Is your server secure?

1 Overview

Before my company's server was actually attacked, I always thought of "hacker" as a distant word. Only after I became a victim myself did I suddenly realize how important security is. I have gathered some basic experience and results and am sharing them with colleagues.

2 Brute-Force Methods

The crudest form of attack exploits the computer's enormous computational advantage over humans: brute-force cracking. A server generally provides no interactive interface, and to make automatic connections and integration with other programs convenient, no Turing-test captcha is set up. Under these conditions a server is naturally open to brute forcing.

The main brute-force methods are as follows:

3 Asset Collection

In the field of server penetration, so-called asset collection means obtaining the server's domain name, IP address and other relevant information; it is the most basic requirement for acquiring a penetration target. There are many methods of asset collection, including social engineering, computer information retrieval and hybrid methods.

  • Social engineering approaches start with insiders, using inducements or bribes to obtain information
  • Computer information retrieval uses tools to retrieve and analyze publicly available information, such as business registration and domain name records
  • Mixed methods study internal personnel, observe their social network behavior, obtain retrieval clues from email addresses, QQ numbers and so on, and gradually clarify the assets

This is a "battlefield" with a single purpose: obtaining information about the server assets.

How harsh this field can be is shown by an earlier case at a national research institute, where the seller of important data to foreign spies was sentenced to death. Of course, most ordinary people cannot reach that level, so the experiments here are carried out at an ordinary technical level.

For example, obtaining the server information of a specified enterprise.

First-level clues:

  • The enterprise name
  • The corporate website

Anyone can obtain an enterprise's detailed business registration information on Qixinbao from its name.

Example: Alibaba

For small companies, especially small start-ups, the company's domain name is generally registered in the name of the founder or a co-founder. Of course, we generally do not use this name to search for the company's domain name, since too many people share the same name; it is used instead to verify the result of the domain name lookup.

Any company will certainly have an official website, and the official website has a domain name. Through any domain name reverse lookup platform, such as:

http://whois.chinaz.com/

the relevant information can be found:

  • Name of the domain name holder (can be checked against the personnel of the enterprise identified earlier)
  • Registration time and expiration time
  • Telephone number, address and email

It is possible to dig deeper and find more clues through the phone number, address or email, but that is not the topic of this article.

With a WHOIS reverse lookup platform, you can find more related domain names and then screen them to get the ones that belong to this enterprise.

Network tools such as ping or traceroute can be used to find the server's IP address and the network node diagram.

Of course, if internal personnel are doing the penetration test themselves, there is no such trouble: they can simply ask the operations and maintenance staff for the list of server assets.

4 Port Scanning

Once you have the list of server assets, you can scan the services running on each server. Basically all servers use IP + port as the service address for providing services externally.

Common tools such as nmap can scan the ports exposed on a server. The following is a scan of a security test server on the intranet:

It is obvious which services are running on the server:

  • ftp
  • ssh
  • dnsmasq
  • web-http
  • Mongo server
  • mysql
  • redis
  • other

With this information in hand, there is more to do:

  • SSH password brute forcing: it is estimated that the root account passwords of many novice users would fall. If this layer is breached, the server becomes a zombie ("meat machine"), and operating system and file system permissions are obtained

  • FTP password brute forcing: anonymous login accounts will be affected, and accounts with simple passwords fall prey to this trick. Files on the FTP server can be viewed, and on some servers where permissions have not been set, the whole server root directory can be obtained through this port

  • If the web password is broken and web permissions are not properly configured, an executable file may be uploaded through the web back end and shell scripts executed, obtaining all server permissions indirectly

  • After a database password is brute forced, the impact is also considerable

In general:

  • Inexperienced developers have no sense of system security, and the server is full of vulnerabilities
  • The servers a company uses for testing, without sufficient security awareness and investment, often become the breakthrough point

Based on the information obtained above, many servers can be penetrated quite thoroughly. Too many people in the world put their services on the public network without sufficient security awareness.
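The defender's view of the same port scan, as an added example that is not part of the original post: a small POSIX shell audit that reads the output of `ss -H -tlnp` on the server itself, lists every listener not bound to loopback, and flags the ones outside an allowlist of ports that are meant to be public. The sample `ss` output and the allowlist (22 and 80) are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of `ss -H -tlnp` output from a test server running the
# same services as the scan above (hypothetical data, not from the post).
SAMPLE='LISTEN 0 128 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=811,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 128 127.0.0.1:27017 0.0.0.0:* users:(("mongod",pid=1201,fd=11))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1300,fd=20))
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=1400,fd=6))
LISTEN 0 128 *:80 *:* users:(("nginx",pid=1500,fd=6))
LISTEN 0 128 [::1]:53 [::]:* users:(("dnsmasq",pid=700,fd=5))'

# Ports meant to be reachable from outside (assumption: SSH and the HTTP proxy).
PUBLIC_PORTS="22 80"

# Read ss output on stdin; print "port process" for every listener that is not
# bound to a loopback address (0.0.0.0, *, [::] or a real interface address).
exposed_listeners() {
  awk '$1 == "LISTEN" {
    n = split($4, parts, ":")
    port = parts[n]
    host = substr($4, 1, length($4) - length(port) - 1)
    if (host ~ /^127\./ || host == "[::1]") next
    proc = "unknown"
    # the process name sits inside users:(("name",pid=...)); trim the wrapper
    if (match($0, /users:\(\("[^"]+"/))
      proc = substr($0, RSTART + 9, RLENGTH - 10)
    print port, proc
  }'
}

# Exposed listeners that are not on the public allowlist: these should bind to
# the intranet address or loopback instead, or be blocked by the host firewall.
unexpected_exposure() {
  exposed_listeners | while read -r port proc; do
    case " $PUBLIC_PORTS " in
      *" $port "*) ;;
      *) echo "$port $proc" ;;
    esac
  done
}

# Number of lines a filter produces when fed the constructed sample.
count_sample() {
  printf '%s\n' "$SAMPLE" | "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report the unexpected exposures in the sample.
printf '%s\n' "$SAMPLE" | unexpected_exposure
```

On a real server, replace the sample with `ss -H -tlnp | unexpected_exposure`; in the sample, FTP, MySQL and Redis are reported, while MongoDB and dnsmasq are already bound to loopback.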


5 Preventive Measures

The best approach is to disguise the services on your own server as well as possible. The main means are:

  • Disable ICMP, so that others cannot obtain a view of the network topology with network tools
  • Prohibit access from public IP addresses between the servers on the LAN
  • Do not give outsiders access to information that does not need to be public
  • Put an external proxy in front of the servers so that not too much port information is exposed
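The first three measures expressed as a host firewall, as an added example (not from the original post): a shell script that emits an nftables ruleset in which internal ports accept connections only from intranet addresses, port 80 is the only public service, and ping probes go unanswered. The intranet range 10.0.0.0/24 and the port list are assumptions; the ruleset keeps the error-reporting ICMP types, because dropping those as well breaks path MTU discovery and IPv6 neighbour discovery.

```shell
#!/bin/sh
# nftables host firewall for the layout described above. Assumptions for
# this example: the intranet is 10.0.0.0/24 and the reverse proxy on port 80
# is the only public-facing service.
INTRANET="10.0.0.0/24"
INTRANET_PORTS="22, 3306, 6379, 27017"

# Emit the ruleset as text so it can be reviewed or syntax-checked first.
build_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # SSH, MySQL, Redis and MongoDB only from intranet addresses; the same
    # ports reached through a public address fall through to the drop policy
    ip saddr $INTRANET tcp dport { $INTRANET_PORTS } accept
    # the one service exposed to the public: the Nginx reverse proxy
    tcp dport 80 accept
    # ping and traceroute probes from outside get no answer
    icmp type echo-request drop
    icmpv6 type echo-request drop
    # but the error-reporting types stay, otherwise path MTU discovery
    # and IPv6 neighbour discovery break
    icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert } accept
  }
}
EOF
}

# Check the syntax without loading (needs the nft tool, no root).
check_ruleset() {
  build_ruleset | nft -c -f -
}

# Load the ruleset (needs root).
apply_ruleset() {
  build_ruleset | nft -f -
}

case "${1:-}" in
  check) check_ruleset ;;
  apply) apply_ruleset ;;
  *) build_ruleset ;;
esac
```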

Of course, many developers will find this very inconvenient, especially in start-ups: if too much effort goes into security early on, and the expensive manpower originally meant for product development is spent here, it is not cost-effective. This is a common contradiction in early-stage enterprises.

So there are these two demands:

  • Development servers hide their ports
  • Developers can still access the corresponding database from their own machines, to conveniently view data during development and debugging

This article proposes an intermediate proxy mode to meet both demands.

5.1 Production Configuration Diagram

A typical Web application has a database server, a Web application server, and a reverse proxy server (Nginx), as shown below:

Among them:

  • The Web server connects to the database server through an Intranet IP address and port
  • The Nginx server connects to the Web server through an Intranet IP address and port
  • Only port 80 of the Web service is exposed for customer access

In general, servers that do not need to provide external services are well isolated from the public network.

5.2 Development Configuration Diagram

During development and debugging, the following mode can be used to connect to the database via a public network server:

5.3 Method Summary

The port mapping approach above is based on proxy mapping: an intermediary delivers the messages, and the internal system remains a black box. Security personnel can then concentrate on guarding the gate; after all, guarding a gate is much easier than guarding a large manor with a radius of ten kilometers.

A similar method can be used for SSH logins to the management server. To log in to other servers in the cluster, a developer must first log in to an intermediate server and then reach the other servers' intranet through it.
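The intermediate-server mode of 5.2 and 5.3 in concrete form, as an added example that is not the article's own configuration: the developer's `~/.ssh/config` reaches intranet hosts with ProxyJump through the gate, the gate's `sshd_config` limits developers to forwarding only to the web server's SSH port and the database port, and the tunnel command maps the intranet database port onto the developer's machine. The host names, addresses, user names and group are assumptions.

```shell
#!/bin/sh
# Hypothetical hosts for this example (not from the original post):
#   gate.example.com  the intermediate server, the only host with a public SSH port
#   10.0.0.10         intranet address of a web application server
#   10.0.0.20         intranet address of the database server
GATE_HOST="gate.example.com"
WEB_INTRANET="10.0.0.10"
DB_INTRANET="10.0.0.20"
DB_PORT=3306
LOCAL_PORT=13306

# Client side (~/.ssh/config): intranet servers are reached with ProxyJump
# through the gate, so none of them needs a public SSH port.
client_ssh_config() {
  cat <<EOF
Host gate
    HostName $GATE_HOST
    User dev
    IdentityFile ~/.ssh/id_ed25519

Host web1
    HostName $WEB_INTRANET
    User dev
    ProxyJump gate
EOF
}

# Gate side (sshd_config): developers may only open connections to the web
# server's SSH port and the database port; nothing else passes through.
gate_sshd_config() {
  cat <<EOF
Match Group developers
    AllowTcpForwarding yes
    PermitOpen $WEB_INTRANET:22 $DB_INTRANET:$DB_PORT
    AllowAgentForwarding no
    X11Forwarding no
EOF
}

# The developer's tunnel: the intranet database port is mapped to a port on
# the local machine; -N asks for forwarding only, no remote shell.
db_tunnel_cmd() {
  printf 'ssh -N -L 127.0.0.1:%s:%s:%s gate\n' "$LOCAL_PORT" "$DB_INTRANET" "$DB_PORT"
}

# With the tunnel up, the client talks to localhost as if the database were local:
#   mysql -h 127.0.0.1 -P 13306 -u app -p
db_tunnel_cmd
```

The database server itself should listen only on its intranet address, so the tunnel through the gate is the only way a developer's machine can reach it.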

After all, the deeper you hide, the safer and easier it is. There is no need to go to extra trouble, even if the technology is perfect.

6 Summary

For those who specialize in the security industry, the knowledge above is presumably a natural part of their knowledge reserve. The main purpose of the penetration steps in this article is to warn developers and, through some security recommendations for server deployment, help them develop good habits and prevent future problems.

This article is just a beginning. It only proposes one feasible method of port masquerading against server port scanning. Follow-up topics will include:

  • Prevention of password brute forcing
  • Server permission control, preventing small vulnerabilities from leading to big problems
  • Others

Warning: the ideas and methods in this article are only for learning and internal penetration testing. Do not attack external servers; otherwise you will be investigated under the law and bear the consequences.