Custom HTTP Headers (nginx, WordPress)

If you have a website and you are not setting some custom HTTP headers, you may want to look into it. They are not set by default and help protect your site against a range of attacks.

To start with, go to https://securityheaders.io/ and scan your site. If you have none of these headers implemented your site will score very poorly. Don’t forget that with these headers we aren’t only protecting our site, but our site visitors as well.

The ones we are going to look at protect against cross-site scripting, malicious content and drive-by downloads, and stop your site from being viewed in an iframe. We will also stop the site advertising server and software details, for example the server build and PHP version. The reason for this is not covered here, but if you are interested you can go here and read this brilliant article by @Scott_Helme.

For today we will be concentrating on WordPress installed on a LEMP stack. First we need to back up our config, and then open our active config file (yours may be different depending on your setup). Also note that the Strict-Transport-Security header is for https sites only.

sudo nano /etc/nginx/sites-enabled/wordpress

Then in our http server block we add the following (if you are using https on your site, put the headers in both the http and https server blocks).

add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src yoursite.com";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
server_tokens off;

You can see the layout in the screenshot.

We save the changes, then run the following to test for typos.

sudo nginx -t

Then

sudo service nginx restart

Finally we change a setting in the php.ini file for our PHP version to disable the version broadcast.

sudo nano /etc/php5/fpm/php.ini

We need to change

expose_php = on

To

expose_php = off

Save and close the file and restart PHP-FPM

sudo service php5-fpm restart

To check all this is working correctly, go back to Security Headers and scan your site again. Your site’s rating should be significantly better.
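As an added example (not from the original post), here is a small shell check that does locally what the securityheaders.io scan does remotely: it reads a raw response header block, reports which of the five headers above are missing, flags a Strict-Transport-Security max-age shorter than the one-year value used above, and spots the version leaks that server_tokens off and expose_php = off are meant to remove. The two header dumps inside it are constructed for illustration; against a real site you would feed it the output of curl -sI as shown in the comment.

```shell
#!/bin/sh
# Added example, not the post's own script: check a raw HTTP response header
# block for the headers configured in the nginx snippet above and for
# Server/PHP version leaks. Live usage (curl -sI prints response headers only):
#   curl -sI https://yoursite.com | check_headers
# The BEFORE/AFTER header dumps below are constructed samples.

# Headers added in nginx above. HTTP header names are case-insensitive,
# so the checks use grep -i.
REQUIRED_HEADERS="X-Frame-Options Content-Security-Policy X-XSS-Protection X-Content-Type-Options Strict-Transport-Security"

# check_headers: reads response headers on stdin, prints one finding per line
# (MISSING / WEAK / LEAK) or a single OK line. Always returns 0.
check_headers() {
    hdrs=$(cat | tr -d '\r')
    problems=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
            echo "MISSING  $h"
            problems=$((problems + 1))
        fi
    done
    # HSTS only helps with a long max-age; the post uses one year (31536000 s).
    sts=$(printf '%s\n' "$hdrs" | grep -i '^Strict-Transport-Security:' || true)
    if [ -n "$sts" ]; then
        age=$(printf '%s\n' "$sts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
            echo "WEAK     Strict-Transport-Security max-age is below 31536000"
            problems=$((problems + 1))
        fi
    fi
    # "Server: nginx/1.x.y" means server_tokens is still on;
    # "X-Powered-By: PHP/x.y" means expose_php is still on.
    if printf '%s\n' "$hdrs" | grep -qi '^Server:.*/[0-9]'; then
        echo "LEAK     Server header shows a version (set server_tokens off)"
        problems=$((problems + 1))
    fi
    if printf '%s\n' "$hdrs" | grep -qi '^X-Powered-By:'; then
        echo "LEAK     X-Powered-By header present (set expose_php = off)"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then
        echo "OK       all header checks passed"
    fi
    return 0
}

# header_problem_count: number of findings for the headers on stdin.
header_problem_count() {
    check_headers | grep -cE '^(MISSING|WEAK|LEAK)' || true
}

# Constructed sample: a stock nginx + PHP-FPM response before the changes.
BEFORE_HEADERS="HTTP/1.1 200 OK
Server: nginx/1.10.3
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.6.40"

# Constructed sample: the same site after the nginx and php.ini changes.
AFTER_HEADERS="HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src yoursite.com
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains"

echo "--- before the changes:"
printf '%s\n' "$BEFORE_HEADERS" | check_headers
echo "--- after the changes:"
printf '%s\n' "$AFTER_HEADERS" | check_headers
```

Two caveats are worth knowing before you rely on the config above. First, nginx does not merge add_header across levels: if a location block (for example the one that passes .php files to PHP-FPM) contains its own add_header, it inherits none of the headers set in the enclosing server block, so check a few different URLs and not just the home page. Second, a Content-Security-Policy of only default-src yoursite.com also blocks inline scripts and styles, which WordPress themes and plugins use heavily; roll it out first as Content-Security-Policy-Report-Only, watch the browser console for violations, and only then switch to the enforcing header.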

Security Onion

I’ve been meaning to try this out for a while, but I get so carried away with Red Team fun that I neglect my Blue Team skills! I had heard a lot about Security Onion, so I set about setting up a server.

To get full functionality out of it you will need to set up a mirrored port on your switch or router to ensure you are seeing all the network traffic, but that won’t be covered here. The Security Onion machine needs 2 adapters: one for remote connections to administer it and to download updates from the internet etc., and a second monitoring adapter which connects to your mirrored port.

Initially I wanted to run Security Onion in Hyper-V, however after hours of banging my head against a brick wall I gave up and installed it on a physical machine.

The main issue is the way that Hyper-V uses its virtual switches in 2008 R2; it seems impossible to run one in full promiscuous mode. I tried numerous PowerShell scripts, but when checking in Wireshark there was still traffic missing. VirtualBox allows a real bridged connection to a NIC and is simple to configure for network monitoring; the fact that you can’t do this in Hyper-V infuriates me! If anyone knows how to do it please let me know, but in the end I got bored of fighting Hyper-V and installed on a physical machine.

The official guide is here:

I use Ubuntu quite a bit so wanted to install the Security Onion tools on one of my templated server images rather than download the ISO.

On an Ubuntu Server we clear the apt repository lists, and then update:

sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update

Then we add the stable repos, (Also found here) and update again.

sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update

You then need to configure MySQL to NOT prompt for a root password.

echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections

Now we can use apt to install the Security Onion Package.

sudo apt-get -y install securityonion-all syslog-ng-core

Before running setup we should have both network adapters connected.

Run setup for the first time

sudo sosetup

Follow the prompts and make sure you choose the correct interface when asked which one will be monitored.

Now restart

Before completing setup we need to check that we are seeing all traffic, so fire up Wireshark

sudo wireshark

Run a simple test like sending pings between machines on your network and make sure you can see them in Wireshark; if all is good then we can continue.

Now, if you haven’t already got one, go to snort.org and get an ‘oinkcode’, then run setup again

sudo sosetup

This time we can skip network configuration and select:

  1. Production Mode
  2. Standalone
  3. Custom
  4. Create a username and password
  5. Retain Logs ’30’
  6. Re-run database repair ‘7’
  7. IDS engine ‘Suricata’
  8. Select ‘Snort VRT Ruleset and Emerging Threats NoGPL Ruleset’ then paste in your oinkcode.
  9. PF_RING_slots ‘65534’
  10. Make sure the correct interface is selected for monitoring
  11. Enable the IDS engine ‘yes’
  12. If you are only monitoring one interface select ‘2’
  13. Add your internal network IP range/s
  14. Enable Bro ‘yes’
  15. Enable exe extraction ‘no’ (If you want to do this you can, I will test this further before implementing)
  16. Enable http_agent ‘no’ (As we will be using Bro’s http.log via ELSA)
  17. Disable Argus
  18. Disable Prads
  19. Enable full packet capture ‘yes’
  20. Pcap file size ‘150’
  21. PF_RING buffer size ‘512’
  22. The log purge threshold will purge your logs once this threshold is reached, so you need to choose this based on how long you want to retain logs for and how much storage you have available. I went with the default 90%.
  23. Enable ELSA ‘yes’
  24. ELSA storage, I left at default.
  25. Confirm your changes.

BOOM! After another restart you will be up and running; use the new shortcuts on the desktop to log in to ELSA, Squert and Sguil, and be prepared to be scared shitless by what you find!

If you want to enable remote access you need to run

sudo so-allow

This will run a script to help you set up remote access to the Security Onion server if you so wish.

You can also download and install OSSEC if you wish from here:

Check out the installation requirements for your system. In my case I needed to run:

apt-get install build-essential

Then download the latest tar from the OSSEC GitHub.

Then extract the tar.gz

tar -zxvf ossec-hids-*.tar.gz

Then go to the directory it was extracted into. In my case

cd Downloads/ossec-hids-*/

Then run the install

sudo ./install.sh

If you receive no errors then to start OSSEC run

sudo /var/ossec/bin/ossec-control start

Now start digging into all the flags on your network and look at how you can resolve them! I’ll be blogging my findings in the coming weeks. It’s scary shit if you have something important you’re trying to protect rather than just a witty cyber-blog! Good luck, you’re gonna need it.

Exchange 2016. New Install Issues.

Recently I did a test install of Exchange 2016 and ran into a few problems which drove me mad for a while as the issues and symptoms did not give any clue as to how they were eventually resolved!

I did a fresh install on a stand-alone Hyper-V virtual server with 4000 GB of static RAM, 4 processor cores and a 40GB VHD.

Microsoft recommends a minimum of 8GB for the mailbox role (see here), but I couldn’t believe it would actually need this much on a test server, and I’ve always used way less than the recommended amount for initial test installs as they will be under no stress at all.

The install seemed to go fine, all the prerequisites were installed by the downloaded media, and the server restarted. On trying to open the web panel I was continually told that there was a memory error, and to try again later. I ramped up the RAM 1GB at a time, but I couldn’t log in to the panel until the server had the full 8GB assigned.

After creating my first test mailbox whenever I tried to send an email I received the below error:

“You don’t have permission”? WTF! After going round and round in circles looking at user permissions, believing that I needed to assign user permissions, I found an obscure forum post which pointed me in the right direction. The solution was to remove the secondary DNS entry from the Exchange Server’s network adapter! After removing this and then restarting the server the error disappeared.

I was now able to log in and send emails internally and externally, however I was not able to receive emails, either internal or external. I wasn’t getting any bouncebacks which could have given me some information on what was going on; I double-checked my external DNS and MX records but all were correct.

In the end I used the Microsoft Connectivity Tool and this pointed out my issue immediately: the issue was disk space. Even though the Exchange server had only 1 mailbox and nothing else installed, 40GB wasn’t enough! I checked disk space and there was plenty of room, but after digging a bit deeper it turns out that Exchange needs a percentage of free disk space and so the VHD had to be expanded. Once this was increased I finally had a working Exchange Server. Hope this helps out someone else, as this drove me crazy for a few hours and the errors were not pointing me in the right direction.

More WordPress Issues

It seems barely a week goes by without having to resolve a WordPress issue. I needed to update to version 4.8, so I went to my update panel ready to use the “one click” update, but instead of opening the update page informing me that the site is in update mode it opened a blank page. After refreshing and returning to the update panel, I disabled all plugins and tried again; now whenever I clicked the update button I was greeted with a message telling me an update was in progress. I therefore left it, expecting that it would eventually complete.

However, 12 hours later WordPress was still not updated and clicking the update button gave the same message that an update was already in process! Restarting the server made no difference. A bit of googling led me to https://wordpress.stackexchange.com/questions/224989/get-rid-of-another-update-is-currently-in-progress, so I installed wp-cli using this guide https://www.sitepoint.com/wp-cli/ and tried in vain to carry out those steps. However, I was continually told by wp-cli that wp-config.php did not exist! I checked and this was not the case, so another brick wall! I had already wasted an hour by this point on what should have been a ten-minute job. Therefore I simply downloaded the latest WordPress version by running

wget http://wordpress.org/latest.tar.gz

then (from the same directory)

tar xzvf latest.tar.gz

then

sudo rsync -avP ~/wordpress/ /var/www/html/

As I had manually created the uploads directory, I had to reassign group ownership to allow me to upload content to that directory, using the following.

sudo chown -R :www-data /var/www/html/wp-content/uploads

Hey presto! We are now running on the latest version, with all existing plugins and content still working. (I double-checked by running wpscan from my Kali box just to be sure I was on the latest version.) Hope this helps someone else out. Don’t forget to back up before running these steps.
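The manual update above, as an added example rather than the post’s own commands, with the backup the post reminds you to take and a version check before and after. wp_version reads wp-includes/version.php, which is the file WordPress itself records its version in, so you can confirm the result without wpscan; update_from_tarball performs the same overwrite-in-place as the post’s rsync -avP step but uses cp -R so it runs without rsync installed; fix_uploads_group is the post’s chown step. The docroot, tarball and backup paths are arguments, and the sample values in the comments are the post’s.

```shell
#!/bin/sh
# Added example, not the post's own script: back up, update in place and verify
# the WordPress version. Paths are arguments; /var/www/html and latest.tar.gz
# in the comments are the values used in the post.

# wp_version DOCROOT: print the installed version from wp-includes/version.php,
# which contains a line such as   $wp_version = '4.8';
wp_version() {
    sed -n 's/^\$wp_version = .\([^;]*\).;.*/\1/p' "$1/wp-includes/version.php"
}

# backup_site DOCROOT DEST_DIR: archive the whole docroot into DEST_DIR and
# print the archive path. This covers files only; dump the database separately
# (for example with mysqldump) before an update.
backup_site() {
    docroot=$1
    dest=$2
    mkdir -p "$dest"
    archive="$dest/wordpress-$(wp_version "$docroot")-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C "$docroot" .
    echo "$archive"
}

# update_from_tarball DOCROOT TARBALL: extract latest.tar.gz into a temporary
# directory and copy its wordpress/ tree over the docroot. Like the post's
# rsync -avP, this overwrites core files and leaves files that exist only in
# the docroot (wp-config.php, wp-content/uploads, third-party plugins) alone.
update_from_tarball() {
    docroot=$1
    tarball=$2
    tmp=$(mktemp -d)
    tar -xzf "$tarball" -C "$tmp"
    cp -R "$tmp/wordpress/." "$docroot/"
    rm -rf "$tmp"
}

# fix_uploads_group DOCROOT [GROUP]: the post's chown step, so the web server
# (group www-data on Debian/Ubuntu) can still write to uploads after the copy.
fix_uploads_group() {
    chgrp -R "${2:-www-data}" "$1/wp-content/uploads"
}

# Run as: sh wp-update.sh /var/www/html latest.tar.gz ~/wp-backups
if [ "$#" -eq 3 ]; then
    echo "installed: $(wp_version "$1")"
    echo "backup:    $(backup_site "$1" "$3")"
    update_from_tarball "$1" "$2"
    fix_uploads_group "$1"
    echo "now:       $(wp_version "$1")"
fi
```

Because the copy only adds and overwrites, a core file that a newer release has removed stays behind in the docroot; that is the same behaviour as the rsync command above, and one reason the backup archive is worth keeping.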

Issues Migrating WordPress Sites

I recently had to change the internal IP range of my network and that included my WordPress hosting server. I thought that I could just update the database and config file and the site would work, wrong!! The home page would display but every page and link was broken and there was no formatting and the uploaded content no longer displayed. Also when trying to login the site was still trying to access the old url as I was accessing the site by IP as it was only a testing site. I never did manage to fix the error despite an hour of my time, in the end I just had to create the a new site on the new IP and then copy the content over.If anyone else has come across this and knows how to resolve it please let me know!