Advanced Unix
Mid-Term Review Part 1
Oct 11, 2005
nmap
Port Scanner
– http://www.insecure.org/nmap/
Useful tool for conducting system and network port scans
It is not a vulnerability scanner
Types of Scans
TCP connect
TCP SYN (a.k.a. half-open)
TCP FIN (a.k.a. stealth)
TCP SYN/FIN using IP fragments
TCP ftp proxy (a.k.a. bounce attack)
UDP raw ICMP port unreachable
RPC scan
ACK/WIN scan
Ping scan
TCP connect
Goal: find open TCP ports; option -sT
Open a connection to port p on the target
If it succeeds, something is listening on that port
Repeat for desired values of p
Advantages:
– fast; can do many ports in parallel
– no special privileges needed
Disadvantages:
– easy to detect and block (filter)
TCP SYN (a.k.a. half-open)
Goal: find open TCP ports; option -sS
Craft and send a SYN to port p on target
ACK: someone listening; RST: no-one listening
Send RST to tear down (incipient) connection
Repeat for desired values of p
Advantages:
– many sites don’t log this
Disadvantages:
– need root to craft the initial SYN
Network Tools
The netstat command (Page 521) is one such tool
It will show you the number of tcp/udp connections and the services that are listening on your system
Demo netstat
Network Tools
One tool overlooked by the book is lsof
lsof or "list open files" is one of the systems administrator's number one tools
You can trace which processes are using which services, as well as which files are open and by which processes
Demo lsof
Network Tools
Many “root kits” deployed by vandals replace the tools an SA would use to detect the attack
– ps, ls, netstat, lsof, etc.
Always have original binaries and/or the tool source code available
Network Services
They are the Points of Attack
Remove/Disable all unneeded services
– /etc/services – a text file that relates the ports to the services (page 523)
TCP Wrappers
For the services that you need to have running (Page 525)
– Provides for added access control
– The Super Daemon xinetd now has tcp wrappers built in, so any service using xinetd can take advantage of tcp wrappers
TCP Wrappers
Other services also use tcp wrappers, such as “Very Secure FTP” – vsftpd FTP server (Page 525)
– Controlled in the vsftpd configuration file
Access to rsync can be controlled by TCP Wrappers via xinetd
TCP Wrappers
Uses two files to define the access to the services
– /etc/hosts.allow
– /etc/hosts.deny
You can create a deny-by-default for all services that use tcp wrappers
Don’t be misled into thinking this can secure your server 100%
– Understand that not all services can or do use tcp wrappers
– tcp wrappers is not a Firewall but an access control
TCP Wrappers
Good Example in the book (Page 526)
Demo: tcp wrappers
– hosts.allow
– hosts.deny
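A deny-by-default hosts.allow/hosts.deny pair of the kind described above, added here as an example for this review (not the book's files or the course demo); the networks, the admin host 10.0.0.5 and the service names are placeholder values, and tcpdmatch is only run if it is installed:

```shell
#!/bin/sh
# write_wrappers_policy DIR: write a deny-by-default TCP wrappers policy into DIR
# (use /etc as root). Only the LAN and one admin workstation may reach sshd;
# everything else served through tcpd/xinetd is refused and the refusal is logged.
write_wrappers_policy() {
    dir=$1
    cat > "$dir/hosts.allow" <<'EOF'
# hosts.allow is consulted first; the first matching line wins.
sshd:    192.168.1.0/255.255.255.0, 10.0.0.5
vsftpd:  192.168.1.0/255.255.255.0
# The host itself may always reach its own services.
ALL:     127.0.0.1
EOF
    cat > "$dir/hosts.deny" <<'EOF'
# Anything not matched in hosts.allow lands here: deny by default and record
# the daemon (%d) and client (%c) through syslog.
ALL: ALL: spawn /bin/echo "%d refused from %c" | /usr/bin/logger -p auth.warning -t tcpwrap
EOF
    chmod 644 "$dir/hosts.allow" "$dir/hosts.deny"
}

# check_policy DIR: the sanity checks to run before relying on the files.
check_policy() {
    dir=$1
    if ! grep -q '^ALL: ALL' "$dir/hosts.deny"; then
        echo "no catch-all deny"; return 1
    fi
    if grep -q '^ALL:[[:space:]]*ALL' "$dir/hosts.allow"; then
        echo "hosts.allow opens everything"; return 1
    fi
    # tcpdmatch (part of tcp_wrappers) evaluates a request against the files
    # in the current directory with -d; an outside address must be denied.
    if command -v tcpdmatch >/dev/null 2>&1; then
        if ! (cd "$dir" && tcpdmatch -d sshd 203.0.113.9) | grep -q denied; then
            echo "external sshd not denied"; return 1
        fi
    fi
    echo ok
}

tmp=$(mktemp -d)
write_wrappers_policy "$tmp"
check_policy "$tmp"
```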
Firewalls
Several types of Firewalls:
– Packet filter
• Iptables – layer 2 network
– Stateful filter
• Cisco PIX – layer 3 and 4
– Stateful inspection
• Checkpoint Firewall-1
– Application proxy
• Sidewinder – layers 5 thru 7
– Good reference for firewalls: http://www.interhack.net/pubs/fwfaq/
Iptables
iptables is a filtering firewall
Comes standard as part of Linux
– Older versions of Linux have ipchains
FC4 comes with a relatively good initial configuration
Using chkconfig, check to see if your iptables is configured to start on boot
chkconfig --list iptables
Iptables
If it is not, then enable it via the following command:
chkconfig --level 235 iptables on
To start iptables enter:
/etc/init.d/iptables start
Or
service iptables start
Iptables
Many ways to implement iptables
– Demo Shorewall
See: http://www.linuxguruz.com/iptables/
Iptables - IP Filter
IP Filter
– Used to filter packets
– The command to enter a rule is called iptables
– The framework inside the kernel is called Netfilter
– Full matching on IP, TCP, UDP and ICMP packet headers
– Lesser matching on other packet headers possible
– Exception in TCP is the Options field
IP Filter rule consists of:
– Insertion point, Matching IP and Target IP
Iptables - Stateful firewalling
Full state matching (TCP, UDP & ICMP)
Other protocols use a generic connection tracking module
– The generic conntrack module is less specific
– Custom modules can be written
– Certain protocols are more complex
• Requires extra modules called "conntrack helpers"
• Examples are FTP, IRC (DCC), AH/ESP and ntalk
Iptables - Stateful firewalling (cont.)
Userland states
– NEW
• All new connections
• Includes non-SYN TCP packets
– ESTABLISHED
• All connections that have seen traffic in both directions
– RELATED
• All connections/packets related to other connections
• Examples: ICMP errors, FTP-Data, DCC
– INVALID
• Certain invalid packets depending on states
• E.g. FIN/ACK when no FIN was sent
Iptables - NAT
NAT - Network Address Translation
– The science of switching Source or Destination Addresses
Two types of NAT in Linux 2.4
– Netfilter NAT
– Fast NAT
Usage
– Makes a LAN look as if it came from a single source (firewall)
Netfilter NAT
– DNAT - Destination Network Address Translation
– SNAT - Source Network Address Translation
– Requires Connection tracking to keep states and expectations
Iptables - basic syntax
iptables [command] [options] <matches> <target>
Commands:
– append, insert, replace, delete, list, policy, etc.
Options:
– verbose, line numbers, exact, etc.
Matches:
– dport, dst, sport, src, states, TCP options, owner, etc.
Targets:
– ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.
Iptables - matches
Protocol
-p, --protocol [!] [protocol]
– tcp, udp, icmp or all
– Numeric value
– /etc/protocols
Destination IP & Port
-d, --destination [!] address[/mask]
– Destination address
– Resolvable (/etc/resolv.conf)
--dport, --destination-port [!] port[:port]
– Destination port
– Numeric or resolvable (/etc/services)
– Port range
Iptables - matches (cont.)
Source IP & Port
-s, --source [!] address[/mask]
– Source address
– Resolvable (/etc/resolv.conf)
--sport, --source-port [!] port[:port]
– Source port
– Numeric or resolvable (/etc/services)
– Port range
Iptables - matches (cont.)
Incoming and Outgoing interface
-i, --in-interface [!] interface
-o, --out-interface [!] interface
Iptables - targets
ACCEPT
– Accepts the packet
– Ends further processing of the specific chain
– Ends processing of all previous chains
– Except other main chains and tables
DROP
– Drops the packet
– No reply
– Ends all further processing
Iptables - targets (cont.)
REJECT
– Drops packet
– Returns a reply
• User specified reply
• Calculated reply
• TCP-RST or ICMP errors
– Ends all further processing
RETURN
– Returns from a chain to the calling chain
Iptables - a few simple rules
iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport 80:1024 -j DROP
iptables -A FORWARD -p tcp --dport 22:113 -j DROP
iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP
iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp -o lo -j ACCEPT
iptables -P OUTPUT DROP
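A stateful, deny-by-default script built around the rules above, added here as an example rather than taken from the course; eth0 and the allowed ports 22 and 80 are assumptions, and by default it only prints the iptables commands (set IPT=iptables and run as root to apply them). It also accepts loopback on INPUT, which an INPUT policy of DROP needs and which the slide's OUTPUT-only rule for lo does not cover.

```shell
#!/bin/sh
# Deny-by-default stateful filter. IPT defaults to a dry run that only echoes
# the commands; IPT=iptables applies them for real (requires root).
IPT=${IPT:-"echo iptables"}
WAN_IF=${WAN_IF:-eth0}                  # assumed external interface
ALLOWED_TCP=${ALLOWED_TCP:-"22 80"}     # services this host is meant to offer

build_rules() {
    # Start from a clean slate: flush the filter chains and set DROP policies.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback traffic must be allowed in both directions.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # INVALID state (e.g. FIN/ACK when no connection exists): drop silently.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # The slide's rule: a NEW TCP packet without SYN is bogus, answer with RST.
    $IPT -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
    # Replies to connections this host opened, and related traffic (ICMP errors, FTP-Data).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections only to the listed services.
    for port in $ALLOWED_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Everything else falls through to the DROP policy; log a sample of it first.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    # Outbound: what this host initiates on the external interface.
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

build_rules
```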
Iptables additional syntax
Listing the rules
– -L, --list [chain]
-F, --flush [chain]
– Flushes (erases) all rules in a chain
– Or a table
-N, --new chain
– Creates a user-specified chain
– There must be no target with that name previously
-X, --delete-chain [chain]
– Deletes a user-created chain
– No rules may reference the chain
– Can delete all user-created chains in a table
Iptables additional syntax
Creating...
– iptables -t filter -N badtcppackets
and Deleting a chain
– iptables -t filter -X badtcppackets
and Deleting all user-created chains
– iptables -t filter -X
Logging
Need to know:
– where they are and what they contain
– permissions and ownership
– how often they are rotated
You need to:
– Review logfile contents regularly
– Archive important logs
Logging
Pages 541-542 list most of the common logs
These logs are found in the /var/log directory
– /var/log/messages
– /var/log/boot.log
– /var/log/wtmp
– /var/log/dmesg
Logging
What to look for in a log?
– Unusual activity
– Take a look at your logs daily
• /var/log/messages
• /var/log/secure
• /var/log/sshd
• Other service related logs like ftpd, etc.
Logging
Some common things:
– Sendmail messages
– SSH logins/logouts
– FTP logins/logouts
Based on what you see regularly, you will know when something is amiss.
Common log-checking utilities are also an excellent way to keep tabs on your logs
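An added example, not part of the original slides, of the kind of check a log-checking utility automates: it tallies failed sshd password attempts per source address over constructed /var/log/secure-style lines and flags any address at or above a threshold. The host name, user names and addresses are made up for the example.

```shell
#!/bin/sh
# Constructed sshd log lines in syslog format, standing in for /var/log/secure.
SAMPLE_LOG=$(cat <<'EOF'
Oct 11 02:10:01 bruno sshd[1201]: Accepted publickey for chuck from 10.0.0.5 port 40122 ssh2
Oct 11 02:11:14 bruno sshd[1210]: Failed password for root from 192.0.2.77 port 51011 ssh2
Oct 11 02:11:16 bruno sshd[1210]: Failed password for root from 192.0.2.77 port 51011 ssh2
Oct 11 02:11:19 bruno sshd[1212]: Failed password for invalid user admin from 192.0.2.77 port 51020 ssh2
Oct 11 02:12:40 bruno sshd[1215]: Failed password for daria from 10.0.0.9 port 33012 ssh2
Oct 11 02:13:02 bruno sshd[1215]: Accepted password for daria from 10.0.0.9 port 33012 ssh2
EOF
)

# failed_by_source: print "count address" for every source with failed logins,
# most frequent first. The address is the word after "from".
failed_by_source() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/sshd\[[0-9]+\]: Failed password/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
             }
             END { for (a in n) print n[a], a }' |
        sort -rn
}

# suspects THRESHOLD: addresses with at least THRESHOLD failures.
suspects() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# root_attempts: failed logins aimed directly at root deserve their own line.
root_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'Failed password for root '
}

echo "Failed SSH logins by source:"
failed_by_source
echo "Failed root logins: $(root_attempts)"
echo "Sources at or above 3 failures:"
suspects 3
```

On a real host, replace SAMPLE_LOG with the output of `cat /var/log/secure` and run it from cron alongside the daily review.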
Logcheck
Was developed by Psionic (http://www.psionic.com)
– Portsentry
– Logcheck
Easy configuration
Very customizable
Demo: logcheck
Logwatch
Part of FC3 default install
It is a customizable, pluggable log-monitoring application
It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.
Default setup is to email root daily
Syslog Daemon
syslogd: the system event logger
– how syslog works
– its configuration file
– the software that uses syslog
– debugging syslog
What gets logged?
The accounting system
The kernel
Various utilities and applications
– many produce data that needs to be logged
– most of the data has a limited useful lifetime, and needs to be summarized, compressed, archived and eventually deleted
Logging policies
Log data immediately
Reset log files at periodic intervals
Rotate log files, keeping data for a fixed time
Compress and archive to tape or other permanent media
Logging Options
Depends on:
– how much disk space you have
– how security-conscious you are
– how important the system is
Whatever scheme you select, regular maintenance of log files should be automated using cron
Throwing away log files
Not recommended
– security problems (accounting data and log files provide important evidence of break-ins)
– helpful for alerting you to hardware and software problems
In general, keep one or two months
– in the real world, it may take one or two weeks for an SA to realize that the site has been compromised by a hacker and the logs need to be reviewed
Throwing away (cont.)
Most sites store each day’s log info on disk, sometimes in a compressed format
These daily files are kept for a specific period of time and then deleted
One common way to implement this policy is called “rotation”
Rotating log files
Keep backup files that are one day old, two days old, and so on.
– logfile, logfile.1, logfile.2, … logfile.7
Each day rename the files to push older data toward the end of the chain
– script to archive three days’ files
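An added example (not from the course or the book) of the rename-and-push scheme, keeping a fixed number of days and compressing the rotated copies as mentioned above; the demo runs it in a constructed temporary directory rather than /var/log.

```shell
#!/bin/sh
# rotate_log DIR NAME DEPTH: keep NAME, NAME.1.gz ... NAME.DEPTH.gz; the
# oldest copy falls off the end of the chain and a fresh empty NAME is created
# (the writing daemon, e.g. syslogd after a HUP, must reopen it).
rotate_log() {
    dir=$1; name=$2; depth=$3
    i=$depth
    # Walk from the oldest backup downward: .DEPTH is overwritten and lost,
    # .(DEPTH-1) becomes .DEPTH, and so on down to .1 becoming .2.
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$dir/$name.$prev.gz" ]; then
            mv "$dir/$name.$prev.gz" "$dir/$name.$i.gz"
        fi
        i=$prev
    done
    if [ -f "$dir/$name" ]; then
        mv "$dir/$name" "$dir/$name.1"
        gzip -f "$dir/$name.1"
    fi
    # New, empty log readable only by its owner (logs are evidence).
    : > "$dir/$name"
    chmod 600 "$dir/$name"
}

# demo_rotate: five daily rotations with depth 3 on a constructed directory.
# Prints "<number of backups> <content of the oldest surviving backup>".
demo_rotate() {
    tmp=$(mktemp -d)
    day=1
    while [ "$day" -le 5 ]; do
        echo "day $day entries" > "$tmp/messages"
        rotate_log "$tmp" messages 3
        day=$((day + 1))
    done
    n=$(ls "$tmp"/messages.*.gz | wc -l | tr -d ' ')
    printf '%s %s\n' "$n" "$(gzip -dc "$tmp/messages.3.gz")"
    rm -rf "$tmp"
}

demo_rotate
```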
Archiving log files
Some sites must archive all accounting data and log files as a matter of policy, to provide data for a potential audit
Log files should first be rotated on disk, then written to tape or other permanent media
– see chap 11, Backups
Finding log files
Normally in /var/log, but to locate log files you can read the system startup scripts: /etc/rc* or /etc/init.d/*
Some programs handle logging via syslog
– check /etc/syslog.conf to find out where this data goes
– Again, normally to /var/log
Finding log files
Different operating systems put log files in different places:
– /var/log/*
– /var/cron/log
– /usr/adm
– /var/adm …
On Linux, almost all the log files are in the /var/log directory.
What is syslog
A comprehensive logging system, used to manage information generated by the kernel and system utilities.
Allows messages to be sorted by their sources and importance, and routed to a variety of destinations:
– log files, users’ terminals, or even other machines.
Syslog: three parts
Syslogd and /etc/syslog.conf
– the daemon that does the actual logging
– its configuration file
openlog, syslog, closelog
– library routines that programs use to send data to syslogd
logger
– user-level command for submitting log entries
[Diagram: syslog-aware programs use the syslog library routines to write log entries to the special file /dev/log, and the kernel writes to /dev/klog; syslogd reads both, consults /etc/syslog.conf, and dispatches messages to log files, users’ terminals or other machines]
Configuring syslogd
The configuration file /etc/syslog.conf controls syslogd’s behavior.
It is a text file with a simple format; blank lines and lines beginning with ‘#’ are ignored.
– Selector <TAB> action
– e.g. mail.info /var/log/maillog
Configuration file - Selector
Identify
– source -- the program (‘facility’) that is sending a log message
– importance -- the message’s severity level
– e.g. mail.info /var/log/maillog
Syntax
– facility.level
– facility names and severity levels must be chosen from a list of defined values
Sample syslog output
Dec 27 02:45:00 x-wing netinfod[71]: cann’t lookup child
Dec 27 02:50:00 bruno ftpd[27876]: open of pid file failed: not a directory
Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
Dec 27 02:55:33 bruno sendmail[28040]: host name/address mismatch: 192.93.110.26 != bull.bull..fr
Linux networking
Understand basic configuration of a Network Interface
– IP address
– Subnet mask
– Gateway
Talk about other types of interfaces (PPP, IPSec, etc)
Use network utilities (ifconfig, mii-tool, etc)
The TCP/IP protocol
Internet Protocol (IP) address
– Four 8-bit numbers (Octets)
– Identifies a computer on the network
Subnet mask
– Four 8-bit numbers
– Determines the network and host portions of an IP address
Default gateway
– Router that sends packets to remote networks
Configuring a NIC interface
ifconfig command
– Assigns TCP/IP configuration to a NIC
– Displays configuration of all network interfaces
ping (packet internet groper) command
– Checks connectivity to other computers
Configuring a NIC interface
Multiple Tools to accomplish this:
– Command line: ifconfig
– Curses based: netconfig
– Graphical: system-config-network
Name resolution
Hostnames
– Name assigned to a computer
– Uses plain language
Fully Qualified Domain Name (FQDN)
– Hostname that follows DNS convention
Domain Name Space (DNS) server
– Resolves FQDNs to IP addresses
The Domain Name Space
Common network services
Port
– Number that identifies a network service
– 65,535 possible ports
Well-known port
– used by common networking services
– 0 to 1,024
traceroute command
Used to troubleshoot routing
Displays all routers between the current computer and a remote computer
The mii-tool
An easy way to determine which speed is used by an Ethernet card
The Ethernet card needs to have Media Independent Interface circuitry
Secure Shell Without Passwords
Using ssh without passwords
– Everybody pair up
– Ensure each of you has an account/password on each other’s system
Refer to the Text Book for the commands and see if you can get this to work
Secure Shell Without Passwords
When we last left the intrepid students they were struggling with secure shell and keys….
But wait….Daria and Chuck have made it work.
Is this the break through we’ve been waiting for?
Secure Shell Without Passwords
1. Pair Up
2. Ensure you have an account on your partner’s system and you know the password
3. Generate the ssh key
cd ~/.ssh
ssh-keygen -t dsa
Do not enter a passphrase when prompted (this generates public and private keys)
Secure Shell Without Passwords
4. Copy public key from your system to your partner’s
scp id_dsa.pub userid@partner:/tmp
5. Then enter the following (same line)
ssh userid@partner 'cat /tmp/id_dsa.pub >> /home/userid/.ssh/authorized_keys2'
6. Clean up
ssh userid@partner rm /tmp/id_dsa.pub
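Step 5's append, as an added example (not from the course or the text book) that installs the key only once and sets the ~/.ssh and authorized_keys permissions that sshd's StrictModes requires before it will honour the file; the file name authorized_keys, the helper names and the demo key line are assumptions, and the demo runs in a temporary directory rather than a real home.

```shell
#!/bin/sh
# install_pubkey PUBFILE HOME: append the public key in PUBFILE to
# HOME/.ssh/authorized_keys, idempotently, with StrictModes-safe permissions
# (a group- or world-writable ~/.ssh or key file makes sshd ignore the key).
install_pubkey() {
    pub=$1; home=$2
    auth="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$auth"
    chmod 600 "$auth"
    # Field 2 is the key material; the trailing comment may differ between copies.
    key=$(awk '{ print $2 }' "$pub")
    if grep -qF -- "$key" "$auth"; then
        echo "already installed"
    else
        cat "$pub" >> "$auth"
        echo "installed"
    fi
}

# count_keys HOME: how many keys are currently authorised for that account.
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# Demo with a constructed key line in a temporary HOME so no real account is touched.
demo_home=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEKEYMATERIAL chuck@student1\n' > "$demo_home/id_dsa.pub"
install_pubkey "$demo_home/id_dsa.pub" "$demo_home"
install_pubkey "$demo_home/id_dsa.pub" "$demo_home"   # second run is a no-op
count_keys "$demo_home"
rm -rf "$demo_home"
```

On current OpenSSH, ssh-copy-id performs the same installation, and DSA keys are no longer accepted by default, so generate an ed25519 or RSA key instead of following step 3 literally.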