Uberleet

Linux Systems Articles for better insights

Audit, track and block FreeIPA attackers


Sometimes you work at places with some pretty dirty networks, and migrating everything from a public VLAN to private NATed networks is always a challenge of security skills. During the process I find many hosts which have been exploited and turned against my own network. This becomes apparent quickly once you stand up LDAP authentication and find a flood of anonymous bind searches, or notice your 'admin' principal keeps getting locked out.

How to identify FreeIPA attacks

Directory Server (LDAP)

Take a look at the Directory Server access log, /var/log/dirsrv/slapd-<INSTANCE>/access, where <INSTANCE> is your Kerberos realm with the dots replaced by dashes (slapd-EXAMPLE-COM for the realm EXAMPLE.COM).

If you see entries like these, you have evidence of an account scan against your directory. The connection comes from a public address (97.79.239.127), the search is under cn=accounts for a single username (uid=mailnull, a stock system account name), and the RESULT reports nentries=0: the name did not exist, so the client moves on to the next one. Walking a wordlist this way, one search per name, is username enumeration, and it usually means a host inside your LAN was compromised from the public network (or that the LDAP port itself is reachable from outside). FreeIPA's directory accepts anonymous binds by default, so no credentials are needed to run these searches; besides blocking the source, you can restrict anonymous access to the root DSE (nsslapd-allow-anonymous-access: rootdse on cn=config) and then confirm that your enrolled clients still authenticate.

[24/Jan/2018:09:21:07.949521223 -0600] conn=26365 fd=144 slot=144 connection from 97.79.239.127 to 71.40.108.241
[24/Jan/2018:09:22:52.867453580 -0600] conn=26365 op=8 SRCH base="cn=accounts,dc=gvoperations,dc=com" scope=2 filter="(&(uid=mailnull)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType usercertificate;binary mail"
[24/Jan/2018:09:21:08.127554292 -0600] conn=26365 op=7 RESULT err=0 tag=101 nentries=0 etime=1 notes=P pr_idx=0 pr_cookie=-1
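The check above can be scripted. The following is an added example (not from the original article): it reads 389-ds access-log lines, ties each conn= number back to its source address, notes whether the bind was anonymous, and reports every untrusted connection that probed cn=accounts, with the usernames it tried and which of them existed. The sample log is constructed from the excerpt above plus made-up BIND, SRCH/RESULT and internal-client lines, and the TRUSTED networks are placeholders to replace with your own.

```python
"""Flag account-enumeration searches in a 389-ds (FreeIPA) access log."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the log excerpt above. The BIND lines, the
# extra SRCH/RESULT pairs and the second (internal) connection are made up to
# show an anonymous bind, a username scan and a benign authenticated lookup.
SAMPLE_LOG = """\
[24/Jan/2018:09:21:07.949521223 -0600] conn=26365 fd=144 slot=144 connection from 97.79.239.127 to 71.40.108.241
[24/Jan/2018:09:21:07.950000000 -0600] conn=26365 op=0 BIND dn="" method=128 version=3
[24/Jan/2018:09:21:07.950100000 -0600] conn=26365 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[24/Jan/2018:09:21:08.000000000 -0600] conn=26365 op=7 SRCH base="cn=accounts,dc=gvoperations,dc=com" scope=2 filter="(&(uid=adm)(objectClass=posixAccount))" attrs="uid"
[24/Jan/2018:09:21:08.127554292 -0600] conn=26365 op=7 RESULT err=0 tag=101 nentries=0 etime=1 notes=P pr_idx=0 pr_cookie=-1
[24/Jan/2018:09:22:52.867453580 -0600] conn=26365 op=8 SRCH base="cn=accounts,dc=gvoperations,dc=com" scope=2 filter="(&(uid=mailnull)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid"
[24/Jan/2018:09:22:52.900000000 -0600] conn=26365 op=8 RESULT err=0 tag=101 nentries=0 etime=0
[24/Jan/2018:09:22:53.000000000 -0600] conn=26365 op=9 SRCH base="cn=accounts,dc=gvoperations,dc=com" scope=2 filter="(&(uid=admin)(objectClass=posixAccount))" attrs="uid"
[24/Jan/2018:09:22:53.100000000 -0600] conn=26365 op=9 RESULT err=0 tag=101 nentries=1 etime=0
[24/Jan/2018:09:30:00.000000000 -0600] conn=26370 fd=150 slot=150 connection from 10.0.5.21 to 10.0.5.1
[24/Jan/2018:09:30:00.100000000 -0600] conn=26370 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[24/Jan/2018:09:30:00.200000000 -0600] conn=26370 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=web1.gvoperations.com,cn=computers,cn=accounts,dc=gvoperations,dc=com"
[24/Jan/2018:09:30:00.300000000 -0600] conn=26370 op=1 SRCH base="cn=accounts,dc=gvoperations,dc=com" scope=2 filter="(&(uid=jdoe)(objectClass=posixAccount))" attrs="uid"
[24/Jan/2018:09:30:00.400000000 -0600] conn=26370 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

CONNECT_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<src>\S+) to \S+")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=\d+ filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=\d+ tag=\d+ nentries=(?P<n>\d+)")
UID_RE = re.compile(r"\(uid=([^)*]+)\)")  # literal uid=value, not uid=* wildcards

# Assumed internal ranges (placeholders): replace with your own networks.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]


def is_trusted(ip, trusted=TRUSTED):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def analyse(log_text, trusted=TRUSTED):
    """One finding per connection from an untrusted address that searched
    cn=accounts: bind type, number of searches, usernames probed, hit/miss."""
    conns = defaultdict(lambda: {"src": None, "anonymous": False, "searches": 0, "probed": {}})
    pending = {}  # (conn, op) -> uid in the filter, until its RESULT line arrives
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            conns[m["conn"]]["src"] = m["src"]
        elif m := BIND_RE.search(line):
            # A simple bind (method=128) with an empty DN is anonymous. SASL
            # binds (GSSAPI) also log dn="" on the BIND line but are authenticated.
            if m["dn"] == "" and m["method"] == "128":
                conns[m["conn"]]["anonymous"] = True
        elif m := SRCH_RE.search(line):
            if m["base"].lower().startswith("cn=accounts,"):
                conns[m["conn"]]["searches"] += 1
                if uid := UID_RE.search(m["filter"]):
                    pending[(m["conn"], m["op"])] = uid.group(1)
        elif m := RESULT_RE.search(line):
            uid = pending.pop((m["conn"], m["op"]), None)
            if uid is not None:
                conns[m["conn"]]["probed"][uid] = int(m["n"])
    findings = []
    for conn, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        # Connections whose "connection from" line was rotated away have no src
        # and are skipped; so are trusted sources and connections without searches.
        if c["src"] is None or is_trusted(c["src"], trusted) or not c["searches"]:
            continue
        findings.append({
            "conn": conn, "src": c["src"], "anonymous": c["anonymous"],
            "searches": c["searches"], "probed": c["probed"],
            "misses": sorted(u for u, n in c["probed"].items() if n == 0),
            "hits": sorted(u for u, n in c["probed"].items() if n > 0),
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"conn={f['conn']} from {f['src']} anonymous={f['anonymous']} "
              f"searches={f['searches']} hits={f['hits']} misses={f['misses']}")
```

Run it against the real access log instead of SAMPLE_LOG; a connection with many misses and a few hits is a wordlist scan, and the hits tell you which of your account names the attacker now knows.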

DNS Server

As set up by ipa-server-install (at least on the releases this was written against), the BIND instance answers recursive queries from any client on every interface, i.e. it is an open resolver; newer releases may ship a tighter default, so check the allow-recursion setting in your /etc/named.conf rather than assuming. An open resolver reachable from the Internet gets used as a reflector in DNS amplification attacks and spends your bandwidth and CPU answering other people's queries.

You can get a view of who is using your DNS server and for what with tcpdump (-nn stops tcpdump resolving addresses and ports, which would otherwise add its own DNS traffic to the capture):

tcpdump -nn -i eth0 port 53

DNS Server: Disable recursive DNS

For whatever reason FreeIPA's default named.conf allows recursion from any client, which should never be the case on public-facing infrastructure. Re-configure named to answer recursive queries only for a 'trustednetwork' ACL, keeping recursion itself enabled so your own clients can still resolve external names.

acl "trustednetwork" {
    // Placeholder networks: list the network address with its prefix length.
    // A host address such as 1.2.3.4/24 makes named warn about an
    // address/prefix length mismatch.
    1.2.3.0/24;
    5.6.7.0/24;
    9.10.11.0/24;
    localhost;
    localnets;
};

options {
        recursion yes;
        // Only trustednetwork may recurse through us; everyone else gets REFUSED.
        allow-recursion { "trustednetwork"; };
        // No zone transfers: FreeIPA replicas read zone data from LDAP, so only
        // a non-IPA secondary fed by AXFR would need an exception here.
        allow-transfer { "none"; };
        version "[Ancient_Chinese_Secret]";
        // Response rate limiting caps how much an attacker can reflect off us.
        rate-limit {
            responses-per-second 15;
        };
};

Be sure to merge the items above into the options {} section that already exists in your FreeIPA named.conf rather than adding a second one: with two options {} statements, named will fail to start. Run named-checkconf before restarting the service FreeIPA uses (named-pkcs11 on older releases, named on newer ones). Then verify from a host outside trustednetwork: dig @your-server for some external name should now come back with status: REFUSED, while queries for your own zones are still answered. FreeIPA writes named.conf at install time, so re-check the ACL after upgrades.

DNS Server: Logging everything

Sometimes you need logging to get an idea of a current or past DNS problem, and to see exactly which clients are hitting the server. These logging directives break the log into one file per category. A few things to check first: /var/log/named must exist and be writable by the named user (with SELinux it needs the named_log_t context, which restorecon applies after you create it); the logging {} statement may appear only once in named.conf, so merge into an existing one just as with options {}; and defining a channel for the queries category turns on query logging for every request, which on a busy or abused resolver is a lot of I/O, so drop that channel, or raise its size, once you have what you need.

logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};
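Once queries.log is being written, it answers the same question as the tcpdump command earlier (who is using the resolver, and for what) with less noise. The following is an added example, not from the original article: it parses BIND query-log lines in the format the queries category writes with print-time yes, summarises each source, lists the untrusted clients that ask for recursion (exactly the ones the allow-recursion ACL will start refusing), and flags the reflector signature of an amplification attack: an untrusted source requesting recursion with large-answer types, or hammering one name. The log lines, networks and thresholds are constructed placeholders.

```python
"""Summarise who is using the resolver and for what, from a BIND query log."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: one external source hammering ANY for a single name
# (the reflection/amplification pattern), one external host doing a couple of
# ordinary recursive lookups, an internal client, and an external host asking
# a non-recursive question about our own zone. Newer BIND releases insert a
# "@0x..." client pointer after "client"; the regex tolerates it.
SAMPLE_LOG = "\n".join(
    [f"24-Jan-2018 09:21:{i:02d}.000 client 97.79.239.127#{40000 + i} (amp.example.net): "
     f"query: amp.example.net IN ANY +E (71.40.108.241)" for i in range(20)]
    + [
        "24-Jan-2018 09:22:00.000 client 198.51.100.7#5353 (www.example.org): query: www.example.org IN A + (71.40.108.241)",
        "24-Jan-2018 09:22:01.000 client 198.51.100.7#5354 (mail.example.org): query: mail.example.org IN MX + (71.40.108.241)",
        "24-Jan-2018 09:22:02.000 client @0x7f3c2c0a1b20 10.0.5.21#41234 (ipa.gvoperations.com): query: ipa.gvoperations.com IN A +E (10.0.5.1)",
        "24-Jan-2018 09:22:03.000 client 203.0.113.9#33000 (gvoperations.com): query: gvoperations.com IN A -E (71.40.108.241)",
    ]
)

# client [@0xptr] SRC#PORT [(qname)]: query: NAME IN TYPE FLAGS (server)
# FLAGS starts with '+' when the client asked for recursion (RD), '-' otherwise.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<src>[^#\s]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>[+-]\S*)"
)
# Assumed internal ranges (placeholders): replace with your trustednetwork.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]
# Record types whose answers are large enough to be worth reflecting.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def is_trusted(ip, trusted=TRUSTED):
    try:
        return any(ipaddress.ip_address(ip) in net for net in trusted)
    except ValueError:
        return False


def summarise(log_text):
    """Per source address: total queries, how many requested recursion, how
    many used large-answer types, and a Counter of the names asked for."""
    per_src = defaultdict(lambda: {"queries": 0, "recursive": 0, "big": 0, "names": Counter()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        s = per_src[m["src"]]
        s["queries"] += 1
        s["recursive"] += int(m["flags"].startswith("+"))
        s["big"] += int(m["type"].upper() in AMPLIFYING_TYPES)
        s["names"][m["name"].lower().rstrip(".")] += 1
    return per_src


def external_recursive(log_text, trusted=TRUSTED):
    """Untrusted sources that asked for recursion: the clients an
    allow-recursion ACL will refuse, so review this list before cutting over."""
    return sorted(src for src, s in summarise(log_text).items()
                  if s["recursive"] and not is_trusted(src, trusted))


def suspects(log_text, trusted=TRUSTED, min_repeats=10):
    """Untrusted recursive sources that use large-answer types or repeat one
    name at least min_repeats times: the reflector/amplifier signature."""
    out = []
    for src, s in summarise(log_text).items():
        if is_trusted(src, trusted) or not s["recursive"]:
            continue
        name, repeats = s["names"].most_common(1)[0]
        if s["big"] or repeats >= min_repeats:
            out.append({"src": src, "queries": s["queries"], "big": s["big"],
                        "top_name": name, "repeats": repeats})
    return sorted(out, key=lambda f: -f["queries"])


if __name__ == "__main__":
    print("untrusted clients asking for recursion:", external_recursive(SAMPLE_LOG))
    for f in suspects(SAMPLE_LOG):
        print(f"{f['src']}: {f['queries']} queries, {f['big']} large-answer types, "
              f"{f['top_name']} asked {f['repeats']} times")
```

Note that the source addresses in an amplification attack are spoofed (they belong to the victim), so blocking them at your firewall punishes the victim twice; the allow-recursion ACL and rate-limit are the right fix, and this output is for confirming you are being used and for sizing the problem.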