FAQ

From: Larry Vaden <vaden at texoma.net>
Date: Sun, Jan 23, 2011 at 8:03 PM
Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?
Our site running Centos 4.8 and 5.5 name servers was hacked with
the result that www.yahoo.com is now within our /19 and causing
some grief.
Don't understand what you mean by 'within our /19'. Have your IP ranges
changed? If your Bind date is corrupt, why not re-install Centos and
then restore the domains data from one of your regular backups?

Is it a wise business decision to use C 4.8 instead of C 5 or the latest
which is C 5.5 ?
Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the
search facility at centos.org. However, it is obvious from said
searches that Mandriva upgraded last year.
I believe C6 will include an updated Bind.
An attempt to install bind-9.7.2-P3 from source yields the warning
below the sig for both 4.8 and 5.5 machines.
WARNING WARNING WARNING WARNING WARNING ..........

Your OpenSSL crypto library may be vulnerable to .....
one or more of the the following known security ....
flaws:

CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
CVE-2006-2940.

It is recommended that you upgrade to OpenSSL
version 0.9.8d/0.9.7l (or greater).
Well, on my C 5.5 desktop my OpenSSL is (yum info openssl)

Name : openssl
Arch : x86_64
Version : 0.9.8e
Release : 12.el5_5.7
Size : 3.4 M

The same version for i686.

Larry, why can't you install the latest OpenSSL ?

On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3)

If you really need the latest Bind and can not wait about a month for C6
why don't you use a different flavour of Linux? In business one can not
be too sentimental and difficult decisions have to be made all the time.


With best regards,

Paul.
England,
EU.

Search Discussions

  • Larry Vaden at Feb 18, 2011 at 5:17 pm

    On Fri, Feb 18, 2011 at 3:15 PM, Always Learning wrote:
    Don't understand what you mean by 'within our /19'. Have your IP ranges
    changed? ?If your Bind date is corrupt, why not re-install Centos and
    then restore the domains data from one of your regular backups?
    Our network consists of aaa.bbb.ccc.0/19. That's CIDR notation for
    8,192 addresses.
    Is it a wise business decision to use C 4.8 instead of C 5 or the latest
    which is C 5.5 ?
    IMHO, fully updated purpose-built servers running 4.8 should have more
    or less the same vulnerablity profile as 5.5 IFF RH is doing a good
    job of backporting security fixes.

    I am supported in that statement by my mentor at FedEx but NOT by my
    mentor at Internet2.

    The open ?s about human error wrt the SRPMs in SL6 could arguably lead
    to a different conclusion.

    I believe C6 will include an updated Bind.
    Yes, it will be based on a later release.
    Larry, why can't you install the latest OpenSSL ?
    We installed openssl-1.0.0c Jan 23 20:30 27 minutes after filing the
    original post IIRC.

    kind regards/ldv/vaden at texoma.net
  • James Hogarth at Feb 18, 2011 at 5:37 pm

    Our network consists of aaa.bbb.ccc.0/19. ?That's CIDR notation for
    8,192 addresses.
    But what has that got to do with "www.yahoo.com moved into our /19"
    .... your comment is pretty unclear.
    IMHO, fully updated purpose-built servers running 4.8 should have more
    or less the same vulnerablity profile as 5.5 IFF RH is doing a good
    job of backporting security fixes.
    Why are you so sure it was a bind issue? What logs/research has come
    to that conclusion?

    Would bind 9.7 really have helped you if you were hacked or was your
    vulnerability elsewhere - and if so where? Was this the same server
    that you posted where you had mangled the install with force
    reinstalling rpms from SL and/or oracle that you posted about before
    for instance?

    I am supported in that statement by my mentor at FedEx but NOT by my
    mentor at Internet2.
    Your mentor? What do you mean by that?
    We installed openssl-1.0.0c Jan 23 20:30 27 minutes after filing the
    original post IIRC.
    If you were so gung ho about security that you wanted bleeding edge
    bind even newer than current centos 5 why are you so out of date on
    your openssl libraries. Given that you are out of date on those as per
    your previous posts would the currently released bind on rhel5 iff it
    was already on c5 really have been installed? If you were that
    desperate you could have built the srpms yourself.... or taken 9.7
    from c5-testing.

