Security Guide


Our Security Guide provides further information on the security incidents reported in our e-mail reports to users, and on how to fix the issues.

The open services can be abused – or have already been actively abused – for DDoS reflection attacks against third parties. Currently, incidents on the following openly accessible services are taken into account:

Table of contents

  1. NTP servers with ‘monlist’ enabled - port 123
  2. DNS Open-resolver - port 53
  3. Openly accessible Multicast DNS (mDNS) services - port 5353
  4. Openly accessible SSDP servers - port 1900
  5. Openly accessible SNMP servers - port 161
  6. Openly accessible Telnet servers - port 23
  7. Openly accessible LDAP servers - port 389
  8. Openly accessible Elasticsearch servers - port 9200
  9. Openly accessible Memcached servers - port 11211
  10. Openly accessible Redis servers - port 6379
  11. Openly accessible MongoDB servers - port 27017
  12. Openly accessible MySQL/MariaDB servers - port 3306
  13. Openly accessible PostgreSQL servers - port 5432
  14. Openly accessible Apache Cassandra NoSQL servers - ports 9042, 9160, 7000, 7001, 7199, 8888, 61620, 61621
  15. Openly accessible Microsoft SQL-Server (MSSQL) browser services - ports 1433, 1434
  16. Openly accessible Portmapper services - port 111
  17. Openly accessible Sphinx servers - ports 9306, 9312
  18. Openly accessible Ubiquiti Device Discovery services - port 10001
  19. Openly accessible NetBIOS name services - ports 135, 137, 138, 139, 445

NTP servers with ‘monlist’ enabled - port 123


Definition:
The Network Time Protocol (NTP) is a networking protocol for clock synchronization between IT systems. NTP supports a monitoring service that allows administrators to query the server for traffic counts of connected clients via the ‘monlist’ command.

Problem:
The NTP ‘monlist’ feature can be abused for DDoS reflection attacks against third parties.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if an NTP server is openly accessible from the Internet and has the ‘monlist’ feature enabled, you can use ‘ntpdc’ like this:

# ntpdc -n -c monlist 000.000.00.00

An NTP server with the ‘monlist’ feature enabled will return a list of clients that recently queried the NTP server:

remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
123.56.67.89             123 000.000.00.00       3559 4 4      0    446     119
34.56.78.90              123 000.000.00.00      16992 4 4      0    137     207
98.76.54.32              123 000.000.00.00      17005 4 4      0    137     232
111.22.33.44           58708 000.000.00.00          3 3 4      0 423826   72192
222.33.44.55           35560 000.000.00.00          8 3 4      0 180029  236607
33.44.55.66            59053 000.000.00.00          1 3 3      0 615565  615565
44.55.66.77            59040 000.000.00.00          2 3 4      0 637297  664374

If the list of clients is currently empty, it will instead return:

***Server reports data not found

If there is no openly accessible NTP server with the ‘monlist’ feature enabled, the request will run into a timeout:

000.000.00.00: timed out, nothing received
***Request timed out
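The three outcomes above are decided by the header of the NTP mode 7 reply packet that ntpdc receives. The following added example (not part of the original guide) decodes that header and maps it to the same three cases; the header layout and the constants follow the reference ntpd source, and make_monlist_reply only builds constructed sample packets for offline testing.

```python
import struct

RESP_BIT = 0x80             # first byte: set in responses
MORE_BIT = 0x40             # first byte: further reply packets follow
MODE_PRIVATE = 7            # NTP "private" mode used by ntpdc
IMPL_XNTPD = 3              # implementation number of the reference ntpd
REQ_MON_GETLIST_1 = 42      # request code behind the 'monlist' command
INFO_ERR_NODATA = 4         # error code ntpdc prints as "data not found"

# rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize
HEADER = struct.Struct("!BBBBHH")


def parse_mode7_response(pkt: bytes) -> dict:
    """Decode the 8-byte mode 7 reply header and return its fields plus the item data."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet too short for a mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = HEADER.unpack_from(pkt)
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        raise ValueError("not an NTP mode 7 packet")
    if not rm_vn_mode & RESP_BIT:
        raise ValueError("mode 7 packet is a request, not a response")
    nitems = err_nitems & 0x0FFF          # low 12 bits: number of items in this packet
    itemsize = mbz_itemsize & 0x0FFF      # low 12 bits: size of one item in bytes
    return {
        "version": (rm_vn_mode >> 3) & 0x07,
        "more": bool(rm_vn_mode & MORE_BIT),
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,        # high 4 bits: error code
        "nitems": nitems,
        "itemsize": itemsize,
        "data": pkt[HEADER.size:HEADER.size + nitems * itemsize],
    }


def classify_monlist_reply(pkt: bytes) -> str:
    """Map one reply packet to the outcomes of the ntpdc check described above."""
    hdr = parse_mode7_response(pkt)
    if hdr["request"] != REQ_MON_GETLIST_1:
        return "not a monlist reply"
    if hdr["error"] == INFO_ERR_NODATA:
        return "monlist enabled, client list empty"
    if hdr["error"] != 0:
        return f"monlist refused (error code {hdr['error']})"
    return f"monlist enabled, {hdr['nitems']} client entries in this packet"


def make_monlist_reply(nitems: int, error: int = 0, itemsize: int = 72,
                       more: bool = False) -> bytes:
    """Constructed sample reply for offline testing; item bodies are zero-filled."""
    first = RESP_BIT | (2 << 3) | MODE_PRIVATE      # response, version 2, mode 7
    if more:
        first |= MORE_BIT
    header = HEADER.pack(first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1,
                         (error << 12) | nitems, itemsize)
    return header + b"\x00" * (nitems * itemsize)
```

The size of a reply (8 + nitems * itemsize bytes, possibly over several packets flagged with the more bit) against the small request is what makes monlist attractive for reflection, and a reply with the more bit set is a strong signal in traffic captures.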

Solution:
Update to ntpd version 4.2.7p26 or later. If an update is not possible, disable status queries in the NTP server’s configuration or restrict access to trusted clients.

Further Information:

DNS Open-resolver - port 53


Definition:
DNS Open-resolvers are DNS servers responding to recursive queries for arbitrary domain names from anywhere on the Internet.

Problem:
DNS Open-resolvers can be abused for DDoS reflection attacks against third parties.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if a DNS server is configured as an open resolver allowing recursive queries, you can use the ‘dig’ tool to send a DNS request for an arbitrary domain name (one the server is not authoritative for) to the IP address of the DNS server in question:

$ dig cert-bund.de @000.000.00.00

An open resolver allowing recursive queries will return a response like this, followed by a set of DNS records:

; <<>> DiG 9.8.1-P1 <<>> cert-bund.de @000.000.00.00
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43941
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

A DNS server not allowing recursive queries will instead respond with an error message like this:

; <<>> DiG 9.8.1-P1 <<>> cert-bund.de @000.000.00.00
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 42022
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
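What dig prints as the ‘flags’ line is the second 16-bit word of the DNS header: the check above comes down to whether the RA (recursion available) bit is set and the status is NOERROR rather than REFUSED. The following added example (not part of the original guide) builds the same query with RD set, reads those header bits from the reply and classifies the server; the sample replies in the test are constructed, not captured.

```python
import os
import socket
import struct
from typing import Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Single-question query with RD set, as dig sends it (qtype 1 = A, class IN)."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    header = HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def classify_response(resp: bytes, expected_txid: int) -> dict:
    """Read the reply header and decide whether the server offered recursion."""
    if len(resp) < HEADER.size:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = HEADER.unpack_from(resp)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch, reply does not belong to our query")
    if not flags & FLAG_QR:
        raise ValueError("QR bit clear, this is a query not a response")
    status = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    ra = bool(flags & FLAG_RA)
    return {
        "status": status,
        "rd": bool(flags & FLAG_RD),
        "ra": ra,
        "answers": an,
        # open resolver: recursion granted and the query for a foreign name succeeded
        "open_resolver": ra and status == "NOERROR",
    }


def probe(host: str, qname: str = "cert-bund.de", timeout: float = 3.0) -> Optional[dict]:
    """Send the query over UDP to port 53 and classify the reply; None means it timed out."""
    txid = int.from_bytes(os.urandom(2), "big")   # random id so stray replies are rejected
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return classify_response(resp, txid)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))   # replace the argument with the IP address of the host to check
```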

Solution:
Disable recursion or limit recursion to trusted clients in the DNS server’s configuration. For instructions on how to disable or limit recursion for your DNS server software, please consult its manual.

Further Information:

Openly accessible Multicast DNS (mDNS) services - port 5353


Definition:
Multicast DNS (mDNS) is used for resolving host names to IP addresses within small networks that do not include a local DNS server. It is implemented e. g. by the Apple ‘Bonjour’ and Linux/BSD ‘Avahi’ (nss-mdns) services. mDNS uses port 5353/udp.

Problem:
Openly accessible mDNS services can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the system or network the service is running on for preparation of further attacks.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if an mDNS service is openly accessible from the Internet, the ‘dig’ tool can be used like this:

$ dig +short -p 5353 -t ptr _services._dns-sd._udp.local @000.000.00.00

An openly accessible mDNS service will return a response like this:

_workstation._tcp.local.
_udisks-ssh._tcp.local.

Otherwise, the request will run into a timeout:

;; connection timed out; no servers could be reached

Solution:
If the mDNS service is not required, disable or uninstall it. Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 5353/udp on the firewall.

On Debian/Ubuntu based Linux systems, the mDNS service can be removed using the following command:

# apt-get remove avahi-daemon

Further Information:

Openly accessible SSDP servers - port 1900


Definition:
The Simple Service Discovery Protocol (SSDP) is a network protocol for advertisement and discovery of network services and presence information. SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP). SSDP uses port 1900/udp.

Problem:
Openly accessible SSDP servers can be abused for DDoS reflection attacks against third parties.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if an SSDP server is openly accessible from the Internet, run ‘tcpdump’ in a first terminal:

# tcpdump -n -A host 000.000.00.00

Then, in a second terminal, use the Bash shell to send an SSDP request:

$ perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/000.000.00.00/1900

If the SSDP server is openly accessible from the Internet, you will see a response like this in the first terminal:

HTTP/1.1 200 OK
Location: http://000.000.00.00:32469/DeviceDescription.xml
Cache-Control: max-age=1800
Server: UPnP/1.0 DLNADOC/1.50 Platinum/1.0.4.11
EXT: 
USN: uuid:abcdb3c3-eada-b308-2e21-6edbab9cf4ed::upnp:rootdevice
ST: upnp:rootdevice
Date: Fri, 01 Apr 2016 11:15:08 GMT

Solution:
If the SSDP server is not required, disable or uninstall it. Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 1900/udp on the firewall.

Further Information:

Openly accessible SNMP servers - port 161


Definition:
The Simple Network Management Protocol (SNMP) is a networking protocol for device management and monitoring.

Problem:
Openly accessible SNMP servers using the default ‘public’ community can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if an SNMP server is openly accessible from the Internet, you can use the ‘snmpget’ tool:

$ snmpget -c public -v 2c 000.000.00.00 1.3.6.1.2.1.1.1.0

An openly accessible SNMP server will return a ‘System Description’ string like this:

iso.3.6.1.2.1.1.1.0 =
STRING: "Linux easy.box 2.6.32.32 #1 Fri Jun 12 11:16:35 CST 2015 mips"

Otherwise, snmpget will run into a timeout:

Timeout: No Response from 000.000.00.00.

Solution:
Configure a ‘private’ community with mandatory authentication instead of using the default ‘public’ community. Restrict access to the SNMP server to trusted clients in the server’s configuration and/or by blocking incoming connections to port 161/udp on the firewall.

Further Information:

Openly accessible Telnet servers - port 23


Definition:
Telnet is an outdated network protocol for text-oriented command-line access to remote hosts.

Problem:
With Telnet, all communication including username and password is transmitted unencrypted in clear text and is therefore susceptible to eavesdropping.

Many IoT devices (routers, network cameras, etc.) are running Telnet servers by default. If the devices are openly accessible from the Internet and the default login credentials have not been changed, an attacker can easily gain full control of the devices. Malware like Mirai automatically exploits insecure Telnet servers openly accessible from the Internet to compromise devices and connect them to a botnet.

Solution:
If the Telnet server is not required, disable or uninstall it. Otherwise, restrict access to trusted local networks. In particular for IoT devices: check that the default login credentials have been changed.

We recommend using (Open)SSH with key-based authentication for secure access to remote hosts.

Further Information:

Openly accessible LDAP servers - port 389


Definition:
The Lightweight Directory Access Protocol (LDAP) is a networking protocol for accessing and maintaining distributed directory information services.

Problem:
Openly accessible LDAP servers can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if an LDAP server is openly accessible from the Internet, you can use the ‘ldapsearch’ tool:

$ ldapsearch -x -h 000.000.00.00 -s base

An openly accessible LDAP server will return information like this:

dn:
currentTime: 20161227101121.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=DE
dsServiceName: CN=NTDS Settings,CN=SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=DE
namingContexts: DC=MYDOMAIN,DC=de
namingContexts: CN=Configuration,DC=MYDOMAIN,DC=de
namingContexts: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=de
defaultNamingContext: DC=MYDOMAIN,DC=de
schemaNamingContext: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=de
configurationNamingContext: CN=Configuration,DC=MYDOMAIN,DC=de
rootDomainNamingContext: DC=MYDOMAIN,DC=de

Otherwise, ldapsearch will run into a timeout.

Solution:

  • Restrict access to the LDAP server to trusted clients, e. g. by blocking incoming connections to ports 389/tcp and 389/udp on the firewall.
  • Use LDAP with StartTLS or LDAPS (LDAP over TLS/SSL), which provide encrypted communication between clients and the LDAP server.

Further Information:

Openly accessible Elasticsearch servers - port 9200


Definition:
Elasticsearch is a popular search engine based on Apache Lucene, often used with web applications.

Problem:
If an Elasticsearch server is openly accessible from the Internet and not protected by any form of authentication, anyone who can connect to the server has unrestricted access to the data stored on it. This allows attackers to modify or delete any data or potentially steal sensitive information. In addition, prior to versions 1.2.x an attacker can use dynamic scripting to perform arbitrary code execution on the machine that Elasticsearch is hosted on.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if an Elasticsearch server is openly accessible from the Internet, you can use ‘netcat’ as follows:

$ printf "GET / HTTP/1.0\r\n\r\n" | netcat 000.000.00.00 9200

An openly accessible Elasticsearch server will return information like this:

{
  "status" : 200,
  "name" : "My Database",
  "cluster_name" : "My Cluster",
  "version" : {
    "number" : "1.7.5",
    "build_hash" : "00f95f4ffca6de89d68b7ccaf80d148f1f70e4d4",
    "build_timestamp" : "2016-02-02T09:55:30Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.4"
  },
  "tagline" : "You Know, for Search"
}

Otherwise, netcat will return an error message:

netcat: connect to 000.000.00.00 port 9200 (tcp) failed: Connection refused

or

netcat: connect to 000.000.00.00 port 9200 (tcp) failed: Connection timed out

Solution:

  • Do not expose your Elasticsearch server to the Internet!
  • Restrict access to the Elasticsearch server to trusted systems (e. g., the web application server) in the server’s configuration and/or by blocking incoming connections from the Internet to port 9200/tcp on the firewall.
  • Check the security best practices provided by the Elasticsearch developers.
  • Keep your Elasticsearch installation up-to-date. Install available security updates asap.

Further Information:

Openly accessible Memcached servers - port 11211


Definition:
Memcached is an open-source distributed memory object caching system which is generic in nature but often used for speeding up dynamic web applications. In the default configuration, memcached listens on port 11211/tcp and (up to and including version 1.5.5) also on port 11211/udp.

Problem:
memcached servers openly accessible from anywhere on the Internet via UDP are abused for DDoS reflection attacks against third parties on a regular basis. This way, extremely high amplification factors can be achieved which poses a serious security threat.

If a memcached server is openly accessible from the Internet via TCP or UDP and no SASL authentication has been configured, anyone who can connect to the server has unrestricted access to the data stored on it. This allows attackers to modify or delete any data or potentially steal sensitive information like login credentials for web applications or customer data from online shops.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

TCP
To check if a Memcached server is openly accessible from the Internet via TCP, you can use ‘netcat’ as follows:

$ echo "stats" | netcat 000.000.00.00 11211

An openly accessible Memcached server will return information like this:

STAT pid 1090
STAT uptime 1808125
STAT time 1483622758
STAT version 1.4.14 (Ubuntu)
STAT libevent 2.0.21-stable
STAT pointer_size 64
STAT rusage_user 57.424253
STAT rusage_system 54.322505
STAT curr_connections 5
STAT total_connections 643
STAT connection_structures 9
STAT reserved_fds 20

Otherwise, netcat will return an error message:

netcat: connect to 000.000.00.00 port 11211 (tcp) failed: Connection refused

or

netcat: connect to 000.000.00.00 port 11211 (tcp) failed: Connection timed out

UDP
To check if a Memcached server is openly accessible from the Internet via UDP, you can use ‘netcat’ as follows:

$ echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u 000.000.00.00 11211

An openly accessible Memcached server will return information like shown above.
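The eight leading bytes in the UDP check above are the memcached UDP frame header: request id, sequence number, total number of datagrams and a reserved field, each a 16-bit big-endian value. The following added example (not part of the original guide) builds that header, reassembles a multi-datagram reply in sequence order and computes the reply-to-request size ratio that makes the UDP port attractive for reflection; the stats text and split_reply helper are constructed test fixtures.

```python
import socket
import struct
from typing import Iterable, List, Optional, Tuple

FRAME = struct.Struct("!HHHH")   # request id, sequence number, total datagrams, reserved
FRAME_SIZE = FRAME.size           # 8 bytes

# Constructed sample reply, modelled on the 'stats' lines shown above.
SAMPLE_STATS = (b"STAT pid 1090\r\nSTAT uptime 1808125\r\nSTAT time 1483622758\r\n"
                b"STAT version 1.4.14 (Ubuntu)\r\nEND\r\n")


def build_udp_frame(payload: bytes, request_id: int = 0, seq: int = 0, total: int = 1) -> bytes:
    """Prepend the frame header; id 0, seq 0, total 1 gives the header used in the check above."""
    return FRAME.pack(request_id, seq, total, 0) + payload


def parse_udp_frame(datagram: bytes) -> Tuple[int, int, int, bytes]:
    """Split a datagram into (request id, sequence, total, body), rejecting malformed headers."""
    if len(datagram) < FRAME_SIZE:
        raise ValueError("datagram shorter than the 8-byte frame header")
    request_id, seq, total, _reserved = FRAME.unpack_from(datagram)
    if total == 0 or seq >= total:
        raise ValueError("inconsistent sequence/total fields")
    return request_id, seq, total, datagram[FRAME_SIZE:]


def reassemble(datagrams: Iterable[bytes]) -> bytes:
    """Join the datagrams of one reply in sequence order, whatever order they arrived in."""
    parts = {}
    request_id = total = None
    for d in datagrams:
        rid, seq, tot, body = parse_udp_frame(d)
        if request_id is None:
            request_id, total = rid, tot
        elif (rid, tot) != (request_id, total):
            raise ValueError("datagram belongs to a different reply")
        parts[seq] = body
    if total is None or len(parts) != total:
        raise ValueError("reply incomplete")
    return b"".join(parts[i] for i in range(total))


def amplification_factor(request: bytes, reply_datagrams: List[bytes]) -> float:
    """Bytes coming back per byte sent, headers included: the figure behind reflection abuse."""
    return sum(len(d) for d in reply_datagrams) / len(request)


def split_reply(text: bytes, chunk: int, request_id: int = 0) -> List[bytes]:
    """Test fixture: frame a reply into datagrams carrying at most `chunk` payload bytes each."""
    chunks = [text[i:i + chunk] for i in range(0, len(text), chunk)] or [b""]
    return [build_udp_frame(c, request_id, i, len(chunks)) for i, c in enumerate(chunks)]


def probe_udp_stats(host: str, port: int = 11211,
                    timeout: float = 2.0) -> Optional[Tuple[bytes, float]]:
    """Send 'stats' over UDP, collect the reply datagrams and return (text, amplification)."""
    request = build_udp_frame(b"stats\r\n")
    received: List[bytes] = []
    expected = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        while expected is None or len(received) < expected:
            try:
                d, _ = sock.recvfrom(65535)
            except socket.timeout:
                break                       # closed or filtered port: nothing comes back
            received.append(d)
            expected = parse_udp_frame(d)[2]
    if not received:
        return None
    return reassemble(received), amplification_factor(request, received)
```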

Solution:

  • Do not expose your Memcached server to the Internet!
  • Restrict access to the Memcached server to trusted systems (e. g., the web application server) in the server’s configuration and/or by blocking incoming connections from the Internet to ports 11211/tcp and 11211/udp on the firewall.
  • The UDP port is usually not required. Start memcached with option ‘-U 0’ to disable it.
  • Keep your Memcached installation up-to-date. Install available security updates asap.

Further Information:

Openly accessible Redis servers - port 6379


Definition:
Redis is an open-source in-memory database server with a simple key-value data structure often used with dynamic web applications.

Problem:
If a Redis server is openly accessible from the Internet and no SASL authentication has been configured, anyone who can connect to the server has unrestricted access to the data stored on it. This allows attackers to modify or delete any data or potentially steal sensitive information like login credentials for web applications or customer data from online shops.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if a Redis server is openly accessible from the Internet, you can use ‘netcat’ as follows:

$ (printf "info\r\n"; sleep 1) | netcat 000.000.00.00 6379

An openly accessible Redis server will return information like this:

# Server
redis_version:2.8.17
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:4c1d5710660b9479
redis_mode:standalone
os:Linux 3.16.0-4-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.9.2
process_id:12738
run_id:178e1ca5be355158cabdb51aa848b4cdd68a5d54
tcp_port:6379
uptime_in_seconds:8785215
uptime_in_days:101
hz:10
lru_clock:7298172
config_file:/etc/redis/redis.conf

Otherwise, netcat will return an error message:

netcat: connect to 000.000.00.00 port 6379 (tcp) failed: Connection refused

or

netcat: connect to 000.000.00.00 port 6379 (tcp) failed: Connection timed out

Solution:

  • Do not expose your Redis server to the Internet!
  • Restrict access to the Redis server to trusted systems (e. g., the web application server) in the server’s configuration and/or by blocking incoming connections from the Internet to port 6379/tcp on the firewall.
  • Check the security best practices provided by the Redis developers.
  • Keep your Redis installation up-to-date. Install available security updates asap.

Further Information:

Openly accessible MongoDB servers - port 27017


Definition:
MongoDB is a popular NoSQL database system commonly used as a backend for web applications.

Problem:
Access to a MongoDB server should be restricted to trusted systems. If a MongoDB server is openly accessible from the Internet, an attacker can take advantage of this to access the server and modify or delete data, or even obtain sensitive information like customer data from an online shop.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if a MongoDB server is openly accessible from the Internet, the MongoDB client tool ‘mongo’ can be used as follows:

$ mongo --host 000.000.00.00

If a connection to the MongoDB server was successfully established, the output looks like:

MongoDB shell version: 2.4.10
connecting to: 000.000.00.00:27017/test
>

Otherwise the connection will run into a timeout:

Fri Feb  5 10:25:42 Error: couldn't connect to server 000.000.00.00:27017 shell/mongo.js:86
exception: connect failed

Solution:

  • Do not expose your MongoDB server to the Internet!
  • Restrict access to the MongoDB server to trusted systems (e. g., the web application server) in the server’s configuration and/or by blocking incoming connections from the Internet to port 27017/tcp on the firewall.
  • Check the security best practices provided by the MongoDB developers.
  • Keep your MongoDB installation up-to-date. Install available security updates asap.

Further Information:

Openly accessible MySQL/MariaDB servers - port 3306


Definition:
MySQL/MariaDB is the world’s most popular open-source database.

Problem:
Access to a MySQL/MariaDB server should be restricted to trusted systems. If a MySQL/MariaDB server is openly accessible from the Internet, an attacker can take advantage of this to access the server and modify or delete data, or even obtain sensitive information like customer data from an online shop.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if a MySQL/MariaDB server is openly accessible from the Internet, the MySQL/MariaDB client tool ‘mysql’ can be used as follows:

$ mysql --host 000.000.00.00

If a connection to the MySQL/MariaDB server was successfully established, the output looks like:

Your Mysql connection id is 000
Server version: 5.5.5-10.1.34-MariaDB0Ubuntu.18.04.1 Ubuntu 18.04
>

Otherwise the connection will run into a timeout:

Fri Feb  5 10:25:42 Error: couldn't connect to server 000.000.00.00:3306 shell/mysql.js:86
exception: connect failed

Solution:

  • Do not expose your MySQL/MariaDB server to the Internet!
  • Restrict access to the MySQL/MariaDB server to trusted systems (e. g., the web application server) in the server’s configuration and/or by blocking incoming connections from the Internet to port 3306/tcp on the firewall.
  • Check the security best practices provided by the MySQL/MariaDB developers.
  • Keep your MySQL/MariaDB installation up-to-date. Install available security updates asap.

Further Information:

Openly accessible PostgreSQL servers - port 5432


Definition:
PostgreSQL is one of several popular free databases and is frequently used as a backend for web applications. It was one of the first database management systems to be developed, and it allows users to manage both structured and unstructured data.

Problem:
Access to a PostgreSQL server should be restricted to trusted systems. If a PostgreSQL server is openly accessible from the Internet, an attacker can take advantage of this to access the server and modify or delete data, or even obtain sensitive information like customer data from an online shop.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if a PostgreSQL server is openly accessible from the Internet, the PostgreSQL client tool ‘psql’ can be used as follows:

$ psql --host 000.000.00.00

If a connection to the PostgreSQL server was successfully established, the output looks like:

Your PostgreSQL connection id is 000
Server version: -----
>

Otherwise the connection will run into a timeout:

Fri Feb  5 10:25:42 Error: couldn't connect to server 000.000.00.00:5432 shell/psql.js:86
exception: connect failed

Solution:

  • Do not expose your PostgreSQL server to the Internet!
  • Restrict access to the PostgreSQL server to trusted systems (e. g., the web application server) in the server’s configuration and/or by blocking incoming connections from the Internet to port 5432/tcp on the firewall.
  • Check the security best practices provided by the PostgreSQL developers.
  • Keep your PostgreSQL installation up-to-date. Install available security updates asap.

Further Information:

Openly accessible Apache Cassandra NoSQL servers - ports 9042, 9160, 7000, 7001, 7199, 8888, 61620, 61621


Definition:
Apache Cassandra is a free and open-source, distributed, wide column store, NoSQL database management system designed to handle large amounts of data across many commodity servers, providing high availability with no single point of failure. Cassandra offers robust support for clusters spanning multiple datacenters, with asynchronous masterless replication allowing low latency operations for all clients.

Problem:
Access to an Apache Cassandra NoSQL server should be restricted to trusted systems. Malicious users able to access the internode communication and JMX ports can still:

  • Craft internode messages to insert users into authentication schema
  • Craft internode messages to truncate or drop schema
  • Use tools such as sstableloader to overwrite system_auth tables
  • Attach to the cluster directly to capture write traffic

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if an Apache Cassandra NoSQL server is openly accessible from the Internet, the Apache Cassandra client tool ‘cqlsh’ can be used as follows:

$ cqlsh --host 000.000.00.00

If a connection to the Apache Cassandra NoSQL server was successfully established, the output looks like:

Connected to Linuxize Cluster at 000.000.00.00:9042.
[cqlsh 5.0.1 | Cassandra 3.9 | CQL spec 3.4.2 | Native protocol v4]
Use HELP for help.
cqlsh>

Otherwise the connection will run into a timeout:

Fri Feb  5 10:25:42 Error: couldn't connect to server 000.000.00.00:9042 shell/cqlsh.js:86
exception: connect failed

Solution:

  • Do not expose your Apache Cassandra NoSQL server to the Internet!
  • Restrict access to the Apache Cassandra NoSQL server to trusted systems (e. g., the web application server) in the server’s configuration and/or by blocking incoming connections from the Internet to the following ports on the firewall: 9042/tcp, 9160/tcp, 7000/tcp, 7001/tcp, 7199/tcp, 8888/tcp, 61620/tcp, 61621/tcp.
  • Check the security best practices provided by the Apache Cassandra NoSQL developers.
  • Keep your Apache Cassandra NoSQL installation up-to-date. Install available security updates asap.

Further Information:

Openly accessible Microsoft SQL-Server (MSSQL) browser services - ports 1433, 1434


Definition:
Microsoft SQL-Server (MSSQL) includes a ‘browser service’ which lets users connect to instances of the database engine that are not listening on the default port, without knowing the port number.

Problem:
In addition to disclosing information about the network the SQL-Server is running on (which can be used by potential attackers for preparation of further attacks), openly accessible MSSQL browser services can be abused for DDoS reflection attacks against third parties.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if an MSSQL browser service is openly accessible from the Internet, connect to the MS-SQL server using ‘netcat’ as follows:

$ netcat -u 000.000.00.00 1434

Then, press <Ctrl+B> followed by . An openly accessible MSSQL browser service will return a response like this:

ServerName;S16362421;InstanceName;MSSQLSERVER2012;
IsClustered;No;Version;11.0.2100.60;tcp;49511;np;
\\S16462341\pipe\MSSQL$MSSQLSERVER2012\sql\query;;

Otherwise, there will be no response.
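
The netcat check above done in a small script, as an added example that is not part of the original guide: it sends the same 0x02 byte that <Ctrl+B> produces, parses the semicolon-separated SSRP reply (the sample response above, joined into one datagram, is used as constructed test data) and reports the amplification factor, the figure that makes an open browser service useful as a reflector. The 0x05 header handling and the field names are taken from the SSRP format; host and timeout values are assumptions.

```python
import socket
from typing import Dict, List, Optional

# CLNT_BCAST_EX request byte: the same 0x02 that <Ctrl+B> sends in the netcat check.
SSRP_REQUEST = b"\x02"

def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Parse an SSRP SVR_RESP datagram into one dict per reported instance.

    Accepts the raw datagram (0x05 header plus 2-byte length, which netcat
    shows as unprintable bytes) as well as the bare text that follows it.
    """
    if data[:1] == b"\x05":
        data = data[3:]
    text = data.decode("latin-1")
    instances: List[Dict[str, str]] = []
    for chunk in text.split(";;"):            # instances are separated by ';;'
        tokens = chunk.strip(";").split(";")  # then alternate key;value;key;value
        if len(tokens) < 2:
            continue
        instances.append({tokens[i]: tokens[i + 1] for i in range(0, len(tokens) - 1, 2)})
    return instances

def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes received per byte sent: the ratio that makes a reflector attractive."""
    return len(response) / max(len(request), 1)

def probe_browser_service(host: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send the probe to UDP/1434 and return the reply, or None on timeout (no open service)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(SSRP_REQUEST, (host, 1434))
        try:
            return sock.recv(65535)
        except socket.timeout:
            return None

# Constructed sample: the response shown above, joined into one datagram body.
SAMPLE_RESPONSE = (b"ServerName;S16362421;InstanceName;MSSQLSERVER2012;"
                   b"IsClustered;No;Version;11.0.2100.60;tcp;49511;np;"
                   b"\\\\S16462341\\pipe\\MSSQL$MSSQLSERVER2012\\sql\\query;;")

if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(inst["InstanceName"], "listens on tcp", inst["tcp"])
    print("amplification factor:", amplification_factor(SSRP_REQUEST, SAMPLE_RESPONSE))
```

A single-byte request that yields a reply of well over a hundred bytes is exactly why the service should not be reachable from the Internet.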

Solution:
If the MSSQL browser service is not needed, disable it. Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 1434/udp on the firewall. Microsoft recommends: “The SQL Server Browser service lets users connect to instances of the Database Engine that are not listening on port 1433, without knowing the port number. To use SQL Server Browser, you must open UDP port 1434. To promote the most secure environment, leave the SQL Server Browser service stopped, and configure clients to connect using the port number.” (https://msdn.microsoft.com/library/ms175043.aspx)

Further Information:

Openly accessible Portmapper services - port 111


Definition:
The Portmapper (portmap, rpcbind) is required for mapping RPC requests (remote procedure calls) to a network service. It is needed e. g. for mounting network shares using the Network File System (NFS).

Problem:
Openly accessible Portmapper services can be abused for DDoS reflection attacks against third parties.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if a Portmapper service is openly accessible from the Internet, the tool ‘rpcinfo’ can be used:

$ rpcinfo -T udp -p 000.000.00.00

An openly accessible Portmapper service will return a response like this:

program vers proto   port  service
100000    4   tcp    111  portmapper
100000    3   tcp    111  portmapper
100000    2   tcp    111  portmapper
100000    4   udp    111  portmapper
100000    3   udp    111  portmapper
100000    2   udp    111  portmapper
100024    1   udp  48035  status
100024    1   tcp  52605  status

Otherwise, rpcinfo will run into a timeout:

rpcinfo: can't contact portmapper: RPC: Remote system error - Connection timed out

Solution:
If the Portmapper service (portmap, rpcbind) is not required, disable or deinstall it. Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 111/tcp and 111/udp on the firewall.

On Debian/Ubuntu based Linux systems, the portmapper service can be removed using the following command:

# apt-get remove rpcbind

Further Information:

Openly accessible Sphinx servers - ports 9306, 9312


Definition:
Sphinx is an open-source search server commonly used as a backend for web applications.

Problem:
In the default configuration, the Sphinx server listens on ports 9306/tcp and 9312/tcp on all network interfaces. Sphinx does not provide any authentication mechanisms. If a Sphinx server is openly accessible from the Internet, an attacker can take advantage of this to read, modify or delete any data stored in the Sphinx database.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if a Sphinx server is openly accessible from the Internet, you can use ‘netcat’ as follows:

$ netcat 000.000.00.00 9306

If a connection to the Sphinx server was successfully established, it will return the version information:

2.2.11-id64-release (95ae9a)

Solution:

  • Do not expose your Sphinx server to the Internet!
  • Restrict access to the Sphinx server to trusted systems, e. g. by blocking incoming connections from the Internet to ports 9306/tcp and 9312/tcp on the firewall.
  • If both the Web and Sphinx servers are running on the same system, the Sphinx server should only listen on the localhost interface. To achieve this, change the following lines in the configuration file:

    listen       = 9312
    listen       = 9306:mysql41

    to:

    listen       = localhost:9312
    listen       = localhost:9306:mysql41

  • Keep your Sphinx installation up-to-date. Install available security updates asap.
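
A small audit of the listen directives described in the solution above, as an added example that is not part of the original guide: it flags every listen spec in a sphinx.conf that binds all interfaces (a bare port, a port with protocol such as 9306:mysql41, or 0.0.0.0) and passes specs bound to localhost or to a unix socket. The configuration fragments are constructed; the searchd section layout is assumed.

```python
import re
from typing import List

# "listen = <spec>" lines; spec is port, host:port, host:port:protocol, or a unix socket path.
LISTEN_RE = re.compile(r"^\s*listen\s*=\s*(\S+)")

def exposed_listeners(conf_text: str) -> List[str]:
    """Return the listen specs that bind every interface, i.e. are reachable from outside."""
    exposed: List[str] = []
    for line in conf_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue
        spec = match.group(1)
        if spec.startswith("/"):              # unix domain socket, not a TCP listener
            continue
        head = spec.split(":", 1)[0]
        # A bare port ("9312", "9306:mysql41") or the wildcard address binds all interfaces.
        if head.isdigit() or head == "0.0.0.0":
            exposed.append(spec)
    return exposed

# Constructed fragments: the default lines from the solution above and the corrected ones.
DEFAULT_CONF = """
searchd
{
    listen       = 9312
    listen       = 9306:mysql41
    log          = /var/log/searchd.log
}
"""
HARDENED_CONF = (DEFAULT_CONF.replace("= 9312", "= localhost:9312")
                 .replace("= 9306", "= localhost:9306"))

if __name__ == "__main__":
    print("default config exposes:", exposed_listeners(DEFAULT_CONF))
    print("hardened config exposes:", exposed_listeners(HARDENED_CONF))
```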

Further Information:

Openly accessible Ubiquiti Device Discovery services - port 10001


Definition:
Ubiquiti network devices come with a ‘Device Discovery’ service which is enabled by default and listening on port 10001/udp.

Problem:
Ubiquiti Device Discovery services openly accessible from the Internet disclose potentially sensitive information about the network device running the service and can be abused for performing DDoS reflection/amplification attacks against third parties.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if a Ubiquiti Device Discovery service is openly accessible from the Internet, you can use ‘netcat’ as follows:

$ echo -ne "\x01\x00\x00\x00" | netcat -u 000.000.00.00 10001 | hexdump -C

An openly accessible Device Discovery service will return information like this:

00000000  01 00 00 8e 02 00 0a XX  XX XX XX XX XX 50 95 fb  |.......MACADR...|
00000010  67 02 00 0a 44 d9 e7 XX  XX XX c0 a8 37 01 01 00  |g...D.......7...|
00000020  06 44 d9 e7 XX XX XX 0a  00 04 00 28 f5 ca 0b 00  |.D.........(....|
00000030  0f XX XX XX XX XX XX XX  XX XX XX XX XX XX XX XX  |...DEVICE_NAME..|
00000040  0c 00 03 4c 4d 35 0d 00  XX XX XX XX XX XX XX XX  |...LM5....ESSID.|
00000050  0e 00 01 02 03 00 20 58  XX XX XX XX XX XX XX XX  |.......FIRMWARE.|
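
A parser for the reply shown in the hexdump above, as an added example that is not part of the original guide: it reads the 4-byte header (version, type, big-endian length) and the type/length/value records that follow, so an administrator can see exactly which fields (MAC and IP addresses, uptime, hostname, platform, firmware) the device discloses. The record-type names are an assumed mapping consistent with the dump above; the sample reply is constructed with placeholder MAC and IP values in place of the XX bytes.

```python
import struct
from typing import Any, Dict

# Record types seen in discovery replies (assumed mapping, matching the dump above:
# 0x02 = MAC+IP, 0x0a = uptime, 0x0b = hostname, 0x0c = platform "LM5", 0x03 = firmware).
FIELD_NAMES = {0x01: "hwaddr", 0x02: "ipinfo", 0x03: "fwversion", 0x0a: "uptime",
               0x0b: "hostname", 0x0c: "platform", 0x0d: "essid", 0x0e: "wmode"}

def parse_discovery_reply(pkt: bytes) -> Dict[str, Any]:
    """Parse the 4-byte header (version, type, big-endian length) and the
    type(1)/length(2)/value records that follow; returns every field disclosed."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    body_len = struct.unpack(">H", pkt[2:4])[0]
    body = pkt[4:4 + body_len]
    fields: Dict[str, Any] = {"version": pkt[0], "type": pkt[1], "ipinfo": []}
    pos = 0
    while pos + 3 <= len(body):
        ftype = body[pos]
        flen = struct.unpack(">H", body[pos + 1:pos + 3])[0]
        value = body[pos + 3:pos + 3 + flen]
        if len(value) < flen:
            break                      # truncated record: stop rather than misparse
        pos += 3 + flen
        name = FIELD_NAMES.get(ftype, f"unknown_{ftype:#04x}")
        if ftype == 0x02 and flen == 10:   # may repeat, one record per interface
            fields["ipinfo"].append((value[:6].hex(":"), ".".join(str(b) for b in value[6:])))
        elif ftype == 0x01:
            fields[name] = value.hex(":")
        elif ftype == 0x0a and flen == 4:
            fields[name] = struct.unpack(">I", value)[0]
        elif ftype in (0x03, 0x0b, 0x0c, 0x0d):
            fields[name] = value.decode("utf-8", "replace")
        else:
            fields[name] = value.hex()
    return fields

def _tlv(ftype: int, value: bytes) -> bytes:
    return bytes([ftype]) + struct.pack(">H", len(value)) + value

# Constructed sample reply; MAC, IP, hostname and firmware string are placeholders.
_MAC = bytes.fromhex("44d9e7000102")
SAMPLE_BODY = (_tlv(0x02, _MAC + bytes([192, 168, 55, 1])) + _tlv(0x01, _MAC)
               + _tlv(0x0a, struct.pack(">I", 2684362)) + _tlv(0x0b, b"example-ap")
               + _tlv(0x0c, b"LM5") + _tlv(0x03, b"XM.placeholder-firmware"))
SAMPLE_REPLY = b"\x01\x00" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY
```

The uptime value 2684362 is the 00 28 f5 ca seen in the dump above; everything a reply contains is returned unauthenticated to whoever sent the four-byte probe.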

Solution:
Disable the Device Discovery service if not required. Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 10001/udp on the firewall.

Further Information:

Openly accessible NetBIOS name services - ports 135, 137, 138, 139, 445


Definition:
NetBIOS defines a software interface and a naming convention. NetBIOS-over-TCP/IP provides the NetBIOS programming interface over the TCP/IP protocol. NetBIOS includes a name service, often called WINS on Microsoft Windows operating systems. The NetBIOS name service uses port 137/udp.

The NetBIOS name service is only needed within local networks and with systems before Microsoft Windows 2000 which require name resolution through WINS. Otherwise, in particular on the Internet, name resolution is done via DNS. Thus, it does not make sense to expose a NetBIOS name service to the Internet.

Problem:
Openly accessible NetBIOS name services can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.

Verification:
In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 000.000.00.00 with the IP address of the host to check.

To check if a NetBIOS name service is openly accessible from the Internet, you can use the ‘nmblookup’ tool:

$ nmblookup -A 000.000.00.00

An openly accessible NetBIOS name service will return information like this:

Looking up status of 000.000.00.00
        HOSTNAME        <00> -         B <ACTIVE>
        WORKGROUP       <00> - <GROUP> B <ACTIVE>
        HOSTNAME        <20> -         B <ACTIVE>
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>
        MAC Address = 12-34-56-78-90-AB

Otherwise, nmblookup will run into a timeout:

Looking up status of 000.000.00.00
No reply from 000.000.00.00

Solution:
If NetBIOS-over-TCP/IP is not needed, disable it. Otherwise, restrict access to the NetBIOS name service to trusted clients, e. g. by blocking incoming connections to port 137 tcp/udp on the firewall. For security reasons, you should consider blocking access to ports 135, 138, 139 and 445 from anywhere on the Internet as well.

On Linux/Unix systems, the NetBIOS name service is usually provided by ‘nmbd’ included with Samba. If you don’t need Samba, disable or deinstall it. Otherwise, NetBIOS support can be disabled by setting disable netbios = Yes in the Samba configuration.

Further Information: