Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security monitoring - Penetration testing meets...

Gareth Rushgrove
September 20, 2013
Technology
32
5.9k

Security monitoring - Penetration testing meets monitoring

Presented at Monitorama EU 2013

How often do you have a full penetration test done on your application? How often do you deploy changes to your application? This talk is for everyone who worries about the difference between the answers to those two questions.

Penetration testing and other forms of security testing are often a mystery to developers and operations people alike, a specialist skill available only on the largest projects. With lots of good open source penetration testing tools available it doesn't have to be that way, especially if we can turn some of those tools into things we run constantly from our monitoring system.

This talk will:

* Identify security relevant metrics from a few tools available in a typical web stack
* Suggest a few more useful system tools which provide both protection and metrics
* Highlight a number of open source penetration testing tools, and show a few of them in use
* Find out which of those tools lend themselves to automation
* Bring it all together in a modern monitoring system

After the talk the audience will hopefully be:

* Scared of putting things on the internet
* Wanting to install a few simple tools that provide some protection
* Aware of a number of penetration testing tools they can use with their monitoring systems

Gareth Rushgrove

September 20, 2013
Tweet

More Decks by Gareth Rushgrove

See All by Gareth Rushgrove
GTM vs Open Source
garethr
0
790
Software Build of Materials For Cloud Native applications
garethr
1
380
Evolving vulnerabilities in CycloneDX
garethr
0
380
Configuration security is a developer problem
garethr
2
2.1k
Patterns for secure container base image management
garethr
1
2k
Testing configuration with Open Policy Agent
garethr
0
550
Building a Docker Image Packaging Pipeline Using GitHub Actions
garethr
5
2.6k
The perils of configuration security
garethr
1
220
Shifting Terraform security left
garethr
3
1.7k

Other Decks in Technology

See All in Technology
技術者はかっこいいものだ!!~キルラキルから学んだエンジニアの生き方~
masakiokuda
2
270
クラウド開発環境Cloud Workstationsの紹介
yunosukey
0
180
Writing Ruby Scripts with TypeProf
mame
0
170
От ручной разметки к LLM: как мы создавали облако тегов в Lamoda. Анастасия Ангелова, Data Scientist, Lamoda Tech
lamodatech
0
750
Spring Bootで実装とインフラをこれでもかと分離するための試み
shintanimoto
7
840
Porting PicoRuby to Another Microcontroller: ESP32
yuuu
4
430
LangfuseでAIエージェントの 可観測性を高めよう!/Enhancing AI Agent Observability with Langfuse!
jnymyk
1
240
より良い開発者体験を実現するために~開発初心者が感じた生成AIの可能性~
masakiokuda
0
200
“パスワードレス認証への道" ユーザー認証の変遷とパスキーの関係
ritou
1
600
PicoRabbit: a Tiny Presentation Device Powered by Ruby
harukasan
PRO
2
240
AIエージェント開発手法と業務導入のプラクティス
ykosaka
2
1.3k
ElixirがHW化され、最新CPU/GPU/NWを過去のものとする数万倍、高速+超省電力化されたWeb/動画配信/AIが動く日
piacerex
0
150

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
49
7.7k
Git: the NoSQL Database
bkeepers
PRO
430
65k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
21k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Thoughts on Productivity
jonyablonski
69
4.6k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Facilitating Awesome Meetings
lara
54
6.3k
Producing Creativity
orderedlist
PRO
344
40k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
2.9k
Designing for humans not robots
tammielis
252
25k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k

Transcript

  1. Security Monitoring Penetration testing meet monitoring Gareth Rushgrove

  2. Who (Who is this person?)

  3. @garethr

  4. UK Government Digital Service

  5. None

  6. How did it come to this, that the government has

    one of the most exciting start-ups in the UK?!
  7. None
  8. None

  9. Last code I wrote

  10. None

  11. The Problem (Why talk about security monitoring)

  12. The continuous delivery argument Gareth Rushgrove

  13. How often do you change your applications? Gareth Rushgrove

  14. Gareth Rushgrove How often do you conduct penetration tests?

  15. The security is part of quality assurance argument Gareth Rushgrove

  16. Testing used to be manual, slow and expensive Gareth Rushgrove

  17. Testing is now automated, fast and done on every commit

    Gareth Rushgrove

  18. Security testing is still mainly manual, slow and expensive Gareth

    Rushgrove

  19. This presentation (What to expect from this talk)

  20. Reactive security monitoring Gareth Rushgrove 1

  21. Proactive security testing Gareth Rushgrove 2

  22. Gareth Rushgrove 3 Community efforts

  23. Reactive monitoring (Mitigate attacks)

  24. rkhunter Gareth Rushgrove

  25. Gareth Rushgrove

  26. rkhunter \ --check \ --no-mail-on-warning \ --skip-keypress Gareth Rushgrove

  27. Tuxtendo Rootkit [ Not found ] URK Rootkit [ Not

    found ] Vampire Rootkit [ Not found ] VcKit Rootkit [ Not found ] Volc Rootkit [ Found ] Xzibit Rootkit [ Not found ] X-Org SunOS Rootkit [ Not found ] zaRwT.KiT Rootkit [ Not found ] ZK Rootkit [ Not found ] Performing additional rootkit checks Suckit Rookit additional checks [ OK ] Checking for possible rootkit files and directories [ None found ] Checking for possible rootkit strings [ None found ] Gareth Rushgrove
  28. None

  29. Gareth Rushgrove

  30. rkhunter \ --check \ --nocolors \ --no-mail-on-warning \ --skip-keypress \

    --no-summary | rkhunter-librato.py Gareth Rushgrove

  31. Gareth Rushgrove

  32. Gareth Rushgrove

  33. def test_beastkit_not_installed(): assert (metric("beastkit_rootkit") == 0) Gareth Rushgrove

  34. >> nosetests -v rkhunter-librato-test.py rkhunter-libratoo-test.test_beastkit_not_installed ... ok --------------------------------------------------------- Ran 1

    test in 1.585s OK Gareth Rushgrove

  35. Nginx Naxsi Gareth Rushgrove

  36. Web Application Firewall Gareth Rushgrove

  37. Gareth Rushgrove

  38. SecRulesEnabled; DeniedUrl "/RequestDenied"; CheckRule "$SQL >= 8" BLOCK; CheckRule "$RFI

    >= 8" BLOCK; CheckRule "$TRAVERSAL >= 4" BLOCK; CheckRule "$EVADE >= 4" BLOCK; CheckRule "$XSS >= 8" BLOCK; Gareth Rushgrove

  39. 2013/09/18 08:59:57 [error] 891#0: *6 NAXSI_FMT: ip=192.168.50.20&server=victim&uri=/pictures/ search.php&total_processed=14&total_blocked=7&zo ne0=ARGS&id0=1007&var_name0=query, client:

    192.168.50.20, server: localhost, request: "GET /pictures/search.php?query=--%3E+ %3Csome_dangerous_input_a1056fd2f0ffbb7f18fec9bd 33257e12ab5e0494b33011967bcbcbc5699408eb%2F%3E+ %3C%21-- HTTP/1.1", host: "victim" Gareth Rushgrove

  40. id0=1007 Gareth Rushgrove

  41. SQL Injection Gareth Rushgrove

  42. Gareth Rushgrove

  43. grok { type => "nginx_error" match => ["message", " ip=%{IP:client_ip}&

    server=%{IP:server_ip}& uri=%{PATH:uri}& total_processed=%{NUMBER:total_processed}& total_blocked=%{NUMBER:total_blocked}& zone0=%{WORD:zone}& id0=%{NUMBER:id}"] } Gareth Rushgrove

  44. Gareth Rushgrove

  45. Fail2Ban Gareth Rushgrove

  46. Gareth Rushgrove

  47. [ssh] enabled = true port = ssh filter = sshd

    logpath = /var/log/auth.log maxretry = 3 [ssh-ddos] enabled = true port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 6 Gareth Rushgrove

  48. [ssh-ddos] Ban 192.168.50.20 Gareth Rushgrove

  49. [nginx-naxsi] enabled = true port = http,https filter = nginx-naxsi

    logpath = /var/log/nginx/*error.log maxretry = 2 Gareth Rushgrove

  50. grok { type => "naxsi_fail2ban" match => ["message", " WARNING

    \[nginx-naxsi\] %{WORD:action} %{IP:ip}" ] } Gareth Rushgrove

  51. Auditd Gareth Rushgrove

  52. Auditd in less than 2 minutes. Maybe. Gareth Rushgrove

  53. -a exit,always -S mkdir Gareth Rushgrove

  54. type=CWD msg=audit(1379493067.779:57): cwd="/tmp" type=PATH msg=audit(1379493067.779:57): item=0 name="vagrant-puppet" inode=20 dev=fc:00 mode=041777

