BIND Domain Name System DNS

an article added by: Philip A Clare at 04092007


In: Root » Computers and technology » Linux » BIND Domain Name System DNS

French Spanish Portuguese Italian German Japanese Chinese Korean Russian Arabic

BIND (Berkley Internet Name Domain) is the most used DNS server on the Internet. Nowadays, every Linux distribution has a BIND package for DNS services.
The problem with BIND and any DNS server is that in order to be able to translate names into IP addresses it has to communicate with a whole lot of other DNS servers, and so, filtering DNS packets is not possible. DNS services are vital for internet connection; so in order to disrupt services to victims, attackers have a great interest in bringing down DNS servers. Although BIND is well known for its security issues, there are many vulnerable BIND servers out there, and so you have to be really careful running BIND. A DNS server survey at http://mydns.bboy.net/survey shows the popularity of BIND, and that there are still quite a lot of vulnerable versions out there. Here is some of my advice on what would provide a more secure BIND:

  • Don't use the BIND package that comes with your distribution of Linux; download the latest from BIND website (http://www.isc.org).
  • Place BIND in a chroot jail. This is the best thing to do to protect against remotely exploitable vulnerabilities in BIND that allow attackers to get a shell on the server running BIND. If you don't chroot your version of BIND and such a vulnerability is discovered, your Linux server and all data on it may be compromised before you have the time to upgrade.
  • Always apply patches and upgrade BIND whenever a bug is discovered or a new version comes out.
  • Secure zone transfers between primary and secondary DNS servers using DNS Transaction Signatures (TSIG).
  • Disable recursion and glue fetching to defend against DNS cache poisoning.

Although BIND is more popular and easier to configure, consider using TinyDNS, as it has proven to be more secure over the years.

Apache Web Server

The most popular web server is Apache, found at http://www.apache.org, which had some security issues in the past, whether they were Apache bugs or add-on modules' vulnerabilities. Here is some of my advice on what would provide a more secure Apache server:

  • Patch your server and try to keep it as up to date as possible.
  • Remove all sample scripts of add-on modules (mod_php, mod_cgi, mod_perl, etc.).
  • If running PHP, CGI, and other script languages, consider using suEXEC, a wrapper program called by Apache to allow it to call scripts from a different user ID than the one it uses for Apache.
  • Don't allow uploads of any scripts into your web server by untrusted parties.
  • Read about all vulnerabilities of any open-source projects that you install, such as PHPBB forums, for example.
  • Don't run the web server as root. Create a user with minimal rights to run the web server.
  • Modify the response token for your web server. It's harder for an attacker to bring it down when he or she doesn't know what web server you are running.

Version Control Systems

Version control systems provide tools for software developers to concurrently work on the same set of files and manage different versions of source code.
In Linux systems, the most popular version control system is CVS (Concurrent Versions System), used by many open-source software projects that allow anonymous access to their CVS repositories via the pserver protocol that runs on TCP port 2401 by default. A CVS server with remote access has the following vulnerabilities:

  • A heap-based buffer overflow that can be triggered by specially crafted entry lines. Exploit code for CVS servers was published on security lists, and allows attackers to execute arbitrary code on the CVS server.
  • There are some vulnerabilities in the implementation of other commands and functions that may be exploited by an authenticated user to cause Denial of Service or execute arbitrary code on the CVS server. Some of these may be exploited by anonymous users.

To protect against these vulnerabilities, consider the following steps:

  • Update CVS to the latest stable release. CVS can be found at http://www.cvshome.org.
  • Run the CVS server in a chroot jail.
  • Configure CVS to use the SSH protocol instead of the pserver protocol (which sends the passwords in plaintext).
  • If you don't allow anonymous access to your CVS server, try filtering port 2401 to allow only trusted hosts to connect to it.
  • Host the CVS server for anonymous read-only access on a stand-alone system.
  • Run the published exploits against your CVS servers.

Another version control system that gained popularity on Linux is subversion. A subversion repository can be remotely accessed via the svn protocol. The svn server runs on the TCP port 3690 by default and contains the following vulnerabilities:

  • A heap-based buffer overflow that can be exploited by unauthenticated attackers to execute arbitrary code on the subversion server.
  • A stack-based buffer overflow that can be triggered by a specially crafted get-date-rev svn command. In this way too an unauthenticated attacker can execute arbitrary code. For this vulnerability, multiple exploits were published on security lists.

To protect your subversion server against those vulnerabilities, consider the following steps:

1. Update your subversion software to the latest stable version from http://subversion.tigris.org/.
2. Configure subversion to use webDAV instead of the svn protocol.
3. If you don't allow anonymous access to your subversion server, try filtering the TCP port 3690 to allow only trusted hosts.
4. Run the published exploits against your subversion server.
5. Host the subversion server for anonymous read-only access on a stand-alone system.

