Daemon Security is a "Silver Sponsor" of vBSDCon 2015, the biennial BSD conference hosted by Verisign, Inc. The conference will bring together members of the BSD community in a series of round-table discussions including presentations on various BSD topics including system administration, networking and security. Daemon Security is proud to be sponsoring this event for a second time to help solidify the BSD operating systems as the only choice for deploying security tools and solutions. The conference is only days away, so be sure to register as soon as possible. Hope to see everyone at the Hacker Lounge to discuss Network Security with BSD, HardenedBSD and the MetaBoF.
vBSDCon 2015 at the Sheraton in Reston, VA.
Hunter NSM is a simple install script for Snort or Bro IDS with JSON logging configured for FreeBSD. This is a simplified version of the snorby install script, as the goal is to provide a modular platform to plug into any existing security architecture. The current version has been tested on FreeBSD 10.1 and HardenedBSD.
The script is available on github:
First off, if you are interested in all of the latest news and information on the BSD operating systems, you should check out the BSD Now podcast. In the segment where Allan Jude and Kris Moore discuss viewers' questions, Allan talked about creating ZFS snapshots of your home directory every 30 minutes or so. This is a great way to capture changes that have occurred since the last daily backup of your user home directory. zfscron.sh has been added to the zfsbackup scripts and only needs to be set up as a cronjob for a user account that has the privilege to perform ZFS snapshots (delegated with zfs allow, see zfs(8)).

$ crontab -e

Then add the following to set up the cronjob for the user:

*/30 * * * * /usr/home/test/zfscron.sh

Now as you work throughout the day, snapshots will be rolled every 30 minutes, allowing you to go back if you have accidentally deleted files or directories from your user account within the past hour.

zfscron.sh on github:
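The following is an added example of the same idea written out in full: a rolling snapshot job that a delegated, non-root user can run from cron, with pruning so the snapshots do not pile up. It is not the zfscron.sh from the zfsbackup repository; the dataset name (zroot/usr/home/test), the snapshot prefix and the retention count are assumptions for illustration.

```shell
#!/bin/sh
# Added example of a 30-minute rolling snapshot job for a ZFS home dataset.
# This is not the zfscron.sh from the zfsbackup repository; the dataset name,
# snapshot prefix and retention count below are assumptions for illustration.
#
# The job is meant to run unprivileged. Delegate the needed permissions once
# as root (destroy and mount are both needed to remove a snapshot):
#   zfs allow -u test snapshot,destroy,mount zroot/usr/home/test

DATASET="${DATASET:-zroot/usr/home/test}"   # assumed dataset for /usr/home/test
PREFIX="cron"                               # tag so we never prune other snapshots
KEEP="${KEEP:-48}"                          # 48 x 30 min = one day of rollback

# Snapshot name for the current time, e.g. cron-20150428-1330.
snapname() {
    printf '%s-%s\n' "$PREFIX" "$(date +%Y%m%d-%H%M)"
}

# Read snapshot names (one per line, oldest first) on stdin and print the ones
# that carry our prefix and fall outside the newest $1 entries.
select_prune() {
    grep "@${PREFIX}-" | awk -v keep="$1" '
        { s[NR] = $0 }
        END { for (i = 1; i <= NR - keep; i++) print s[i] }'
}

take_snapshot() {
    zfs snapshot "${DATASET}@$(snapname)"
}

# -d 1 limits the listing to this dataset's own snapshots; -s creation orders
# them oldest first, which select_prune relies on.
prune_snapshots() {
    zfs list -H -t snapshot -o name -s creation -d 1 "$DATASET" \
        | select_prune "$KEEP" \
        | while read -r snap; do
            zfs destroy "$snap"
          done
}

# Cron entry for the delegated user:  */30 * * * * /usr/home/test/zfs-roll.sh run
if [ "${1:-}" = "run" ]; then
    take_snapshot && prune_snapshots
fi
```

Because only snapshots carrying the cron- prefix are ever destroyed, the job can coexist with the daily zfsbackup snapshots on the same dataset; run it with the "run" argument from the crontab of the user you delegated permissions to.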
Several websites have discussed this writeup by Marc-Etienne M.Leveille of ESET on the Mumblehard malware, which ESET discovered while working with a customer. Though Linux malware (just like OS X malware) is nothing new, this software includes a very interesting binary packer that actually detects BSD systems. The attack vectors for this malware were Joomla and WordPress exploits, and an illegal copy of DirectMailer, which installs the backdoor once the software is loaded (M.Leveille, 2015).

The malware is Perl code packed inside an ELF binary (the executable file format on UNIX and UNIX-like systems). Using a single system call, the packer can determine whether the binary is executing on Linux or BSD: syscall number 13 is time() on Linux but fchdir() on BSD, so the same instruction sequence returns a timestamp on one and an error on the other. The following is the disassembled code from the M.Leveille report:

mov eax, SYS_time; //BSD_fchdir
push ebx; //Set to NULL or 0
int 80h; //syscall 13
//saves EAX and compares
cmp eax, 0
//jumps to a specific location for BSD systems if the value is less than 0 (negative)
//Or jumps to specific location for Linux systems when EAX is set to current number of seconds since the UNIX EPOCH

(M.Leveille, 2015, p. 6)

There is no specific data on the number of BSD systems that were compromised, beyond the compromised systems showing up in the ESET sinkholes. The key point from this report is that BSD systems may be unpatched or misconfigured and just as vulnerable as Linux systems when care is not taken to keep systems up-to-date and to promptly patch web applications when vulnerabilities are discovered. To check your BSD systems, look for binaries running from /var/tmp or /tmp. The malware also sets $0 to httpd to hide itself, and it will place a cronjob to run every 15 minutes:

*/15 * * * * /var/tmp/qCVwOWA >/dev/null 2>&1

(M.Leveille, 2015, p. 6)

Make sure you are monitoring your BSD systems and keeping your applications up-to-date.
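To turn the three indicators above (a binary executing out of /tmp or /var/tmp, argv[0] rewritten to httpd, and a */15 crontab entry pointing at /var/tmp) into something you can run on a FreeBSD host, here is an added example. It is not ESET's tooling or the author's; the filter functions take the output of procstat(1), ps(1) and the crontab files on stdin, the crontab paths are FreeBSD's, and the sample lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: a quick hunt for the Mumblehard indicators described in the
# post. Not ESET's tooling or the author's; it only encodes the three
# indicators from the writeup: a binary executing from /tmp or /var/tmp,
# argv[0] rewritten to "httpd", and a crontab entry that runs from /var/tmp.
# Crontab file locations are FreeBSD's (/etc/crontab, /var/cron/tabs).

# Input: "PID COMM OSREL PATH" lines as printed by `procstat -ba`.
# Output: processes whose executable lives in a scratch directory.
suspicious_procs() {
    awk '$4 ~ /^\/(var\/)?tmp\// { print }'
}

# Input: "PID COMM ARGS" lines as printed by `ps -axo pid,comm,args`.
# COMM is the kernel's copy of the executable name and is not touched by
# assigning to $0 (that only rewrites the argument area), so a process that
# says httpd in argv[0] but not in COMM is lying about what it is.
spoofed_httpd() {
    awk '$3 ~ /^(.*\/)?httpd$/ && $2 != "httpd" { print }'
}

# Input: crontab lines. Output: uncommented entries whose command runs from
# /tmp or /var/tmp, e.g.  */15 * * * * /var/tmp/qCVwOWA >/dev/null 2>&1
suspicious_cron() {
    grep -E '^[^#]*[[:space:]]/(var/)?tmp/'
}

# Run as root so every process and every user's crontab is visible:
#   sh hunt-mumblehard.sh run
if [ "${1:-}" = "run" ]; then
    echo "== binaries executing from /tmp or /var/tmp"
    procstat -ba | suspicious_procs
    echo "== argv[0] spoofed to httpd"
    ps -axo pid,comm,args | spoofed_httpd
    echo "== crontab entries running from /tmp or /var/tmp"
    cat /etc/crontab /var/cron/tabs/* 2>/dev/null | suspicious_cron
fi
```

A hit in any of the three lists is worth a look, but the combination is what matters: a process whose binary sits in /var/tmp, presents itself as httpd, and is kept alive by a 15-minute cron entry is the pattern the report describes.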
M.Leveille, M.E. (2015). Unboxing Linux/Mumblehard: Muttering spam from your servers. Retrieved from http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf
If you are still using FreeBSD 9.x, you will want to migrate your jails to the new jail.conf format when you upgrade to FreeBSD 10. The jail.conf format has been around since FreeBSD 9.1.

To assist with the migration to jail.conf, a template file is created based on the configuration of the jails within your rc.conf file. In the following example, a jail called "testjail" is configured in rc.conf and then started on a FreeBSD 10.1 system:

jail_testjail_rootdir="/usr/jails/testjail"

If you run the jail, you will receive the following output:

# service jail start testjail
Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.testjail.conf is created and used for jail testjail.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider to migrate to /etc/jail.conf

When you use the old rc.conf variables, the jail service script creates the new format for you, in this case /var/run/jail.testjail.conf. This file can be copied to /etc/jail.conf and used to start your jail with the new format. The following is the contents of the converted jail.testjail.conf:

# Generated by rc.d/jail at 2015-04-28 13:23:43
testjail {
	host.hostname = "testjail";
	path = "/usr/jails/testjail";
	ip4.addr += "192.168.1.22/32";
	allow.raw_sockets = 0;
	exec.system_user = "root";
	exec.jail_user = "root";
	exec.start += "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
	exec.consolelog = "/var/log/jail_testjail_console.log";
	mount.fstab = "/etc/fstab.testjail";
	allow.set_hostname = 0;
	allow.sysvipc = 0;
}

Note that the generated stanza carries the restrictive defaults over explicitly (allow.raw_sockets = 0, allow.set_hostname = 0, allow.sysvipc = 0); keep them unless a jail has a documented need for raw sockets or System V IPC.

The generated jail.conf files can be consolidated into a single /etc/jail.conf file as documented by Dan Rue (2014):

cat /var/run/jail.HoneyPy.conf /var/run/jail.limbo.conf /var/run/jail.lussuria.conf >> /etc/jail.conf

If you do not want to run the jail, you can use the "config" option with the service script and it will create the jail.conf file based on the content of your rc.conf file:

# service jail config testjail
/etc/rc.d/jail: WARNING: /var/run/jail.testjail.conf is created and used for jail testjail.
testjail: parameters are in /var/run/jail.testjail.conf.

If you are supporting a number of customers (and jails), you can simply copy all of the generated configs into a single /etc/jail.conf file. Tools like ezjail handle updating the jail.conf for you when creating or modifying FreeBSD jails. With the "config" option, you can avoid having to run the jail in order to generate the proper jail.conf file for your jails.
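As an added example of the mapping rc.d/jail performs, and of consolidating the generated files without the pitfall of appending the same jail twice, here is a small script. It is not rc.d/jail's converter and not from Dan Rue's post; it only maps the rc.conf variables with a direct jail.conf equivalent (rootdir, hostname, ip, devfs_enable), and the rc.conf and jail.conf fragments used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not rc.d/jail's own converter: build a jail.conf stanza from
# the old jail_<name>_* rc.conf variables, and consolidate the per-jail files
# rc.d/jail generates into /etc/jail.conf without defining a jail twice
# (a second `cat >> /etc/jail.conf` of the same file would do exactly that).
# Only variables with a direct jail.conf equivalent are mapped here:
#   rootdir -> path, hostname -> host.hostname, ip -> ip4.addr,
#   devfs_enable -> mount.devfs.  Everything else is ignored, so diff the
# result against /var/run/jail.<name>.conf before relying on it.

# Usage: rc_to_jailconf NAME < /etc/rc.conf
rc_to_jailconf() {
    awk -v name="$1" '
        BEGIN { prefix = "jail_" name "_" }
        index($0, prefix) == 1 {
            i   = index($0, "=")
            var = substr($0, length(prefix) + 1, i - length(prefix) - 1)
            val = substr($0, i + 1)
            sub(/^"/, "", val); sub(/"$/, "", val)   # strip rc.conf quotes
            v[var] = val
        }
        END {
            print name " {"
            if ("hostname" in v) print "  host.hostname = \"" v["hostname"] "\";"
            if ("rootdir"  in v) print "  path = \"" v["rootdir"] "\";"
            if ("ip"       in v) print "  ip4.addr += \"" v["ip"] "\";"
            if (v["devfs_enable"] == "YES") print "  mount.devfs;"
            print "  exec.start += \"/bin/sh /etc/rc\";"
            print "  exec.stop = \"/bin/sh /etc/rc.shutdown\";"
            print "}"
        }'
}

# Print the jail names defined in a jail.conf read from stdin ("name {" lines).
jail_names() {
    awk '/^[A-Za-z0-9_.-]+[[:space:]]*[{]/ { sub(/[[:space:]]*[{].*/, ""); print }'
}

# Usage: consolidate /etc/jail.conf /var/run/jail.*.conf
# Appends each generated file unless one of its jails is already defined.
consolidate() {
    target="$1"; shift
    [ -f "$target" ] || : > "$target"
    for f in "$@"; do
        skip=0
        for j in $(jail_names < "$f"); do
            if jail_names < "$target" | grep -qx "$j"; then
                echo "skipping $f: jail $j is already defined in $target" >&2
                skip=1
            fi
        done
        if [ "$skip" -eq 0 ]; then
            cat "$f" >> "$target"
        fi
    done
}
```

Once every jail is in /etc/jail.conf, remove the jail_<name>_* variables from rc.conf (keeping jail_enable and jail_list) so rc.d/jail stops warning and reads only the new file.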
Rue, D. (2014) Convert FreeBSD 10 jails from rc.conf to jail.conf. Retrieved from http://therub.org/2014/08/11/convert-freebsd-jails-from-rc.conf-to-jail.conf
zfsbackup.sh has been modified to use a non-root user with the necessary privileges to perform ZFS send/receive and to administer snapshots. The script was initially a proof-of-concept for providing an easy way to do backups. The zfsbackup.sh script now requires a non-root user to operate. Check out the updated code on github: http://github.com/shirkdog/zfsbackup