    You have posted the same rubbish over and over without any
    substantiation with wild allegations.

    Post details if you need help or just please stop ranting to no point.

    James
  • Larry Vaden at Feb 18, 2011 at 7:54 pm

    On Fri, Feb 18, 2011 at 4:37 PM, James Hogarth wrote:
    Your mentor? What do you mean by that?
    The same thing Wikipedia says, namely:

    a trusted friend, counselor or teacher, usually a more experienced
    person. Some professions have "mentoring programs" in which newcomers
    are paired with more experienced people, who advise them and serve as
    examples as they advance.

    Joe, Randy and James are my mentors of 15, 5 and 5 years,
    respectively, and all said the same thing, namely "nuke and repave, be
    sure to be current on BIND" since it is a purpose-built box (ns1).

    Since others have asked for details, they are below the sig.

    With 20/20 hindsight, it is clear that I shouldn't have posted the
    original post asking the list for help and hopefully informing other
    potential targets of the risk (read: there were no responses to the
    original post, therefore it was posted to the wrong audience).

    regards/ldv/vaden at texoma.net

    There was no time for forensics at the time of the discovery; just
    time to get advice and react.
    What follows is from a few moments ago.

    ===details===
    ===box was last nuked and repaved Jul 28 2008
    ===much unnecessary software removed Jul 28 2008, 57 tasks active per
    'ps auxw | wc -l'
    ===current nmap (same nmap results as on problem day)
    Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
    Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
    Nmap done: 1 IP address (0 hosts up) scanned in 0.19 seconds
    vaden at turtlehill:/opt$ nmap -A -PN ns1.texoma.net
    Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
    Nmap scan report for ns1.texoma.net (209.151.96.2)
    Host is up (0.0012s latency).
    Not shown: 998 filtered ports
    PORT STATE SERVICE VERSION
    53/tcp open domain
    987/tcp open ssh OpenSSH 3.9p1 (protocol 2.0)
    ssh-hostkey: 1024 36:dc:c8:29:b1:d3:8a:b1:e6:cf:2b:4c:70:ed:c8:9a (DSA)
    _1024 10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52 (RSA)
    Service detection performed. Please report any incorrect results at
    http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
    vaden at turtlehill:/opt$
    ===named.conf security in 2008
    [root at ns1 data]# cat /var/named/chroot/etc/named.conf | more
    ###
    #
    # attribution: By Rob Thomas, noc at cymru.com
    # <http://www.cymru.com/Documents/secure-bind-template.html>
    # -and-
    #
    <http://www.knowplace.org/pages/howtos/split_view_with_bind_9_howto.php>
    #
    # at the behest of
    # Dr. Joe Redacted (redacted1.edu)
    # Dr. Randall Redacted (redacted2.edu)
    ===
    ssh port not on 22
    ===
    distro's standard iptables save ssh port
  • James Hogarth at Feb 18, 2011 at 8:39 pm

    Joe, Randy and James are my mentors of 15, 5 and 5 years,
    respectively, and all said the same thing, namely "nuke and repave, be
    sure to be current on BIND" since it is a purpose-built box (ns1).
    Perhaps is it a difference in language and what you mean by mentor and
    where I would mean old colleague/peer who I have discussed this with.

    They have stated their opinions and you can follow that - but then you
    would be diverging from the point of RHEL somewhat with a custom built
    BIND.

    Remember that the version number you see on BIND is not always the
    equivalent of upstream due to backports. You should check the relevant
    RHEL errata, the package %changelog and CVE to get a better
    understanding of what exploits are known and what has been patched.

    With 20/20 hindsight, it is clear that I shouldn't have posted the
    original post asking the list for help and hopefully informing other
    potential targets of the risk (read: there were no responses to the
    original post, therefore it was posted to the wrong audience).
    Err... this isn't the whole story/truth.

