> From: Larry Vaden <vaden at texoma.net> > Date: Sun, Jan 23, 2011 at 8:03 PM > Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?> Our site running Centos 4.8 and 5.5 name servers was hacked with > the result that www.yahoo.com is now within our /19 and causing > some grief.Don't understand what you mean by 'within our /19'. Have your IP ranges changed? If your Bind date is corrupt, why not re-install Centos and then restore the domains data from one of your regular backups? Is it a wise business decision to use C 4.8 instead of C 5 or the latest which is C 5.5 ?> Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the > search facility at centos.org. However, it is obvious from said > searches that Mandriva upgraded last year.I believe C6 will include an updated Bind.> An attempt to install bind-9.7.2-P3 from source yields the warning > below the sig for both 4.8 and 5.5 machines.> WARNING WARNING WARNING WARNING WARNING .......... > > Your OpenSSL crypto library may be vulnerable to ..... > one or more of the the following known security .... > flaws: > > CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and > CVE-2006-2940. > > It is recommended that you upgrade to OpenSSL > version 0.9.8d/0.9.7l (or greater).Well, on my C 5.5 desktop my OpenSSL is (yum info openssl) Name : openssl Arch : x86_64 Version : 0.9.8e Release : 12.el5_5.7 Size : 3.4 M The same version for i686. Larry, why can't you install the latest OpenSSL ? On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3) If you really need the latest Bind and can not wait about a month for C6 why don't you use a different flavour of Linux? In business one can not be too sentimental and difficult decisions have to be made all the time. With best regards, Paul. England, EU.
On Fri, Feb 18, 2011 at 3:15 PM, Always Learning <centos at g7.u22.net> wrote:> Don't understand what you mean by 'within our /19'. Have your IP ranges > changed? ?If your Bind date is corrupt, why not re-install Centos and > then restore the domains data from one of your regular backups?Our network consists of aaa.bbb.ccc.0/19. That's CIDR notation for 8,192 addresses.> Is it a wise business decision to use C 4.8 instead of C 5 or the latest > which is C 5.5 ?IMHO, fully updated purpose-built servers running 4.8 should have more or less the same vulnerablity profile as 5.5 IFF RH is doing a good job of backporting security fixes. I am supported in that statement by my mentor at FedEx but NOT by my mentor at Internet2. The open ?s about human error wrt the SRPMs in SL6 could arguably lead to a different conclusion.> I believe C6 will include an updated Bind.Yes, it will be based on a later release.> Larry, why can't you install the latest OpenSSL ?We installed openssl-1.0.0c Jan 23 20:30 27 minutes after filing the original post IIRC. kind regards/ldv/vaden at texoma.net
On Fri, Feb 18, 2011 at 4:15 PM, Always Learning <centos at g7.u22.net> wrote:>> From: Larry Vaden <vaden at texoma.net> >> Date: Sun, Jan 23, 2011 at 8:03 PM >> Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5? > > >> Our site running Centos 4.8 and 5.5 name servers was hacked with >> the result that www.yahoo.com is now within our /19 and causing >> some grief. > > Don't understand what you mean by 'within our /19'. Have your IP ranges > changed? ?If your Bind date is corrupt, why not re-install Centos and > then restore the domains data from one of your regular backups? > > Is it a wise business decision to use C 4.8 instead of C 5 or the latest > which is C 5.5 ? > >> Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the >> search facility at centos.org. ?However, it is obvious from said >> searches that Mandriva upgraded last year. > > I believe C6 will include an updated Bind.It's also in RHEL 5.6, so I expect it in CentOs 5.6, from the SRPM bind97-9.7.0-6.P2.el5.src.rpm. Grab that one from your nearest RedHat SRPM repository, such mirrors.kernel.org/redhat/, if you're in a rush.>> An attempt to install bind-9.7.2-P3 from source yields the warning >> below the sig for both 4.8 and 5.5 machines. > >> WARNING WARNING WARNING WARNING WARNING .......... >> >> Your OpenSSL crypto library may be vulnerable to ..... >> one or more of the the following known security .... >> flaws: >> >> CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and >> CVE-2006-2940. >> >> It is recommended that you upgrade to OpenSSL >> version 0.9.8d/0.9.7l (or greater). > > Well, on my C 5.5 desktop my OpenSSL is (yum info openssl) > > Name ? ? ? : openssl > Arch ? ? ? : x86_64 > Version ? ?: 0.9.8e > Release ? ?: 12.el5_5.7 > Size ? ? ? : 3.4 M > > The same version for i686. > > Larry, why can't you install the latest OpenSSL ? > > On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3) > > If you really need the latest Bind and can not wait about a month for C6 > why don't you use a different flavour of Linux? ?In business one can not > be too sentimental and difficult decisions have to be made all the time. > > > With best regards, > > Paul. > England, > EU. > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >
On Friday, February 18, 2011 04:15:28 pm Always Learning wrote:> > From: Larry Vaden <vaden at texoma.net> > > Our site running Centos 4.8 and 5.5 name servers was hacked with > > the result that www.yahoo.com is now within our /19 and causing > > some grief. > > Don't understand what you mean by 'within our /19'.I think I do; he's an ISP, and apparently someone inside his address block (the CIDR notation /19; his actual block is publicly found by doing a quick nslookup of his domain name, noting the IP address of the DNS server(s) listed, and then a whois of the IP address of the DNS server(s). His /19 shows up) has hacked in some way the zone file(s) or the cache for his nameserver so that his customers, who would ordinarily use his DNS server as their recursive resolver, now see www.yahoo.com (among who knows what others) as pointing to a different address, the one inside his /19 (which I hope he has tracked and duly removed in grand Texas style), for the purpose of phishing. Now whether this was done by actually hacking into his DNS server or by a cache poisoning attack or what, I don't know since those details Larry hasn't made public. And that's ok. A fully up-to-date C4 or C5 should be covered when it comes to those sorts of things, but to prevent such things I would recommend to Larry that he use the great iptables tools that CentOS provides, or use some other iptables configurator, or simple hosts.allow and hosts.deny, to restrict the addresses that can actually ssh into his server, and only allow port 53 UDP and TCP traffic into and out of his DNS servers to his cutsomers. If he has routers/switches with access lists I would apply those as a second layer of traffic filtering, going both ingress and egress relative to his DNS server. A DNS/BIND vulnerability alone won't kill you, other than the previously mentioned cache poisoning attacks (and those are mitigated with other well-known techniques); it's the TCP connection from the vulnerability shellcode back to the attacker's box that is the killer, and that's what the aggressive iptables/acls will do for you. Hmmm, the Bastille hardening script might help you, but I don't know that for sure. DNS servers should only serve DNS, and the only other connections in or out should be tightly controlled. Easier said than done, especially with limited staff and funds, I know, but still the best practice. I say that having had a DNS server hit, on May 1, 1998, with a BIND 4 vulnerability. Got a quick education on BIND best practices, even though it is sometimes is tempting to 'do it later....'
On Saturday, February 19, 2011 12:57:40 am Larry Vaden wrote:> Through this experience, > starting with a hacked or poisoned name server, or, quite frankly, the > perception of one, I have learned what people really see.Having a server hacked is one of the worst things that can happen in IT; not of course as bad as a real heart attack, for sure. Having a server hacked puts you in a wierd mindset, most certainly. If your server was really hacked, I'd start from scratch, and set the new one up more defensively.
On Saturday, February 19, 2011 01:51:55 am Larry Vaden wrote:> My trust in RedHat went down when I learned they are not shipping all > the SRPMs. Some say it is due to human error. If that is the case, > why should I think they are better at backporting security fixes than > at making sure a manifest of SRPMs is complete and correct?To be fair to Red Hat, it might be different people doing the backporting than are responsible for the packaging. Might not, but might be. And for their purposes a missing build requirement package isn't really a bug, since it builds fine for them, and they get the patched package out to their customers. And their customers won't typically be rebuilding from source RPM. So, like in any other job, the less important tasks and issues go to the bottom of the list, while the more important 'get the deliverable to the customer' takes top spot. They have finite resources; they're going to use those finite resources frugally, and thus stay in business (which everybody using CentOS should want them to do).
Reasonably Related Threads
- We haven't had a lot of demand for Fedora...people seem okay with CentOS!
- ACHTUNG: wrt CentALT repo
- deliver(redacted): Mar 08 10:13:03 Fatal: postmaster_address setting not given
- request for a learning moment
- RECALL: http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued