Securing Network Traffic With SSH Tunnels

Introduction to SSH Tunnels

Secure Shell, or SSH, is used to create a secure channel between a local and remote computer. While SSH is commonly used for secure terminal access and file transfers, it can also be used to create a secure tunnel between computers for forwarding other network connections that are not normally encrypted. SSH tunnels are also useful for allowing outside access to internal network resources.

To create an SSH tunnel, you need:

• Target server offering network services (http, vnc, etc.) to the client
• SSH server listening for connections from the client
• SSH client configured to forward traffic from a local listening port, through the SSH server, to the target server

The SSH server may be running on the same machine as the target server, or on a different machine. Network communications between the SSH server and the target server are NOT encrpyted by the SSH tunnel (see diagram below), so if the servers are running on different machines, ideally they should be located together on a secure network.

Configuring an SSH server(link is external) is beyond the scope of this article, but popular options include OpenSSH(link is external) for unix-based systems and Bitvise SSH Server(link is external) for Windows. The SSH server will need to have access to the listening port on the target server. Common SSH clients(link is external) include OpenSSH(link is external) and PuTTY for Windows(link is external).

Scenario - Connecting to an insecure service

In this scenario, a client wishes to connect to a service that does not natively use encryption, but does not want the traffic to be sent unencrypted through the Internet. The environment for this scenario:

• Target server: VNC service is listening on port 5900 at IP address 1.2.3.4
• SSH server: SSH service is listening on port 22 at IP address 1.2.3.5
• Client machine: SSH and VNC clients installed

Creating the SSH tunnel using PuTTY:

1. Open the PuTTY client user interface
2. In the Session window, under "Basic options for your PuTTY session", enter the IP address and listening port for the SSH server:
   
3. In the left-pane, select Connection->SSH->Tunnel
4. Under "Options controlling SSH port forwarding", enter the following settings (see screen shot):
   • Source port: Pick an arbitrary port not in use on your client, the example uses 15900.
   • Destination: IP address and listening port for the target server, 1.2.3.4:5900
   • Leave "Local" and "Auto" radio buttons selected
5. Click "Add" to save these settings
6. Click "Open" to create the SSH tunnel. Enter your username and password for the SSH server when prompted.

Creating the SSH tunnel using OpenSSH:

The following command can be used to create the SSH tunnels using the OpenSSH client:

ssh -L 15900:1.2.3.4:5900 1.2.3.5 -N

The option 15900:1.2.3.4:5900 specifies the local port, 15900, to be forwarded to the remote port, 5900, on the target server, 1.2.3.4. The local port can be any arbitary port not in use on the client. Enter your SSH username and password when prompted, unless you have configured your SSH server for public key authentication.

Connecting to the service through the tunnel:

To connect to the service on the target server, configure your client to connect to the client machine using the local listening port defined in the SSH tunnel configuration. Use the local loopback address, 127.0.0.1 (see screen shot). Traffic will be forwarded through the SSH tunnel to the target server.

Alternative -- use a client that natively supports SSH tunnels:

Some clients for unecrypted network services, such as FTP, VNC, etc., natively  support connections using SSH tunnels. In this case, there is no need to manually create the SSH tunnel using an SSH client such as OpenSSH or PuTTY. Just enter the SSH server information directly into the VNC client supporting SSH tunnels. This screen shot example uses the TightVNC client:

While the example above demonstrates SSH tunnels for VNC, a popular service often configured without requiring encryption, these same settings can be used to conenct to other network services when replacement with an alternative that supports encyrption natively is not an option.

SQL Injection vulnerability email notification from security@berkeley.edu

Security Contacts that receive a SQL Injection vulnerability notice are responsible for identifying and notifying any stakeholders about the SQL Injection attack including functional owners, developers, system administrators, and database administrators in order to determine the vulnerable and potentially compromised resources.

