Switching from PBKDF2 to SHA256 user hashes (mainly to prevent transmission of plaintext password during login)
stamparm committed Dec 29, 2015
1 parent 0fbc728 commit 0a121b3
Showing 6 changed files with 16 additions and 66 deletions.
8 changes: 5 additions & 3 deletions README.md
Expand Up @@ -146,13 +146,15 @@ Detected events are stored inside the **Server**'s logging directory (i.e. optio

Server's configuration can be found inside the `maltrail.conf` section `[Server]`:

![Server's configuration](http://i.imgur.com/bPhU1Dl.png)
![Server's configuration](http://i.imgur.com/wWGXaPM.png)

Option `HTTP_ADDRESS` contains the web server's listening address (Note: use `0.0.0.0` to listen on all interfaces). Option `HTTP_PORT` contains the web server's listening port. Default listening port is set to `8338`. If option `USE_SSL` is set to `true` then `SSL/TLS` will be used for accessing the web server (e.g. `https://192.168.6.10:8338/`). In that case, option `SSL_PEM` should be pointing to the server's private/cert PEM file.

Subsection `USERS` contains user's configuration settings. Each user entry consists of the `username:pbkdf2_hash(password):UID:filter_netmask(s)`. Utility `core/pbkdf2.py` is used to calculate valid `pbkdf2_hash(password)` values. Value `UID` represents the unique user identifier, where it is recommended to use values lower than 1000 for administrative accounts, while higher value for non-administrative accounts. The part `filter_netmask(s)` represents the comma-delimited hard filter(s) that can be used to filter the shown events depending on the user account(s). Default entry is as follows:
Subsection `USERS` contains user's configuration settings. Each user entry consists of the `username:sha256(password):UID:filter_netmask(s)`. Value `UID` represents the unique user identifier, where it is recommended to use values lower than 1000 for administrative accounts, while higher value for non-administrative accounts. The part `filter_netmask(s)` represents the comma-delimited hard filter(s) that can be used to filter the shown events depending on the user account(s). Default entry is as follows:

![Configuration users](http://i.imgur.com/o0Tp0IY.png)
![Configuration users](http://i.imgur.com/PYwsZkn.png)

Option `UDP_ADDRESS` contains the server's log collecting listening address (Note: use `0.0.0.0` to listen on all interfaces), while option `UDP_PORT` contains listening port value. If turned on, when used in combination with option `LOG_SERVER`, it can be used for distinct (multiple) **Sensor** <-> **Server** architecture.

Same as for **Sensor**, when running the **Server** (e.g. `python server.py`) for the first time and/or after a longer period of non-running, if option `USE_SERVER_UPDATE_TRAILS` is set to `true`, it will automatically update the trails from trail definitions (Note: stored inside the `trails` directory). Its basic function is to store the log entries inside the logging directory (i.e. option `LOG_DIR`) and provide the web reporting interface for presenting those same entries to the end-user (Note: there is no need install the 3rd party web server packages like Apache):
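Review bot: the rewritten `USERS` paragraph drops the `core/pbkdf2.py` instruction without saying how a `sha256(password)` value is produced, and it does not mention two details the login path now depends on: the client trims the password before hashing (see the `main.js` change in this commit), so the configured digest must be over the trimmed value, and the server compares the submitted string to the stored field exactly, so the hex case in the config must match what the client emits. Suggest a one-liner here (e.g. `printf '%s' 'password' | sha256sum`) plus a warning that, because the server accepts the stored value directly as the credential, `maltrail.conf` must be readable only by the account running `server.py`.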

5 changes: 2 additions & 3 deletions core/httpd.py
Expand Up @@ -11,6 +11,7 @@
import httplib
import glob
import gzip
import hashlib
import io
import json
import mimetypes
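Review bot: `hashlib` is imported here but no line in this diff uses it; the `_login` change below compares the submitted value to the stored one directly. Either drop the import or, better, use it so the server hashes (and salts and stretches) what it receives rather than trusting the client's digest as the credential.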
Expand All @@ -32,7 +33,6 @@
from core.common import get_regex
from core.common import ipcat_lookup
from core.common import worst_asns
from core.pbkdf2 import pbkdf2
from core.settings import config
from core.settings import DATE_FORMAT
from core.settings import DISABLED_CONTENT_EXTENSIONS
Expand Down Expand Up @@ -255,10 +255,9 @@ def _login(self, params):
for entry in (config.USERS or []):
entry = re.sub(r"\s", "", entry)
username, stored_hash, uid, netfilter = entry.split(':')
hash_parts = stored_hash.split('$')
if username == params.get("username"):
try:
if (pbkdf2(params.get("password"), hash_parts[1].decode("hex"), int(hash_parts[2])).encode("hex") == hash_parts[3]):
if params.get("password") == stored_hash:
valid = True
break
except:
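Review bot: `if params.get("password") == stored_hash:` makes the stored hash the password itself: anyone who can read `maltrail.conf` can POST the 64-character hex value as `password` and log in without cracking anything, and an attacker who observes the login request (`USE_SSL` is `false` in the shipped `maltrail.conf`) just replays the digest, so the client-side hashing does not deliver the protection the commit message aims for; only TLS does. Replacing the salted, iterated PBKDF2 (10000 rounds in the old default entry) with bare unsalted SHA256 also makes offline cracking of a leaked config file far cheaper. Suggest keeping a salted, iterated hash on the server over whatever the client submits (the removed `core/pbkdf2.py` could be retained for that), comparing with `hmac.compare_digest` (Python 2.7.7+) rather than `==` to avoid a timing side channel, and narrowing or removing the `try`/bare `except:`, which now wraps nothing but a string comparison and would silently swallow any real error.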
54 changes: 0 additions & 54 deletions core/pbkdf2.py

This file was deleted.

4 changes: 3 additions & 1 deletion core/settings.py
Expand Up @@ -20,7 +20,7 @@
trails = {}

NAME = "Maltrail"
VERSION = "0.8.335"
VERSION = "0.8.336"
SERVER_HEADER = "%s/%s" % (NAME, VERSION)
DATE_FORMAT = "%Y-%m-%d"
ROTATING_CHARS = ('\\', '|', '|', '/', '-')
Expand Down Expand Up @@ -224,6 +224,8 @@ def read_config(config_file):
for entry in (config.USERS or []):
if len(entry.split(':')) != 4:
exit("[!] invalid USERS entry '%s'" % entry)
if re.search(r"\$\d+\$", entry):
exit("[!] invalid USERS entry '%s'\n[?] (hint: please update PBKDF2 hashes to SHA256 in your configuration file)" % entry)

if config.SSL_PEM:
config.SSL_PEM = config.SSL_PEM.replace('/', os.sep)
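Review bot: the new check only rejects entries that still carry the PBKDF2 `$iterations$` markers; positively validating the second field as a 64-character hex digest (e.g. `re.match(r"[0-9a-fA-F]{64}$", entry.split(':')[1])`) would catch typos and any other legacy format at startup instead of as a silent login failure. It is also worth refusing to start, or at least warning, when the entry is still the one shipped in `maltrail.conf` (marked `# changeme!`), since with this change that published hash is a working credential for anyone who has read the repository.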
4 changes: 3 additions & 1 deletion html/js/main.js
Expand Up @@ -112,11 +112,13 @@ function initDialogs() {
$(this).dialog("close");
},
"Log In": function() {
var SHA256 = new Hashes.SHA256;

$.ajax({
type: "POST",
url: "login",
dataType: "text",
data: "username=" + $(this).find("#username")[0].value.trim() + "&password=" + $(this).find("#password")[0].value.trim(),
data: "username=" + $(this).find("#username")[0].value.trim() + "&password=" + SHA256.hex($(this).find("#password")[0].value.trim()),
cache: false,
beforeSend: function() {
$("input").prop("disabled", true);
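Review bot: `Hashes.SHA256` comes from a library that is not added anywhere in this diff; confirm the script is loaded on the login page (not visible here), otherwise the "Log In" handler throws before the request is sent. Two behaviours introduced here need documenting in the README and `maltrail.conf`: the password is `.trim()`med before hashing, so the configured digest must be over the trimmed value, and the digest is sent as-is and accepted as-is by `_login`, so without TLS it is a replayable credential rather than a protection. Minor, pre-existing: the username is still concatenated into the POST body without `encodeURIComponent`, and after this change it is the only unencoded field.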
7 changes: 3 additions & 4 deletions maltrail.conf
Expand Up @@ -12,12 +12,11 @@ USE_SSL false
# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
#SSL_PEM misc/server.pem

# User entries (username:pbkdf2_hash(password):UID:filter_netmask(s))
# Note(s): use 'core/pbkdf2.py' to calculate 'pbkdf2_hash'
# UID >= 1000 have only rights to display results
# User entries (username:sha256(password):UID:filter_netmask(s))
# Note(s): UID >= 1000 have only rights to display results
# filter_netmask(s) is/are used to filter results
USERS
admin:$ff0ae5570e1f39a8$10000$d42e622afe0b0ede53b64b97a59d65c221edbf9dde2f0e95:0:0.0.0.0/0 # changeme!
admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:0.0.0.0/0 # changeme!

# Listen address of (log collecting) UDP server
#UDP_ADDRESS 0.0.0.0
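Review bot: the removed `core/pbkdf2.py` note has no replacement, so the comment no longer says how to produce the hash; add the SHA256 equivalent (e.g. `printf '%s' 'password' | sha256sum`, or `python -c "import hashlib, sys; print hashlib.sha256(sys.argv[1]).hexdigest()" 'password'`). Since `_login` now accepts this value directly as the credential, the comment should also state that the file must be readable only by the user running `server.py` (e.g. `chmod 600 maltrail.conf`) and that the shipped `admin` line must be replaced before exposing the web interface.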
