Lesson LPI 202, Chapter 4: Advanced Linux Network Administration - System Security gives you the knowledge of ipchains and iptables, configuring a router, securing FTP servers, and more. With the specialized technical content it provides, this is a useful reference.
Chapter 07 Advanced Linux Network Administration System Security
SaigonCTT All rights reserved

Objectives
• Ipchains and Iptables
• Configuring a router
• Securing FTP servers
• Secure shell (OpenSSH)
• TCP_wrappers
• Security tasks

LPI Linux

What is a Firewall?
• A set of related programs that protects the resources of a private network from users on other networks.
• A mechanism for filtering network packets based on information contained within the IP header
• A means of maintaining sanity

Firewall Programs
• Ipfwadm: Linux kernel 2.0.34
• Ipchains: Linux kernel 2.2.*
• Iptables: Linux kernel 2.4.*

Firewalls
• Network Level
• Two Types
– Packet Filter
– Stateful Packet Inspection (SPI)
• IPTables is Both

Filtering
• Information Needed
– IP Address (Phone Number)
– Port (Extension)
• Can Filter by Source or Destination
• Can Filter by State

IPTables
• SPI
– NEW
– ESTABLISHED
– RELATED
– INVALID
• Network Address Translation (NAT)
– DNAT
– SNAT
– REDIRECT

IPTables (notes only)

IPTables
• Packet Mangling
– Modify Packets Before/After Decision
– Example: Prioritize Traffic
• Minimize-Delay
• Maximize-Reliability
• Minimize-Cost
• Normal-Service

IPTables

SSH key installation
• 3 versions of ssh: interoperability is good, but poorly documented
• The ssh-keyinstall utility automates the creation and installation of keys
– "ssh-keyinstall -s SshServerName" creates keys, if needed, and installs them on the remote server
– Need the password during key install only

Using SSH keys
• ssh SshServerName
• ssh -l UserName SshServerName
• ssh SshServerName CommandToRun
• ssh -v SshServerName

ssh-agent
• Remembers your private key(s)
• Other applications can ask ssh-agent to authenticate you automatically
• Unattended remote sessions
• ssh-agent bash
• ssh-agent startx
• eval `ssh-agent` # Less preferred
• ssh-add [KeyName]

File Transfer Protocol (sftp)
• Runs on top of the Connection Layer
• Provides file transfer
• Provides general file system access
• Driven by commands similar to FTP
• sshd server configuration: sshd_config
– Subsystem sftp /usr/local/libexec/sftp-server
• Client use: sftp username@sshserver

TCP_wrappers
• Services you do not need to offer should be disabled
• There are a number of ways to disable services:
– Disable the service in the xinetd server file /etc/xinetd.d/service_name with: disable = yes
– Delete the package (packagename) entirely
• Most Linux distributions ship with tcp_wrappers "wrapping" all your TCP services
• tcp_wrapper (tcpd) is invoked from inetd instead of the real server
• tcpd checks the host that is requesting the service, and either executes the real server or denies access from that host

TCP_wrappers
• Edit /etc/inetd.conf and replace the path to each network service daemon that you wish to place under access control with the path to tcpd
• For example, the entry for the finger daemon in /etc/inetd.conf:
    finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
• The value in the sixth field is /usr/sbin/in.fingerd. To monitor access to the finger daemon, replace this value with /usr/sbin/tcpd, as in the following entry:
    finger stream tcp6 nowait nobody /usr/sbin/tcpd in.fingerd

TCP_wrappers
• tcpd access control files
• /etc/hosts.allow: the list of hosts that are allowed to access the network's services
• /etc/hosts.deny: the list of hosts that are denied access
• The format of entries in both files is the same:
    servicelist : hostlist [: shellcommand]
• A hosts.allow file might contain:
    imapd, ipop3d : 172.16.12
    ALL EXCEPT imapd, ipop3d : ALL

Controlling Access with xinetd
• xinetd has capabilities similar to those of the wrapper
• xinetd reads the /etc/hosts.allow and /etc/hosts.deny files and implements the access controls defined in those files.
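The IPTables slides earlier in this chapter list the connection states (NEW, ESTABLISHED, RELATED, INVALID) and the NAT targets (DNAT, SNAT, REDIRECT) without showing a ruleset. The script below is an added example, not code from the SaigonCTT slides: it generates a small stateful router ruleset in the kernel 2.4 era `-m state` syntax the slides cover, with a default DROP policy, ESTABLISHED/RELATED pass-through, SSH allowed only from an admin network, SNAT for a private LAN, a DNAT port forward to an internal web server and a REDIRECT to a local proxy. Interface names, addresses and the proxy port are constructed placeholders, and the rules are printed for review before anything is applied.

```shell
#!/bin/sh
# Added example (not from the slides): stateful iptables ruleset generator.
# All interface names and addresses below are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"                 # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed private-LAN interface
WAN_IP="${WAN_IP:-203.0.113.1}"          # constructed public address for SNAT
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed private LAN
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}" # where new SSH sessions may come from
WEB_SRV="${WEB_SRV:-192.168.1.10}"       # constructed internal web server (DNAT target)

# fw_rules prints the ruleset, one iptables command per line, so it can be
# read, diffed and reviewed before it touches the kernel.
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "SSH-DROP: "
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports 3128
EOF
}

# fw_rule_count reports how many commands the generator emits (a sanity check
# when the ruleset is edited).
fw_rule_count() { fw_rules | grep -c '^iptables'; }

# fw_apply loads the printed rules; it refuses to run unless it is root and
# the iptables binary is present.
fw_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "fw_apply: must be root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "fw_apply: iptables not found" >&2; return 1; }
    fw_rules | sh -e
}

# Usage: "sh firewall.sh" prints the ruleset for review;
#        "sh firewall.sh apply" (as root) loads it.
if [ "${1:-}" = "apply" ]; then fw_apply; else fw_rules; fi
```

The order of the INPUT rules is the point of the example: INVALID packets are dropped first, replies to existing connections are accepted by state rather than by port, and only the NEW SSH rule from the admin network opens a listening service; everything else falls through to the logging rule and the DROP policy.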
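The TCP_wrappers slides give the `servicelist : hostlist` format and a two-line hosts.allow, but do not show how tcpd evaluates the two files together. The script below is an added example, not code from the slides: a simplified evaluator of hosts.allow/hosts.deny rules that applies tcpd's order (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted) over constructed sample files that mirror the slide's example with a catch-all `ALL : ALL` in hosts.deny. It understands ALL, EXCEPT, network prefixes ending in a dot (the form hosts_access(5) uses), the slide's dot-less prefix, and exact host names or addresses; the real tool for checking a live configuration is tcpdmatch(8).

```shell
#!/bin/sh
# Added example (not from the slides): simplified tcpd hosts.allow/hosts.deny
# evaluator. Limitations: one rule per line (no "\" continuation), the third
# ":shellcommand" field is ignored, and IPv6 addresses (which contain ":") are
# not supported.

# _list_match LIST ITEM -> exit 0 if ITEM is matched by LIST.
# LIST is a comma-separated list, optionally "a EXCEPT b EXCEPT c", which tcpd
# parses as (a EXCEPT (b EXCEPT c)).
_list_match() {
    printf '%s\n' "$1" | awk -v item="$2" '
    function one(pat, it) {
        if (pat == "ALL") return 1
        if (pat == it) return 1
        if (pat ~ /\.$/ && index(it, pat) == 1) return 1            # "172.16.12." net prefix
        if (pat ~ /^[0-9.]+$/ && index(it, pat ".") == 1) return 1  # slide style "172.16.12"
        return 0
    }
    function lst(s, it,   n, a, i) {
        gsub(/[ \t]+/, "", s); n = split(s, a, ",")
        for (i = 1; i <= n; i++) if (one(a[i], it)) return 1
        return 0
    }
    {
        gsub(/[ \t]+/, " ", $0)
        n = split($0, parts, " EXCEPT ")
        res = lst(parts[n], item)
        for (i = n - 1; i >= 1; i--) res = (lst(parts[i], item) && !res)
        exit (res ? 0 : 1)
    }'
}

# _file_match FILE SERVICE HOST -> exit 0 if any rule in FILE matches both.
_file_match() {
    [ -r "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
        svc=$(printf '%s' "$line" | cut -d: -f1)
        hosts=$(printf '%s' "$line" | cut -d: -f2)
        if _list_match "$svc" "$2" && _list_match "$hosts" "$3"; then
            echo match; break
        fi
    done | grep -q match
}

# tcpd_check SERVICE HOST -> prints ALLOW or DENY; exit 0 means access granted.
tcpd_check() {
    if _file_match "$HOSTS_ALLOW" "$1" "$2"; then echo ALLOW; return 0; fi
    if _file_match "$HOSTS_DENY" "$1" "$2"; then echo DENY; return 1; fi
    echo ALLOW; return 0   # tcpd default: no rule matched, access is granted
}

# Constructed sample files (the slide's hosts.allow plus a catch-all deny).
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
HOSTS_ALLOW="$TMPD/hosts.allow"; HOSTS_DENY="$TMPD/hosts.deny"
cat >"$HOSTS_ALLOW" <<'EOF'
# constructed sample mirroring the slide
imapd, ipop3d : 172.16.12.
ALL EXCEPT imapd, ipop3d : ALL
EOF
cat >"$HOSTS_DENY" <<'EOF'
ALL : ALL
EOF

# Demo: mail services only from the 172.16.12 network, finger from anywhere.
for svc in imapd in.fingerd; do
    for host in 172.16.12.5 10.0.0.9; do
        printf '%-12s from %-12s: ' "$svc" "$host"; tcpd_check "$svc" "$host" || true
    done
done
```

Note what the catch-all in hosts.deny buys: without it, a service that is not named in hosts.allow is still granted access by tcpd's default, so the slide's hosts.allow alone would not restrict anything beyond imapd and ipop3d.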
• Additionally, xinetd provides its own logging and its own access controls
• The three parameters are:
– only_from: identifies the hosts that are allowed to connect to the service
– no_access: defines the hosts that are denied access to the service
– access_times: defines the time of day a service is available, in the form hour:min-hour:min

Controlling Access with xinetd
• /etc/xinetd.d/imap
    # default: off
    # description: The IMAP service allows remote users to access their mail using \
    #              an IMAP client such as Mutt, Pine, fetchmail, or Netscape Communicator
    service imap
    {
        disable        = no
        socket_type    = stream
        wait           = no
        user           = root
        server         = /usr/sbin/imapd
        only_from      = 127.0.0.1
        bind           = 127.0.0.1
        log_on_success += HOST DURATION
        log_on_failure += HOST
    }

lsof
• Show open files used by processes:
    lsof
    lsof | grep LISTEN
• Traditionally used to list PIDs of processes running on a given directory:
    lsof +D DIRECTORY
• lsof can also be used to display network sockets.
– For example, the following line will list all Internet connections:
    lsof -i

lsof output
• COMMAND: name of the process
• PID: process ID
• USER: name of the user to whom the process belongs
• FD: file descriptor (e.g. u = read/write, r = read, w = write)
• TYPE: the file type (e.g. REG = regular file)
• DEVICE: major/minor number (e.g. 3,16 = /dev/hda16)
• SIZE: size or offset of the file
• NODE: inode of the file
• NAME: the name of the file

NMAP
• nmap: network exploration tool and security scanner
• Example: scan an IP range to find open ports and the OS:
    nmap -sS -O 10.11.2.1-100
• Scan Types:
– SYN or half-open: -sS
– UDP: -sU
– TCP NULL: -sN
– TCP Xmas: -sX
– ... many more: ACK scan -sA, RPC scan -sR

Other tools
• tcpdump: dump traffic on a network
• netstat: print network connections, routing tables
• Main options:
– -r: display routing tables
– -l: only listening services
– -C: display route cache
– --inet: restrict to network sockets

Security tasks
• Keep up with security alerts from Bugtraq, CERT, CIAC or other sources
• Test for open mail relays and anonymous FTP servers
• Install and configure an intrusion detection system such as snort or Tripwire
• Update the IDS configuration as new vulnerabilities are discovered
• Apply security patches and bugfixes

Summary
• Ipchains and Iptables
• Configuring a router
• Securing FTP servers
• Secure shell (OpenSSH)
• TCP_wrappers
• Security tasks

IPTables
[Figure: IP and TCP header fields used for filtering. IP header: Source Address, Destination Address. TCP header: Source Port, Destination Port, Sequence Number, Acknowledgment Number, Control bits.]

Ipchains packet traversal
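The lsof and netstat slides above show how to list listening sockets (`lsof | grep LISTEN`, `lsof -i`, `netstat -l`) and the xinetd slide shows `bind = 127.0.0.1` as the way to keep a service off the network. The script below is an added example, not code from the slides, tying the two together: it parses `lsof -i -n -P` style output and reports every LISTEN socket that is bound to an external address and not on an expected-port list, which is the check behind the "disable services you do not need to offer" slide. The input is a constructed lsof sample embedded in the script; on a real host, pipe the live command into `exposed_listeners`.

```shell
#!/bin/sh
# Added example (not from the slides): inventory of exposed listening sockets
# from lsof -i output. The sample below is constructed, not captured.

# sample_lsof prints constructed "lsof -i -n -P" output: sshd on all
# addresses, imapd on loopback only (as the xinetd slide configures it),
# finger on all addresses, a UDP socket and an established session.
sample_lsof() {
    cat <<'EOF'
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812   root    3u  IPv4   9321      0t0  TCP *:22 (LISTEN)
imapd      1045  root    5u  IPv4  10233      0t0  TCP 127.0.0.1:143 (LISTEN)
in.fingerd 1102  nobody  4u  IPv6  10401      0t0  TCP *:79 (LISTEN)
named      990   named  20u  IPv4   9877      0t0  UDP 192.0.2.10:53
sshd       2210  alice   3u  IPv4  20011      0t0  TCP 192.0.2.10:22->198.51.100.7:51322 (ESTABLISHED)
EOF
}

# listening_sockets: stdin = lsof -i output; prints one line per LISTEN socket:
#   PROTO PORT BIND_ADDR COMMAND PID USER
# The NAME field ($9) looks like "*:22", "127.0.0.1:143" or "[::1]:143";
# the port is everything after the last ":".
listening_sockets() {
    awk '$NF == "(LISTEN)" {
        n = split($9, a, ":"); port = a[n]
        addr = substr($9, 1, length($9) - length(port) - 1)
        printf "%s %s %s %s %s %s\n", $8, port, addr, $1, $2, $3
    }'
}

# exposed_listeners PORT...: stdin = lsof -i output; reports listeners that
# are reachable from the network (not bound to loopback) and whose port is
# not in the expected list given as arguments.
exposed_listeners() {
    expected=" $* "
    listening_sockets | while read -r proto port addr cmd pid user; do
        case "$addr" in 127.0.0.1|::1|"[::1]") continue ;; esac   # loopback only
        case "$expected" in *" $port "*) continue ;; esac          # expected service
        echo "UNEXPECTED $proto/$port on $addr: $cmd (pid $pid, user $user)"
    done
}

# count_exposed PORT...: number of unexpected external listeners on stdin.
count_exposed() { exposed_listeners "$@" | grep -c '^UNEXPECTED'; }

# Demo against the constructed sample, with SSH as the only expected service.
# On a live host: lsof -i -n -P | exposed_listeners 22
sample_lsof | exposed_listeners 22
```

In the sample only the finger daemon is reported: sshd is on the expected list, and imapd is bound to 127.0.0.1 exactly as the xinetd `bind = 127.0.0.1` line arranges, so it never appears as a network exposure. Anything the script prints is a candidate for the slide's remedies: disable it in xinetd, wrap it with tcpd, or remove the package.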