Setting up the network, (network cards) Ubuntu interfaces. Safe surfing in Ubuntu Insecure login x window ubuntu

There is a general belief that if one switches to using a Linux distribution, such as Ubuntu on a desktop computer, then security issues will resolve themselves. Unfortunately, this does not happen in reality. Like any operating system today, Ubuntu also has potential targets for exploits. Buffer overflow, stack overflow, dirty code, user errors - and this is an incomplete list of threats that could be continued. To counter these and other possible threats, I'll show you how to simple steps, which will ensure you use smart strategies to run Ubuntu safely.

Anti-virus protection?

Protection from malicious software?

• Making it easy to write SSH and SFTP scripts using Python
• Firefox + Greasemonkey Turbocharge e-commerce site from the client side
• Linux Command Line Interface for Beginners, or, Don't Be Afraid of the Linux Command Line!
• Graphical remote computer management for Linux, part 3

Firewall protection options

OpenVPN and OpenSSH

Strengthening Remote and Local Security

Securing your Ubuntu computer for local use

Ubuntu is only as secure as you make it

Hello everyone... All novice administrators under Ubuntu have the task of setting up network interfaces (networks, network cards) In this article I will show you how to do this... It is done very simply...

If somehow you missed setting up the network or saw difficulty in installing the distribution, then now we will do it manually. And so we have the distribution installed and is waiting for us in assault... We need to configure 2 network cards..... One of us faces the provider and the other faces local network. Let’s agree right away and designate our interfaces and addresses.

eth0— 192.168.0.1 (let’s say this is the address issued by the provider) Interface that looks at the Internet (provider)
eth1— 10.0.0.1 (the address that we want to give to this interface) The interface facing the local network

First of all, let's check which interfaces we have already launched with the command ifconfig You will see something like this (only with your data instead of xxxxx)

Eth0 Link encap:Ethernet HWaddr хх:хх:хх:хх:хх:хх inet addr:xxx.xxx.xxx.xxx Bcast:xxx.xxx.xxxx.xxx Mask:255.255.255.252 inet6 addr: xxx::xxx:xxx :xxx:xxxx/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:31694097 errors:0 dropped:0 overruns:0 frame:0 TX packets:15166512 errors:0 dropped:0 overruns:0 carrier: 0 collisions: 0 txqueulen: 100 rx bytes: 2215593127 (2.2 GB) TX Bytes: 1577680249 (1.5 GB) Memory: B8820000-B8840000 ETH1 Link ENCAP: Ethernet Hwaddr: XX: XX: XX: XX: XX ENT A DDR: 10.0. 0.1 Bcast:10.0.0.255 Mask:255.255.255.0 inet6 xxxx: xxxx::xxxx:xxxf:xxx:xxx/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:11352041 errors:0 dropped:0 overruns :0 frame:0 TX packets:21539638 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:1262641422 (1.2 GB) TX bytes:1922838889 (1.9 GB) Memory:b8800000-b8820000 lo Link encap:Local loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:3823 errors:0 dropped:0 overruns: 0 frame:0 TX packets:3823 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:717663 (717.6 KB) TX bytes:717663 (717.6 KB)

If one of the interfaces does not display, then it’s okay. It's just disabled, let's turn it on with the command sudo ifconfig eth1 up(instead of eth1, type your interface, if you have 2 network cards, then there are only 2 interfaces: eth0 and eth1) And so we enable our interface:

And so let's start setting up.

Let's assign the eth0 interface the IP address issued by the provider with the following command:

And specify the network mask:

Settings made in this way are reset after the server is rebooted.
To prevent this from happening, you need to change the settings in the network interfaces configuration file. For this you need Root rights. Let's get the rights Root with the following command:

The network interfaces configuration file is located at /etc/network/interfaces To edit it we use the Nano editor (you can use your own editor) I like it Nano

We see the following:

It is necessary to reduce it to the following form

Save the changes by pressing Ctrl + O and exit by pressing Ctrl + X

DNS server addresses can be set in the /etc/network/interfaces file, but DNS server addresses in Ubuntu are managed through the /etc/resolv.conf file; for me it looks like this:

Let's configure DNS; to do this, enter the following command in the line:

Sudo nano /etc/resolv.conf # IP addresses of your provider's DNS servers nameserver хх.ххх.ххх.ххх nameserver ххх.ххх.хх.ххх

Let's save Ctrl + O and we go out Ctrl +x you also need to reboot the network with the following command.