    I just searched your emails on this list. the first reference to bind
    was the 16th feb with the thread "Blasphemous" with complaints (and no
    substance) to Redhat not having current Bind - despite the fact 9.7 is
    in the then released 5.6... you suggested an alt repo "for critical
    internet functions." No where did you indicate you had a name server
    hacked/altered/poisoned... although you pointed out your credit card
    prcessing system was running Redhat linux 7.3 (Valhalla) and was
    nearing 10 years old.... this from someone complaining about teh
    'age'' of BIND in RHEL/CentOS.

    There was no time for forensics at the time of the discovery; just
    time to get advice and react.
    Then you have no way of telling what happened. For future reference a
    better reaction is to isolate the server (whether physical or virtual)
    and put a new system in place to serve the need for it whilst you
    analyze what happened to the previous. Without that knowledge you
    cannot mitigate any issues or discover where the failure was, if any.
    What follows is from a few moments ago.

    ===details===
    ===box was last nuked and repaved Jul 28 ?2008
    ===much unnecessary software removed Jul 28 2008, 57 tasks active per
    'ps auxw | wc -l'
    This is irrelevant to the point at hand.
    ===current nmap (same nmap results as on problem day)
    Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
    Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
    Nmap done: 1 IP address (0 hosts up) scanned in 0.19 seconds
    vaden at turtlehill:/opt$ nmap -A -PN ns1.texoma.net
    Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
    Nmap scan report for ns1.texoma.net (209.151.96.2)
    Host is up (0.0012s latency).
    Not shown: 998 filtered ports
    PORT ? ?STATE SERVICE VERSION
    53/tcp ?open ?domain
    987/tcp open ?ssh ? ? OpenSSH 3.9p1 (protocol 2.0)
    ssh-hostkey: 1024 36:dc:c8:29:b1:d3:8a:b1:e6:cf:2b:4c:70:ed:c8:9a (DSA)
    _1024 10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52 (RSA)
    Service detection performed. Please report any incorrect results at
    http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
    So you have SSH exposed and Domain requests exposed. Not surprising
    but irrelevant in and of itself.
    vaden at turtlehill:/opt$
    ===named.conf security in 2008
    [root at ns1 data]# cat /var/named/chroot/etc/named.conf | more
    ###
    #
    # ?attribution: By Rob Thomas, noc at cymru.com
    # ? ? ? ? ? ? ? <http://www.cymru.com/Documents/secure-bind-template.html>
    # ?-and-
    #
    <http://www.knowplace.org/pages/howtos/split_view_with_bind_9_howto.php>
    #
    # ?at the behest of
    # ?Dr. Joe Redacted (redacted1.edu)
    # ?Dr. Randall Redacted (redacted2.edu)
    ===
    Without adequate details such as whether IP requests were limited to
    your allotted IP addresses and other config details this doesn't help.
    ssh port not on 22
    ===
    This is fundamentally irrelevant. This is a very visible server given
    it is a primary nameserver for you. A simple nmap as you showed above
    presents any potential hacker with the correct port for SSH given a
    targeted attack.
    distro's standard iptables save ssh port
    Perhaps here you made a security mistake and should have configured it
    differently - for example limiting connection attempts, set up
    fail2ban, limit inbound SSH from known IPs for management purposes
    from your corporate network, not had SSH publically visable, etc.
    Without more detail it is impossible to say what went wrong and how
    the system could be potentially secured.

    If you have a specific point of vulnerability you have encountered -
    whether a known CVE or not - I would urge you to open a bugzilla
    ticket with reproducible steps.

    If you got hacked through poor configuration and monitoring then it's
    your own fault quite frankly and perhaps for something you see as such
    a key service you should hire a proper admin and pay for a Redhat
    license so you have an SLA to full back on for bugs. That is what it
    is there for.

    Regardless of the above I urge you to stop posting irrelevant nonsense
    and pushing the signal to noise ratio of the list to such intolerable
    levels.

    James
  • Larry Vaden at Feb 19, 2011 at 12:57 am

    On Fri, Feb 18, 2011 at 7:39 PM, James Hogarth wrote:
    With 20/20 hindsight, it is clear that I shouldn't have posted the
    original post asking the list for help and hopefully informing other
    potential targets of the risk (read: there were no responses to the
    original post, therefore it was posted to the wrong audience).
    Err... this isn't the whole story/truth.
    As a result of "this isn't whole story/truth," I searched GMail and
    Thunderbird and here's what I found:

    1) GMail says I sent a message To: centos at centos.org Sun, 23 Jan 2011
    20:03:22 -0600 Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8
    and 5.5? Message-ID:
    <AANLkTimmNnEs-=oTzp29J3vhGFgvc9pc4eeoJCfOceDZ at mail.gmail.com>
    2) GMail says there was neither a bounce nor a echo post from the mailing list
    3) Thunderbird agrees with Gmail re #2
    4) New to me (see #7, but more likely as a result of the stress of the
    situation of wondering what other big URLs were pointing at leaf
    nodes) is a log entry indicating I got a request for a confirmation
    from centos-request Jan 23 and Jan 26 and a welcome Jan 26
    5) It is possible that I may have unsubscribed from centos but
    apparently not from centos-devel
    6) If I was unsubscribed, it was definitely posted to the wrong list
    7) One nice thing about Alzheimers is that you meet so many new people
    each day and they act like they've known you all your life :)
    8) apologies to the CentOS Community and CentOS Team are due and issued.

    This has been revealing; I used to think that with 9 stents and a
    pacemaker, I could be a stand in on the "6 (read: 1) Million Dollar
    Man" TV show if it ever went into reruns :) Through this experience,
    starting with a hacked or poisoned name server, or, quite frankly, the
    perception of one, I have learned what people really see.

    best regards/ldv/vaden at texoma.net
  • Lamar Owen at Feb 19, 2011 at 10:51 am

    On Saturday, February 19, 2011 12:57:40 am Larry Vaden wrote:
    Through this experience,
    starting with a hacked or poisoned name server, or, quite frankly, the
    perception of one, I have learned what people really see.
    Having a server hacked is one of the worst things that can happen in IT; not of course as bad as a real heart attack, for sure.

    Having a server hacked puts you in a wierd mindset, most certainly.

    If your server was really hacked, I'd start from scratch, and set the new one up more defensively.
  • Larry Vaden at Feb 19, 2011 at 5:37 pm

    On Sat, Feb 19, 2011 at 9:51 AM, Lamar Owen wrote:
    If your server was really hacked, I'd start from scratch, and set the new one up more defensively.
    THANKS for your input; there exists a consensus, so that's what will
    be done (replace 4.8 with 5.x). Troy says Fermi (a great target for
    the miscreants/actors) runs stock BIND as it appears in
    RHEL/CentOS/SL, so, to be redundant, what is good enough for the
    national labs is good enough for us.
    Joe won't be happy with us, but we need to be pragmatic.
  • John R. Dennison at Feb 19, 2011 at 6:07 pm

    On Sat, Feb 19, 2011 at 04:37:57PM -0600, Larry Vaden wrote:
    THANKS for your input; there exists a consensus, so that's what will
    be done (replace 4.8 with 5.x). Troy says Fermi (a great target for
    the miscreants/actors) runs stock BIND as it appears in
    RHEL/CentOS/SL, so, to be redundant, what is good enough for the
    national labs is good enough for us.
    Joe won't be happy with us, but we need to be pragmatic.
    Just out of curiosity, have you ever thought about hiring a
    competent admin?





