security problem: cpanel allows DNS zonetransfers for everyone!

Status
Not open for further replies.

cyberspirit

BANNED
Jun 27, 2003
293
0
166
I just found out that the way cpanel sets up and handles DNS is that it allows zonetransfers for all zones for everyone!
There is a concept of security through obscurity and it is quiet dangerous to allow zonetransfers just to everyone.
With a whole zonefile a hacker pretty much has a map of what you have and often host names like testing or beta give away clues to people who want to break in.
The standard should be to allow zonetransfers only to authorized ips, mostly secondary DNS servers.
On another note the cpanel DNS server can be used for queries by pretty much anyone which adds load to the server if more and more people use it.
The correct way should be to not offer recursive answers to the outside world and only allow recursive behaviour the own host.
I will post tonight a changed named.conf file for everyone to use to close this hole!

cPanel.net Support Ticket Number:
 

mjm2

Well-Known Member
Oct 3, 2003
52
0
156
rm -rf /
thanks cyber.

when making updates will WHM overwrite the change named.conf file?

cPanel.net Support Ticket Number:
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,561
9
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
The quickest and easiest way to block this is to do the following;

edit /etc/named.conf

add the following just before logging

options {
directory "/var/named/";
version "Not telling you";
allow-transfer { IP's that are allowed (slaves/master); };
};

save it and restart named.

Also cPanel will NOT overwrite this change.

To test, run nslookup from your desktop
C:\>nslookup
Default Server: nsctor1.bellnexxia.net
Address: 209.226.175.223

>

type
> ls domain.com

You should get something like the following;

> ls virtual-hosting.ca
[nsctor1.bellnexxia.net]
*** Can't list domain virtual-hosting.ca: Query refused
 
Last edited:

cyberspirit

BANNED
Jun 27, 2003
293
0
166
Ok,
Here is the promised solution:

created a directory /var/log/named and chgrp and chown it to named

Then edit the /etc/named.conf file like this:

right after the controls statements add an acl statement like this:

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};

acl "trusted" {
1.2.3.4; 2.3.4.5; 3.4.5.6; 4.5.6.7; 127.0.0.1;
};

In the acl statement the ip addresses stand for trusted addresses like your nameserver ips or any additional ips that need to have permission for zonetransfers and recursive answers. This could be for example your client ip for testing.

Then go further down into the options statement and add this in a line right after the query-source address line so it looks like this:


// query-source address * port 53;
version "not currently available";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};


logging {
channel "mylog" {
file "/var/log/named/namedlog.log" versions 10 size 1M;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category default {
"mylog";
};
category general {
"mylog";
};
};



Then go into WHM and restart bind. Watch for the message in WHM that says restart bind ok. If it does not start fine go into /var/log/messages and it will tell you which line in named.conf has a problem.
 

Website Rob

Well-Known Member
Mar 23, 2002
1,504
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
Then go further down into the options statement...

I was good up to that point. My named.conf file does not have the entries mentioned; version, logging, etc.

Are we in another file now or doing some customization?
 

cyberspirit

BANNED
Jun 27, 2003
293
0
166
Website Rob,
Your named.conf file should have at least an options statement. The logging statement and all the other stuff you have to add manually if you do not have it - that was the purpose of the thread. ;-)
 

Website Rob

Well-Known Member
Mar 23, 2002
1,504
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
Having come across the Scam being run by "whois.sc", this thread has taken on a higher level of importance with me. So to make sure I'm editting correctly -- it's so stressful make these types of changes on a production Server ;) -- let's see if I having the following correct.

After creating a directory "/var/log/named" and chgrp and chown it to named, the "/etc/named.conf" file is editted thusly:


controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};


acl "trusted" {
1.2.3.4; 2.3.4.5; 3.4.5.6; 4.5.6.7; 127.0.0.1;
};


options {
directory "/var/named/";
version "Not telling you";
allow-transfer { IP's that are allowed (slaves/master);

// query-source address * port 53;
version "not currently available";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};


logging {

channel "mylog" {
file "/var/log/named/namedlog.log" versions 10 size 1M;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};

category default {
"mylog";
};

category general {
"mylog";
};

};


zone "." {
type hint;
file "/var/named/named.ca";
};

Rest of "zone" entries.


Is that correct?
 

cyberspirit

BANNED
Jun 27, 2003
293
0
166
looks good to me. restart bind and check /var/log/messages for any errors in the named.conf file detected during bind startup.
 

Website Rob

Well-Known Member
Mar 23, 2002
1,504
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
Ok, that was sort of exciting -- what with the errors and all. Results of error log showed the following:

One problem I fixed:
allow-transfer { IP's that are allowed (slaves/master); << that was a trick entry, right? ;)

One problem I think I know how to fix:
acl "trusted" << this requires all IPs registered to the Server - yes/no?