We all know that the operating room Linux system much safer than Windows thanks to its architecture and a special system for distributing access between users. But programmers are people too, no matter how much we like it, they also make mistakes. And because of these errors, holes appear in the system through which attackers can bypass security systems.

These errors are called vulnerabilities; they can occur in various programs and even in the very core of the system, undermining its security. In recent years, the popularity of Linux has begun to grow and security researchers are paying more attention to this system. More and more vulnerabilities are being discovered, and thanks to open source code it turns out to eliminate them very quickly. In this article we will look at the most dangerous Linux vulnerabilities that have been discovered over the past few years.

Before moving on to the list of vulnerabilities, it is important to understand what they are and what they are. As I said, a vulnerability is a bug in a program that allows a user to use the program in a way that was not intended by its developer.

This may be a lack of checking for the correctness of the received data, checking the data source and, most interestingly, the size of the data. The most dangerous vulnerabilities are those that allow the execution of arbitrary code. IN random access memory all data has a certain size and the program is designed to write data from the user of a certain size into memory. If the user passes more data, it should throw an error.

But if the programmer makes a mistake, the data will overwrite the program code and the processor will try to execute it, thus creating buffer overflow vulnerabilities.

Also, all vulnerabilities can be divided into local ones, which only work if the hacker has access to local computer and remote, when access via the Internet is sufficient. Now let's move on to the list of vulnerabilities.

1.Dirty COW

The first on our list will be a fresh vulnerability that was discovered this fall. The name Dirty COW stands for Copy on Write. An error occurs in the file system during copy-on-write. This is a local vulnerability that allows any unprivileged user to gain full access to the system.

In short, to exploit the vulnerability you need two files, one is writable only on behalf of the superuser, the second for us. We begin to write data to our file many times and read from the superuser file, through certain time there will come a time when the buffers of both files are mixed and the user will be able to write data to a file that he cannot write, thus giving himself root rights in the system.

The vulnerability was in the kernel for about 10 years, but after discovery it was quickly fixed, although there are still millions of Andoid devices in which the kernel has not been updated and does not think, and where this vulnerability can be exploited. The vulnerability code was CVE-2016-5195.

2. Glibc vulnerability

The vulnerability code was CVE-2015-7547. This has been one of the most talked about vulnerabilities among open source projects. In February 2016, it was discovered that the Glibc library has a very serious vulnerability that allows an attacker to execute his code on a remote system.

It is important to note that Glibc is an implementation of the standard C and C++ library, which is used in most Linux programs, including services and programming languages ​​such as PHP, Python, Perl.

An error was made in the response parsing code DNS servers. Thus, the vulnerability could be exploited by hackers whose DNS was accessed by vulnerable machines, as well as by those performing a MITM attack. But the vulnerability gave complete control over the system

The vulnerability has been in the library since 2008, but after discovery, patches were released fairly quickly.

3.Heartbleed

In 2014, one of the most serious vulnerabilities in terms of scale and consequences was discovered. It was caused by a bug in the heartdead module of the OpenSSL program, hence the name Heartbleed. The vulnerability allowed attackers to gain direct access to 64 kilobytes of server RAM; the attack could be repeated until all memory was read.

Even though the fix was released very quickly, many sites and applications were affected. In fact, all sites that used HTTPS to secure traffic were vulnerable. Attackers could obtain user passwords, their personal data, and everything that was in memory at the time of the attack. The vulnerability code was CVE-2014-0160.

