security problem: cpanel allows DNS zonetransfers for everyone!

Discussion in 'Security' started by cyberspirit, Oct 15, 2003.

Thread Status:
Not open for further replies.
  1. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    I just found out that the way cPanel sets up and handles DNS allows zone transfers of all zones to everyone!
    There is a concept of security through obscurity, and it is quite dangerous to allow zone transfers to just everyone.
    With a whole zone file a hacker pretty much has a map of what you have, and often host names like testing or beta give away clues to people who want to break in.
    The standard should be to allow zone transfers only to authorized IPs, mostly secondary DNS servers.
    On another note, the cPanel DNS server can be used for queries by pretty much anyone, which adds load to the server if more and more people use it.
    The correct way should be to not offer recursive answers to the outside world and only allow recursive behaviour for the host itself.
    I will post tonight a changed named.conf file for everyone to use to close this hole!

    cPanel.net Support Ticket Number:
     
  2. mjm2

    mjm2 Well-Known Member

    Joined:
    Oct 3, 2003
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    rm -rf /
    Thanks cyber.

    When making updates, will WHM overwrite the changed named.conf file?

    cPanel.net Support Ticket Number:
     
  3. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    The quickest and easiest way to block this is to do the following:

    Edit /etc/named.conf

    Add the following just before logging:

    options {
    directory "/var/named/";
    version "Not telling you";
    allow-transfer { IP's that are allowed (slaves/master); };
    };

    Save it and restart named.

    Also, cPanel will NOT overwrite this change.

    To test, run nslookup from your desktop:
    C:\>nslookup
    Default Server: nsctor1.bellnexxia.net
    Address: 209.226.175.223

    >

    Type:
    > ls domain.com

    You should get something like the following:

    > ls virtual-hosting.ca
    [nsctor1.bellnexxia.net]
    *** Can't list domain virtual-hosting.ca: Query refused
     
    #3 dgbaker, Oct 15, 2003
    Last edited: Oct 15, 2003
  4. xsenses

    xsenses Well-Known Member

    Joined:
    Aug 29, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Huntington Beach, Ca
    I get the "query refused" from my server and have not changed the named.conf?
     
  5. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    Ok,
    Here is the promised solution:

    Create a directory /var/log/named and chgrp and chown it to named.

    Then edit the /etc/named.conf file like this:

    Right after the controls statement add an acl statement like this:

    controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
    };

    acl "trusted" {
    1.2.3.4; 2.3.4.5; 3.4.5.6; 4.5.6.7; 127.0.0.1;
    };

    In the acl statement the IP addresses stand for trusted addresses, like your nameserver IPs or any additional IPs that need permission for zone transfers and recursive answers. This could be, for example, your client IP for testing.

    Then go further down into the options statement and add this in a line right after the query-source address line, so it looks like this:


    // query-source address * port 53;
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    };


    logging {
    channel "mylog" {
    file "/var/log/named/namedlog.log" versions 10 size 1M;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    category default {
    "mylog";
    };
    category general {
    "mylog";
    };
    };



    Then go into WHM and restart BIND. Watch for the message in WHM that says restart bind ok. If it does not start fine, go into /var/log/messages and it will tell you which line in named.conf has a problem.
     
  6. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Then go further down into the options statement...

    I was good up to that point. My named.conf file does not have the entries mentioned: version, logging, etc.

    Are we in another file now, or doing some customization?
     
  7. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    Website Rob,
    Your named.conf file should have at least an options statement. The logging statement and all the other stuff you have to add manually if you do not have it; that was the purpose of the thread. ;-)
     
  8. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Having come across the scam being run by "whois.sc", this thread has taken on a higher level of importance with me. So to make sure I'm editing correctly -- it's so stressful making these types of changes on a production Server ;) -- let's see if I have the following correct.

    After creating a directory "/var/log/named" and doing chgrp and chown on it to named, the "/etc/named.conf" file is edited thusly:


    controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
    };


    acl "trusted" {
    1.2.3.4; 2.3.4.5; 3.4.5.6; 4.5.6.7; 127.0.0.1;
    };


    options {
    directory "/var/named/";
    version "Not telling you";
    allow-transfer { IP's that are allowed (slaves/master);

    // query-source address * port 53;
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    };


    logging {

    channel "mylog" {
    file "/var/log/named/namedlog.log" versions 10 size 1M;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };

    category default {
    "mylog";
    };

    category general {
    "mylog";
    };

    };


    zone "." {
    type hint;
    file "/var/named/named.ca";
    };

    Rest of "zone" entries.


    Is that correct?
     
  9. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    Looks good to me. Restart BIND and check /var/log/messages for any errors in the named.conf file detected during BIND startup.
     
  10. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    So basically whois.sc is abusing this loophole? Sheesh.
     
  11. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Ok, that was sort of exciting -- what with the errors and all. Results of the error log showed the following:

    One problem I fixed:
    allow-transfer { IP's that are allowed (slaves/master); << that was a trick entry, right? ;)

    One problem I think I know how to fix:
    acl "trusted" << this requires all IPs registered to the Server - yes/no?

    Remaining problems:
    unknown option 'logging' << no idea what's going on with this.
    -and-
    unknown option 'zone' << I think this is related though, to the syntax error mentioned above.

    So, has anyone successfully initiated this code and is willing to share their experience?
     
  12. ee99ee

    ee99ee Well-Known Member

    Joined:
    Aug 15, 2003
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    How does that stop whois.sc?

    -ee99ee
     
  13. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    It doesn't. This thread should be followed regardless. Whois.sc uses regular lookups, then databases them and then uses cross queries on their own system to display results of how many sites are on an IP. I may be wrong, but I ***think*** this is how they do it. If it's not the way they do it, then I know that they **could** do it this way if they wanted.

    All they have to do is do lookups for IPs for every domain name, store the results in a database and then allow queries for a domain or IP. That IP is then found in x# of other records. Then they tell you (321) other sites ..bla bla bla
     
  14. jeffheld

    jeffheld Active Member

    Joined:
    Jan 7, 2004
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    financial capital
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, logging separately isn't really necessary, but if you want it, the chown command is:

    chown -R named:named /var/log/named

    If you do a chown that way, there's no need for a chgrp.
     
  16. mahdionline

    mahdionline Well-Known Member

    Joined:
    Oct 18, 2003
    Messages:
    127
    Likes Received:
    0
    Trophy Points:
    16
    I did these instructions, but in nslookup.exe it shows me the list of names! What's the problem?

    Regards
     
  17. jsteel

    jsteel Well-Known Member

    Joined:
    Jul 4, 2002
    Messages:
    646
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Atlanta, GA
    Don't trust everything at dnsreport.com. They will red-flag things that are still permissible by the DNS RFC (such as stealth nameservers). Unfortunately, it can give people a false sense that something is wrong, when in fact there is nothing wrong.
     
  18. icanectc

    icanectc Well-Known Member

    Joined:
    Mar 10, 2003
    Messages:
    344
    Likes Received:
    0
    Trophy Points:
    16
    This is what I get:

    Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '(slaves'
    Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '/'
    Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: expected IP match list element near '/'

    Line 21 is: allow-transfer { IP's that are allowed (slaves/master);
     
  19. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, it should read:

    allow-transfer { IP's that are allowed (slaves/master); };

    Note the number of semi-colons. So, if you want to allow transfer requests from 11.22.33.44 and 44.33.22.11, then that line would look like this:

    allow-transfer { 11.22.33.44; 44.33.22.11; };
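    The two things that went wrong in this thread, leaving allow-transfer / allow-recursion unset (BIND then answers anyone) and copying the "IP's that are allowed (slaves/master)" placeholder literally so the braces no longer balance, can both be caught before restarting named. The script below is an added example, not cPanel's code and not any poster's own; it audits a named.conf fragment for the options the thread recommends (allow-transfer, allow-recursion, version) and for the brace/placeholder mistake. The three sample configurations inside it are constructed; the 1.2.3.4-style addresses are the thread's own placeholders, not real nameservers.

```python
"""Audit a BIND named.conf fragment for the problems discussed in this thread.

Added example, not cPanel's or any poster's own code.  Assumes the BIND 8/9
option syntax shown in the thread; the sample configurations below are
constructed for illustration.
"""
import re

# Constructed sample: options block with no allow-transfer/allow-recursion,
# i.e. the open state the thread complains about (BIND's default then serves
# AXFR and recursion to any host).
OPEN_CONF = """
options {
    directory "/var/named/";
    // query-source address * port 53;
};
"""

# Constructed sample: the hardened layout from cyberspirit's post, with the
# thread's placeholder IPs standing in for real nameserver addresses.
HARDENED_CONF = """
acl "trusted" {
    1.2.3.4; 2.3.4.5; 127.0.0.1;
};
options {
    directory "/var/named/";
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
};
"""

# Constructed sample: the placeholder line copied literally, with its closing
# "};" missing, which is what produced the "missing ';'" errors in the thread.
BROKEN_CONF = """
options {
    directory "/var/named/";
    allow-transfer { IP's that are allowed (slaves/master);
};
"""

IPV4 = re.compile(r"^!?\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
BUILTIN = {"any", "none", "localhost", "localnets"}


def strip_comments(text):
    """Drop /* */, // and # comments (naive: ignores comment markers inside strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def split_elements(body):
    """Turn 'a; b; c;' into ['a', 'b', 'c'], dropping surrounding quotes."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]


def parse_acls(text):
    """Map each 'acl "name" { ... };' statement to its list of elements."""
    return {m.group(1): split_elements(m.group(2))
            for m in re.finditer(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;', text)}


def address_list(text, option):
    """Elements of an address-match-list option, or None if the option is absent."""
    m = re.search(r"\b" + re.escape(option) + r"\s*\{([^}]*)\}\s*;", text)
    return None if m is None else split_elements(m.group(1))


def element_problem(element, acls):
    """Return why an element is unsafe or invalid, or None if it is acceptable."""
    if element == "any":
        return "'any' opens it to every host"
    if element in BUILTIN or IPV4.match(element):
        return None
    if element in acls:
        # An acl that itself contains 'any' is just 'any' with extra steps.
        return f"acl '{element}' contains 'any'" if "any" in acls[element] else None
    return f"'{element}' is not an IP, a built-in match, or a defined acl"


def audit(conf):
    """Return a list of findings for a named.conf text; an empty list means hardened."""
    text = strip_comments(conf)
    findings = []
    opens, closes = text.count("{"), text.count("}")
    if opens != closes:
        findings.append(f"unbalanced braces: {opens} '{{' vs {closes} '}}' (named will refuse to start)")
    acls = parse_acls(text)
    for option in ("allow-transfer", "allow-recursion"):
        elements = address_list(text, option)
        if elements is None:
            findings.append(f"{option} not set: BIND's default allows it from any host")
            continue
        for element in elements:
            problem = element_problem(element, acls)
            if problem:
                findings.append(f"{option}: {problem}")
    if not re.search(r'\bversion\s+"[^"]*"\s*;', text):
        findings.append("version not overridden: the server reports its real BIND version")
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF), ("broken", BROKEN_CONF)):
        print(f"[{name}]")
        for finding in audit(conf) or ["no findings"]:
            print("  -", finding)
```

    Against a live server, `audit(open("/etc/named.conf").read())` gives the policy view; for syntax, named-checkconf (shipped with BIND 9) is the authoritative check and will report the same missing-`};` line number that /var/log/messages shows in this thread. The auditor deliberately treats an acl that contains `any` the same as a bare `any`, since naming the list "trusted" does not make it restrictive.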
     
  20. icanectc

    icanectc Well-Known Member

    Joined:
    Mar 10, 2003
    Messages:
    344
    Likes Received:
    0
    Trophy Points:
    16
    It's the last } I did not add. It's working now, thanks!
     