On 07/26/2016 06:25 PM, Franz wrote:
On Tue, Jul 26, 2016 at 11:38 AM, Steve Coleman
<[email protected] <mailto:[email protected]>> wrote:
Another hack to avoid having to manually type in the addresses is
done with the attached script. Its like Mareks solution, but does
the parsing on the dom0 side
I understand this means this script should be executed directly in dom0,
but isn't this a security problem?
Yes, there is one risk I know. If the VM that had been firewalled off
from the Internet has already been 0wned, then the hacker could replace
the tcpdump utility with something that passes a ";" back withing the ip
address field and has a shell command after that. DNS could be hacked,
or a man in the middle could do it too. Then that ";" in the field might
then get parsed by the python script and passed to the command line
where the qvm-firewall command is invoked with the bogus IP/hostname,
thus executing something nefarious in the dom0 shell. All that would be
needed to correct this flaw is a little sanitation of the IP/host
parameter, proper detection of that hack-attack, and that problem is
solved, except that your VM was rooted.
That being said the script is only a work in progress shared for input,
and if your VM is already 0wned then you already do have a real problem.
Firewalling the VM off obviously is too little too late. Detection then
becomes key to resiliency and recovery. The one problem I have with this
architecture in general is that detection of an attack is not an
inherent feature of the overall design. Ideally I would want something
like an selinux targeted policy in each VM, generating avc messages,
that would then be forwarded by the kernel in realtime and then somehow
feeding a central intrusion monitor which could then notify the owner
when important system resources are being tampered with. Before that
tampering leads to a full scale system circumvention. Perhaps just
monitoring a checksum on the copy-on-write system image? or just detect
a page write back to the cow? Whatever it is it needs to be realtime and
not easily interceptable by the adversary considering they already have
root in at least one VM.
As in the above example, if you knew that your tcpdump executable had
just been replaced, before you locked down your firewall on that VM,
then you would have a much better chance at getting your system back
under your own control before they can start attacking the hypervisor.
Without knowing if your system is hacked or not can you really feel
safe? I don't feel unsafe, but I do feel blind. Don't get me wrong,
qubes is a *beautiful* design, I love it and use it daily and tell
*everyone* about it, its just that prevention of a hack only takes you
so far. Application level protocol attacks that bypass network
restrictions are way too easy, and too numerous, so system level
detection can be equally important. This is because there are people out
there that do this for a living. You really don't want to be their
target, but if for some reason you are, you _really_ need to detect that
they have arrived. Its nice when you can tell if someone is jiggling
your doorknob or not. Detection doesn't always work, but neither does
system software. It absolutely needs to be a multilayered solution to be
resilient.
best regards.
and the syntax is a little easier. It does the remote tcpdump
command in the vm and the results are returned through the pass-io
mechanism. With the -A option the script then generates the
qvm-firewall add commands to its stdout.
Then, if you want to add that address to the firewall you simply
copy and paste the lines you want from that dom0 command terminal
window into another dom0 command window, and the address is added to
the firewall without any manual typing. If you want, you can add a
netmask (e.g. address/24) to an IP in the target window before
pressing enter.
[user@dom0 ~]$ qvm-fwdenied -A <MyVmName>
qvm-firewall <MyVmName> -add
ec2-54-200-125-198.us-west-2.compute.amazonaws.com
<http://ec2-54-200-125-198.us-west-2.compute.amazonaws.com> any
qvm-firewall <MyVmName> -add 104.244.43.140 any
qvm-firewall <MyVmName> -add 104.244.43.44 any
qvm-firewall <MyVmName> -add
ec2-54-148-80-75.us-west-2.compute.amazonaws.com
<http://ec2-54-148-80-75.us-west-2.compute.amazonaws.com> any
qvm-firewall <MyVmName> -add
ec2-52-88-118-150.us-west-2.compute.amazonaws.com
<http://ec2-52-88-118-150.us-west-2.compute.amazonaws.com> any
qvm-firewall <MyVmName> -add
ec2-52-25-189-162.us-west-2.compute.amazonaws.com
<http://ec2-52-25-189-162.us-west-2.compute.amazonaws.com> any
...
Note that these appear in batches on the console because tcpdump is
in a mode where it exits after some number of captured packets have
been filtered, with the default set to 200 packets. By default it
will repeatedly restart tcpdump for another batch. The -C ### option
allows that default number of packets to be changed.
It would be far better if the script was made to be multi-threaded
so the output of tcpdump could be read while another thread outputs
the commands and asks the user if each entry should be added or not.
I just have not had time to look into that yet. its obviously a work
in progress.
Also it logs everything to /var/tmp/qvm-fwdenied.log if you need to
look at what happened in your last session.
On 07/25/2016 02:14 PM, Franz wrote:
On Mon, Jul 25, 2016 at 2:51 PM, Marek Marczykowski-Górecki
<[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, Jul 25, 2016 at 02:46:55PM -0300, Franz wrote:
> On Mon, Jul 25, 2016 at 1:24 PM, Marek Marczykowski-Górecki <
> [email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>> wrote:
> > On Mon, Jul 25, 2016 at 12:06:54PM -0300, Franz wrote:
> > > On Mon, Jul 25, 2016 at 11:11 AM, Marek
Marczykowski-Górecki <
> > > [email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>> wrote:
> > > > On Mon, Jul 25, 2016 at 09:37:10AM -0400, Steve
Coleman wrote:
> > > Anyway regarding Marek script I tried it in a dispVM,
it writes:
> > > tcpdump: listening on eth0, link-type EN10MB
(Ethernet), capture size
> > > 262144 bytes
> > >
> > > but then if on the same dispVM I use firefox to go to
a gmail account or
> > > another account, nothing appears on the terminal.
> > >
> > > I even looked if anything changed on dispVM firewall
rules, but found
> > > nothing different.
> > >
> > > So how is this script working?
> >
> > I've just tried and it is still working. It should
output list of
> > blocked destinations in format of qvm-firewall commands
ready to load
> > into Qubes firewall.
> >
> ,
> "blocked destinations"? This makes me think that I should
block
> destinations somehow before running the script. Is that so?
Yes, change VM firewall to deny by default.
ok now it works, it outputted a list of addresses. But I have to
paste
this list on firewall rules of that VM and this is on Qubes
Manager that
is on Dom0, so normal copy paste between VMs does not work.
I can only imagine of writing the addresses on a text file, then
copying
the file to Dom0, using
|qvm-run --pass-io <src-vm> 'cat /path/to/file_in_src_domain' >
/path/to/file_name_in_dom0|
opening the file in Dom0 (which seems half prohibited) and finally
copying the adresses to Qubes Manager.
Otherwise I'll have to digit manually the addresses to Qubes
Manager.
Which is the suggested way to do that?
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally
read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXllGTAAoJENuP0xzK19cswBgH/A0OxAIaR7hzEfET8uAcNeiC
IjTNevVwL/z1ymB4HLwdQmOi3AQ5q8db/AoMd37AC06yzxEJkEQzt5HsMbnEK4UI
SFlKbKr5t7/eyK9R7B6dQH2dBL69ODZf8wQWl5T3oEJj3cZOCLOkAQZcjNHgPefU
AX2cKoi3q7TLxy810f08o+KicA2VclBA5Q66tf6GSoFG44VWfBtxZgkHTZ/s9aWW
cUvNfHIZtSZNiIOEJKLHP3y7tLAFZXOvdtIqIo2/jxWIJSc+47ypPxpOSiAdiA79
erUry7spy9ta5GNlblBf5fSGaQaYRBeEGl91+b++pX/zTg1/sMbv3hoCFpVHYnI=
=XmDi
-----END PGP SIGNATURE-----
--
You received this message because you are subscribed to the Google
Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected]
<mailto:qubes-users%[email protected]>.
To post to this group, send email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/d154763d-ce5f-e02c-dee6-481ec0d4b02c%40jhuapl.edu.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google
Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To post to this group, send email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/CAPzH-qAOek%2BGoWcy%3DtrgDTM9kiu10iUDg1%3D0r6c4xJ1iu%3DFFAg%40mail.gmail.com
<https://groups.google.com/d/msgid/qubes-users/CAPzH-qAOek%2BGoWcy%3DtrgDTM9kiu10iUDg1%3D0r6c4xJ1iu%3DFFAg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/db98a901-36cf-6fce-fc30-74b8afa95dce%40jhuapl.edu.
For more options, visit https://groups.google.com/d/optout.