Friday, 25 July 2008
HughesJR.com
Attacks on Package Managers - ummm...
Written by Johnny Hughes
Saturday, 12 July 2008

In a recent article entitled Attacks on Package Managers, a group of Computer Science students (and perhaps some instructors) at the University of Arizona discuss a number of issues.  While I cannot address how Debian protects its APT repositories or how Fedora (or anyone else) protects its YUM repositories, I can discuss how CentOS protects the update system that it uses by default to deliver updates to users.

CentOS Mirrors

First, let me explain the CentOS mirror system.  CentOS directly controls about 30 mirror servers from which we serve updates via yum and rsync, both to other public mirrors and to users directly.  These mirrors are members of the CentOS.org domain and are totally controlled by the CentOS project.  They can be fully trusted because only CentOS Project personnel have login or update access to these machines.

A second set of mirrors are called the CentOS "Public Mirrors".  These mirrors are monitored by a system called mirmon, and its results are published on the CentOS site; the same public mirrors are also listed there in another format for ease of finding a close mirror.  The first major fault in the study linked above is that these mirmon-monitored mirrors are only the first step in being assigned to provide updates directly to CentOS users.  Just being listed as a mirror DOES NOT MEAN that yum (as configured by CentOS by default) is going to use that mirror.  Please see the Mirrorlists section below for that selection process.

Mirmon uses a couple of files within the mirror to verify that a mirror is doing updates.  It is a "coarse" test that we use to decide which mirrors will be subjected to the mirrorlist tests below.  If you are rsyncing a local mirror of your own from one of the public mirrors, I recommend that you use more than one, so you can be sure that no single person is modifying anything.

Mirrorlists

The aspect of CentOS security which this study totally ignores is called the CentOS mirrorlists.  This system is the one actually used (in a default setup as published by CentOS) to deliver updates to users.  CentOS uses a script to download a file called repomd.xml from every repo on every server listed as active in the CentOS Public Mirrors.  Once we have that file, we check it against the same file from the master CentOS server.  If the file from the public mirror differs from the file on our CentOS master mirror, then that server is not published on our mirrorlists.

The mirrorlist generation process runs non-stop in a loop testing each and every CentOS "Public Mirror" on every run.  With the current number of public mirrors it takes a maximum of 2-3 hours for a mirror that does not have the same repomd.xml file in a repo to be removed from the mirrorlist.

CentOS does not just check one repo on a given public mirror, we check each and every repomd.xml file from each and every published repository on each and every public mirror.

The CentOS mirrorlist is only 10 servers long, even though we have about 200 mirrors listed in our list.  There is a different list for each country; the 10 listed servers are picked geographically, and if 10 public servers are not found, CentOS.org mirrors back-fill the list to 10 servers.  This means that NOT every mirror in the public list is even used in our mirrorlists.

If you are using the default CentOS update method, you can rest assured that you are being provided a geographically accurate (by country) and updated (tested and regenerated every 2-3 hours) mirrorlist.
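As an added illustration of the mirrorlist process described in this section (example code written for this page, not the CentOS project's own script), the Python below simulates one run of the loop: the per-repo repomd.xml comparison against the master copy, the per-country selection of 10 servers, and the back-fill from CentOS.org mirrors when fewer than 10 public mirrors pass. The mirror host names, countries, repo names and repomd.xml contents are constructed sample data; the real script fetches each repomd.xml over HTTP.

```python
"""Simulation of the CentOS mirrorlist build: added example, not the
project's own script.  All mirrors, countries and repomd.xml contents
below are constructed sample data."""
import hashlib

MIRRORLIST_SIZE = 10  # each per-country list is exactly 10 servers long

# Constructed master copies of repomd.xml, one per published repository.
MASTER_REPOMD = {
    "os":      "<repomd><data type='primary'><timestamp>1215000000</timestamp></data></repomd>",
    "updates": "<repomd><data type='primary'><timestamp>1215800000</timestamp></data></repomd>",
}

# Constructed public mirrors: host -> (country, {repo: repomd.xml it currently serves}).
PUBLIC_MIRRORS = {
    "mirror-a.example.net": ("US", dict(MASTER_REPOMD)),          # fully in sync
    "mirror-b.example.net": ("US", {**MASTER_REPOMD, "updates":    # stale 'updates' repo
        "<repomd><data type='primary'><timestamp>1210000000</timestamp></data></repomd>"}),
    "mirror-c.example.net": ("US", {"os": MASTER_REPOMD["os"]}),  # never synced 'updates'
    "mirror-d.example.org": ("DE", dict(MASTER_REPOMD)),          # fully in sync
}

# Constructed stand-ins for the CentOS.org controlled mirrors used for back-fill.
CENTOS_ORG_MIRRORS = [f"mirror{n}.centos.org" for n in range(1, 13)]


def digest(text: str) -> str:
    """Hash a repomd.xml so mirrors can be compared without keeping the whole file."""
    return hashlib.sha256(text.encode()).hexdigest()


def mirror_is_current(served: dict, master: dict) -> bool:
    """A mirror passes only if EVERY published repo's repomd.xml matches the master copy."""
    return all(repo in served and digest(served[repo]) == digest(master[repo])
               for repo in master)


def build_mirrorlists(public=PUBLIC_MIRRORS, centos_org=CENTOS_ORG_MIRRORS,
                      master=MASTER_REPOMD, size=MIRRORLIST_SIZE):
    """One run of the loop: test every public mirror, then emit a per-country list."""
    passing = {}
    for host, (country, served) in public.items():
        passing.setdefault(country, [])
        if mirror_is_current(served, master):
            passing[country].append(host)
    lists = {}
    for country, hosts in passing.items():
        chosen = hosts[:size]
        # Fewer than `size` good public mirrors in this country: back-fill with CentOS.org.
        chosen += centos_org[:size - len(chosen)]
        lists[country] = chosen
    return lists


if __name__ == "__main__":
    for country, hosts in build_mirrorlists().items():
        print(country, hosts)
```

In the sample, only one of the three US mirrors is in sync: one serves an older `updates` repomd.xml and one never synced that repo at all, and both drop out of the list, which is the point of checking every repo rather than just one.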

The Study

Now I will discuss the issues brought up by the above article and discuss if these issues apply to CentOS.

First, let's discuss the Metadata Replay attack that they list.  This attack is not at all a concern with CentOS if the default method (the CentOS mirrorlists) is used to do updates, because every 2-3 hours, if an individual repository on a mirror is not updated, it is dropped from the mirrorlist.  If you are running your own mirror that you update from a public mirror, you can write your own script to download the repomd.xml file from the proper place at http://mirror.centos.org/ and check your file against it.  If they are the same, then you have a good set of metadata, and with that you will get the correct updates.
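The "write your own script" advice above (repeated in The Bottom Line) amounts to comparing your mirror's repomd.xml with the master copy. As an added example that is not a CentOS project script, the Python below parses both files the way createrepo lays them out and, beyond a plain equality test, tells a mirror that has simply fallen behind (every entry older than the master: the replay case) apart from one whose metadata differs in some other way. The two repomd.xml documents are constructed samples; in real use the master copy would be fetched from http://mirror.centos.org/.

```python
"""Checking a local mirror's repomd.xml against the master copy: added
example, not a CentOS project script.  The repomd.xml documents below are
constructed samples laid out like createrepo output."""
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}  # namespace used by createrepo


def repomd_sample(primary_sum: str, ts: int) -> str:
    """Build a constructed repomd.xml with one 'primary' metadata entry."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <location href="repodata/primary.xml.gz"/>
    <checksum type="sha">{primary_sum}</checksum>
    <timestamp>{ts}</timestamp>
  </data>
</repomd>
"""

MASTER   = repomd_sample("4f1c" * 10, 1215800000)  # what the master serves (constructed)
STALE    = repomd_sample("9a0d" * 10, 1210000000)  # older metadata: mirror stopped syncing
TAMPERED = repomd_sample("ffff" * 10, 1215800000)  # same timestamp, different checksum


def parse_repomd(text: str) -> dict:
    """Map each metadata type (primary, filelists, ...) to its (checksum, timestamp)."""
    root = ET.fromstring(text)
    entries = {}
    for data in root.findall("repo:data", NS):
        entries[data.get("type")] = (
            data.findtext("repo:checksum", namespaces=NS),
            int(data.findtext("repo:timestamp", namespaces=NS)),
        )
    return entries


def compare_repomd(local_text: str, master_text: str) -> str:
    """'match'    = byte-identical to the master copy, safe to use;
       'stale'    = same entries but every one older than master (replayed or
                    not yet synced): do not serve it, resync instead;
       'mismatch' = anything else, which should never be served."""
    if local_text == master_text:
        return "match"
    local, master = parse_repomd(local_text), parse_repomd(master_text)
    if set(local) == set(master) and all(local[t][1] < master[t][1] for t in master):
        return "stale"
    return "mismatch"


if __name__ == "__main__":
    for label, doc in (("master", MASTER), ("stale", STALE), ("tampered", TAMPERED)):
        print(label, "->", compare_repomd(doc, MASTER))
```

Only "match" should let a local mirror go live; the other two results both mean the yum metadata you would hand out is not what CentOS published, and the stale/mismatch distinction is there to tell a sync problem from something worth investigating.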

The next attack they discuss is the Mirror Control attack.  This one is also NOT a problem for people using the default CentOS update system, since each and every repomd.xml file (the same one you get if you use yum and the default mirrorlist) is verified on every mirror every 2-3 hours.  Is it possible for someone to provide a fake file to the CentOS testing machine and a different one to other people?  Yes: if they know the IP address of each and every machine we might possibly use to test the mirror, then they might be able to give us a redirected file and give everyone else a different metadata file.  Even IF they did that, they do not have packages signed by a centos.org key.  Because of our repomd.xml file checking, the likelihood of this attack (as with the first one) is almost 0.

The other major problem that they discuss is a man-in-the-middle attack.  Without using HTTPS, a person MIGHT be able to perform a man-in-the-middle attack.  It is not a simple thing to do, and it does not get any "malicious" software installed (since CentOS requires signed packages), though it might be possible to list old files so that updates are not done.  This would be a very hard thing to undertake just to prevent an update, though possible in theory.

The Bottom Line

Being listed as a "Public Mirror" DOES NOT MEAN that a system is being listed in the CentOS yum mirrorlist.  CentOS does other checks, and our mirrorlists are safe.  You can easily make sure that your system is updated by running yum at consistent intervals and requiring that all packages be signed.
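"Requiring that all packages be signed" is a per-repository setting in yum, so it is worth checking every repo definition, not just the CentOS ones. As an added example that is not part of the original article, the Python below reads repo definitions in the `.repo` file format and flags enabled repositories that either have `gpgcheck` off or have no `gpgkey` to import the signing key from. The repo file text is a constructed sample (the `mirrorlist` URL is the CentOS one; the other repos are placeholders); on a real system you would read /etc/yum.conf and /etc/yum.repos.d/*.repo.

```python
"""Audit yum repo definitions for repos that do not require signed packages:
added example, not part of the original article.  The .repo text below is
a constructed sample."""
import configparser

SAMPLE_REPO_FILE = """\
[base]
name=CentOS-5 - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[local-mirror]
name=Our own mirror (constructed placeholder)
baseurl=http://mirror.example.net/centos/$releasever/os/$basearch/
gpgcheck=1

[thirdparty]
name=Some third-party repo (constructed placeholder)
baseurl=http://repo.example.net/el5/$basearch/
enabled=1
gpgcheck=0

[disabled-extras]
name=Not consulted by yum (constructed placeholder)
baseurl=http://repo.example.net/el5-extras/$basearch/
enabled=0
gpgcheck=0
"""


def audit_repo_config(text: str) -> list:
    """Return (section, finding) pairs for every enabled repo that could feed
    unsigned packages to yum: gpgcheck off, or no gpgkey to verify against."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep $releasever/$basearch literal
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if cfg.get(section, "enabled", fallback="1") != "1":
            continue  # disabled repos are never consulted
        # A repo without gpgcheck inherits [main], whose default is 0, so
        # treat a missing value as "off".
        if cfg.get(section, "gpgcheck", fallback="0") != "1":
            findings.append((section, "gpgcheck is not 1: unsigned packages would be installed"))
        elif not cfg.has_option(section, "gpgkey"):
            findings.append((section, "gpgcheck=1 but no gpgkey: the signing key must "
                                      "already be in the RPM database or installs will fail"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_repo_config(SAMPLE_REPO_FILE):
        print(f"{section}: {finding}")
```

In the sample, `base` is clean, `thirdparty` is flagged because it disables signature checking outright, and `local-mirror` is flagged because it checks signatures but names no key; the disabled repo is skipped because yum will not use it.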

If you are creating your own mirror, you can check your repomd.xml file against those at http://mirror.centos.org/.

If you use packages signed by a centos.org key, you can be sure we released it.  If you monitor the CentOS Announce mailing list you can see when Security Patches are released.

Should you be concerned about security updates and install them when they are released ... YES.

Is the sky falling ... NO.

Last Updated ( Saturday, 12 July 2008 )
Using php-suhosin on CentOS-4 or CentOS-5
Written by Johnny Hughes
Saturday, 11 August 2007

php-suhosin is the CentOS RPM name for the Suhosin package, built from the sources provided by the Hardened PHP Project.

Suhosin's creator says: "Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core."

There are two parts to the protection provided by Suhosin.  One is a patch applied to the core PHP source, which means PHP has to be recompiled.  The other is a PHP module that is loaded as an extension by PHP.  Most of the protection provided by Suhosin is via the extension, which does not require new PHP RPMs, and that is all the protection that is provided by the CentOS php-suhosin RPMs.

Prior to starting this guide, you will need a working LAMP server with at least PHP and Apache (called httpd in CentOS); MySQL may or may not be installed.  See the LAMP guide on this site for a basic LAMP server install, if required.

Last Updated ( Saturday, 11 August 2007 )
Using mod_gnutls on CentOS-5
Written by Johnny Hughes
Saturday, 11 August 2007

The Apache web server has name-based virtual host capability, whereby you may host many websites of different names on the same web server using the same IP address.  This works great with HTTP websites; however, when using mod_ssl to do the same for SSL-based (HTTPS) sites there are problems.

Server Name Indication (SNI) is a TLS extension that makes the configuration of HTTPS name-based virtual hosts on Apache possible.  mod_gnutls is an Apache Dynamic Shared Object (DSO) that implements SNI using GnuTLS and can be used in place of mod_ssl on servers where this capability is required.

Note: The mod_gnutls website says this about its current state.

mod_gnutls is a very new module.  If you truly care about making your server secure, do not use this module yet.  With time and love, this module can be a viable alternative to mod_ssl, but it is not ready.
     

So, mod_gnutls can currently be labeled as experimental and is currently not recommended for use on critical live sites.

Last Updated ( Saturday, 11 August 2007 )
Which free Enterprise Linux is best?
Written by Johnny Hughes
Monday, 02 October 2006

I have written several articles in the past concerning Enterprise Linux distributions and how they differ from other Linux distributions. There are two such articles currently linked from HughesJR.com:

Introduction to Enterprise Linux

CentOS Review

This article is going to be a little different. It is going to recommend a free enterprise linux distro, CentOS, as the one you should pick for your Enterprise needs.

Last Updated ( Sunday, 05 August 2007 )
Minimal CentOS, Scientific Linux, or White Box Enterprise Linux (WBEL) install
Written by Johnny Hughes
Sunday, 01 October 2006

In several of the guides on HughesJR.com, the first couple of steps were how to do a minimal install of an Enterprise Linux distro.  We were repeating it enough that I decided to make the minimal install a separate guide.  It will be linked from many of our other guides.

This guide will address how to get the minimum install completed and yum configured for CentOS, Scientific Linux, or White Box Enterprise Linux (WBEL).  From that point on, the rest of the install should be the same in all three Linux versions.

Note:  Tao Linux has retired and become part of CentOS.

 

Last Updated ( Sunday, 05 August 2007 )
Installing a LAMP (Linux Apache Mysql Php) Server on RHEL Clones
Written by Johnny Hughes
Sunday, 01 October 2006
This is a guide to install a LAMP (Linux Apache Mysql Php) Web Server on CentOS. You can also use WBEL, Scientific Linux, or Tao Linux.
Last Updated ( Sunday, 05 August 2007 )
PostFix with DoveCot Install for CentOS-4 (WBEL-4 / TaoLinux-4 / RHEL-4) Part 1
Written by Johnny Hughes
Saturday, 30 September 2006
This is a guide to install a PostFix mailserver (with DoveCot, MailScanner, ClamAV, SquirrelMail, and SpamAssassin) on CentOS-4.X. There are 4 parts; this is part 1. This install procedure also works with White Box Enterprise Linux 4 and TaoLinux-4.

Part 3 | Part 4
Last Updated ( Sunday, 05 August 2007 )
PostFix Install for CentOS-4 (WBEL-4 / TaoLinux-4 / RHEL-4) Part 3
Written by Johnny Hughes
Saturday, 30 September 2006
This is a guide to install a PostFix mailserver (with MailScanner, ClamAV, SquirrelMail, and SpamAssassin) on CentOS-4.X. There are 4 parts; this is part 3. This install procedure also works with White Box Enterprise Linux 4 and TaoLinux-4.

Part 1 | Part 4
Last Updated ( Sunday, 05 August 2007 )
PostFix Install for CentOS-4 (WBEL-4 / TaoLinux-4 / RHEL-4) Part 4
Written by Johnny Hughes
Saturday, 30 September 2006
This is a guide to install a PostFix mailserver (with MailScanner, ClamAV, SquirrelMail, and SpamAssassin) on CentOS-4.X. There are 4 parts; this is part 4. This install procedure also works with White Box Enterprise Linux 4 and TaoLinux-4.

Part 1 | Part 3
Last Updated ( Sunday, 05 August 2007 )
CentOS Review
Written by Johnny Hughes
Saturday, 30 September 2006

The following review of the CentOS operating system was written by Johnny Hughes for Linux-Magazine.com. It details what can be done with CentOS and discusses the differences between enterprise Linux distributions and non-enterprise versions.

Introduction to Enterprise Linux
Written by Johnny Hughes
Saturday, 30 September 2006

This is an article written by Johnny Hughes for OSNews.com called Introduction to Enterprise Linux. It explains the difference between normal Linux distros and Enterprise distros and why you would want one or the other.

© 2008 HughesJR.com
Powered by CentOS