4.Stagefright

If a vulnerability has received a code name, this clearly means that it deserves attention. The Stagerfight vulnerability is no exception. True, this is not really a Linux problem. Stagefright is a processing library multimedia formats in Android.

It is implemented in C++, which means it bypasses all Java security mechanisms. In 2015, a whole group of vulnerabilities were discovered that made it possible to remotely execute arbitrary code on the system. Here they are: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829.

All an attacker had to do was send an MMS to a vulnerable smartphone with a specially modified media file, and he would gain full control over the device with the ability to write and read data from a memory card. The vulnerability was fixed by Android developers but millions of devices still remain vulnerable.

5. Kernel zero-day vulnerability

This is a local vulnerability that allows the current user to be elevated to root due to an error in the system for working with kernel cryptographic data stored in memory. It was discovered in February 2016 and covered all kernels starting from 3.8, which means that the vulnerability existed for 4 years.

The bug could have been used by hackers or malware to increase their power in the system, but was fixed very quickly.

6. Vulnerability in MySQL

This vulnerability received the code CVE-2016-6662 and affected all available versions of the database server MySQL data(5.7.15, 5.6.33 and 5.5.52), Oracle databases and MariaDB and PerconaDB clones.

Attackers could gain full access to the system through SQL query code was transmitted that allowed you to replace my.conf with your version and reboot the server. It was also possible to execute malicious code with superuser rights.

MariaDB and PerconaDB solutions released patches quite quickly, Oracle responded, but much later.

7.Shellshock

This vulnerability was discovered in 2014 before lasting 22 years. It was assigned CVE-2014-6271 and codenamed Shellshock. This vulnerability is comparable in danger to Heartbleed, which we already know. It is caused by a bug in the Bash command interpreter, which is used by default in most Linux distributions.

Bash allows you to declare environment variables without user authentication, but together you can execute any command in them. This is particularly dangerous in CGI scripts, which are supported by most sites. Not only servers are vulnerable, but also personal computers users, routers and other devices. In fact, an attacker can execute any command remotely, this is a full-fledged remote control without authentication.

All versions of Bash were affected, including 4.3, although after the problem was discovered, the developers quickly released a fix.

8. Quadrooter

This is a whole series of vulnerabilities in Android, which was discovered in August 2016. They received codes CVE-2016-5340, CVE-2016-2059, CVE-2016-2504, CVE-2016-2503. More than 900 million are affected by the error Android devices. All vulnerabilities were found in the ARM driver Qualcomm processor and all of them can be used for getting root access to the device.

Like DirtyCOW, you don’t need any permissions here, just install a malicious application and it will be able to obtain all your data and transfer it to the attacker.

9. Vulnerability in OpenJDK

This is a very serious Linux 2016 vulnerability in the OpenJDK Java machine with code CVE-2016-0636, it affects all users running Oracle Java SE 7 Update 97 and 8 Update 73 and 74 for Windows, Solaris, Linux and Mac OS X. This vulnerability allows an attacker to execute arbitrary code outside the Java machine if you open a special page in a browser with a vulnerable version of Java.

This allowed the attacker to gain access to your passwords, personal data, and also run programs on your computer. In all versions Java error was fixed very quickly, it has existed since 2013.

10. HTTP/2 protocol vulnerability

This is a whole series of vulnerabilities that were discovered in 2016 in the HTTP/2 protocol. They received codes CVE-2015-8659, CVE-2016-0150, CVE-2016-1546, CVE-2016-2525, CVE-2016-1544. All implementations of this protocol in Apache, Nginx Microsoft, Jetty and nghttp2 were vulnerable.

All of them allow an attacker to greatly slow down the web server and perform a denial of service attack. For example, one of the errors led to the possibility of sending a small message, which on the server was unpacked into gigabytes. The bug was fixed very quickly and therefore did not cause much noise in the community.

Are you safe?

In this article, we looked at the most dangerous Linux vulnerabilities of 2016, 2015 and 2014. Most of them could cause serious harm to systems if they were not corrected in time. Thanks to open source code, such Linux vulnerabilities are effectively detected and fixed quickly. Just remember to update your system. The problem remains only with Android. Some devices no longer receive updates and there is no solution to this problem yet.