    ouid=0 ogid=0 rdev=00:00 type=SYSCALL msg=audit(1379493067.779:58): arch=c000003e syscall=83 success=yes exit=0 a0=7fff172d0e5e a1=1ed a2=1ed a3=7fff172cf910 items=2 ppid=1239 pid=1241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="mkdir" exe="/bin/mkdir" key=(null) type=CWD msg=audit(1379493067.779:58): cwd="/tmp/ vagrant-puppet" Gareth Rushgrove

  55. cwd="/tmp" Gareth Rushgrove

  56. syscall=83 Gareth Rushgrove

  57. sys_symlink Gareth Rushgrove

  58. Gareth Rushgrove

  59. comm="mkdir" Gareth Rushgrove

  60. cwd="/tmp/vagrant-puppet" Gareth Rushgrove

  61. Aside: penetration testing tools (State of open source)

  62. Skipfish, nikto, w3af, garmr, sslyze, owasp zap, arachni, sqlmap, sslscan,

    TLSSLed, slowhttptest, DIRB, SQLiBF Gareth Rushgrove

  63. BackTrack Gareth Rushgrove

  64. The problem with distributing software as a Linux distribution Gareth

    Rushgrove

  65. Configuration management + Vagrant Gareth Rushgrove

  66. Penetration testing tools

  67. Vulnerable web apps

  68. Source code

  69. Puppet module

  70. Proactive monitoring (Attack yourself)

  71. Gareth Rushgrove

  72. nmap monitorama.eu Gareth Rushgrove

  73. Starting Nmap 5.21 ( http://nmap.org ) at 2013-09-18 15:09 BST

    Nmap scan report for monitorama.eu (141.101.116.49) Host is up (0.17s latency). Hostname monitorama.eu resolves to 2 IPs. Only scanned 141.101.116.49 Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 8080/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 24.18 seconds Gareth Rushgrove

  74. Gareth Rushgrove

  75. it "should have one port open" do @host.open_ports.should have(1).items end

    Gareth Rushgrove

  76. Gareth Rushgrove

  77. 1) the monitorama.eu website should have one port open Failure/Error:

    @host.open_ports.should have(1).items expected 1 items, got 2 Finished in 8.99 seconds 1 example, 1 failure Gareth Rushgrove

  78. Arachni Gareth Rushgrove

  79. Gareth Rushgrove

  80. Web application security scanner Gareth Rushgrove

  81. arachni http://monitorama.eu --modules=xss Gareth Rushgrove

  82. + +[+] 2 issues were detected. + +[+] [1] Trusted

    -- Cross-Site Scripting (XSS) +[~] ~~~~~~~~~~~~~~~~~~~~ +[~] ID Hash: +[~] Severity: High +[~] URL: http://victim/pictures/search.php +[~] Element: form +[~] Method: GET +[~] Tags: xss, regexp, injection, script +[~] Variable: query +[~] Description: +[~] Client-side code (like JavaScript) can be injected + into the web application which is then returned to + the user's browser. This can lead to a compromise + of the client's system or serve as a pivoting + point for other attacks. + Gareth Rushgrove

  83. Gauntlt Gareth Rushgrove

  84. Gareth Rushgrove

  85. Cucumber + security tool integrations Gareth Rushgrove

  86. Officially supports curl, nmap, sslyze, sqlmap, garmr Gareth Rushgrove

  87. Gareth Rushgrove

  88. $ gauntlt methods.attack Gareth Rushgrove

  89. Gareth Rushgrove

  90. Support in master dirb, arachni Gareth Rushgrove

  91. Gareth Rushgrove

  92. $ gauntlt xss.attack Gareth Rushgrove

  93. Conclusions (You convinced me, now what?)

  94. Gareth Rushgrove Use penetration tests to discover how attackers work

    1

  95. Gareth Rushgrove Use security monitoring to build and maintain checklists

    2

  96. Share common configuration patterns Gareth Rushgrove 3

  97. Gareth Rushgrove Help with packaging and configuration management 4

  98. Gareth Rushgrove 5 Help integrate security tools with monitoring systems

  99. Gareth Rushgrove Get security together with developers and operations 6

  100. Questions? (And thanks for listening)