
Agile infrastructure security – How central configuration management was used to quickly patch GHOST glibc vulnerability in data centers

Feb 7, 2015

The GHOST vulnerability in glibc was disclosed on 27th Jan. As with any breaking news about vulnerabilities, the initial reports were muddled about the severity of the impact and the extent of exploits running in the wild.

Bobcares Dedicated Linux Systems Administrators deliver zero-day protection against breaking vulnerabilities through agile security reaction procedures. In this case, the announcement said attackers could exploit the gethostbyname() function provided by glibc, with a proof-of-concept exploit demonstrated against an Exim server. So, the first order of business was to prevent any such attacks on the servers under our care.

Such contingency action can be initiated very quickly in server farms managed through a central configuration management system like Puppet. Within an hour of the announcement, Bobcares engineers made the following changes in the central configuration of the Puppet (or equivalent, like Salt) servers:

# host_lookup = *      in exim.conf
HostnameLookups Off    in httpd.conf
UseDNS no              in sshd_config
UseReverseDNS off      in proftpd.conf

Each of these directives turns off reverse DNS lookups of client addresses, which is the code path through which these daemons reach the affected gethostbyname() function. The changes propagated to hundreds of servers within a matter of minutes, and this effectively blocked exploitation through the popular service ports. So, even if a zero-day exploit was making the rounds in the wild, it could not be used against the servers under our care.

Within 24 hours, major vendors started releasing patches for the glibc package, and another Puppet manifest was applied to download and install the latest glibc package. The update was done on hundreds of servers within minutes of the package becoming available in the repositories. (A running daemon keeps the old library mapped until it is restarted, so a glibc update is only complete once the affected services, or the host, have been restarted.)
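Both stages described above, the emergency configuration push and the later glibc update, expressed as one Puppet manifest. This is an added example, not the Bobcares manifest; it assumes the puppetlabs-stdlib file_line type, RHEL/CentOS file paths, package and service names, and a hypothetical fleet where all four daemons are installed.

```puppet
# Stage 1: emergency hardening pushed to every node. Each daemon below calls
# gethostbyname() only when it reverse-resolves a peer address, so turning
# that lookup off closes the obvious remote path to the bug. Assumes the
# puppetlabs-stdlib file_line type and RHEL/CentOS paths and service names
# (hypothetical fleet; adjust paths, and use libc6 on Debian/Ubuntu).
class ghost_mitigation {
  # file_line rewrites the first line matching 'match'; if nothing matches
  # and 'line' is absent it appends 'line', so both cases converge.
  file_line { 'exim host_lookup':
    path   => '/etc/exim.conf',
    match  => '^\s*host_lookup\s*=',
    line   => '# host_lookup = *',      # commented out: no reverse lookups
    notify => Service['exim'],
  }
  file_line { 'httpd HostnameLookups':
    path   => '/etc/httpd/conf/httpd.conf',
    match  => '^\s*HostnameLookups\b',
    line   => 'HostnameLookups Off',
    notify => Service['httpd'],
  }
  file_line { 'sshd UseDNS':
    path   => '/etc/ssh/sshd_config',
    match  => '^\s*#?\s*UseDNS\b',      # also replaces the commented default
    line   => 'UseDNS no',
    notify => Service['sshd'],
  }
  file_line { 'proftpd UseReverseDNS':
    path   => '/etc/proftpd.conf',
    match  => '^\s*UseReverseDNS\b',
    line   => 'UseReverseDNS off',
    notify => Service['proftpd'],
  }
  service { ['exim', 'httpd', 'sshd', 'proftpd']:
    ensure => running,
  }
}

# Stage 2: applied once the vendor package is in the repositories. A running
# daemon keeps the old libc mapped, so the package change restarts them.
class ghost_patch {
  include ghost_mitigation
  package { 'glibc':
    ensure => latest,   # pin to the fixed version once it is known
  }
  Package['glibc'] ~> Service['exim', 'httpd', 'sshd', 'proftpd']
}
```

Apply ghost_mitigation to the fleet first; ghost_patch pulls it in, so switching nodes to ghost_patch later keeps the hardening in place while the package upgrade runs.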

This quick reaction was made possible by the following:

  1. Constant 24/7 vigil on all security update channels – This allowed us to immediately detect a vulnerability disclosure.
  2. Quick reaction and situation assessment – This allowed us to identify the severity of the issue and the first reaction steps.
  3. Centralized configuration management – This allowed us to quickly update the configuration on hundreds of servers, which would have taken hours if done manually and would have left the servers open to attack for that much longer.

Zero-day threat mitigation is an important part of our security administration process. Security experts are on standby 24/7 and react quickly to blunt any possible attack. Are you looking to improve your website or infrastructure security?
