Title: Advanced Unix
1 Advanced Unix
- Mid-Term Review Part 1, Oct 11, 2005
2 nmap
- Port Scanner
- http://www.insecure.org/nmap/
- Useful tool for conducting system and network port scans
- It is not a vulnerability scanner
3 Types of Scans
- TCP connect
- TCP SYN (a.k.a. half-open)
- TCP FIN (a.k.a. stealth)
- TCP SYN/FIN using IP fragments
- TCP ftp proxy (a.k.a. bounce attack)
- UDP raw ICMP port unreachable
- RPC scan
- ACK/WIN scan
- Ping scan
4 TCP connect
- Goal: find open TCP ports (option -sT)
- Open a connection to port p on the target
- If it succeeds, something is listening on that port
- Repeat for desired values of p
- Advantages
- fast: can do many ports in parallel
- no special privileges needed
- Disadvantages
- easy to detect and block (filter)
5 TCP SYN (a.k.a. half-open)
- Goal: find open TCP ports (option -sS)
- Craft and send a SYN to port p on target
- ACK: someone listening; RST: no-one listening
- Send RST to tear down (incipient) connection
- Repeat for desired values of p
- Advantages
- many sites don't log this
- Disadvantages
- need root to craft the initial SYN
6 Network Tools
- The netstat command (Page 521) is one such tool
- It will show you the number of tcp/udp connections and the services that are listening on your system
- Demo netstat
7 Network Tools
- One tool overlooked by the book is lsof
- lsof, or "list open files", is one of the system administrator's number one tools
- You can trace what processes are using which services, as well as which files are open and by which processes
- Demo lsof
8 Network Tools
- Many root kits deployed by vandals replace the tools an SA would use to detect the attack: ps, ls, netstat, lsof, etc.
- Always have original binaries and/or the tool source code available
9 Network Services
- They are the Points of Attack
- Remove/Disable all unneeded services
- /etc/services: a text file that relates the ports to the services (page 523)
10 TCP Wrappers
- For the services that you need to have running (Page 525)
- Provides for added access control
- The Super Daemon xinetd now has tcp wrappers built in, so any service using xinetd can take advantage of tcp wrappers
11 TCP Wrappers
- Other services also use tcp wrappers, such as Very Secure FTP, the vsftpd FTP server (Page 525)
- Controlled in the vsftpd configuration file
- Access to rsync can be controlled by TCP Wrappers via xinetd
12 TCP Wrappers
- Uses two files to define the access to the services
- /etc/hosts.allow
- /etc/hosts.deny
- You can create a deny-by-default for all services that use tcp wrappers
- Don't be misled into thinking this can secure your server 100%
- Understand that not all services can or do use tcp wrappers
- tcp wrappers is not a Firewall but an access control
13 TCP Wrappers
- Good Example in the book (Page 526)
- Demo tcp wrappers
- hosts.allow
- hosts.deny
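The deny-by-default pattern from the previous slide, exercised with an added shell example (not code from the deck or from the tcp_wrappers package) that emulates how libwrap consults hosts.allow and then hosts.deny. It writes two constructed configurations to temporary directories rather than /etc, and supports only the common patterns ALL, an exact host, and a trailing-dot address prefix.

```shell
# Added example: emulate libwrap's hosts_access() decision for a daemon and
# client address, so deny-by-default can be exercised without touching /etc.
# Patterns: ALL, an exact host/address, or a trailing-dot prefix (192.168.1.).
wrap_match() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Does any "daemons : clients" line in FILE ($1) match DAEMON ($2), CLIENT ($3)?
wrap_file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clist=$(printf '%s' "${line#*:}" | tr ',' ' ')
        for d in $dlist; do
            wrap_match "$d" "$2" || continue
            for c in $clist; do
                wrap_match "$c" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

# hosts_access() order: a hosts.allow match grants, then a hosts.deny match
# refuses, and anything matched by neither file is allowed.
tcpd_decision() {
    if wrap_file_matches "$1/hosts.allow" "$2" "$3"; then echo allow
    elif wrap_file_matches "$1/hosts.deny" "$2" "$3"; then echo deny
    else echo allow
    fi
}

# Constructed configs in temp dirs: "open" has only hosts.allow, "strict"
# adds the ALL: ALL catch-all to hosts.deny (the deny-by-default pattern).
setup_wrapper_dir() {
    wdir=$(mktemp -d)
    printf 'sshd: 192.168.1.\n' > "$wdir/hosts.allow"
    if [ "$1" = strict ]; then printf 'ALL: ALL\n' > "$wdir/hosts.deny"; fi
    echo "$wdir"
}
open=$(setup_wrapper_dir open); strict=$(setup_wrapper_dir strict)
tcpd_decision "$open" in.telnetd 10.9.8.7      # allow: nothing denies it
tcpd_decision "$strict" in.telnetd 10.9.8.7    # deny
tcpd_decision "$strict" sshd 192.168.1.50      # allow
```

The first call is the point of the slide: without the ALL: ALL line in hosts.deny, a service nobody listed is still let in.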
14 Firewalls
- Several types of Firewalls
- Packet filter
- Iptables (layer 2, network)
- Stateful filter
- Cisco PIX (layers 3 and 4)
- Stateful inspection
- Checkpoint Firewall-1
- Application proxy
- Sidewinder (layers 5 thru 7)
- Good reference for firewalls
- http://www.interhack.net/pubs/fwfaq/
15 Iptables
- iptables is a filtering firewall
- Comes standard as part of Linux
- Older versions of Linux have ipchains
- FC4 comes with a relatively good initial configuration
- Using chkconfig, check to see if your iptables is configured to start on boot
- chkconfig --list iptables
16 Iptables
- If it is not, then enable it via the following command
- chkconfig --level 235 iptables on
- To start iptables enter
- /etc/init.d/iptables start
- Or
- service iptables start
17 Iptables
- Many ways to implement iptables
- Demo Shorewall
- See http://www.linuxguruz.com/iptables/
18 Iptables - IP Filter
- IP Filter
- Used to filter packets
- The command to enter a rule is called iptables
- The framework inside the kernel is called Netfilter
- Full matching on IP, TCP, UDP and ICMP packet headers
- Lesser matching on other packet headers possible
- Exception in TCP is the Options field
- IP Filter rule consists of
- Insertion point, Matching IP and Target IP
19 Iptables - Stateful firewalling
- Full state matching (TCP, UDP, ICMP)
- Other protocols
- Uses a generic connection tracking module
- The generic conntrack module is less specific
- Custom modules can be written
- Certain protocols are more complex
- Requires extra modules called "conntrack helpers"
- Examples are FTP, IRC (DCC), AH/ESP and ntalk
20 Iptables - Stateful firewalling (cont.)
- Userland states
- NEW
- All new connections
- Includes non-SYN TCP packets
- ESTABLISHED
- All connections that have seen traffic in both directions
- RELATED
- All connections/packets related to other connections
- Examples: ICMP errors, FTP-Data, DCC
- INVALID
- Certain invalid packets depending on states
- E.g. FIN/ACK when no FIN was sent
21 Iptables - NAT
- NAT: Network Address Translation
- The science of switching Source or Destination Addresses
- Two types of NAT in Linux 2.4
- Netfilter NAT
- Fast NAT
- Usage
- Makes a LAN look as if it came from a single source (firewall)
- Netfilter NAT
- DNAT: Destination Network Address Translation
- SNAT: Source Network Address Translation
- Requires Connection tracking to keep states and expectations
22 Iptables - basic syntax
- iptables command options <matches> <target>
- Commands
- append, insert, replace, delete, list, policy, etc.
- Options
- verbose, line numbers, exact, etc.
- Matches
- dport, dst, sport, src, states, TCP options, owner, etc.
- Targets
- ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.
23 Iptables - matches
- Protocol
- -p, --protocol [!] protocol
- tcp, udp, icmp or all
- Numeric value
- /etc/protocols
- Destination IP / Port
- -d, --destination [!] address/mask
- Destination address
- Resolvable (/etc/resolv.conf)
- --dport, --destination-port [!] port[:port]
- Destination port
- Numeric or resolvable (/etc/services)
- Port range
24 Iptables - matches (cont.)
- Source IP / Port
- -s, --source [!] address/mask
- Source address
- Resolvable (/etc/resolv.conf)
- --sport, --source-port [!] port[:port]
- Source port
- Numeric or resolvable (/etc/services)
- Port range
25 Iptables - matches (cont.)
- Incoming and Outgoing interface
- -i, --in-interface [!] interface
- -o, --out-interface [!] interface
26 Iptables - targets
- ACCEPT
- Accepts the packet
- Ends further processing of the specific chain
- Ends processing of all previous chains
- Except other main chains and tables
- DROP
- Drops the packet
- No reply
- Ends all further processing
27 Iptables - targets (cont.)
- REJECT
- Drops packet
- Returns a reply
- User specified reply
- Calculated reply
- TCP-RST or ICMP errors
- Ends all further processing
- RETURN
- Returns from a chain to the calling chain
28 Iptables - a few simple rules
- iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
- iptables -A INPUT -p tcp --dport 80:1024 -j DROP
- iptables -A FORWARD -p tcp --dport 22:113 -j DROP
- iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP
- iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
- iptables -A OUTPUT -p tcp -o lo -j ACCEPT
- iptables -P OUTPUT DROP
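Putting the states, matches and targets from the preceding slides together, here is an added deny-by-default ruleset as a shell script (example code, not from the deck). IPT defaults to echo so the rules are only printed; the LAN address range and the log prefixes are assumptions.

```shell
# Added example, not from the deck: a deny-by-default stateful ruleset built
# from the matches, states and targets reviewed above. IPT defaults to "echo"
# so the rules are only printed; run as root with IPT=iptables to apply them.
# LAN is an assumed management network.
IPT=${IPT:-echo}
LAN=${LAN:-192.168.1.0/24}

build_rules() {
    $IPT -F INPUT; $IPT -F OUTPUT
    # Policies: whatever no rule accepts is dropped.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback is always needed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Packets conntrack cannot place in any connection go first.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # A NEW TCP connection must begin with a bare SYN; anything else is a stray
    # or a stealth probe and gets a reset (the slide's first rule).
    $IPT -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
    # Traffic belonging to connections already tracked, in both directions.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The one service offered: ssh, only from the LAN, and each new session
    # logged so the log checks later in the deck have something to report.
    $IPT -A INPUT -p tcp -s "$LAN" --dport ssh -m state --state NEW -j LOG --log-prefix "ssh-new: "
    $IPT -A INPUT -p tcp -s "$LAN" --dport ssh -m state --state NEW -j ACCEPT
    # Outbound from this host: new DNS and web only.
    $IPT -A OUTPUT -p udp --dport domain -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports http,https -m state --state NEW -j ACCEPT
    # Anything left over is logged (rate-limited) and then falls to policy DROP.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "input-drop: "
}

build_rules
```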
29 Iptables additional syntax
- Listing the rules
- -L, --list [chain]
- -F, --flush [chain]
- Flushes (erases) all rules in a chain
- Or a table
- -N, --new chain
- Creates a user-specified chain
- There must be no target with that name previously
- -X, --delete-chain [chain]
- Deletes a user-created chain
- No rules may reference the chain
- Can delete all user-created chains in a table
30 Iptables additional syntax
- Creating...
- iptables -t filter -N badtcppackets
- and Deleting a chain
- iptables -t filter -X badtcppackets
- and Deleting all user-created chains
- iptables -t filter -X
31 Logging
- Need to know
- where they are and what they contain
- permissions and ownership
- how often they are rotated
- You need to
- Review logfile contents regularly
- Archive important logs
32 Logging
- Pages 541-542 list most of the common logs
- These logs are found in the /var/log directory
- /var/log/messages
- /var/log/boot.log
- /var/log/wtmp
- /var/log/dmesg
33 Logging
- What to look for in a log?
- Unusual activity
- Take a look at your logs daily
- /var/log/messages
- /var/log/secure
- /var/log/sshd
- Other service related logs like ftpd, etc.
34 Logging
- Some common things
- Sendmail messages
- SSH logins/logouts
- FTP logins/logouts
- Based on what you see regularly, you will know when something is amiss.
- Common logchecking utilities are also an excellent way to keep tabs on your logs
35 Logcheck
- Was developed by Psionic (http://www.psionic.com)
- Portsentry
- Logcheck
- Easy configuration
- Very customizable
- Demo logcheck
36 Logwatch
- Part of FC3 default install
- It is a customizable, pluggable log-monitoring application
- It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.
- Default setup is to email root daily
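What a log checker actually does, shown with an added shell example (not Logcheck or Logwatch code): lines matching known-benign patterns are ignored, everything else is reported, and repeated SSH password failures are summarized per source address. The sample log lines, host name and addresses are constructed.

```shell
# Added example: a tiny logcheck-style report. SAMPLE_LOG is constructed
# (same layout as the syslog output shown later: date, host, prog[pid]: msg).
SAMPLE_LOG=$(cat <<'EOF'
Dec 27 02:45:00 bruno sshd[2041]: Accepted publickey for alice from 192.168.1.50 port 51022 ssh2
Dec 27 02:45:09 bruno sshd[2043]: Failed password for root from 10.9.8.7 port 40211 ssh2
Dec 27 02:45:10 bruno sshd[2043]: Failed password for root from 10.9.8.7 port 40212 ssh2
Dec 27 02:45:11 bruno sshd[2043]: Failed password for invalid user admin from 10.9.8.7 port 40213 ssh2
Dec 27 02:46:00 bruno sendmail[2050]: a1b2c3: from=<alice@example.com>, size=320, nrcpts=1
Dec 27 02:47:30 bruno vsftpd[2061]: CONNECT: Client "10.9.8.7"
Dec 27 02:50:00 bruno syslogd 1.4.1: restart.
Dec 27 02:51:00 bruno kernel: input-drop: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.1.10 PROTO=TCP DPT=23
EOF
)

# Known-benign traffic you see every day. logcheck works the same way:
# whatever the ignore patterns do not match is "unusual" and gets reported.
IGNORE_RE='sshd\[[0-9]+\]: Accepted (publickey|password) for|sendmail\[[0-9]+\]: [0-9a-zA-Z]+: (from|to)=|syslogd [0-9.]+: restart'

# Print every line not covered by the ignore list (reads stdin).
unusual_lines() {
    grep -E -v "$IGNORE_RE"
}

# Count sshd password failures per source address and print those that
# reach the threshold (default 3), the signature of a password-guessing run.
failed_login_summary() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) printf "%s %d\n", ip, n[ip] }'
}

echo "== unusual lines =="
printf '%s\n' "$SAMPLE_LOG" | unusual_lines
echo "== repeated ssh failures =="
printf '%s\n' "$SAMPLE_LOG" | failed_login_summary 3
```

The ignore list is where the work is in practice: every pattern added to it is a class of message you have decided never needs a human to look at it.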
37 Syslog Daemon
- syslogd: the system event logger
- how syslog works
- its configuration file
- the software that uses syslog
- debugging syslog
38 What gets logged?
- The accounting system
- The kernel
- Various utilities and applications
- many produce data that needs to be logged
- most of the data has a limited useful lifetime,
and needs to be summarized, compressed, archived
and eventually deleted
39 Logging policies
- Log data immediately
- Reset log files at periodic intervals
- Rotate log files, keeping data for a fixed time
- Compress and archive to tape or other permanent media
40 Logging Options
- Depends on
- how much disk space you have
- how security-conscious you are
- How important the system is
- Whatever scheme you select, regular maintenance
of log files should be automated using cron
41 Throwing away log files
- Not recommended
- Security problems (accounting data and log files provide important evidence of break-ins)
- Helpful for alerting you to hardware and software problems
- In general, keep one or two months
- In the real world, it may take one or two weeks for an SA to realize that the site has been compromised by a hacker and needs to review the logs
42 Throwing away (cont.)
- Most sites store each day's log info on disk, sometimes in a compressed format
- These daily files are kept for a specific period of time and then deleted
- One common way to implement this policy is called rotation
43 Rotating log files
- Keep backup files that are one day old, two days old, and so on.
- logfile, logfile.1, logfile.2, ... logfile.7
- Each day rename the files to push older data toward the end of the chain
- Script to archive three days' files
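The rotation chain described above as an added shell script (not the deck's or the book's script): directory, file name and the number of generations are parameters, and the demo at the end runs four "days" in a scratch directory rather than /var/log.

```shell
# Added example (not from the deck): daily rotation of one log file,
# logfile -> logfile.1 -> logfile.2 ... logfile.KEEP, with generations older
# than one day gzip-compressed. Directory and file name are parameters so it
# can be tried on a scratch directory rather than /var/log.
rotate_log() {
    dir=$1; name=$2; keep=${3:-7}
    # The oldest generation drops off the end of the chain (plain or .gz).
    rm -f "$dir/$name.$keep" "$dir/$name.$keep.gz"
    # Walk from the highest surviving generation down, renaming each one
    # so that older data moves toward the end of the chain.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$dir/$name.$prev" ];    then mv "$dir/$name.$prev"    "$dir/$name.$i";    fi
        if [ -f "$dir/$name.$prev.gz" ]; then mv "$dir/$name.$prev.gz" "$dir/$name.$i.gz"; fi
        i=$prev
    done
    # Today's live file becomes .1 and an empty file takes its place. A daemon
    # such as syslogd still holds the old file open and must be told to reopen
    # (kill -HUP), which a real cron job would do right after this step.
    if [ -f "$dir/$name" ]; then
        mv "$dir/$name" "$dir/$name.1"
        touch "$dir/$name"
    fi
    # Compress yesterday's file once nothing is writing to it any more.
    if [ -f "$dir/$name.2" ]; then gzip -f "$dir/$name.2"; fi
}

# Constructed demo: simulate four days in a scratch directory, keeping 3.
demo_dir=$(mktemp -d)
for day in 1 2 3 4; do
    echo "entries for day $day" > "$demo_dir/messages"
    rotate_log "$demo_dir" messages 3
done
ls "$demo_dir"
```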
44 Archiving log files
- Some sites must archive all accounting data and log files as a matter of policy, to provide data for a potential audit
- Log files should first be rotated on disk, then written to tape or other permanent media
- See chap 11, Backups
45 Finding log files
- Normally in /var/log, but to locate log files you can read the system startup scripts /etc/rc or /etc/init.d/
- Some programs handle logging via syslog
- Check /etc/syslog.conf to find out where this data goes
- Again, normally to /var/log
46 Finding log files
- Different operating systems put log files in different places
- /var/log/
- /var/cron/log
- /usr/adm
- /var/adm
- On Linux, almost all the log files are in the /var/log directory.
47 What is syslog
- A comprehensive logging system, used to manage information generated by the kernel and system utilities.
- Allows messages to be sorted by their sources and importance, and routed to a variety of destinations: log files, users' terminals, or even other machines.
48 Syslog three parts
- Syslogd and /etc/syslog.conf
- the daemon that does the actual logging
- its configuration file
- openlog, syslog, closelog
- library routines that programs use to send data to syslogd
- logger
- user-level command for submitting log entries
49 syslog-aware programs
- (Diagram) syslog-aware programs use the syslog library routines to write log entries to the special files /dev/log and /dev/klog
- syslogd reads those files, consults /etc/syslog.conf, and dispatches the messages to other machines, log files, or users' terminals
50 Configuring syslogd
- The configuration file /etc/syslog.conf controls syslogd's behavior.
- It is a text file with a simple format; blank lines and lines beginning with # are ignored.
- Selector <TAB> action
- e.g. mail.info /var/log/maillog
51 Configuration file - Selector
- Identify
- source -- the program (facility) that is sending a log message
- importance -- the message's severity level
- e.g. mail.info /var/log/maillog
- Syntax
- facility.level
- facility names and severity levels must be chosen from a list of defined values
52 Sample syslog output
Dec 27 02:45:00 x-wing netinfod[71]: can't lookup child
Dec 27 02:50:00 bruno ftpd[27876]: open of pid file failed: not a directory
Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
Dec 27 02:55:33 bruno sendmail[28040]: host name/address mismatch: 192.93.110.26 != bull.bull..fr
53 Linux networking
- Understand basic configuration of a Network Interface
- IP address
- Subnet mask
- Gateway
- Talk about other types of interfaces (PPP, IPSec, etc.)
- Use network utilities (ifconfig, mii-tool, etc.)
54 The TCP/IP protocol
- Internet Protocol (IP) address
- Four 8-bit numbers (Octets)
- Identifies a computer on the network
- Subnet mask
- Four 8-bit numbers
- Determines the network and host portions of an IP address
- Default gateway
- Router that sends packets to remote networks
55 Configuring a NIC interface
- ifconfig command
- Assigns TCP/IP configuration to a NIC
- Displays configuration of all network interfaces
- ping (packet internet groper) command
- Checks connectivity to other computers
56 Configuring a NIC interface
- Multiple Tools to accomplish this
- Command line: ifconfig
- Curses based: netconfig
- Graphical: system-config-network
57 Name resolution
- Hostnames
- Name assigned to a computer
- Uses plain language
- Fully Qualified Domain Name (FQDN)
- Hostname that follows DNS convention
- Domain Name Space (DNS) server
- Resolves FQDNs to IP address
58 The Domain Name Space
59 Common network services
- Port
- Number that identifies a network service
- 65,535 possible ports
- Well-known port
- used by common networking services
- 0 to 1,024
60 traceroute command
- Used to troubleshoot routing
- Displays all routers between the current computer and a remote computer
61 The mii-tool
- An easy way to determine which speed is used by an Ethernet card
- The Ethernet card needs to have Media Independent Interface circuitry
62 Secure Shell Without Passwords
- Using ssh without passwords
- Everybody pair up
- Ensure each of you has an account/password on each other's system
- Refer to the Text Book for the commands and see if you can get this to work
63 Secure Shell Without Passwords
- When we last left the intrepid students they were struggling with secure shell and keys.
- But wait... Daria and Chuck have made it work.
- Is this the breakthrough we've been waiting for?
64 Secure Shell Without Passwords
- Pair Up
- Ensure you have an account on your partner's system and you know the password
- Generate the ssh key
- cd ~/.ssh
- ssh-keygen -t dsa
- Do not enter a passphrase when prompted
- (this generates public and private keys)
65 Secure Shell Without Passwords
- Copy the public key from your system to your partner's
- scp id_dsa.pub userid@partner:/tmp
- Then enter the following (same line; the quotes make the redirect happen on the partner's system, not yours)
- ssh userid@partner "cat /tmp/id_dsa.pub >> /home/userid/.ssh/authorized_keys2"
- Clean up
- ssh userid@partner rm /tmp/id_dsa.pub