Mail Transport Agents (MTA)

Email is one of the most popular services on the Internet and for a company it is a vital service in almost every department. SMTP (Send Mail Transport Protocol) is one of the oldest protocols on the Internet and it is used by MTAs to send email from the sender to the recipients. SMTP listens on the TCP port 25 by default, and if it is used to receive email from any email address on the Internet, it must not be filtered.
The most popular MTA for Linux is Sendmail, which had a lot of security issues including buffer overruns that could be remotely exploited to compromise the MTA server. Popular alternatives to Sendmail are Postfix, Qmail, Exim, and Courier-MTA.
MTAs' most popular problems are the following:

  • Vulnerabilities such as buffer overruns, heap overflows, etc., which can be used by remote or local attackers to compromise the server running the MTA.
  • Missconfiguration of the MTA allowing everyone to use it for sending mail. This is called open relay. Missconfigured MTAs as open relays immediately fall in the hands of spammers, which may cause big damages to your company by having your email server in one of the many email servers blacklists, plus the fact that all the spam consumes your bandwidth. You can check your mail server to see if it is an open relay at http://www.abuse.net/relay.html,  which runs a set of tests to see if there's any way for a spammer to use your email server to send mail to other people.
  • User-account database disclosure vulnerabilities.

legal disclaimer

Our website is not responsible for the information contained by this article. Web-articles is a free articles resource.
Suggestion: If you need fresh, daily updated content for your website, feel free to use our service. Click here for more information.

related articles

1. Public and Private IP Addresses
The Internet is a public network, and therefore a device connected directly to the Internet has a public IP address. Those IP addresses must be administered by someone in such way that two devices connected to the public network don't use the same IP address or that two networks don't have the same network address. This job was done by InterNIC (Internet Network Information Center), which has been succeeded by IANA (Internet Assigned Numbers Authority). IANA makes sure to provide unique IP network addresses to Internet Service Provide...

2. IP Supernetting or CIDR
CIDR stands for "Classless Inter-Domain Routing". It is a new addressing scheme for the Internet, intended to replace the old classful (Class A, B, C) address scheme. CIDR allows a more efficient allocation of IP addresses and uses routing aggregation for minimizing the routing table entries, and is also called supernetting. A recapitulation of classful IP addressing shows us the following: Address ...

3. Linux Security Threats
Creating firewalls may block some malicious attempts on your network, but this step is far from running an entirely secure network. As a network administrator or security consultant, to design a proper firewall for your network you need to know what you defend your network from. We cannot fully discuss this topic, even in 1000 pages, but we want to explain some principles that you should consider in running a safe network. As hard as it may seem to protect your network from the outside world, the most dangerous threats always come f...

4. IP Spoofing
An attacker might spoof a trusted IP address when communicating to a host in order to gain unauthorized access on that host. There are a variety of tools that can be found on the Internet to do IP spoofing. Using IP spoofing, attackers can also initiate Denial of Service by sending data with the source IP spoofed to the attacked IP address. The receiver then sends back replies that can contain large amounts of data to the attacked IP address resulting in...

5. Simple Network Management Protocol SNMP
These days, most network devices use SNMP for remote monitoring and configuration. SNMP is a simple protocol used usually to create monitoring software that can retrieve information such as network traffic, CPU load, disk load, etc., and also to modify configuration of devices such as wireless equipment, broadband routers, etc. Most SNMP implementations on those kinds of network devices use version 1 or version 2, which have a very weak authentication method. SNMP version 1 contains a set of bugs in the way SNMP traps and reques...

6. Firewalls, netfilter/iptables
The two things needed to build firewalls and Quality of Service (QoS) with Linux are two packages named netfilter and iproute. While netfilter is a packet filtering framework included in the Linux kernels 2.4 and 2.6, iproute is a package containing a few utilities that allow Linux users to do advanced routing and traffic shaping. This article is intended to introduce the tools we will use throughout this article. However, netfilter ...

7. Iptables Target Specifications in Linux
For the filter table, the most used targets for firewall rules are DROP and ACCEPT. If a rule matches the filtering specifications and has a DROP target, the packet will simply be discarded. If a packet matches a rule with a DROP target, the Linux kernel will drop the packet without consulting other rules in the firewall. If the target is ACCEPT, then the packet is accepted without further consultation of other firewall rules. An alternative to DROP is the REJECT target, which drops the packet but sends an ICMP packet to the sou...