Securing Network using Linux

Upload: skyla

Post on 25-Feb-2016

TRANSCRIPT

Page 1

Securing Network using Linux

Page 2

Lesson Outline

• Setting up a secure system
• TCP Wrapper configuration
• Firewalls in Linux
• Authentication Systems
  – NIS
  – Kerberos

Page 3

Types of Security Threats

• Denial of Service (DoS)
  – This attack disrupts a service on the system, typically by exhausting its resources, so that legitimate users cannot reach it
• Intrusion
  – Unauthorised access, obtained by compromising a service or by logging in with a stolen password
• Snooping
  – This attack involves interception of another user's data: listening to all sensitive information transmitted over the network, such as the cleartext passwords of telnet and ftp
• Viruses, worms and Trojan horses

Page 4

Setting up a Secure System

• There are some very basic things that you have to do in order to secure your system
• Shutting down redundant services
  – Disable all network daemons (services) that the system does not need
  – Any network port that is listening for connections can be attacked through an exploit against the daemon behind it; a daemon that is not running cannot be exploited
  – To find out which ports are open, type as root: # netstat -an
  – netstat -an lists every socket; # netstat -tulpn (or, on systems that ship ss instead of netstat, # ss -tulpn) limits the output to listening TCP and UDP sockets and shows the process that owns each one

Page 5

Setting up a secure system (cont.)

• Looking in /etc/services, or passing -p to netstat, tells you which service is running on each port
• Check each port that looks unnecessary
• Examples of vulnerable services:
  – telnetd, ftpd, sendmail (SMTP authentication without TLS): they send passwords across the network in cleartext, so anyone able to snoop the traffic obtains them. Use ssh instead of telnet, and scp/sftp instead of ftp
• Shutting down a service involves editing the appropriate files on your system

Page 6

Setting up a Secure System (cont.)

• On RedHat-based systems (SysV init) daemons are started by scripts in the /etc/rc.d/init.d directory
• Depending on the runlevel, each daemon/service is linked from the appropriate rcX.d directory, where X is the runlevel, 0 to 6. Removing the S (start) link for a runlevel, or running chkconfig <service> off, keeps the daemon from starting at boot
• On systemd-based systems the equivalent is systemctl disable --now <service>, which stops the daemon and removes it from the boot configuration in one step
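The procedure on pages 4 to 6 (list listening sockets, identify the owning program, decide what to shut down) as a small triage script. This is an added example, not code from the slides: it reads ss -tulpnH output (the -H suppresses the header so every line is a socket) and flags listeners owned by programs on a deny-list of cleartext or legacy services. The program names in LEGACY_RE and the sample ss output are assumptions constructed for the demonstration, not captured from a real host.

```bash
#!/usr/bin/env bash
# Added example, not from the slides: triage of listening sockets.
# flag_legacy_listeners reads `ss -tulpnH` output (one socket per line)
# on stdin and prints every listener whose owning program is on a
# deny-list of cleartext/legacy services, with the address it is bound to.
# On a live host:   ss -tulpnH | flag_legacy_listeners
# SAMPLE_SS below is constructed for the demonstration, not captured.

# Programs worth disabling (assumption: your distro uses these names).
# Bracketed dots avoid backslash escapes, which awk -v would reinterpret.
LEGACY_RE='^(in[.]telnetd|telnetd|in[.]fingerd|in[.]ftpd|vsftpd|proftpd|rpcbind|sendmail)$'

flag_legacy_listeners() {
    awk -v re="$LEGACY_RE" '
    # ss -tulpnH columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
    # Process looks like: users:(("in.telnetd",pid=812,fd=3))
    {
        n = split($5, a, ":")                     # last piece is the port,
        port = a[n]                               # also for [::]:80
        addr = substr($5, 1, length($5) - length(port) - 1)
        prog = ""
        if (match($0, /\(\("[^"]+"/))             # program name inside (("...",
            prog = substr($0, RSTART + 3, RLENGTH - 4)
        if (prog != "" && prog ~ re)
            printf "%s/%s %s on %s\n", $1, port, prog, addr
    }'
}

# Constructed sample: one hardened listener (sshd), one web server, and
# four services the slides tell you to consider shutting down.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0 5   0.0.0.0:23    0.0.0.0:* users:(("in.telnetd",pid=812,fd=3))
tcp   LISTEN 0 128 0.0.0.0:21    0.0.0.0:* users:(("vsftpd",pid=820,fd=4))
tcp   LISTEN 0 100 127.0.0.1:25  0.0.0.0:* users:(("sendmail",pid=903,fd=5))
udp   UNCONN 0 0   0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=500,fd=6))
tcp   LISTEN 0 128 [::]:80       [::]:*    users:(("apache2",pid=1001,fd=4))'

printf '%s\n' "$SAMPLE_SS" | flag_legacy_listeners
```

The bind address matters when you prioritise: sendmail on 127.0.0.1 is reachable only from the host itself, while in.telnetd and vsftpd on 0.0.0.0 accept connections from every interface. A flagged program is a candidate, not a verdict; check who depends on it before running systemctl disable --now (or chkconfig off) on its unit.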

Page 7

Setting up a secure system (cont.)

• What to keep in mind all the time:
  – Never use simple passwords. Make them long and complex by mixing letters, symbols and numbers
  – Do NOT work on the root account unless absolutely necessary
  – Do not ignore the log files
  – Update your system on a regular basis

Page 8

TCP Wrapper Configuration

• A simple and effective way to protect the system
• TCP Wrappers "wrap" access to a service (e.g. the finger or telnet daemon), monitoring the connections to it and refusing unauthorised hosts
• It is used in conjunction with inetd and xinetd; a stand-alone daemon is covered only if it was built against the wrapper library, libwrap
• It is a good way to control access to services that do not provide any native access control mechanism

Page 9

TCP Wrapper Configuration (cont.)

• The TCP Wrapper is the first thing encountered when a connection is established to a service protected by the wrapper
• It is responsible for determining whether the connection comes from a source host that is allowed to connect
• Depending on whether you are using TCP Wrappers with inetd or with xinetd there are two different approaches

Page 10

TCP Wrapper Configuration (cont.) with inetd

• If the system is using the inetd daemon you have to edit the /etc/inetd.conf file to use the TCP wrapper
• Using TCP wrappers requires just a small change to /etc/inetd.conf
• E.g. for the finger daemon the line

  finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd

  has to be changed to:

  finger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.fingerd

  This causes the tcpd program, which is the TCP wrapper, to be executed in place of in.fingerd. tcpd checks the client against /etc/hosts.allow and /etc/hosts.deny and only then executes the real daemon, so the daemon never sees a refused connection
• The user field does not have to be root: in.fingerd runs as nobody, and a wrapped daemon should run with the lowest privilege that still works

Page 11

TCP Wrapper Configuration (cont.) with xinetd

• xinetd is the replacement for inetd adopted by some distros
• In most cases xinetd has built-in support for TCP wrappers (it is linked against libwrap), so no tcpd entry is needed
• You only need to edit the TCP wrapper configuration files (/etc/hosts.allow, /etc/hosts.deny)

Page 12

TCP Wrapper Configuration (cont.) with xinetd

• /etc/hosts.allow and /etc/hosts.deny specify the access rules that are applied when protecting a daemon
• When the TCP wrapper is invoked it obtains the IP address of the connecting host and, through a reverse DNS lookup, its hostname
• If the daemon/client pair matches a rule in /etc/hosts.allow then access to the daemon/service is permitted
• If no match is found, /etc/hosts.deny is consulted. If the pair matches a rule there, the connection is closed
• If no match exists in either file, access is granted. An empty or missing /etc/hosts.deny therefore protects nothing; end it with a catch-all rule
• The search order is always allow first, then deny, and the first matching rule wins. A hostname-based rule is only as trustworthy as the DNS that resolves the name, so prefer IP addresses and network prefixes in rules

Page 13

TCP Wrapper Configuration (cont.) with xinetd

• The syntax of those two files is simple
• Each file contains a set of rules, one per line
• General rule form:

  daemon_list : client_list : shell_command

  where daemon_list is a comma-separated list of daemons to which the rule applies (ALL matches every daemon), client_list is a comma-separated list of the hostnames, IP addresses or network prefixes (such as 192.168.1.) to which the rule applies (ALL matches every host, and list_1 EXCEPT list_2 matches list_1 minus list_2), and shell_command is optional, specifying a command to be executed when the rule matches

Page 14

TCP Wrapper Configuration (cont.) with xinetd

• Example rules:
  1. /etc/hosts.deny

     ALL: ALL    # Deny everything from everywhere

     If nothing is specified in /etc/hosts.allow, this rule refuses connections to any service from anyone
  2. /etc/hosts.deny

     ALL: ALL EXCEPT localhost

     Same as above, but connections from the local host are still accepted
  3. /etc/hosts.allow

     in.fingerd: ALL

     Combined with rule 1, this opens exactly one service (finger) to everyone and keeps every other wrapped service closed
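To check how pages 12 to 14 fit together before touching a real /etc/hosts.allow, here is an added example, not code from the slides: a bash simulator of the tcpd decision (allow file first, then deny file, default allow) for the rule syntax the slides use. It implements only that subset; it assumes a hosts-file line is "daemon_list : client_list [: command]" and ignores the command. The rule sets and client names fed to it are constructed for the demonstration. On a real host the tcpdmatch(8) tool that ships with TCP Wrappers answers the same question against the installed files.

```bash
#!/usr/bin/env bash
# Added example, not from the slides: a simulator of the hosts.allow /
# hosts.deny decision described on pages 12 to 14, so a rule set can be
# tried before it is installed. It covers the syntax the slides use:
# daemon names or ALL; client entries that are an exact host/IP, a
# trailing-dot network prefix (192.168.1.), a leading-dot domain suffix
# (.example.org), ALL, LOCAL (a name without a dot), plus "list EXCEPT list".
# The optional third field (shell command) is ignored. The real tcpd(8)
# supports more (KNOWN, PARANOID, netmasks, @netgroups): use tcpdmatch(8)
# against a real host rather than this script.

# Does one list token match the client (or daemon) name?
_token_match() {
    local tok=$1 name=$2
    case $tok in
        ALL)   return 0 ;;
        LOCAL) [[ $name != *.* ]] ;;
        .*)    [[ $name == *"$tok" ]] ;;     # domain suffix
        *.)    [[ $name == "$tok"* ]] ;;     # network prefix
        *)     [[ $name == "$tok" ]] ;;
    esac
}

# Does a comma/space separated list, possibly "a EXCEPT b", match the name?
# "a EXCEPT b EXCEPT c" is read as "a EXCEPT (b EXCEPT c)", as tcpd does.
_list_match() {
    local list=$1 name=$2 head rest tok
    local -a toks
    if [[ $list == *" EXCEPT "* ]]; then
        head=${list%% EXCEPT *}
        rest=${list#* EXCEPT }
        _list_match "$head" "$name" && ! _list_match "$rest" "$name"
        return
    fi
    IFS=', ' read -ra toks <<< "$list"
    for tok in "${toks[@]}"; do
        [[ -n $tok ]] && _token_match "$tok" "$name" && return 0
    done
    return 1
}

# Does any rule in the file text (daemon_list : client_list [: cmd]) match?
_rules_match() {
    local rules=$1 daemon=$2 client=$3 line dl cl cmd
    while IFS= read -r line; do
        line=${line%%#*}                            # strip comments
        [[ -z ${line//[[:space:]]/} ]] && continue  # skip blank lines
        IFS=':' read -r dl cl cmd <<< "$line"
        _list_match "$dl" "$daemon" && _list_match "$cl" "$client" && return 0
    done <<< "$rules"
    return 1
}

# tcpd_decide DAEMON CLIENT ALLOW_TEXT DENY_TEXT -> prints allow or deny.
# Order as on page 12: hosts.allow, then hosts.deny, and access is granted
# when neither file matches.
tcpd_decide() {
    local daemon=$1 client=$2 allow=$3 deny=$4
    if _rules_match "$allow" "$daemon" "$client"; then echo allow
    elif _rules_match "$deny" "$daemon" "$client"; then echo deny
    else echo allow
    fi
}

# The slides' rule sets, tried against two clients (constructed input).
DENY_ALL='ALL: ALL            # Deny everything from everywhere'
DENY_ALL_BUT_LOCAL='ALL: ALL EXCEPT localhost'
ALLOW_FINGER='in.fingerd: ALL'
for who in 10.1.2.3 localhost; do
    printf 'finger from %-9s  deny=ALL:ALL, allow=in.fingerd:ALL  -> %s\n' "$who" \
        "$(tcpd_decide in.fingerd "$who" "$ALLOW_FINGER" "$DENY_ALL")"
    printf 'telnet from %-9s  deny=ALL:ALL EXCEPT localhost       -> %s\n' "$who" \
        "$(tcpd_decide in.telnetd "$who" "" "$DENY_ALL_BUT_LOCAL")"
done
```

The loop shows the two points that trip people up: rule 3 opens finger to everyone only because rule 1 closes everything else, and with an empty hosts.allow the EXCEPT clause in rule 2 is the sole reason localhost still gets in. Remove hosts.deny entirely and every call returns allow.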

Page 15

Firewalls in Linux

• TCP Wrappers only work for services started through inetd/xinetd (or linked against libwrap)
• For stand-alone services another tool has to be used to control access
• In modern systems it is commonplace to get protection by IP filtering
• In IP filtering the kernel inspects each network packet transmitted or received by the host machine

Page 16

Firewalls in Linux (cont.)

• The kernel IP filtering mechanism decides whether to allow or deny each packet
• IP filtering does not by itself protect against DoS attacks, Trojans or viruses: it sees addresses, ports and connection state, not the content carried by a connection it has permitted
• IP filters take their decision according to packet header fields such as:
  – Protocol type (TCP, UDP, ICMP)
  – Source and destination IP addresses
  – Source and destination port numbers
• E.g. web servers like Apache listen on TCP port 80

Page 17

Firewalls in Linux (cont.)

• IP filtering in Linux is implemented by the kernel
• There are three IP filtering/firewall generations in Linux:
  – ipfw (IP firewall, configured with ipfwadm) for kernel versions 2.0.x
  – ipchains in kernel versions 2.2.x
  – netfilter/iptables from kernel version 2.4.x onwards
• netfilter is the kernel framework, while iptables is the user-space configuration tool
• Kernels 3.13 and later also ship nftables, the successor to iptables configured with the nft tool; current distributions may install iptables as a compatibility front end to it, so the commands below still work

Page 18

Firewalls in Linux (cont.)

• We are going to describe netfilter/iptables, which refers to kernel versions 2.4.x and later
• The iptables command allows rich and complex IP filtering rule definitions
• E.g.

  iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

  This command installs an IP filter rule that accepts new incoming connections to TCP port 22 (the ssh service) on our local system
• -m state is the older name of the connection-tracking match; on current kernels the same rule is written with -m conntrack --ctstate NEW

Page 19

Firewalls in Linux (cont.)

• A set of rules defined by iptables is called a chain. Packets are matched against a chain's rules in order, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides
• There are three built-in chains in the filter table:
  – INPUT: applies to packets received by the host itself
  – OUTPUT: applies to packets sent by the host
  – FORWARD: applies to all packets that are routed from one network interface (net card) of the system to another. Relevant when the system works as a router or gateway

Page 20

Firewalls in Linux (cont.)

• Actions (targets) that a rule can perform include:
  – ACCEPT: accepts the packet
  – DROP: drops the packet silently, i.e. refuses to transmit or receive it and sends nothing back (REJECT does the same but answers with an ICMP error or a TCP reset)
  – The default action (policy) of a chain can be configured to be either ACCEPT or DROP
• netfilter also allows:
  – Packet logging
  – Network Address Translation (NAT), including IP masquerading

Page 21

Firewalls in Linux (cont.)

• Each Linux distribution takes a slightly different approach to managing the firewall
• In RedHat-based distros all the rules are stored in /etc/sysconfig/iptables and loaded from there at boot
• You first specify the rules using the iptables command and then save them, typing as root:
  – /sbin/service iptables save
• On distributions without that service, iptables-save > file writes the running rules in the same format, and iptables-restore < file loads them back as one atomic set

Page 22

Firewalls in Linux (cont.)

  # Set the default policy of the INPUT chain to DROP.
  # -P sets the default action of the specified chain, so here packets
  # on the INPUT chain that match no rule are dropped.
  iptables -P INPUT DROP
  # ACCEPT all packets that have come from the loopback interface, that
  # is, from the local host. '-i lo' identifies the loopback interface.
  iptables -A INPUT -i lo -j ACCEPT

• Caution: if you type these lines interactively over ssh, the DROP policy takes effect immediately and, until the ESTABLISHED rule on the next page is added, cuts off your own session. Add the ACCEPT rules first and set the policy last, or load the whole rule set at once from a saved file
• -j here stands for "jump", meaning that if a packet matches the rule then processing jumps to the target that follows. Common targets after -j are:
  – ACCEPT: allow the packet
  – DROP: drop the packet
  – QUEUE: pass the packet to a user-space program for processing
  – RETURN: stop traversing this chain and continue in the chain that called it (in a built-in chain, apply the chain's policy)

Page 23

Firewalls in Linux (cont.)

  # ACCEPT packets belonging to an existing (ESTABLISHED, RELATED) connection.
  # '-A INPUT' appends to the INPUT chain. '-m state' uses the stateful
  # inspection (connection tracking) module.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # ACCEPT new incoming FTP control connections from 192.168.1.0/24.
  iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 \
      --dport 21 -j ACCEPT

• The second rule admits only the FTP control channel (port 21). FTP data connections use separate ports; they match the RELATED rule above only when the FTP connection-tracking helper (ip_conntrack_ftp on 2.4/2.6 kernels, nf_conntrack_ftp on current ones) is loaded
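The rules from pages 18, 22 and 23 assembled into one script, in an order that does not lock a remote administrator out. This is an added example, not a script from the slides: it assumes SSH on TCP port 22, a trusted LAN of 192.168.1.0/24, and a rate-limited log of dropped packets, and it spells the slides' -m state --state as the current -m conntrack --ctstate. Applying it needs root and a kernel with netfilter; the render_input_ruleset helper prints the commands instead, which is what the dry run at the end does.

```bash
#!/usr/bin/env bash
# Added example, not from the slides: the INPUT rules of pages 18, 22 and
# 23 as one script that cannot cut the SSH session building it.
# Assumptions (not from the slides): SSH on TCP port 22, trusted LAN
# 192.168.1.0/24, dropped packets logged at a limited rate.
# Run as root to apply. Set IPT=print_cmd, or call render_input_ruleset,
# to see the commands without touching the kernel.

IPT=${IPT:-iptables}
LAN=${LAN:-192.168.1.0/24}
SSH_PORT=${SSH_PORT:-22}

print_cmd() { printf 'iptables %s\n' "$*"; }   # dry-run stand-in for iptables

apply_input_ruleset() {
    # Open the policy and flush first, so a half-built chain never drops
    # the packets of the session that is building it.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -F INPUT
    # Loopback traffic: local services talk to each other over lo.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections already tracked; placed early because most
    # packets match here and never reach the per-service rules.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no tracked connection and are not a valid
    # start of one (stray ACKs, malformed scans).
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # New SSH sessions from anywhere (page 18's rule).
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # New FTP control connections from the LAN only (page 23's rule).
    # Data connections are accepted by the RELATED rule above only while
    # the nf_conntrack_ftp helper is loaded.
    "$IPT" -A INPUT -p tcp -s "$LAN" --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    # Log what is about to be dropped, at most 5 lines a minute.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
    # Only now make DROP the default (page 22's policy): everything wanted
    # is already accepted above it.
    "$IPT" -P INPUT DROP
}

# Print the commands in order instead of running them.
render_input_ruleset() {
    ( IPT=print_cmd; apply_input_ruleset )
}

render_input_ruleset
```

Two orderings are deliberate: the ESTABLISHED,RELATED rule precedes every NEW rule so that existing sessions, your own included, are never evaluated against the service rules, and the DROP policy is the last command, so there is no moment at which the chain is closed but incomplete. After applying, confirm with iptables -L INPUT -v -n --line-numbers.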

Page 24

Firewalls in Linux (cont.)

• You can see the list of rules currently applied on the system by typing:
  – iptables -L -v
• Add -n to skip DNS lookups of the addresses shown and --line-numbers to see each rule's position in the chain, e.g. iptables -L INPUT -v -n --line-numbers

Page 25

Reference – Using the iptables

Page 26