Agile infrastructure security – How central configuration management was used to quickly patch GHOST glibc vulnerability in data centers
GHOST vulnerability of Glibc was disclosed on 27th Jan. As with any breaking news about vulnerabilities, the initial reports were muddled about the severity of impact, and the extend of exploits running in the wild.
Bobcares Dedicated Linux Systems Administrators deliver zero-day protection against breaking vulnerabilities through agile security reaction procedures. In this case, the announcement said attackers can exploit the gethostbyname() function provided by Glibc, with a proof of concept hack done on an Exim server. So, the first order of business was to prevent any such hacks taking place in servers under our care.
Such contingent action can be initiated very quickly in server farms managed through central configuration management systems like Puppet. Within an hour of the announcement being made, Bobcares engineers made the following changes in the central configuration file of Puppet (or equivalent like Salt) servers.
# host_lookup = * in exim.conf HostnameLookups Off in httpd.conf UseDNS no in sshd_config UseReverseDNS off in proftpd.conf
The changes propagated to hundreds of servers within a matter of minutes, and this effectively prevented exploits through popular service ports. So, even if there was a zero-day exploit making rounds in the wild, it could not be exploited in servers under our care.
Within 24 hours, major vendors started releasing patches for the Glibc package, and yet another Puppet manifest was applied to download and install the latest Glibc package. Update was done on the hundreds of servers within minutes of the package being available on the repositories.
This quick reaction was made possible by the following:
- Constant 24/7 vigil on all security update channels – This allowed us to immediately detect a vulnerability disclosure.
- Quick reaction and situation assessment – This allowed us to identify the severity of the issue, and first reaction steps.
- Centralized configuration management – This allowed us to quickly update the configuration on hundreds of servers which would have taken hours if done manually, and would leave the servers open for hacking for that much longer.
Zero-day threat mitigation is an important part of our security administration process. Security experts are on stand by 24/7 and quickly reacts to blunt any possible hack attempts. Are you looking to improve your website or infrastructure security?