Advanced Unix

1
Advanced Unix

• Mid-Term Review Part 1Oct 11, 2005

2
nmap

• Port Scanner
• http//www.insecure.org/nmap/
• Useful tool for conducting system and network
  ports scans
• It is not a vulnerability scanner

3
Types of Scans

• TCP connect
• TYP SYN (a.k.a. half-open)
• TCP FIN (a.k.a. stealth)
• TCP SYN/FIN using IP fragments
• TCP ftp proxy (a.k.a. bounce attack)
• UCP raw ICMP port unreachable
• RPC scan
• ACK/WIN scan
• Ping scan

4
TCP connect

• Goal find open TCP ports option sT
• Open a connection to port p on the target
• If it succeeds, something is listening on that
  port
• Repeat for desired values of p
• Advantages
• fast can do many ports in parallel
• no special privileges needed
• Disadvantages
• easy to detect and block (filter)

5
TYP SYN (a.k.a. half-open)

• Goal find open TCP ports option sS
• Craft and send a SYN to port p on target
• ACK someone listening RST no-one listening
• Send RST to tear down (incipient) connection
• Repeat for desired values of p
• Advantages
• many sites dont log this
• Disadvantages
• need root to craft the initial SYN

6
Network Tools

• The netstat command (Page 521) is one such tool
• It will show you the number of tcp/udp
  connections and the services that are listening
  on your system
• Demo netstat

7
Network Tools

• One tool overlooked by the book is lsof
• lsof or "list open files" is one of the systems
  administrator's number one tools
• You trace what processes are using which services
  as well as which files are open and by which
  processes
• Demo lsof

8
Network Tools

• Many root kits deployed by vandals replace the
  tools an SA would use to detect the attack
• ps, ls, netstat, lsof, etc.
• Always have original binaries and/or the tool
  source code available

9
Network Services

• They are the Points of Attack
• Remove/Disable all unneeded services
• /etc/services a test file that relates the
  ports to the services (page 523)

10
TCP Wrappers

• For the services that you need to have running
  (Page 525)
• Provides for added access control
• The Super Daemon xinetd now has tcp wrappers
  built in so any service using xinetd can take
  advantage of tcp wrappers

11
TCP Wrappers

• Other services also use tcp wrappers such as
  Very Secure FTP
• vsftpd FTP server (Page 525)
• Controlled in the vsftpd configuration file
• Access to rsync can be controlled by TCP Wrappers
  via xinetd

12
TCP Wrappers

• Uses two files to define the access to the
  services
• /etc/hosts.allow
• /etc/hosts.deny
• You can create a deny-by-default to all services
  that use tcp wrappers
• Dont be misled into thinking this can secure you
  server 100
• Understand that not all services can or do use
  tcp wrappers
• tcp wrappers is not a Firewall but an access
  control

13
TCP Wrappers

• Good Example in the book (Page 526)
• Demo tcp wrappers
• hosts.allow
• hosts.deny

14
Firewalls

• Several types of Firewalls
• Packet filter
• Iptables layer 2 network
• Stateful filter
• Cisco PIX layer 3 and 4
• Stateful inspection
• Checkpoint Firewall-1
• Application proxy
• Sidewinder layers 5 thru 7
• Good reference for firewalls
• http//www.interhack.net/pubs/fwfaq/

15
Iptables

• iptables is a filtering firewall
• Comes standard as part of Linux
• Older versions of Linux have ipchains
• FC4 comes with a relatively good initial
  configuration
• Using chkconfig, check to see if your iptables is
  configured to start on boot
• chkconfig --list iptables

16
Iptables

• If is not then enabled it via the following
  command
• chkconfig levels 235 iptables on
• To start iptables enter
• /etc/init.d/iptables start
• Or
• service iptables start

17
Iptables

• Many ways to implement iptables
• Demo Shorewall
• See http//www.linuxguruz.com/iptables/

