LDAP stands for Lightweight Directory Access Protocol.
It is a directory service protocol that runs on a layer above the TCP/IP stack.
It offers means of searching, retrieving, and manipulating directory content and ways to access a rich set of security functions. It is based on the client-server model.
Here in this post we are basically going to concentrate on security threats in the LDAP protocol.
OpenLDAP Server Management
=============================
cn=config
cn=schema
cn=core
cn=Modules
dc=localhost,dc=com (if the domain is ldap.nullport.com then dc=ldap,dc=nullport,dc=com)
ou=People
ou=Group
ou=Hosts
ou=sudoers
================================
cn = Common Name
dc = Domain Component
ou = Organizational Unit
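As an added example (not part of the original post), a small Python helper that builds the dc= base DN from a domain name the way the note above describes, and that parses and escapes DN values per RFC 4514, so a value such as a person's name containing a comma cannot change the DN's structure:

```python
"""DN helpers for the directory layout above (added example, not from the post)."""

# RFC 4514: these characters must be backslash-escaped inside an RDN value,
# as must a leading '#' and a leading or trailing space.
_DN_SPECIAL = set(',+";<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so embedding it in a DN cannot change the DN's structure."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domain_to_base_dn(fqdn: str) -> str:
    """Map a DNS name to its base DN: ldap.nullport.com -> dc=ldap,dc=nullport,dc=com."""
    labels = [label for label in fqdn.strip().rstrip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={escape_rdn_value(label)}" for label in labels)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs honouring escapes; multi-valued RDNs (a=x+b=y) unsupported."""
    rdns: list[tuple[str, str]] = []
    attr, buf, in_value, i = "", [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not in_value:           # end of the attribute type
            attr, buf, in_value = "".join(buf).strip().lower(), [], True
        elif ch == "," and in_value:             # unescaped comma separates RDNs
            rdns.append((attr, "".join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value or not attr:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr, "".join(buf)))
    return rdns
```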
LDAP Security Threats
1. Unauthorized access to directory data via data-retrieval operations.
2. Unauthorized access to directory data by monitoring access of others.
3. Unauthorized access to reusable client authentication information by monitoring access of others.
4. Unauthorized modification of directory data.
5. Unauthorized modification of configuration information.
6. Denial of Service: Use of resources (commonly in excess) in a manner intended to deny service to others.
7. Spoofing: Tricking a user or client into believing that information came from the directory when in fact it did not, either by modifying data in transit or misdirecting the client's transport connection. Tricking a user or client into sending privileged information to a hostile entity that appears to be the directory server but is not. Tricking a directory server into believing that information came from a particular client when in fact it came from a hostile entity.
8. Hijacking: An attacker seizes control of an established protocol session.
How to configure LDAP Directory Server.
Prerequisites
The LDAP server should have a valid FQDN. Add the LDAP server details to your DNS server.
Allow the LDAP ports through the firewall.
Enable the EPEL and REMI repositories to avoid dependency problems.
Google for the installation of the EPEL and REMI repositories.
Open firewall ports 389, 636 and 9830. For this, add the lines below to iptables in "/etc/sysconfig/iptables":
# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT
# service iptables save
# service iptables restart
for more about iptables read here
now edit "/etc/sysctl.conf" and add the lines below at the end
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000
edit "/etc/security/limits.conf" and add the lines below at the end.
* soft nofile 8192
* hard nofile 8192
now edit "/etc/profile" and add the line below at the end
ulimit -n 8192
and then edit "/etc/pam.d/login" and add this line at the end.
session required /lib/security/pam_limits.so
now restart the server.
Create a user account and install the 389 directory server
# useradd ldapadmin
# passwd ldapadmin
# yum install -y 389-ds openldap-clients
Configuring the LDAP server
# setup-ds-admin.pl
now it will ask some questions and we need to answer them accordingly.
after this configuration make the LDAP daemon start automatically
# chkconfig dirsrv on
# chkconfig dirsrv-admin on
Test LDAP Server
# ldapsearch -x -b "dc=localhost,dc=local"
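The test command above binds anonymously (-x) over plain port 389. As an added check (not from the original post), this Python snippet parses the LDIF that `ldapsearch -x -s base -b "" +` returns for the server's rootDSE and flags settings that expose the directory to threats 2 and 3 from the list above (eavesdropping on data and on reusable credentials); the LDIF sample is constructed, and the StartTLS OID is the real one from RFC 4511.

```python
"""Audit a rootDSE capture for weak protocol settings (added example, not from the post)."""
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}        # send the password in the clear unless TLS is up

# Constructed sample of what `ldapsearch -x -s base -b "" +` might return from the server
# set up above; the folded vendorVersion line exercises LDIF continuation handling.
SAMPLE_ROOTDSE = """\
dn:
objectClass: top
namingContexts: dc=localhost,dc=com
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedExtension: 1.3.6.1.4.1.1466.20037
vendorName: 389 Project
vendorVersion: 389-Directory/1.2.11 (constructed value, folded to show
  LDIF line continuation)
"""


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into attribute -> values, unfolding continuation lines."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # leading space = continuation of previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()].append(value.strip())
    return dict(entry)


def audit_rootdse(entry: dict[str, list[str]]) -> list[str]:
    """Return findings mapped to the threat list above: eavesdropping (2, 3) and weak versions."""
    findings: list[str] = []
    if "2" in entry.get("supportedldapversion", []):
        findings.append("LDAPv2 still offered: it has no StartTLS or SASL, disable it")
    if STARTTLS_OID not in entry.get("supportedextension", []):
        findings.append("StartTLS not advertised: port 389 traffic, binds included, is cleartext")
    weak = CLEARTEXT_SASL & {m.upper() for m in entry.get("supportedsaslmechanisms", [])}
    if weak:
        findings.append(f"cleartext SASL mechanisms offered ({', '.join(sorted(weak))}): "
                        "accept them only after TLS is established")
    return findings
```

Run the real query against your own server, save the output, and feed it to parse_ldif_entry; a clean result is an empty findings list.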
Manage 389 ds with Admin Server Console
# yum groupinstall Xfce
log in to the server console with the command below
$ ssh -X root@192.168.73.101 /usr/bin/389-console -a http://192.168.73.101:9830
Okay, the above covers the LDAP server installation and configuration; now it's time to find the misconfigurations and explain the security risks there.