    John

    --
    Much of what looks like rudeness in hacker circles is not intended to give
    offense. Rather, it's the product of the direct, cut-through-the-bullshit
    communications style that is natural to people who are more concerned about
    solving problems than making others feel warm and fuzzy.

    http://www.tuxedo.org/~esr/faqs/smart-questions.html
    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: not available
    Type: application/pgp-signature
    Size: 189 bytes
    Desc: not available
    Url : http://lists.centos.org/pipermail/centos/attachments/20110219/969df4d4/attachment.bin
  • Larry Vaden at Feb 19, 2011 at 6:19 pm

    On Sat, Feb 19, 2011 at 5:07 PM, John R. Dennison wrote:
    ? ? ? ?Just out of curiosity, have you ever thought about hiring a
    ? ? ? ?competent admin?
    Yes.
  • Larry Vaden at Feb 19, 2011 at 1:51 am

    On Fri, Feb 18, 2011 at 7:39 PM, James Hogarth wrote:

    Joe, Randy and James are my mentors of 15, 5 and 5 years,
    respectively, and all said the same thing, namely "nuke and repave, be
    sure to be current on BIND" since it is a purpose-built box (ns1).
    Perhaps is it a difference in language and what you mean by mentor and
    where I would mean old colleague/peer who I have discussed this with.
    Wikipedia says "This is the source of the modern use of the word
    mentor: a trusted friend, counselor or teacher, usually a more
    experienced person." I am not their peer; they are my mentors. They
    have been invaluable over the 25 combined years of mentorship to this
    rural ISP.
    Remember that the version number you see on BIND is not always the
    equivalent of upstream due to backports. You should check the relevant
    RHEL errata, the package %changelog and CVE to get a better
    understanding of what exploits are known and what has been patched.
    Johnny has remarked on the importance of trust.

    My trust in RedHat went down when I learned they are not shipping all
    the SRPMs. Some say it is due to human error. If that is the case,
    why should I think they are better at backporting security fixes than
    at making sure a manifest of SRPMs is complete and correct?
  • James Hogarth at Feb 19, 2011 at 7:58 am

    Johnny has remarked on the importance of trust.

    My trust in RedHat went down when I learned they are not shipping all
    the SRPMs. ?Some say it is due to human error. ?If that is the case,
    why should I think they are better at backporting security fixes than
    at making sure a manifest of SRPMs is complete and correct?
    Larry seriously now that's enough.

    If you don't trust Redhat - great! go elsewhere!. IN fact pleas do
    since then you shouldn't be using centos and you can then leave this
    list alone.

    For the record an archive of all mails sent to the mailing list
    appears here... in this case in date order.

    http://lists.centos.org/pipermail/centos/2011-January/date.html

    To give you the benefit of the doubt I search there for your mail by
    subject and by the datestamp you allege.

    It is not there - ergo it never arrived at the list.
  • Larry Vaden at Feb 19, 2011 at 10:04 am

    On Sat, Feb 19, 2011 at 6:58 AM, James Hogarth wrote:
    For the record an archive of all mails sent to the mailing list
    appears here... in this case in date order.

    http://lists.centos.org/pipermail/centos/2011-January/date.html

    To give you the benefit of the doubt I search there for your mail by
    subject and by the datestamp you allege.

    It is not there - ergo it never arrived at the list.
    OR it was silently dropped ... only the list manager and others in the
    know would know if mail from former subscribers is silently dropped.
  • Eero Volotinen at Feb 19, 2011 at 8:39 am

    My trust in RedHat went down when I learned they are not shipping all
    the SRPMs. ?Some say it is due to human error. ?If that is the case,
    why should I think they are better at backporting security fixes than
    at making sure a manifest of SRPMs is complete and correct?
    Centos, SL and oracle enterprise linux are based on redhat.

    Maybe you should start paying for SLES?

    --
    Eero
  • Lamar Owen at Feb 19, 2011 at 10:57 am

    On Saturday, February 19, 2011 01:51:55 am Larry Vaden wrote:
    My trust in RedHat went down when I learned they are not shipping all
    the SRPMs. Some say it is due to human error. If that is the case,
    why should I think they are better at backporting security fixes than
    at making sure a manifest of SRPMs is complete and correct?
    To be fair to Red Hat, it might be different people doing the backporting than are responsible for the packaging. Might not, but might be.

    And for their purposes a missing build requirement package isn't really a bug, since it builds fine for them, and they get the patched package out to their customers. And their customers won't typically be rebuilding from source RPM. So, like in any other job, the less important tasks and issues go to the bottom of the list, while the more important 'get the deliverable to the customer' takes top spot.

    They have finite resources; they're going to use those finite resources frugally, and thus stay in business (which everybody using CentOS should want them to do).
  • Nico Kadel-Garcia at Feb 18, 2011 at 5:27 pm

    On Fri, Feb 18, 2011 at 4:15 PM, Always Learning wrote:
    From: Larry Vaden <vaden at texoma.net>
    Date: Sun, Jan 23, 2011 at 8:03 PM
    Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?
    Our site running Centos 4.8 and 5.5 name servers was hacked with
    the result that www.yahoo.com is now within our /19 and causing
    some grief.
    Don't understand what you mean by 'within our /19'. Have your IP ranges
    changed? ?If your Bind date is corrupt, why not re-install Centos and
    then restore the domains data from one of your regular backups?

    Is it a wise business decision to use C 4.8 instead of C 5 or the latest
    which is C 5.5 ?
    Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the
    search facility at centos.org. ?However, it is obvious from said
    searches that Mandriva upgraded last year.
    I believe C6 will include an updated Bind.
    It's also in RHEL 5.6, so I expect it in CentOs 5.6, from the SRPM
    bind97-9.7.0-6.P2.el5.src.rpm. Grab that one from your nearest RedHat
    SRPM repository, such mirrors.kernel.org/redhat/, if you're in a rush.
    An attempt to install bind-9.7.2-P3 from source yields the warning
    below the sig for both 4.8 and 5.5 machines.
    WARNING WARNING WARNING WARNING WARNING ..........

    Your OpenSSL crypto library may be vulnerable to .....
    one or more of the the following known security ....
    flaws:

    CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
    CVE-2006-2940.

    It is recommended that you upgrade to OpenSSL
    version 0.9.8d/0.9.7l (or greater).
    Well, on my C 5.5 desktop my OpenSSL is (yum info openssl)

    Name ? ? ? : openssl
    Arch ? ? ? : x86_64
    Version ? ?: 0.9.8e
    Release ? ?: 12.el5_5.7
    Size ? ? ? : 3.4 M

    The same version for i686.

    Larry, why can't you install the latest OpenSSL ?

    On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3)

    If you really need the latest Bind and can not wait about a month for C6
    why don't you use a different flavour of Linux? ?In business one can not
    be too sentimental and difficult decisions have to be made all the time.


    With best regards,

    Paul.
    England,
    EU.


    _______________________________________________
    CentOS mailing list
    CentOS at centos.org
    http://lists.centos.org/mailman/listinfo/centos
  • Lamar Owen at Feb 18, 2011 at 6:32 pm

    On Friday, February 18, 2011 04:15:28 pm Always Learning wrote:
    From: Larry Vaden <vaden at texoma.net>
    Our site running Centos 4.8 and 5.5 name servers was hacked with
    the result that www.yahoo.com is now within our /19 and causing
    some grief.
    Don't understand what you mean by 'within our /19'.
    I think I do; he's an ISP, and apparently someone inside his address block (the CIDR notation /19; his actual block is publicly found by doing a quick nslookup of his domain name, noting the IP address of the DNS server(s) listed, and then a whois of the IP address of the DNS server(s). His /19 shows up) has hacked in some way the zone file(s) or the cache for his nameserver so that his customers, who would ordinarily use his DNS server as their recursive resolver, now see www.yahoo.com (among who knows what others) as pointing to a different address, the one inside his /19 (which I hope he has tracked and duly removed in grand Texas style), for the purpose of phishing.

    Now whether this was done by actually hacking into his DNS server or by a cache poisoning attack or what, I don't know since those details Larry hasn't made public. And that's ok.

    A fully up-to-date C4 or C5 should be covered when it comes to those sorts of things, but to prevent such things I would recommend to Larry that he use the great iptables tools that CentOS provides, or use some other iptables configurator, or simple hosts.allow and hosts.deny, to restrict the addresses that can actually ssh into his server, and only allow port 53 UDP and TCP traffic into and out of his DNS servers to his cutsomers.

