Can you hack your own server?

Can you hack your own server?

Posted by Brad Wood
Sep 11, 2008 22:41:00 UTC
I am not just a programmer, but to some extent a sys admin. Because of that responsibility (and the fact I have had servers compromised before) I am always interested in security. I think to stop crackers; you've got to think like them. When was the last time you tried to hack into your own server? If you don't know what your vulnerabilities are, how can you close them?I can't say enough about strong passwords. My Linux VPS logs hundreds of brute force attempts every day, and there is really no way around that. (Running services on a non-standard port can mitigate it though) I was recently creating some rainbow tables to learn more about how they work. A rainbow table is a table that lists every single possible combination of characters for a password, and a hash value for it. Upper and lower case letters, and numbers give you 62 possible characters for each position. Watch how the possible number of password combinations sky rockets the longer you make them. 1 character = 62^1 = 62
2 characters = 62^2 = 3844
3 characters = 62^3 = 238,328
4 characters = 62^4 = 14,776,336
5 characters = 62^5 = 916,132,832
6 characters = 62^6 = 56,800,235,584
7 characters = 62^7 = 3,521,614,606,208
8 characters = 62^8 = 218,340,105,584,896
9 characters = 62^9 = 13,537,086,546,263,552
10 characters = 62^10 = 839,299,365,868,340,224
MS SQL on my box can generate 900 million passwords and SHA-1 hashes in only 7 hours. I hope your passwords are longer than 5 characters! Did you know you can actually purchase pre-made rainbow tables online? One user's login with a weak password can compromise the whole box. In fact, root isn't even allowed to SSH to my box. Do you know where to find the logs for authentication failures on your server? How many public-facing logins exist on your server and do you enforce a password policy? Can you tell me what ports on your server are currently accepting connections? How many of them should be open? Do you know how to find the ports being listened on? Do you know how to scan your entire subnet for servers with port 22 open? Does your SQL Server allow for remote connections? Are your guest accounts disabled? Do you have RDS enabled on your production server? Is your ColdFusion administrator accessible to the public? Do you know how to use a network sniffer? If you sniffed me logging into ColdFusion administrator could you get the password? Do you know where the CF Admin password is stored and how to disallow the password requirement all together? What about your datasources? Do you know where their passwords are stored? Did you know those passwords can be easily decrypted if someone gets their hands on the correct XML file? This is all pretty much server level stuff. Application security is another topic all together. For instance, do your Ajax web services require you to be logged in to call them? To sum up all these rhetorical questions-- I didn't post them to try and scare people-- just to raise awareness. Please don't answer any of the questions. I didn't answer most of them on purpose. I don't want to just be another source of information on how to hack ColdFusion. I do encourage you to think like a hacker for a day. If you were to try to get into your server how would you do it?

Ciqala Burt

I must be a great hacker, every single time I try to hack my own boxes I can guess the password on the first try and i get straight in!

just kidding :)

nice post. anything that gets people thinking more about security is a good thing.

David Sparkman

This is a great post. You might consider extending it to be a series to help other cf admins combat these issues.