Immediate action must be taken to address any confirmed SQL Injection flaws discovered:

• Once a person responsible for coordinating remediation is identified, please respond to the notice so that Information Security and Policy can work directly with the coordinator to ensure full remediation
• Coordinate an investigation of potentially vulnerable web pages and resources amongst developers or other stakeholders
• A review of web, application, and database logs may reveal the point of vulnerability and source of attacks
• Develop a plan to remediate any confirmed SQL Injection flaws and prevent future attacks

Additionally, if your system stores, processes, or transmits sensitive data such as Protection Level 1 or Protection Level 2 data as described in the Berkeley Data Classification Standard, you should immediately reply to the security notice (to security@berkeley.edu(link sends e-mail)(link sends e-mail)) and notify the Information Security and Policy office.

How to protect a web site or application from SQL Injection attacks

Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database.

This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more.

Please consult the following resources for implementing parameterized database queries and preventing SQL Injection in your code base:

• 
  
• (link is external)

Additionally, developers, system administrators, and database administrators can take further steps to minimize attacks or the impact of successful attacks:

1. Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
2. Utilize the  when provisioning accounts used to connect to the SQL database.  For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site's database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts.  Never allow your web application to connect to the database with Administrator privileges (the "sa" account on Microsoft SQL Server, for instance).
3. Do not use shared database accounts between different web sites or applications. 
4. Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.
5. Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.

String Data Type

char(x): This data type is space padded to fill the number of characters specified. Here x is the number of characters to store.

varchar(x): This type got its name from Varying Characters. This data type doesn’t pad unnecessary space. Here x is the number of characters to store

text: This type is used to store long textual information.

Few numeric data type has syntax of data_type(x). Here x is meant for precision value.

Date Time Data Type

datetime: This data type is used to store complete date and time information. The date to be stored has range from 01/01/1753 to 12/31/9999. This data type takes 8 bit for storage purpose. This data type is also termed as timestamp in few database systems.

date: This data type is used to store only date information.

time: This data type is used to store only time specific information.

Few numeric data type has syntax of data_type(x). Here x is meant for precision value.

Numeric Data Type

Few numeric data type has syntax of data_type(x). Here x is meant for precision value.

SQL Database Data Types

DATA TYPES represents the type of data an object is holding. Data Types are defined for columns of a table, local/global variables, input/output arguments of procedures etc..

Each database system (MS SQL Server, MYSQL, DB2, Oracle etc.) have its own long list of data types but several data types are common in most of them. This article will list down common data types across various database systems.

How to protect a web site or application from SQL Injection attacks

Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database.

This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more.

Please consult the following resources for implementing parameterized database queries and preventing SQL Injection in your code base:

• OWASP Guide to SQL Injection(link is external)
• OWASP SQL Injection Prevention Cheat Sheet(link is external)

Additionally, developers, system administrators, and database administrators can take further steps to minimize attacks or the impact of successful attacks:

1. Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
2. Utilize the principle of least privilege(link is external) when provisioning accounts used to connect to the SQL database.  For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site's database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts.  Never allow your web application to connect to the database with Administrator privileges (the "sa" account on Microsoft SQL Server, for instance).
3. Do not use shared database accounts between different web sites or applications. 
4. Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.
5. Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.

Use SQL Parameters for Protection

To protect a web site from SQL injection, you can use SQL parameters.

SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

ASP.NET Razor Example

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";
db.Execute(txtSQL,txtUserId);

Note that parameters are represented in the SQL statement by a @ marker.

The SQL engine checks each parameter to ensure that it is correct for its column and are treated literally, and not as part of the SQL to be executed.

Another Example

txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
db.Execute(txtSQL,txtNam,txtAdd,txtCit);

---

Examples

The following examples shows how to build parameterized queries in some common web languages.

SELECT STATEMENT IN ASP.NET:

txtUserId = getRequestString("UserId");
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql);
command.Parameters.AddWithValue("@0",txtUserID);
command.ExecuteReader();

INSERT INTO STATEMENT IN ASP.NET:

txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
command = new SqlCommand(txtSQL);
command.Parameters.AddWithValue("@0",txtNam);
command.Parameters.AddWithValue("@1",txtAdd);
command.Parameters.AddWithValue("@2",txtCit);
command.ExecuteNonQuery();

INSERT INTO STATEMENT IN PHP:

$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City) 
VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();

COLOR PICKER

HOW TO

Tabs
Dropdowns
Accordions
Convert Weights
Animated Buttons
Side Navigation
Top Navigation
Modal Boxes
Progress Bars
Parallax
Login Form
HTML Includes
Google Maps
Range Sliders
Tooltips
Slideshow
Filter List
Sort List

SHARE

 

CERTIFICATES

HTML, CSS,JavaScript, PHP,jQuery, Bootstrap andXML.