Installing and configuring administration tools, network configuration

After we have installed the basic operating system ubuntu14.04 from a minimal distribution, the first thing you need to worry about is how to manage it comfortably. Basically, ssh/telnet is used to configure and manage *nix-based servers, but in Lately For this purpose, quite suitable tools based on web interfaces have also appeared. I use free solutions Webmin And Ajenti. Both of these panels deserve attention and despite the fact that they can do everything individually, each of them is better suited for some things, so it’s better to have both of them. I should note that on combat production servers such solutions are not installed based on security. After all, the more control systems there are, the greater the likelihood of finding a vulnerability in them. Therefore, if your security requirements are at the “paranoid” level, then simply accept the fact that you will have to work with the server only via ssh (via the console).

Setting up a network in ubuntu 14.04

To communicate with our server over the network, you first need to configure it. By default, during installation the network was configured automatically and if the installer detected a DHCP server on the network, then most likely it has already configured everything as needed. If there is no DHCP server on the network, then the installer still configured everything based on polling the router to which the network card is connected. In order to see how the network is currently configured, just type in the terminal:

What do we see here:

We have two network interfaces eth0 and lo where lo is the “loopback interface” and eth0 is the name of our network card, and if lo is an unchanged network interface, then all other interfaces may differ in name. If in system unit two network cards are installed, their interfaces will most likely look like eth0 and eth1 and so on. The type of interface name depends on the type of network card, for example, if the network card operates on WiFi protocol then most likely its name will be wlan0.

To configure the network, let's edit the following file:

sudo nano /etc/network/interfaces

Let's bring it to this form:

iface eth0 inet static
address 192.168.0.184
netmask 255.255.255.0
gateway 192.168.0.1
auto eth0
dns-nameservers 8.8.8.8 8.8.4.4

Where: iface eth0 inet static— indicates that the interface (iface eth0) is in the range of IPv4 (inet) addresses with a static ip (static);
address 192.168.0.184— indicates that the IP address of our network card is 192.168.0.184;
netmask 255.255.255.0— indicates that our subnet mask (netmask) is 255.255.255.0;
gateway 192.168.0.1— default gateway address 192.168.0.254;
auto eth0— indicates to the system that the eth0 interface must be enabled automatically when the system boots with the above parameters.
eth0— the name of the interface to be connected. The list of interfaces can be viewed by typing ifconfig
dns-nameservers— DNS servers are written separated by a space.

As you can see in my case, I decided to set a static ip 192.168.0.184

reboot the server with the command

We ping our server from the network and make sure that it is visible. Now it’s time to establish a connection with it via SSH; to do this, we’ll actually install the ssh server:

sudo apt-get install ssh

Now you can connect to our server via ssh through the putty program, for example, now you can enter commands not manually, but by copying and pasting the lines we need into the ssh client, because in the future this will make the setup surprisingly easier, as you will soon see for yourself:

ALL COMMANDS BELOW THIS LINE ARE ENTERED AS SUPERUSER, and in order to enter superuser mode, you need to type:

Installing webmin

echo "deb https://download.webmin.com/download/repository sarge contrib" >> /etc/apt/sources.list echo "deb https://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib" >> /etc/apt/sources.list wget https://www.webmin.com/jcameron-key.asc apt-key add jcameron-key.asc apt-get update apt-get install -y webmin

All! 6 sequentially entered commands and webmin is installed and configured. Now you can log into your browser at:

https://192.168.0.184:10000

By default webmin looks minimalistic, the default interface is displayed on English language, but everything is customizable!

We do it like this:

It turns out like this:

According to cvedetails.com, since 1999 Linux kernel 1,305 vulnerabilities were found, of which 68 were found in 2015. Most of them do not pose any special problems, they are marked as Local and Low, and some can only be called with reference to certain applications or OS settings. In principle, the numbers are small, but the kernel is not the entire OS. Vulnerabilities are also found in GNU Coreutils, Binutils, glibs and, of course, in user applications. Let's look at the most interesting ones.

