Novell Course 3058 SUSE Linux Security Workbook


  • 7/31/2019 Novell Course 3058 SUSE Linux Security WorkBook

    1/110

    Novell Training Services

    SELF-STUDY WORKBOOK

    www.novell.com

    SUSE LINUX Security

    COURSE 3058

    Version 1


    Proprietary Statement

    Copyright 2005 Novell, Inc. All rights reserved.

    No part of this publication may be reproduced, photocopied, stored on a retrieval

    system, or transmitted without the express prior consent of the publisher. This

    manual, and any portion thereof, may not be copied without the express written

    permission of Novell, Inc.

    Novell, Inc., 1800 South Novell Place

    Provo, UT 84606-2399

    Disclaimer

    Novell, Inc. makes no representations or warranties with respect to the contents

    or use of this manual, and specifically disclaims any express or implied

    warranties of merchantability or fitness for any particular purpose.

    Further, Novell, Inc. reserves the right to revise this publication and to make

    changes in its content at any time, without obligation to notify any person or

    entity of such revisions or changes.

    Further, Novell, Inc. makes no representations or warranties with respect to any

    NetWare software, and specifically disclaims any express or implied warranties

    of merchantability or fitness for any particular purpose.

    Further, Novell, Inc. reserves the right to make changes to any and all parts of NetWare software at any time, without obligation to notify any person or entity

    of such changes.

    This Novell Training Manual is published solely to instruct students in the use of

    Novell networking software. Although third-party application software packages

    are used in Novell training courses, this is for demonstration purposes only and

    shall not constitute an endorsement of any of these software applications.

    Further, Novell, Inc. does not represent itself as having any particular expertise

    in these application software packages and any use by students of the same shall

    be done at the student's own risk.

    Software Piracy

    Throughout the world, unauthorized duplication of software is subject to both

    criminal and civil penalties.

    If you know of illegal copying of software, contact your local Software Antipiracy Hotline.

    For the Hotline number for your area, access Novell's World Wide Web page at

    http://www.novell.com and look for the piracy page under Programs.

    Or, contact Novell's anti-piracy headquarters in the U.S. at 800-PIRATES (747-2837) or 801-861-7101.

    Trademarks

    Novell, Inc. has attempted to supply trademark information about company

    names, products, and services mentioned in this manual. The following list of

    trademarks was derived from various sources.

    Novell, Inc. Trademarks

    NetWare, the N-Design, and Novell are registered trademarks of Novell, Inc. in

    the United States and other countries. CNA, CDE, CNI, NAEC, and Novell Authorized Education Center are service marks and CNE is a registered service

    mark of Novell, Inc. in the United States and other countries. ConsoleOne,

    DirXML, and eDirectory are trademarks of Novell, Inc. GroupWise is a

    registered trademark of Novell, Inc. Hot Fix, and IPX is a trademark of Novell,

    Inc. NDS, Novell Directory Services, and NDPS are registered trademarks of

    Novell, Inc. NetWire is a registered service mark of Novell, Inc. in the United

    States and other countries. NLM and Novell Certificate Server are trademarks of

    Novell, Inc. Novell Client, Novell Cluster Services, and Novell Distributed Print

    Services are trademarks of Novell, Inc. ZENworks is a registered trademark of

    Novell, Inc.

    Other Trademarks

    Adaptec is a registered trademark of Adaptec, Inc. AMD is a trademark of

    Advanced Micro Devices. AppleShare and AppleTalk are registered trademarks

    of Apple Computer, Inc. ARCserv is a registered trademark of Cheyenne

    Software, Inc. Btrieve is a registered trademark of Pervasive Software, Inc.

    EtherTalk is a registered trademark of Apple Computer, Inc. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other

    countries. Linux is a registered trademark of Linus Torvalds. LocalTalk is a

    registered trademark of Apple Computer, Inc. Lotus Notes is a registered

    trademark of Lotus Development Corporation. Macintosh is a registered

    trademark of Apple Computer, Inc. Netscape Communicator is a trademark of

    Netscape Communications Corporation. Netscape Navigator is a registered

    trademark of Netscape Communications Corporation. Pentium is a registered

    trademark of Intel Corporation. Solaris is a registered trademark of Sun

    Microsystems, Inc. The Norton AntiVirus is a trademark of Symantec

    Corporation. TokenTalk is a registered trademark of Apple Computer, Inc. Tru64

    is a trademark of Digital Equipment Corp. UNIX is a registered trademark of the

    Open Group. WebSphere is a trademark of International Business Machines

    Corporation. Windows and Windows NT are registered trademarks of Microsoft

    Corporation.


    Version 1   Copying all or part of this manual, or distributing such copies, is strictly prohibited.   1-1
    To report suspected copying, please call 1-800-PIRATES.

    Contents

    SUSE LINUX Security Self-Study Workbook

    Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-1

      SUSE LINUX Enterprise Server 9 Setup Instructions . . . . . . . . . . . . . . . . . . . . . . . Intro-2

        Access the SUSE LINUX Enterprise Server 9 as a VMware Server . . . . . . . . . . . . . . Intro-2

        Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST . . . . . . Intro-8

      Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-11

    SECTION 2 Host Security

      Exercise 2-1 Install SLES 9 with a Customized Partition Scheme . . . . . . . . . . . . . . . 2-2

      Exercise 2-2 Change PAM Configuration to Disable Graphical Root Login . . . . . . . . . 2-6

      Exercise 2-3 Subscribe to the SUSE Security Announcements . . . . . . . . . . . . . . . . . 2-8

      Exercise 2-4 Use nmap to Scan for Open Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

      Exercise 2-5 Run a nessus Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

    SECTION 3 Cryptography: Basics and Practical Application

      Exercise 3-1 Create a CA and Certificates on the Command Line . . . . . . . . . . . . . . . 3-2

      Exercise 3-2 (optional) Create a Root CA and Certificates Using YaST . . . . . . . . . . . 3-5

      Exercise 3-3 (optional) Work with GPG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

    SECTION 4 Network Security

      Exercise 4-1 Configure the TCP Wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

      Exercise 4-2 Use stunnel to Secure POP3 with SSL . . . . . . . . . . . . . . . . . . . . . . . . 4-5

    SECTION 6 Packet Filters

      Exercise 6-1 Get Familiar with Basic iptables Syntax . . . . . . . . . . . . . . . . . . . . . . . 6-2

      Exercise 6-2 Modify the Script to Set and Delete iptables Rules . . . . . . . . . . . . . . . 6-15

      Exercise Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19


    SECTION 7 Application-level Gateway

    Exercise 7-1 Install and Configure Squid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

    Exercise 7-2 Configure SSL in Squid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

    Exercise 7-3 Configure Proxy Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10

    Exercise 7-4 Configure Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14

    Exercise 7-5 Analyze Squid Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

    Exercise 7-6 Use Dante. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19

    Exercise 7-7 Configure rinetd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25

    SECTION 8 Virtual Private Networks

    Exercise 8-1 Establish a VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

    Exercise 8-2 (optional) Create a VPN Configuration Using YaST . . . . . . . . . . . . . . . . . . . . 8-6

    Exercise 8-3 (optional) Filter IPSec Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8

    SECTION 9 Intrusion Detection and Incident Response

    Exercise 9-1 Log to a Remote Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2

    Exercise 9-2 Use Argus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

    SECTION 10 LifeFire Exercise

    Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

    Section 1 Set Up the Application-Level Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

    Section 2 Set Up the Screening Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

    Section 3 Set Up a Web Server in the DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6

    Section 4 Set Up the Mail Server in the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7

    Section 5 Set Up the VPN Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8


    SUSE LINUX Security Self-Study Workbook

    This workbook is designed to help you practice the skills associated with Course 3058 (SUSE LINUX Security) objectives outside of a classroom.

    Introduction

    The skills introduced in this workbook are critical for performing administrative tasks with regard to security with SUSE LINUX Enterprise Server 9, and are necessary for passing the Novell CLE9 (Certified Linux Engineer) practicum.

    The exercises in this workbook are the same as those included in your Course 3058 SUSE LINUX Security manual, but with modifications and notes to help you perform the exercises on a single computer without relying on an instructor or partner SUSE LINUX Enterprise Server 9 server.

    Note: If you experience any problems using the SUSE LINUX Enterprise Server 9 VMware Server DVD or the Self-Study Workbook, please email your questions or comments to [email protected].


    SUSE LINUX Enterprise Server 9 Setup Instructions

    Before starting the exercises in this workbook, you need to set up a SUSE LINUX Enterprise Server 9 server with the same configuration as that provided in the classroom.

    There are two solutions provided for you:

    - Access the SUSE LINUX Enterprise Server 9 as a VMware Server on Intro-2
    - Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST on Intro-8

    Access the SUSE LINUX Enterprise Server 9 as a VMware Server

    If you want to avoid dedicating a computer to a SUSE LINUX Enterprise Server 9 installation, you can use the SUSE LINUX Enterprise Server 9 VMware virtual server provided on the SUSE LINUX Enterprise Server 9 VMware Server DVD.

    The following guides you through installing and using the SUSE LINUX Enterprise Server 9 VMware server:

    - Check Setup Prerequisites
    - Install the SUSE LINUX Enterprise Server 9 VMware Server
    - Configure the SUSE LINUX Enterprise Server 9 VMware Server
    - Start the SUSE LINUX Enterprise Server 9 VMware Server
    - VMware Workstation Tips


    Check Setup Prerequisites

    The following items are required to run the SUSE LINUX Enterprise Server 9 VMware server on your computer:

    Table Intro-1

      Item                                                   Requirement
      Memory                                                 256 MB RAM (minimum)
      Hard Drive Space                                       3.4 GB
      DVD-ROM Drive                                          For reading the SUSE LINUX Enterprise Server 9 Self-Study Server DVD and other CDs required for the exercises.
      Software                                               VMware Workstation 5 or later (Windows or Linux)
      SUSE LINUX Enterprise Server 9 Self-Study Server DVD   Contains the SUSE LINUX Enterprise Server 9 VMware Server files

    Although you can run the SUSE LINUX Enterprise Server 9 VMware server with 256 MB of RAM, processing time for performing some Linux administration tasks (such as using YaST) can be significantly reduced by increasing memory for the VMware server.

    If you do not own a copy of VMware Workstation (or have a version earlier than 5), you can download and install a VMware Workstation 5 30-day evaluation copy from www.vmware.com.


    Install the SUSE LINUX Enterprise Server 9 VMware Server

    Once you have VMware Workstation 5 installed on your host computer, do the following to install the SUSE LINUX Enterprise Server 9 VMware server:

    1. Insert the SUSE LINUX Enterprise Server 9 Self-Study Server DVD in your DVD-ROM drive.

    2. Copy the VMware server files on the DVD to a directory on your hard drive.

       We recommend creating a specific directory (such as /tmp/vmware/SLES9_3058) to store the files.

    3. Start VMware Workstation 5.

    4. Select File > Open ...

    5. Browse to and open the sles.vmx file.

       The SLES9_3058 VMware server opens in VMware Workstation and is ready to start.

    6. Some exercises require a second computer. Create a second VMware machine by creating another directory (like /tmp/vmware/SLES9_3058-2) on the VMware host and repeat Steps 2 - 5.

       To avoid mixing up the machines, you could give the second machine another hostname.


    Configure the SUSE LINUX Enterprise Server 9 VMware Server

    Before starting SUSE LINUX Enterprise Server 9, do the following:

    1. Select VM > Settings. A Virtual Machine Settings dialog appears.

       From this dialog you can adjust the settings for several devices such as memory, floppy drive, and network adaptor before starting the virtual server.

    2. Check the following device settings:

       Memory. This memory setting indicates the amount of memory used by the SUSE LINUX Enterprise Server 9 virtual server on the host computer.

       Although you can run the SUSE LINUX Enterprise Server 9 virtual server with 256 MB of memory, we recommend increasing the amount (when possible) to increase the speed of certain administrative tasks (such as starting X Window or using the GUI version of YaST).

       DVD/CD-ROM. This is the DVD drive on your host computer, and should be set as a physical drive.

       We recommend leaving the default setting at auto detect for Windows.

       If you are running VMware Workstation on Linux, enter the device name of the DVD drive (such as /dev/hdc). You can normally select the device name from the drop-down list for the Device field.

       Floppy Drive. This is the floppy drive on your host computer.

       The default is set to A: for a Windows computer. If you are running VMware Workstation on Linux, change the setting to the device for the floppy drive (such as /dev/fd0).


       Network Adaptor. The NAT network connection default setting provides a VMware Workstation DHCP server for the SUSE LINUX Enterprise Server 9 server (which is configured to use DHCP).

       While you can select another setting (such as Bridged), these have not been tested and can cause problems completing the exercises.

       We recommend keeping the default NAT setting.

       The rest of the settings should work properly to provide you with the access you need to devices for USB, sound, and mouse control.

       If not, return to this dialog to make the necessary adjustments to the settings.

    3. When you finish reviewing the virtual server configuration, save any changes and close the dialog by selecting OK.

       During the exercises, you use Ctrl + Alt to access features such as terminal consoles. VMware Workstation also uses this hot key combination to switch you out of the virtual server to the host machine.

    4. To change the VMware hot key configuration, select Edit > Preferences.

       A Preferences dialog appears.

    5. Select the Hot keys tab; then select the Ctrl-Shift-Alt option.

       Once you start the SUSE LINUX Enterprise Server 9 VMware server, you can press Ctrl + Shift + Alt to access the host machine, including the VMware Workstation menu options.

    6. Save the change by selecting OK.


    Start the SUSE LINUX Enterprise Server 9 VMware Server

    Do the following:

    1. Start the SUSE LINUX Enterprise Server 9 VMware server by selecting the Power On button (or select Start this virtual machine).

    2. The SUSE LINUX Enterprise Server 9 server starts booting.

    3. (conditional) If you cannot see the entire SUSE LINUX Enterprise Server 9 window on your monitor, select the VMware Workstation full screen mode.

       After starting the SUSE LINUX Enterprise Server 9 services, a blank screen is displayed while the X Window GUI interface is loaded.

       Depending on the amount of memory allocated to the virtual server, loading the GUI interface can take almost a minute.

    4. The VMware Tools package enhances the graphics resolution and color depth capabilities of your virtual server.

       This package is already installed in the SUSE LINUX Enterprise Server 9 VMware image on the Student CD. No action is needed on your part to install it.

    5. Click in the virtual server window to switch keyboard and mouse functionality from the host computer to the virtual server.

       You are ready to start Exercise 2-2 Change PAM Configuration to Disable Graphical Root Login. (Exercise 2-1 Install SLES 9 with a Customized Partition Scheme is not needed if you use the VMware image as above.)


    VMware Workstation Tips

    Although we rely on your experience with VMware Workstation to complete the exercises in a virtual server environment, the following are some tips that can help you when using the SUSE LINUX Enterprise Server 9 virtual server:

    - If you cannot use the keyboard to enter text, try selecting the virtual server window with the mouse or try pressing Shift + Tab.

    - If you need to switch keyboard and mouse focus from the virtual server to the host computer, press Ctrl + Shift + Alt; then select the virtual window again to switch focus back.

    - If you want to save a copy of the SUSE LINUX Enterprise Server 9 virtual server before continuing on with an exercise or the next exercise, use the Snapshot feature (VM > Snapshot > Take Snapshot).

    - Before powering off the SUSE LINUX Enterprise Server 9 virtual server, make sure you shut down the server to avoid any problems caused by not shutting down the server cleanly.

    Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST

    If you want to install the SUSE LINUX Enterprise Server 9 student server on an available computer, the 3058_Course_CD includes an AutoYaST file (/setup/student.xml) that automatically configures SUSE LINUX Enterprise Server 9 for you during installation. All you need to do is swap CDs during the installation.

    Note: By installing SUSE LINUX Enterprise Server 9 with AutoYaST, you remove the existing operating system and all files on your hard drive. Before starting the installation, make sure you back up any important files you want to keep.


    To install and configure SUSE LINUX Enterprise Server 9 on your computer with AutoYaST, do the following:

    1. Check to make sure your computer meets the following hardware requirements:

       - A Pentium III or AMD 750 MHz or faster computer
       - 512 MB RAM (256 minimum)
       - 20 GB hard disk
       - CD-ROM drive

       Internet access is optional for completing the exercises.

    2. Copy the file student.xml (on your 3058 Setup CD) to the root of a floppy diskette.

    3. Boot the server from SUSE LINUX Enterprise Server 9 CD 1.

    4. When the GRUB installation screen appears, highlight the Installation option. You have 20 seconds to highlight the option before GRUB boots from the hard drive.

    5. Set the display resolution by pressing F2; then select a display resolution of at least 1024x768.

       If a resolution of 1024x768 is not available, select the highest resolution available (such as 640x480).

    6. Insert the floppy diskette with the file student.xml into the server diskette drive.

    7. In the Boot Options field (bottom of the screen), type the following:

       autoyast=floppy:///student.xml

       Make sure you enter 3 forward slashes (///) or the installation program will not be able to find the file student.xml.

    8. When you are ready to begin installation, press Enter.


       The kernel loads and the SUSE LINUX Enterprise Server 9 installation program detects the available hardware.

       A Novell Software License Agreement dialog appears. YaST takes care of accepting this agreement and interfacing with all other dialogs during installation.

    9. At certain points, YaST requests a particular SUSE LINUX Enterprise Server 9 installation CD.

       Insert the requested SUSE LINUX Enterprise Server 9 CD; then continue by selecting OK. Continue swapping CDs as indicated by the YaST installation program.

       The installation screen keeps you updated on the installation progress (time remaining and percentage completed).

       After copying files from the CDs, YaST performs tasks such as updating the configuration, copying files to the installed system, installing the boot manager, and preparing for an initial system boot.

       When these tasks are completed, YaST reboots the system.

    10. Remove the student.xml diskette and the last SUSE LINUX Enterprise Server 9 CD from the computer drives, and then wait for the system to boot.

        After the system automatically reboots and finishes configuring, a GUI login screen appears.

    11. Log in as geeko with a password of N0v3ll (a zero, not an uppercase O).


    Scenario

    The Digital Airlines management has made the decision to secure access from the local networks to the Internet with firewalls consisting of packet filters and application level gateways. The Digital Airlines offices will be connected using a VPN based on IPSec.

    To implement various components of this network topology, you need additional experience in the following areas:

    - System administration with a strong focus on security
    - Using cryptography to secure network services
    - Setting up packet filters
    - Setting up application-level gateways
    - Connecting networks using VPN technology

    You decide to set up test servers in the lab to enhance your skills in these areas.


    SECTION 2 Host Security

    In this section of the workbook, you learn how to do the following:

    - Install SLES 9 with a Customized Partition Scheme on 2-2
    - Change PAM Configuration to Disable Graphical Root Login on 2-6
    - Subscribe to the SUSE Security Announcements on 2-8
    - Use nmap to Scan for Open Ports on 2-9
    - Run a nessus Scan on 2-10


    Exercise 2-1 Install SLES 9 with a Customized Partition Scheme

    Before you start to work on this exercise, think about which partitioning scheme makes sense to use for which server purpose.

    The purpose of this exercise is to show how security can be improved by selecting an appropriate partitioning scheme for the hard disk.

    During the exercises of this section, you will install the SLES 9 server you will be using during the rest of the course.

    As this exercise assumes you are familiar with installation of SLES 9 in general, not every single step is described.

    To partition the hard disk, do the following:

    1. Turn on your machine and insert SLES 9 CD 1 in the CD-ROM drive. Select Installation in the installation menu.

    2. Follow the installation workflow until the Installation Settings screen appears.

    3. Remove any partitions from the hard drive by doing the following:

       a. Select Partitioning.

       b. Select Create custom partition setup; then select Next.

       c. Select Custom Partitioning -- for experts; then select Next.

       d. Remove any existing partitions by selecting the device /dev/hda; then select Delete.

          A dialog appears asking if you really want to delete all the partitions on /dev/hda.

       e. Confirm the deletion by selecting Yes.

          All partitions are removed from the list.


    4. Create new partitions according to the partitioning scheme which has been outlined by the instructor. If you are a self-study student, you can use the following scheme:

       - swap (1 GB)
       - / (3 GB)
       - /usr (3 GB)
       - /opt (3 GB)
       - /var (2 GB)
       - /tmp (2 GB)
       - /home (1 GB)
       - /srv (rest of the hard disk)

       The sizes will vary depending on the disk space available and the purpose of the server.

       The following is the basic procedure to create partitions in the expert partitioner:

       1. Select Create.

       2. Choose Primary Partition or Extended Partition. (You can create the first three partitions as Primary Partitions. Then you need to create one Extended Partition. In this Extended Partition you can then create further Logical Partitions.)

       3. Select the Format checkbox and choose a filesystem. Select Swap for the swap partition and Reiser for all other partitions.

       4. Adjust the End Cylinder value. Type for example +3GB for a 3 GB partition.

       5. Select a mount point for the partition according to your partitioning scheme. You don't have to select a Mount Point for the swap partition.

       6. Select OK, and start again with step 1 for the next partition.


    5. When you have created all partitions, close the Expert Partitioner and return to the Installation Settings overview.

    6. In the Installation Settings overview window select Software.

    a. Select Minimum graphical system (without KDE) and then Detailed selection.

    b. If you prefer to use a desktop environment, select KDE or GNOME.

    c. Select Analyzing Tools, as you will be using several of these during the course.

    d. Select Accept.

    7. If an Automatic Changes dialog pops up, select Continue.

    Software installation takes some time.

    Note: You will install further packages during this course to perform the exercises.

    8. Once all settings have been made in the Installation Settings dialog, select Accept and then Yes, install.

    9. Proceed with the installation:

    There is no need to create a CA at this point, as this will be done later in the course. Therefore, select Skip configuration at this point.

    Do not activate LDAP; use local authentication.

    When prompted for the root password, select Expert Options and choose the encryption type Blowfish.

    Use novell as root password for the purpose of this course.

    Create a user geeko with the password N0v3ll.

    Unless the instructor tells you otherwise, use DHCP in the networking setup; the domain name is digitalairlines.com; use 10.0.0.254 as default gateway.


    When done with the installation, log in to the graphical user interface as geeko.

    (End of Exercise)


    Exercise 2-2 Change PAM Configuration to Disable Graphical Root Login

    In this exercise, you change the PAM configuration by doing the following:

    1. Log out of the KDE desktop environment.

    2. When the KDM login screen appears, log in with the following:

    Username: root
    Password: novell

    Notice that you can log in as root without a root entry in the login screen.

    3. Log out again from the KDE desktop environment.

    4. Log in as geeko with a password of N0v3ll.

    5. Open a terminal window and su to root.

    6. Open the file /etc/pam.d/xdm in a text editor.

    7. Add the following as the second line of the file:

    auth required pam_securetty.so

    8. Save and close the file.

    9. Log out and try to log in as root user at the KDM login screen again.

    The root login is denied.

    10. Log in as geeko again.

    Note: If you cannot log in as geeko, restart the X server by pressing Ctrl + Alt + Backspace and try again. You might also need to reboot your server.

    11. Open a terminal window and su to root.


    12. Open the file /etc/pam.d/xdm in a text editor and remove or comment out the following line (the line you added):

    auth required pam_securetty.so

    13. Save and close the file.

    14. Log out and try to log in as root at the KDM login screen again.

    You can now log in as root.

    Note: If you cannot log in as root, restart the X server using Ctrl + Alt + Backspace and try again.

    15. Log out of the KDE desktop environment and log back in as geeko.

    (End of Exercise)
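    The exercise above edits /etc/pam.d/xdm by hand. As an added example that is not part of the workbook, the following POSIX shell functions make the same change idempotently (a second run adds no duplicate line), keep a backup of the original file, and revert the change as step 12 does. The PAM file path is an argument and the sample file the functions operate on is constructed here, modelled on the SLES 9 xdm service file rather than copied from it.

```shell
#!/bin/sh
# Added example (not the workbook's code): enable and disable the pam_securetty
# check in a PAM service file, as Exercise 2-2 does by hand, but idempotently
# and with a backup. The file path is an argument; the sample file is constructed.
set -eu

SECURETTY_LINE='auth     required       pam_securetty.so'

has_securetty() {                # 0 if an active (not commented) auth line loads pam_securetty
  grep -Eq '^[[:space:]]*auth[[:space:]].*pam_securetty\.so' "$1"
}

block_root_login() {             # insert the line as line 2, after the #%PAM-1.0 header (step 7)
  pam_file="$1"
  has_securetty "$pam_file" && return 0          # already active: nothing to do
  cp -p "$pam_file" "$pam_file.orig"              # keep a copy to revert to
  tmp="$pam_file.tmp.$$"
  { head -n 1 "$pam_file"; printf '%s\n' "$SECURETTY_LINE"; tail -n +2 "$pam_file"; } > "$tmp"
  mv "$tmp" "$pam_file"
}

allow_root_login() {             # comment the line out again (step 12)
  pam_file="$1"
  tmp="$pam_file.tmp.$$"
  sed 's/^\([[:space:]]*auth[[:space:]].*pam_securetty\.so.*\)$/#\1/' "$pam_file" > "$tmp"
  mv "$tmp" "$pam_file"
}

write_sample_xdm() {             # constructed file resembling /etc/pam.d/xdm on SLES 9
  cat > "$1" <<'EOF'
#%PAM-1.0
auth     required       pam_unix2.so
account  required       pam_unix2.so
password required       pam_unix2.so
session  required       pam_unix2.so
EOF
}
```

    Because pam_securetty only consults /etc/securetty, the line blocks root at KDM without touching the console logins listed there; has_securetty is the check to run after an upgrade replaces the service file.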


    Exercise 2-3 Subscribe to the SUSE Security Announcements

    In this exercise, you subscribe to the SUSE security mailing list. This means that Novell/SUSE will inform you by email about current security issues of SUSE Linux products.

    If you don't want to receive these messages, skip this exercise.

    Do the following:

    1. From the KDE start menu, select Internet > Web Browser.

    2. In the address bar of the browser, enter the following:

    http://www.suse.com/en/business/mailinglists.html

    3. Scroll down to the entry suse-security-announce; then select the check box for that entry.

    4. Scroll down to the bottom of that page. In the E-mail Address field, enter your email address.

    5. Subscribe to the list by selecting OK.

    6. Close the web browser window.

    (End of Exercise)


    Exercise 2-4 Use nmap to Scan for Open Ports

    The purpose of this exercise is to familiarize you with nmap and port scans. You will work with another student in this exercise.

    Do the following:

    1. Open a terminal window and sux - to root with a password of novell.

    2. Perform a TCP connect scan on the computer of your partner by entering the following command:

    nmap -sT IP_of_partner

    Compare the result with the output of netstat -patune on his or her computer.

    3. Start Ethereal by typing ethereal.

    4. Select Capture > Start.

    5. Select OK.

    6. Let your partner scan your computer with nmap.

    7. Select Stop in the Ethereal capture dialog.

    8. Have a look at the packet list in Ethereal. Can you identify the packets nmap used for the port scan?

    (End of Exercise)


    Exercise 2-5 Run a nessus Scan

    The purpose of this exercise is to show you how to set up nessusd and the nessus client to scan hosts in the network. You will work with a partner.

    Do the following:

    1. Open a terminal window and sux - to root with a password of novell.

    2. Create a certificate for nessusd and add a user who may access nessusd by entering:

    nessus-mkcert
    nessus-adduser

    Answer any questions appropriately. Use geeko as the user to add. When prompted to enter rules within the adduser script, press Ctrl-D without entering any rules.

    3. Start nessusd by entering:

    rcnessusd start

    4. Start the user interface by entering

    nessus

    5. Log in as geeko with the password you provided within the script.

    6. Enter the IP address of your partner's computer as the target host and scan it.

    7. View the report by selecting the entries shown in the report window.

    (End of Exercise)


    S E C T I O N 3 Cryptography: Basics and Practical Application

    In this section of the workbook, you learn how to do the following:

    Create a CA and Certificates on the Command Line on 3-2
    (optional) Create a Root CA and Certificates Using YaST on 3-5
    (optional) Work with GPG on 3-6


    Exercise 3-1 Create a CA and Certificates on the Command Line

    Note: The certificates created in this exercise are used later in the Network Security section of this course. Complete the exercise successfully and do not delete the certificates after the exercise.

    The purpose of this exercise is to familiarize you with the openssl command. The certificates created in this exercise can be used in an exercise in the next section.

    Do the following:

    1. Open a terminal window and su - to root with a password of novell.

    2. Create the necessary directory structure in root's home directory (using your hostname instead of DAxx) and change the permissions for the private directory:

    mkdir -p DAxx-ca/{certs,newcerts,private,crl}
    cd DAxx-ca
    chmod 700 private

    3. Edit the file /etc/ssl/openssl.cnf with a text editor and change variables and company entries appropriately, like /root/DAxx-CA for dir and Digitalairlines as company.


    The following is the example for the system da10. Please adjust your settings to your environment.

    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME = /root/DA10-CA
    ...
    dir = /root/DA10-CA                       # Where everything is kept
    certs = $dir/certs                        # Where the issued certs are kept
    crl_dir = $dir/crl                        # Where the issued crl are kept
    database = $dir/index.txt                 # database index file.
    unique_subject = yes                      # Set to 'no' to allow creation of
                                              # several certificates with same
                                              # subject.
    new_certs_dir = $dir/newcerts             # default place for new certs.
    certificate = $dir/da10-cacert.pem        # The CA certificate
    serial = $dir/serial                      # The current serial number
    #crlnumber = $dir/crlnumber               # the current crl number
                                              # must be commented out to leave a
                                              # V1 CRL
    crl = $dir/crl.pem                        # The current CRL
    private_key = $dir/private/da10-cakey.pem # The private key
    RANDFILE = $dir/private/.rand             # private random number file
    ...
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = de
    countryName_min = 2
    countryName_max = 2

    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Bavaria

    localityName = Locality Name (eg, city)
    localityName_default = Munich
    ...

    4. To create the self-signed root certificate of your CA, enter

    openssl req -newkey rsa:2048 -x509 -days 3650 \
      -keyout private/daxx-cakey.pem -out daxx-cacert.pem

    Answer the questions.


    5. To view the certificate, enter

    openssl x509 -in daxx-cacert.pem -text

    6. To create the files index.txt and serial, enter

    touch index.txt ; echo 01 > serial

    7. To create a certificate signing request for your machine, enter

    openssl req -new -keyout private/daxx_prv_key.pem \
      -out certs/daxx_req.pem -days 365

    Answer the questions.

    Note: The sequence of -out and -infiles is important. If -infiles is first, you get a not too helpful error message.

    8. To sign the certificate signing request and create the certificate, enter

    openssl ca -policy policy_anything -notext \
      -out certs/daxxcert.pem -infiles certs/daxx_req.pem

    9. View the files index.txt and serial with cat.

    10. Repeat steps 7-9 to create another certificate for server.digitalairlines.com.

    11. To revoke the certificate just created and create a certificate revocation list, enter

    openssl ca -revoke certs/servercert.pem
    openssl ca -gencrl -out crl/daxx-crl.pem

    12. View the files index.txt and serial with cat.

    (End of Exercise)
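    As an added example that is not part of the workbook, the following POSIX shell script runs the steps of this exercise end to end: the directory layout with index.txt and serial, a minimal openssl.cnf written inline instead of editing /etc/ssl/openssl.cnf, the self-signed root certificate, an issued certificate, its revocation and the CRL, plus the verification against CA certificate and CRL that the exercise leaves to the reader. The CA directory and the common names are arguments and hypothetical; keys are written without a passphrase (-nodes) so the script runs unattended, which is not what you want for a real CA key.

```shell
#!/bin/sh
# Added example (not the workbook's code): the Exercise 3-1 CA workflow as
# shell functions. The CA directory and the common names are arguments and
# hypothetical; keys are written unencrypted (-nodes) so the run is unattended.
set -eu

make_ca() {                      # $1 = CA directory, $2 = CA common name
  ca="$1"
  mkdir -p "$ca/certs" "$ca/newcerts" "$ca/private" "$ca/crl"
  chmod 700 "$ca/private"        # only root may read the CA key
  : > "$ca/index.txt"            # empty certificate database (touch index.txt)
  echo 01 > "$ca/serial"         # first serial number
  # Minimal configuration instead of editing /etc/ssl/openssl.cnf; \$dir stays
  # literal so openssl expands it, $ca is expanded by the shell now.
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca             = CA_default
[ CA_default ]
dir                    = $ca
new_certs_dir          = \$dir/newcerts
database               = \$dir/index.txt
serial                 = \$dir/serial
certificate            = \$dir/cacert.pem
private_key            = \$dir/private/cakey.pem
default_md             = sha256
default_days           = 365
default_crl_days       = 30
policy                 = policy_anything
x509_extensions        = leaf_ext
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name     = req_dn
x509_extensions        = ca_ext
[ req_dn ]
commonName             = Common Name
[ ca_ext ]
basicConstraints       = critical,CA:true
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ leaf_ext ]
basicConstraints       = CA:false
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  # Self-signed root certificate, valid ten years as in step 4.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$ca/openssl.cnf" \
    -subj "/CN=$2" -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
}

issue_cert() {                   # $1 = CA directory, $2 = file name stem, $3 = subject CN
  ca="$1"
  # Certificate signing request plus key (step 7).
  openssl req -new -newkey rsa:2048 -nodes -config "$ca/openssl.cnf" -subj "/CN=$3" \
    -keyout "$ca/private/${2}_key.pem" -out "$ca/certs/${2}_req.pem" 2>/dev/null
  # Sign it (step 8). -out must come before -infiles: everything after
  # -infiles is read as a request file name.
  openssl ca -batch -config "$ca/openssl.cnf" -policy policy_anything -notext \
    -out "$ca/certs/${2}_cert.pem" -infiles "$ca/certs/${2}_req.pem" 2>/dev/null
}

revoke_cert() {                  # $1 = CA directory, $2 = file name stem (step 11)
  ca="$1"
  openssl ca -config "$ca/openssl.cnf" -revoke "$ca/certs/${2}_cert.pem" 2>/dev/null
  openssl ca -config "$ca/openssl.cnf" -gencrl -out "$ca/crl/crl.pem" 2>/dev/null
}

cert_status() {                  # $1 = CA directory, $2 = serial (e.g. 01)
  # index.txt columns are tab separated: status (V/R/E), expiry, revocation
  # date, serial, file name, subject.
  awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"
}

verify_cert() {                  # $1 = CA directory, $2 = certificate file
  openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

verify_cert_with_crl() {         # as verify_cert, but a revoked certificate fails
  cat "$1/cacert.pem" "$1/crl/crl.pem" > "$1/ca_and_crl.pem"
  openssl verify -crl_check -CAfile "$1/ca_and_crl.pem" "$2" >/dev/null 2>&1
}
```

    The last two functions show why step 11 matters: verify_cert still accepts the revoked certificate, because the CA certificate alone says nothing about revocation; only verify_cert_with_crl, which hands the CRL to openssl verify together with the CA certificate, rejects it. A service that validates client certificates must be given the CRL (or an OCSP responder) for the same reason.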


    Exercise 3-2 (optional) Create a Root CA and Certificates Using YaST

    The purpose of this exercise is to teach you how to manage a CA using YaST.

    Just a rough outline of steps is given here. Do the following:

    1. Start a terminal window and sux - to root with a password of novell.

    2. Start the YaST CA Management module by entering

    yast2 ca_mgm

    3. Select Create Root CA and follow the steps of the wizard to create a root CA.

    Use values of your choice to fill in the dialogs.

    4. Enter the root CA you just created.

    5. Export the CA certificate to a file.

    6. Create a server certificate.

    7. Export the server certificate.

    (End of Exercise)


    Exercise 3-3 (optional) Work with GPG

    The purpose of this exercise is to familiarize you with some of the features of GPG and how keys are managed to exchange encrypted mail.

    Work with a partner to exchange keys and exchange encrypted mails or files.

    Do the following:

    1. Open a terminal window and create a public/private GPG key pair by entering

    gpg --gen-key

    You have to answer several questions; the defaults will do for this exercise. When creating your personal key pair you might want to choose 2048 bits for the key length. Make sure that you remember the Real name you enter during the key creation process.

    2. To export your public key to a file, enter

    gpg -a --export "real name" > name.asc

    Choose a reasonable name for the key file. Transfer this file to your partner using scp.

    3. To import the public key of your partner, enter

    gpg --import partners_name.asc

    4. No mail service is set up in the course room, so you will encrypt and transfer a file instead of mailing it. Write a message to a file, such as

    echo Hello, how are you > textfile

    5. To encrypt that file, enter

    gpg -ea textfile


    You are prompted to enter a user ID. The name that is part of the key will do, or use the hexadecimal ID of the key if there are several keys with the same name.

    6. View the file textfile.asc using cat.

    7. Transfer the file to your partner and get his encrypted file to your computer, using a descriptive filename to avoid overwriting each other's files.

    8. To decrypt the file, enter

    gpg filename.asc ; cat filename

    To view the decrypted file directly on the screen, you can use

    gpg -o - filename

    9. Sign the file with

    gpg --clearsign textfile

    10. Verify the signature with

    gpg textfile.asc

    11. Load the file textfile.asc in vi and alter one letter of the message. Save the changes and close vi. Verify the signature again.

    (End of Exercise)


    S E C T I O N 4 Network Security

    In this section of the workbook, you learn how to do the following:

    Configure the TCP Wrapper on 4-2
    Use stunnel to Secure POP3 with SSL on 4-5


    Exercise 4-1 Configure the TCP Wrapper

    In this exercise you work with a partner to practice configuring the TCP wrapper. The exercise consists of the following parts:

    Part I: Secure the FTP Service
    Part II: Configure a Twist
    Part III: Configure Logging

    Part I: Secure the FTP Service

    In this part of the exercise, you secure the FTP service so that everyone in the classroom except your partner can access the FTP server on your system.

    Do the following:

    1. Use YaST to install the package vsftpd.

    2. Open a terminal window and su to the root user.

    3. Open the file /etc/xinetd.d/vsftpd with a text editor.

    4. Make sure the line disable = yes starts with a # character.

    5. Save and close the file.

    6. Restart xinetd with the command rcxinetd restart.

    7. Open the file /etc/hosts.deny in a text editor.

    8. Add the following to the end of the file:

    vsftpd : IP_of_partner

    9. Save the file.

    10. Have your partner attempt to ftp to your system; then have another student in the classroom attempt to ftp to your host.

    11. The connection for your partner is closed. However, others can ftp to your server.

    12. Place a comment character (#) in front of the line you just added to the file /etc/hosts.deny; then add the following line:

    ALL:ALL

    13. Save the file and close the editor.

    14. Set the same security restriction by editing the file /etc/hosts.allow: open the file /etc/hosts.allow in a text editor.

    15. Add the following to the end of the file:

    vsftpd : ALL EXCEPT IP-of-partner

    16. Save and close the file.

    17. Have your partner try to ftp to the system; then have another student in the classroom attempt to ftp to your host.

    The results should be the same as with the file hosts.deny.

    Part II: Configure a Twist

    In this part of the exercise you configure the TCP wrapper to execute a program other than the respective daemon.

    Do the following:

    1. Open a terminal window and su to the root user.

    2. Edit the ALL:ALL line in /etc/hosts.deny to reflect the following:

    ALL: ALL: twist (echo "This service is not accessible from %a!")

    3. Save and close the file.

    4. Have your partner try to ftp to the system to verify that the message is sent.


    Part III: Configure Logging

    In this part of the exercise you configure logging, using the spawn feature of the TCP wrapper.

    Do the following:

    1. Open a terminal window and su to the root user.

    2. At the bottom of the file /etc/hosts.allow, change the vsftpd line to reflect the following:

    vsftpd : ALL EXCEPT IP-of-partner : spawn (echo "%a accessed %s" >> /tmp/service-access.log)

    3. Save and close the file.

    4. Have someone in the class besides your partner attempt to ftp to the system to verify that the entry is logged.

    5. Verify that all of the activity to the services under xinetd has been logged in /var/log/xinetd.log by entering cat /var/log/xinetd.log.

    (End of Exercise)
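    As an added example that is not part of the workbook, the following POSIX shell script models the decision tcpd makes for a given daemon and client address from hosts.allow and hosts.deny, so a rule set like the one in this exercise can be checked without a partner. It is deliberately a simplified model: daemon lists, client lists with exact IPv4 addresses, ALL and EXCEPT are understood; wildcards, netmasks, host names and the twist/spawn option fields are not evaluated (tcpdmatch is the real tool for that). The sample files and the address 10.0.0.7 standing in for the partner's computer are constructed.

```shell
#!/bin/sh
# Added example (not the workbook's code): a simplified evaluator of the tcpd
# access control files. Understands daemon lists, client lists with exact
# addresses, ALL and EXCEPT; ignores wildcards, netmasks, host names and the
# option fields. Sample files and the partner address 10.0.0.7 are constructed.
set -eu

list_matches() {                 # $1 = list ("a, b", "ALL", "ALL EXCEPT c"), $2 = value
  printf '%s\n' "$1" | awk -v v="$2" '
    {
      gsub(/,/, " ")
      n = split($0, tok, /[ \t]+/)
      inc = 0; exc = 0; side = 0
      for (i = 1; i <= n; i++) {
        t = tok[i]
        if (t == "") continue
        if (t == "EXCEPT") { side = 1; continue }   # tokens after EXCEPT are exclusions
        hit = (t == "ALL" || t == v)
        if (side == 0 && hit) inc = 1
        if (side == 1 && hit) exc = 1
      }
      exit !(inc && !exc)        # status 0 = match
    }'
}

file_matches() {                 # $1 = file, $2 = daemon, $3 = client; 0 if any rule matches
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                            # strip comments
    case "$line" in *:*) ;; *) continue ;; esac   # skip blank lines
    daemons="${line%%:*}"                         # "daemon_list : client_list [: option]"
    rest="${line#*:}"
    clients="${rest%%:*}"
    if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
      return 0
    fi
  done < "$1"
  return 1
}

tcpd_decision() {                # $1 = daemon, $2 = client IP, $3 = hosts.allow, $4 = hosts.deny
  # tcpd order: first match in hosts.allow grants, otherwise first match in
  # hosts.deny refuses, otherwise access is granted.
  if file_matches "$3" "$1" "$2"; then
    echo allow
  elif file_matches "$4" "$1" "$2"; then
    echo deny
  else
    echo allow
  fi
}

write_sample_files() {           # $1 = directory; the rule set of Part I/II of the exercise
  printf 'vsftpd : ALL EXCEPT 10.0.0.7\n' > "$1/hosts.allow"
  printf 'ALL : ALL : twist (echo "This service is not accessible from %%a!")\n' > "$1/hosts.deny"
}
```

    Running tcpd_decision for vsftpd from 10.0.0.8, for vsftpd from 10.0.0.7 and for sshd from 10.0.0.8 against the sample files gives allow, deny and deny respectively, which is the behaviour the exercise asks you to observe with a partner: the ALL:ALL line in hosts.deny closes everything that hosts.allow does not open explicitly, so the default-open model of the first variant (only the partner listed in hosts.deny) becomes a default-closed one.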


    Exercise 4-2 Use stunnel to Secure POP3 with SSL

    The purpose of this exercise is to practice securing a service with stunnel.

    Do the following:

    1. Open a terminal window and sux - to root using a password of novell.

    2. Install the packages stunnel and qpopper by entering

    yast -i stunnel qpopper

    and inserting the appropriate CD when requested.

    3. Use a certificate and its corresponding private key created in the exercise Create a CA and Certificates on the Command Line on 3-2 or in the exercise (optional) Create a Root CA and Certificates Using YaST on 3-5.

    You can either

    Use the certificate and private key created for your computer with openssl on the command line.

    In this case you need to create a copy of the private key that is not secured with a passphrase:

    openssl rsa < private/daxx_prv_key.pem \
      > private/daxx_prv_key-unenc.pem

    Copy the certificate and the private key into one file:

    cat certs/daxx_cert.pem \
      private/daxx_prv_key-unenc.pem \
      >> /etc/stunnel/stunnel.pem

    Also copy the RootCA certificate to the directory /tmp.

    or

    Use the certificate and private key created for your computer in the YaST CA Management module.


    Export it to /etc/stunnel/stunnel.pem, selecting Certificate and Key Unencrypted in PEM Format in the Export dialog.

    Also export the RootCA certificate and save it in the directory /tmp.

    4. Limit access to the file /etc/stunnel/stunnel.pem by entering

    chmod 600 /etc/stunnel/stunnel.pem

    5. Using vi, modify the configuration of stunnel in the file /etc/stunnel/stunnel.conf to reflect the following entries (some lines need a comment symbol #, some need the comment symbol deleted, and other lines need to be added by you; you have to look through the file to find the lines):

    #chroot = /var/lib/stunnel/
    #setuid = stunnel
    #setgid = nogroup
    ...
    [pop3s]
    accept = 995
    # connect = 110
    exec = /usr/sbin/popper
    execargs = popper -s

    6. Start stunnel by entering rcstunnel start.

    If there are any error messages, correct your configuration accordingly.

    7. Test your POP server by configuring a mail program of your choice to pick up mail of a local account (such as geeko) from localhost port 995.

    Make sure that you use the full hostname (daxx.digitalairlines.com) in the pop server field, not just localhost.


    When finished with the configuration, actually try to pick up mail. You should see an error message that the server certificate failed the authenticity test.

    Do not accept the certificate at this point but select Cancel (or whatever your mail program offers at this point).

    8. Import the CA certificate into your application. How this is done depends on your mail program.

    If you use KMail, you do that by starting Konqueror and selecting

    Settings > Configure Konqueror > Crypto > SSL Signers tab > Import

    Change directory to /tmp and choose the CA certificate suitable for the stunnel certificate, either the OpenSSL or the YaST one.

    9. Connect again to your mailbox with your mail program.

    You should not get the same error message again, since the certificate can now be validated by the mail program.

    You might get a message that the certificate does not belong to the server if the common name in the certificate differs from the domain name you contacted. In this case you might want to create a new certificate with the correct name.

    (End of Exercise)
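    As an added example that is not part of the workbook, the following POSIX shell functions check the combined certificate-and-key file before stunnel is started, covering the three things this exercise makes you discover by trial: that the file mode is 0600 as set in step 4, that the private key in the file belongs to the certificate in front of it (a wrong cat order or a mixed-up key makes stunnel fail at startup), and that the certificate's common name equals the host name the mail program will contact (the mismatch warning of step 9). The host name and the self-signed test bundle built by make_test_bundle are constructed; openssl pkey needs OpenSSL 1.0.0 or later.

```shell
#!/bin/sh
# Added example (not the workbook's code): pre-flight checks for the
# certificate+key bundle stunnel reads. File path and host name are arguments;
# the test bundle built by make_test_bundle is constructed, not a real one.
set -eu

pem_mode_ok() {                  # 0 if the mode is exactly 0600 (step 4)
  [ -n "$(find "$1" -perm 0600 2>/dev/null)" ]
}

pem_key_matches_cert() {         # 0 if the first key and first certificate share a public key
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)"
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null || true)"
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

pem_cn() {                       # print the CN of the first certificate in the file
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

pem_cn_matches() {               # 0 if the CN equals the name clients will use (step 9)
  [ "$(pem_cn "$1")" = "$2" ]
}

check_stunnel_pem() {            # $1 = bundle, $2 = expected host name; prints findings
  f="$1"; rc=0
  pem_mode_ok "$f"            || { echo "$f: mode is not 0600"; rc=1; }
  pem_key_matches_cert "$f"   || { echo "$f: private key does not belong to the certificate"; rc=1; }
  pem_cn_matches "$f" "$2"    || { echo "$f: CN '$(pem_cn "$f")' differs from $2"; rc=1; }
  return $rc
}

make_test_bundle() {             # $1 = directory, $2 = CN; builds a constructed self-signed bundle
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$1/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/req.cnf" -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  cat "$1/cert.pem" "$1/key.pem" > "$1/stunnel.pem"   # certificate first, then the key
  chmod 600 "$1/stunnel.pem"
}
```

    check_stunnel_pem /etc/stunnel/stunnel.pem daxx.digitalairlines.com is the call to make between step 5 and step 6; a non-zero exit with the printed reason replaces guessing from the mail program's error dialog.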


    S E C T I O N 6 Packet Filters

    In this section of the workbook, you learn how to do the following:

    Get Familiar with Basic iptables Syntax on 6-2
    Modify the Script to Set and Delete iptables Rules on 6-15


    Exercise 6-1 Get Familiar with Basic iptables Syntax

    Note: In this exercise the computer that is used for testing should not have any iptables rules set. Otherwise the results also depend on the settings of this testing computer.

    The purpose of this exercise is to familiarize you with the iptables syntax and to show the effect of some iptables rules.

    In the first part, you use iptables on the command line only. Any rules set with iptables are lost with the next reboot.

    As rules defined on the command line are lost with the next reboot, the rules that make up the packet filter should be included in a shell script that is executed during system startup.

    Part II and the subsequent parts of this exercise deal with writing such a script to set and delete rules.

    There is no single right way to write such a script. Keep it as simple as possible so you don't inadvertently open security holes. Use comments within the script liberally so you can still understand it when you have to modify it later.

    The exercise will not cover every single step but will outline what needs to be done to create a working script.

    Work with a partner in this exercise. You will have to coordinate with each other regarding setting and testing of rules. If you both set rules at the same time and then test them, the test might not produce the expected result, as the rules on the testing computer might interfere with the test.

    This exercise consists of:

    Part I: Set iptables Rules on the Command Line
    Part II: Prepare a Structure for a Script
    Part III: Define General Variables
    Part IV: Create a Section to Delete Any Existing Rules
    Part V: Create a Section to Display the Current Rule Set
    Part VI: Add Static Rules


    Part I: Set iptables Rules on the Command Line

    The purpose of the first part of this exercise is to show you how iptables is used and the effect the commands have.

    Do the following:

    1. Open a terminal window and su - to root with a password of novell.

    2. Check if there are any rules set already by entering

    iptables -v -L -n

    3. If there are any rules in the INPUT, OUTPUT, or FORWARD chain, delete them by entering

    iptables -F

    4. Set a rule blocking all ICMP packets to your computer coming from other computers by entering

    iptables -A INPUT -i eth0 -p icmp -j DROP

    (This is only an example. Blocking all ICMP messages is generally not advisable.)

    5. Have your partner test this rule by sending an echo request (ping) to your computer.

    6. Try to send an echo request to your partner's computer.

    7. Delete the rule you set in Step 4 by entering

    iptables -D INPUT -i eth0 -p icmp -j DROP

    8. Set a rule blocking all ICMP packets from your computer to other computers by entering

    iptables -A OUTPUT -o eth0 -p icmp -j DROP

    9. Have your partner test this rule by sending an echo request (ping) to your computer.


    10. Try to send an echo request to your partner's computer. (You will notice a slightly different output of the ping command compared to Step 6 above.)

    11. Delete the rule you set in Step 8 by entering

    iptables -D OUTPUT -o eth0 -p icmp -j DROP

    12. Set a rule blocking all ICMP packets in the FORWARD chain by entering

    iptables -A FORWARD -p icmp -j DROP

    If there is only one NIC in your computer you cannot test this rule.

    However, you can test if this rule affects traffic to and from your computer (which it shouldn't) by asking your partner to ping your computer and by sending an echo request to your partner's computer.

    13. Flush your rules by entering

    iptables -F

    14. Find out what happens when you use ssh to connect to your partner's ssh port by entering

    ssh geeko@partner_IP

    When prompted, enter the password N0v3ll. After you have successfully logged in, log out again by pressing Ctrl-D.

    15. Create an iptables rule that drops TCP packets addressed to port 22 (SSH) by entering

    iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

    16. After your partner sets the rule on his or her computer, try again to log in to your partner's computer and notice the difference from the results in Step 14.

    17. Change the rule from Step 15 to use REJECT as its target instead of DROP.

    You can either delete the rule and create a new one, or replace the rule by entering

    iptables -R INPUT 1 -i eth0 -p tcp --dport 22 -j REJECT

    18. View the current ruleset by entering

    iptables -v -L -n

    19. After your partner sets the rule on his or her computer, try again to ssh to your partner's computer and find out if there is any difference to before. If yes, why is that?

    20. Change the rule from Step 17 once more to reject with a TCP reset instead of the ICMP message port unreachable by entering (on one line)

    iptables -R INPUT 1 -i eth0 -p tcp --dport 22 -j REJECT --reject-with tcp-reset

    21. View the current ruleset by entering

    iptables -v -L -n

    22. After your partner sets the rule on his or her computer, again connect to your partner's computer using ssh and find out if there is any difference to before.

    23. Flush your ruleset by entering

    iptables -F

    Part II: Prepare a Structure for a Script

    This exercise will take quite some time. If you do not have some experience with shell scripts, you will have difficulty doing this exercise.

    Because any packet filter rules set with iptables are lost with the next reboot, it is common practice to write a script to set them.

    In addition to setting the rules (start), such a script should allow you to delete the rules (stop) and to show the currently active rules (status). It should also allow integration into the runlevel concept.

    The file /etc/init.d/skeleton gives an outline of how such a script could be structured.

    The purpose of this and the following parts of this exercise is to show you the basic elements of such a script to set up and delete iptables rules.

    Do the following:

    1. Open a terminal window and su - to root with a password of novell.

    2. Change directory to /etc/init.d/.

    3. Copy the file skeleton to fw-script.

    4. Change the permissions so that the script can be executed by entering

    chmod 744 /etc/init.d/fw-script

    5. Open the file fw-script in a text editor.

    6. Keep the sections on init info and the case sections start, stop, status, and *. Delete the comments and sections you do not need.

    Your result could look similar to the following:

    #! /bin/sh
    #
    # /etc/init.d/fw-script and its symbolic link
    # /(usr/)sbin/rcfw-script
    #
    ### BEGIN INIT INFO
    # Provides: packetfilter
    # Required-Start: $syslog $network
    # Required-Stop: $syslog $network
    # Default-Start: 3 5
    # Default-Stop: 0 1 2 6
    # Short-Description: Sets packet filter rules
    # Description: Sets packet filter rules
    ### END INIT INFO
    #
    . /etc/rc.status

    # Reset status of this service
    rc_reset

    case "$1" in
        start|restart|reload)
            echo -n "Starting Firewall "
            # Remember status and be verbose
            rc_status -v
            ;;
        stop)
            echo -n "Shutting down Firewall "
            # Remember status and be verbose
            rc_status -v
            ;;
        status)
            echo "Current Firewall-rules "
            rc_status -v
            ;;
        *)
            echo "Usage: $0 {start|stop|status|restart|reload}"
            exit 1
            ;;
    esac
    rc_exit

    (A template similar to the above can be found on the student CD in the directory for this section.)

    Part III: Define General Variables

    The use of variables makes it easier to maintain the script.

    Do the following:

    1. Within the start section, define the following variables:

    EXT_IF=eth0
    EXT_IP=
    INT_IF=
    INT_IP=

    Because the computers in the classroom might have only one NIC, this exercise is limited to defining rules for the INPUT and OUTPUT chains. The variables INT_IF and INT_IP can be used for a second NIC and rules for the FORWARD chain.

    You can also define variables for the IP address of the nameserver and other computers. Using variables facilitates later changes, as you only have to change the variable at one point, not the IP within various rules.

    2. Also in the start section, set kernel parameters like

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Protect from ICMP redirect packets:
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects
    do
        echo 0 > $f
    done

    # Block source routed packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route
    do
        echo 0 > $f
    done
    ...

    (If you don't want to type this, have a look at the files on the student CD.)

    To see a brief explanation of these and other parameters, start the YaST Powertweak module and select the Networking options. The above values can also be set within the Powertweak module instead of this script.

    3. Add comments to your definition of variables and kernel parameter settings.

    Part IV: Create a Section to Delete Any Existing Rules

    This makes sure that you can delete any rules you set.

    Go to the stop section within the case statement and add iptables commands to delete any existing rules:

    1. Add an informative message to be displayed when the script is called with the stop parameter.

    2. Flush the chains by typing

    iptables -F
    iptables -t nat -F

    3. Delete any user-defined chains by typing

    iptables -X

    4. Set the policy of the built-in chains to accept by typing

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    5. You can also reset the kernel parameters to previous settings in the stop section as needed.

    Part V: Create a Section to Display the Current Rule Set

    Viewing the current rule set helps in debugging.

    Do the following:

    1. Go to the status section within the case statement to add iptables commands to display the currently active rules.

    2. Add the following lines to the status section:

    iptables -v -n -L
    iptables -v -n -t nat -L POSTROUTING
    iptables -v -n -t nat -L PREROUTING

    Part VI: Add Static Rules

    Now the main part: The rules themselves.

    To add static rules, do the following:

    1. Go to the start section within the case statement to add your rules with iptables commands.

    2. Set the default policy to DROP by typing

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    3. Flush existing rules and delete existing user-defined chains by typing

    iptables -F
    iptables -t nat -F
    iptables -X

    If you do not flush the rules in the beginning, each call of the script with the parameter start adds the rules again to the chain.

    4. Allow all traffic from and to the loopback interface by typing

    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

    5. Define rules to allow others to access the ssh server on your computer by typing

    iptables -A INPUT -p TCP -i $EXT_IF --dport 22 -j ACCEPT
    iptables -A OUTPUT -p TCP -o $EXT_IF --sport 22 -j ACCEPT

    6. (Optional) Limit the above INPUT rule to a destination IP address as well as certain source IP addresses and source ports.

    7. Add a rule that logs packets that are dropped in the INPUT chain by typing

    iptables -A INPUT -j LOG --log-prefix INPUT-DROP

    8. Add a rule that rejects packets instead of having them dropped by the default policy of the chain by typing

    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

    9. Start your script by entering in a terminal window (as root)

    /etc/init.d/fw-script start

    If there are any error messages, correct any mistakes in the syntax within your script.

    10. Have your partner try to access your ssh daemon.

    If he or she cannot do so, it could be because there is something wrong with your rules or because rules on his or her computer do not allow him or her to contact another server (or both).

    Find out what the problem is by looking at /var/log/messages with less or tail -f on both computers. It is actually a good idea to have a separate terminal window with tail -f /var/log/messages constantly open while testing the rules.

    If it turns out his or her rules forbid contacting your computer, have him or her call the script with the parameter stop and try again. Correct any errors in your own script.

    11. Test if your script actually blocks traffic to other services. Start the Apache web server with rcapache2 start and have your partner try to access your computer with a browser. You should see log entries for dropped packets in /var/log/messages.
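    While testing, the entries written by the LOG rules pile up quickly. The following is an added example, not part of the workbook, of a POSIX shell function that summarizes the kernel LOG lines in /var/log/messages by log prefix, protocol, source address and destination port, so that a burst of dropped packets from one host stands out. The lines in SAMPLE_LOG are constructed to match the format of the kernel's LOG output (the host name da1 and all addresses are made up). One point worth knowing: the prefix as given in Step 7, INPUT-DROP with no trailing space, runs straight into the IN= field of the log line ("INPUT-DROPIN=eth0"); the function handles both that form and a prefix written with a trailing space.

```shell
#!/bin/sh
# Added example (not from the workbook): summarize the kernel LOG entries
# that the INPUT-DROP and OUTPUT-DROP rules write to /var/log/messages,
# grouped by log prefix, protocol, source address and destination port,
# so a burst of dropped packets from one host stands out while testing.
# Usage: summarize_drops < /var/log/messages   (or pipe in tail -n 500)

summarize_drops() {
    awk '
        # only the kernel packet-filter lines carry a SRC= field
        / kernel: / && /SRC=/ {
            # the prefix is whatever sits between "kernel: " and "IN=".
            # A --log-prefix without a trailing space, as in the exercise,
            # produces "INPUT-DROPIN=eth0 ..."; both forms are handled here.
            pfx = $0
            sub(/.* kernel: /, "", pfx)
            sub(/IN=.*/, "", pfx)
            sub(/ *$/, "", pfx)
            proto = "-"; src = "-"; dpt = "-"     # ICMP lines have no DPT
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[pfx " " proto " " src " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k5,5nr -k1,4
}

# Constructed sample lines in syslog format (host name da1 and all addresses
# are made up); the third line shows the prefix without a trailing space,
# the last line is an unrelated sshd message that must be ignored.
SAMPLE_LOG='Jan 10 12:00:01 da1 kernel: INPUT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:02 da1 kernel: INPUT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:03 da1 kernel: INPUT-DROPIN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=10.0.0.7 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Jan 10 12:00:04 da1 kernel: OUTPUT-DROP IN= OUT=eth0 SRC=10.0.0.1 DST=10.0.0.2 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=33000 DPT=53 LEN=50
Jan 10 12:00:05 da1 sshd[123]: Accepted password for geeko from 10.0.0.9 port 5555 ssh2'

# Runs the summary over the sample; each output line is
# "PREFIX PROTO SRC DPT COUNT", most frequent first.
demo_drops() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
}

[ "${1:-}" = "--demo" ] && demo_drops
```

    Run it as sh summarize.sh --demo to see the sample summary, or feed a real log with summarize_drops < /var/log/messages; since awk only prints at end of input, use tail -n rather than tail -f when piping from a live log.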

    ! --syn prevents other computers from establishing a TCP connection from port 22. The first packet of a TCP handshake originating at port 22 is discarded by this rule.

    12. If your partner asked you if you could reach his or her ssh daemon and you tried with the current rules active, you would notice that your current rules do not allow you to do that.

    Define rules that allow you to contact the ssh daemon on other computers by entering

    iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 -j ACCEPT
    iptables -A OUTPUT -p TCP -o $EXT_IF --dport 22 -j ACCEPT

    Why should you add ! --syn?

    13. Add another ruleset like the one in Step 12 allowing you to contact web servers (port 80) on other computers.

    14. Add a rule that logs packets that are dropped in the OUTPUT chain by entering

    iptables -A OUTPUT -j LOG --log-prefix OUTPUT-DROP

    15. Activate your rules by entering /etc/init.d/fw-script start (your current rules will be replaced by the new ones).

    16. Try to contact the sshd on your partner's computer.

    17. Try to contact a web server.

    18. Try to ping your partner's computer and watch the log file.

    19. Have him or her turn off the rules and then ping you. Watch your log file.

    20. Add rules allowing incoming and outgoing ICMP messages.

    21. Restart your script. Ping your partner's computer and have him or her ping yours.

    22. Add comments to describe what your rules are supposed to do.

    (End of Exercise)

    Exercise 6-2 Modify the Script to Set and Delete iptables Rules

    The script developed in the last exercise uses static filtering rules only.

    In this exercise you will modify the script to include dynamic filtering rules, and you will create and use a user-defined chain.

    Part I: Use Stateful Packet Filtering

    Part II: User-Defined Chains

    Part III: (optional) View the SuSEFirewall2 Configuration and Script

    Part I: Use Stateful Packet Filtering

    The state module helps to simplify the script and thus make it less error prone. It also adds the feature of stateful inspection to the computer.

    To replace the rules defined so far for TCP connections, do the following:

    1. Put a comment sign in front of those six rules (two each for ssh in, ssh out, and www).

    2. Define rules for the second and all subsequent packets of a connection using the connection tracking module:

    # INPUT-Chain
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # OUTPUT-Chain
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    3. Define a rule allowing the first packet of a connection to the ssh daemon on your computer by entering

    iptables -A INPUT -i $EXT_IF -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT

    4. Set the new rules by entering

    /etc/init.d/fw-script start

    Have your partner access the ssh daemon on your computer. Watch the log file.

    5. View the entry tracking the connections in the /proc file system by entering

    cat /proc/net/ip_conntrack

    6. Add rules that allow you to access the sshd and web servers on other computers. Test this and the access to the web server running on your computer to see if it is still blocked as intended.

    7. Add useful comments to your script.

    Part II: User-Defined Chains

    User-defined chains can help reduce the number of rules packets have to run through before a hit or make the script easier to understand (or both).

    The user-defined chain has to exist before any rule uses the chain as a target. Therefore, these rules should appear in the script above the rules for the built-in chains.

    In this part, you will set up a user-defined chain for UDP packets. You may have noticed that the script so far does not allow any name resolution.

    Do the following:

    1. Locate an appropriate point in the script to insert the lines and create the chain udp-rules by typing

    iptables -N udp-rules

    2. Create a rule for a packet querying a nameserver by entering (on one line)

    iptables -A udp-rules -o $EXT_IF -p udp --dport 53 -m state --state NEW -j ACCEPT

    (There is no need for a rule for the answer packets because they are covered by the rule from Part I covering second and subsequent packets.)

    Under certain circumstances there is a fallback to TCP for name resolution. Therefore, a similar rule is needed for TCP port 53.

    3. Packets that do not match any of the rules in the user-defined chain continue down the built-in chain they came from. This is not what is intended here; therefore, insert a rule to log packets and another to reject them by entering

    iptables -A udp-rules -j LOG --log-prefix REJECT-udp
    iptables -A udp-rules -j REJECT

    Because this last rule matches all packets, none return to the previous chain.

    4. The rule to send all UDP packets from the OUTPUT chain to the user-defined chain has to be inserted after the general rules for second and subsequent packets, as otherwise the answers to the UDP packets your computer sends out will be discarded.

    Add this rule by typing at the appropriate point in the script

    iptables -A OUTPUT -p udp -j udp-rules

    If you want to allow incoming UDP traffic, a similar rule is needed for the INPUT chain. Within the user-defined chain you can distinguish incoming and outgoing traffic by the -i and -o options.

    5. Set the rules by entering

    /etc/init.d/fw-script start

    Find out if name resolution is now functional.

    6. (optional) Create another user-defined chain that takes care of the logging. Instead of logging packets in built-in or other user-defined chains, send those packets to a separate user-defined chain to be logged and then dropped or rejected.

    7. (optional) Watch the log file for a while. You will see all kinds of entries for packets being rejected. Write rules allowing IP traffic that is needed for proper computer operation.

    8. (optional) Have your partner test your filter rules with nmap from his or her computer.
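    The following script is an added example; it is neither the workbook's own file nor the template on the student CD. It collects Parts II through VI of Exercise 6-1 and Parts I and II of this exercise into one /etc/init.d style script: kernel parameters, the stop and status sections, stateful rules in place of the six static ones, and the udp-rules chain with its jump placed after the ESTABLISHED,RELATED rule. It assumes eth0 as the external interface and a name server at the constructed address 10.0.0.2; the SUSE rc_status helpers from the skeleton are left out so it runs under any POSIX sh. Setting FW_DRY_RUN=1 prints the rules instead of applying them, which lets you review the generated rule set (including rule order) before touching a live host.

```shell
#! /bin/sh
# /etc/init.d/fw-script: added example, not the workbook's or SUSE's file.
# Combines Exercise 6-1 Parts II-VI with Exercise 6-2 Parts I-II.
# Assumed: eth0 is the external interface; 10.0.0.2 (constructed) is the
# name server. The SUSE rc_status helpers are left out for portability.
### BEGIN INIT INFO
# Provides:          packetfilter
# Required-Start:    $syslog $network
# Required-Stop:     $syslog $network
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: Sets packet filter rules
### END INIT INFO

EXT_IF=${EXT_IF:-eth0}
NAMESERVER=${NAMESERVER:-10.0.0.2}   # constructed example address

# FW_DRY_RUN=1 prints each iptables call and sysctl write instead of
# executing it, so the generated rule set can be reviewed without root.
ipt() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"
    else iptables "$@"; fi
}
sysctl_set() {   # sysctl_set /proc/sys/... VALUE
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then printf 'echo %s > %s\n' "$2" "$1"
    elif [ -e "$1" ]; then echo "$2" > "$1"; fi
}

fw_stop() {
    # Part IV: remove every rule and chain, fall back to an open policy
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT ACCEPT; ipt -P OUTPUT ACCEPT; ipt -P FORWARD ACCEPT
}

fw_status() {
    # Part V: the filter table plus the two nat chains a NAT setup would use
    ipt -v -n -L
    ipt -v -n -t nat -L POSTROUTING
    ipt -v -n -t nat -L PREROUTING
}

fw_start() {
    # Part III: kernel parameters (ip_forward stays off on a one-NIC host)
    sysctl_set /proc/sys/net/ipv4/tcp_syncookies 1
    sysctl_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
    sysctl_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects \
             /proc/sys/net/ipv4/conf/*/accept_source_route; do
        sysctl_set "$f" 0
    done

    # Part VI steps 2-4: deny by default, start from an empty table so a
    # second "start" does not append the rules twice, allow loopback
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
    ipt -F; ipt -t nat -F; ipt -X
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Exercise 6-2 Part I: connection tracking replaces the six static
    # per-port rules; only the first packet of a connection needs a rule
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$EXT_IF" -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$EXT_IF" -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -A OUTPUT -p icmp -j ACCEPT

    # Exercise 6-2 Part II: user-defined chain for outgoing UDP, created
    # before anything jumps to it; the jump sits after the ESTABLISHED,RELATED
    # rule so DNS answers are not rejected
    ipt -N udp-rules
    ipt -A udp-rules -o "$EXT_IF" -p udp -d "$NAMESERVER" --dport 53 -m state --state NEW -j ACCEPT
    ipt -A udp-rules -j LOG --log-prefix "REJECT-udp "
    ipt -A udp-rules -j REJECT
    ipt -A OUTPUT -p udp -j udp-rules
    # name resolution may fall back to TCP port 53
    ipt -A OUTPUT -o "$EXT_IF" -p tcp --syn -d "$NAMESERVER" --dport 53 -m state --state NEW -j ACCEPT

    # log what the policy will drop; the trailing space in the prefix keeps
    # the log line readable ("INPUT-DROP IN=eth0" rather than "INPUT-DROPIN=")
    ipt -A INPUT -j LOG --log-prefix "INPUT-DROP "
    ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    ipt -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP "
}

fw_main() {
    case "$1" in
        start|restart|reload) printf '%s\n' "Starting Firewall"; fw_start ;;
        stop)   printf '%s\n' "Shutting down Firewall"; fw_stop ;;
        status) printf '%s\n' "Current Firewall rules"; fw_status ;;
        *) echo "Usage: $0 {start|stop|status|restart|reload}"; return 1 ;;
    esac
}

# Dispatch only when an argument is given, so the file can also be sourced.
# Review the rules without applying them: FW_DRY_RUN=1 sh fw-script start
[ $# -gt 0 ] && fw_main "$@"
```

    The dry run is the useful part for review: the printed list shows that the chain is created before the jump to it, that the ESTABLISHED,RELATED rule precedes the jump, and that the LOG rules come last so only packets the policy would drop are logged.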

    Part III: (optional) View the SuSEFirewall2 Configuration and Script

    The purpose of this exercise is to show you a sophisticated setup and its complexity.

    Do the following:

    1. View /etc/sysconfig/SuSEfirewall2 by using less.

    2. View the script /sbin/SuSEfirewall2 by using less.

    3. View the scripts /etc/init.d/SuSEfirewall2_* by using less.

    (End of Exercise)

    Exercise Answers

    Exercise 6-1 Get Familiar with Basic iptables Syntax, Part VI: Add Static Rules on 6-11:

    12. Why should you add ! --syn?

    The rule

    iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 -j ACCEPT

    allows all TCP packets from port 22 except the first packet of a TCP connection, which has only the SYN bit set. ! --syn prevents TCP connections starting from port 22 of another computer.

    In this way it is possible for you to contact other SSH servers and to receive their answers, but it is not possible to initiate a connection from port 22 of another computer to your computer, as the first packet of the TCP handshake is discarded.

    (End of Exercise)

    S E C T I O N 7 Application-level Gateway

    In this section of the workbook, you learn how to do the following:

    Install and Configure Squid on 7-2

    Configure SSL in Squid on 7-7

    Configure Proxy Authentication on 7-10

    Configure Content Filtering on 7-14

    Analyze Squid Log File on 7-17

    Use Dante on 7-19

    Configure rinetd on 7-25

    Exercise 7-1 Install and Configure Squid

    Use Mozilla in all Squid exercises. Konqueror does not handle proxy authentication very well, which might lead to confusing error messages.

    In this exercise you install and configure Squid and configure a web browser to test your Squid setup. For some parts of the exercise you will work with a partner.

    The exercise consists of the following parts:

    Part I: Install Squid and Mozilla

    Part II: Configure Squid

    Part III: Configure Mozilla to Use the Proxy

    Part IV: Monitor Access to Squid

    Part V: Test Your Partner's Proxy

    Part I: Install Squid and Mozilla

    To install Squid, do the following:

    1. Start YaST by selecting Start > System > YaST.

    2. When prompted for the root password, enter novell; then select OK.

    3. Start Package Manager by selecting

    Install and Remove Software

    on the right side of the YaST dialog.

    4. In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

    5. Enter squid in the Search field; then select Search.

    6. On the right side, select the check box before the squid entry in the Results list.

    7. In the Search field, enter mozilla; then select Search.

    8. On the right side, select the check box before the mozilla entry in the Results list.

    9. In the lower right corner of Package Manager, select Accept.

    10. When YaST displays a dialog about package dependencies, select OK.

    11. After all packages have been installed, close YaST by selecting Close.

    Part II: Configure Squid

    To configure Squid, do the following:

    1. Open a terminal and su to the root user.

    2. Open the file /etc/squid/squid.conf in a text editor.

    3. Find the configuration tag http