Apr 2, 2015

Howto: Set up SSH to use another port (not 22) with SELinux

List the ports assigned to each service
/usr/sbin/semanage port -l

Add port 1234 for ssh service
/usr/sbin/semanage port -a -t ssh_port_t -p tcp 1234

Howto: Solve SSH + PAM_Radius problem

I found the log saying that

"Apr  2 14:38:10 localhost audispd: node=localhost.localdomain type=AVC msg=audit(1427960289.654:338076): avc:  denied  { name_bind } for  pid=3146 comm="sshd" src=32766 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket"

So this is the way to solve this problem:

1. Create policy "sshd-radius.te" file
policy_module(sshd-radius, 1.0)

# Types used below are declared in the base policy, so they must be required, not declared.
require {
    type sshd_t;
    type port_t;
}

# Derived from the AVC denial above: sshd_t binding a UDP socket to a generically labelled port.
allow sshd_t port_t:udp_socket name_bind;

2. Compile it
# make -f /usr/share/selinux/devel/Makefile

3. Install it
# semodule -i sshd-radius.pp
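
As an added example (not code from the original post or from the Red Hat bug), the script below does by hand what audit2allow does for the denial above: it parses an AVC record into source type, target type, class and permissions, and renders the require block and allow rule that a policy_module()-style .te file needs. The AVC line is the one quoted above, re-joined onto a single line; the module name and version are the ones used in step 1.

```python
import re

# Constructed sample: the AVC record quoted above, re-joined onto one line.
AVC_SAMPLE = (
    "type=AVC msg=audit(1427960289.654:338076): avc:  denied  { name_bind } for  "
    'pid=3146 comm="sshd" src=32766 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    "tcontext=system_u:object_r:port_t:s0 tclass=udp_socket"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Extract source type, target type, object class and permissions from one AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial (e.g. a SYSCALL record)
    # A security context is user:role:type[:range]; the type is always the third field.
    return {
        "stype": m.group("scon").split(":")[2],
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": sorted(m.group("perms").split()),
    }


def build_te_module(name, version, denials):
    """Render a refpolicy-style .te module whose allow rules cover every parsed denial."""
    rules = {}
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    # Every type we reference lives in the base policy, so it goes in a require block.
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    out = [f"policy_module({name}, {version})", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_te_module("sshd-radius", "1.0", [parse_avc(AVC_SAMPLE)]))
```

Feed it the relevant lines from /var/log/audit/audit.log and review the output before compiling it with the Makefile in step 2; a rule generated this way grants exactly the denied permission, so check that it is the narrowest fix rather than a symptom of a mislabelled port.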

Source:: https://bugzilla.redhat.com/show_bug.cgi?id=647043

Mar 30, 2015

Tools: Malcom - Malware Communication Analyzer

Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes in handy when analyzing how certain malware species try to communicate with the outside world.

Malcom can help you:
  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is 'known-bad'

The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.

Source:: https://github.com/tomchop/malcom

Tools: Troubleshooter - Exploit SELinux (Setroubleshoot)

The revenge of GingerBreak

Abstract: This paper demonstrates vulnerabilities within the SELinux framework as well as shortcomings in the type enforcement setup. I will show how to deconstruct a SELinux setup with some simple 80's style exploit techniques. While reading this paper, I recommend listening to this music from the year of morrisworm.

When in 2012 the SELinux developers analyzed the behavior of an exploit that was not designed to run on a SELinux system at page 32 of these slides - it triggered a review-selector for SELinux and I put it to the list of my audit targets. Not surprisingly, GingerBreak lost that "competition", just because it was not made for it. Using my QUANTUM AUDIT techniques I was now able to have a deeper look into SELinux itself to see whether the claims that were made really hold.

Source:: https://github.com/stealth/troubleshooter


Tools: Paramiko - Python SSH Backdoor

SSH Backdoor using Paramiko

Source:: https://github.com/joridos/custom-ssh-backdoor