Remaining problems:
unknown option 'logging' << no idea what's on with this.
-and-
unknown option 'zone' << I think this is related though, to the syntax error mentioned above.

So, has anyone successfully initiated this code and willing to share their experience?
 

ee99ee

Well-Known Member
Aug 15, 2003
70
0
156
Originally posted by Website Rob
Having come across the Scam being run by "whois.sc", this thread has taken on a higher level of importance with me. So to make sure I'm editting correctly -- it's so stressful make these types of changes on a production Server ;) -- let's see if I having the following correct.

After creating a directory "/var/log/named" and chgrp and chown it to named, the "/etc/named.conf" file is editted thusly:


controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};


acl "trusted" {
1.2.3.4; 2.3.4.5; 3.4.5.6; 4.5.6.7; 127.0.0.1;
};


options {
directory "/var/named/";
version "Not telling you";
allow-transfer { IP's that are allowed (slaves/master);

// query-source address * port 53;
version "not currently available";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};


logging {

channel "mylog" {
file "/var/log/named/namedlog.log" versions 10 size 1M;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};

category default {
"mylog";
};

category general {
"mylog";
};

};


zone "." {
type hint;
file "/var/named/named.ca";
};

Rest of "zone" entries.


Is that correct?
How does that stop whois.sc?

-ee99ee
 

rpmws

Well-Known Member
Aug 14, 2001
1,802
9
318
back woods of NC, USA
ee99ee said:
How does that stop whois.sc?

-ee99ee
It doesn't. this thread should be followed regardless. Whois.sc uses regular lookups to then databases them and then uses cross queries on their own system to display results of how many sites on on a IP. I may be wrong but I ***think*** this is how they do it. If it's not the way they do it then I know that they **could** do it this way if they wanted.

All they have to do is do lookups for IPs for everydomain name, store the results in a database and then allow quries for a domain or IP. That IP is then found in x# of other records. Then they tell you (321) other sites ..bla bla bla
 

jeffheld

Active Member
Jan 7, 2004
26
0
156
financial capital

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,453
31
473
Go on, have a guess
Well, logging separately isn't really necessary, but if you want it, the chown command is:

chown -R named:named /var/log/named

If you do a chown that way, there's no need for a chgrp.
 

mahdionline

Well-Known Member
Oct 18, 2003
127
0
166
dgbaker said:
The quickest and easiest way to block this is to do the following;

edit /etc/named.conf

add the following just before logging

options {
directory "/var/named/";
version "Not telling you";
allow-transfer { IP's that are allowed (slaves/master); };
};

save it and restart named.

Also cPanel will NOT overwrite this change.

To test, run nslookup from your desktop
C:\>nslookup
Default Server: nsctor1.bellnexxia.net
Address: 209.226.175.223

>

type
> ls domain.com

You should get something like the following;

> ls virtual-hosting.ca
[nsctor1.bellnexxia.net]
*** Can't list domain virtual-hosting.ca: Query refused
i do this instruction but in nslookup.exe , it show me list of names ! what's th eproblem.

regard
 

jsteel

Well-Known Member
Jul 4, 2002
646
0
166
Atlanta, GA
jeffheld said:
find out if your dns server is fuc*i* lame.
dnstuff.com

http://www.dnsstuff.com/tools/lookup.ch?name=cpanel.net&type=ALL

should like the above. also...

http://www.dnsreport.com/tools/dnsreport.ch?domain=cpanel.net

will give you more info and let you know what needs to be setup correctly. otherwise.. hand over your ip :P
Dont' trust everything at dnsreport.com. They will red flag things that are still permissible by the DNS RFC (such as stealth nameservers). It unfortunately can give people a false sense that something is wrong, when in fact there is nothing wrong.
 

icanectc

Well-Known Member
Mar 10, 2003
344
0
166
This is what I get:

Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '(slaves'
Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '/'
Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: expected IP match list element near '/'

LINE 21 is : allow-transfer { IP's that are allowed (slaves/master);
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,453
31
473
Go on, have a guess
icanectc said:
This is what I get:

Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '(slaves'
Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: missing ';' before '/'
Oct 20 10:31:50 *** named[******]: /etc/named.conf:21: expected IP match list element near '/'

LINE 21 is : allow-transfer { IP's that are allowed (slaves/master);
Well, it should read:

allow-transfer { IP's that are allowed (slaves/master); };

Note the number of semi-colons. So, if you want to allow transfer requests from 11.22.33.44 and 44.33.22.11, then that line would look like this:

allow-transfer { 11.22.33.44; 44.33.22.11; };
 
Status
Not open for further replies.