Cloudflare and Dome9 Blacklister Scripts (Bash/Python)
One of my servers was under attack from an IP in China recently (some lame automated SQLi), but I figured I’d blackhole the source IP anyway.
My first step was to blacklist it in Dome9, which I use to manage that server’s firewall, but after noticing that the attacks were still hitting my server I remembered that, because I also use Cloudflare, those attacks were getting tunnelled through their network. So the solution (for that particular attack) was to also blacklist the source IP in Cloudflare. When another stupid attack came in a day or so later, I did the same and realised that it would be much easier if I automated the whole process.
So I threw together a Bash script (and then a Python script) that leverages the Cloudflare and Dome9 APIs to submit a given IP address to one or both services.
I’ve put these into my scripts repo on GitHub. Simply insert your Cloudflare and/or Dome9 API keys into the configuration portion of the script and go. Using this you could conceivably fully automate it by auto-detecting brute-force type attacks using a script on the server and calling this script to make the blacklist updates.
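As an added illustration of the Cloudflare half of that workflow (this is not the script from the GitHub repo), the following Python does what the post describes: it takes an IP on the command line, refuses anything that is not a globally routable address (so a typo cannot block your own LAN or loopback), builds a block rule for Cloudflare’s v4 IP Access Rules endpoint, and submits it with an API token read from the `CLOUDFLARE_API_TOKEN` environment variable. The endpoint and token header are the public Cloudflare v4 API; the environment variable name and the dry-run behaviour when no token is set are this example’s own choices.

```python
"""Submit an attacker IP to Cloudflare's IP Access Rules in block mode.

Added example, not the author's script. Assumes the Cloudflare v4 user-level
access-rules endpoint and an API token in CLOUDFLARE_API_TOKEN (assumed name).
Without a token it prints the rule it would send and exits (dry run).
"""
import ipaddress
import json
import os
import sys
import urllib.request

# Public Cloudflare v4 endpoint for user-level IP access rules.
CF_API = "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules"


def validate_public_ip(raw: str):
    """Parse an IP and refuse anything that should never be blacklisted:
    loopback, RFC 1918/ULA, link-local, multicast, reserved and documentation
    ranges. Raises ValueError on bad input or a non-global address."""
    addr = ipaddress.ip_address(raw.strip())
    if not addr.is_global:
        raise ValueError(f"{addr} is not a globally routable address")
    return addr


def build_cloudflare_rule(raw_ip: str, note: str = "automated blacklist") -> dict:
    """Build the JSON body Cloudflare expects for a block rule.
    Cloudflare uses target 'ip' for IPv4 and 'ip6' for IPv6."""
    addr = validate_public_ip(raw_ip)
    target = "ip6" if addr.version == 6 else "ip"
    return {
        "mode": "block",
        "configuration": {"target": target, "value": str(addr)},
        "notes": note,
    }


def submit_cloudflare_rule(rule: dict, token: str) -> dict:
    """POST the rule to Cloudflare and return the decoded API response."""
    req = urllib.request.Request(
        CF_API,
        data=json.dumps(rule).encode(),
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <ip>", file=sys.stderr)
        return 2
    rule = build_cloudflare_rule(argv[1])
    token = os.environ.get("CLOUDFLARE_API_TOKEN")
    if not token:
        # Dry run: show exactly what would be sent without touching the API.
        print(json.dumps(rule, indent=2))
        return 0
    result = submit_cloudflare_rule(rule, token)
    if result.get("success"):
        print("blocked", rule["configuration"]["value"])
        return 0
    print("cloudflare error:", result.get("errors"), file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The address check is the part worth keeping even if you swap the API client: a script that is wired to an automatic brute-force detector will eventually be fed a spoofed, internal or monitoring address, and rejecting non-global addresses up front is cheaper than unblocking yourself afterwards.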
Bearing in mind these were very hastily put together, any feedback/improvements are welcome!
Kernel.org Compromised, OpenSSH Source Not Backdoored
Kernel.org, the primary site for the Linux kernel source, was compromised sometime in August. It is believed that the attackers gained access using compromised user credentials, and then escalated their privileges to root. Early pieces of information implied that some OpenSSH source code was stored on the compromised Kernel.org server(s), but apparently this may not be the case. So far the investigation has found that several modifications were made to the compiled OpenSSH client and server binaries running on the system to log user activity. The full extent of the changes is not yet known, and nobody has yet come forward to claim this hack.
If you’ve installed or updated your kernel or OpenSSH recently, you may want to reinstall from a known good version, although it is not yet known if any kernel sources were modified. Although in this case OpenSSH itself wasn’t compromised, admins can consider running some form of Single Packet Authorization, such as fwknop, as an additional layer of protection for their SSH servers against these kinds of issues (backdoors) and other potential future 0days.
Hopefully more info will come to light as the investigation progresses. Hit the jump for more details.
Safari AutoFill Information Disclosure (with PoC)
Thanks to Safari’s nifty AutoFill feature, it has long been susceptible to an information disclosure vulnerability which could allow a malicious web page to extract various details stored in your personal vCard in Address Book.
This was highlighted a while back, and today re-emphasized by Jeremiah Grossman with a proof-of-concept attack.
The issue exists due to the way that Safari tries (by default) to auto-populate some of your details, including name, address, telephone number, etc., when you fill out forms. This can only happen if you have ‘AutoFill web forms’ enabled in Safari’s preferences, as shown in the screenshot below:
Uncheck these boxes to prevent this attack… but note that you’ll have to type your own info in afterwards! It’s not a high-risk vulnerability, but if you’re concerned about your privacy whilst browsing and in general, do what I do and don’t set your real card as your personal card in Address Book: use an empty one instead. You can do this by creating a new card (enter some dummy info if you want), selecting it, and then choosing “Make this my card” from the Card menu.
Apple’s been notified of the issue, however as this is a ‘feature’ and not a bug, it’ll be interesting to see whether they’ll actually choose to do anything about it.