Concerns over nntp//rss security

Postby jberkes on Sun Jan 30, 2005 4:24 pm

I have tried installing the software on a small Linux server, and it is working great! This really is the best way I have found so far to comfortably read RSS feeds... and NNTP also lets me share access with friends/family. However, as someone who deals with UNIX software regularly, I have some concerns about software security. Perhaps I am just not aware of some configuration options, maybe someone else knows?

1) Logging -- I did find the log.log file, but it does not contain IP addresses as they connect and do operations. There really should be some proper logging, so people have records of abuse!

2) Privileged execution. I can't find a way around running the server as root. This is definitely not good because it is running with maximum privileges while serving network clients, a potentially perilous situation. Also the software shouldn't need root privileges, since it just does simple database operations.

A solution to both of these problems would be to run nntp//rss under the UNIX inetd Internet super-daemon (tcp wrappers). This provides a parent process which binds to the privileged port, provides all logging, and which provides a text stream (rather than network socket) to an unprivileged program. Does anybody know how to do this?
jberkes
Posts: 3
Joined: Sun Jan 30, 2005 4:14 pm

Re: Concerns over nntp//rss security

Postby jason on Sun Jan 30, 2005 5:01 pm

jberkes wrote: 1) Logging -- I did find the log.log file, but it does not contain IP addresses as they connect and do operations. There really should be some proper logging, so people have records of abuse!

Right now nntp//rss (v0.5b1) logs incoming NNTP client connections. You'll see entries in the log like:

01:18:00,158 [Thread-8] INFO  NNTPServerListener - NNTP Client connection from 192.168.1.100

I'll definitely add to the TODO list an item to log some more granular information about client activity.

jberkes wrote: 2) Privileged execution. I can't find a way around running the server as root. This is definitely not good because it is running with maximum privileges while serving network clients, a potentially perilous situation. Also the software shouldn't need root privileges, since it just does simple database operations.

Yes, you are correct. nntp//rss is basically a database-oriented application. The only reason for it to run as root on Unix-based platforms is that, by default, it binds to NNTP port 119, a privileged port. A quick interim workaround is to change this to a port above 1024, and reconfigure your newsreader. This will allow you to run nntp//rss as a non-privileged user. To change this port, just edit the port attribute value of the following line in nntprss-config.xml:

<nntp port='119'/>

You will need to stop and restart nntp//rss for this change to take effect. You could use this in conjunction with OS-level port mapping capabilities to map port 119 to the non-privileged port, e.g. 1119, allowing existing newsreaders to connect on port 119, while the application is running as a non-privileged user on port 1119. Also there is an approach using xinetd - see my comments below. You could lock down the system even further by running nntp//rss in a chroot-ed environment.

jberkes wrote: A solution to both of these problems would be to run nntp//rss under the UNIX inetd Internet super-daemon (tcp wrappers). This provides a parent process which binds to the privileged port, provides all logging, and which provides a text stream (rather than network socket) to an unprivileged program. Does anybody know how to do this?

Probably the easiest way to do it is as I described above. Run nntp//rss as a non-privileged user, and use redirection to handle the port 119-to-non-privileged port translation.

On Linux/Unix you can use xinetd. This will give you inetd capabilities, including logging, while also allowing you to securely redirect from one port to another. This would not require any changes to the nntp//rss code. The only thing you would need to do is configure nntp//rss to auto-start at system boot time under a non-privileged user, listening on the non-privileged port.

There's a great article on the IBM developerWorks site about securing Linux for Java Services. In their example they discuss Tomcat, however the concepts are very applicable to an nntp//rss deployment.

Here's the link to the article:

http://www-106.ibm.com/developerworks/java/library/l-secjav.html

xinetd home page:

http://www.synack.net/xinetd/
jason
Site Admin
Posts: 114
Joined: Sat May 03, 2003 10:44 pm
Location: West Orange, NJ
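The xinetd approach described in the reply above, written out as an added example (it is not from the thread or from the nntp//rss project). It assumes nntp//rss has been reconfigured to listen on port 1119 as an unprivileged user, and that the readers all sit on 192.168.0.0/24; adjust both to your own setup. Drop it in as /etc/xinetd.d/nntp and reload xinetd.

```conf
# /etc/xinetd.d/nntp  (assumed path; added example, not project configuration)
# xinetd binds privileged port 119 itself, drops to the "user" below for the
# forwarding child, logs each client with its address, and relays the stream
# to nntp//rss on its non-privileged port.
service nntp
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    # privileges the per-connection relay runs with
    user            = nobody
    # assumed reader network; tighten to the hosts that should have access
    only_from       = 192.168.0.0/24
    # where nntp//rss is actually listening (assumed port 1119)
    redirect        = 127.0.0.1 1119
    # the "records of abuse" asked for in the first post
    log_type        = FILE /var/log/xinetd-nntp.log
    log_on_success  = HOST PID DURATION
    log_on_failure  = HOST
    # crude rate limiting for a small family server
    instances       = 20
    per_source      = 5
}
```

Because xinetd opens the second leg of the connection itself, nntp//rss's own log.log will show every client as 127.0.0.1; the real client address is in xinetd's log. Block direct network access to port 1119 on the host so that xinetd is the only path in.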

Re: Concerns over nntp//rss security

Postby jberkes on Sun Jan 30, 2005 7:36 pm

jason wrote: Right now nntp//rss (v0.5b1) logs incoming NNTP client connections. You'll see entries in the log like:

Great! I was using the previous release, indeed 0.5b1 is logging as expected.

jason wrote: Yes, you are correct. nntp//rss is basically a database-oriented application. The only reason for it to run as root on Unix-based platforms is that, by default, it binds to NNTP port 119, a privileged port. A quick interim workaround is to change this to a port above 1024, and reconfigure your newsreader. This will allow you to run nntp//rss as a non-privileged user. To change this port, just edit the port attribute value of the following line in nntprss-config.xml:

OK, that works well. I've configured it to run at a higher port (1190) and am doing port forwarding with Linux using:

iptables -t nat -A PREROUTING -p tcp --dport 119 -j REDIRECT --to-port 1190
jberkes
Posts: 3
Joined: Sun Jan 30, 2005 4:14 pm

Re: Concerns over nntp//rss security

Postby jberkes on Mon Jan 31, 2005 6:51 am

jberkes wrote: iptables -t nat -A PREROUTING -p tcp --dport 119 -j REDIRECT --to-port 1190

Thought I had better point something out: using just this rule would be too wide-reaching and would capture all kinds of port 119 connections meant to go to other news servers as well!

Use -i (incoming interface), -s (source addr), -d (dest addr) to provide better forwarding. For example:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 119 -j REDIRECT --to-port 1190
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 119 -d 192.168.0.15 -j REDIRECT --to-port 1190
jberkes
Posts: 3
Joined: Sun Jan 30, 2005 4:14 pm
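Combining the interface/destination scoping from this post with the logging and least-privilege concerns raised in the first one, as an added example that is not from the thread (interface, address and port values are assumed; the script prints the rules by default and only applies them with DRY_RUN=0 as root):

```shell
#!/bin/sh
# Added example (not from the thread): scoped port-119 redirect for nntp//rss
# plus the rules that make the redirect the only way in. Values are assumed.
NNTP_IFACE="${NNTP_IFACE:-eth1}"        # interface newsreaders arrive on
NNTP_ADDR="${NNTP_ADDR:-192.168.0.15}"  # address they dial on port 119
NNTP_APP_PORT="${NNTP_APP_PORT:-1190}"  # unprivileged port nntp//rss listens on
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the rules, 0 = apply them

# Print or execute one iptables invocation.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Append a rule unless an identical one is already present (-C checks),
# so re-running the script at boot does not stack duplicates.
add_rule() {
    table=$1; shift
    if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        ipt -t "$table" -A "$@"
    fi
}

nntp_redirect_rules() {
    iface=$1; addr=$2; app_port=$3
    # 1. Redirect only port-119 traffic that enters on $iface for $addr,
    #    leaving connections to other news servers untouched.
    add_rule nat PREROUTING -i "$iface" -d "$addr" -p tcp --dport 119 \
        -j REDIRECT --to-port "$app_port"
    # 2. Log every new connection reaching the application port with its
    #    real source address (the abuse record asked for in the thread).
    add_rule filter INPUT -i "$iface" -p tcp --dport "$app_port" \
        -m conntrack --ctstate NEW -j LOG --log-prefix "nntprss:"
    # 3. Accept only connections that came in through the redirect
    #    (conntrack reports them as state DNAT) ...
    add_rule filter INPUT -i "$iface" -p tcp --dport "$app_port" \
        -m conntrack --ctstate DNAT -j ACCEPT
    # 4. ... and refuse clients that dial the unprivileged port directly,
    #    so the scoping in rule 1 cannot be bypassed.
    add_rule filter INPUT -i "$iface" -p tcp --dport "$app_port" -j DROP
}

nntp_redirect_rules "$NNTP_IFACE" "$NNTP_ADDR" "$NNTP_APP_PORT"
```

Rule 2 logs direct attempts on the application port as well as redirected ones, so the log shows who is probing the box, not just who was let in.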
