CentOS - Feb 2011 - BInd Problem or Update SSL ?

> From: Larry Vaden <vaden at texoma.net>
> Date: Sun, Jan 23, 2011 at 8:03 PM
> Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?
> Our site running Centos 4.8 and 5.5 name servers was hacked with
> the result that www.yahoo.com is now within our /19 and causing
> some grief.
Don't understand what you mean by 'within our /19'. Have your IP
ranges
changed?  If your Bind date is corrupt, why not re-install Centos and
then restore the domains data from one of your regular backups?

Is it a wise business decision to use C 4.8 instead of C 5 or the latest
which is C 5.5 ?
> Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the
> search facility at centos.org.  However, it is obvious from said
> searches that Mandriva upgraded last year.
I believe C6 will include an updated Bind.
> An attempt to install bind-9.7.2-P3 from source yields the warning
> below the sig for both 4.8 and 5.5 machines.
> WARNING WARNING WARNING WARNING WARNING ..........
>
> Your OpenSSL crypto library may be vulnerable to .....
> one or more of the the following known security ....
> flaws:
>
> CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and 
> CVE-2006-2940.
>
> It is recommended that you upgrade to OpenSSL
> version 0.9.8d/0.9.7l (or greater).
Well, on my C 5.5 desktop my OpenSSL is (yum info openssl)

Name       : openssl
Arch       : x86_64
Version    : 0.9.8e
Release    : 12.el5_5.7
Size       : 3.4 M

The same version for i686.

Larry, why can't you install the latest OpenSSL ?

On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3)

If you really need the latest Bind and can not wait about a month for C6
why don't you use a different flavour of Linux?  In business one can not
be too sentimental and difficult decisions have to be made all the time.


With best regards,

Paul.
England,
EU.

On Fri, Feb 18, 2011 at 3:15 PM, Always Learning <centos at g7.u22.net>
wrote:
> Don't understand what you mean by 'within our /19'. Have your
IP ranges
> changed? ?If your Bind date is corrupt, why not re-install Centos and
> then restore the domains data from one of your regular backups?
Our network consists of aaa.bbb.ccc.0/19.  That's CIDR notation for
8,192 addresses.
> Is it a wise business decision to use C 4.8 instead of C 5 or the latest
> which is C 5.5 ?
IMHO, fully updated purpose-built servers running 4.8 should have more
or less the same vulnerablity profile as 5.5 IFF RH is doing a good
job of backporting security fixes.

I am supported in that statement by my mentor at FedEx but NOT by my
mentor at Internet2.

The open ?s about human error wrt the SRPMs in SL6 could arguably lead
to a different conclusion.

> I believe C6 will include an updated Bind.
Yes, it will be based on a later release.
> Larry, why can't you install the latest OpenSSL ?
We installed openssl-1.0.0c Jan 23 20:30 27 minutes after filing the
original post IIRC.

kind regards/ldv/vaden at texoma.net

On Fri, Feb 18, 2011 at 4:15 PM, Always Learning <centos at g7.u22.net>
wrote:
>> From: Larry Vaden <vaden at texoma.net>
>> Date: Sun, Jan 23, 2011 at 8:03 PM
>> Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?
>
>
>> Our site running Centos 4.8 and 5.5 name servers was hacked with
>> the result that www.yahoo.com is now within our /19 and causing
>> some grief.
>
> Don't understand what you mean by 'within our /19'. Have your
IP ranges
> changed? ?If your Bind date is corrupt, why not re-install Centos and
> then restore the domains data from one of your regular backups?
>
> Is it a wise business decision to use C 4.8 instead of C 5 or the latest
> which is C 5.5 ?
>
>> Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the
>> search facility at centos.org. ?However, it is obvious from said
>> searches that Mandriva upgraded last year.
>
> I believe C6 will include an updated Bind.
It's also in RHEL 5.6, so I expect it in CentOs 5.6, from the SRPM
bind97-9.7.0-6.P2.el5.src.rpm. Grab that one from your nearest RedHat
SRPM repository, such mirrors.kernel.org/redhat/, if you're in a rush.
>> An attempt to install bind-9.7.2-P3 from source yields the warning
>> below the sig for both 4.8 and 5.5 machines.
>
>> WARNING WARNING WARNING WARNING WARNING ..........
>>
>> Your OpenSSL crypto library may be vulnerable to .....
>> one or more of the the following known security ....
>> flaws:
>>
>> CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
>> CVE-2006-2940.
>>
>> It is recommended that you upgrade to OpenSSL
>> version 0.9.8d/0.9.7l (or greater).
>
> Well, on my C 5.5 desktop my OpenSSL is (yum info openssl)
>
> Name ? ? ? : openssl
> Arch ? ? ? : x86_64
> Version ? ?: 0.9.8e
> Release ? ?: 12.el5_5.7
> Size ? ? ? : 3.4 M
>
> The same version for i686.
>
> Larry, why can't you install the latest OpenSSL ?
>
> On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3)
>
> If you really need the latest Bind and can not wait about a month for C6
> why don't you use a different flavour of Linux? ?In business one can
not
> be too sentimental and difficult decisions have to be made all the time.
>
>
> With best regards,
>
> Paul.
> England,
> EU.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

On Friday, February 18, 2011 04:15:28 pm Always Learning
wrote:
> > From: Larry Vaden <vaden at texoma.net>
> > Our site running Centos 4.8 and 5.5 name servers was hacked with
> > the result that www.yahoo.com is now within our /19 and causing
> > some grief.
> 
> Don't understand what you mean by 'within our /19'. 
I think I do; he's an ISP, and apparently someone inside his address block
(the CIDR notation /19; his actual block is publicly found by doing a quick
nslookup of his domain name, noting the IP address of the DNS server(s) listed,
and then a whois of the IP address of the DNS server(s).  His /19 shows up) has
hacked in some way the zone file(s) or the cache for his nameserver so that his
customers, who would ordinarily use his DNS server as their recursive resolver,
now see www.yahoo.com (among who knows what others) as pointing to a different
address, the one inside his /19 (which I hope he has tracked and duly removed in
grand Texas style), for the purpose of phishing.

Now whether this was done by actually hacking into his DNS server or by a cache
poisoning attack or what, I don't know since those details Larry hasn't
made public.  And that's ok.

A fully up-to-date C4 or C5 should be covered when it comes to those sorts of
things, but to prevent such things I would recommend to Larry that he use the
great iptables tools that CentOS provides, or use some other iptables
configurator, or simple hosts.allow and hosts.deny, to restrict the addresses
that can actually ssh into his server, and only allow port 53 UDP and TCP
traffic into and out of his DNS servers to his cutsomers.

If he has routers/switches with access lists I would apply those as a second
layer of traffic filtering, going both ingress and egress relative to his DNS
server.  A DNS/BIND vulnerability alone won't kill you, other than the
previously mentioned cache poisoning attacks (and those are mitigated with other
well-known techniques); it's the TCP connection from the vulnerability
shellcode back to the attacker's box that is the killer, and that's what
the aggressive iptables/acls will do for you.

Hmmm, the Bastille hardening script might help you, but I don't know that
for sure.  DNS servers should only serve DNS, and the only other connections in
or out should be tightly controlled.

Easier said than done, especially with limited staff and funds, I know, but
still the best practice.

I say that having had a DNS server hit, on May 1, 1998, with a BIND 4
vulnerability.  Got a quick education on BIND best practices, even though it is
sometimes is tempting to 'do it later....'

On Saturday, February 19, 2011 12:57:40 am Larry Vaden
wrote:
>  Through this experience,
> starting with a hacked or poisoned name server, or, quite frankly, the
> perception of one, I have learned what people really see.
Having a server hacked is one of the worst things that can happen in IT; not of
course as bad as a real heart attack, for sure.

Having a server hacked puts you in a wierd mindset, most certainly.

If your server was really hacked, I'd start from scratch, and set the new
one up more defensively.

On Saturday, February 19, 2011 01:51:55 am Larry Vaden
wrote:
> My trust in RedHat went down when I learned they are not shipping all
> the SRPMs.  Some say it is due to human error.  If that is the case,
> why should I think they are better at backporting security fixes than
> at making sure a manifest of SRPMs is complete and correct?
To be fair to Red Hat, it might be different people doing the backporting than
are responsible for the packaging.  Might not, but might be.

And for their purposes a missing build requirement package isn't really a
bug, since it builds fine for them, and they get the patched package out to
their customers.  And their customers won't typically be rebuilding from
source RPM.  So, like in any other job, the less important tasks and issues go
to the bottom of the list, while the more important 'get the deliverable to
the customer' takes top spot.

They have finite resources; they're going to use those finite resources
frugally, and thus stay in business (which everybody using CentOS should want
them to do).