Security
WeeSan Lee <weesan@cs.ucr.edu>
http://www.cs.ucr.edu/~weesan/cs183/
What's wrong with this picture?
[Network diagram with labels: www, db, The Internet, eon, kilo-1]

What's wrong with this picture?
[Network diagram with labels: www, db, fw, The Internet, eon, kilo-1]

What's wrong with this picture?
[Network diagram with labels: DMZ, www, db, fw, fw2, The Internet, eon, kilo-1]

What's wrong with this picture?
[Network diagram with labels: DMZ, www, db, fw, fw2, The Internet, fw3, eon, kilo-1]
Roadmap
• Introduction
• How is security compromised?
• Security Tips
• Security Tools
• iptables
• Q&A
Introduction
• The philosophy of Unix/Linux was optimized for convenience over security
  • Until the "Internet Worm" from Robert Morris, Jr.
  • CERT was formed as a result
• Even so, Unix/Linux is still more secure than Windows
• In general, Windows/Unix/Linux is not secure; get a dedicated firewall
How is security compromised?
• Social engineering
  • The users/admins are often the weakest links in the chain of security
  • 60% of security incidents involve an insider
  • Educate the users
• Configuration errors
  • Accounts without passwd
• Software vulnerabilities
  • Buffer overflow
  • Use of relative paths
How is security compromised?
• system("/bin/cat " . $_POST["filename"]); OOPS!
  • The user-supplied POST parameter is concatenated, unchecked, into a shell command line
Security Tips
• Employ packet filtering
• Update software patches
  • Put "yum update" in the crontab
• Frequent backups
• Logging
  • /var/log/messages
  • /var/log/secure
  • /var/log/maillog
  • /var/log/wtmp
  • Centralized remote logging
    $ man syslog.conf
Security Tips
• Turn off unnecessary services
  $ /bin/netstat -ta | grep LISTEN
  tcp        0      0 *:submission            *:*                     LISTEN
  tcp        0      0 *:sunrpc                *:*                     LISTEN
  tcp        0      0 *:x11                   *:*                     LISTEN
  tcp        0      0 *:38516                 *:*                     LISTEN
  tcp        0      0 localhost:ipp           *:*                     LISTEN
  tcp        0      0 *:smtp                  *:*                     LISTEN
  …
  $ /usr/sbin/lsof -i :38516
  COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
  rpc.statd 911 nobody   9u  IPv4   1952       TCP *:38516 (LISTEN)
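The slide's manual routine (list the LISTEN sockets, then chase the unknown ones with lsof) can be turned into a repeatable check. The script below is an added example, not code from the slides or the course: it compares netstat-style LISTEN lines against an allowlist of the services a host is supposed to offer and prints the rest with the lsof command to run next. The netstat sample and the EXPECTED list are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original slides: audit "netstat -ta" LISTEN
# lines against an allowlist of the services this host is supposed to offer.

# Constructed sample modelled on the slide's netstat output (not a capture).
SAMPLE_NETSTAT='tcp        0      0 *:submission            *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:x11                   *:*                     LISTEN
tcp        0      0 *:38516                 *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN'

# Services this host is meant to expose (an assumption for the demo host).
EXPECTED='ssh smtp submission'

# Print one line per LISTEN socket whose service is not in the allowlist:
#   <local socket> unexpected|local-only (lsof -i :<port>)
# Sockets bound to localhost are flagged "local-only" because they are not
# reachable from the network, but are still worth knowing about.  The split
# on ":" assumes IPv4-style "host:service" sockets as in "netstat -ta" output.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $NF == "LISTEN" {
            split($4, a, ":")                   # local address is "host:service"
            host = a[1]; svc = a[2]
            if (svc in ok) next                 # expected service, skip it
            verdict = (host == "localhost" || host == "127.0.0.1") ? "local-only" : "unexpected"
            print $4, verdict, "(lsof -i :" svc ")"
        }'
}

# Run it over the sample; on a live host use
#   unexpected_listeners "$(netstat -ta)" "$EXPECTED"
unexpected_listeners "$SAMPLE_NETSTAT" "$EXPECTED"
```

Anything reported as "unexpected" is a service reachable from the network that nobody planned for; the lsof hint identifies the owning process so it can be disabled in the service configuration rather than just killed.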
Security Tips
• Passwords
  • To check for null passwords
    $ perl -F: -ane 'print if not $F[1];' /etc/shadow
  • To find logins without passwords
    $ perl -F: -ane 'print if not $F[2];' /etc/passwd
  • Password aging
Security Tips
• Minimize the # of setuid programs
  • 35 setuid programs on average
    $ find / -user root -perm -4000 -print | mail -s 'setuid root files' sysadm
• File permissions
  • /etc/{passwd,group} should have 644
  • /etc/shadow should have 600
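The two password checks and the file-permission rule from the last two slides fit naturally into one audit script. The following is an added example, not the course's own code: it reimplements the empty-password-field test in awk, adds a check for extra UID 0 accounts (a common configuration error), and checks that a file has exactly the expected mode using POSIX find rather than GNU stat. The passwd and shadow samples are constructed, with made-up account names and fake hashes.

```shell
#!/bin/sh
# Added example, not from the original slides: account and permission audit
# written with awk instead of the slides' perl one-liners.

# Constructed sample files in /etc/passwd and /etc/shadow format; the
# accounts and hashes are made up for this demo.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
weesan:x:1000:1000:WeeSan Lee:/home/weesan:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
nobody:x:65534:65534:nobody:/:/sbin/nologin'

SAMPLE_SHADOW='root:$6$FAKEHASH$notarealhash:17678:0:99999:7:::
toor:$6$FAKEHASH$notarealhash:17678:0:99999:7:::
weesan:$6$FAKEHASH$anothermadeuphash:17678:0:99999:7:::
guest::17678:0:99999:7:::
nobody:*:17678:0:99999:7:::'

# Usernames whose password field (2nd field) is empty: the same test as the
# slide's "print if not $F[1]", in awk.  Works on either file format, since
# both keep the password field second.
null_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Usernames with UID 0 other than root: any extra superuser login is a
# classic configuration error and worth an immediate look.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Return 0 if file $1 has exactly the octal mode $2 (e.g. 644); otherwise
# warn and return 1.  "find -prune -perm" is POSIX, so no GNU stat needed.
check_mode() {
    if [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]; then
        return 0
    fi
    echo "WARNING: $1 is not mode $2" >&2
    return 1
}

# Demo over the constructed samples.  On a live host:
#   null_password_accounts "$(cat /etc/shadow)"   (as root)
#   extra_uid0_accounts "$(cat /etc/passwd)"
#   check_mode /etc/passwd 644; check_mode /etc/group 644; check_mode /etc/shadow 600
null_password_accounts "$SAMPLE_SHADOW"
extra_uid0_accounts "$SAMPLE_PASSWD"
```

Each function prints only the offending account names, so an empty result is the good outcome and the script can be run from cron and mailed to the sysadmin the same way the slide mails the setuid list.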
Security Tips
• Don't use /etc/hosts.equiv and ~/.rhosts
  • Create unwritable, zero-length ~/.rhosts
• Use LDAP instead of NIS
• Use NFSv4
• Run ClamAV, antivirus software
• /etc/hosts.{allow,deny}
  $ cat /etc/hosts.deny
  ALL:ALL
  $ cat /etc/hosts.allow
  sshd: 10.0.0.0/255.255.0.0
  sendmail: ALL
Security Tools - simple
• less
  $ /usr/bin/less /var/log/maillog
• last
  $ /usr/bin/last -f /var/log/wtmp -t 20080520144258
Security Tools
• lastlog
  $ lastlog -u weesan
  Username   Port     From       Latest
  weesan     pts/14   xx.xx.xx   Tue May 27 22:39:35 -0700 2008
• grep
  $ /bin/grep "Relaying denied" /var/log/maillog
  May 27 21:54:58 fw sm-mta[4463]: m4S4swAI004463: ruleset=check_rcpt, arg1=<ssmmttpp0509@yahoo.com.cn>, relay=219-84-62-105-adsl-tpe.dynamic.so-net.net.tw [219.84.62.105], reject=550 5.7.1 <ssmmttpp0509@yahoo.com.cn>... Relaying denied
Security Tools
• cat
  $ /bin/cat /var/log/secure
  May 27 21:14:05 fw vsftpd[4068]: refused connect from 66.11.116.140
  May 27 22:24:15 fw vsftpd[4474]: refused connect from 204.8.216.130
  May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
  May 27 23:11:36 fw su[4606]: + pts/4 weesan-root
• tail -f
  $ /usr/bin/tail -f /var/log/messages
  May 27 22:10:52 fw sshd[4118]: Accepted publickey for weesan from 10.0.0.33 port 41551 ssh2
  May 27 21:58:12 fw -- MARK --
  May 27 22:18:13 fw -- MARK --
  May 27 22:38:13 fw -- MARK --
Security Tools
• watch
  $ /usr/bin/watch /usr/bin/who
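The grep and cat one-liners on the preceding slides show individual log lines; on a busy host what you want is the summary: who is hammering a service, who became root, who tried to relay mail. The script below is an added example, not part of the slides: three small awk/sed summaries run over sample lines in the same formats as the slide output. The log samples are constructed (the slide's lines plus a few extra ones so that counts are visible).

```shell
#!/bin/sh
# Added example, not from the original slides: turn the grep/cat log checks
# into three small summaries that run over sample log lines.

# Constructed /var/log/secure lines in the slide's format (one extra refused
# connect added so that a count is visible); not a real capture.
SAMPLE_SECURE='May 27 21:14:05 fw vsftpd[4068]: refused connect from 66.11.116.140
May 27 22:24:15 fw vsftpd[4474]: refused connect from 204.8.216.130
May 27 22:31:40 fw vsftpd[4480]: refused connect from 66.11.116.140
May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
May 27 23:11:36 fw su[4606]: + pts/4 weesan-root'

# Constructed /var/log/maillog lines in sendmail's "Relaying denied" format,
# modelled on the slide (the second line is made up for the count).
SAMPLE_MAILLOG='May 27 21:54:58 fw sm-mta[4463]: m4S4swAI004463: ruleset=check_rcpt, arg1=<ssmmttpp0509@yahoo.com.cn>, relay=219-84-62-105-adsl-tpe.dynamic.so-net.net.tw [219.84.62.105], reject=550 5.7.1 <ssmmttpp0509@yahoo.com.cn>... Relaying denied
May 27 22:03:11 fw sm-mta[4470]: m4S53bAI004470: ruleset=check_rcpt, arg1=<ssmmttpp0509@yahoo.com.cn>, relay=219-84-62-105-adsl-tpe.dynamic.so-net.net.tw [219.84.62.105], reject=550 5.7.1 <ssmmttpp0509@yahoo.com.cn>... Relaying denied'

# "count ip" for every source refused by tcp_wrappers, busiest first.
refused_by_source() {
    printf '%s\n' "$1" | awk '/refused connect from/ { n[$NF]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Successful su to root: "su[pid]: + tty user-root" -> "date time user on tty".
su_to_root() {
    printf '%s\n' "$1" | awk '$5 ~ /^su\[/ && $6 == "+" && $NF ~ /-root$/ {
        sub(/-root$/, "", $NF); print $1, $2, $3, $NF, "on", $7 }'
}

# "count ip" of hosts that tried to use us as an open relay, taken from the
# bracketed address after relay= on "Relaying denied" lines.
relay_denied_ips() {
    printf '%s\n' "$1" | grep 'Relaying denied' \
        | sed -n 's/.*relay=[^[]*\[\([0-9.]*\)\].*/\1/p' | sort | uniq -c | sort -rn
}

# Demo over the samples; on a live host pass e.g. "$(cat /var/log/secure)".
refused_by_source "$SAMPLE_SECURE"
su_to_root "$SAMPLE_SECURE"
relay_denied_ips "$SAMPLE_MAILLOG"
```

The su summary is the one to read daily: every line is a privilege change that a human should recognise. The two count tables feed the firewall slides that follow, since a source that keeps being refused is a candidate for a REJECT rule.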
Security Tools - advanced
• nmap
  • Port scanning
    $ nmap -sT www.linux.is.better
  • Guess what OS a remote system is running
    $ nmap -O -sV www.linux.is.better
• Nessus
  • A powerful and useful software vulnerability scanner
• John the Ripper
  • Crack replacement
Security Tools
• Samhain
  • Host-based intrusion detection
• Security-Enhanced Linux (SELinux)
  • Not recommended
• Kerberos
  • Guarantees that users and services are in fact who they claim to be
• PGP - Pretty Good Privacy
  • Used to encrypt data, to generate signatures, and to verify the origin of files and messages
  • GnuPG
Security Tools
• ssh
  • A replacement for telnet
• scp
  • A replacement for ftp
• One-time passwords
  • Generate passwd off-line and good for once only
• Stunnel
  • Secure tunnel
• Firewall
  • iptables
iptables
• Linux kernel ver 2.4 introduced Netfilter
• iptables controls Netfilter
• Applies ordered "chains" of rules to network packets
• 3 default chains (filter tables)
  • INPUT
    • Rules applied to incoming packets
  • OUTPUT
    • Rules applied to outgoing packets
  • FORWARD
    • Rules applied to packets from one NIC to another
iptables (cont)
• In addition to the 3 default filter tables
  • nat
    • For setting up NAT
  • mangle
    • For modifying the packet header
• Each rule has a target
  • ACCEPT
  • DROP
  • REJECT
  • LOG
  • REDIRECT
  • RETURN
  • …
iptables (cont)
• $ iptables -F                                    (flush the filter tables)
• $ iptables -P INPUT ACCEPT                       (default to ACCEPT, why???)
• $ iptables -P FORWARD ACCEPT
• $ iptables -N RH-Firewall-1-INPUT                (create a new chain)
• $ iptables -A INPUT -j RH-Firewall-1-INPUT       (link the INPUT & FORWARD chains to the new chain)
• $ iptables -A FORWARD -j RH-Firewall-1-INPUT
• $ iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT   (-i: in-interface, -j: jump)
• $ iptables -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
• $ iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
• $ iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
• $ iptables -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
• $ iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
• $ iptables -A RH-Firewall-1-INPUT -j LOG         (log to /var/log/syslog before rejecting it)
• $ iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited   (reject all others)
iptables (cont)
• Add the following between line 10 & 11 (after the tcp --dport 631 rule and before the ESTABLISHED,RELATED rule) to reject all the adv websites
  for ad in $ADV_SERVERS; do
      iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp -d $ad --dport 80 -j REJECT
  done
• To accept certain connections/services, figure out the protocol type and port number and add a new line similar to line 12 (the ssh rule, --dport 22)
  • Q: What protocol type does DNS use? On which port?
  • A: Check out /etc/services
iptables (cont)
• To turn on NAT
  $ iptables -t nat -F
  # Redirect HTTP traffic to a web cache server
  $ iptables -A PREROUTING -t nat -i eth1 -p tcp -d $ALL --dport 80 -j REDIRECT --to-ports 3128
  # Turn on NAT for TCP, UDP and ICMP
  $ iptables -A POSTROUTING -t nat -o eth0 -p tcp -s 10.0.0.0/24 -j MASQUERADE
  $ iptables -A POSTROUTING -t nat -o eth0 -p udp -s 10.0.0.0/24 -j MASQUERADE
  $ iptables -A POSTROUTING -t nat -o eth0 -p icmp -s 10.0.0.0/24 -j MASQUERADE
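The three iptables slides above (the RH-Firewall-1-INPUT chain, the ad-server loop and the "look it up in /etc/services" answer, and the NAT rules) all follow one pattern: decide protocol and port, then append a rule of a fixed shape. The script below is an added example, not the course's own firewall script: it generates those rules from service names by parsing /etc/services format, so the DNS question is answered by the lookup rather than by memory. Rules are printed rather than executed, so it runs as an ordinary user; the services excerpt, the interface names and the host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original slides: generate iptables rules for
# the RH-Firewall-1-INPUT chain from service names, looking the port and
# protocol up in /etc/services format as the slide suggests.  Rules are
# printed rather than executed, so this runs without root; on a real firewall
# you would review the output and then pipe it to sh.

# Constructed excerpt in /etc/services format (standard IANA assignments).
SAMPLE_SERVICES='# service-name  port/protocol  [aliases]
ssh             22/tcp
ssh             22/udp
domain          53/tcp
domain          53/udp
http            80/tcp          www
ipp             631/tcp
ipp             631/udp'

CHAIN=RH-Firewall-1-INPUT

# Print "port proto" for each entry of service $2 in the services text $1,
# optionally restricted to protocol $3 (tcp or udp).
lookup_service() {
    printf '%s\n' "$1" | awk -v svc="$2" -v want="$3" '
        $1 !~ /^#/ && $1 == svc {
            split($2, pp, "/")
            if (want == "" || pp[2] == want) print pp[1], pp[2]
        }'
}

# Emit the slide-style accept rule(s) for a service, e.g. for ssh/tcp:
#   iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Fails (return 1) when the service is not registered, instead of silently
# emitting nothing.
accept_rule() {
    rules=$(lookup_service "$1" "$2" "$3" | while read -r port proto; do
        printf 'iptables -A %s -m state --state NEW -m %s -p %s --dport %s -j ACCEPT\n' \
            "$CHAIN" "$proto" "$proto" "$port"
    done)
    if [ -z "$rules" ]; then
        echo "accept_rule: service '$2' not found; check /etc/services" >&2
        return 1
    fi
    printf '%s\n' "$rules"
}

# The slide's ad-server loop as a function: $1 = inside interface, rest = hosts.
block_web_hosts() {
    iface=$1; shift
    for h in "$@"; do
        printf 'iptables -A %s -i %s -p tcp -d %s --dport 80 -j REJECT\n' "$CHAIN" "$iface" "$h"
    done
}

# The slide's NAT rules: masquerade tcp, udp and icmp from inside network $1
# leaving through outside interface $2.
masquerade_rules() {
    for proto in tcp udp icmp; do
        printf 'iptables -A POSTROUTING -t nat -o %s -p %s -s %s -j MASQUERADE\n' "$2" "$proto" "$1"
    done
}

# Demo: answer the slide's DNS question from the services table, then the
# other two rule sets.  Hostnames and addresses are placeholders.
accept_rule "$SAMPLE_SERVICES" domain
block_web_hosts eth1 ads.example.invalid banners.example.invalid
masquerade_rules 10.0.0.0/24 eth0
```

Because the ACCEPT rules are generated with the same `-m state --state NEW` shape as the slide's ssh rule, they must be inserted before the final LOG and REJECT rules of the chain, and the ad-server REJECTs before the ESTABLISHED,RELATED rule, exactly where the slide puts them; a rule appended after the catch-all REJECT is never reached. Services registered under both tcp and udp (ssh in the sample) get one rule per protocol unless the optional protocol argument narrows it to what the host actually serves.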
iptables (cont)
• To view the rules
  $ iptables -L -v
• To view the rules in the NAT table
  $ iptables -L -v -t nat
Reference
• LAH, Ch 20 - Security
• iptables
  $ man iptables
• Unix Advanced System Admin. EdCert
  https://www.ussg.iu.edu/edcert/course/view.php?id=7
• CERT
  http://www.cert.org/
• Security Focus
  http://www.securityfocus.com/