what people can see: securing linux
Big Picture • How to rob a bank
A bit of History • 1954 & 1960 Bell System Tech Journals, trunk routing and frequencies • Pranks Wozniak called Pope • 2600 Hz Tone Captain Crunch whistle • Phone Phreaking • Steve Wozniak’s blue box tone generator • 1990 Phone system became digital • War dialing early form of scanning • Wargames 1983
Socket Programming • USPS Addressing • 1520 Orchard Road Apt 2A • IP Addressing • 192.168.10.50:5900 (address:port) • Service / Application listens on open port • Instant messaging, VOIP in games, telnet, FTP, HTTP • Protocols – languages
overview • Network topologies • eggshell architectures • where to get information • news groups and mailing lists • mapping a network • ping sweeps and traceroutes • mapping a host • port scans and OS fingerprinting • network scanners • everything in a single powerful package • social engineering • exploiting human nature
where to get information • news groups and mailing lists • forums • WHOIS database • www.arin.org • DNS
news groups / mailing lists / forums • these are valuable resources • system administrator • newbie • BUT people get over excited and reveal too much information (gear head syndrome) • golden rule - remain faceless and traceless • security through obscurity • post only using generic terms
news groups / forums • they are a source of information • personal information • name, address, title, phone, e-mail • system configuration • network architecture • real host names and IP addresses • hardware: brand names and model numbers • archives • this information never goes away!!! • http://www.archive.org
news groups / mailing lists • countermeasures: • use generic titles, not real names • use switchboard numbers, not personal numbers • separate e-mail address • work-related communication (generic title) • webadmin@cs.lewisu.edu • personal communication • smithpaul@cs.lewisu.edu • limit any public description of network • fictitious IP addresses & fictitious host names
WHOIS database • www.arin.org • whenever a domain name is registered • information must be submitted with registration • this information is publicly available • whois utility • may require installation • linux example: • whois lewisu.edu • whois ibm.com
WHOIS database • countermeasures: • use generic titles, not real names • use switchboard numbers, not personal numbers • separate e-mail address • work-related communication (generic title) • techdirector@cs.lewisu.edu • personal communication • smithpaul@cs.lewisu.edu • obviously you MUST give valid information • the goal is NOT to give away valuable information unnecessarily
DNS issues • zone files have numerous options which provide information • HINFO system info: CPU and OS • TXT additional text • RP responsible person information • zone transfers • mandatory from primary server to secondary server
DNS Basics • the Domain Name System performs name-to-IP (and IP-to-name) resolution on the internet • started in 1983 with RFC 882 and has grown into one of the largest and most powerful parts of the net • beyond name translation, a number of protocols and applications use DNS for their main activity • SMTP, for mapping e-mail addresses to their mail servers • SPF records, telephone numbers & addresses, certificates and other info stored in DNS zone records
BIND • Berkeley Internet Name Domain Server • BIND is open-source software that implements the DNS protocols for the Internet.
DNS issues • dig DNS lookup utility (domain information groper) is a flexible tool for interrogating DNS name servers. • linux example: • dig -t hinfo hostname • dig -t txt hostname
DNS issues • reverse lookups (IP address --> host name) often provide too much free information • 129.42.58.216 --> www.ibm.com • www is a standard prefix for a web server • linux example: • dig www.lewisu.edu • dig -x 204.248.57.178
DNS issues • every version of bind (4, 8, and 9) has its flaws! • 9 was a total rewrite and still had issues • the following command • host -c chaos -t txt version.bind <server> • will usually tell you the specific version • linux example: • dig -c chaos -t txt version.bind
DNS issues • countermeasures: faceless & traceless • edit /etc/named.conf (and the zone files it loads) • delete HINFO records • delete TXT records • RP records should contain a generic title • eliminate zone transfers except from primary to secondary server: • allow-transfer { 233.45.164.27; }; • otherwise • allow-transfer { none; }; • disable the version.bind response • version "not available";
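As an added example (not code from the lecture), a small Python audit that applies the countermeasures above to a constructed zone file and two constructed named.conf fragments: it lists the HINFO, TXT and RP records to remove or genericise and checks whether allow-transfer and version are set. The hostnames, addresses and record contents are invented; 233.45.164.27 stands in for the secondary server as on the slide.

```python
import re

# Constructed sample zone file (not from the lecture); it holds the three record
# types the countermeasures slide says to delete or make generic.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
@    IN SOA   ns1.example.edu. hostmaster.example.edu. ( 2024010101 3600 900 604800 86400 )
@    IN NS    ns1.example.edu.
@    IN TXT   "Dell PowerEdge in room 212, ask Paul at x4321"
@    IN RP    smithpaul.example.edu. .
www  IN A     192.0.2.10
www  IN HINFO "Intel Xeon" "Linux 2.4"
"""

# Constructed named.conf fragments: open transfers with no version hiding, then the
# hardened form from the slide (233.45.164.27 standing in for the secondary server).
WEAK_CONF = 'options {\n  directory "/var/named";\n  allow-transfer { any; };\n};\n'
HARDENED_CONF = ('options {\n  directory "/var/named";\n'
                 '  allow-transfer { 233.45.164.27; };\n'
                 '  version "not available";\n};\n')

LEAKY_TYPES = {"HINFO": "CPU and OS", "TXT": "free text", "RP": "responsible person"}
# owner, optional TTL, optional class, type, rdata
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$")

def audit_zone(zone_text):
    """Return (owner, type, reason) for every record the slide says to remove."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop zone-file comments
        if not line or line.startswith("$"):      # blank line or $ORIGIN/$TTL directive
            continue
        m = RECORD_RE.match(line)
        if m and m.group(2) in LEAKY_TYPES:
            findings.append((m.group(1), m.group(2), LEAKY_TYPES[m.group(2)]))
    return findings

def audit_named_conf(conf_text):
    """Return a list of problems with the zone-transfer and version settings."""
    problems = []
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", conf_text)
    if m is None:
        problems.append("allow-transfer not set: transfers are not explicitly restricted")
    elif "any" in m.group(1):
        problems.append("allow-transfer { any; }: anyone can pull the whole zone")
    if not re.search(r'version\s+"[^"]*"\s*;', conf_text):
        problems.append("no version statement: version.bind reveals the BIND version")
    return problems
```

Running audit_zone(SAMPLE_ZONE) reports the TXT, RP and HINFO records; audit_named_conf flags two problems for WEAK_CONF and none for HARDENED_CONF.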
protocols and services • network layer • IP: internet protocol • transport layer • ICMP: internet control message protocol • UDP: user datagram protocol • TCP: transmission control protocol • services
IP: internet protocol • foundational layer for higher level protocols • packet header contains • source IP address • destination IP address
ICMP: internet control message protocol • purpose of ICMP is to provide feedback about IP performance • packet header contains • source IP address, destination IP address • packet type, checksum, data • most well-known packet types • 7 echo request • 0 echo reply • 3 destination unreachable • 30 traceroute
UDP: user datagram protocol • purpose of UDP is minimal transport service with no guarantee of delivery • connection-less • packet header contains • source IP address, destination IP address • source port number, destination port number • length, checksum, data • faster communication • but packet loss possible
TCP: transmission control protocol • purpose of TCP is a transport service with guarantee of delivery • connection-oriented • packet header contains • source IP address, destination IP address • source port number, destination port number • sequence #, control bits, checksum, data • slower communication • but no packet loss
TCP: transmission control protocol • control bits include: • SYN, ACK, RST, FIN, ... • building a connection: • source sends SYN • destination sends SYN/ACK • source sends ACK • terminating a connection: • source sends FIN/ACK • destination sends ACK • destination sends FIN/ACK • source sends ACK
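An added Python model of the two flag sequences above (not code from the lecture): each endpoint follows a small state table, so the SYN / SYN-ACK / ACK set-up and the FIN-ACK / ACK / FIN-ACK / ACK tear-down fall out of the transitions rather than being listed by hand. The state names are the standard TCP ones; the extra case of a SYN arriving at a port with no listener, answered with RST, is an assumption beyond the slide.

```python
# Constructed model (not from the lecture) of the slide's connection set-up and
# tear-down, driven by a state table instead of a hard-coded list of segments.
# (current state, flags received) -> (next state, flags to send back or None)
TRANSITIONS = {
    ("LISTEN", "SYN"): ("SYN_RCVD", "SYN/ACK"),         # destination answers a SYN
    ("SYN_SENT", "SYN/ACK"): ("ESTABLISHED", "ACK"),    # source completes the handshake
    ("SYN_RCVD", "ACK"): ("ESTABLISHED", None),
    ("ESTABLISHED", "FIN/ACK"): ("CLOSE_WAIT", "ACK"),  # peer's FIN arrives: ack it
    ("FIN_WAIT_1", "ACK"): ("FIN_WAIT_2", None),        # our FIN was acknowledged
    ("FIN_WAIT_2", "FIN/ACK"): ("TIME_WAIT", "ACK"),    # peer's FIN arrives: ack it
    ("LAST_ACK", "ACK"): ("CLOSED", None),
    # assumption beyond the slide: a SYN to a port with no listener is refused with RST
    ("CLOSED", "SYN"): ("CLOSED", "RST/ACK"),
    ("SYN_SENT", "RST/ACK"): ("CLOSED", None),
}

class Endpoint:
    def __init__(self, name, state="CLOSED"):
        self.name, self.state = name, state
    def receive(self, flags):
        # apply the table entry for the incoming flags; return the reply flags, if any
        if (self.state, flags) not in TRANSITIONS:
            return None                      # unexpected segment: ignored in this model
        self.state, reply = TRANSITIONS[(self.state, flags)]
        return reply

def send(trace, src, dst, flags):
    """Deliver one segment, then whatever replies it provokes, recording each."""
    trace.append((src.name, dst.name, flags))
    reply = dst.receive(flags)
    if reply is not None:
        send(trace, dst, src, reply)

def open_connection(client, server):
    trace = []
    client.state = "SYN_SENT"
    send(trace, client, server, "SYN")       # trace should read SYN, SYN/ACK, ACK
    return trace

def app_close(ep):
    """The application closes: active close from ESTABLISHED, passive from CLOSE_WAIT."""
    ep.state = {"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}[ep.state]
    return "FIN/ACK"

def close_connection(initiator, peer):
    """Trace should read FIN/ACK, ACK, FIN/ACK, ACK as on the slide."""
    trace = []
    send(trace, initiator, peer, app_close(initiator))  # first half-close and its ACK
    send(trace, peer, initiator, app_close(peer))        # peer's FIN/ACK and final ACK
    return trace
```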
services • port numbers fall into three categories: • 0 through 1023 well-known • 1024 through 49151 registered • 49152 through 65535 dynamic / private • www.iana.org has responsibility for assigning well-known port numbers • well-known port numbers can only be used by root
services • linux example: • less /etc/services
mapping a network • ping sweeps: cracker sees what is out there • traceroutes: cracker learns how to get there • countermeasures
ping sweeps • types of ping sweeps • icmp ping traditional echo request • echo port ping request to port 7 (echo) • fast ping icmp ping to multiple hosts • network sweep
ping sweeps • countermeasures: • edit iptables and firewalls • no incoming / outgoing ICMP requests • limit ICMP requests to internal network only • drop ICMP at firewall • be sure echo port and chargen port are disabled • edit /etc/inetd.conf or /etc/xinetd.conf • consider disabling inetd or xinetd completely!
fundamental network tools • netcat / nc • swiss army knife of network communication • invaluable to both • the system administrator • the cracker • nmap • basic tool for • ping sweeps • port scans
ntop • ntop is a network traffic probe that shows network usage • similar to the UNIX top command • ntop is a daemon that monitors the network • ntop has a web interface
traceroutes • once potential targets have been identified via ping sweeps, the cracker can augment information about the hosts using traceroute • often provides information regarding • location • ISP names and locations often visible • hardware • descriptive names for routers, switches, and hosts
traceroutes • flavors • UNIX traceroute • command • traceroute <target> • sequence of UDP packets having increasing TTLs • Matt's traceroute • command • mtr <target> • sequence of ICMP packets having increasing TTLs
traceroutes • countermeasures: • edit iptables and firewalls • drop ICMP request packets • drop UDP packets in traceroute range • 33,435 through 33,524 • do NOT use descriptive names for components within the network • function / role • vendor
mapping a host • port scans • cracker sees what ports are open • OS fingerprinting • cracker determines underlying software • countermeasures
port scans • what ports are open on the target host? • what daemon is listening on each open port? • what software? what version?
port scans • tools • netcat • UDP scans • TCP scans • nmap • UDP scans • TCP scans • TCP stealth scans • strobe
port scans • countermeasures: • klaxon • incorporated into /etc/inetd.conf or /etc/xinetd.conf • to listen on unused ports • scanlogd • monitors ports for sudden increase in activity • portsentry • monitors up to 64 ports • able to take action against an intruder! • tcp wrappers and/or iptables • psad • analysis of firewall logs
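As an added example of the log-analysis countermeasure (scanlogd / psad style, but not code from those tools or the lecture), a Python detector run over constructed iptables LOG lines: it flags any source that touches at least min_ports distinct destination ports inside a window of a few seconds. The addresses, the log line layout and the thresholds are constructed assumptions; real tools use their own thresholds.

```python
import re
from collections import defaultdict, deque

# Constructed iptables LOG lines (not from the lecture): 198.51.100.7 probes six ports
# in three seconds, 203.0.113.5 makes a single ssh connection.
SAMPLE_LOG = """\
Jan  5 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=21 SYN
Jan  5 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=22 SYN
Jan  5 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=22 SYN
Jan  5 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=23 SYN
Jan  5 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=25 SYN
Jan  5 10:01:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41004 DPT=80 SYN
Jan  5 10:01:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41005 DPT=111 SYN
"""

# syslog timestamp, then the SRC= and DPT= fields of the kernel LOG message
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) .* SRC=(\S+) .* DPT=(\d+)")

def parse(line):
    """Return (seconds since midnight, source address, destination port) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, dpt = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, int(dpt)

def detect_scans(log_text, min_ports=5, window=3):
    """Map each source that touched >= min_ports distinct destination ports within
    any span of `window` seconds to the sorted list of ports seen in that span."""
    recent = defaultdict(deque)   # src -> (time, port) events inside the window, oldest first
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue              # not a LOG line (other syslog traffic)
        t, src, port = rec
        q = recent[src]
        q.append((t, port))
        while q and t - q[0][0] > window:   # expire events older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            alerts[src] = sorted(ports)     # report the ports in the current window
    return alerts
```

With the defaults, detect_scans(SAMPLE_LOG) reports only 198.51.100.7 and the six ports it probed; the single ssh connection from 203.0.113.5 is left alone.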
port scans • identifying software listening on a given port is usually as simple as • telnet <target> <port> • software typically displays a banner announcing itself and its version number! • countermeasures: • remove / modify banner display • example: • in /etc/sendmail.cf • OsmtpGreetingMessage=$jUPS 2005;$b
OS fingerprinting • OS fingerprinting • telnet is notorious for identifying • the operating system, the distribution, even the kernel • open ports often provide clues • smtp, ssh, and portmap => UNIX • netbios => Windows • /etc/issue, /etc/issue.net, and /etc/motd • often convey too much information
OS fingerprinting • active OS fingerprinting • send sequence of special IP packets to target • catalog responses • compare with database of responses from various operating systems • software • queso • nmap • xprobe
OS fingerprinting • countermeasures: • utilize a firewall in front of servers • operating system detected is that of firewall and not that of the server • disable ICMP packets at the firewall • negates xprobe • install IP Personality • only for Linux 2.4 kernels? • using iptables, can impersonate ANY operating system
OS fingerprinting • passive OS fingerprinting • does not initiate any additional IP traffic • uses packet sniffing to gather information • software • siphon • p0f
OS fingerprinting • countermeasures • can change some parameters of the operating system • cat /proc/sys/net/ipv4/ip_default_ttl • default value is 64 • echo 35 > /proc/sys/net/ipv4/ip_default_ttl • changes it to 35 • edit error messages to masquerade as something else • e.g. apache httpd.conf
network scanners • combine ping sweeps, traceroutes, port scans, and OS fingerprinting together and you have a • network scanner • ISS: Internet Security Scanner • first publicly available • NESSUS • the Cadillac of network scanners!
network scanners • other network scanners • Nmap • SATAN: Security Administrator's Tool for Analyzing Networks • SANTA! • SAINT: Security Administrator's Integrated Network Tool • SARA: Security Auditor's Research Assistant • NSAT: Network Security Analysts Tool • text based! • raccess: Remote Access System • doesn't just check host; it exploits if possible!
social engineering • ten common techniques of social engineering • impersonation • pretend to be someone from inside the company to obtain passwords • usually coupled with research regarding IT personnel • sympathy • usually request access to hardware: server room or PC • usually coupled with dire consequences if unable to complete the task