18
Iptables - IP Filter

• IP Filter
• Used to filter packets
• The command to enter a rule is called iptables
• The framework inside kernel is called Netfilter
• Full matching on IP, TCP, UDP and ICMP packet
  headers
• Lesser matching on other packet headers possible
• Exception in TCP is the Options field
• IP Filter rule consists of
• Insertion point, Matching IP and Target IP

19
Iptables - Stateful firewalling

• Full state matching (TCP, UDP ICMP)
• Other protocols
• Uses a generic connection tracking module
• The generic conntrack module is less specific
• Custom modules can be written
• Certain protocols are more complex
• Requires extra modules called "conntrack helpers"
• Examples are FTP, IRC (DCC), AH/ESP and ntalk

20
Iptables - Stateful firewalling (cont.)

• Userland states
• NEW
• All new connections
• Includes Non SYN TCP packets
• ESTABLISHED
• All connections that has seen traffic in both
  directions
• RELATED
• All connections/packets related to other
  connections
• Examples ICMP errors, FTP-Data, DCC
• INVALID
• Certain invalid packets depending on states
• E.g. FIN/ACK when no FIN was sent

21
Iptables - NAT

• NAT - Network Address Translation
• The science of switching Source or Destination
  Addresses
• Two types of NAT in Linux 2.4
• Netfilter NAT
• Fast NAT
• Usage
• Makes a LAN look as if it came from a single
  source (firewall)
• Netfilter NAT
• DNAT - Destination Network Address Translation
• SNAT - Source Network Address Translation
• Requires Connection tracking to keep states and
  expectations

22
Iptables - basic syntax

• iptables command options ltmatchesgt lttargetgt
• Commands
• append, insert, replace, delete, list, policy,
  etc.
• Options
• verbose, line numbers, exact, etc.
• Matches
• dport, dst, sport, src, states, TCP options,
  owner, etc.
• Targets
• ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.

23
Iptables - matches

• Protocol
• -p, --protocol ! protocol
• tcp, udp, icmp or all
• Numeric value
• /etc/protocols
• Destination IP Port
• -d, --destination ! address/mask
• Destination address
• Resolvable (/etc/resolve.conf)
• --dport, --destination-port ! portport
• Destination port
• Numeric or resolvable (/etc/services)
• Port range

24
Iptables - matches (cont.)

• Source IP Port
• -s, --source ! address/mask
• Source address
• Resolvable (/etc/resolve.conf)
• --sport, --source-port ! portport
• Source port
• Numeric or resolvable (/etc/services)
• Port range

25
Iptables - matches (cont.)

• Incoming and Outgoing interface
• -i, --in-interface ! interface
• -o, --out-interface ! interface

26
Iptables - targets

• ACCEPT
• Accepts the packet
• Ends further processing of the specific chain
• Ends processing of all previous chains
• Except other main chains and tables
• DROP
• Drops the packet
• No reply
• Ends all further processing

27
Iptables - targets (cont.)

• REJECT
• Drops packet
• Returns a reply
• User specified reply
• Calculated reply
• TCP-RST or ICMP errors
• Ends all further processing
• RETURN
• Returns from a chain to the calling chain

28
Iptables - a few simple rules

• iptables -A INPUT -p tcp -m state --state NEW !
  --syn -j REJECT --reject-with-tcp-reset
• iptables -A INPUT -p tcp --dport 801024 -j DROP
• iptables -A FORWARD -p tcp --dport 22113 -j DROP
• iptables -A FORWARD -p tcp --dport ftp-dataftp
  -j DROP
• iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
• iptables -A OUTPUT -p tcp -o lo -j ACCEPT
• iptables -P OUTPUT DROP

29
Iptables additional syntax

• Listing the rules
• -L, --list chain
• -F, --flush chain
• Flushes (erases) all rules in a chain
• Or a table
• -N, --new chain
• Creates a user-specified chain
• There must be no target with that name previously
• -X, --delete-chain chain
• Deletes a user-created chain
• No rules may reference the chain
• Can delete all user-created chains in a table

30
Iptables additional syntax

• Creating...
• iptables -t filter -N badtcppackets
• and Deleting a chain
• iptables -t filter -X badtcppackets
• and Deleting all user-created chains
• iptables -t filter -X

31
Logging

• Need to know
• where they are and what they contains
• permissions and ownership
• how often they are rotated
• You need to
• Review logfile contents regularly
• Archive important logs

32
Logging

• Pages 541-542 list most of the common logs
• These logs are found in the /var/log directory
• /var/log/messages
• /var/log/boot.log
• /var/log/wtmp
• /var/log/dmesg

33
Logging

• What to look for in a log?
• Unusual activity
• Take a look at your logs daily
• /var/log/messages
• /var/log/secure
• /var/log/sshd
• Other service related logs like ftpd, etc.

34
Logging

• Some common things
• Sendmail messages
• SSH logins/logouts
• FTP logins/logouts
• Based on what you see regularly, you will know
  when something is amuck.
• Common logchecking utilities are also an
  excellent way to keep tabs on your logs

35
Logcheck

• Was developed by Psionic (http//www.psionic.com)
• Portsentry
• Logcheck
• Easy configuration
• Very customizable
• Demo logcheck

36
Logwatch

• Part of FC3 default install
• It is a customizable, pluggable log-monitoring
  application
• It will go through your logs for a given
  period of time and make a report in the areas
  that you wish with the detail that you wish.
• Default setup is to email root daily

37
Syslog Daemon

• syslogd the system event logger
• how syslog works
• its configuration file
• the software that uses syslog
• debugging syslog

38
What gets logged?

• The accounting system
• The kernel
• Various utilities and applications
• many produce data that needs to be logged
• most of the data has a limited useful lifetime,
  and needs to be summarized, compressed, archived
  and eventually deleted

39
Logging policies

• Log data immediately
• Reset log files at periodic intervals
• Rotate log files, keeping data for a fixed time
• Compress and archive to tape or other permanent
  media

40
Logging Options

• Depends on
• how much disk space you have
• how security-conscious you are
• How important the system is
• Whatever scheme you select, regular maintenance
  of log files should be automated using cron

41
Throwing away log files

• not recommend
• security problems ( accounting data and log files
  provide important evidence of break-ins)
• helpful for alerting you to hardware and software
  problems.
• In general, keep one or two months
• in a real world, it may take one or two weeks for
  SA to realize that site has been compromised by a
  hacker and need to review the logs

42
Throwing away (cont.)

• Most sites store each days log info on disk,
  sometimes in a compressed format
• These daily files are kept for a specific period
  of time and then deleted
• One common way to implement this policy is called
  rotation

43
Rotating log files

• Keep backup files that are one day old, two days
  old, and so on.
• logfile, logfile.1 , logfile.2, logfile.7
• Each day rename the files to push older data
  toward the end of the chain
• script to archive three days files

44
Archiving log files

• Some sites must archive all accounting data and
  log files as a matter of policy, to provide data
  for a potential audit
• Log files should be first rotate on disk, then
  written to tape or other permanent media
• see chap 11, Backups

45
Finding log files

• Normally in /var/log but to locate log files you
  can read the system startup scripts /etc/rc
  or /etc/init.d/
• Some programs handle logging via syslog
• check /etc/syslog.conf to find out where this
  data goes
• Again, normally to /var/log

46
Finding log files

• Different operating systems put log files in
  different places
• /var/log/
• /var/cron/log
• /usr/adm
• /var/adm
• On linux, almost all the log files are in
  /var/log directory.

47
What is syslog

• A comprehensive logging system, used to manage
  information generated by the kernel and system
  utilities.
• Allow messages to be sorted by their sources and
  importance, and routed to a variety of
  destinations
• log files, users terminals, or even other
  machines.