VULNERABILITIES IN THE LINUX KERNEL

OS: Linux
Level: Medium, Low
Vector: Remote
CVE: CVE-2015-3331, CVE-2015-4001, CVE-2015-4002, CVE-2015-4003
Exploit: concept, https://lkml.org/lkml/2015/5/13/740, https://lkml.org/lkml/2015/5/13/744

A vulnerability found in June in the Linux kernel before 3.19.3 in the __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c is due to the implementation of RFC4106 for x86 processors supporting the AES instruction set extension AES-NI (proposed Intel, Intel Advanced Encryption Standard Instructions) does not correctly calculate buffer addresses in some cases. If the IPsec tunnel is configured to use this mode (AES algorithm - CONFIG_CRYPTO_AES_NI_INTEL), the vulnerability can lead to memory corruption, crashes, and potentially remote CryptoAPI code execution. Moreover, the most interesting thing is that the problem can arise on its own, on completely legal traffic, without outside intervention. At the time of publication, the issue has been resolved.

Five vulnerabilities have been identified in the Linux 4.0.5 ozwpan driver, which has experimental status, four of which allow you to organize a DoS attack by crashing the kernel by sending specially designed packets. The problem is related to a buffer overflow due to incorrect handling of signed integers, in which the calculation in memcpy between required_size and offset returned a negative number, resulting in the data being copied to the heap.

Found in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c and in the oz_usb_rx and oz_usb_handle_ep_data functions of the drivers/staging/ozwpan/ozusbsvc1.c file. Other vulnerabilities involved possible division by 0, system looping, or the ability to read from areas outside the bounds of the allocated buffer.

The ozwpan driver, one of the new Linux products, can be interfaced with existing wireless devices compatible with Ozmo Devices technology (Wi-Fi Direct). Provides an implementation of a USB host controller, but the trick is that instead of physical connection peripherals communicate via Wi-Fi. The driver accepts network packets c type (ethertype) 0x892e, then parses them and translates them into various USB functionality. For now it is used in rare cases, so it can be disabled by unloading the ozwpan.ko module.

LINUX UBUNTU

OS: Linux Ubuntu 04/12–04/15 (core until June 15, 2015)
Level: Critical
Vector: Local
CVE: CVE-2015-1328
Exploit: https://www.exploit-db.com/exploits/37292/

A critical vulnerability in the OverlayFS file system allows for root access on Ubuntu systems that allow mounting of OverlayFS partitions by an unprivileged user. The default settings required to exploit the vulnerability are used in all branches of Ubuntu 12.04–15.04. OverlayFS itself appeared in the Linux kernel relatively recently - starting with 3.18-rc2 (2014), it is a SUSE development to replace UnionFS and AUFS. OverlayFS allows you to create a virtual multilayer file system, which combines several parts of other file systems.

The file system is created from a lower and upper layer, each of which is attached to separate directories. The bottom layer is used for reading only in directories of any file systems supported in Linux, including network ones. The top layer is usually writable and will override the data in the bottom layer if the files are duplicated. It is in demand in Live distributions, container virtualization systems, and for organizing the operation of containers for some desktop applications. User namespaces allow you to create your own sets of user and group IDs in containers. The vulnerability is caused by incorrect check of access rights when creating new files in the directory of the underlying file system.

If the kernel is built with CONFIG_USER_NS=y (enabling the user namespace) and the FS_USERNS_MOUNT flag is specified when mounting, OverlayFS can be mounted by a normal user in a different namespace, including where operations with root rights. In this case, operations with files with root rights performed in such namespaces receive the same privileges when performing actions with the underlying file system. Therefore, you can mount any FS partition and view or modify any file or directory.

At the time of publication, a kernel update with a fixed OverlayFS module from Ubuntu was already available. And if the system is updated, there should be no problems. In the same case, when the update is not possible, as a temporary measure, you should stop using OverlayFS by removing the overlayfs.ko module.

