Advanced Unix

  1. Advanced Unix Mid-Term Review Part 1, Oct 11, 2005

  2. nmap • Port Scanner • http://www.insecure.org/nmap/ • Useful tool for conducting system and network port scans • It is not a vulnerability scanner

  3. Types of Scans • TCP connect • TCP SYN (a.k.a. half-open) • TCP FIN (a.k.a. stealth) • TCP SYN/FIN using IP fragments • TCP ftp proxy (a.k.a. bounce attack) • UDP raw ICMP port unreachable • RPC scan • ACK/WIN scan • Ping scan

  4. TCP connect Goal: find open TCP ports; option -sT • Open a connection to port p on the target • If it succeeds, something is listening on that port • Repeat for desired values of p Advantages: • fast; can do many ports in parallel • no special privileges needed Disadvantages: • easy to detect and block (filter)

  5. TCP SYN (a.k.a. half-open) Goal: find open TCP ports; option -sS • Craft and send a SYN to port p on target • SYN/ACK: someone listening; RST: no-one listening • Send RST to tear down the (incipient) connection • Repeat for desired values of p Advantages: • many sites don’t log this Disadvantages: • need root to craft the initial SYN

  6. Network Tools • The netstat command (Page 521) is one such tool • It will show you the number of tcp/udp connections and the services that are listening on your system • Demo netstat

  7. Network Tools • One tool overlooked by the book is lsof • lsof or "list open files" is one of the systems administrator's number one tools • You can trace which processes are using which services, as well as which files are open and by which processes • Demo lsof

  8. Network Tools • Many “root kits” deployed by vandals replace the tools an SA would use to detect the attack • ps, ls, netstat, lsof, etc. • Always have original binaries and/or the tool source code available

  9. Network Services • They are the Points of Attack • Remove/Disable all unneeded services • /etc/services – a text file that relates the ports to the services (page 523)
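The check a practitioner would run at this point, written here as an added example rather than anything from the course slides: parse a `netstat -tuln` listing and flag listeners that are not on the list of services the host is supposed to provide. The netstat capture, the /etc/services subset and the expected-service list are all constructed for the example.

```python
import re

# Constructed sample of `netstat -tuln` output (not a capture from a real host).
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Stand-in for the relevant /etc/services entries (assumed subset).
SERVICES = {("tcp", 22): "ssh", ("tcp", 25): "smtp", ("udp", 123): "ntp"}

# Services this host is meant to offer; anything else is a candidate for removal.
EXPECTED = {"ssh", "smtp", "ntp"}

# proto, recv-q, send-q, local addr:port, foreign addr:port, optional LISTEN
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+LISTEN)?\s*$")

def parse_listeners(text):
    """Return (proto, bind_address, port) for every listening-socket line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), m.group(2), int(m.group(3))))
    return listeners

def audit(text, services=SERVICES, expected=EXPECTED):
    """Return listeners not on the allow-list, tagged with their service name
    ('unknown' when the port has no /etc/services entry)."""
    unexpected = []
    for proto, addr, port in parse_listeners(text):
        name = services.get((proto, port), "unknown")
        if name not in expected:
            unexpected.append((proto, addr, port, name))
    return unexpected

if __name__ == "__main__":
    # Trust this only if netstat itself is a known-good binary (slide 8): a root
    # kit that replaces netstat can hide exactly the listener you are looking for.
    for entry in audit(NETSTAT_OUTPUT):
        print("unexpected listener:", entry)
```

Cross-check the result against lsof run from original media, since both tools read the same kernel state but a trojaned netstat will not report what it was built to hide.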

  10. TCP Wrappers • For the services that you need to have running (Page 525) • Provides for added access control • The Super Daemon xinetd now has tcp wrappers built in so any service using xinetd can take advantage of tcp wrappers

  11. TCP Wrappers • Other services also use tcp wrappers such as “Very Secure FTP” • vsftpd FTP server (Page 525) • Controlled in the vsftpd configuration file • Access to rsync can be controlled by TCP Wrappers via xinetd

  12. TCP Wrappers • Uses two files to define the access to the services • /etc/hosts.allow • /etc/hosts.deny • You can create a deny-by-default for all services that use tcp wrappers • Don’t be misled into thinking this can secure your server 100% • Understand that not all services can or do use tcp wrappers • tcp wrappers is not a Firewall but an access control mechanism

  13. TCP Wrappers • Good Example in the book (Page 526) • Demo: tcp wrappers • hosts.allow • hosts.deny
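An added illustration of the hosts.allow / hosts.deny decision described on slides 12 and 13; it is a simplified model written for this page, not libwrap's own code. It supports only ALL, exact hosts or addresses, "prefix." networks, ".suffix" domains and EXCEPT lists (no hostname lookups, netmasks or shell commands), and the sample policy files are constructed.

```python
def _match_client(pattern, client):
    """Client patterns: ALL, exact host/address, 'prefix.' network, '.suffix' domain."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # e.g. 192.168.1.
        return client.startswith(pattern)
    if pattern.startswith("."):          # e.g. .example.org
        return client.endswith(pattern)
    return client == pattern

def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon

def _match_list(field, value, matcher):
    """'a b EXCEPT c d' matches when a or b matches and neither c nor d does."""
    head, _, tail = field.partition(" EXCEPT ")
    if not any(matcher(p, value) for p in head.split()):
        return False
    return not any(matcher(p, value) for p in tail.split())

def _file_matches(text, daemon, client):
    """True if some 'daemon_list : client_list' line in the file matches."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                     # malformed line, skipped
        if _match_list(fields[0], daemon, _match_daemon) and \
           _match_list(fields[1], client, _match_client):
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, client):
    """Return True when the connection is permitted.  Search order is the one
    tcpd uses: hosts.allow first (a match grants), then hosts.deny (a match
    denies); if neither file matches, the connection is allowed."""
    if _file_matches(allow_text, daemon, client):
        return True
    if _file_matches(deny_text, daemon, client):
        return False
    return True

# Constructed sample policy: deny by default, open only what is needed.
HOSTS_ALLOW = """\
# sshd from the local net, except one box that is not trusted
sshd: 192.168.1. EXCEPT 192.168.1.99
vsftpd: .example.org
"""
HOSTS_DENY = "ALL: ALL\n"   # without this line, unlisted daemons stay wide open
```

The last assertion-worthy case is the one the slide warns about: with an empty hosts.deny, a wrapped daemon that appears in neither file accepts everyone.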

  14. Firewalls • Several types of Firewalls: • Packet filter • Iptables – layer 2 network • Stateful filter • Cisco PIX – layer 3 and 4 • Stateful inspection • Checkpoint Firewall-1 • Application proxy • Sidewinder – layers 5 thru 7 • Good reference for firewalls: http://www.interhack.net/pubs/fwfaq/

  15. Iptables • iptables is a filtering firewall • Comes standard as part of Linux • Older versions of Linux have ipchains • FC4 comes with a relatively good initial configuration • Using chkconfig, check to see if your iptables is configured to start on boot: chkconfig --list iptables

  16. Iptables • If it is not, enable it via the following command: chkconfig --level 235 iptables on • To start iptables enter: /etc/init.d/iptables start or service iptables start

  17. Iptables • Many ways to implement iptables • Demo Shorewall • See: http://www.linuxguruz.com/iptables/

  18. Iptables - IP Filter • IP Filter • Used to filter packets • The command to enter a rule is called iptables • The framework inside the kernel is called Netfilter • Full matching on IP, TCP, UDP and ICMP packet headers • Lesser matching on other packet headers possible • Exception in TCP is the Options field • An IP Filter rule consists of: • Insertion point, Matching IP and Target IP

  19. Iptables - Stateful firewalling • Full state matching (TCP, UDP & ICMP) • Other protocols • Uses a generic connection tracking module • The generic conntrack module is less specific • Custom modules can be written • Certain protocols are more complex • Requires extra modules called "conntrack helpers" • Examples are FTP, IRC (DCC), AH/ESP and ntalk

  20. Iptables - Stateful firewalling (cont.) • Userland states • NEW • All new connections • Includes non-SYN TCP packets • ESTABLISHED • All connections that have seen traffic in both directions • RELATED • All connections/packets related to other connections • Examples: ICMP errors, FTP-Data, DCC • INVALID • Certain invalid packets depending on states • E.g. FIN/ACK when no FIN was sent

  21. Iptables - NAT • NAT - Network Address Translation • The science of switching Source or Destination Addresses • Two types of NAT in Linux 2.4 • Netfilter NAT • Fast NAT • Usage • Makes a LAN look as if it came from a single source (firewall) • Netfilter NAT • DNAT - Destination Network Address Translation • SNAT - Source Network Address Translation • Requires Connection tracking to keep states and expectations

  22. Iptables - basic syntax iptables [command] [options] <matches> <target> • Commands: • append, insert, replace, delete, list, policy, etc. • Options: • verbose, line numbers, exact, etc. • Matches: • dport, dst, sport, src, states, TCP options, owner, etc. • Targets: • ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.

  23. Iptables - matches Protocol -p, --protocol [!] [protocol] • tcp, udp, icmp or all • Numeric value • /etc/protocols Destination IP & Port -d, --destination [!] address[/mask] • Destination address • Resolvable (/etc/resolv.conf) --dport, --destination-port [!] port[:port] • Destination port • Numeric or resolvable (/etc/services) • Port range

  24. Iptables - matches (cont.) Source IP & Port -s, --source [!] address[/mask] • Source address • Resolvable (/etc/resolv.conf) --sport, --source-port [!] port[:port] • Source port • Numeric or resolvable (/etc/services) • Port range

  25. Iptables - matches (cont.) Incoming and Outgoing interface • -i, --in-interface [!] interface • -o, --out-interface [!] interface

  26. Iptables - targets • ACCEPT • Accepts the packet • Ends further processing of the specific chain • Ends processing of all previous chains • Except other main chains and tables • DROP • Drops the packet • No reply • Ends all further processing

  27. Iptables - targets (cont.) • REJECT • Drops packet • Returns a reply • User specified reply • Calculated reply • TCP-RST or ICMP errors • Ends all further processing • RETURN • Returns from a chain to the calling chain

  28. Iptables - a few simple rules
    iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p tcp --dport 80:1024 -j DROP
    iptables -A FORWARD -p tcp --dport 22:113 -j DROP
    iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP
    iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
    iptables -A OUTPUT -p tcp -o lo -j ACCEPT
    iptables -P OUTPUT DROP

  29. Iptables additional syntax • Listing the rules • -L, --list [chain] • -F, --flush [chain] • Flushes (erases) all rules in a chain • Or a table • -N, --new chain • Creates a user-specified chain • There must be no target with that name previously • -X, --delete-chain [chain] • Deletes a user-created chain • No rules may reference the chain • Can delete all user-created chains in a table

  30. Iptables additional syntax • Creating a chain: iptables -t filter -N badtcppackets • Deleting a chain: iptables -t filter -X badtcppackets • Deleting all user-created chains: iptables -t filter -X

  31. Logging • Need to know: • where they are and what they contain • permissions and ownership • how often they are rotated • You need to: • Review logfile contents regularly • Archive important logs

  32. Logging • Pages 541-542 list most of the common logs • These logs are found in the /var/log directory • /var/log/messages • /var/log/boot.log • /var/log/wtmp • /var/log/dmesg

  33. Logging • What to look for in a log? • Unusual activity • Take a look at your logs daily • /var/log/messages • /var/log/secure • /var/log/sshd • Other service related logs like ftpd, etc.

  34. Logging • Some common things: • Sendmail messages • SSH logins/logouts • FTP logins/logouts • Based on what you see regularly, you will know when something is amiss. • Common log-checking utilities are also an excellent way to keep tabs on your logs

  35. Logcheck • Was developed by Psionic (http://www.psionic.com) • Portsentry • Logcheck • Easy configuration • Very customizable • Demo: logcheck

  36. Logwatch • Part of FC3 default install • It is a customizable, pluggable log-monitoring application • It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. • Default setup is to email root daily

  37. Syslog Daemon • syslogd: the system event logger • how syslog works • its configuration file • the software that uses syslog • debugging syslog

  38. What gets logged? • The accounting system • The kernel • Various utilities and applications • many produce data that needs to be logged • most of the data has a limited useful lifetime, and needs to be summarized, compressed, archived and eventually deleted

  39. Logging policies • Log data immediately • Reset log files at periodic intervals • Rotate log files, keeping data for a fixed time • Compress and archive to tape or other permanent media

  40. Logging Options • Depends on: • how much disk space you have • how security-conscious you are • how important the system is • Whatever scheme you select, regular maintenance of log files should be automated using cron

  41. Throwing away log files • not recommended • security problems (accounting data and log files provide important evidence of break-ins) • helpful for alerting you to hardware and software problems • In general, keep one or two months • in the real world, it may take one or two weeks for an SA to realize that the site has been compromised by a hacker, and the logs are then needed for review

  42. Throwing away (cont.) • Most sites store each day’s log info on disk, sometimes in a compressed format • These daily files are kept for a specific period of time and then deleted • One common way to implement this policy is called “rotation”

  43. Rotating log files • Keep backup files that are one day old, two days old, and so on. • logfile, logfile.1, logfile.2, … logfile.7 • Each day rename the files to push older data toward the end of the chain • a script to archive three days’ files
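The daily rotation chain from the slide above, as an added example (not a script from the course): logfile becomes logfile.1, logfile.1 becomes logfile.2, and so on, with the oldest generation discarded and a fresh logfile created with the old file's permissions. The scratch directory and the 0o640 default mode are assumptions of the example.

```python
import os
import stat
import tempfile

def rotate(logfile, keep=7):
    """Push each generation one step down the chain (logfile.6 -> logfile.7,
    ..., logfile -> logfile.1), drop the oldest, and start a fresh logfile
    with the same permissions.  Returns the generation files that now exist."""
    if os.path.exists(logfile):
        mode = stat.S_IMODE(os.stat(logfile).st_mode)
    else:
        mode = 0o640                      # assumed default: not world-readable
    oldest = f"{logfile}.{keep}"
    if os.path.exists(oldest):
        os.remove(oldest)                 # data older than `keep` days is discarded
    for n in range(keep - 1, 0, -1):      # .6 -> .7, .5 -> .6, ..., .1 -> .2
        src = f"{logfile}.{n}"
        if os.path.exists(src):
            os.replace(src, f"{logfile}.{n + 1}")
    if os.path.exists(logfile):
        os.replace(logfile, f"{logfile}.1")
    os.close(os.open(logfile, os.O_CREAT | os.O_WRONLY, mode))
    os.chmod(logfile, mode)               # umask may have masked bits on creation
    # A daemon that keeps the old file open goes on writing to logfile.1 until it
    # reopens; for syslogd that means sending it SIGHUP after the rotation.
    return [p for p in (f"{logfile}.{n}" for n in range(1, keep + 1)) if os.path.exists(p)]

def simulate(days=5, keep=3):
    """Write one line per day into a scratch logfile and rotate each night;
    return {basename: contents} so the chain can be inspected."""
    log = os.path.join(tempfile.mkdtemp(), "logfile")
    for day in range(1, days + 1):
        with open(log, "a") as fh:
            fh.write(f"day {day}\n")
        rotate(log, keep)
    names = [log] + [f"{log}.{n}" for n in range(1, keep + 2)]
    return {os.path.basename(p): open(p).read() for p in names if os.path.exists(p)}
```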

  44. Archiving log files • Some sites must archive all accounting data and log files as a matter of policy, to provide data for a potential audit • Log files should first be rotated on disk, then written to tape or other permanent media • see chap 11, Backups

  45. Finding log files • Normally in /var/log but to locate log files you can read the system startup scripts : /etc/rc* or /etc/init.d/* • Some programs handle logging via syslog • check /etc/syslog.conf to find out where this data goes • Again, normally to /var/log

  46. Finding log files • Different operating systems put log files in different places: • /var/log/* • /var/cron/log • /usr/adm • /var/adm … • On Linux, almost all the log files are in the /var/log directory.

  47. What is syslog • A comprehensive logging system, used to manage information generated by the kernel and system utilities. • Allow messages to be sorted by their sources and importance, and routed to a variety of destinations: • log files, users’ terminals, or even other machines.

  48. Syslog: three parts • Syslogd and /etc/syslog.conf • the daemon that does the actual logging • its configuration file • openlog, syslog, closelog • library routines that programs use to send data to syslogd • logger • user-level command for submitting log entries

  49. syslog-aware programs • Programs that use the syslog library routines write log entries to a special file, /dev/log (kernel messages arrive via /dev/klog) • syslogd reads these entries, consults /etc/syslog.conf, and dispatches each one to its destinations: • Log files • Users’ terminals • Other machines

  50. Configuring syslogd • The configuration file /etc/syslog.conf controls syslogd’s behavior. • It is a text file with a simple format; blank lines and lines beginning with ‘#’ are ignored. • Selector <TAB> action • e.g. mail.info /var/log/maillog
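An added worked example of the selector/action format on this slide (not code from the course): a small parser for syslog.conf selectors and a router that reports which actions a message of a given facility and level reaches. It handles "*", "none", "=level" and comma/semicolon lists but not the "warn", "error" or "panic" aliases; the configuration text is constructed.

```python
# Syslog priorities in ascending severity; a selector's level means
# "this level and anything more severe".
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def parse_conf(text):
    """Return [(selector, action)] from syslog.conf text.  The slide's format is
    selector<TAB>action; classic syslogd insists on the tab, this accepts any whitespace."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules

def selector_matches(selector, facility, level):
    """Evaluate 'fac1,fac2.level;fac3.none;...' for one message.  Later parts
    override earlier ones for the facilities they name, which is how
    '*.info;mail.none' means 'everything at info or above, except mail'."""
    matched = False
    for part in selector.split(";"):
        facs, _, lvl = part.rpartition(".")
        names = facs.split(",")
        if facility not in names and "*" not in names:
            continue
        if lvl == "none":
            matched = False
        elif lvl == "*":
            matched = True
        elif lvl.startswith("="):                 # exactly this level (sysklogd extension)
            matched = level == lvl[1:]
        else:
            matched = LEVELS.index(level) >= LEVELS.index(lvl)
    return matched

def route(rules, facility, level):
    """Actions (files, @host forwarding, user names, '*' for everyone) that get the message."""
    return [action for sel, action in rules if selector_matches(sel, facility, level)]

# Constructed sample config in the slide's format (a leading '-' on a file name
# tells syslogd it need not sync the file after every write).
SYSLOG_CONF = """\
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            -/var/log/maillog
kern.crit                         @loghost
*.emerg                           *
"""
RULES = parse_conf(SYSLOG_CONF)
```

Routing a few test messages through a proposed configuration this way shows whether an authentication failure or a kernel error would actually land in the file you plan to watch, before the change goes live.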