48
Syslog three parts

• Syslogd and /etc/syslog.conf
• the daemon that does the actual logging
• its configuration file
• openlog, syslog, closelog
• library routines that programs use to send data
  to syslogd
• logger
• user-level command for submitting log entries

49
syslog-aware programs
Using syslog lib. Routines write log entries to a
special file
/dev/log
/dev/klog

reads
consults
syslogd

/etc/syslog.conf
dispatches
Other machines
Log files
Userss terminals
50
Configuring syslogd

• The configuration file /etc/syslog.conf controls
  syslogds behavior.
• It is a text file with simple format, blank lines
  and lines beginning with are ignored.
• Selector ltTABgt action
• eg. mail.info /var/log/maillog

51
Configuration file - Selector

• Identify
• source -- the program (facility) that is
  sending a log message
• importance -- the messagess severity level
• eg. mail.info /var/log/maillog
• Syntax
• facility.level
• facility names and severity levels must chosen
  from a list of defined values

52
Sample syslog output
Dec 27 024500 x-wing netinfod 71 cannt
lookup child Dec 27 025000 bruno ftpd
27876 open of pid file failed not a
directory Dec 27 025047 anchor vmunix
spurious VME interrupt at processor level 5 Dec
27 025217 bruno pingem107
moose.cs.colorado.edu has not answered 34
times Dec 27 025533 bruno sendmail 28040
host name/address mismatch 192.93.110.26 !
bull.bull..fr
53
Linux networking

• Understand basic configuration of Network
  Interface
• IP address
• Subnetmask
• Gateway
• Talk about other types of interfaces (PPP, IPSec,
  etc)
• Use network utilities (ipconfig, mii-tool, etc)

54
The TCP/IP protocol

• Internet Protocol (IP) address
• Four 8-bit numbers (Octets)
• Identifies a computer on the network
• Subnet mask
• Four 8-bit numbers
• Determine the network and host portions of an IP
  address
• Default gateway
• Router that sends packets to remote networks

55
Configuring a NIC interface

• ifconfig command
• Assigns TCP/IP configuration to a NIC
• Displays configuration of all network interfaces
• packet internet groper command
• Checks connectivity to other computers

56
Configuring a NIC interface

• Multiple Tools to accomplish this
• Command line ifconfig
• Curses based netconfig
• Graphical system-config-network

57
Name resolution

• Hostnames
• Name assigned to a computer
• Uses plain language
• Fully Qualified Domain Name (FQDN)
• Hostname that follows DNS convention
• Domain Name Space (DNS) server
• Resolves FQDNs to IP address

58
The Domain Name Space
59
Common network services

• Port
• Number that identifies a network service
• 65,535 possible ports
• Well-known port
• used by common networking services
• 0 to 1,024

60
traceroute command

• Used to troubleshoot routing
• Displays all routers between the current computer
  and a remote computer

61
The mii-tool

• An easy way to determine which speed is used by
  an Ethernet card
• The Ethernet card needs to have Media Independent
  Interface circuitry

62
Secure Shell Without Passwords

• Using ssh without passwords
• Everybody pair up
• Insure each of you has an account/password on
  each other system
• Refer to the Text Book for the commands and see
  if you can get this to work

63
Secure Shell Without Passwords

• When we last left the intrepid students they were
  struggling with secure shell and keys.
• But wait.Daria and Chuck have made it work.
• Is this the break through weve been waiting for?

64
Secure Shell Without Passwords

• Pair Up
• Insure you have an account on your partners
  system and you know the password
• Generate the ssh key
• cd /.ssh
• ssh-keyget t dsa
• Do not enter a passphrase when prompted
• (this generates public and private keys)

65
Secure Shell Without Passwords

• Copy public key from your system to your partners
• scp id_dsa.pub userid_at_partner/tmp
• Then enter the following (same line)
• ssh userid_at_partner cat /tmp/id_dsa.pub gtgt
  /home/userid/.ssh/authorized_keys2
• Clean up
• ssh userid_at_partner rm /tmp/id_dsa.pub