VULNERABILITIES IN KEY APPLICATIONS

OS: Linux
Level: Critical
Vector: local, remote
CVE: CVE-2015-0235
Exploit: https://www.qualys.com/research/security-advisories/exim_ghost_bof.rb

A dangerous vulnerability in the GNU glibc standard library, which is a core part of the Linux OS, and in some versions of Oracle Communications Applications and Oracle Pillar Axiom, discovered during a code audit by hackers from Qualys. Received the code name GHOST. This is a buffer overflow inside the __nss_hostname_digits_dots() function, which is used by glibc functions like gethostbyname() and gethostbyname2() to get the host name (hence the name GetHOST). To exploit the vulnerability, you must cause a buffer overflow using an invalid hostname argument to an application performing name resolution through DNS. That is, theoretically, this vulnerability can be applied to any application that uses the network to one degree or another. Can be called locally or remotely, allowing arbitrary code to be executed.

The most interesting thing is that the error was fixed back in May 2013, a patch was presented between the releases of glibc 2.17 and 2.18, but the problem was not classified as a security patch, so no attention was paid to it. As a result, many distributions turned out to be vulnerable. It was initially reported that the very first vulnerable version was 2.2 dated November 10, 2000, but there is a possibility that it will appear up to 2.0. Among others, the distributions RHEL/CentOS 5.x–7.x, Debian 7 and Ubuntu 12.04 LTS were affected. Hotfixes are currently available. The hackers themselves proposed a utility that explains the essence of the vulnerability and allows you to check your system. Everything is fine in Ubuntu 12.04.4 LTS:

Checking the system on GHOST

Almost immediately, a module was released to allow remote code execution on x86 and x86_64 Linux with a running Exim mail server (with the helo_try_verify_hosts or helo_verify_hosts parameter enabled). Later, other implementations appeared, for example, the Metasploit module for checking a blog on WordPress.

A little later, in 2015, three more vulnerabilities were discovered in GNU glibc that allowed a remote user to perform a DoS attack or overwrite memory cells outside the stack boundary: CVE-2015-1472, CVE-2015-1473, CVE-2015-1781.

OS: Linux (GNU Coreutils)
Level: Low
Vector: Local, Remote
CVE: CVE-2014-9471
Exploit: No

GNU Coreutils is one of the main *nix packages, including almost all the basic utilities (cat, ls, rm, date...). The problem was found in date. A flaw in the parse_datetime function could allow a remote attacker without an account on the system to cause a denial of service and possibly execute arbitrary code via a specially crafted date string using timezone. The vulnerability looks like this:

Vulnerability in GNU Coreutils

If there is no vulnerability, we will receive a message about the incorrect date format. Almost all Linux distribution developers have reported the presence of the vulnerability. An update is currently available.

OS: Linux (grep 2.19–2.21)
Level: Low
Vector: Local
CVE: CVE-2015-1345
Exploit: No

Vulnerabilities are rarely found in the grep utility, which is used to search for text using a pattern. But this utility is often called by other programs, including system ones, so the presence of vulnerabilities is much more problematic than it seems at first glance. A bug in the bmexec_trans function in kwset.c could result in reading uninitialized data from an area outside the allocated buffer or causing the application to crash. A hacker can take advantage of this by creating a special set of data supplied to the application input using grep -F. Updates are currently available. There are no exploits that use the vulnerability or a module for Metasploit.

VULNERABILITY IN FREEBSD

OS: FreeBSD
Level: Low
Vector: Local, Remote
CVE: CVE-2014-0998, CVE-2014-8612, CVE-2014-8613
Exploit: https://www.exploit-db.com/exploits/35938/

There are not many vulnerabilities in the CVE database for 2015, to be more precise - only six. Three vulnerabilities were found in FreeBSD 8.4–10.x at the end of January 2015 by researchers from the Core Exploit Writers Team. CVE-2014-0998 is related to the implementation of the VT console driver (Newcons), which provides multiple virtual terminals, enabled by the kern.vty=vt parameter in /boot/loader.conf.
CVE-2014-8612 occurs when using the SCTP protocol and is caused by an error in the SCTP stream ID verification code that implements SCTP sockets (local port 4444). The essence is an out-of-memory error in the sctp_setopt() function (sys/netinet/sctp_userreq.c). This gives a local unprivileged user the ability to write or read 16 bits of kernel memory data and escalate their privileges on the system, reveal sensitive data, or crash the system.

CVE-2014-8613 allows a NULL pointer dereference to be triggered when processing an externally received SCTP packet when the SCTP_SS_VALUE SCTP socket option is set. Unlike previous versions, CVE-2014-8613 can be used to remotely cause a kernel crash by sending specially crafted packets. In FreeBSD 10.1, you can protect yourself by setting the net.inet.sctp.reconfig_enable variable to 0, thereby disabling processing of RE_CONFIG blocks. Or simply prohibit applications (browsers, mail clients and so on). Although at the time of publication the developers had already released an update.

VULNERABILITY IN OPENSSL

OS: OpenSSL
Level: Remote
Vector: Local
CVE: CVE-2015-1793
Exploit: No

In 2014, a critical Heartbleed vulnerability was discovered in OpenSSL, a widely used cryptographic package for working with SSL/TLS. The incident at one time caused massive criticism of the quality of the code, and, on the one hand, this led to the emergence of alternatives like LibreSSL, on the other hand, the developers themselves finally got down to business.

The critical vulnerability was discovered by Adam Langley of Google and David Benjamin of BoringSSL. Changes made in OpenSSL versions 1.0.1n and 1.0.2b caused OpenSSL to attempt to find an alternative certificate verification chain if the first attempt to build a trust chain was unsuccessful. This allows you to bypass the certificate verification procedure and organize a confirmed connection using a fake certificate, in other words - to calmly lure a user to fake sites or an email server, or to carry out any MITM attack where a certificate is used.

After the vulnerability was discovered, the developers released releases 1.0.1p and 1.0.2d on July 9, which fixed this problem. Versions 0.9.8 or 1.0.0 do not have this vulnerability.

Linux.Encoder

The end of autumn was marked by the appearance of a number of encryption viruses, first Linux.Encoder.0, followed by modifications Linux.Encoder.1 and Linux.Encoder.2, which infected more than 2,500 sites. According to antivirus companies, Linux and FreeBSD servers with websites running using various CMSs - WordPress, Magento CMS, Joomla and others - are being attacked. Hackers are exploiting an unidentified vulnerability. Next, a shell script was placed (file error.php), with the help of which any further actions were performed (via the browser). In particular, the Linux encoder Trojan was launched.

Encoder, which determined the OS architecture and launched the ransomware. The encoder was launched with web server rights (Ubuntu - www-data), which is quite enough to encrypt files in the directory in which CMS files and components are stored. Encrypted files receive a new extension.encrypted.

The ransomware also tries to bypass other OS directories; if the rights are configured incorrectly, then it could easily go beyond the boundaries of the website. Next, the file README_FOR_DECRYPT.txt was saved in the directory, containing instructions for decrypting the files and the hacker’s requirements. At the moment, antivirus companies have introduced utilities that allow you to decrypt directories. For example, a set from Bitdefender. But you need to remember that all utilities designed to decrypt files do not remove the shellcode and everything can happen again.

Considering that many users involved in development or experimenting with website administration often install a web server on their home computer, you should worry about security: block access from outside, update software, conduct experiments on a VM. And the idea itself could be used in the future to attack home systems.

CONCLUSION

Complex software without errors physically does not exist, so you have to come to terms with the fact that vulnerabilities will be discovered constantly. But not all of them can be truly problematic. And you can protect yourself by taking simple steps: remove unused software, monitor new vulnerabilities and be sure to install security updates, configure a firewall, install an antivirus. And don’t forget about special technologies like SELinux, which are quite capable of compromising a daemon or user application.