check and hide BIND version

Nowadays, the security of a Linux server starts with the security of each application. Running an outdated software version (Apache, MySQL, Exim, BIND) leaves your server vulnerable, as many of those old versions have a bunch of known security issues. This is why a good starting point is to hide the version strings your services report, as this information is useful to an attacker who wants to focus on the specific version you are running.

BIND (or named) is the most commonly used DNS (Domain Name System) server on the Internet. Many BIND versions are vulnerable to different types of attacks, and this is why this small tutorial focuses on how to hide your BIND version. First, check what your server currently reports by querying version.bind as a TXT record in the Chaos class (CH):

[dragos@dragos-laptop ~]$ dig @domain.com -c CH -t txt version.bind

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> @auxell.ro -c CH -t txt version.bind
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65190
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.            CH    TXT

;; ANSWER SECTION:
version.bind.        0    CH    TXT    "9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2"

;; AUTHORITY SECTION:
version.bind.        0    CH    NS    version.bind.

;; Query time: 38 msec
;; SERVER: 85.204.103.34#53(85.204.103.34)
;; WHEN: Sun Nov 14 00:09:19 2010
;; MSG SIZE  rcvd: 91

As you can see in the output, the version running on one of my servers is 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2. This could help an attacker focus his 'work' on this version's vulnerabilities (if any), and this is why I will hide the version, at least to make his work less easy.

For this you will need to open the configuration file of the BIND service (since I'm running it in a chroot environment, the path is /var/named/chroot/etc/named.conf) and find the options block. There I will add a new entry with this format: version "desired string"; .

vi /var/named/chroot/etc/named.conf

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    version "Try again, fail again. Fail better.";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below.  Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

Finally, save and restart the DNS server and perform the same query again:

[root@server ~]# service named reload
Reloading named:                                           [  OK  ]

[dragos@dragos-laptop ~]$ dig @domain.com -c CH -t txt version.bind +short
"Try again, fail again. Fail better."
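As an added example (not part of the original post), the script below builds the same version.bind CH TXT query that dig sends, parses the answer, and flags whether the returned TXT string looks like a real BIND release (a leak) or a custom banner like the one configured above. The response packets are constructed inline rather than captured from a live server, so it runs offline; to check a real server, send build_query() over UDP port 53 and pass the reply to parse_txt_answer().

```python
import re
import struct

QTYPE_TXT = 16   # TXT record type
QCLASS_CH = 3    # Chaos class, the class version.bind lives in

def build_query(txid: int) -> bytes:
    """Wire-format query for version.bind. CH TXT with RD set, as dig -c CH -t txt sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in (b"version", b"bind")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def build_response(query: bytes, text: str) -> bytes:
    """Constructed reply (QR|AA|RD set, one answer RR pointing back at the question name)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8500, 1, 1, 0, 0)
    rdata = bytes([len(text)]) + text.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + query[12:] + answer

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a DNS name, whether written as labels or as a 2-byte compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def parse_txt_answer(msg: bytes):
    """Return the TXT strings of the first answer RR, or None if the server refused or gave no answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if (flags & 0x000F) != 0 or an == 0:   # RCODE other than NOERROR, or empty answer section
        return None
    off = 12
    for _ in range(qd):                     # skip the echoed question(s): name + type + class
        off = _skip_name(msg, off) + 4
    off = _skip_name(msg, off)
    rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if (rtype, rclass) != (QTYPE_TXT, QCLASS_CH):
        return None
    rdata, strings, i = msg[off:off + rdlen], [], 0
    while i < len(rdata):                   # TXT rdata is a sequence of length-prefixed strings
        n = rdata[i]
        strings.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
        i += 1 + n
    return strings

VERSION_RE = re.compile(r"\b\d+\.\d+(\.\d+)?(-P\d+)?\b")  # e.g. 9.3.6-P1; heuristic, not exhaustive

def classify(strings):
    """'leak' if the banner looks like a release string, 'hidden' if it is a custom text, 'refused' if no answer."""
    if not strings:
        return "refused"
    return "leak" if any(VERSION_RE.search(s) for s in strings) else "hidden"
```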

ProFTPD Telnet IAC processing stack overflow

If you are running a Linux server with the Plesk control panel, please be aware that a flaw was discovered in the ProFTPD server that potentially allows unauthenticated attackers to compromise your server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function used to evaluate TELNET IAC sequences. The ProFTPD bug report is available here: http://bugs.proftpd.org/show_bug.cgi?id=3521

A Proftpd update for Plesk has been provided by Atomic Rocket Turtle. To apply the update, execute the commands below:

wget -O - http://www.atomicorp.com/installers/atomic | sh
yum upgrade psa-proftpd

Please review http://www.parallels.com/products/plesk/ProFTPD for updates to this security issue.