CIT 500: IT Fundamentals Security and System Administration
Topics
• Security Fundamentals
• Threats
• Firewalls
• Port scanning
• Apache Administration

What is Security?
Security is the prevention of certain types of intentional actions from occurring in a system.
• These potential actions are threats.
• Threats that are carried out are attacks.
• Intentional attacks are carried out by an attacker.
• Objects of attacks are assets.

Goals of Security
Prevention
• Prevent attackers from violating security policy
Detection
• Detect attackers' violation of security policy
Recovery
• Stop attack, assess and repair damage
Survivability
• Continue to function correctly even if attack succeeds

Components of Security
Confidentiality
• Keeping data and resources hidden. Privacy.
Integrity
• Preventing unauthorized changes to data or resources.
Availability
• Enabling access to data and resources
Confidentiality
• Authentication: Passwords, mother's maiden name
• Corporations: Trade secrets, e.g., the formula for Coca Cola.
• Databases: SSN, Driver's license
• Governments: National security
• Embarrassing information: www.thememoryhole.org

Integrity
Data Integrity
• content of the information.
• ex: 2005 Walmart $1.5 million bar code scam.
Origin Integrity (authentication)
• source of the information.
• ex: 1997 Kurt Vonnegut MIT commencement address email. Vonnegut was not the 1997 speaker and the content wasn't his.
Prevention vs Detection

Availability
Prevent loss of system access. Denial of service attacks common.
• Easy to launch, difficult to track down.
• In 2000, a 15-year old (mafiaboy) took down Amazon, CNN, Dell, eBay, and Yahoo.
• Can be just part of another attack.
States of Information
• Storage: Information not currently being accessed.
• Processing: Information currently being used by processor.
• Transmission: Information in transit between one node and another.

Security Measures
Technology.
• Hardware/software used to ensure confidentiality, integrity, or availability.
Policy and practice.
• Security requirements and activities.
Education, training, and awareness.
• Understanding of threats and vulnerabilities and how to protect against them.

How to evaluate security solutions?
• What assets are you trying to protect?
• What are the risks to those assets?
• How well does the security solution mitigate those risks?
• What other risks does the security solution cause?
• What costs and trade-offs does the security solution impose?

Aspects of Risks
To evaluate a risk, we need to evaluate both:
• Probability of risk occurring.
• Cost incurred by risk if it occurs.
Minimize product of probability and cost.
Risks are impacted by environment.
• Building a house in a flood plain incurs additional risks beyond that of house itself.
• Similarly, installation and configuration options impact risk of software systems.
Digital Threats
• Theft
• Vandalism
• Extortion
• Con Games
• Fraud
• Stalking
• Voyeurism

Digital Threats: What's Different
Automation
• Salami Attack from Office Space.
Action at a Distance
• Volodya Levin, from St. Petersburg, Russia, stole over $10 million from US Citibank. Arrested in London.
• Operators of CA BBS tried and convicted in TN court because TN had downloaded pornography from CA.
Technique Propagation
• Criminals share techniques rapidly and globally.

Current Threat Information
• SANS Internet Storm Center
• Bugtraq
• CERT
• Packet Storm
• Risks Digest

What Are Our Defences?
(each defence classified as Prevent / Detect / Recover / Respond)
• Firewalls
• Virus Scanners
• Spyware Scanners
• Patches
• Backups
What is a Firewall? A software or hardware component that restricts network communication between two computers or networks. In buildings, a firewall is a fireproof wall that restricts the spread of a fire. Network firewall prevents threats from spreading from one network to another.
Internet Firewalls Many organizations/individuals deploy a firewall to restrict access to their network from Internet.
Packet Filtering
Forward or drop packets based on TCP/IP header information, most often:
• IP source and destination addresses
• Protocol (ICMP, TCP, or UDP)
• TCP/UDP source and destination ports
• TCP Flags, especially SYN and ACK
• ICMP message type
Routers can also make decisions based on:
• Network interface the packet arrived on.
• Network interface the packet will depart on.

Filter Actions
Pass
• Forward acceptable packet on to destination.
Drop
• Drop unacceptable packets.
Log
• Record action taken on packet.
• Use syslog to log to internal loghost.

Linux Firewall: iptables
iptables is a firewall built into the kernel
• Use iptables command to configure.
• Configuration will be reset on reboot.
• Use iptables -L to list configuration.
Red Hat Linux keeps permanent configuration
• /etc/sysconfig/iptables
• RH-Firewall-1-INPUT chain contains rules
• To change: service iptables restart

iptables
iptables [-t table] cmd [matches] [target]
Commands:
-A chain rule-spec: Append rule to chain.
-D chain rule-spec: Delete a rule from chain.
-L chain: List all rules in chain.
-F chain: Flush all rules from chain.
-P chain target: Set default policy for chain.
-N chain: Create a new chain.
-X chain: Remove a user-defined chain.

iptables Matches
-p protocol: Specify protocol to match. tcp, udp, icmp, etc.
-s address/mask: Source IP address to match.
-d address/mask: Dest IP address to match.
--sport: Source port (TCP/UDP) to match.
--dport: Dest port (TCP/UDP) to match.

iptables Extended Matches
-m match: Specify match module to use.
Example: limit. Only accept 3 ICMP packets per hour.
-m limit --limit 3/hour -p icmp -j REJECT
Example: state. Useful for stateful packet filtering.
-m state --state NEW: match only new connections
-m state --state ESTABLISHED: match only established connections.

iptables Targets
-j ACCEPT: Accept packet.
-j DROP: Drop packet w/o reply.
-j REJECT: Drop packet with reply.
-j RETURN: Return from this chain to calling chain.
-j LOG: Log packet; chain processing continues.
Chain Targets
INPUT chain:
-p ICMP -j DROP
-s 192.168.1.1 -p TCP -j test
test chain:
-d 192.168.1.1 -p UDP -j DROP
Rules are followed in order from top until one matches. If a rule matches, the action specified after -j is performed:
-j test: Process packet with rules of the test chain.
-j LOG: Log the packet.
All other actions stop rule processing and specify the final packet destination.

Creating a Packet Filter
• Create a security policy for a service. ex: allow only outgoing telnet service
• Specify security policy in terms of which types of packets are allowed/forbidden
• Write packet filter in terms of vendor's filtering language

Example: outgoing telnet
• TCP-based service
• Outbound packets
  • Destination port is 23
  • Source port is random port >1023
  • iptables will flag as NEW connection packet and store details of connection internally for
• Incoming packets
  • Source port is 23, as server runs on port 23
  • Destination port is high port used for outbound packets
  • iptables will flag as ESTABLISHED,RELATED packet

Implementing the Filter with iptables
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --sport 23 -j ACCEPT
iptables -A INPUT -j REJECT
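The chain-traversal rules above (top-down matching, -j jumps into a user chain, RETURN, LOG continuing) and the NEW/ESTABLISHED telnet rules can be worked through in a small model. This is an added example written for these notes, not kernel or course code; the rule set and packets are constructed, and the LOG/RETURN rules were added to show those targets.

```python
"""Model of iptables chain traversal in the slides' rule syntax: top-down
matching, -j chain jumps that fall through, RETURN, LOG continuing, and the
NEW/ESTABLISHED states of the telnet example. Added example, not kernel code."""
FLAGS = {"-p": "proto", "-s": "src", "-d": "dst", "--sport": "sport",
         "--dport": "dport", "--state": "state"}

def parse_rule(spec):
    # '-s 192.168.1.1 -p tcp -j test' -> ({'src': '192.168.1.1', 'proto': 'tcp'}, 'test')
    toks, match, target = spec.split(), {}, None
    for flag, value in zip(toks[::2], toks[1::2]):
        if flag == "-j":
            target = value
        elif flag in FLAGS:                  # "-m tcp"/"-m state" only name modules
            match[FLAGS[flag]] = value.lower()
    return match, target

def matches(match, pkt):
    """Every match key must agree with the packet; --state takes a list."""
    for key, want in match.items():
        have = str(pkt.get(key, "")).lower()
        if have not in (want.split(",") if key == "state" else [want]):
            return False
    return True

def filter_packet(chains, pkt, chain="INPUT", policy="ACCEPT"):
    """Return (verdict, log lines); the chain policy applies if no rule decides."""
    log = []
    def walk(name):
        for match, target in chains[name]:
            if not matches(match, pkt):
                continue
            if target == "LOG":
                log.append(f"{name}: {pkt}")  # logging never ends traversal
            elif target == "RETURN":
                return None                   # back to the calling chain
            elif target in chains:            # jump to a user-defined chain;
                verdict = walk(target)        # fall through if it returns
                if verdict is not None:
                    return verdict
            else:
                return target                 # ACCEPT / DROP / REJECT end it
        return None
    verdict = walk(chain)
    return (verdict if verdict is not None else policy), log

# Constructed rule set in the slides' notation (the LOG rules are added here).
CHAINS = {"INPUT": [parse_rule(r) for r in [
    "-p icmp -j DROP", "-s 192.168.1.1 -j test",
    "-m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT",
    "-m state --state ESTABLISHED,RELATED -m tcp -p tcp --sport 23 -j ACCEPT",
    "-j LOG", "-j REJECT"]],
    "test": [parse_rule(r) for r in ["-d 192.168.1.1 -p udp -j DROP", "-j RETURN"]]}
```

A TCP packet from 192.168.1.1 enters the test chain, finds no UDP rule that fits, RETURNs, and is then judged by the remaining INPUT rules, which is exactly the fall-through behaviour the slide describes.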
Example RH Firewall Configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Do firewall processing using the RH-Firewall-1-INPUT chain
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# Don't bother firewalling the loopback (lo) interface
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Accept ICMP packets, including ping
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Multicast DNS is a UDP protocol on port 5353 using multicast address 224.0.0.251
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
# Accept new incoming SSH connections
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Accept packets continuing TCP connections first accepted with NEW above
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject anything that is not accepted above
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Ping Scanning
• Method of identifying which machines are on network by sending a packet to each IP address in a network and checking for responses.
• Scan types
  • ICMP echo (the standard meaning of ping)
  • TCP port 80
  • TCP/UDP specific port
  • Fragmented packets

Ping Scanning
> nmap -sP 10.17.0.0/24
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-05 13:57 EDT
Host pc_elan.lc3net (10.17.0.1) appears to be up.
Host 10.17.0.31 appears to be up.
Host 10.17.0.35 appears to be up.
Host sun02 (10.17.0.55) appears to be up.
Host sun09 (10.17.0.64) appears to be up.
Host pc208p01 (10.17.0.66) appears to be up.
Host sun14 (10.17.0.80) appears to be up.
Host 10.17.0.241 appears to be up.
Host 10.17.0.247 appears to be up.
Nmap run completed -- 256 IP addresses (54 hosts up) scanned in 4.510 seconds

Port Scanning
Method of discovering exploitable communication channels by probing a machine on network to find which TCP and UDP ports it is listening on.
• Use to verify functionality of firewall.
• Use to detect unauthorized servers.
• Bad guys use to find holes in defenses.

nmap TCP connect() scan
> nmap -sT at204m02
(1645 ports scanned but not shown are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
443/tcp   open  https
515/tcp   open  printer
2049/tcp  open  nfs
4045/tcp  open  lockd
5432/tcp  open  postgres
5901/tcp  open  vnc-1
6000/tcp  open  X11
32775/tcp open  sometimes-rpc13
Nmap run completed -- 1 IP address (1 host up) scanned in 43.846 seconds
Version Scanning
• Port scanning reveals which ports are open
• Guess services on well-known ports.
• How can we do better?
• Find what server: vendor and version
  • telnet/netcat to port and check for banner
  • Version scanning

Banner Checking
> nc www.nku.edu 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sun, 07 Oct 2007 19:27:08 GMT
Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

127
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /<P>
</BODY></HTML>

Version Scanning
• If port is TCP, open connection.
• Wait for service to identify self with banner.
• If no identification or port is UDP,
  • Send probe string based on well-known service.
  • Check response against db of known results.
  • If no match, test all probe strings in list.
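The probing order above, worked through against stand-in listeners. This is an added example for these notes, not nmap's code: talk() replaces a socket, the signature database is a tiny constructed one, and the replies are modelled on the banners shown on the slides.

```python
"""The version-scan steps from the slide, run against stand-in listeners (added
example, not nmap's code): take a banner if the service speaks first, probe by
well-known port, then try every probe, matching a tiny constructed signature DB."""
import re

PROBES = {"NULL": b"", "GetRequest": b"GET / HTTP/1.0\r\n\r\n", "Help": b"HELP\r\n"}
WELL_KNOWN = {22: ["NULL"], 80: ["GetRequest"], 443: ["GetRequest"]}
SIGNATURES = [  # (probe that elicits it, regex over the reply, label template)
    ("NULL", re.compile(r"^SSH-(?P<p>[\d.]+)-OpenSSH_(?P<v>\S+)"),
     "ssh OpenSSH {v} (protocol {p})"),
    ("GetRequest", re.compile(r"^Server: Apache/(?P<v>\S+)", re.M),
     "http Apache httpd {v}"),
    ("GetRequest", re.compile(r"^Server: nginx/(?P<v>\S+)", re.M), "http nginx {v}"),
]

def identify(port, talk, proto="tcp"):
    """talk(probe_bytes) -> reply bytes (a socket in practice). Returns a
    'service version' label, or None when nothing in the DB matches."""
    order = ["NULL"] if proto == "tcp" else []          # UDP: no banner wait
    order += WELL_KNOWN.get(port, []) + [p for p in PROBES if p != "NULL"]
    tried = []
    for name in order:
        if name in tried:
            continue
        tried.append(name)
        reply = talk(PROBES[name]).decode("latin-1")
        if not reply:                                   # silent: next probe
            continue
        for probe, rx, label in SIGNATURES:
            m = rx.search(reply) if probe == name else None
            if m:
                return label.format(**m.groupdict())
    return None                                         # nmap prints "service?"

# Constructed stand-ins for real listeners (replies modelled on the slides).
def ssh_stub(probe):
    return b"SSH-1.99-OpenSSH_3.7.1p2\r\n"              # speaks first

def apache_stub(probe):
    if probe.startswith(b"GET"):                        # answers only a request
        return (b"HTTP/1.1 400 Bad Request\r\n"
                b"Server: Apache/1.3.34 (Unix) mod_perl/1.29\r\n\r\n")
    return b""

def silent_stub(probe):
    return b""                                          # like "515/tcp printer?"
```

Running identify(8080, apache_stub) shows the last step: no well-known probe exists for that port, so the full probe list is tried and the HTTP signature still matches.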
nmap version scan
> nmap -sV at204m02
(The 1645 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 3.7.1p2 (protocol 1.99)
80/tcp    open  http     Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
111/tcp   open  rpcbind  2-4 (rpc #100000)
443/tcp   open  ssl/http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
515/tcp   open  printer?
2049/tcp  open  nfs      2-3 (rpc #100003)
4045/tcp  open  nlockmgr 1-4 (rpc #100021)
5432/tcp  open  postgres?
5901/tcp  open  vnc      VNC (protocol 3.3)
6000/tcp  open  X11?
32775/tcp open  status   1 (rpc #100024)

OS Fingerprinting
Identify OS by specific features of its TCP/IP network stack implementation.
• Explore TCP/IP differences between OSes.
• Build database of OS TCP/IP fingerprints.
• Send set of specially tailored packets to host.
• Match results to identical fingerprint in db to identify operating system type and version.

nmap OS fingerprint examples
> nmap -O at204m02
...
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8
Uptime 10.035 days (since Sat Mar 27 08:59:38 2004)

> nmap -O 10.17.0.1
…
Device type: router
Running: Bay Networks embedded
OS details: Bay Networks BLN-2 Network Router or ASN Processor revision 9
Apache Web Server
Open source web server for any platform
• Majority of Internet web sites run Apache.
• Over 100,000,000 web sites in total.
• Default server for Linux, MacOS.
• Used in IBM WebSphere and other systems.
History
• Started as set of patches for NCSA server in 1994.
• Version 2 in 2002 was a complete re-write.

Web Servers
Provide access to static documents
• Usually specified as files on filesystem.
• Can apply ACLs to limit who can access.
Provide access to dynamic content
• Server runs external program to access OR
• Interpreter integrated into server runs code OR
• Other program integrated into web server.

Apache Configuration
RHEL 5 uses a single configuration file: /etc/httpd/conf/httpd.conf
File format
• # at start of line indicates a comment
• Variable Value sets Variable to the specified value
• <Directive> (a name in angle brackets) is followed by text that applies only to that directive
• </Directive> ends the directive

Apache Configuration Examples
ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule include_module modules/mod_include.so
Include conf.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
UseCanonicalName Off
DocumentRoot "/var/www/html"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
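A parser for the file format described above (comments, "Variable Value" lines, <Section> ... </Section> containers), useful for checking what a given httpd.conf actually sets for a directory such as <Directory />. This is an added example for these notes, not Apache's own configuration code; it does not handle Include or line continuations, and the sample input is constructed from the example slide.

```python
"""httpd.conf parser for the format on the slide: comments, 'Variable Value'
lines and <Section arg> ... </Section> containers. Added example, not Apache code."""
import re
import shlex
SECTION_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")

def parse_httpd_conf(text):
    """Tree of (name, args, children); children is None for a plain directive."""
    root = []
    stack = [("", root)]  # (open section name, list to append into)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        m = SECTION_CLOSE.match(line)
        if m:  # closing tag must match the innermost open section
            if len(stack) == 1 or stack[-1][0].lower() != m.group(1).lower():
                raise ValueError(f"line {lineno}: unexpected </{m.group(1)}>")
            stack.pop()
            continue
        m = SECTION_OPEN.match(line)
        if m:
            node = (m.group(1), shlex.split(m.group(2)), [])
            stack[-1][1].append(node)
            stack.append((m.group(1), node[2]))
            continue
        name, *args = shlex.split(line)  # shlex strips quotes: ServerRoot "/etc/httpd"
        stack[-1][1].append((name, args, None))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1][0]}> at end of file")
    return root

def find(nodes, name, arg=None):
    """First node named `name` (case-insensitive) and, if given, first arg `arg`."""
    for n, args, children in nodes:
        if n.lower() == name.lower() and (arg is None or args[:1] == [arg]):
            return args, children
    return None

# Constructed sample input: lines taken from the slide's configuration example.
SAMPLE = """\
ServerRoot "/etc/httpd"
KeepAlive Off
DocumentRoot "/var/www/html"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
"""
```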
Apache Modules
Modules provide custom functionality
• You only need to load the modules you use.
• Anyone can write new modules to add features.
Some popular modules
• Deflate: compresses content before sending
• Perl: embedded interpreter for Perl language
• PHP: embedded interpreter for PHP language
• SSL: provides encrypted connections
• suexec: run user programs as specified user account

Final Exam
Comprehensive coverage of all topics
• Conceptual questions from notes
• Lab questions using your virtual machine
Exam will be open book and notes
• You can use your graded assignments

References
• Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
• Gordon Lyon, NMAP Network Scanning, Fyodor, 2008.
• Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
• Nicholas Wells, The Complete Guide to Linux System Administration, Thomson Course Technology, 2005.
• Elizabeth Zwicky, Brent Chapman, Simon Cooper, Building Internet Firewalls, 2nd edition, O'Reilly & Associates, 2000.