Advanced Unix - PowerPoint PPT Presentation

Provided by: bilbob
Learn more at: http://www.wildbill.org
1
Advanced Unix
  • Mid-Term Review Part 1, Oct 11, 2005

2
nmap
  • Port Scanner
  • http://www.insecure.org/nmap/
  • Useful tool for conducting system and network
    port scans
  • It is not a vulnerability scanner: it reports which
    ports answer, not whether the service behind them
    is exploitable

3
Types of Scans
  • TCP connect
  • TCP SYN (a.k.a. half-open)
  • TCP FIN (a.k.a. stealth)
  • TCP SYN/FIN using IP fragments
  • TCP FTP proxy (a.k.a. bounce attack)
  • UDP (raw ICMP port unreachable)
  • RPC scan
  • ACK/Window scan
  • Ping scan

4
TCP connect
  • Goal: find open TCP ports (option -sT)
  • Open a connection to port p on the target
  • If the connect() succeeds, something is listening
    on that port; a RST back means nothing is
  • Repeat for the desired values of p
  • Advantages
  • fast: many ports can be probed in parallel
  • no special privileges needed
  • Disadvantages
  • easy to detect and block (filter): the handshake
    completes, so the service on the target sees the
    connection and can log it

5
TCP SYN (a.k.a. half-open)
  • Goal: find open TCP ports (option -sS)
  • Craft and send a SYN to port p on the target
  • SYN/ACK back: something is listening; RST back:
    nothing is listening
  • Send a RST to tear down the incipient connection,
    so the handshake never completes
  • Repeat for the desired values of p
  • Advantages
  • many sites don't log this (the application never
    sees a connection, only the kernel does)
  • Disadvantages
  • need root to craft the initial SYN (raw sockets)
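The two scan types above differ in where the handshake stops. As an added example (not from the slides or from nmap's own code), the following Python script performs a TCP connect scan, the unprivileged -sT technique, against a listener it starts itself on 127.0.0.1, so it runs offline. It also shows the disadvantage the slide names: after the scan, the target's accept() returns the completed connection, i.e. the target saw it and could have logged it. A SYN scan cannot be shown this way because it needs raw sockets and root.

```python
# Added example, not from the slides: a TCP connect scan (what nmap -sT does),
# run against a listener this script starts itself on 127.0.0.1 so it works
# offline and without root. Port numbers are whatever the kernel hands out.
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def start_listener(host="127.0.0.1"):
    """Bind and listen on an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Find a port that is almost certainly closed: bind, note it, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """One connect(2) attempt: the full three-way handshake, then a close.
    open     -> handshake completed (something is listening)
    closed   -> RST came back (ECONNREFUSED)
    filtered -> no answer or an ICMP error (a packet filter in the way)"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))
    except OSError:
        rc = None
    finally:
        s.close()
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def connect_scan(host, ports, workers=32):
    """Scan many ports at once: the -sT advantages (fast, unprivileged)."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p), ports)
        return dict(zip(ports, states))


def demo():
    """Scan one open and one closed port, then show the -sT disadvantage:
    the target's accept() sees the completed connection, so it can log it."""
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        srv.settimeout(1.0)
        try:
            conn, peer = srv.accept()      # the scan left a connection in the backlog
            conn.close()
            seen_by_target = True
        except socket.timeout:
            seen_by_target = False
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "results": results, "seen_by_target": seen_by_target}


if __name__ == "__main__":
    print(demo())
```

The "closed" verdict relies on the RST that a closed port returns; a host behind a filter that silently drops the SYN instead shows up as "filtered", which is the same ambiguity nmap reports.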

6
Network Tools
  • The netstat command (Page 521) is one such tool
  • It will show you the number of tcp/udp
    connections and the services that are listening
    on your system
  • Demo netstat

7
Network Tools
  • One tool overlooked by the book is lsof
  • lsof, "list open files", is one of a system
    administrator's most valuable tools
  • You can trace which processes are using which
    network services, as well as which files are open
    and by which processes
  • Demo lsof

8
Network Tools
  • Many root kits deployed by intruders replace the
    tools an SA would use to detect the attack
  • ps, ls, netstat, lsof, etc.
  • Always keep known-good copies of the original
    binaries (e.g. on read-only media) and/or the tool
    source code available

9
Network Services
  • They are the Points of Attack
  • Remove/Disable all unneeded services
  • /etc/services is a text file that maps port
    numbers to service names (page 523)

10
TCP Wrappers
  • For the services that you need to have running
    (Page 525)
  • Provides for added access control
  • The Super Daemon xinetd now has tcp wrappers
    built in so any service using xinetd can take
    advantage of tcp wrappers

11
TCP Wrappers
  • Other services also use tcp wrappers such as
    Very Secure FTP
  • vsftpd FTP server (Page 525)
  • Controlled in the vsftpd configuration file
  • Access to rsync can be controlled by TCP Wrappers
    via xinetd

12
TCP Wrappers
  • Uses two files to define the access to the
    services
  • /etc/hosts.allow
  • /etc/hosts.deny
  • You can create a deny-by-default policy for all
    services that use tcp wrappers (ALL : ALL in
    hosts.deny)
  • Don't be misled into thinking this secures your
    server 100%
  • Understand that not all services can or do use
    tcp wrappers, and a client matched by neither
    file is allowed
  • tcp wrappers is not a firewall but an access
    control for individual services

13
TCP Wrappers
  • Good Example in the book (Page 526)
  • Demo tcp wrappers
  • hosts.allow
  • hosts.deny
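The evaluation order is the part worth getting right: hosts.allow is consulted first, then hosts.deny, and a (daemon, client) pair matched by neither file is allowed. As an added example (not from the slides or from the tcp_wrappers sources), the Python below re-implements that decision over two constructed rule files, following the pattern syntax of hosts_access(5): ALL, LOCAL, a leading-dot domain suffix, a trailing-dot address prefix, net/mask, and the EXCEPT operator.

```python
# Added example, not from the slides: the access decision TCP Wrappers
# (libwrap / tcpd) makes from hosts.allow and hosts.deny, re-implemented in
# Python to make the evaluation order visible. The two rule files are
# constructed for this demo; the matching rules follow hosts_access(5).
import ipaddress

HOSTS_ALLOW = """
# daemon_list : client_list
sshd   : 192.168.1. EXCEPT 192.168.1.66
sshd   : 10.0.0.0/255.255.255.0 .admin.example.com
vsftpd : LOCAL
ALL    : 127.0.0.1
"""

HOSTS_DENY = """
ALL : ALL
"""


def match_client(pattern, hostname, ip):
    """One client pattern against one client (hostname, dotted-quad address)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                     # any hostname without a dot
        return "." not in hostname
    if pattern.startswith("."):                # domain suffix, e.g. .example.com
        return hostname.endswith(pattern)
    if pattern.endswith("."):                  # address prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    if "/" in pattern:                         # net/mask (or CIDR) form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (hostname, ip)           # exact hostname or address


def match_list(tokens, matcher):
    """'a b EXCEPT c d' matches when (a or b) matches and (c or d) does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], matcher) and not match_list(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...]; comments and options are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def rule_matches(rule, daemon, hostname, ip):
    daemons, clients = rule
    return (match_list(daemons, lambda d: d in ("ALL", daemon))
            and match_list(clients, lambda c: match_client(c, hostname, ip)))


def hosts_access(daemon, hostname, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd's order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a client matched by neither file is ALLOWED.
    That last point is why the slide's deny-by-default (ALL : ALL) matters."""
    for rule in parse_rules(allow):
        if rule_matches(rule, daemon, hostname, ip):
            return "allow"
    for rule in parse_rules(deny):
        if rule_matches(rule, daemon, hostname, ip):
            return "deny"
    return "allow"
```

Calling hosts_access("httpd", "evil.example.net", "198.51.100.1", deny="") returns "allow": with an empty hosts.deny every unmatched client gets in, which is the failure mode the slide warns about. Hostname patterns also depend on reverse DNS the attacker may control, so address patterns are the safer choice.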

14
Firewalls
  • Several types of Firewalls
  • Packet filter
  • iptables (rules on IP, TCP and UDP headers: layers
    3 and 4; stateful with connection tracking, see
    later)
  • Stateful filter
  • Cisco PIX (layers 3 and 4)
  • Stateful inspection
  • Checkpoint Firewall-1
  • Application proxy
  • Sidewinder (layers 5 thru 7)
  • Good reference for firewalls
  • http://www.interhack.net/pubs/fwfaq/

15
Iptables
  • iptables is a filtering firewall
  • Comes standard as part of Linux (2.4 and later
    kernels)
  • Older versions of Linux (2.2) have ipchains
  • FC4 comes with a relatively good initial
    configuration
  • Using chkconfig, check to see if your iptables is
    configured to start on boot
  • chkconfig --list iptables

16
Iptables
  • If it is not, then enable it via the following
    command
  • chkconfig --level 235 iptables on
  • To start iptables enter
  • /etc/init.d/iptables start
  • Or
  • service iptables start

17
Iptables
  • Many ways to implement iptables
  • Demo Shorewall
  • See http://www.linuxguruz.com/iptables/

18
Iptables - IP Filter
  • IP Filter
  • Used to filter packets
  • The command to enter a rule is called iptables
  • The framework inside kernel is called Netfilter
  • Full matching on IP, TCP, UDP and ICMP packet
    headers
  • Lesser matching on other packet headers possible
  • Exception in TCP is the Options field
  • An IP Filter rule consists of
  • an insertion point (table and chain), match
    criteria and a target

19
Iptables - Stateful firewalling
  • Full state matching for TCP, UDP and ICMP
  • Other protocols
  • Use a generic connection tracking module
  • The generic conntrack module is less specific
  • Custom modules can be written
  • Certain protocols are more complex (a second
    connection is negotiated inside the first)
  • These require extra modules called "conntrack
    helpers"
  • Examples are FTP, IRC (DCC), AH/ESP and ntalk

20
Iptables - Stateful firewalling (cont.)
  • Userland states
  • NEW
  • The first packet of a connection that conntrack
    has not seen before
  • For TCP this includes non-SYN packets (e.g. a
    stray ACK), so rules usually reject NEW packets
    that are not SYNs
  • ESTABLISHED
  • Connections that have seen traffic in both
    directions
  • RELATED
  • Connections/packets related to an existing
    connection
  • Examples: ICMP errors, FTP-data, DCC
  • INVALID
  • Packets that do not fit any known connection or
    state
  • E.g. a FIN/ACK when no FIN was sent

21
Iptables - NAT
  • NAT - Network Address Translation
  • Rewriting the source or destination address of a
    packet as it passes through the firewall
  • Two types of NAT in Linux 2.4
  • Netfilter NAT
  • Fast NAT (routing-based)
  • Usage
  • Makes a LAN look as if all its traffic came from
    a single source (the firewall)
  • Netfilter NAT
  • DNAT - Destination Network Address Translation
  • SNAT - Source Network Address Translation
  • Requires connection tracking to keep state and
    expectations (replies must be translated back)

22
Iptables - basic syntax
  • iptables [-t table] command [options] <matches> -j <target>
  • Commands
  • append, insert, replace, delete, list, policy,
    etc.
  • Options
  • verbose, line numbers, exact, etc.
  • Matches
  • dport, dst, sport, src, states, TCP options,
    owner, etc.
  • Targets
  • ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.

23
Iptables - matches
  • Protocol
  • -p, --protocol [!] protocol
  • tcp, udp, icmp or all
  • Numeric value
  • /etc/protocols
  • Destination IP / port
  • -d, --destination [!] address[/mask]
  • Destination address
  • Numeric, or a resolvable name (/etc/resolv.conf)
  • --dport, --destination-port [!] port[:port]
  • Destination port
  • Numeric or resolvable (/etc/services)
  • Port range (low:high)

24
Iptables - matches (cont.)
  • Source IP / port
  • -s, --source [!] address[/mask]
  • Source address
  • Numeric, or a resolvable name (/etc/resolv.conf)
  • --sport, --source-port [!] port[:port]
  • Source port
  • Numeric or resolvable (/etc/services)
  • Port range (low:high)

25
Iptables - matches (cont.)
  • Incoming and Outgoing interface
  • -i, --in-interface [!] interface
  • -o, --out-interface [!] interface

26
Iptables - targets
  • ACCEPT
  • Accepts the packet
  • Ends processing of the current chain
  • And of the chains that called it (the packet
    leaves the built-in chain it entered)
  • It still traverses the chains of other tables
  • DROP
  • Drops the packet
  • No reply is sent
  • Ends all further processing

27
Iptables - targets (cont.)
  • REJECT
  • Drops packet
  • Returns a reply
  • User specified reply
  • Calculated reply
  • TCP-RST or ICMP errors
  • Ends all further processing
  • RETURN
  • Returns from a chain to the calling chain

28
Iptables - a few simple rules
  • iptables -A INPUT -p tcp -m state --state NEW !
    --syn -j REJECT --reject-with tcp-reset
  • iptables -A INPUT -p tcp --dport 80:1024 -j DROP
  • iptables -A FORWARD -p tcp --dport 22:113 -j DROP
  • iptables -A FORWARD -p tcp --dport ftp-data:ftp
    -j DROP
  • iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
  • iptables -A OUTPUT -p tcp -o lo -j ACCEPT
  • iptables -P OUTPUT DROP
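A chain is walked top to bottom and the first matching rule with a terminating target decides; anything unmatched gets the chain policy. As an added example (not from the slides and not netfilter code), the Python model below encodes the ruleset above with a small rule constructor of its own and traces constructed packets through INPUT, FORWARD and OUTPUT. It assumes the port ranges on the slide are 80:1024, 22:113 and ftp-data:ftp, and resolves service names from a hand-written subset of /etc/services.

```python
# Added example, not from the slides: a small model of how the filter table
# walks a chain, used here to trace the rules on this slide. Packets are
# constructed dicts and the rule constructor is this demo's own; it is not
# iptables/netfilter code, just its first-match semantics.

SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "auth": 113, "http": 80}  # subset of /etc/services


def port_range(spec):
    """'80:1024' -> (80, 1024); 'ftp-data:ftp' -> (20, 21); '22' -> (22, 22)."""
    lo, _, hi = spec.partition(":")
    lo = int(SERVICES.get(lo, lo))
    hi = int(SERVICES.get(hi, hi)) if hi else lo
    return lo, hi


def rule(target, proto=None, dport=None, state=None, syn=None, out=None, reject_with=None):
    """One -A rule: every given criterion must match (None = don't care).
    syn=False stands for '! --syn' (a TCP packet that is not a bare SYN)."""
    return {"target": target, "proto": proto,
            "dport": port_range(dport) if dport else None,
            "state": state, "syn": syn, "out": out, "reject_with": reject_with}


def matches(r, pkt):
    if r["proto"] and pkt["proto"] != r["proto"]:
        return False
    if r["dport"] and not (r["dport"][0] <= pkt.get("dport", -1) <= r["dport"][1]):
        return False
    if r["state"] and pkt.get("state") not in r["state"]:
        return False
    if r["syn"] is not None and pkt.get("syn") != r["syn"]:
        return False
    if r["out"] and pkt.get("out") != r["out"]:
        return False
    return True


def walk(chain, pkt, policy):
    """First matching rule decides (ACCEPT/DROP/REJECT end traversal);
    a packet that matches nothing gets the chain policy (-P)."""
    for r in chain:
        if matches(r, pkt):
            if r["target"] == "REJECT":
                return "REJECT %s" % r["reject_with"]
            return r["target"]
    return policy


# The slide's ruleset, in -A order, plus the -P OUTPUT DROP policy.
CHAINS = {
    "INPUT": [
        rule("REJECT", proto="tcp", state={"NEW"}, syn=False, reject_with="tcp-reset"),
        rule("DROP", proto="tcp", dport="80:1024"),
    ],
    "FORWARD": [
        rule("DROP", proto="tcp", dport="22:113"),
        rule("DROP", proto="tcp", dport="ftp-data:ftp"),
    ],
    "OUTPUT": [
        rule("ACCEPT", proto="tcp", out="eth0"),
        rule("ACCEPT", proto="tcp", out="lo"),
    ],
}
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "DROP"}


def verdict(chain_name, pkt):
    return walk(CHAINS[chain_name], pkt, POLICY[chain_name])


if __name__ == "__main__":
    # An ACK probe (nmap -sA style) arriving with no tracked connection:
    print(verdict("INPUT", {"proto": "tcp", "dport": 8080, "state": "NEW", "syn": False}))
```

Two things the trace makes visible: the first INPUT rule answers a NEW-but-not-SYN packet (the ACK scan case from the conntrack slide) with a reset, and with -P OUTPUT DROP plus only TCP accepts, an outbound UDP packet such as a DNS query is dropped. On a real host add the UDP and ICMP rules before switching the OUTPUT policy to DROP.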

29
Iptables additional syntax
  • Listing the rules
  • -L, --list [chain]
  • -F, --flush [chain]
  • Flushes (erases) all rules in a chain
  • Or, with no chain given, in the whole table
  • -N, --new-chain chain
  • Creates a user-defined chain
  • There must be no target with that name already
  • -X, --delete-chain [chain]
  • Deletes a user-defined chain
  • The chain must be empty and no rule may reference it
  • With no chain given, deletes all user-defined
    chains in the table

30
Iptables additional syntax
  • Creating...
  • iptables -t filter -N badtcppackets
  • and Deleting a chain
  • iptables -t filter -X badtcppackets
  • and Deleting all user-created chains
  • iptables -t filter -X

31
Logging
  • Need to know
  • where they are and what they contain
  • permissions and ownership
  • how often they are rotated
  • You need to
  • Review logfile contents regularly
  • Archive important logs

32
Logging
  • Pages 541-542 list most of the common logs
  • These logs are found in the /var/log directory
  • /var/log/messages
  • /var/log/boot.log
  • /var/log/wtmp
  • /var/log/dmesg

33
Logging
  • What to look for in a log?
  • Unusual activity
  • Take a look at your logs daily
  • /var/log/messages
  • /var/log/secure
  • /var/log/sshd
  • Other service related logs like ftpd, etc.

34
Logging
  • Some common things
  • Sendmail messages
  • SSH logins/logouts
  • FTP logins/logouts
  • Based on what you see regularly, you will know
    when something is amiss.
  • Common log-checking utilities are also an
    excellent way to keep tabs on your logs

35
Logcheck
  • Was developed by Psionic (http://www.psionic.com)
  • Portsentry
  • Logcheck
  • Easy configuration
  • Very customizable
  • Demo logcheck

36
Logwatch
  • Part of FC3 default install
  • It is a customizable, pluggable log-monitoring
    application
  • It will go through your logs for a given
    period of time and make a report in the areas
    that you wish with the detail that you wish.
  • Default setup is to email root daily

37
Syslog Daemon
  • syslogd the system event logger
  • how syslog works
  • its configuration file
  • the software that uses syslog
  • debugging syslog

38
What gets logged?
  • The accounting system
  • The kernel
  • Various utilities and applications
  • many produce data that needs to be logged
  • most of the data has a limited useful lifetime,
    and needs to be summarized, compressed, archived
    and eventually deleted

39
Logging policies
  • Log data immediately
  • Reset log files at periodic intervals
  • Rotate log files, keeping data for a fixed time
  • Compress and archive to tape or other permanent
    media

40
Logging Options
  • Depends on
  • how much disk space you have
  • how security-conscious you are
  • How important the system is
  • Whatever scheme you select, regular maintenance
    of log files should be automated using cron

41
Throwing away log files
  • Not recommended
  • Security problems: accounting data and log files
    provide important evidence of break-ins
  • They are also helpful for alerting you to hardware
    and software problems
  • In general, keep one or two months
  • In the real world it may take one or two weeks for
    the SA to realize that the site has been
    compromised by an intruder, and the logs from
    that period must still be there to review

42
Throwing away (cont.)
  • Most sites store each days log info on disk,
    sometimes in a compressed format
  • These daily files are kept for a specific period
    of time and then deleted
  • One common way to implement this policy is called
    rotation

43
Rotating log files
  • Keep backup files that are one day old, two days
    old, and so on.
  • logfile, logfile.1, logfile.2, ..., logfile.7
  • Each day rename the files to push older data
    toward the end of the chain
  • A script can archive three days' files this way
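The rename chain is simple, but two details decide whether the rotation actually works: the renames must run from the oldest copy downward so nothing is overwritten, and the daemon writing the log still has the old inode open after the rename, so it must be told to reopen the file. As an added example (not the slide's script), the Python below implements the scheme and exercises it on a constructed log in a temporary directory, keeping three days.

```python
# Added example, not from the slides: the rotation chain this slide describes
# (logfile -> logfile.1 -> ... -> logfile.N, oldest copy deleted), with two
# details a practitioner needs: the live file is recreated with its old mode,
# and the writer must be told to reopen it. Sample data is constructed.
import os
import shutil
import tempfile


def rotate(path, keep=7):
    """Shift logfile.(keep-1) -> logfile.keep ... logfile -> logfile.1.
    The copy that falls off the end is deleted; a fresh, empty logfile is created."""
    oldest = "%s.%d" % (path, keep)
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(keep - 1, 0, -1):           # count down so nothing is overwritten
        src = "%s.%d" % (path, n)
        if os.path.exists(src):
            os.rename(src, "%s.%d" % (path, n + 1))
    if os.path.exists(path):
        mode = os.stat(path).st_mode & 0o777
        os.rename(path, path + ".1")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
        os.chmod(path, mode)                    # same permissions as the old live file
    # A daemon that still has the file open keeps writing to logfile.1 (the
    # inode moved with the name). Real rotation scripts therefore signal the
    # writer to reopen, e.g. for syslogd: kill -HUP $(cat /var/run/syslogd.pid)


def simulate(days=9, keep=3):
    """Write one line per 'day' to a constructed log, rotate after each day,
    and return {filename: contents} for what is left."""
    tmp = tempfile.mkdtemp()
    log = os.path.join(tmp, "messages")
    try:
        for day in range(1, days + 1):
            with open(log, "a") as f:           # the day's writes to the live file
                f.write("day %d\n" % day)
            rotate(log, keep)
        result = {}
        for name in sorted(os.listdir(tmp)):
            with open(os.path.join(tmp, name)) as f:
                result[name] = f.read()
        return result
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, body in simulate().items():
        print(name, repr(body))
```

After nine days with keep=3 only messages, messages.1 (day 9), messages.2 (day 8) and messages.3 (day 7) remain; days 1 to 6 have been discarded, which is the policy decision the earlier slides ask you to make deliberately.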

44
Archiving log files
  • Some sites must archive all accounting data and
    log files as a matter of policy, to provide data
    for a potential audit
  • Log files should first be rotated on disk, then
    written to tape or other permanent media
  • see chap 11, Backups

45
Finding log files
  • Normally in /var/log, but to locate log files you
    can read the system startup scripts (/etc/rc*
    or /etc/init.d/)
  • Some programs handle logging via syslog
  • check /etc/syslog.conf to find out where this
    data goes
  • Again, normally to /var/log

46
Finding log files
  • Different operating systems put log files in
    different places
  • /var/log/
  • /var/cron/log
  • /usr/adm
  • /var/adm
  • On linux, almost all the log files are in
    /var/log directory.

47
What is syslog
  • A comprehensive logging system, used to manage
    information generated by the kernel and system
    utilities.
  • Allow messages to be sorted by their sources and
    importance, and routed to a variety of
    destinations
  • log files, users' terminals, or even other
    machines.

48
Syslog three parts
  • Syslogd and /etc/syslog.conf
  • the daemon that does the actual logging
  • its configuration file
  • openlog, syslog, closelog
  • library routines that programs use to send data
    to syslogd
  • logger
  • user-level command for submitting log entries

49
syslog-aware programs
  • Programs use the syslog library routines to write
    log entries to a special file, /dev/log (kernel
    messages arrive via /dev/klog)
  • syslogd reads /dev/log and /dev/klog, consults
    /etc/syslog.conf, and dispatches each message
  • Destinations: log files, users' terminals, or
    other machines
50
Configuring syslogd
  • The configuration file /etc/syslog.conf controls
    syslogds behavior.
  • It is a text file with a simple format; blank lines
    and lines beginning with # are ignored.
  • selector <TAB> action
  • eg. mail.info /var/log/maillog

51
Configuration file - Selector
  • Identify
  • source -- the program (facility) that is
    sending a log message
  • importance -- the message's severity level
  • eg. mail.info /var/log/maillog
  • Syntax
  • facility.level
  • facility names and severity levels must be chosen
    from a list of defined values
  • a level selects messages of that severity and
    higher
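The selector rules have two subtleties the example line hides: a level means "that severity and higher", and when several selectors on one line apply to the same facility (as in *.info;mail.none), the last one wins, which is how mail.none keeps mail traffic out of /var/log/messages. As an added example (not from the slides and not syslogd's code), the Python below parses a constructed syslog.conf in the usual Red Hat/Fedora layout and returns every action a given facility.severity message would be dispatched to.

```python
# Added example, not from the slides: how syslogd uses the facility.level
# selectors in /etc/syslog.conf to route a message, re-implemented in Python.
# The configuration below is constructed for the demo (it mirrors the usual
# Red Hat/Fedora layout); it is not the page's own config.

LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

SYSLOG_CONF = """
# selector<TAB>action   ('-' = no sync after each write, '@host' = remote, '*' = all users)
*.info;mail.none;authpriv.none\t/var/log/messages
authpriv.*\t/var/log/secure
mail.*\t-/var/log/maillog
kern.crit\t@loghost
*.emerg\t*
"""


def parse_conf(text):
    """-> [([(facilities, level), ...], action), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        parts = []
        for sel in selector.split(";"):
            fac, level = sel.split(".", 1)
            parts.append((fac.split(","), level))   # 'auth,authpriv.none' is one selector
        rules.append((parts, action.strip()))
    return rules


def level_selected(level, severity):
    """'info' means info and above; '=info' means exactly info; 'none' cancels."""
    if level == "none":
        return False
    if level == "*":
        return True
    if level.startswith("="):
        return severity == level[1:]
    return LEVELS.index(severity) >= LEVELS.index(level)


def route(facility, severity, conf=SYSLOG_CONF):
    """Every action a <facility>.<severity> message is dispatched to."""
    actions = []
    for selectors, action in parse_conf(conf):
        send = False
        for facilities, level in selectors:
            if "*" in facilities or facility in facilities:
                send = level_selected(level, severity)  # the LAST applicable selector wins
        if send:
            actions.append(action)
    return actions


if __name__ == "__main__":
    print(route("mail", "info"))     # only the mail log
    print(route("kern", "crit"))     # local file and the remote loghost
```

Note that route("kern", "err") reaches only /var/log/messages while "crit" also goes to @loghost: shipping the high severities to a second machine is the usual answer to an intruder who edits the local logs after a break-in.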

52
Sample syslog output
  Dec 27 02:45:00 x-wing netinfod[71]: can't lookup child
  Dec 27 02:50:00 bruno ftpd[27876]: open of pid file failed: not a directory
  Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
  Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
  Dec 27 02:55:33 bruno sendmail[28040]: host name/address mismatch: 192.93.110.26 != bull.bull.fr
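The log-checking slides earlier ask you to learn what is normal and flag the rest; this is what logcheck automates with pattern lists. As an added example (not from the slides and not logcheck's own code or pattern files), the Python below parses the sample lines above, plus two constructed sshd lines of the kind the "SSH logins/logouts" slide mentions, and sorts them the way logcheck does: lines matching attack keywords (minus known-noisy exceptions) become alerts, lines matching nothing in the ignore list are reported as unusual, and the rest is dropped. The pattern lists are written for this demo only.

```python
# Added example, not from the slides: a logcheck-style pass over syslog lines.
# The five lines from the slide plus two constructed sshd lines are parsed and
# sorted into "attack alert", "unusual event" and "known noise" using pattern
# lists written for this demo (logcheck ships its own, far longer, lists).
import re

SAMPLE_LOG = """\
Dec 27 02:45:00 x-wing netinfod[71]: can't lookup child
Dec 27 02:50:00 bruno ftpd[27876]: open of pid file failed: not a directory
Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
Dec 27 02:55:33 bruno sendmail[28040]: host name/address mismatch: 192.93.110.26 != bull.bull.fr
Dec 27 03:01:12 bruno sshd[3120]: Failed password for root from 198.51.100.7 port 4022 ssh2
Dec 27 03:02:40 bruno sshd[3125]: Accepted publickey for wbill from 192.168.1.10 port 51234 ssh2
"""

# Classic syslog line: "Mon dd hh:mm:ss host program[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Keywords that suggest an attack or a spoofing attempt ...
VIOLATIONS = [r"\bdenied\b", r"\brefused\b", r"\bfailed\b", r"\bmismatch\b", r"\bILLEGAL\b"]
# ... except these known-noisy matches, which are then judged like other lines.
VIOLATIONS_IGNORE = [r"^ftpd: open of pid file failed"]
# Routine traffic we have learned is normal for this site.
IGNORE = [r"^pingem: \S+ has not answered \d+ times$",
          r"^sshd: Accepted publickey for \w+ from [\d.]+ port \d+ ssh2$"]


def parse(line):
    """Split one syslog line into its fields; None if it is not syslog format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["key"] = "%s: %s" % (d["prog"], d["msg"])   # what the patterns are matched against
    return d


def _any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def check(log_text=SAMPLE_LOG):
    """Return {'attack': [...], 'unusual': [...], 'noise': [...], 'unparsed': [...]}."""
    report = {"attack": [], "unusual": [], "noise": [], "unparsed": []}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            report["unparsed"].append(line)
        elif _any(VIOLATIONS, rec["key"]) and not _any(VIOLATIONS_IGNORE, rec["key"]):
            report["attack"].append(rec["key"])
        elif not _any(IGNORE, rec["key"]):
            report["unusual"].append(rec["key"])
        else:
            report["noise"].append(rec["key"])
    return report


if __name__ == "__main__":
    for section, lines in check().items():
        print("== %s (%d)" % (section, len(lines)))
        for entry in lines:
            print("  " + entry)
```

On the sample, the sendmail host/address mismatch (a forged reverse-DNS record is one cause) and the failed root password become alerts, the netinfod, ftpd and vmunix messages are reported as unusual, and the pingem and successful-login lines are dropped as noise. Patterns are matched against program and message only, so the same lists work whatever the host or timestamp.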
53
Linux networking
  • Understand basic configuration of Network
    Interface
  • IP address
  • Subnetmask
  • Gateway
  • Talk about other types of interfaces (PPP, IPSec,
    etc)
  • Use network utilities (ifconfig, mii-tool, etc)

54
The TCP/IP protocol
  • Internet Protocol (IP) address
  • Four 8-bit numbers (Octets)
  • Identifies a computer on the network
  • Subnet mask
  • Four 8-bit numbers
  • Determine the network and host portions of an IP
    address
  • Default gateway
  • Router that sends packets to remote networks

55
Configuring a NIC interface
  • ifconfig command
  • Assigns TCP/IP configuration to a NIC
  • Displays configuration of all network interfaces
  • ping command (Packet InterNet Groper)
  • Checks connectivity to other computers

56
Configuring a NIC interface
  • Multiple Tools to accomplish this
  • Command line ifconfig
  • Curses based netconfig
  • Graphical system-config-network

57
Name resolution
  • Hostnames
  • Name assigned to a computer
  • Uses plain language
  • Fully Qualified Domain Name (FQDN)
  • Hostname that follows DNS convention
  • Domain Name System (DNS) server
  • Resolves FQDNs to IP addresses

58
The Domain Name Space
59
Common network services
  • Port
  • Number that identifies a network service
  • 65,536 possible ports (0 to 65,535)
  • Well-known ports
  • used by common networking services
  • 0 to 1,023 (binding to them requires root on Unix)

60
traceroute command
  • Used to troubleshoot routing
  • Displays all routers between the current computer
    and a remote computer

61
The mii-tool
  • An easy way to determine which speed is used by
    an Ethernet card
  • The Ethernet card needs to have Media Independent
    Interface circuitry

62
Secure Shell Without Passwords
  • Using ssh without passwords
  • Everybody pair up
  • Ensure each of you has an account/password on the
    other's system
  • Refer to the Text Book for the commands and see
    if you can get this to work

63
Secure Shell Without Passwords
  • When we last left the intrepid students they were
    struggling with secure shell and keys.
  • But wait. Daria and Chuck have made it work.
  • Is this the breakthrough we've been waiting for?

64
Secure Shell Without Passwords
  • Pair Up
  • Ensure you have an account on your partner's
    system and you know the password
  • Generate the ssh key pair
  • cd ~/.ssh
  • ssh-keygen -t dsa
  • Do not enter a passphrase when prompted (for this
    exercise only: a passphrase-less private key lets
    anyone who can read the file log in as you)
  • (this generates the private and public keys,
    id_dsa and id_dsa.pub)

65
Secure Shell Without Passwords
  • Copy your public key from your system to your
    partner's
  • scp id_dsa.pub userid@partner:/tmp
  • Then enter the following (on one line)
  • ssh userid@partner 'cat /tmp/id_dsa.pub >>
    /home/userid/.ssh/authorized_keys2'
  • (authorized_keys2 is the older OpenSSH name;
    current versions read ~/.ssh/authorized_keys)
  • Clean up
  • ssh userid@partner rm /tmp/id_dsa.pub