Read More »

---

SQL Injection Based on Batched SQL Statements

Most databases support batched SQL statement.

A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.

The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

Example

SELECT * FROM Users; DROP TABLE Suppliers

Look at the following example:

Example

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

And the following input:

User id: 

The valid SQL statement would look like this:

Result

SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;

BOOTP Support

ISC DHCP server is backward compatible with BOOTP. The following is a BOOTP client declaration to be defined in DHCP's main configuration dhcpd.conf file:

host bootp {
              hardware ethernet 00:00:2e:55:12:09;
              fixed-address 123.123.1.3;
              filename "/path/to/tftpboot/bootp.boot";
            }

Host specific configuration

There maybe a need to set static IP address to a particular host on the network such as printer, web server and etc. In this case it is posible to amend DHCP server configuration to lease a choosen IP address to a specific host defined by its MAC address.

default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
  option routers 10.1.1.1;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

host printer {
  hardware ethernet 00:16:d3:b7:8f:86;
  fixed-address 10.1.1.100;
}

host web-server {
  hardware ethernet 00:17:a4:c2:44:22;
  fixed-address 10.1.1.200;
}

The above DHCP configuration file will permanently assign the IP address 10.1.1.100 to a host "printer" with a MAC address 00:16:d3:b7:8f:86 and IP address 10.1.1.200 to host "web-server" with MAC address 00:17:a4:c2:44:22.

Set default gateway

DHCP also allows for client's gateway configuration.To set any client on the local network to use default gateway 10.1.1.1, add line "option routers 10.1.1.1" into dhcpd.conf file as demonstrated below:

default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
  option routers 10.1.1.1;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option routers 10.1.1.1;
}

DHCP will now set DHCP client with gateway 10.1.1.1.

Define DNS server

Another configuration parameter possible to be set by DHCP server to its client is a definition of DNS server. If you want your clients to use DNS server with an IP address 8.8.8.8 and 10.1.1.1 you can do it by including an option "domain-name-servers" to DHCP's configuration file.

default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option routers 10.1.1.1;
}

DHCP default and max lease time

At this point we can add feww aditional settings to our DHCP configuration, namely the default and max lease time expiry.

• default-lease-time is a value in seconds in which a leased IP address expiry will be set to if DHCP client does not ask for any other specific expiry lease time
• max-lease-time is a value in seconds which defines a maximum expiry time for an IP address leased by DHCP server

default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

Basic DHCP Configuration

By default, DHCP server configuration does not include any subnets on which DHCP server should lease IP addresses. Therefore, depends on your Linux system you may get the following error message when you attempt to start DHCP with default dhcpd.conf configuration file.

Starting ISC DHCP server: dhcpdcheck syslog for diagnostics. ... failed!

Examining log files such as /var/log/syslog reveals more details:

No subnet declaration for eth0 (some IP address). 

Your server may be connected to multiple network subnets. To start DHCP server, at least one subnet must be defined within the DHCP configuration file /etc/dhcp/dhcpd.conf. 

NOTE: if your server has access to more than one subnet, DHCP requires all subnets to be defined even though there isn't immediate intention to enable DHCP service on that subnet. 

Below is the simplest example of DHCP configuration file:

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

This configuration file instructs DHCP server to listen for DHCP client requests on subnet 10.1.1.0 with netmask 255.255.255.0. Furthermore, it will assign IP addresses in range 10.1.1.3 - 10.1.1.254. It also defines an empty definition for subnet with network ID 192.168.0.0. 

Alter the above code with your subnet and insert it into /etc/dhcp/dhcpd.conf. When ready, restart your DHCP server with ( restart command may vary ) :

# service isc-dhcp-server restart

How to install DHCP server in linux

Standard DHCP server implementation available in various Linux distributions is an Open source version maintained by ISC ( Internet System Consortium ).

Use the following commands to install DHCP on your Linux server:

Debian and Ubuntu:

# apt-get install isc-dhcp-server

Redhat & Fedora:

# yum install dhcp