SFTP Server for Windows Server 2008 / Windows Server 2012

Those managing and supporting Windows-based web servers from the Linux world will be familiar with Secure FTP (SFTP), which provides file transfer over an SSH tunnel, generally on port 22. Windows Server 2008 R2 and Windows Server 2012 lack native SFTP support and only natively support FTP over SSL (FTPS), which is cumbersome to set up and lacks granular permission and log management.

A number of third-party open source and commercial Secure FTP solutions are available for Windows servers, including Cygwin, FileZilla, FTP Shell and IPSwitch.

The fastest and easiest solution to set up is Core FTP Server, which supports SSL/TLS (FTPS), SFTP (SSH2), HTTPS, and clear-text FTP modes. Core FTP can be set up in a matter of minutes and provides full SFTP support, including public/private key authentication.

For more information on Core FTP server click here.

Change your MAC address in BackTrack

When carrying out a network security audit it is important to change the MAC address (Media Access Control) of your auditing machine. Changing your MAC address will protect the identity of your machine on the network you are auditing as well as allow you to circumvent MAC filtering and restrictions in place.

BackTrack is my security distribution of choice and provides an easy way to re-configure your MAC address on the fly:

1. Open Terminal
2. Type: #ifconfig eth0 down

Note: eth0 can be replaced with any other local interface

3. Change your MAC address using the macchanger application:

#macchanger --mac 00:11:22:33:44:55 eth0

Alternatively use:

#macchanger -r eth0

This will set a ‘random’ MAC address on your interface.

4. Re-enable your network interface by typing:

#ifconfig eth0 up

5. Confirm the MAC address is in place by using: #ifconfig eth0 | grep HWaddr

China Blocking VPNs and Google

On Saturday, November 10th 2012 several news websites including Yahoo and TechInAsia announced that the Chinese government had blocked access to all of Google’s online services including the Google Search Engine, Gmail, Google Analytics, Google Docs, Google Drive, Google Maps and Google Play. In addition, a number of VPN providers began receiving notifications from their customers that they were no longer able to connect to internationally based VPN servers from within mainland China.

Through additional testing it became apparent that websites belonging to Facebook, Twitter, parts of Wikipedia and parts of Yahoo were also being blocked using DNS Poisoning. DNS Poisoning allows a firewall (or Internet provider) to inject invalid DNS entries into their DNS resolvers in order to null route or black hole traffic, essentially making the websites and services inaccessible. As of Monday, November 19th these websites remain blocked.

VPN providers are experiencing a number of different types of Chinese blocks including:

IP Blocks – IP addresses belonging to some VPN providers are being blocked by China’s perimeter firewalls. Several IPs are being null routed to non-existent systems within China. This effectively breaks the “route” between the client and the server.

DNS Blocks – A number of providers who utilize DNS based resolution for their VPN services are experiencing blocks caused by DNS Poisoning.

Connection Reset – Connections to VPN services (e.g. SSL VPN, PPTP, IPsec, L2TP) experience a “Connection Reset” while attempting to negotiate a link. This is likely caused by Deep Packet Inspection (DPI) systems and/or Intrusion Detection Systems (IDS) carrying out content inspection and blocking VPN traffic based on signatures and/or protocol detection. Most commercial and open source VPN technologies utilize a standard protocol, port and signature, so they are easily blocked.

TLS-AUTH, TLS-REMOTE Blocking – Several VPN services have customers experiencing connection failures during the Transport Layer Security (TLS) authentication validation process. Many VPN services use a TLS-AUTH or TLS-REMOTE

Hardening a Microsoft IIS Web Server

Here are some quick tips on how to harden a Microsoft IIS web server for production use:

1. Enable SSL

When possible, configure your web server and sites to utilize an SSL certificate. SSL will protect client-server communication. Instructions on how to configure SSL in IIS can be found at: http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

2. Disable Weak SSL and TLS Ciphers

Paste the following registry configuration into a text file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
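As an added check (example code written for this page, not part of the original post or of any Microsoft tooling): before importing a .reg file like the one above, it helps to parse it and confirm that every weak SCHANNEL cipher is explicitly set to Enabled=0, and to list the weak suites the file does not cover. The sample export below is constructed from the four keys shown in the post plus one extra RC4 key added here to show an explicitly enabled cipher; the list of weak cipher key names is an assumption of this example, not a setting the post states.

```python
import re

# Constructed sample: the export from the post, plus one extra key (RC4 128/128)
# added here with Enabled=0xffffffff to show an explicitly enabled cipher.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff
"""

# Registry path under which SCHANNEL cipher keys live (trailing backslash included).
CIPHERS_PREFIX = ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\"
                  "SecurityProviders\\SCHANNEL\\Ciphers\\")

# SCHANNEL cipher key names this example treats as weak and expects to see disabled.
# This list is an assumption of the example, not something the post specifies.
WEAK_CIPHERS = {
    "NULL", "DES 56/56",
    "RC2 40/128", "RC2 56/128", "RC2 128/128",
    "RC4 40/128", "RC4 56/128", "RC4 64/128", "RC4 128/128",
}


def parse_schannel_ciphers(reg_text):
    """Map each SCHANNEL cipher key in a .reg export to True (enabled), False (disabled)
    or None (key present but no "Enabled" value, so the Windows default applies)."""
    result = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(CIPHERS_PREFIX.lower()):
                current = path[len(CIPHERS_PREFIX):]
                result[current] = None
            else:
                current = None          # some other key; ignore its values
            continue
        m = re.match(r'"Enabled"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            # dword:00000000 disables the cipher; any non-zero value enables it
            result[current] = int(m.group(1), 16) != 0
    return result


def audit(reg_text):
    """Return (ciphers explicitly disabled, weak ciphers not explicitly disabled)."""
    ciphers = parse_schannel_ciphers(reg_text)
    disabled = sorted(c for c, enabled in ciphers.items() if enabled is False)
    uncovered = sorted(c for c in WEAK_CIPHERS if ciphers.get(c) is not False)
    return disabled, uncovered


if __name__ == "__main__":
    disabled, uncovered = audit(SAMPLE_REG)
    print("Disabled by this file:", disabled)
    print("Weak ciphers still not disabled:", uncovered)
```

Files exported by regedit are UTF-16 with a byte-order mark; open them with that encoding before passing the text to `audit`. The "uncovered" list is the set of additional keys the .reg file should gain before it is imported.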

Blocking Bit Torrent with IPTABLES

To block BitTorrent traffic with iptables on CentOS, edit /etc/sysconfig/iptables and include the following (RH-Firewall-1-INPUT is the default CentOS/RHEL chain for packets addressed to the host itself; bear in mind that short strings such as "torrent" and "announce" will also match unrelated traffic):

# Torrent ALGO Strings using Boyer-Moore
-A RH-Firewall-1-INPUT -m string --algo bm --string "BitTorrent" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "BitTorrent protocol" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "peer_id=" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string ".torrent" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "announce.php?passkey=" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "torrent" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "announce" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "info_hash" -j DROP
# The next three strings are Code Red / Nimda worm request patterns, not BitTorrent
-A RH-Firewall-1-INPUT -m string --algo bm --string "/default.ida?" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string ".exe?/c+dir" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string ".exe?/c_tftp" -j DROP

# Torrent Keys
-A RH-Firewall-1-INPUT -m string --string "peer_id" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "BitTorrent" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "BitTorrent protocol" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "bittorrent-announce" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "announce.php?passkey=" --algo kmp -j DROP

# Distributed Hash Table (DHT) Keywords
-A RH-Firewall-1-INPUT -m string --string "find_node" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "info_hash" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "get_peers" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "announce" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "announce_peers" --algo kmp -j DROP
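To see what the string rules above actually catch, and where the broad strings overmatch, here is an added example (written for this page, not code from the post) that applies the same substring signatures, in rule order, to a handful of constructed packet payloads: a BitTorrent handshake, a tracker GET, a DHT get_peers query, an ordinary HTTP response, a Code Red style probe and an SSH banner. The payloads and the helper names are constructed for the example; the signature list mirrors the rules in the post. Like the iptables string match, it inspects one packet at a time and is case-sensitive, so a signature split across two TCP segments is not seen.

```python
# Signatures from the iptables rules above, in rule order. With -j DROP the first
# rule that matches ends evaluation, so the first hit is the one that drops the packet.
SIGNATURES = [
    "BitTorrent",
    "BitTorrent protocol",      # peer wire protocol handshake
    "peer_id=",                 # tracker announce parameter
    ".torrent",
    "announce.php?passkey=",
    "torrent",                  # broad: any lowercase "torrent" in any payload
    "announce",                 # broad: ordinary English text matches too
    "info_hash",                # tracker announce and DHT get_peers
    "/default.ida?",            # Code Red worm probe, not BitTorrent
    ".exe?/c+dir",              # Nimda-style cmd.exe probe, not BitTorrent
    ".exe?/c_tftp",
    "find_node",                # DHT (KRPC) queries
    "get_peers",
    "announce_peers",
]

# Constructed sample payloads (single packets, application data only).
SAMPLE_PAYLOADS = {
    "bt_handshake": (b"\x13BitTorrent protocol" + b"\x00" * 8   # pstr + reserved
                     + b"\x00" * 20                               # info_hash (zeroed)
                     + b"-UT3300-000000000000"),                  # 20-byte peer id
    "tracker_get": (b"GET /announce.php?passkey=abc123&info_hash=%12%34"
                    b"&peer_id=-UT3300-000000000000 HTTP/1.1\r\n"),
    "dht_get_peers": (b"d1:ad2:id20:" + b"\x00" * 20 + b"9:info_hash20:" + b"\x00" * 20
                      + b"e1:q9:get_peers1:t2:aa1:y1:qe"),
    "news_article": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b"<p>The company will announce its results on Monday.</p>"),
    "code_red_probe": b"GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_5.3\r\n",
}


def match_string_rules(payload, signatures=SIGNATURES):
    """Return every signature found in the payload, in rule order.
    Case-sensitive byte search, like xt_string without --icase."""
    return [s for s in signatures if s.encode() in payload]


def first_dropping_rule(payload, signatures=SIGNATURES):
    """Signature of the rule that would DROP this packet, or None if it passes."""
    hits = match_string_rules(payload, signatures)
    return hits[0] if hits else None


def classify(payloads=SAMPLE_PAYLOADS):
    """Map each sample name to the list of matching signatures."""
    return {name: match_string_rules(data) for name, data in payloads.items()}


if __name__ == "__main__":
    for name, hits in classify().items():
        verdict = "DROP by %r" % hits[0] if hits else "ACCEPT"
        print("%-15s %-22s %s" % (name, verdict, hits))
```

The "news_article" payload is dropped by the bare "announce" rule even though it carries no BitTorrent traffic, which is the cost of the two short strings; the worm-pattern rules never fire on torrent traffic at all and belong in a separate section of the rule set.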

For more information regarding IPTABLES options visit http://linux.die.net/man/8/iptables.