Security monitoring - Penetration testing meets monitoring

Presented at Monitorama EU 2013

How often do you have a full penetration test done on your application? How often do you deploy changes to your application? This talk is for everyone who worries about the difference between the answers to those two questions.

Penetration testing and other forms of security testing are often a mystery to developers and operations people alike, a specialist skill available only on the largest projects. With lots of good open source penetration testing tools available it doesn't have to be that way, especially if we can turn some of those tools into things we run constantly from our monitoring system.

This talk will:

* Identify security relevant metrics from a few tools available in a typical web stack
* Suggest a few more useful system tools which provide both protection and metrics
* Highlight a number of open source penetration testing tools, and show a few of them in use
* Find out which of those tools lend themselves to automation
* Bring it all together in a modern monitoring system

After the talk the audience will hopefully be:

* Scared of putting things on the internet
* Wanting to install a few simple tools that provide some protection
* Aware of a number of penetration testing tools they can use with their monitoring systems

Gareth Rushgrove

September 20, 2013

Transcript

  1. Security Monitoring: Penetration testing meets monitoring. Gareth Rushgrove

  2. Who (Who is this person?)

  3. @garethr

  4. UK Government Digital Service

  5. None
  6. How did it come to this, that the government has one of the most exciting start-ups in the UK?!
  7. None
  8. None
  9. Last code I wrote

  10. None
  11. The Problem (Why talk about security monitoring)

  12. The continuous delivery argument

  13. How often do you change your applications?

  14. How often do you conduct penetration tests?

  15. The "security is part of quality assurance" argument

  16. Testing used to be manual, slow and expensive

  17. Testing is now automated, fast and done on every commit

  18. Security testing is still mainly manual, slow and expensive
  19. This presentation (What to expect from this talk)

  20. (1) Reactive security monitoring

  21. (2) Proactive security testing

  22. (3) Community efforts

  23. Reactive monitoring (Mitigate attacks)

  24. rkhunter

  25. None

  26. rkhunter \
        --check \
        --no-mail-on-warning \
        --skip-keypress

  27. Tuxtendo Rootkit                                    [ Not found ]
      URK Rootkit                                         [ Not found ]
      Vampire Rootkit                                     [ Not found ]
      VcKit Rootkit                                       [ Not found ]
      Volc Rootkit                                        [ Found ]
      Xzibit Rootkit                                      [ Not found ]
      X-Org SunOS Rootkit                                 [ Not found ]
      zaRwT.KiT Rootkit                                   [ Not found ]
      ZK Rootkit                                          [ Not found ]

      Performing additional rootkit checks
      Suckit Rookit additional checks                     [ OK ]
      Checking for possible rootkit files and directories [ None found ]
      Checking for possible rootkit strings               [ None found ]

  28. None

  29. None

  30. rkhunter \
        --check \
        --nocolors \
        --no-mail-on-warning \
        --skip-keypress \
        --no-summary | rkhunter-librato.py

  31. None

  32. None

  33. def test_beastkit_not_installed():
          assert metric("beastkit_rootkit") == 0

  34. >> nosetests -v rkhunter-librato-test.py
      rkhunter-librato-test.test_beastkit_not_installed ... ok
      ---------------------------------------------------------
      Ran 1 test in 1.585s

      OK
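
The glue between slides 30 and 33 is the part the deck does not show: something has to turn rkhunter's text output into per-check gauge values before a test like `metric("beastkit_rootkit") == 0` can be written. The module below is an added example, not the speaker's rkhunter-librato.py (whose source is not on this page). It parses the `--nocolors --no-summary` output line by line into 0 (clean) or 1 (Found or Warning) per check, in the snake_case names the slide-33 test uses. The sample output is constructed from the slide-27 lines plus a Beastkit line, and `metric()`, `parse_rkhunter()` and `found_checks()` are names chosen here; a real exporter would feed the same dict to a metrics service instead of printing it.

```python
import re

# Constructed sample, modelled on the rkhunter lines shown on slide 27
# (plus a Beastkit line so the slide-33 test has something to look up).
SAMPLE_OUTPUT = """\
Checking for rootkits...
  Beastkit Rootkit                                [ Not found ]
  Tuxtendo Rootkit                                [ Not found ]
  URK Rootkit                                     [ Not found ]
  Volc Rootkit                                    [ Found ]
  ZK Rootkit                                      [ Not found ]
Performing additional rootkit checks
  Suckit Rookit additional checks                 [ OK ]
  Checking for possible rootkit files and directories [ None found ]
  Checking for possible rootkit strings           [ Warning ]
"""

# One rkhunter result line: a description, then a bracketed status.
LINE_RE = re.compile(r"^\s*(?P<check>.+?)\s+\[ (?P<status>[^\]]+?) \]\s*$")

# Statuses that mean "something is wrong" and should become a non-zero gauge.
BAD_STATUSES = {"found", "warning"}


def metric_name(check):
    """Turn 'Volc Rootkit' into 'volc_rootkit' (lowercase, non-alphanumerics to '_')."""
    return re.sub(r"[^a-z0-9]+", "_", check.lower()).strip("_")


def parse_rkhunter(text):
    """Map every rkhunter check line to 0 (clean) or 1 (found / warning).

    Lines without a bracketed status (section headers, progress text) are
    ignored, so the result only contains checks rkhunter actually ran.
    """
    metrics = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        status = m.group("status").strip().lower()
        metrics[metric_name(m.group("check"))] = 1 if status in BAD_STATUSES else 0
    return metrics


def metric(name, text=SAMPLE_OUTPUT):
    """Assumed helper with the shape used on slide 33: one gauge value by name.

    A missing check is an error rather than a silent 0, so a renamed or
    removed check cannot make a test pass by accident.
    """
    metrics = parse_rkhunter(text)
    if name not in metrics:
        raise KeyError("rkhunter did not report a check named %r" % name)
    return metrics[name]


def found_checks(text=SAMPLE_OUTPUT):
    """Names of every check that reported Found or Warning, for alerting."""
    return sorted(n for n, v in parse_rkhunter(text).items() if v == 1)


def test_beastkit_not_installed():
    assert metric("beastkit_rootkit") == 0


if __name__ == "__main__":
    for name, value in sorted(parse_rkhunter(SAMPLE_OUTPUT).items()):
        print("rkhunter.%s %d" % (name, value))
```

Run against the constructed sample, the Volc line and the rootkit-strings warning are the two checks `found_checks()` reports, while `test_beastkit_not_installed()` passes exactly as on slide 34.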
  35. Nginx Naxsi

  36. Web Application Firewall

  37. None

  38. SecRulesEnabled;
      DeniedUrl "/RequestDenied";
      CheckRule "$SQL >= 8" BLOCK;
      CheckRule "$RFI >= 8" BLOCK;
      CheckRule "$TRAVERSAL >= 4" BLOCK;
      CheckRule "$EVADE >= 4" BLOCK;
      CheckRule "$XSS >= 8" BLOCK;

  39. 2013/09/18 08:59:57 [error] 891#0: *6 NAXSI_FMT: ip=192.168.50.20&server=victim&uri=/pictures/search.php&total_processed=14&total_blocked=7&zone0=ARGS&id0=1007&var_name0=query, client: 192.168.50.20, server: localhost, request: "GET /pictures/search.php?query=--%3E+%3Csome_dangerous_input_a1056fd2f0ffbb7f18fec9bd33257e12ab5e0494b33011967bcbcbc5699408eb%2F%3E+%3C%21-- HTTP/1.1", host: "victim"

  40. id0=1007

  41. SQL Injection

  42. None

  43. grok {
        type => "nginx_error"
        match => ["message", " ip=%{IP:client_ip}&server=%{IPORHOST:server}&uri=%{PATH:uri}&total_processed=%{NUMBER:total_processed}&total_blocked=%{NUMBER:total_blocked}&zone0=%{WORD:zone}&id0=%{NUMBER:id}"]
      }

  44. None

  45. Fail2Ban

  46. None

  47. [ssh]
      enabled  = true
      port     = ssh
      filter   = sshd
      logpath  = /var/log/auth.log
      maxretry = 3

      [ssh-ddos]
      enabled  = true
      port     = ssh
      filter   = sshd-ddos
      logpath  = /var/log/auth.log
      maxretry = 6

  48. [ssh-ddos] Ban 192.168.50.20

  49. [nginx-naxsi]
      enabled  = true
      port     = http,https
      filter   = nginx-naxsi
      logpath  = /var/log/nginx/*error.log
      maxretry = 2

  50. grok {
        type => "naxsi_fail2ban"
        match => ["message", "WARNING \[nginx-naxsi\] %{WORD:action} %{IP:ip}"]
      }
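
The two grok patterns (slide 43 for the NAXSI_FMT line, slide 50 for the Fail2Ban ban line) are the whole pipeline from WAF event to metric, so here is the same extraction as an added, self-contained Python example rather than Logstash configuration; it is not the speaker's code. The naxsi pattern deliberately accepts a hostname in `server=` because the slide-39 line itself carries `server=victim`, and the Fail2Ban pattern captures the jail name instead of hard-coding `nginx-naxsi`, which is a generalisation of the slide. The log lines are constructed (the first naxsi line is a copy of slide 39 with the request shortened; the rule id 1000 in the second line is a placeholder, not a value from the page), and `summarise()` shows the counters you would ship to a monitoring system: blocks per client address, blocks per naxsi rule id, bans per jail.

```python
import re
from collections import Counter

# Constructed sample lines. The first is a copy of the NAXSI_FMT line on
# slide 39 (request shortened); the second is invented to show a second rule
# id (1000 is a placeholder, not a value taken from the page); the third is
# an ordinary nginx error line that the parser must ignore.
NAXSI_LINES = [
    '2013/09/18 08:59:57 [error] 891#0: *6 NAXSI_FMT: ip=192.168.50.20&server=victim'
    '&uri=/pictures/search.php&total_processed=14&total_blocked=7&zone0=ARGS&id0=1007'
    '&var_name0=query, client: 192.168.50.20, server: localhost, request: "GET '
    '/pictures/search.php?query=--%3E+%3Csome_dangerous_input%2F%3E+%3C%21-- HTTP/1.1", host: "victim"',
    '2013/09/18 09:00:03 [error] 891#0: *7 NAXSI_FMT: ip=192.168.50.20&server=victim'
    '&uri=/pictures/search.php&total_processed=15&total_blocked=8&zone0=ARGS&id0=1000'
    '&var_name0=query, client: 192.168.50.20, server: localhost, request: "GET '
    '/pictures/search.php?query=x HTTP/1.1", host: "victim"',
    '2013/09/18 09:00:10 [error] 891#0: *8 open() "/var/www/missing" failed (2: No such file or directory)',
]

# Constructed Fail2Ban log lines in the fail2ban.actions format that the
# slide-48 message "[ssh-ddos] Ban 192.168.50.20" is taken from.
FAIL2BAN_LINES = [
    '2013-09-18 09:00:05,123 fail2ban.actions: WARNING [nginx-naxsi] Ban 192.168.50.20',
    '2013-09-18 09:10:05,456 fail2ban.actions: WARNING [nginx-naxsi] Unban 192.168.50.20',
    '2013-09-18 09:11:00,789 fail2ban.actions: WARNING [ssh-ddos] Ban 192.168.50.21',
]

# Python equivalent of the slide-43 grok pattern. server= may be a hostname
# (the slide's own log line has server=victim); only the first zone/id pair
# is captured, as on the slide.
NAXSI_RE = re.compile(
    r"NAXSI_FMT: ip=(?P<client_ip>[\d.]+)&server=(?P<server>[^&]+)&uri=(?P<uri>[^&]+)"
    r"&total_processed=(?P<total_processed>\d+)&total_blocked=(?P<total_blocked>\d+)"
    r"&zone0=(?P<zone>\w+)&id0=(?P<id>\d+)"
)

# Python equivalent of the slide-50 grok pattern, generalised to capture the
# jail name instead of hard-coding nginx-naxsi.
FAIL2BAN_RE = re.compile(r"WARNING \[(?P<jail>[\w-]+)\] (?P<action>\w+) (?P<ip>[\d.]+)")


def parse_naxsi(line):
    """Return the NAXSI_FMT fields as a dict, or None for non-naxsi lines."""
    m = NAXSI_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("total_processed", "total_blocked", "id"):
        fields[key] = int(fields[key])
    return fields


def parse_fail2ban(line):
    """Return jail, action and ip for a Fail2Ban action line, else None."""
    m = FAIL2BAN_RE.search(line)
    return m.groupdict() if m else None


def summarise(naxsi_lines, fail2ban_lines):
    """Count blocked requests per client ip and per rule id, and bans per jail."""
    by_ip, by_rule, bans = Counter(), Counter(), Counter()
    for line in naxsi_lines:
        hit = parse_naxsi(line)
        if hit:
            by_ip[hit["client_ip"]] += 1
            by_rule[hit["id"]] += 1
    for line in fail2ban_lines:
        event = parse_fail2ban(line)
        if event and event["action"] == "Ban":   # Unban lines are not counted
            bans[event["jail"]] += 1
    return {"blocks_by_ip": dict(by_ip), "blocks_by_rule": dict(by_rule), "bans_by_jail": dict(bans)}


if __name__ == "__main__":
    print(summarise(NAXSI_LINES, FAIL2BAN_LINES))
```

Counting per rule id is what makes slide 40 actionable: a spike in `id0=1007` blocks from many clients reads differently from one client tripping every rule, and the per-jail ban count tells you whether Fail2Ban actually reacted to the WAF log.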
  51. Auditd

  52. Auditd in less than 2 minutes. Maybe.

  53. -a exit,always -S mkdir

  54. type=CWD msg=audit(1379493067.779:57): cwd="/tmp"
      type=PATH msg=audit(1379493067.779:57): item=0 name="vagrant-puppet" inode=20 dev=fc:00 mode=041777 ouid=0 ogid=0 rdev=00:00
      type=SYSCALL msg=audit(1379493067.779:58): arch=c000003e syscall=83 success=yes exit=0 a0=7fff172d0e5e a1=1ed a2=1ed a3=7fff172cf910 items=2 ppid=1239 pid=1241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="mkdir" exe="/bin/mkdir" key=(null)
      type=CWD msg=audit(1379493067.779:58): cwd="/tmp/vagrant-puppet"

  55. cwd="/tmp"

  56. syscall=83

  57. sys_symlink

  58. None

  59. comm="mkdir"

  60. cwd="/tmp/vagrant-puppet"
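
Slides 54 to 60 pick individual fields out of the audit records by eye; a monitoring check has to do the same mechanically, and the two things that trip people up are that one event spans several records (joined by the serial number inside `msg=audit(timestamp:serial)`) and that `syscall=83` is only a number until it is resolved against the architecture in `arch=`. On x86_64 (`arch=c000003e`, the value in the slide-54 record) 83 is `mkdir`, which is what the rule on slide 53 and `comm="mkdir"` say; 83 is `symlink` on 32-bit i386, so a lookup that ignores the arch field names the wrong call. The example below is added here and is not the speaker's code: it groups the constructed copy of the slide-54 records by serial, resolves the syscall with a small per-arch subset of the tables that `ausyscall` uses, and emits one summary per SYSCALL event. The table contents and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed copy of the four auditd records shown on slide 54.
AUDIT_LOG = """\
type=CWD msg=audit(1379493067.779:57): cwd="/tmp"
type=PATH msg=audit(1379493067.779:57): item=0 name="vagrant-puppet" inode=20 dev=fc:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1379493067.779:58): arch=c000003e syscall=83 success=yes exit=0 a0=7fff172d0e5e a1=1ed a2=1ed a3=7fff172cf910 items=2 ppid=1239 pid=1241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="mkdir" exe="/bin/mkdir" key=(null)
type=CWD msg=audit(1379493067.779:58): cwd="/tmp/vagrant-puppet"
"""

# Small subset of the syscall tables, keyed by the audit arch value. 83 is
# mkdir on x86_64 (arch=c000003e) but symlink on 32-bit i386 (arch=40000003),
# so the number has to be resolved per architecture, as ausyscall does.
SYSCALL_NAMES = {
    "c000003e": {83: "mkdir", 84: "rmdir", 88: "symlink"},  # x86_64
    "40000003": {39: "mkdir", 40: "rmdir", 83: "symlink"},  # i386
}

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


def parse_record(line):
    """Parse one audit record into a dict; msg=audit(...) becomes ts and serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    record = {"ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, quoted, bare in FIELD_RE.findall(line):
        if key != "msg":
            record[key] = quoted if quoted else bare
    return record


def group_events(text):
    """Group records by serial: every record of one event shares the same serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        record = parse_record(line)
        if record:
            events[record["serial"]].append(record)
    return dict(events)


def syscall_name(arch, number):
    """Resolve a syscall number for the given audit arch value."""
    return SYSCALL_NAMES.get(arch, {}).get(number, "unknown(%d)" % number)


def describe_syscall_events(text):
    """One summary per event that carries a SYSCALL record: who ran what, and where."""
    summaries = []
    for serial, records in sorted(group_events(text).items()):
        by_type = {r["type"]: r for r in records}  # last record of each type wins
        sc = by_type.get("SYSCALL")
        if not sc:
            continue
        summaries.append({
            "serial": serial,
            "syscall": syscall_name(sc["arch"], int(sc["syscall"])),
            "comm": sc["comm"],
            "exe": sc["exe"],
            "uid": int(sc["uid"]),
            "success": sc["success"] == "yes",
            "cwd": by_type.get("CWD", {}).get("cwd"),
        })
    return summaries


if __name__ == "__main__":
    for s in describe_syscall_events(AUDIT_LOG):
        print("%(serial)s uid=%(uid)s %(comm)s -> %(syscall)s in %(cwd)s" % s)
```

Event 57 in the sample has only CWD and PATH records, so it is grouped but produces no summary; event 58 resolves to `mkdir` run as uid 0 in `/tmp/vagrant-puppet`, which is the line a monitoring system would count against the slide-53 rule.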

  61. Aside: penetration testing tools (State of open source)

  62. Skipfish, nikto, w3af, garmr, sslyze, owasp zap, arachni, sqlmap, sslscan, TLSSLed, slowhttptest, DIRB, SQLiBF

  63. BackTrack

  64. The problem with distributing software as a Linux distribution

  65. Configuration management + Vagrant

  66. Penetration testing tools

  67. Vulnerable web apps

  68. Source code

  69. Puppet module

  70. Proactive monitoring (Attack yourself)

  71. None

  72. nmap monitorama.eu

  73. Starting Nmap 5.21 ( http://nmap.org ) at 2013-09-18 15:09 BST
      Nmap scan report for monitorama.eu (141.101.116.49)
      Host is up (0.17s latency).
      Hostname monitorama.eu resolves to 2 IPs. Only scanned 141.101.116.49
      Not shown: 998 filtered ports
      PORT     STATE SERVICE
      80/tcp   open  http
      8080/tcp open  http-proxy

      Nmap done: 1 IP address (1 host up) scanned in 24.18 seconds

  74. None

  75. it "should have one port open" do
        @host.open_ports.should have(1).items
      end

  76. None

  77. 1) the monitorama.eu website should have one port open
         Failure/Error: @host.open_ports.should have(1).items
           expected 1 items, got 2

      Finished in 8.99 seconds
      1 example, 1 failure
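
Slide 75 asserts a count of open ports, and slide 77 shows why that is a thin check: it fails, but you have to read the nmap output to learn that 8080/tcp is the extra one. As an added example (not the speaker's Ruby spec, whose `@host` helper is not on this page), the Python below parses nmap's normal output into the set of open ports, diffs it against an allowlist, and reports both unexpected and missing ports in a Nagios-style exit code, which is the form a monitoring system can consume directly. The nmap output is a constructed copy of slide 73; the allowlist of `80/tcp` follows from slide 75's expectation of one open port; the function names are mine.

```python
import re

# Constructed copy of the nmap output shown on slide 73.
NMAP_OUTPUT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2013-09-18 15:09 BST
Nmap scan report for monitorama.eu (141.101.116.49)
Host is up (0.17s latency).
Hostname monitorama.eu resolves to 2 IPs. Only scanned 141.101.116.49
Not shown: 998 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 24.18 seconds
"""

# One row of nmap's port table, e.g. "80/tcp   open  http".
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)", re.M)


def scanned_host(output):
    """The host nmap reported on, or None if the output has no report line."""
    m = re.search(r"^Nmap scan report for (\S+)", output, re.M)
    return m.group(1) if m else None


def open_ports(output):
    """The set of 'port/proto' entries nmap reported as open."""
    return {"%s/%s" % (m.group("port"), m.group("proto"))
            for m in PORT_RE.finditer(output) if m.group("state") == "open"}


def check_exposure(output, expected):
    """Compare open ports with an allowlist: anything extra is exposure,
    anything missing is a service that should be up but is not."""
    found = open_ports(output)
    expected = set(expected)
    return {"unexpected": sorted(found - expected), "missing": sorted(expected - found)}


def nagios_status(result):
    """Map a check_exposure result to a Nagios-style (exit code, message) pair."""
    if result["unexpected"]:
        return 2, "CRITICAL: unexpected open ports %s" % ", ".join(result["unexpected"])
    if result["missing"]:
        return 1, "WARNING: expected ports not open %s" % ", ".join(result["missing"])
    return 0, "OK: only expected ports are open"


if __name__ == "__main__":
    code, message = nagios_status(check_exposure(NMAP_OUTPUT, ["80/tcp"]))
    print("%s: %s" % (scanned_host(NMAP_OUTPUT), message))
    raise SystemExit(code)
```

With the slide's output and an allowlist of `80/tcp` the check exits 2 and names `8080/tcp`, which is the information slide 77's "expected 1 items, got 2" leaves out; a missing expected port is only a warning, since that is an availability problem rather than an exposure.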
  78. Arachni

  79. None

  80. Web application security scanner

  81. arachni http://monitorama.eu --modules=xss

  82. [+] 2 issues were detected.

      [+] [1] Trusted -- Cross-Site Scripting (XSS)
      [~] ~~~~~~~~~~~~~~~~~~~~
      [~] ID Hash:
      [~] Severity: High
      [~] URL: http://victim/pictures/search.php
      [~] Element: form
      [~] Method: GET
      [~] Tags: xss, regexp, injection, script
      [~] Variable: query
      [~] Description:
      [~] Client-side code (like JavaScript) can be injected
          into the web application which is then returned to
          the user's browser. This can lead to a compromise
          of the client's system or serve as a pivoting
          point for other attacks.

  83. Gauntlt

  84. None

  85. Cucumber + security tool integrations

  86. Officially supports curl, nmap, sslyze, sqlmap, garmr

  87. None

  88. $ gauntlt methods.attack

  89. None

  90. Support in master: dirb, arachni

  91. None

  92. $ gauntlt xss.attack

  93. Conclusions (You convinced me, now what?)

  94. (1) Use penetration tests to discover how attackers work

  95. (2) Use security monitoring to build and maintain checklists

  96. (3) Share common configuration patterns

  97. (4) Help with packaging and configuration management

  98. (5) Help integrate security tools with monitoring systems

  99. (6) Get security together with developers and operations

  100. Questions? (And thanks for listening)