for reliability and stability are released to market.

I will try this thing out and tell you my opinion...