    If he has routers/switches with access lists I would apply those as a second layer of traffic filtering, going both ingress and egress relative to his DNS server. A DNS/BIND vulnerability alone won't kill you, other than the previously mentioned cache poisoning attacks (and those are mitigated with other well-known techniques); it's the TCP connection from the vulnerability shellcode back to the attacker's box that is the killer, and that's what the aggressive iptables/acls will do for you.

    Hmmm, the Bastille hardening script might help you, but I don't know that for sure. DNS servers should only serve DNS, and the only other connections in or out should be tightly controlled.

    Easier said than done, especially with limited staff and funds, I know, but still the best practice.

    I say that having had a DNS server hit, on May 1, 1998, with a BIND 4 vulnerability. Got a quick education on BIND best practices, even though it is sometimes is tempting to 'do it later....'
  • James Hogarth at Feb 18, 2011 at 6:41 pm

    I think I do; he's an ISP, and apparently someone inside his address block (the CIDR notation /19; his actual block is publicly found by doing a quick nslookup of his domain name, noting the IP address of the DNS server(s) listed, and then a whois of the IP address of the DNS server(s). ?His /19 shows up) has hacked in some way the zone file(s) or the cache for his nameserver so that his customers, who would ordinarily use his DNS server as their recursive resolver, now see www.yahoo.com (among who knows what others) as pointing to a different address, the one inside his /19 (which I hope he has tracked and duly removed in grand Texas style), for the purpose of phishing.

    Now whether this was done by actually hacking into his DNS server or by a cache poisoning attack or what, I don't know since those details Larry hasn't made public. ?And that's ok.
    That's what I assumed however given the vagueness I wasn't sure.

    At this time I'm unaware of any attacks on Bind within current Centos
    5 if it is a properly configured system (selinux enabled, bind chroot,
    iptables in place, etc) that would allow someone to mess with his zone
    files or other parts of bind.

    As such if there is such a critical vulnerability it would be nice to
    get details.... especially how he is so intent on blaming Redhat and
    Bind.... on the other hand if he has misconfigured systems it's his
    own fault and he should stop blaming Redhat/CentOS.

    If he is willing to discuss the details great!

    If he is not I would strongly suggest he stop spamming the mailing
    lists with nonsense.

    James
  • Always Learning at Feb 18, 2011 at 7:01 pm

    On Fri, 2011-02-18 at 18:32 -0500, Lamar Owen wrote:
    On Friday, February 18, 2011 04:15:28 pm Always Learning wrote:
    Don't understand what you mean by 'within our /19'.
    I think I do; he's an ISP, and apparently someone inside his address block
    ... has hacked in some way the zone file(s) or the cache for his
    nameserver so that his customers, who would ordinarily use his DNS
    server as their recursive resolver, now see www.yahoo.com (among who
    knows what others) as pointing to a different address ....
    Thank you for explaining Larry had his DNS servers hacked or poisoned.

    .... to prevent such things I would recommend to Larry that he use the
    great iptables tools that CentOS provides ...
    ... to restrict the addresses that can actually ssh into his server,
    and only allow port 53 UDP and TCP traffic into and out of his DNS
    servers to his customers.
    Agreed. IPtables is a very useful tool to block unauthorised accesses in
    and (heaven forbid) out of one's servers. Every server is screwed down
    to the barest minimum and every port that can be changed from its
    default is. No servers share the same non-standard port numbers. SSH
    access is limited to 3 static IP addresses. Aggressive blocking with
    IPtables can prevent a lot of time wasting aggro.

    I also ban some Chinese blocks and even more Taiwan blocks from port 80
    to reduce web hacking and lots of Taiwanese blocks from port 25.

    --

    With best regards,

    Paul.
    England,
    EU.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupcentos @
categoriescentos
postedFeb 18, '11 at 4:15p
activeFeb 19, '11 at 6:19p
posts19
users7
websitecentos.org
irc#centos

People

Translate

site design / logo © 2022 Grokbase