1. UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION (SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE)
A.Davous, 01/02/2009, Unix Security Advanced Admin
2. FOREWORD
“No absolute security as long as system is accessed”
“In system administration, the evil is in details”
For questions, the contact is antoine.davous@aviler.com, with [ESGI] in the subject field; otherwise, the mail will be considered as spam by server rules.
3. INTRODUCTION
SECURITY BREACHES, WELL-KNOWN EXAMPLES
UNIX RELEASES AND FLAVORS
REMINDER : UNIX MANDATORY
WELL-KNOWN ATTACKS, MALICIOUS PROGRAMS
KEY CONCEPTS, RISKS, STRATEGY
HOW TO SECURE, SECURED DESIGN
SOME TABLE LAWS
4. SECURITY BREACHES, WELL-KNOWN EXAMPLES
Sendmail debug command mode: as sendmail runs with setuid root, a user can run any command with root power (try sudo and vi!...)
Command passwd -f: no control of the entered GECOS field, so a user can add any new line to the password file
Buffer overflow is a variant: a user can execute shellcode (to get a root shell) previously saved at some memory address, for programs that accept any entry without control (exploit)
SYN flooding: by sending a high rate of TCP open session requests (SYN), the server fills its queue with half-open session data
SQL injection: an SQL request to a database may be forged to execute malicious code
5. FOR INFORMATION – UNIX RELEASES
6. FOR INFORMATION – UNIX FLAVORS
Unix time line: http://www.levenez.com/unix/
Linux distributions time line: http://futurist.se/gldt/gldt76.png
7. REMINDER – UNIX MANDATORY
Read, and read again, the documentation: man, man -k, makewhatis -u
vi – what else could be expected? vim, but check its configuration and security
Shells: sh is the best choice for scripting, then tcsh or bash… (to see the current shell: ps)
find, diff, touch, sort [-n]
xargs
grep, egrep, awk, Perl, expect
Find command and shell interaction
8. WELL-KNOWN ATTACKS
9. MALICIOUS PROGRAMS (MALWARES)
10. SECURITY KEY CONCEPTS
Security goals: confidentiality, integrity, availability, authentication, non-repudiation
3 usual answers to threats: ignore, improvise or try to ‘over’ secure
Right answer: determine the field, identify and evaluate the cost of resources (financial, confidentiality or production), determine security risks and strategy, monitor, upgrade
11. STRATEGIES
Strategies:
Accept the threat – but have a recovery plan
Reduce the threat – by appropriate means
Transfer the threat – to a vendor
Bypass the threat – by blocking access
Understanding is key:
Example of mail user privilege
Protect all layers – example of firewalls
Reduce the exposed surface
Protect, but detect and answer – administrate!
Security is, or must be, part of conception, operation and deployment
12. RISKS AND STRATEGY
Risks
Human – malicious, but often from authorized users
Technical – hardware (physical access), software
It is up to the sysadmin to decide what they are and the right level of protection
Strategy
Security and comfort is a compromise
Have a security policy, especially a recovery procedure
13. HOW TO SECURE
In-depth (passive) protection
(Physical – premises access)
Network filtering
Passwords
Encryption
Backup
(Active) security process
Monitor and add corrections
Full audit
Upgrade
14. SECURED DESIGN
Open design or secret design debate (hidden flaws, issues discovered by the community, provocation to exploits)
Common breaches
Least user access (chroot as solution)
Buffer overflow
Printf function (insert conversion keys into string)
Web programming (URL forging)
Transactions, client/server (man-in-the-middle; encryption, hashing as solutions)
15. SOME TABLE LAWS…
If someone can execute something on your computer, or if someone can modify your OS, or if someone can physically access your computer, it will not belong to you anymore
As well, if someone can execute something on your web site, it will not belong to you anymore
Weak passwords lead to security breaches
A system is as secured as the sysadmin wants
Encrypted data are as secured as the key used to encrypt them
An anti-virus that is not updated is as useful as no anti-virus
Anonymity is not useful but confidentiality is
Technology is not the be-all
Security measures work well when they are simple to use for the sysadmin and transparent to users
(Microsoft point of view)
16. SYSTEM AND SECURITY BASIS
REMINDER : PROCESSES
DAEMONS, SERVERS, SERVICES
INIT DAEMON, INIT LEVELS
REMINDER : BOOTING – SHUTTING DOWN
SERVICE MANAGEMENT
REMINDER : FILES, FHS
PACKAGE MANAGEMENT
17. REMINDER : PROCESSES
Processes have four identities: real (for accounting) and effective (for access permissions) UID and GID; usually the same, except with the setuid or setgid bit set
Command ps
Find setuid and setgid files over the system:
find / -type f -perm /u+s,g+s -ls
Kinds of processes
Interactive – controlled with & (run in background), ^Z (stop job), bg (restart in background), jobs (list current jobs)
Batch
Daemons
18. DAEMONS, SERVERS, SERVICES
Daemon, server, service concepts
Daemon: a program not part of the kernel; a process that performs a specific function or system-related task
Started at boot time or on demand
Specific system daemons
init, the primordial process
cron, which schedules commands
inetd, which manages some of them
19. WELL KNOWN DAEMONS
20. REMINDER : BOOTING – SHUTTING DOWN
21. INIT LEVELS
22. INIT DAEMON
First process to run after system boot
Always has PID 1 and is the ancestor of all other processes
After startup, init consults /etc/inittab (or, for BSD, /etc/ttys) to determine on which physical ports it should expect users to log in (getty processes – even though network daemons are widely used today, or xdm for the graphical interface)
Also takes care of zombie processes (not running but listed)
Init defines run levels (passed as argument to it from the boot loader): 0 to 6 and s (single-user)
An additional layer is given by startup scripts in /etc/init.d, linked to startup and stop scripts in /etc/rcX.d
23. SERVICE MANAGEMENT IMPLEMENTATIONS EXAMPLES
24. SERVICES MANAGEMENT COMPLEMENTS
Commands: init 0, init 6, init s, ps -ef, kill -<signal>, pgrep, pkill, <service-script> start|stop|restart (service startup script)
Command chkconfig (specific to Fedora):
usage: chkconfig --list [name]
       chkconfig --add <name>
       chkconfig --del <name>
       chkconfig --override <name>
       chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>
chkconfig header in startup scripts
And finally, the system-config-services GUI applet, specific to Linux
Command service and semi-graphical GUI sysvconfig, both specific to Debian
25. OTHER CONCEPTS
Command dmesg (kernel log)
Core dump: ulimit -c
Path:
- try not to modify the root profile PATH variable
- do not set empty or ‘.’ entries in the PATH variable
- in scripts (and configurations like cron), always use the full path for commands (as variables at the beginning)
Disk quotas may be used to isolate an application (vs. their original purpose)
vi and other editors' dump files feature
History of shell commands
who -r
cp -p
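Added example (not part of the course material): a check for the PATH rules above, which reports empty and ‘.’ entries (both mean the current directory), relative entries, missing directories and world-writable directories, where anyone could plant a fake command. The directory names used in the demonstration are constructed in a temporary directory.

```bash
#!/bin/sh
# Added example, not from the course: audit a PATH value for the pitfalls
# the slide lists (empty or "." entries, which both mean "the current
# directory", plus relative, missing or world-writable directories).
# Prints one finding per entry; a clean PATH prints nothing.
audit_path() {
    rest="$1:"                       # trailing ":" lets the loop see the last field
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"          # text before the first ":"
        rest="${rest#*:}"            # everything after it
        case "$entry" in
            "")  echo "EMPTY entry (= current directory)" ;;
            .)   echo "DOT entry '.' (= current directory)" ;;
            /*)
                if [ ! -d "$entry" ]; then
                    echo "MISSING directory: $entry"
                elif find "$entry" -prune -perm -0002 -print | grep -q .; then
                    echo "WORLD-WRITABLE directory: $entry"
                fi ;;
            *)   echo "RELATIVE entry: $entry" ;;
        esac
    done
    return 0
}

# Number of findings for a PATH value (0 means clean).
path_finding_count() {
    audit_path "$1" | grep -c . || true
}

# Demonstration on a constructed PATH: one sane directory, then one bad entry
# of each kind, all built in a temporary directory and removed afterwards.
demo_path() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/shared"
    chmod 0755 "$d/bin"
    chmod 0777 "$d/shared"
    audit_path "$d/bin::$d/shared:/nonexistent/bin:.:relbin"
    rm -rf "$d"
}
demo_path
```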
26. ANSWERS TO QUESTIONS - 1
Gentoo (2003)
Visible on the time line; derives from Enoch (1999), which was built from scratch.
Compiles on installation, taking into account the processor's instruction set.
ESCAPING TO SHELL WITH VI, MORE, …
Type : (colon) to get into command mode
Then ! (exclamation mark) to run any shell command
Type any command
locate – updatedb
Search of a pattern ( *file* ) instead of a filename ( file )
locate ntp == find / -name "*ntp*"
locate -b '\ntp' == find / -name ntp
History length: on sh or bash this is set with $HISTSIZE (tcsh: $HISTORY). See the following profiles slide and hands-on (depending on the shell, use man, setenv or printenv)
27. ANSWERS TO QUESTIONS - 2
grep
# egrep pattern file(s)
Shows filenames and lines that match [ filename: line ]
# egrep -L pattern file(s)
Lists files that do not contain any line matching
awk
# ifconfig -a | awk 'BEGIN {printf "%-4s %-19s %-15s\n","If","MAC","IP"} / Link/ {a=a+1 ; printf "%.4s %17s",$1,$5 ; getline ; printf "%15s\n",substr($2,6,15)} END {print "Total nbr:", a}'
If   MAC                 IP
eth0 00:09:5B:BD:FA:D2   192.168.0.1
eth1 00:0E:A6:9F:7C:AA   89.156.6.39
lo                       127.0.0.1
Total nbr: 3
28. REMINDER : FILES
In Unix everything is a file (I/O from files or from peripherals are the same)
In Unix, a file belongs to a user AND to a group (no mandatory relationship between both); a user can belong to many groups; so giving access to a set of files or commands belonging to a group is done by adding the user to the group
When a file is created, it belongs to the user who created it and to his group – except if the upper directory is setgid (BSD style)
Commands: chown [-R], chgrp, chmod
Access rights for files (directories):
r read (can ls it), w write (can delete/rename files inside), x execute (can cd into)
(to be executable, a shell script needs rx, a binary only x)
umask 022 command in profile files to set permissions of new files
Special access:
t sticky bit (can write in a dir but not delete files of other users; /tmp)
s setuid bit (sets resource access of the process to the owner and not to the one who runs it)
s setgid bit (for a file, sets resource access of the process to the owning group and not the one who runs it – for a dir, see above)
find / [-user root] -xdev -perm {-4000 | -2000}
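Added example (not part of the course material): an audit that puts the three special bits above together on a constructed directory tree, reporting setuid files, setgid files and world-writable directories that lack the sticky bit (the /tmp case done wrong). Like the slide's find, it stays on one filesystem with -xdev.

```bash
#!/bin/sh
# Added example, not from the course: audit a directory tree for the three
# special-permission cases described above and print one finding per line:
# setuid files, setgid files, and world-writable directories WITHOUT the
# sticky bit (anyone can then delete anyone's files in them).
audit_special_perms() {          # audit_special_perms ROOT_DIR
    # -perm -4000 / -2000: the setuid / setgid bit is set (other bits ignored)
    find "$1" -xdev -type f -perm -4000 -print | sed 's/^/SETUID file: /'
    find "$1" -xdev -type f -perm -2000 -print | sed 's/^/SETGID file: /'
    # world-writable (-perm -0002) directories that lack the sticky bit (-1000)
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print \
        | sed 's/^/WORLD-WRITABLE dir without sticky bit: /'
    return 0
}

special_perms_count() {
    audit_special_perms "$1" | grep -c . || true
}

# Demonstration tree, constructed in a temporary directory and removed after.
demo_special_perms() {
    d=$(mktemp -d) || return 1
    touch "$d/suid_tool" "$d/sgid_tool" "$d/plain"
    chmod 4755 "$d/suid_tool"    # runs with the owner's rights (like passwd)
    chmod 2755 "$d/sgid_tool"    # runs with the owning group's rights
    mkdir "$d/shared" "$d/tmp_like"
    chmod 0777 "$d/shared"       # world-writable, no sticky bit: finding
    chmod 1777 "$d/tmp_like"     # world-writable with sticky bit, like /tmp: fine
    audit_special_perms "$d"
    rm -rf "$d"
}
demo_special_perms
```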
29. FILESYSTEM HIERARCHY STANDARD – 1
30. FILESYSTEM HIERARCHY STANDARD – 2
31. PACKAGES MANAGEMENT
32. PHYSICAL SECURITY
USERS AND GROUPS
PASSWORD CRACK TOOLS
SUDO
PHYSICAL ATTACKS
HIGH AVAILABILITY
CHANNEL BONDING
33. USERS AND GROUPS
Su: switch user
# su -        (switch to root, loading root's environment)
Password
# passwd [user]
Sudo: optional package (configuration by visudo)
# sudo [command]
Users base files: /etc/passwd and /etc/shadow (encrypted passwords)
# head -2 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
(user:x:UID:GID:GECOS:home-dir:shell)
# man -s5 shadow
# vipw [-s]
Groups base file: /etc/group
# head -2 /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
34. USERS ADMINISTRATION - PROFILES
35. OTHER CONCEPTS
Users management commands are highly dependent on the OS: adduser, useradd, ...
Command dmesg
Command ls
# ls -als | head -4
total 4080
16 drwxr-xr-x 146 root root 12288 2009-02-21 04:44 .
 8 drwxr-xr-x  24 root root  4096 2009-02-10 18:03 ..
 8 drwxr-xr-x   4 root root  4096 2008-01-23 15:25 acpi
Columns: size-in-blocks, type and permissions, nbr of links, user, group, size-in-bytes, last-modif-date, name ("total" is the nbr of blocks)
Command chown [-R]
Command chmod
Symbolic links
File types (command file): d (dir), l (symbolic link), b (block), c (character), s (socket), p (pipe)
36. PASSWORD CRACK TOOLS
Usage of these tools is illegal on computers where you have not been explicitly authorized to do it.
But it is recommended to test your own password files – anyhow, crackers will do it with them.
Crack
Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin
Quick-start commands:
# umask 077
# ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
# Crack -nice 5 /root/unshadp
# CrackReporter
Results in the ~/run directory
John the Ripper
Locations: /usr/share/john ; /usr/libexec/john
Quick start commands:
# umask 077
# unshadow /etc/passwd /etc/shadow > /root/unshadp
# john [--rules --wordfile=FILE] /root/unshadp
Results in ~/john.pot
37. EXAMPLE FOR JOHN - 1
For this example to work, the password check must be removed from PAM:
# cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.BAK
Change pam_cracklib.so from requisite to optional.
But better with Fedora: set USECRACKLIB to yes in /etc/sysconfig/authconfig.
NO! If you are root, it is ok!
# useradd essai1
# passwd essai1
Changing password for user essai1.
New UNIX password: essai1
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: essai1
# unshadow /etc/passwd /etc/shadow > /root/essai1
# john /root/essai1
Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/32])
essai1           (essai1)
guesses: 1  time: 0:00:00:03 6% (2)  c/s: 4836  trying: skulls
^C
Session aborted
38. EXAMPLE FOR JOHN - 2
...
New UNIX password: 12345
...
12345            (essai1)
guesses: 1  time: 0:00:00:05 8% (2)  c/s: 4880  trying: Sunshine1
^C
...
New UNIX password: cathy
...
cathy            (essai1)
guesses: 1  time: 0:00:00:04 6% (2)  c/s: 4891  trying: decembers
^C
...
New UNIX password: djk7sdf
...
guesses: 0  time: 0:00:00:34 37% (2)  c/s: 4886  trying: blondie?
^C
39. SOME PHYSICAL ATTACKS
Physical access must be protected – if not, an attacker can open the case and reset the EEPROM (where the BIOS password is saved) or can steal the hard disk…
BIOS (or boot PROM for Sun) level must be protected (with a password) – if not, an attacker can boot on his own CD/DVD
If partitions are not encrypted, booting with a CD/DVD gives access to data (with the mount command) and so to /etc/passwd (this is an official recovery procedure for a lost root password)
For backup purposes, a recovery CD (or software installation CD) is usually needed
# mkbootdisk `uname -r`
The network may need to be redundant (High Availability) by duplicating network interfaces, switches, routers. Multiple redundant interfacing is named channel bonding (or IP multipath for Sun) – otherwise, DoS
40. ROOT PASSWORD RECOVERY
Simplest procedure, using single user mode – case of Fedora 10
At the Grub screen, edit the current boot line (e)
Edit the kernel line (e) by adding ‘single’ at the end (single user mode)
Save and boot (b)
The passwd command can then be entered with root privileges to reset the root password
GRUB is protected if:
the GRUB bootloader has a timeout (/boot/grub/menu.lst) – suppress it (0)
or a password (add the line password --md5 PASSWORD in menu.lst)
The encrypted password is given by the command
# grub-md5-crypt
which returns a PASSWORD that can be pasted
41. ROOT LOGIN DEVICES
Kinds of terminals
console         # console
ttyn (tty1,..)  # serial terminals
vc/n (vc/1,..)  # virtual consoles
Where root can directly log in to
Configurable in /etc/securetty
Security
Should all be disabled (by commenting with #) except console and/or tty1
42. ROOT, SUDO AND SECURITY
Never log in as root directly
su - (minus to inherit root's environment instead of the user's one)
Never change the root shell
Package sudo is used to give some determined root rights to standard users (with their own passwords!)
- Configuration file: /etc/sudoers (mode 440), editable only with the visudo command – see man sudo, man sudoers
- Never configure shells, or utilities that escape to a shell, as commands (more, less, vi, …) because commands will be executed as root!
- sudo -v: restart the timeout
- sudo may be integrated with PAM
- passwords are not encrypted; SSH is the solution
- usage can be forced by replacing the su command with a symbolic link to sudo
43. SUDO CONFIGURATION LINES EXAMPLES
Host_Alias FILESERVERS = fs1, fs2
User_Alias ADMINS = antoine, john
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Defaults requiretty
root ALL = (ALL) ALL
antoine fs1 = /sbin/mount, /mnt/cdrom
ADMINS FILESERVERS = SOFTWARE
dgb fs2 = (operator) /bin/ls
The most important: the sudoers config should be set to span over multiple servers (by simple file transfer and copy)
Last: the user dgb may run /bin/ls, but only as operator, e.g.
# sudo -u operator /bin/ls
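Added example (not part of the course material, nor of the sudo project): a check that reads a sudoers-style file and reports the grants the previous slide warns against, i.e. shells, pagers and editors that escape to a shell, and ALL given to a user other than root. The list of escaping programs and the handling of Cmnd_Alias are assumptions of the example; the demonstration file extends the lines above with two deliberately bad grants.

```bash
#!/bin/sh
# Added example, not from the course or from the sudo project: scan a
# sudoers-style file for shells, pagers and editors (all escape to a shell)
# granted as sudo commands, or ALL granted to a user other than root.
# Cmnd_Alias definitions are expanded, so an alias hiding /usr/bin/vi is
# caught too. The list of escaping programs is an assumption for the example.
# Prints one finding per line as "line N (user): command".
audit_sudoers() {                # audit_sudoers SUDOERS_FILE
    awk '
    function base(p,   n, parts) { n = split(p, parts, "/"); return parts[n] }
    function risky(cmd, user) {
        if (cmd == "ALL") return (user != "root")
        return (base(cmd) ~ /^(sh|bash|csh|tcsh|ksh|zsh|dash|more|less|vi|vim|view|ex|ed)$/)
    }
    # spec is a comma-separated command list; aliases expand recursively
    function check(spec, user, line,   n, cmds, i, c) {
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
            sub(/^\([^)]*\)[ \t]*/, "", c)        # drop a "(runas)" prefix
            if (c in alias)          check(alias[c], user, line)
            else if (risky(c, user)) printf "line %d (%s): %s\n", line, user, c
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/                  { next }   # comments, blank lines
    /^[ \t]*Defaults/ || /^(Host|User)_Alias/ { next }   # not command grants
    /^Cmnd_Alias/ {
        sub(/^Cmnd_Alias[ \t]+/, "")
        split($0, kv, /[ \t]*=[ \t]*/)
        alias[kv[1]] = kv[2]
        next
    }
    /=/ {                                     # user spec: who where = what
        rhs = $0; sub(/^[^=]*=[ \t]*/, "", rhs)
        check(rhs, $1, NR)
    }' "$1"
    return 0
}

sudoers_finding_count() {
    audit_sudoers "$1" | grep -c . || true
}

# Demonstration on a constructed sudoers file: the first lines are the course
# examples, the last two are the kind of grant the previous slide warns about.
demo_sudoers() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Host_Alias FILESERVERS = fs1, fs2
User_Alias ADMINS = antoine, john
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias PAGERS = /usr/bin/less, /bin/more
Defaults requiretty
root ALL = (ALL) ALL
antoine fs1 = /sbin/mount, /mnt/cdrom
ADMINS FILESERVERS = SOFTWARE
dgb fs2 = (operator) /bin/ls
helpdesk ALL = /usr/bin/vi, PAGERS
backup ALL = (ALL) ALL
EOF
    audit_sudoers "$f"
    rm -f "$f"
}
demo_sudoers
```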
44. ANSWERS TO QUESTIONS - 1
Ubuntu (8-10) iptables startup script
# cd /etc/init.d
# grep -i iptables *
ufw: if iptables -L ufw-user-input -n >/dev/null 2>&1 ; then
ufw:     execs="iptables"
ufw:     execs="iptables"
ufw:     iptables -L ufw-user-input -n >/dev/null 2>&1 || {
# cat /etc/init.d/ufw
. . .
45. ANSWERS TO QUESTIONS – 1bis
Virtualization
http://fr.wikipedia.org/wiki/Virtualisation_(informatique)
A. Operating system-level virtualization (isolated OS): on Sun, Solaris 10 handles the concepts of containers (zones and resources); on Unix, chroot; on Linux, the same concept is operated with Linux-VServer
B. Paravirtualization (software interface simulating hardware): VirtualBox, simple but low performance; VMware Server, Player, Workstation
C. Hypervisor (manages guest kernel calls to hardware): on Linux, Xen can support virtualization of OSes other than itself as long as they are ported to it; VMware ESXi
(Images A, B, C: Wikipedia)
46. ANSWERS TO QUESTIONS - 2
FreeBSD (7.1): switch user to root with su
Problem when logged in as antoine:
> id
uid=1001(antoine) gid=1001(antoine) groups=1001(antoine)
> su -
Feb 18 11:09:02 magfbsd su: BAD SU antoine to root on /dev/ttyv0
su: Sorry
Man su (extract):
...by default only users in the ''wheel'' group can switch to UID 0 (''root'')...
Correction procedure: log in as root first
magfbsd# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
magfbsd# cp -p /etc/group /etc/group.ORIG
magfbsd# vi /etc/group    # add user antoine to wheel group
Test: log in again as antoine
> id
uid=1001(antoine) gid=1001(antoine) groups=1001(antoine)
> su -
Password:
Feb 18 11:17:09 magfbsd su: antoine to root on /dev/ttyv0
magfbsd# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
47. ANSWERS TO QUESTIONS - 3
Init levels and services management:
INIT LEVELS
SERVICES MANAGEMENT IMPLEMENTATIONS EXAMPLES
Tree command
tree -d -L 2
Telnet connections handling by TcpWrappers (see also new slides)
In /etc/hosts.allow:
in.telnetd : LOCAL
Behavior against a SYN received on a closed port:
“If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means.”
RFC 793, found at http://www.faqs.org/rfcs/
48. HIGH AVAILABILITY (HA)
Data: RAID, Multipath
Service access: clusters, network redundancy
Geographic spanning
Load sharing, load balancing, fail over
For Linux, specific project: Linux-HA http://www.linux-ha.org/ (based on heartbeat-2.1.x, stonith, DRBD packages)
Excellent in-depth technical paper: http://www.linux-ha.org/_cache/HeartbeatTutorials__LCA2007-tutorial.pdf
Includes explanations of HA concepts (split-brain, fencing, quorum, SPOF, data sharing, …)
49. (LINUX) CHANNEL BONDING - 1
Four concepts required (details may vary over distributions): (Linux) kernel modules, (Linux) network cards configuration, channel bonding itself, HA modes
Note: the Linux NetworkManager service (used for laptop automatic network interfaces configuration) should be disabled and stopped, but the network service started
Virtual interface:
/etc/sysconfig/network-scripts/ifcfg-bond0
“Regular” interfaces:
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth1
Module loading and configuration:
/etc/modprobe.d/bonding
Commands used to debug:
lsmod | grep bond                     # Check module loading
modprobe [-r] bonding                 # Load/unload module
/etc/init.d/network [stop|start]      # Start/stop network service
ifconfig -a                           # Print interfaces status
ifconfig eth0 [up|down]               # Enable/disable interface
cat /var/log/messages | grep -i bond  # Check logs
50. (LINUX) CHANNEL BONDING - 2
51. NETWORK SECURITY
TCP/IP SECURITY WEAKNESSES
[X]INETD DAEMON AND SERVICES
TCPWRAPPERS
PORT SCANNING
DHCP
NETWORK CONFIGURATION FILES
NETWORK COMMANDS
IP ALIASING
TCP/IP STACK SECURITY
TOOLS : WIRESHARK AND NMAP
52. REMINDER : NETWORKING - 1
TCP/IP layers:
application: telnet, NFS, FTP, SSH, HTTP
session: DNS, DHCP
transport: TCP, UDP
internet (OSI network): IP, ICMP, routing
network access: Ethernet, ARP
MAC address: 48 bits – the first 24 are the OUI (Organizationally Unique Identifier)
Service = transport protocol (TCP or UDP) + port
/etc/protocols – associates internet protocol (OSI network layer) and protocol identifier
/etc/services – associates transport protocol (transport layer) and port number
IPv6: 128-bit address (the first 48 bits for the ISP, the end for the MAC)
Compatible with IPv4 (::FFFF:a.b.c.d); loopback is ::1; broadcast is FF02::1
http://www.potaroo.net/tools/ipv4/index.html
53. REMINDER : NETWORKING - 2
Classes, networks, hosts, masks, broadcast calculation: see ipcalculator or ipcalc
Networks, sub-networks and masks
Sub-networks are used to resize the number of hosts belonging to a network, especially for class C
The mask should always be set; hosts belonging to different sub-networks can't communicate except via a router; this is a way to reduce traffic over the LAN
ARP - RARP
ICMP
UDP: connectionless
TCP: connection oriented
54. ICMP – PING
Usually filtered by firewalls (at least the interesting types)
Think about kernel tuning (sysctl -a | grep -i icmp) to avoid flooding
Tools: hping3 [many options], xprobe2 (not really reliable, or OS now secured?)
ICMP types used for fingerprinting
Type 8 – Echo request
Type 13 – Timestamp request
Type 15 – Information request
Type 17 – Subnet address mask request
Ping flooding
Sending pings to broadcast or multicast addresses, amplification
55. DHCP
Network layer – as ICMP
Used to manage leases and allocate IP addresses – and other parameters such as gateway, DNS addresses, …
Addresses can be allocated permanently (based on the client MAC address) or for a given duration (lease)
Protocol:
Client sends a DHCPDISCOVER on broadcast
Servers answer with DHCPOFFER
Client sends to all DHCP servers a DHCPREQUEST including the chosen server
The chosen server finally returns DHCPACK with the IP parameters
Client may decline the parameters with DHCPDECLINE and the process is restarted
DHCP servers must have a static address! As well, DHCP must not be used for DNS, LDAP, … for security reasons – spoofing of address, because there is no authentication mechanism of the server identity
56. DHCP CLIENT CONFIGURATION
57. TCP/IP NETWORK PROTOCOLS MAP (from protocol.com website)
58. TCP/IP NETWORK PROTOCOLS MAP (from RADCOM website)
(Attached PDF file, available from RADCOM at www.radcom.com)
59. WELL-KNOWN SERVICES AND PORTS
60. TCP/IP SECURITY WEAKNESSES - 1
TCP/IP leads to an unsecure network by itself
No IP source authentication; no encrypted headers or content; flood is easy
SMTP: no authentication of the source mail address
Ping flood
Source routing is an IP spoofing technique
Dynamic IP address: do not use it on systems that share resources (NFS, Samba) or provide network resources (DNS, DHCP, mail server)
IP provides a connectionless service; it routes and sends a datagram; no sequence guarantee; option fields for source routing and record route; no encryption; no authentication
TCP, on top of IP, provides a connection oriented service, delivery and in-sequence guarantees (sequence number, 3-way handshakes, timers, see the TCP state machine)
61. TCP/IP SECURITY WEAKNESSES - 2
TCP sequence number (32 bits) – counting exchanged bytes – to check delivery and sequence. On both sides; Initial Sequence Numbers (ISN) are random to distinguish multiple connections; the receiver window size is based on it to control flow
3-way handshake: SYN, SYN+ACK, ACK; release: FIN, FIN+ACK, ACK
Timers
Connection establishment timer (75 s)
TIME_WAIT interval timer (120 s) – allows segments in transit to be removed
For example, KEEP_ALIVE timer (3600 s) – can stall the TCP state machine
Flaws leading to DoS: synchronous establishment (no timer at SYN_RCVD, stalled); SYN+FIN leads to CLOSE_WAIT (no timer either, stalled)
SYN flooding leading to DoS due to a full listen queue of half-opened connections (connection timer is 75 s)
62. TCP/IP SECURITY WEAKNESSES - 3
IP spoofing: an attacker takes another host's IP address (no control from the server), but with 2 catches: the attacker does not see the responses (*) (sent to the regular host) and/or must guess the ISN or the next sequence number (**) (after authentication, for example)
(**) Sequence guessing can be done because the ISN is not so random
(*) Source routing may be used (even though more prohibited today)
Connection hijacking – man in the middle attack by exploiting a ‘desynchronized state’ (forcing a host to reject packets with a sequence number inside the window because it has already accepted the attacker's forged one)
ICMP
By sending forged Time Exceeded or Destination Unreachable to both parties (DoS)
By sending Echo Request to multicast or broadcast addresses (DoS)
By sending Redirect to one of the ends to take control of the connection (spoofing)
These attacks are usually done from the local network
DNS: if the attacked network trusts domain names, an attacker can map the IP address of his host to belong to the domain. Reverse mapping is done to avoid such an attack
63. NETWORKING COMMANDS
hostname (nodename)
ifconfig
ping
arp [-n] [-a] ...
netstat [-rn] ...
route [add | del] ...
traceroute
nslookup, dig
lsof [-i]
64. (LINUX) NETWORKING FILES
/etc/hosts                                       # Hostname resolution
/etc/inetd.conf (/etc/xinetd.conf, /etc/xinetd.d/)
/etc/services                                    # Service port resolution
/etc/securetty                                   # TTY access
/etc/hosts.equiv                                 # R* services
~/.rhosts                                        # R* services
/etc/hosts.allow, /etc/hosts.deny                # TcpWrappers
/etc/resolv.conf                                 # Name servers declaration
/etc/nsswitch.conf                               # Name services resolution methods
/etc/sysconfig/network-scripts/                  # Ethernet config
/etc/sysconfig/network                           # Hostname, GW, options
/etc/networks                                    # Network resolution
/etc/protocols                                   # Protocol name resolution
65. INETD AND XINETD
Extended Internet services daemon
Unique daemon that waits for incoming connections for a number of other services and starts the corresponding server (echo, telnet, FTP, r* services… most are standard and/or well-known Unix services – but not all)
Process: inetd or xinetd (reminder: kill -HUP)
Startup for xinetd: /etc/init.d/xinetd
Logs via syslog – but configurable
Old style configuration (inetd): /etc/inetd.conf (reminder: /etc/services)
Configuration (xinetd) in: /etc/xinetd.conf, /etc/xinetd.d/* (one config file per service)
Even though (x)inetd is a mandatory service (think about installing embedded servers with no SSH package installed yet), controlled services are more and more disabled for security reasons …
… why? For example, telnet and FTP send clear-text passwords!
Other: installation with core, verbose mode
66. REMINDER : TELNET, (T)FTP, R* SERVICES
Started by the (x)inetd server
Reminder telnet: useful for tests (not only port 23)
# telnet host [port]
TFTP: used for X terminals startup: no authentication at all
telnet, FTP: security problem with clear-text passwords shown…
R* services
Commands: rlogin, rsh, rcp, ruptime, rwho
Configuration: /etc/hosts.equiv, ~/.rhosts
Syntax: user@host
Authentication is done without password if it succeeded (handy for rcp)
But security problem: if one listed host is unsecured, the local host is unsecured! This is because, with the r* services authentication scheme, local authentication is based on the remote one.
So use rsync for file transfer (nothing to do with r* services) or, better, SSH/SFTP for everything.
67. TCPWRAPPERS
Package that secures connections to given well-known services – those handled by (x)inetd for sure, but others too (SSH)…
…which ones? For the sshd example:
# strings -f /sbin/sshd | grep hosts_access
/usr/sbin/sshd: hosts_access
(YES! If no line is returned, no)
TcpWrappers is transparently inserted between the network and the service; it adds access control and logging features
Binary: tcpd – but not a daemon (invoked at connection). This is why there is no service to restart after a configuration modification
Configuration files:
/etc/hosts.allow
/etc/hosts.deny
Syntax of configuration lines:
service_list : host_list [ : (command to log) ]
host_list may be a hostname, a list, an IP address or network, a keyword (ALL, LOCAL) – but never use EXCEPT as shown in the documentation
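Added example (not part of the course material, nor of the TcpWrappers package): an evaluator that shows how the hosts.allow / hosts.deny order decides access for the syntax above, on constructed files. It handles only ALL, LOCAL, exact names or addresses and network prefixes ending in a dot (EXCEPT and netmask forms are left out, as the slide advises against EXCEPT); the service and client names used are constructed.

```bash
#!/bin/sh
# Added example, not from the course or from the TcpWrappers package: answer
# "would tcpd let this client reach this service?" for a hosts.allow /
# hosts.deny pair, following the documented order (allow file first, then
# deny file, else access is granted) and a subset of hosts_access(5) patterns.
hosts_match() {                  # hosts_match SERVICE CLIENT FILE -> status 0 if a line matches
    awk -v svc="$1" -v cli="$2" '
    function tok_match(tok, val, is_client) {
        if (tok == "ALL") return 1
        if (is_client && tok == "LOCAL") return (index(val, ".") == 0)   # name without a dot
        if (is_client && tok ~ /\.$/)    return (index(val, tok) == 1)   # prefix like 192.168.0.
        return (tok == val)
    }
    function list_match(list, val, is_client,   n, t, i) {
        n = split(list, t, /[ \t,]+/)
        for (i = 1; i <= n; i++)
            if (t[i] != "" && tok_match(t[i], val, is_client)) return 1
        return 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
    {
        n = split($0, f, ":")                   # service_list : client_list [ : command ]
        if (n >= 2 && list_match(f[1], svc, 0) && list_match(f[2], cli, 1)) { found = 1; exit }
    }
    END { exit (found ? 0 : 1) }' "$3"
}

tcpd_decision() {                # tcpd_decision SERVICE CLIENT ALLOW_FILE DENY_FILE
    if hosts_match "$1" "$2" "$3"; then echo "allow (hosts.allow)"
    elif hosts_match "$1" "$2" "$4"; then echo "deny (hosts.deny)"
    else echo "allow (no rule matched, tcpd default)"
    fi
}

# Demonstration with constructed files: SSH only from the LAN, telnet only
# from hosts of the local domain, everything else denied.
demo_tcpd() {
    d=$(mktemp -d) || return 1
    printf 'sshd : 192.168.0.\nin.telnetd : LOCAL\n' > "$d/hosts.allow"
    printf 'ALL : ALL\n' > "$d/hosts.deny"
    for probe in "sshd 192.168.0.5" "sshd 89.156.6.39" "in.telnetd magfbsd" \
                 "in.telnetd 192.168.0.5" "in.ftpd 192.168.0.5"; do
        set -- $probe
        printf '%-11s from %-13s -> %s\n' "$1" "$2" \
            "$(tcpd_decision "$1" "$2" "$d/hosts.allow" "$d/hosts.deny")"
    done
    rm -rf "$d"
}
demo_tcpd
```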
68. TELNET CONNECTION EXAMPLE
For example, steps to debug a telnet over xinetd connection:
Check the actual status of the xinetd service: /etc/init.d/xinetd status – must be up and running (or ps -ef | grep inet)
Check the telnet service: must be enabled either in /etc/xinetd.conf or in the /etc/xinetd.d/telnet configuration file: disable = no
Check local connection: telnet localhost
Check the local firewall, if any: TCP port 23 must be open
Check the TcpWrappers configuration: in.telnetd must be allowed – at least for the client used to connect or the network it belongs to – possibly for ALL during testing
Check anyway the /var/log/messages logs…
For security reasons – against spoofing – the telnet server (but the FTP server also) always tries a reverse resolution of hostnames – so local and distant addresses should be ‘resolvable’ (in our test case, set in /etc/hosts because no DNS is available – /etc/nsswitch.conf)
Check reboot: chkconfig must show the service is on – for the next reboot
69. TCP STATE MACHINE
70. PORT SCANNING INTRO
TCP ports scanning
Normal handshake, port open: SYN, SYN+ACK, ACK
Normal handshake, port closed: SYN, RST+ACK
(note: this is logged!)
Half-open SYN scan, port open: SYN, SYN+ACK, RST
Half-open SYN scan, port closed: SYN, RST+ACK
(note: this may not be logged … but usually is)
Anyhow, some systems (FW) will think about SYN flooding. So nmap can be used with the -T option to slow down the flood
Probe = malformed TCP packet (i.e. “FIN” probe with the FIN flag set, or “XMAS” probe with the FIN, URG, PUSH TCP flags set, “NULL” probe with no TCP flag set)
Stealth TCP scan, port open: TCP probe, no response (this is garbage)
Stealth TCP scan, port closed: TCP probe, RST+ACK
(notes: also named inverse TCP flag; Windows does not respect the standard and does not send RST from a closed port; nmap can use options for each kind of probe: -sF, -sX, -sN)
Some other techniques: analysis of ACK probe, TTL field, window field
UDP ports scanning
UDP probe, port open: UDP probe, no response
UDP probe, port closed: UDP probe, ICMP dest port unreachable
(note: nmap can use option -sU)
Using specific UDP service clients to test a server – not realistic for a large number of ports
71. NMAP INTRO – 1 “The bad guys are already using nmap for reconnaissance, because a single scan can tell you a lot about the open doors and windows in a computer’s house. The good guys are using nmap to make their network safer.” – James Messer (Secrets of Network Cartography)
Nmap = Network Mapper – it is a port scanner. Detects open ports, offered services and the OS fingerprint of remote computer(s). Uses analysis techniques based on TCP, IP, UDP and ICMP. Guesses the OS from the answers to specifically forged queries. Open source, created by 'Fyodor' and distributed by Insecure.org
Warning: an nmap scan can be seen as an intrusion attempt. Scans are detected by an IDS – Intrusion Detection System – like Prelude
Tests can be done against scanme.nmap.org
72. NMAP INTRO – 2 Available open source frontends: nmapFE or zenmap
Port states reported by nmap:
open – a TCP connection is accepted, or UDP packets are accepted
closed – accessible (there is an answer) but no application is listening on that port
filtered – nmap can't say, because the probe is dropped before reaching the port (firewall)
unfiltered – the port is accessible but nmap can't say whether it is open or closed
open|filtered – nmap can't say whether open or filtered
closed|filtered – nmap can't say whether closed or filtered
73. MAIN PORTS SCANNING TECHNIQUES – NMAP CORRESPONDENCE - 1
74. MAIN PORTS SCANNING TECHNIQUES – NMAP CORRESPONDENCE - 2
75. NMAP OPTIONS – 1
76. NMAP OPTIONS – 2
77. NMAP OPTIONS – 3
78. NAME RESOLUTION AND ROUTING Name resolution
/etc/hosts – static name resolution (may be distributed by NIS, but this is to be avoided)
/etc/resolv.conf – domain definition and name servers location (removing it deactivates DNS resolution)
/etc/host.conf – resolver options; /etc/nsswitch.conf – name service switch, i.e. the order in which the sources (files, dns, nis) are consulted
Routing
On a single LAN segment (hubs, switches) no routing is necessary
On small networks, static routes may be necessary
On large networks (WAN), dynamic routing is handled by the routed (RIP) and gated (RIP, OSPF, BGP, EGP) daemons
On Linux, static routes may be defined in /etc/sysconfig/static-routes
79. TCP/IP STACK (AND KERNEL) TUNING
80. TOOL: WIRESHARK - 1 The other well-known sniffer is tcpdump (we'll see it later)
Wireshark can import tcpdump dump files and snoop (Sun) dump files
Open-source and modular design – you can add your own dissector
Related to sniffing, but many other, more obscure tools are used in real life by attackers
Promiscuous mode – i.e. listen to all frames on the LAN (libpcap needed – WinPcap in a Windows environment)
Can be used in text mode without the GUI (tshark) – but on a server, use tcpdump instead, with the -w option to write the capture to a file that Wireshark then opens
Configurable columns (Edit, Preferences)
Filtering: when capturing (many options) or when viewing (also…) – the capture can work as a ring buffer with triggers
Important options: Name resolution: MAC, network, transport – network resolution should be avoided, as it creates new (DNS) traffic on the network you are analysing. Fragmented IP: reassembled by default but configurable (Edit, Preferences, IP protocol options). Analyze, Follow TCP stream: useful to present a TCP session in one window
Rich statistics options
Rich export and presentation options
81. TOOL: WIRESHARK - 2
82. TOOL: WIRESHARK - 3 (ANSWER TO THE QUESTION ABOUT RING BUFFER CAPTURE)
Define a capture filter – not so easy sometimes, so it should be tried first with preliminary tests. Example – not useful but for the concept: among all traffic, you want to catch the ICMP echo request with TTL 3 (we will trigger this with traceroute to www.google.com) and its response: icmp.type == 8 – ICMP echo request; icmp.type == 11 – ICMP time exceeded; ip.ttl == 3 – TTL at 3; the IP of www.google.com was 209.85.229.103 at the time. So a filter could be: ip.dst == 209.85.229.103 && (icmp.type == 8 || icmp.type == 11) && ip.ttl == 3. Two caveats: this is display-filter syntax; capture filters use tcpdump's BPF syntax (host, port and protocol primitives, the TTL being tested as a byte offset in the IP header). And the time-exceeded answer comes from the third router, addressed to us with the router's own TTL, so the second half of this filter never matches it as written; for that packet, filter on icmp.type == 11 alone.
83. DATA SECURITY RAID
LVM
BACKUP
NAS / SAN
84. DATA SECURITY Installed software: the less installed, the fewer security holes – the idea is to reduce the attack surface
Journaled file systems – transaction based; a brutal power loss leaves the file system consistent (data in flight at that moment may still be lost)
RAID
As a reminder, commands and file to know (on all OS): mount, umount, /etc/fstab
From a security point of view, external (system) shares should usually be mounted read-only (and with nosuid and nodev where possible)
85. RAID - 1 RAID: Redundant Array of Independent/Inexpensive Disks
RAID is a way to aggregate multiple block devices into a unified storage view for the user – in simple words, aggregate physical hard disks into virtual ones from the system's perspective
RAID may be implemented: physically – RAID controllers – the preferred method; in system software (Linux md, for instance) – low cost, but lower performance: the host CPU does the work and the disks usually share one controller
To be really redundant, each physical disk or disk group must have its own disk controller – especially if software implemented
But also multiple access paths (multipath), multiple power supplies… – the weakest link concept in HA
A compromise between availability, performance and cost
86. RAID - 2 RAID 0: blocks are striped over the disks – no redundancy: one disk lost, everything lost
RAID 1: mirroring, duplication of blocks – half the capacity, limited write performance
RAID 5: striped set with distributed (interleaved) parity – survives one disk failure, high availability
RAID 10: or RAID 1+0 – mirrored pairs striped together
Images: Wikipedia
87. RAID 1 REAL CASE EXAMPLE Useful commands are listed – they will be shown during the hands-on (based on a Linux RAID 1 simulation over VirtualBox)
cat /etc/fstab – file systems table
df -k – file systems usage
cat /etc/mdadm.conf – RAID configuration
mdadm --detail /dev/md2 – RAID details for /dev/md2
cat /proc/mdstat – RAID current status (1)
An example – very simplified – to detach / re-attach a sub-mirror to its mirror:
/dev/md0: /boot, /dev/md1: swap, /dev/md2: root – the largest one, /dev/md2, to see the sync
/dev/md0 = (/dev/sda1 + /dev/sdb1), /dev/md1 = (/dev/sda2 + /dev/sdb2), /dev/md2 = (/dev/sda3 + /dev/sdb3)
mdadm --detail /dev/md2 # Try to run it at each step...
mdadm /dev/md2 --set-faulty /dev/sdb3 # A member must be marked faulty before it can be removed
mdadm /dev/md2 --remove /dev/sdb3 # Remove the sub-mirror
# ... Here the disk may be replaced, but other commands are required (2)!
mdadm /dev/md2 --re-add /dev/sdb3 # Re-add the sub-mirror; the resync starts
while true; do grep recovery /proc/mdstat; sleep 15; done
This loop demonstrates a common usage of the special proc files, which generalizes to other information; try: cat /proc/meminfo, cat /proc/vmstat – used by the vmstat command
This should be done for all mirrors – the commands should be duplicated for /dev/md0 and /dev/md1 (see demo). And the replacement disk must carry the same partitions and sizes (type fd, Linux raid autodetect), at least for mirroring – they are created with fdisk or sfdisk, not with mdadm, which only assembles existing partitions into arrays.
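Polling /proc/mdstat with grep tells you when a resync is running, but not whether an array is silently degraded, which is what a monitoring check needs. The following is an added example, not code from the course or from mdadm: it parses a constructed /proc/mdstat for the three mirrors of the slide (md2 with /dev/sdb3 removed, md1 rebuilding, md0 healthy) and reports the arrays whose active member count is below the expected one.

```python
"""Report RAID health from /proc/mdstat, the file the slide polls by hand.

Added example, not code from the course or from mdadm. SAMPLE_MDSTAT is a
constructed snapshot for the slide's layout: md2 has lost sdb3, md1 is
rebuilding onto sdb2, md0 is complete.
"""
import re

SAMPLE_MDSTAT = """\
Personalities : [raid1]
md2 : active raid1 sda3[0]
      35000000 blocks [2/1] [U_]

md1 : active raid1 sdb2[2] sda2[0]
      1500000 blocks [2/1] [U_]
      [=======>.............]  recovery = 37.5% (562500/1500000) finish=0.4min speed=40000K/sec

md0 : active raid1 sdb1[1] sda1[0]
      200000 blocks [2/2] [UU]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\w+) (\w+) (.*)$")        # md2 : active raid1 sda3[0]
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")         # [2/1] [U_]
PROGRESS_RE = re.compile(r"(recovery|resync|reshape|check) = ([\d.]+)%")

def parse_mdstat(text):
    """Return {array_name: info}; info has level, members, faulty, expected, active, progress."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, rest = m.groups()
            # member tokens look like sda3[0]; a faulty member is flagged sdb3[1](F)
            members = re.findall(r"(\w+)\[\d+\](\(F\))?", rest)
            current = arrays[name] = {
                "state": state, "level": level,
                "members": [dev for dev, _ in members],
                "faulty": [dev for dev, flag in members if flag],
                "expected": None, "active": None, "slots": None, "progress": None,
            }
            continue
        if current is None:
            continue
        s = STATUS_RE.search(line)
        if s:
            current["expected"], current["active"] = int(s.group(1)), int(s.group(2))
            current["slots"] = s.group(3)          # U = up, _ = missing
        p = PROGRESS_RE.search(line)
        if p:
            current["progress"] = (p.group(1), float(p.group(2)))
    return arrays

def degraded_arrays(text):
    """Names of arrays with a faulty member or fewer active members than expected."""
    return sorted(
        name for name, a in parse_mdstat(text).items()
        if a["faulty"] or (a["expected"] is not None and a["active"] < a["expected"])
    )

def report(text):
    """One line per array, suitable for a cron job or a monitoring plugin."""
    degraded = set(degraded_arrays(text))
    lines = []
    for name, a in sorted(parse_mdstat(text).items()):
        status = "DEGRADED" if name in degraded else "OK"
        extra = f", {a['progress'][0]} {a['progress'][1]:.1f}%" if a["progress"] else ""
        lines.append(f"{name} {a['level']} {a['active']}/{a['expected']} {status}{extra}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MDSTAT)))
```

On a real host, feed `open("/proc/mdstat").read()` to `report()`; md2 in the sample is the case the grep loop misses, degraded with no recovery line because nothing has been re-added yet.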
88. (LINUX) LVM LVM: Logical Volume Manager (Linux LVM is modelled on HP-UX LVM) (Sun: SVM, Solaris Volume Manager, formerly Solstice DiskSuite)
A set of:
(Multiple) Physical Volumes PV (physical disks, partitions, RAID volumes or SAN units)
Volume Groups VG (a VG pools many PVs 'upward' and is carved into many LVs 'downward')
(Multiple) Logical Volumes LV (simply partitions on which a FS can be set)
Main useful feature: hot configuration – creation, extension, snapshots…
89. LVM REAL CASE EXAMPLE - 1 One Linux file system and a Linux swap, as two LVs in the same VG
[root@moscou-fed ~]# cat /etc/fstab
fs_spec fs_file vfstype fs_mntops fs_freq fs_passno
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
UUID=46916b32-…-b231142 /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VolGroup00/LogVol01 swap swap defaults 0 0
Boot partition on first partition of sda, another physical disk partition sdb5 mounted on /media
[root@moscou-fed ~]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 36736600 3032376 33331436 9% /
/dev/sda1 194442 28192 156211 16% /boot
tmpfs 370620 76 370544 1% /dev/shm
/dev/sdb5 19354752 518808 17852768 3% /media
(shm = shared memory, devpts = pseudo-terminals, sysfs = virtual device tree exported by the kernel,
proc = special files which represent the current state of the kernel – do cat /proc/meminfo for example)
90. LVM REAL CASE EXAMPLE - 2 Finally, the LVM configuration shows two LVs in one VG, itself using only one PV (the second partition of sda).
[root@moscou-fed ~]# lvm
lvm> pvs
PV VG Fmt Attr PSize PFree
/dev/sda2 VolGroup00 lvm2 a- 37.06G 32.00M
lvm> vgs
VG #PV #LV #SN Attr VSize VFree
VolGroup00 1 2 0 wz--n- 37.06G 32.00M
lvm> lvs
LV VG Attr LSize Origin Snap% Move Log Copy% Convert
LogVol00 VolGroup00 -wi-ao 35.59G
LogVol01 VolGroup00 -wi-ao 1.44G
91. FILE SYSTEM - TYPES
93. BACKUP - 1 Old days: full backup of the system to tapes (restoring requires a system boot disk of exactly the same release)
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." – Linus Torvalds
Nowadays: mirroring of critical data files (on NAS, SAN with hot-swap disks); system duplication, clusters (geographically dispersed); snapshots (different concepts for LVM and for virtual machines)
The strategy is highly dependent on the actual case (front-end or back-end server)
What is to be backed up – if not everything: configuration files (/etc, /usr/local/etc, …); data (specific case of databases: SQL dumps or the vendor's own tools, since a raw copy of live database files is inconsistent)
93. BACKUP – 2 (*)
94. BACKUP - 3 Well-known high-level applications on Linux:
Amanda 2.6.1 (Jan 2009) – Advanced Maryland Automatic Network Disk Archiver. Uses Samba or native Windows VSS (Volume Shadow Copy Service) to back up Windows clients – http://www.amanda.org/
Bacula 2.4.4 (Jan 2009) – modular architecture (highly developed): admin workstation (tray monitor, command console), backup server (director daemon), database server (MySQL or other, for the catalogues), file server (file daemon) and storage server (connected to the backup device) – http://www.bacula.org/fr/
Well-known high-level applications on Unix (usually large network management suites that include at least a backup module):
IBM Tivoli
HP OpenView
BMC Patrol
95. TP1 - NTP
96. NTP - INTRODUCTION NTP: Network Time Protocol, for time synchronization of servers through the network
Uses the NTP protocol (UDP, port 123), formalized in IETF RFC 1305 (NTPv3): "NTP provides the mechanisms to synchronize time and coordinate time distribution in a large, diverse internet operating at rates from mundane to lightwave."
[antoine@magfed ~]$ egrep "^ntp" /etc/services
ntp 123/tcp
ntp 123/udp # Network Time Protocol
Stratum concept: "…the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level."
Three operating modes: client/server – the client polls the server; symmetric active/passive – two peers synchronize each other; broadcast/multicast – the server pushes time to the subnet
Versions
[root@moscou-fed ~]# ntpq
ntpq> version
ntpq 4.2.4p6@1.1549-o Mon Jan 12 14:07:32 UTC 2009 (1)
ntpq> ntpversion
NTP version being claimed is 2
97. NTP – PACKAGE - 1 Package is ntp-4.2.4p6-1.fc10.i386 – binary installation (Yum) :
[root@magfed ~]# rpm -qa | grep -i ntp
ntp-4.2.4p6-1.fc10.i386
From ntp.org, the current versions are:
Release Version Date
Production 4.2.4p6 2009/01/08
Release Candidate 4.2.4p7 2009/03/30
Development 4.2.5p161 2009/03/31
Update available? Probably not, but check…
[root@magfed ~]# yum check-update ntp-4.2.4p6-1.fc10.i386
Loaded plugins: refresh-packagekit
fedora | 2.8 kB 00:00
updates | 2.3 kB 00:00
updates/primary_db | 3.1 MB 00:02
… and to update
[root@magfed ~]# yum update ntp-4.2.4p6-1.fc10.i386
98. NTP – PACKAGE - 2 # rpm -ql ntp-4.2.4p6-1.fc10.i386
/etc/ntp.conf
/etc/ntp/crypto
/etc/ntp/crypto/pw
/etc/rc.d/init.d/ntpd
/etc/sysconfig/ntpd
/usr/bin/ntpstat
/usr/sbin/ntp-keygen
/usr/sbin/ntpd
/usr/sbin/ntpdc
/usr/sbin/ntpq
/usr/sbin/ntptime
/usr/sbin/tickadj
/usr/share/doc/ntp-4.2.4p6
[ -- LOT OF DOC OR MAN FILES -- ]
/var/lib/ntp
/var/lib/ntp/drift
/var/log/ntpstats
# tree -aF /etc/ntp*
/etc/ntp
|-- crypto/
| `-- pw
|-- keys
|-- ntpservers
`-- step-tickers
/etc/ntp.conf [error opening dir]
1 directory, 4 files
# ldd /usr/sbin/ntpd
linux-gate.so.1 => (0x009d5000)
libm.so.6 => /lib/libm.so.6 (0x00a29000)
libcrypto.so.7 => /lib/libcrypto.so.7 (0x00110000)
libcap.so.2 => /lib/libcap.so.2 (0x0025e000)
librt.so.1 => /lib/librt.so.1 (0x00c39000)
libc.so.6 => /lib/libc.so.6 (0x00263000)
/lib/ld-linux.so.2 (0x006cb000)
libdl.so.2 => /lib/libdl.so.2 (0x003d7000)
libz.so.1 => /lib/libz.so.1 (0x003dc000)
libpthread.so.0 => /lib/libpthread.so.0 (0x003f3000)
99. NTP – COMMANDS - 1 Start (obvious), stop (obvious), status
[antoine@magfed ~]$ /etc/init.d/ntpd status
ntpd (pid 2122) is running...
[root@moscou-fed ~]# ps -ef | egrep "[U]ID|[n]tp"
UID PID PPID C STIME TTY TIME CMD
ntp 2288 1 0 13:56 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
Actual status – you may have seen some problems within a VM (virtual clocks drift more than ntpd tolerates):
[root@moscou-fed ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
+farnsworth.1270 131.188.3.223 2 u 336 1024 377 11.417 4.163 0.259
*ns1.azuria.net 193.67.79.202 2 u 901 1024 377 9.586 9.058 1.761
+crush.bmconseil 91.121.20.142 3 u 882 1024 377 9.759 3.963 73.903
Where :
+ denotes a candidate peer, kept by the clustering algorithm and combined into the clock
* (star) denotes the system peer, the one the clock is synchronized to (other tally codes: - outlier, x falseticker, # good but surplus, space = rejected or unreachable)
t: peer type (u = unicast); st: stratum; poll: polling interval in seconds; reach: reachability register in octal (377 = 8 of the last 8 polls answered); delay, offset and jitter in ms
100. NTP – COMMANDS - 2 ntpq – standard NTP query program
ntpq> help
ntpq commands:
addvars debug lopeers passociations rl associations delay lpassociations passwd rmvars authenticate exit lpeers peers rv cl help mreadlist poll showvars clearvars host mreadvar pstatus timeout clocklist hostnames mrl quit version clockvar keyid mrv raw writelist cooked keytype ntpversion readlist writevar
ntpdc – special NTP query program
ntpdc> help
ntpdc commands:
addpeer controlkey fudge keytype quit timeout addrefclock ctlstats help listpeers readkeys timerstats addserver debug host loopinfo requestkey traps addtrap delay hostnames memstats reset trustedkey authinfo delrestrict ifreload monlist reslist unconfig broadcast disable ifstats passwd restrict unrestrict clkbug dmpeers iostats peers showpeer untrustedkey clockstat enable kerninfo preset sysinfo version clrtrap exit keyid pstats sysstats
101. NTP – CONFIGURATION - 1 # Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
102. NTP – CONFIGURATION - 2 restrict default ignore
restrict -6 default ignore
restrict 192.168.10.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery
restrict 192.168.2.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
restrict -6 ::1
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
103. NTP – LOG TRACE tail -f /var/log/messages | grep ntp
Apr 9 07:32:22 magfed ntpd[2122]: time reset +0.234766 s
Apr 9 07:32:22 magfed ntpd[2122]: kernel time sync status change 0001
Apr 9 07:37:27 magfed ntpd[2122]: synchronized to 91.121.19.179, stratum 2
Apr 9 07:40:36 magfed ntpd[2122]: synchronized to 193.48.168.130, stratum 2
[ STOP HERE ]
Apr 9 07:43:05 magfed ntpd[2122]: ntpd exiting on signal 15
[ START HERE ]
Apr 9 07:43:11 magfed ntpd[2576]: ntpd 4.2.4p6@1.1549-o Mon Jan 12 14:07:28 UTC 2009 (1)
Apr 9 07:43:11 magfed ntpd[2577]: precision = 2.585 usec
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #1 wildcard, ::#123 Disabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #2 eth0, fe80::a00:27ff:feac:77f7#123 Enabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #3 lo, ::1#123 Enabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #4 lo, 127.0.0.1#123 Enabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #5 eth0, 192.168.10.4#123 Enabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on routing socket on fd #22 for interface updates
Apr 9 07:43:11 magfed ntpd[2577]: kernel time sync status 0040
Apr 9 07:43:11 magfed ntpd[2577]: frequency initialized 16.601 PPM from /var/lib/ntp/drift
[ AFTER A WHILE ]
Apr 9 07:47:29 magfed ntpd[2577]: synchronized to 87.98.159.36, stratum 2
Apr 9 07:47:30 magfed ntpd[2577]: time reset +1.073432 s
Apr 9 07:47:30 magfed ntpd[2577]: kernel time sync status change 0001
104. NTP – NETWORK TRACE - 1 With tcpdump, on a refresh from a Windows client (Internet Time settings, Update now)
[root@moscou-fed ~]# tcpdump -i eth0 port ntp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:18:20.207873 IP 192.168.0.128.ntp > 192.168.0.1.ntp: NTPv3, Client, length 48
17:18:20.208009 IP 192.168.0.1.ntp > 192.168.0.128.ntp: NTPv3, Server, length 48
105. NTP – NETWORK TRACE - 2 Wireshark (capture filter "port ntp", as for tcpdump, or display filter "ntp"), trace exported to text format (displayed packets only)
No. Time Source Destination Protocol Info _
2337 10.597450 192.168.0.128 192.168.0.1 NTP NTP client
Network Time Protocol
Reference Clock Update Time: Apr 9, 2009 15:18:18.9180 UTC
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: Apr 9, 2009 15:19:53.9070 UTC
No. Time Source Destination Protocol Info _
2338 10.597562 192.168.0.1 192.168.0.128 NTP NTP server
Network Time Protocol
Flags: 0x1c
00.. .... = Leap Indicator: no warning (0)
..01 1... = Version number: NTP Version 3 (3)
.... .100 = Mode: server (4)
Peer Clock Stratum: secondary reference (3)
Peer Polling Interval: 10 (1024 sec)
Peer Clock Precision: 0.000001 sec
Root Delay: 0.0225 sec
Root Dispersion: 0.0547 sec
Reference Clock ID: 80.65.235.4
Reference Clock Update Time: Apr 9, 2009 15:08:28.7991 UTC
Originate Time Stamp: Apr 9, 2009 15:19:53.9070 UTC
Receive Time Stamp: Apr 9, 2009 15:19:55.2902 UTC
Transmit Time Stamp: Apr 9, 2009 15:19:55.2903 UTC
106. NTP – SECURITY - 1 NTP's own security (access control with restrict lines, authentication with keys)
Local firewall (block incoming NTP but let in the replies to our own requests; with broadcast or symmetric modes the unsolicited incoming packets must be allowed)
Use IP addresses instead of hostnames in the configuration (general rule: a security-relevant setting should not depend on DNS)
Set correct permissions on binaries, configuration files and logs (general rule); /etc/ntp/keys must be readable by root and the ntp user only
Secure access to the NTP administration commands (ntpdc/ntpq: noquery and nomodify in restrict lines, controlkey and requestkey)
Problem not solved:
[root@moscou-fed ~]# ps -ef | grep ntp
ntp 6511 1 0 21:18 ? 00:00:00 ntpd -I eth0 -u ntp:ntp -p /var/run/ntpd.pid -g
[root@moscou-fed ~]# netstat --inet -a | egrep "Proto|ntp"
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 10.8.0.3:ntp *:* (tun0)
udp 0 0 89-156-6-39.rev.num:ntp *:* (eth1)
udp 0 0 192.168.0.1:ntp *:* (eth0)
udp 0 0 localhost.localdomain:ntp *:* (lo0)
udp 0 0 *:ntp *:*
Even with option -I eth0 added in /etc/sysconfig/ntpd, all addresses are still bound:
OPTIONS="-I eth0 -u ntp:ntp -p /var/run/ntpd.pid -g"
The log trace of slide 103 gives the hint: ntpd marks its wildcard sockets "Disabled" but keeps them bound, so a netstat listing alone does not tell whether ntpd answers on an address. Check from another host on the interface you believe closed (ntpq -p or ntpdate -q against it), and enforce the restriction with the firewall and the restrict lines rather than trusting the listener list.
107. NTP – SECURITY - 2 Simple symmetric-key scheme:
In /etc/ntp/keys on both client and server (fields: key id, key type M = MD5 over an ASCII key, the key itself): 4 M shf49s
In /etc/ntp.conf on both client and server: trustedkey 4
In /etc/ntp.conf on the client: server 192.168.0.1 key 4
If the key is invalid on the client side, for example (refid .AUTH. and stratum 16 mean the server is rejected, not unreachable):
[root@moscou-fed ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
192.168.0.1 .AUTH. 16 u - 64 0 0.000 0.000 0.000
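The two ntpq -p billboards of slides 99 and 107 are what an operator reads to decide whether a host is healthy; the tally column, the octal reach register and the .AUTH. refid each encode one condition. The following is an added example, not code from the course or from ntpq: it parses both tables (constructed from the slides' output) and returns the problems a monitoring check would raise, with the .AUTH. case handled separately from plain unreachability.

```python
"""Parse the 'ntpq -p' peer billboard and flag unhealthy peers.

Added example, not ntpq's code. Tally meanings are those of ntpq's peer
display; the 128 ms offset threshold is ntpd's default step threshold.
Both billboards are constructed from the slides' output.
"""

HEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+farnsworth.1270 131.188.3.223    2 u  336 1024  377   11.417    4.163   0.259
*ns1.azuria.net  193.67.79.202    2 u  901 1024  377    9.586    9.058   1.761
+crush.bmconseil 91.121.20.142    3 u  882 1024  377    9.759    3.963  73.903
"""

AUTH_FAILED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.0.1     .AUTH.          16 u    -   64    0    0.000    0.000   0.000
"""

TALLY = {
    "*": "system peer (synchronized to)",
    "+": "candidate, combined into the clock",
    "-": "outlier, discarded by the clustering algorithm",
    "x": "falseticker, discarded by the selection algorithm",
    "#": "good but surplus (more than six candidates)",
    "o": "PPS peer",
    " ": "rejected: unreachable, not yet polled, or failed a sanity check",
}

def parse_billboard(text):
    """Return one dict per peer line; the first character is the tally code."""
    peers = []
    for line in text.splitlines()[2:]:            # skip header and separator
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        remote, refid, st, t, when, poll, reach = fields[:7]
        delay, offset, jitter = map(float, fields[7:10])
        peers.append({
            "tally": tally, "remote": remote, "refid": refid,
            "stratum": int(st), "type": t, "when": when, "poll": int(poll),
            "reach": int(reach, 8),                # 8-bit shift register printed in octal
            "delay": delay, "offset": offset, "jitter": jitter,
        })
    return peers

def reach_count(reach):
    """How many of the last eight polls were answered (377 octal -> 8)."""
    return bin(reach).count("1")

def problems(text):
    """Human-readable problems; an empty list means the billboard looks healthy."""
    peers = parse_billboard(text)
    out = []
    if not any(p["tally"] == "*" for p in peers):
        out.append("no system peer selected: the clock is not synchronized")
    for p in peers:
        if p["refid"] == ".AUTH.":
            out.append(f"{p['remote']}: authentication failed (key mismatch or key id not trusted)")
            continue                               # reach 0 is a consequence, not a second problem
        if p["stratum"] == 16:
            out.append(f"{p['remote']}: stratum 16, peer unsynchronized or unreachable")
        if reach_count(p["reach"]) < 8:
            out.append(f"{p['remote']}: only {reach_count(p['reach'])}/8 recent polls answered")
        if abs(p["offset"]) > 128.0:
            out.append(f"{p['remote']}: offset {p['offset']} ms exceeds the 128 ms step threshold")
    return out
```

Run it on the output of `ntpq -pn` (numeric addresses keep the remote column from being truncated); an .AUTH. entry on a freshly configured client is almost always a key id present on one side and missing from the other's trustedkey line.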
108. NTP – SECURITY - 3 No. Time Source Destination Protocol Info _
2148 21.837346 192.168.0.135 192.168.0.1 NTP NTP client
...
Network Time Protocol
...
Reference Clock ID: 192.168.0.1
Reference Clock Update Time: Apr 9, 2009 19:55:06.0316 UTC
Originate Time Stamp: Apr 9, 2009 19:56:10.0764 UTC
Receive Time Stamp: Apr 9, 2009 19:56:10.0317 UTC
Transmit Time Stamp: Apr 9, 2009 19:57:16.0300 UTC
Key ID: 00000004
Message Authentication Code: 931D66E8C3E8DD1E6C0A4A077BB8CA20
No. Time Source Destination Protocol Info _
2149 21.837498 192.168.0.1 192.168.0.135 NTP NTP server
...
Network Time Protocol
...
Reference Clock ID: 88.191.77.246
Reference Clock Update Time: Apr 9, 2009 19:48:48.8906 UTC
Originate Time Stamp: Apr 9, 2009 19:57:16.0300 UTC
Receive Time Stamp: Apr 9, 2009 19:57:16.0719 UTC
Transmit Time Stamp: Apr 9, 2009 19:57:16.0720 UTC
Key ID: 00000004
Message Authentication Code: 1ACB85DBA718FD9843ABD2C2FAFB6BD7
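The trace shows the only two things symmetric-key authentication adds to a packet: a 4-byte Key ID and a 16-byte MAC. What the MAC covers and how the receiver decides to trust it is easier to see in code than in a dissector. The following is an added example, not code from the course or from ntpd: it builds a constructed 48-byte NTPv3 client header, signs it with the '4 M shf49s' key of slide 107 the way ntpd does (MD5 over the key followed by the header), and verifies it with the checks that produce the .AUTH. rejection when they fail.

```python
"""Build, sign and verify an NTP packet with ntpd's symmetric-key scheme.

Added example, not ntpd's code. Assumptions: key 4 is the '4 M shf49s'
line from the slide's /etc/ntp/keys (type M = MD5 over an ASCII key),
'trustedkey 4' is configured, and the header is a constructed NTPv3
client request. MAC = Key ID (4 bytes) + MD5(key || 48-byte header).
"""
import hashlib
import hmac
import struct

KEYS = {4: b"shf49s"}           # /etc/ntp/keys: id 4, type M, key (constructed)
TRUSTED = {4}                   # trustedkey 4 in ntp.conf

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_LEN, KEYID_LEN, MD5_LEN = 48, 4, 16

def ntp_timestamp(unix_time):
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)

def build_client_packet(transmit_time):
    """48-byte NTPv3 client header: LI=0, VN=3, Mode=3, everything else zero."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)   # stratum, poll, precision
    header += struct.pack("!II", 0, 0)                   # root delay, root dispersion
    header += b"\x00" * 4                                # reference id
    header += b"\x00" * 24                               # reference, originate, receive timestamps
    header += ntp_timestamp(transmit_time)               # transmit timestamp
    return header

def append_mac(header, key_id):
    """Append Key ID (big-endian) + MD5(key || header), as seen in the trace."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest

def verify_mac(message):
    """Return (ok, reason) with the checks ntpd applies before trusting a packet."""
    if len(message) != HEADER_LEN + KEYID_LEN + MD5_LEN:
        return False, "no MAC or unexpected length"
    header = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + KEYID_LEN])[0]
    mac = message[HEADER_LEN + KEYID_LEN:]
    if key_id not in TRUSTED:
        return False, f"key id {key_id} not in trustedkey"   # the .AUTH. case on the client
    if key_id not in KEYS:
        return False, f"key id {key_id} unknown"
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "MAC mismatch (wrong key or tampered packet)"
    return True, "ok"

if __name__ == "__main__":
    signed = append_mac(build_client_packet(1239306000.5), 4)
    print(len(signed), "bytes,", verify_mac(signed))
```

Note what this scheme does and does not give: it binds the packet to a shared secret, so a spoofed or modified reply is rejected, but the key is a plain shared secret on both hosts, which is why /etc/ntp/keys must stay mode 600 and why MD5 here is a keyed digest rather than an HMAC.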
109. NTP - REFERENCES IETF NTP related RFC :http://www.ietf.org/rfc/rfc1305.txt?number=1305
NTP home site :http://www.ntp.org/
Public NTP servers list: http://support.ntp.org/bin/view/Servers/WebHome
110. SYSTEM HARDENING SECURITY POLICY
PAM
CHROOTING
APACHE CHROOTING EXAMPLE
KERBEROS
111. SECURITY POLICY Concept of hardening
Concept of security policy
GNU/Linux Fedora – Sécurité, chapter 7
Unix and Linux Security Checklist v3.0 – AusCERT, http://www.auscert.org.au
112. HOW TO SECURE A SYSTEM Physical
Disk : partitioning (/, /boot, /var, /home)
File system : mount securely (noexec, ro,..)
GRUB configuration
Update software
Remove the compilers, or at least restrict them (chmod 700 on gcc): an attacker should not find a compiler on a production server
Remove unused packages (rpm -e <package>, but mind the dependencies)
Disable interactive init startup (/etc/sysconfig/init, PROMPT=no)
Disable unused services ( [x]inetd configuration, /etc/rcX.d, chkconfig, services GUI)
Define umask in profile system file
SELinux – mandatory access control in the kernel, enabled by default on Fedora; we'll see that later on
Remove unused users (especially guest-type accounts such as nobody – but beware of the actual owners of files!)
… See chapter 7 of the recommended ENI book
IT IS ALL ABOUT WHAT HAS BEEN SHOWN FROM START TO END OF THIS COURSE
113. PAM - 1 PAM is a configurable mechanism that lets the system authenticate users independently from the programs or services
PAM = Pluggable Authentication Modules
PAM components: PAM-aware services (login, passwd, sshd…); modules (libraries .so in /lib/security) that perform the authentication-related tasks – development work; per-service stack configuration (/etc/pam.conf, or one file per service in /etc/pam.d/) – this is where the sysadmin chooses and orders the modules; per-module configuration data (/etc/security/*.conf, e.g. access.conf, limits.conf, time.conf) – this is where the sysadmin sets each module's policy
114. PAM - 2 Type values (management groups)
auth: authenticates the user (typically by prompting for a password) and can set credentials
account: non-authentication account management – is the account allowed now (time of day, maximum logged-in users, expired account)
password: updates the authentication token (password) associated with the user
session: tasks to be done before or after the session (logging, mounting directories, resource limits)
Control values
required: a failure makes the final result a failure, but the remaining modules still run (so the user gets no hint about which one failed)
requisite: a failure returns failure immediately; the remaining modules do not run
sufficient: a success returns success immediately, provided no earlier required module has failed; a failure is ignored and the stack continues
optional: its result only counts if it is the only module of the stack for that type
include: includes the stack of the named configuration file (e.g. system-auth) at this point
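The difference between the control values only shows when several modules fail or succeed in combination. The following is an added example, not code from the course or from Linux-PAM: it simulates how one stack is evaluated, using the login stack of the next slide as data, and makes visible the two points that matter in practice: a required failure is remembered but still lets the later modules run (so the password is still asked), while a requisite failure stops the stack, and a sufficient success cannot override a required failure that came before it. The module name pam_example_token.so is made up for the illustration.

```python
"""Simulate how Linux-PAM combines the results of one module stack.

Added example, not Linux-PAM's code; the control semantics follow pam.d(5)
for the four simple keywords. A stack is a list of (control, module, result)
triples: result is True for PAM_SUCCESS, False for any failure.
"""

def run_stack(stack):
    """Return (verdict, executed): verdict 'success' or 'failure', executed = modules run."""
    executed = []
    required_failed = False
    optional_result = None
    for control, module, ok in stack:
        executed.append(module)
        if control == "requisite":
            if not ok:
                return "failure", executed        # stop at once: later modules never run
        elif control == "required":
            if not ok:
                required_failed = True            # remembered, but the stack keeps going
        elif control == "sufficient":
            if ok and not required_failed:
                return "success", executed        # enough: the rest of the stack is skipped
            # a failing sufficient module is simply ignored
        elif control == "optional":
            optional_result = ok                  # only matters if nothing else decides
        else:
            raise ValueError(f"unknown control {control!r}")
    if required_failed:
        return "failure", executed
    if any(c in ("required", "requisite") for c, _, _ in stack):
        return "success", executed                # every required/requisite module passed
    if optional_result is not None:
        return ("success" if optional_result else "failure"), executed
    return "failure", executed                    # only sufficient modules, none succeeded

# root logging in from a tty not listed in /etc/securetty: pam_securetty fails.
# With 'required' the password is still asked and checked (no hint to the attacker);
# with 'requisite' the stack stops before pam_unix runs.
LOGIN_REQUIRED = [
    ("required", "pam_securetty.so", False),
    ("required", "pam_unix.so", True),
    ("required", "pam_nologin.so", True),
]
LOGIN_REQUISITE = [
    ("requisite", "pam_securetty.so", False),
    ("required", "pam_unix.so", True),
    ("required", "pam_nologin.so", True),
]
# 'sufficient' short-circuits the stack: a successful first factor skips the password
# (pam_example_token.so is a made-up module name).
TOKEN_THEN_PASSWORD = [
    ("sufficient", "pam_example_token.so", True),
    ("required", "pam_unix.so", False),
]
# ...but 'sufficient' cannot rescue an earlier failed 'required' module.
REQUIRED_THEN_SUFFICIENT = [
    ("required", "pam_securetty.so", False),
    ("sufficient", "pam_example_token.so", True),
]
```

This is why the order of lines in a pam.d file is part of the policy: a sufficient module placed before a required one bypasses it, and a required one placed first can never be bypassed.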
115. PAM - 3 #%PAM-1.0
# root can connect as defined in /etc/securetty
auth required pam_securetty.so
# prompt password (maybe in /etc/shadow) ; empty password authorized
auth required pam_unix.so shadow nullok
# controls if /etc/nologin exists (if so, only root can connect)
auth required pam_nologin.so
# check account permissions (expired password ?)
account required pam_unix.so
# if password expired, ask a new one, check against dicts., max 3 times
password required pam_cracklib.so retry=3
# effective change of password – from previous pam_unix.so invocation
password required pam_unix.so shadow nullok use_authtok
# log in /var/log/messages
session required pam_unix.so
116. CHROOTING Chrooting is changing the root directory of the calling process. The application is put in a jail: if compromised, it only sees the jail's file tree. Caveat: chroot is not a security boundary against root – a process that keeps root privileges inside the jail can escape it, so the service must drop to an unprivileged user once chrooted
Chrooting can be compared to OS-level virtualisation as a less advanced technique (Sun containers/zones; Xen, often cited alongside, is a hypervisor, a different thing)
Traditionally used to secure web (Apache) or DNS (BIND) servers
The next example is the opportunity to examine some Apache security measures (compilation, modules, UID, configuration) as well as the usage of advanced commands (ldd, strings, strace, mknod)
117. APACHE REQUISITES The idea is to offer a web service on FE (front-end) servers. Static pages only, but high performance and security – no PHP, JSP or CGI; all of that is handled by hidden BE (back-end) servers
Name-based virtual hosting – only one server IP but as many hosts as virtual servers
Basic access control – based on the client IP address
The server must be hardened: it must offer only the web and management services (SSH, SNMP, ...)
Apache should be compiled in place, for performance and security purposes
Only the useful modules loaded in Apache, statically compiled – as opposed to shared modules
The server must run with its own UID/GID
Chrooting is a good solution here: it puts Apache in a jail from which an attacker who compromises httpd (running unprivileged) cannot reach the rest of the system
118. APACHE INSTALLATION Download latest Apache sources from http://httpd.apache.org/
$ cp httpd-2.2.11.tar.gz /usr/src/. # Probably home directory !
$ gunzip httpd-2.2.11.tar.gz
$ tar xvf httpd-2.2.11.tar
$ cd httpd-2.2.11
Create makefiles by disabling most modules
$ ./configure --disable-actions --disable-alias \
--disable-asis --disable-autoindex --disable-cgi \
--disable-cgid --disable-charset-lite --disable-env \
--disable-imagemap --disable-include --disable-negotiation \
--disable-setenvif --disable-userdir
$ make
Installation as root
# umask 022
# make install
# chown -R root:root /usr/local/apache2
119. APACHE CHROOTING - 1 Creating the jail directories
# mkdir -p /chroot/httpd/dev
# mkdir -p /chroot/httpd/etc
# mkdir -p /chroot/httpd/lib
# mkdir -p /chroot/httpd/usr/local/apache2/bin
# mkdir -p /chroot/httpd/usr/local/apache2/lib
# mkdir -p /chroot/httpd/usr/local/apache2/logs
# mkdir -p /chroot/httpd/usr/local/apache2/conf
# mkdir -p /chroot/httpd/usr/local/apache2/htdocs
# chown -R root:root /chroot
# chmod -R 0755 /chroot
Special device /dev/null – the only device node httpd needs
# ls -als /dev/null
# mknod /chroot/httpd/dev/null c 1 3
# chown root:root /chroot/httpd/dev/null
# chmod 666 /chroot/httpd/dev/null
Looking for the required libraries (ldd may execute the binary it inspects, so run it on trusted binaries only)
# ldd /usr/local/apache2/bin/httpd
# strings /usr/local/apache2/bin/httpd | grep lib
# strace /usr/local/apache2/bin/httpd 2>&1 | grep open # Fedora
# truss /usr/local/apache2/bin/httpd 2>&1 | grep open # Solaris
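Reading ldd output by eye and typing one cp per library, as the next slide does, is where jails end up with a missing or stale library. The following is an added example, not code from the course: it turns an ldd listing into the list of files the jail needs, skipping the vDSO entry that has no file and reporting libraries ldd could not resolve. The sample is the ldd listing of ntpd shown on slide 98, plus one constructed "not found" line to exercise that path; the httpd listing is processed the same way.

```python
"""Turn 'ldd' output into the list of files a chroot jail needs.

Added example, not from the course. SAMPLE_LDD is the ntpd listing of
slide 98 with one constructed 'not found' line added. Nothing is copied:
jail_copy_plan() only computes (source, destination) pairs.
"""
import os

SAMPLE_LDD = """\
\tlinux-gate.so.1 =>  (0x009d5000)
\tlibm.so.6 => /lib/libm.so.6 (0x00a29000)
\tlibcrypto.so.7 => /lib/libcrypto.so.7 (0x00110000)
\tlibcap.so.2 => /lib/libcap.so.2 (0x0025e000)
\tlibc.so.6 => /lib/libc.so.6 (0x00263000)
\t/lib/ld-linux.so.2 (0x006cb000)
\tlibmissing.so.1 => not found
"""

def parse_ldd(output):
    """Return (libraries, missing): absolute paths to copy, and unresolved names.

    The vDSO (linux-gate.so.1 / linux-vdso.so.1) is mapped by the kernel and
    has no file, so it is skipped; the dynamic loader line has no '=>' arrow.
    """
    libs, missing = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=>" in line:
            name, target = (part.strip() for part in line.split("=>", 1))
            if target.startswith("not found"):
                missing.append(name)
                continue
            if target.startswith("("):              # "linux-gate.so.1 =>  (0x...)": vDSO
                continue
            libs.append(target.split(" (", 1)[0].strip())
        else:                                       # "/lib/ld-linux.so.2 (0x...)"
            libs.append(line.split(" (", 1)[0].strip())
    return libs, missing

def jail_copy_plan(output, jail="/chroot/httpd"):
    """(source, destination) pairs; the destination keeps the original directory layout."""
    libs, _ = parse_ldd(output)
    return [(path, os.path.join(jail, path.lstrip("/"))) for path in libs]

if __name__ == "__main__":
    for src, dst in jail_copy_plan(SAMPLE_LDD):
        print(f"cp -p {src} {dst}")
    print("missing:", parse_ldd(SAMPLE_LDD)[1])
```

The printed cp lines are the ones the next slide types by hand; a non-empty missing list means the binary will not even start outside the jail, so fix that first.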
120. APACHE CHROOTING - 2 Copying the library files to the jail – some are missing, see commands.txt
# cp -p /usr/local/apache2/bin/httpd /chroot/httpd/usr/local/apache2/bin/.
# cp -p /lib/libm.so.6 /chroot/httpd/lib/.
# cp -p /usr/local/apache2/lib/libaprutil-1.so.0 /chroot/httpd/usr/local/apache2/lib/.
# cp -p /usr/local/apache2/lib/libexpat.so.0 /chroot/httpd/usr/local/apache2/lib/.
# cp -p /usr/local/apache2/lib/libapr-1.so.0 /chroot/httpd/usr/local/apache2/lib/.
# cp -p /lib/librt.so.1 /chroot/httpd/lib/.
# cp -p /lib/libcrypt.so.1 /chroot/httpd/lib/.
# cp -p /lib/libpthread.so.0 /chroot/httpd/lib/.
# cp -p /lib/libdl.so.2 /chroot/httpd/lib/.
# cp -p /lib/libc.so.6 /chroot/httpd/lib/.
# cp -p /lib/ld-linux.so.2 /chroot/httpd/lib/.
Copying the system and application files to the jail – some are missing, see commands.txt
# cp -p /usr/local/apache2/conf/httpd.conf /chroot/httpd/usr/local/apache2/conf/.
# cp -p /usr/local/apache2/conf/mime.types /chroot/httpd/usr/local/apache2/conf/.
# cp -p /etc/hosts /chroot/httpd/etc/.
# cp -p /etc/resolv.conf /chroot/httpd/etc/.
# cp -p /etc/host.conf /etc/nsswitch.conf /chroot/httpd/etc/.
# cp -p /etc/group /chroot/httpd/etc/.
# cp -p /etc/passwd /chroot/httpd/etc/.
# Do NOT copy /etc/shadow: httpd never reads it, and a copy of the password hashes inside the jail is exactly what a compromise would hand to the attacker. The passwd and group copies are trimmed to the httpd user and group on the next slide.
# cp -p /usr/local/apache2/htdocs/* /chroot/httpd/usr/local/apache2/htdocs/.
121. FINAL CHROOTED-APACHE CONFIGURATION Apache in jail should work now...
This is the last step, configuration and tuning:
Users and groups clean-up: the jail's /etc/passwd and /etc/group keep only the apache user and group (remove all the others)
Network configuration tuning (/etc/hosts, /etc/nsswitch.conf, /etc/resolv.conf, ...)
Apache configuration: /chroot/httpd/usr/local/apache2/conf/httpd.conf
Apache content - web pages: /chroot/httpd/usr/local/apache2/htdocs/*
Apache startup script: adapt the one delivered with the sources so that it starts httpd inside the jail, place it in /etc/init.d/, then configure it at boot with the chkconfig command
Probably other things to do...
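The copy commands on slides 119 to 121 are done by hand, and the slides warn that "some are missing". The script below is an added example written for this page (it is not part of the course material nor of the Apache distribution): it derives the library list from ldd, copies every file into the jail under the same path, reports what ldd still cannot find inside the jail, and writes a passwd/group pair that contains only the account httpd drops privileges to. The jail root, the binary and the account name are parameters; the account name apache and the uid/gid 48 used when that account does not exist on the build host are assumptions.

```shell
#!/bin/sh
# Build the library part of a chroot jail from ldd output and create minimal
# account files. Added example for this page; JAIL, BINARY and USER are parameters.
set -eu

# Print every absolute path ldd reports for a binary (shared libraries plus the
# dynamic loader), one per line. Lines such as "linux-vdso.so.1" carry no path.
needed_paths() {
    ldd "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one file into the jail at the same path, creating the directories.
# cp -p (without -d) dereferences symlinks, so libc.so.6 -> libc-2.x.so lands
# in the jail as a real file named libc.so.6, which is what the loader looks for.
copy_into_jail() {
    jail=$1 src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Copy a binary and all of its libraries into the jail; print the number of files copied.
jail_program() {
    jail=$1 bin=$2 n=0
    copy_into_jail "$jail" "$bin"; n=$((n + 1))
    for p in $(needed_paths "$bin"); do
        copy_into_jail "$jail" "$p"; n=$((n + 1))
    done
    echo "$n"
}

# List the libraries ldd wants that are not present in the jail; return 1 if any.
jail_missing() {
    jail=$1 bin=$2 missing=0
    for p in $(needed_paths "$bin"); do
        [ -e "$jail$p" ] || { echo "missing in jail: $p"; missing=1; }
    done
    return $missing
}

# Minimal /etc/passwd and /etc/group: one account only, never /etc/shadow.
# Falls back to an assumed uid/gid (48, the usual apache id on Fedora) when the
# account does not exist on the build host.
jail_accounts() {
    jail=$1 user=${2:-apache} id=${3:-48}
    mkdir -p "$jail/etc"
    grep "^$user:" /etc/passwd > "$jail/etc/passwd" \
        || echo "$user:x:$id:$id::/:/sbin/nologin" > "$jail/etc/passwd"
    grep "^$user:" /etc/group > "$jail/etc/group" \
        || echo "$user:x:$id:" > "$jail/etc/group"
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
}

# Usage: sh build-jail.sh /chroot/httpd /usr/local/apache2/bin/httpd [apache]
if [ $# -ge 2 ]; then
    jail_program "$1" "$2"
    jail_missing "$1" "$2"
    jail_accounts "$1" "${3:-apache}"
fi
```

Run it as root with the jail root and the httpd binary; jail_missing catches the "some are missing" case before the first start. Files opened only at run time (DSO modules, configuration, htdocs) are not seen by ldd and still have to be added as shown with strace/truss on slide 119.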
122. KERBEROS MIT project that encrypts the transactions of adapted applications - "kerberized applications" like telnet, FTP, ...
Clients are authenticated to kerberized services with tickets
The KDC (Key Distribution Center) has two parts: the Authentication Service first validates the user (symmetric encryption with a key derived from the password) and returns a Ticket Granting Ticket; the authenticated client then presents this TGT to the TGS (Ticket Granting Service), which delivers a service ticket for each given application
Kerberos needs time synchronization (NTP) and DNS services - tickets carry timestamps and are refused when clocks drift too far apart
Pros: the usual historical services do not encrypt their transactions - clear-text password, and the rest of the session as well - Kerberos resolves this issue
Cons: no direct use of the Unix user databases; PAM integration not complete; applications must be redesigned
The whole system may be compromised:
- if the KDC/TGS server is compromised (it must not be exposed to an insecure network)
- if not all services are kerberized (the remaining ones still send the same password unprotected)
OpenSSH is probably the alternative
123. INFO RELATED TO TP 2: VIRTUALBOX 2.2.0 Do not upgrade VirtualBox from 2.1.4 to 2.2.0 (April 2009) due to problems with Solaris and OpenSolaris guests - memory crash - (but also with Windows?)
If already done, uninstall it (from the Windows Control Panel) and reinstall 2.1.4 (on the web site, it can be found under Other Builds); finally, rename the files:
\Users\<user>\.VirtualBox\VirtualBox.xml.1.6-windows.bak into \Users\<user>\.VirtualBox\VirtualBox.xml
and
\Users\<user>\.VirtualBox\Machines\<VM>\<VM>.xml.1.6-windows.bak into \Users\<user>\.VirtualBox\Machines\<VM>\<VM>.xml
124. INFO RELATED TO TP 2: SOLARIS INSTALLATION Important notes related to Solaris installation
During installation, select Custom Install (instead of Default Install)
If disk space is limited (less than 30 GB) choose the End User Group distribution - but be prepared to install some other packages; if not, choose the full distribution
No modification should be done to the partition (Solaris must use the full available space)
BUT the file system layout should be close to:
/export/home   must be removed (by default it is very large)
swap           default 512 MB - can be raised
/var           5 GB or more
/              the remaining space (15 GB or more)
125. INFO RELATED TO TP 2: SOLARIS NETWORK CONFIGURATION # cat /etc/hostname.e1000g0     # Admin interface
magsol
# cat /etc/hostname.e1000g1     # Traffic interface
magsol1
# cat /etc/nodename
magsol
# cat /etc/netmasks
192.168.10.0 255.255.255.0
192.168.11.0 255.255.255.0
# cat /etc/hosts
::1 localhost
127.0.0.1 localhost loghost
192.168.10.55 magsol.aviler.net magsol
192.168.11.55 magsol1.aviler.net magsol1
# mv /etc/dhcp.e1000g0 /etc/_dhcp.e1000g0
# cp /etc/nsswitch.dns /etc/nsswitch.conf
# cat /etc/defaultrouter
192.168.10.1
Part of this configuration (highlighted in red on the original slide) is done to avoid the following annoying messages, which relate to the loghost alias and to the qualified host name in /etc/hosts:
# cat /var/adm/messages
...
Apr 28 11:54:11 unknown syslogd: line 24: WARNING: loghost could not be resolved
...
Apr 28 11:54:12 unknown sendmail[1166]: [ID 702911 mail.crit] My qualified host name (unknown) unknown; sleeping for retry
Apr 28 11:54:12 unknown sendmail[1166]: [ID 702911 mail.crit] unable to qualify my own domain name (unknown) -- using short name
126. INFO RELATED TO TP 2: SOLARIS PACKAGE INSTALLATION Either mount the Solaris DVD or Companion CD ISO files with VirtualBox, and
# cd /cdrom/sol_10_1008_x86/Solaris_10/Product
# cd /cdrom/s10_1008_software_companion/Solaris_Software_Companion/Solaris_i386/Packages
# ls | grep -i <package-name-short-identifier>
# ls | egrep -i 'man|doc'
...
SUNWman
SUNWdoc
...
# pkgadd -d . SUNWman SUNWdoc
Or, download packages from SunFreeware ( http://www.sunfreeware.com/ ), check them against the checksums published on the site, and copy them with their dependent packages into /var/spool/pkg
# cd /var/spool/pkg ; gunzip *.gz
# pkgadd -d <pkg>
Rem: SUNWxxx => installation into /
     SFWxxx  => installation into /opt/sfw
     SMCxxx  => installation into /usr/local
127. INFO RELATED TO TP 2: SOME REFERENCES This is a sample of reference websites. There are many others.
Some are OS dependent (Solaris or Fedora) but may contain the main Unix concepts.
SunFreeware http://www.sunfreeware.com/
BigAdmin http://www.sun.com/bigadmin/home/index.jsp
Solaris x86 FAQ http://www.sun.drydog.com/faq/
CERT http://www.cert.org/
AusCERT http://www.auscert.org.au/
Unix Security http://www.deter.com/unix/
Unix Tools http://www.unixtools.com/security.html
Documentation Sun http://docs.sun.com/
Checklist http://staff.washington.edu/dittrich/R870/security-checklist.html
Fedora security http://fedoraproject.org/wiki/Security
RedHat security http://tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/index.html
Apache security http://www.apacheweek.com/security/
Security tools http://sectools.org/
128. FIREWALLS INTRODUCTION
DMZ
PACKET FILTERING
APPLICATION PROXY
NAT
NETFILTER (IPTABLES)
IPFILTER
FIREWALLBUILDER
PROXY
129. INTRODUCTION Hardware or software: a commercial distinction more than a technical one?
Controls and possibly blocks traffic by analyzing OSI layers 3, 4 or 7
Multihomed machine - except for local (host) firewalls
Architecture concept: DMZ
Usually not mentioned, but it also protects the Internet from the inside networks (remember that most attacks come from inside)!
Used not only to prevent attacks but for centralized control or traffic audit - this can be discussed, a proxy is a better solution for that
Must not replace server-by-server or service-by-service protection (it is obviously a misconception to think that the firewall is the only security measure protecting a network)
BUT MOST IMPORTANT: a firewall can be crossed (think about port 22 or 80: anything can be tunneled through a port that is allowed)
NAT is often associated with firewalls; load balancing also
Packet filtering vs. application proxy - both may be seen as firewalls
Well-known vendors: Cisco, CheckPoint
Well-known open source: IpFilter, Netfilter (iptables)
Idea of the actual market: http://en.wikipedia.org/wiki/Comparison_of_firewalls
130. DMZ DeMilitarized Zone, Data Management Zone, DeMarcation Zone
Intermediate trust-level zone offered to the untrusted Internet, so that attackers reach it rather than the internal network
Sub-network that usually provides email, web or DNS services
Hosts in the DMZ cannot establish a connection to any host in the internal network, even though the DMZ also offers its services to internal hosts
DMZ architecture is built on the firewall - three-legged model (external, DMZ and internal interfaces) or dual-firewall architecture - with rules that forbid traffic initiated from the DMZ towards the internal network, the other flows being allowed
Compromise to make with web back-end (BE) databases: databases should not be installed in the DMZ (sensitive information) but the front-end (FE) web server in the DMZ needs to access the BE
Compromise to make with email servers: the email server should not be installed in the DMZ (sensitive information) but an email relay instead; the idea is to let the internal email server initiate the communication with the DMZ one
Forward proxy: internal hosts can access the Internet only through the DMZ proxy - for security, traffic control and cache reasons
Reverse proxy: adds more security for access to internal servers from outside - application layer, traffic shaping control
131. PACKETS FILTERING Filters IP packets based on: IP source address, IP destination address, transport protocol (TCP or UDP), port number
Due to IP address weakness (no authentication, a source address can be spoofed), packet filtering may be considered somewhat insecure (think about DHCP-allocated addresses: an address proves nothing about the host behind it)
PROS
Easy to implement
Low cost - at least for open-source software firewalls
Good performance
Transparent to users
CONS
Application level not analyzed:
- tunneling attack is the way to cross
- no authentication
- no content filtering
132. APPLICATION PROXY Specific to the application that must be filtered
PROS
Higher security
Application level is analyzed, so virtually all kinds of filtering (and more) are possible - authentication, access control, content-based filtering (decoding, statistics)
Highly centralized solution if all applications are filtered
CONS
Requires a specific and dedicated filter for each application/protocol
Difficult to manage - manageability depends on the solution (scriptable?)
High cost
Relatively low performance - when compared with packet filtering for the same number of services - but better suited to specific cases
The same level of security can perhaps be reached with a packet-filtering firewall and application-by-application hardening (?)
133. NAT Allows translating a number of internal host addresses into a small number of external routable addresses
Usually, an allocation is done for a limited amount of time - to be able to reallocate
Benefit: many internal hosts are shut down or will never route to the outside, so the exposed address block may be kept smaller than the actual number of inside addresses ...
... but issue: the non-routable IP source address may be embedded in the packet payload; this is the case of FTP, H.323, IRC, DNS, ICMP, SIP, ... ("dirty content" protocols). These protocols cannot pass through a NAT firewall unless it also rewrites the payload with a protocol-specific helper (e.g. the Netfilter conntrack/NAT helper modules for FTP)
NAT types
Static NAT: same number of outside and inside hosts
Dynamic NAT: smaller number of outside addresses than inside hosts
Static NAT with PAT: port address translation of a server port
Dynamic NAT with PAT: source port address translation (masquerading when only one external address is exposed)
Fortunately, IPv6 should operate without need of NAT:
"One of the promises of IPv6 is that the almost infinite number of addresses and the better (but not perfect) renumbering makes NAT unnecessary so it will once again be possible to deploy new applications without cumbersome workarounds or random failures that the widespread use of NAT imposes in today's IPv4. The Internet Engineering Task Force (IETF) has traditionally been highly critical of NAT, ..." (NAT in depth by Iljitsch van Beijnum - www.ipv6.com)
134. IMPORTANT CONCLUSIONS Is a firewall really necessary?
Let's examine packet filtering only first!
Why are we using it: because we want to be protected against insecure IP? No, OS and service-level configurations are far from enough!
BUT most probably because we don't want to send unwanted traffic over the Internet - or over the internal network, in case of an internal attack, for example: there is no other way to filter outgoing traffic!
=> a free firewall without an anti-spoofing rule is nonsense!
Now, if we think about application content or service filtering, then a proxy is necessary:
- Freeware: usually packet filtering only - can't be used for that
- Commercial: packet filtering and application proxy features, but very expensive (are they really used for that?)
- Finally, a dedicated proxy - based on a custom application or development - may be an alternative
Finally, a word about the distributed firewall concept
135. NETFILTER INTRODUCTION http://www.netfilter.org/
Packet filtering framework of the Linux kernel, configured with iptables (2.4.x, 2.6.x); successor of ipchains (2.2.x) and ipfwadm (2.0.x)
Stateless and stateful packet filtering for IPv4 and IPv6
Address and port translation (NAT/NAPT) for IPv4 only (at the time of this course)
Plugins/modules available
Netfilter concept definitions
target: action applied to the analyzed packet if the rule matches (ACCEPT, DROP, REJECT, LOG, or a jump to a user-defined chain)
chain: ordered set of rules evaluated in sequence (some are built-in: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING; others are user-defined)
policy: default target of a built-in chain, applied when no rule of the chain matches - usually ACCEPT or DROP
136. NETFILTER IMPLEMENTATION Startup script: /etc/init.d/iptables
General configuration: /etc/sysconfig/iptables-config
Logs: via syslog (kernel facility), i.e. /var/log/messages unless configured otherwise
Firewall rules saved in: /etc/sysconfig/iptables
BUT: when FirewallBuilder or another management tool is used, this file must not be modified (and must stay the minimal firewall rule set, proven to be functional and secure). FirewallBuilder creates a script that starts up autonomously; in any case, only the iptables-save command should be used to modify the saved file.
Commands: iptables -L, iptables-save, iptables-restore
137. MINIMAL LOCAL FIREWALL # iptables -L   (without -v the interface is not shown: the third INPUT rule below is the loopback rule "-i lo" of the saved file)
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
138. NETFILTER ARCHITECTURE
139. NETFILTER DIRECTIVES EXAMPLES $IPTABLES -P OUTPUT DROP # Default policies: drop whatever no rule accepts
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE # NAT
$IPTABLES -N In_RULE_0 # Anti-spoofing
$IPTABLES -A INPUT -i eth1 -s 192.168.0.0/24 -m state --state NEW -j In_RULE_0
$IPTABLES -A FORWARD -i eth1 -s 192.168.0.0/24 -m state --state NEW -j In_RULE_0
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0 -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -s 192.168.0.0/24 --dport 22 -m state --state NEW -j ACCEPT # SSH access to firewall
$IPTABLES -N Cid475AE6EA3506.0
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -s 192.168.0.0/24 --dport 22 -m state --state NEW -j Cid475AE6EA3506.0
$IPTABLES -A Cid475AE6EA3506.0 -d 192.168.0.1 -j ACCEPT
$IPTABLES -N Cid475AE6EA3506.1
$IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -s 192.168.0.0/24 --dport 22 -m state --state NEW -j Cid475AE6EA3506.1
$IPTABLES -A Cid475AE6EA3506.1 -d 192.168.0.1 -j ACCEPT
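The directives above are what FirewallBuilder generates; slide 133 describes masquerading and slide 134 insists on anti-spoofing. The script below is an added example written for this page (not FirewallBuilder's, Netfilter's or the course's own code): it builds the same kind of policy by hand for a two-interface gateway, in the iptables-save format used by /etc/sysconfig/iptables, and checks the two properties a reviewer looks for first: default DROP on every built-in chain and an anti-spoofing drop for private ranges on the Internet interface, in INPUT and in FORWARD. The interface names (eth0 towards the LAN, eth1 towards the Internet), the 192.168.0.0/24 LAN and the administration network allowed to SSH are parameters and assumptions.

```shell
#!/bin/sh
# Generate and check an iptables-restore rule set for a LAN/Internet gateway.
# Added example for this page; interface names and networks are parameters.
set -eu

# Source ranges that must never arrive from the Internet side: the RFC 1918
# blocks and loopback. Such a source on the WAN interface means a spoofed packet.
SPOOF_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# gen_gateway_rules LAN_IF WAN_IF LAN_NET [SSH_ADMIN_NET]
# Prints a complete *filter and *nat table in iptables-save format, loadable
# atomically with iptables-restore. Anti-spoofing comes before the state rule.
gen_gateway_rules() {
    lan_if=$1 wan_if=$2 lan_net=$3 admin_net=${4:-$3}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SPOOF - [0:0]
-A SPOOF -m limit --limit 5/min -j LOG --log-prefix "SPOOF DENY "
-A SPOOF -j DROP
EOF
    for net in $SPOOF_NETS; do
        echo "-A INPUT -i $wan_if -s $net -j SPOOF"
        echo "-A FORWARD -i $wan_if -s $net -j SPOOF"
    done
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $admin_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $wan_if -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# check_rules RULES WAN_IF
# Returns 0 when every built-in filter chain defaults to DROP and each spoofable
# range is sent to the SPOOF chain on the WAN interface in INPUT and FORWARD;
# prints the first failing property and returns 1 otherwise.
check_rules() {
    rules=$1 wan_if=$2
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP" \
            || { echo "policy of $chain is not DROP"; return 1; }
    done
    for net in $SPOOF_NETS; do
        for chain in INPUT FORWARD; do
            printf '%s\n' "$rules" | grep -q "^-A $chain -i $wan_if -s $net -j SPOOF" \
                || { echo "no anti-spoofing rule for $net in $chain"; return 1; }
        done
    done
    return 0
}

# Usage: sh gateway-rules.sh eth0 eth1 192.168.0.0/24 > rules.v4
if [ $# -ge 3 ]; then
    rules=$(gen_gateway_rules "$@")
    check_rules "$rules" "$2"
    printf '%s\n' "$rules"
fi
```

Load the generated file with iptables-restore rather than one iptables call per rule, so the whole set is applied atomically and a typo does not leave the host half-open; recent iptables versions accept iptables-restore --test to parse the file without committing it. The minimal policy of slide 137 (policy ACCEPT, no anti-spoofing) fails check_rules, which is the point of the check.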
140. FIREWALLBUILDER - 1 GUI firewall configuration and management tool that supports Netfilter (iptables), IpFilter, Cisco PIX and others
Runs on Linux, FreeBSD, OpenBSD, Mac OS X and Windows
A GUI is convenient (mandatory?) due to the complexity of:
- firewall rules creation,
- firewall management,
- firewall rules update and deployment
As an example, a firewall policy for a Linux network gateway machine with 2 wired Ethernet interfaces, 1 NAT, 1 WLAN access point interface, a VPN, and a dozen service-related rules (DHCP, DNS, NTP, SSH, HTTP, ...) leads to a set of 479 iptables directives.
Demonstrations are done, during the course, for managing:
- a Linux Fedora 10 firewall based on Netfilter (iptables)
- a Sun Solaris 10 firewall based on IpFilter
141. FIREWALLBUILDER - 2 Note the Standard policy and the User customizable policy
Create a firewall by clicking on the Firewall directory and the New menu
IMPORTANT: check and set the firewall properties: right-click on the firewall object, menu Edit. Then you can (re-)set Platform, Version, Host OS parameters, as well as Host OS Settings (Packet Forwarding, ICMP behavior, path of binaries) or Firewall Settings (Compiler, Installer, Prolog/Epilog, logging, script options, IPv6)
Note the rich rule options (depending on platform, here based on the Linux conntrack module): logging, rule limit, connlimit (limit on the number of connections), hashlimit (limit on the connection rate)
Issue related to installation authorization: SSH is used but root login is usually not allowed; sudo may be used as a workaround (preferable to enabling root login over SSH)
Issue related to execution at boot:
- by adding the service iptables save command (for iptables) into the epilog
- by creating a custom startup script - preferable, as the original minimal policy is not modified and your own firewall can then be disabled without losing the fallback
- many other ways to do it
See documentation: http://www.fwbuilder.org/
142. IPFILTER Main product site http://coombs.anu.edu.au/~avalon/
Excellent Sun documentation about IpFilter http://docs.sun.com/app/docs/doc/816-4554/ipfilter-admin-1?l=en&a=view&q=IPfilter
Specific kernel module - loadable (preferable), but it may also be statically linked
You can check on Solaris with the command modinfo | grep -i ipf
Comes as part of FreeBSD, NetBSD, Solaris 10, OpenSolaris - but runs on many others (Linux 2.4 - 2.6)
Packet filtering, IP options filtering (IP security), NAT, stateless, stateful
Supports 2 loadable rule sets - switchable (production - test)
143. IPFILTER IMPLEMENTATION Basics on Solaris:
IPv4 rule set          /etc/ipf/ipf.conf
IPv6 rule set          /etc/ipf/ipf6.conf
NAT config             /etc/ipf/ipnat.conf
Address pools          /etc/ipf/ippool.conf
Enabling filtering     # svcadm enable network/ipfilter
List actual rules      # ipfstat -io
Remove rules           # ipf -Fa
Disabling filtering    # svcadm disable network/ipfilter
Interesting features:
Adding/removing rules  # ipf, # ipnat
Testing (1)            # ipftest
Monitoring (1)         # ipmon
Packet generation (1)  # ipsend
Spoofing (1)           # ipresend (replays snoop or tcpdump dumps)
Testing again (1)      # iptest
(1) Unfortunately no binary package is available for Solaris, either from Sun or from SunFreeware; local compilation is required, but probably worthwhile...
144. IPFILTER ARCHITECTURE IN
|
V
+-------------------------+--------------------------+
| | |
| V |
| Network Address Translation |
| | |
| authenticated | |
| +-------<---------+ |
| | | |
| | V |
| V IP Accounting |
| | | |
| | V |
| | Fragment Cache Check--+ |
| | | | |
| V V V |
| | Packet State Check-->+ |
| | | | |
| | +->--+ | | |
| | | | V | |
| V groups Firewall check V |
| | | | | | |
| | +--<-+ | | |
| | | | |
| +---------------->|<-----------+ |
| | |
| V |
| +---<----+ |
| | | |
| function | |
| | V |
| +--->----+ |
| | |
| V |
+--|---<--- fast-route ---<--+ |
| | | |
| | V |
| +-------------------------+--------------------------+
| |
| pass only
| |
| V
V [KERNEL TCP/IP Processing]
| |
| +-------------------------+--------------------------+
| | | |
| | V |
| | Fragment Cache Check--+ |
| | | | |
| | V V |
| | Packet State Check-->+ |
| | | | |
| | V | |
V | Firewall Check | |
| | | V |
| | |<-----------+ |
| | V |
| | IP Accounting |
| | | |
| | V |
| | Network Address Translation |
| | | |
| | V |
| +-------------------------+--------------------------+
| |
| pass only
V |
+--------------------------->|
V
OUT
145. SIMPLE RULE SET IPFILTER EXAMPLE # ipfstat -io
pass out quick on lo0 proto icmp from any to any keep state
pass out quick on lo0 proto tcp from any to any keep state
pass out quick on lo0 proto udp from any to any keep state
pass out quick on lo0 from any to any
pass out quick on e1000g0 proto tcp from 192.168.10.0/24 to 192.168.10.55/32 port = ssh keep state
pass out quick on e1000g0 proto tcp from 192.168.10.0/24 to 192.168.11.55/32 port = ssh keep state
pass out log quick proto tcp from 192.168.10.55/32 to any port = domain keep state
pass out log quick proto tcp from 192.168.11.55/32 to any port = domain keep state
pass out log quick proto udp from 192.168.10.55/32 to any port = domain keep state
pass out log quick proto udp from 192.168.11.55/32 to any port = domain keep state
block out log quick from any to any
block out quick from any to any
block in log quick on e1000g1 from 192.168.10.55/32 to any
block in log quick on e1000g1 from 192.168.11.55/32 to any
pass in quick on lo0 proto icmp from any to any keep state
pass in quick on lo0 proto tcp from any to any keep state
pass in quick on lo0 proto udp from any to any keep state
pass in quick on lo0 from any to any
pass in quick on e1000g0 proto tcp from 192.168.10.0/24 to 192.168.10.55/32 port = ssh keep state
pass in quick on e1000g0 proto tcp from 192.168.10.0/24 to 192.168.11.55/32 port = ssh keep state
block in log quick from any to 192.168.10.55/32
block in log quick from any to 192.168.11.55/32
block in log quick from any to any
block in quick from any to any
146. IPFILTER ON SOLARIS First check the actual policy with:
# ipfstat -io
Should be empty...
Check with nmap for information (scan the target from another host before and after loading the rules, to see what is really reachable)
For now, root login will be permitted by setting in /etc/ssh/sshd_config: PermitRootLogin yes (lab shortcut for the FirewallBuilder installer only; revert it once the policy is installed)
The standard loopback interface must be renamed in the policy from lo to lo0
Set the correct paths of ipf and ipnat (/usr/sbin/ipf and /usr/sbin/ipnat) in the firewall Host OS settings
Take care that IpFilter is enabled first on the target - this can't be done in the prolog, as the compiled script begins by deleting the rules. Anyhow, a custom startup script (running the .fw script) should be written for loading the rules:
# svcadm enable ipfilter
Still a problem: ipf never gives control back to the Firewall Builder built-in installer...
147. PROXIES - 1 Requires the cooperation of the user's application - think about the web browser proxy configuration - this is a major drawback, as users want to use the latest applications, which may not support it
Added values of a proxy:
- can check that the traffic is really related to its port - on port 80, only real HTTP traffic is permitted
- authentication
- URL filtering
- cache (proxy vendors will claim higher performance?)
- a lot more...
BUT performance may decrease depending on the technology: highly configurable or convenient script-based solutions should be avoided and statically compiled software preferred - application dependent
To pass through a proxy, a client may use the SOCKS protocol (between the application and transport layers), which adds authentication, UDP support, remote name resolution and IPv6 (OpenSSH with -D and PuTTY are well-known SOCKS servers/clients) - generic proxies
Note: a proxy server's OS MUST be secured and the proxy must not be left open to everybody! Otherwise it serves an attacker for bouncing attacks that mask the originating IP source (but not always)
148. PROXIES - 2 Most well-known free software
Apache with mod_proxy http://httpd.apache.org/docs/2.0/mod/mod_proxy.html - supports HTTP(S), SSL tunneling, FTP, with cache
Squid http://www.squid-cache.org/ - supports HTTP, HTTPS, FTP, with cache
SSH Proxy http://sshproxy-project.org/ - supports SSH
149. Sun xVM VirtualBox - 1 VirtualBox release 2.1.2 found at www.virtualbox.org (accept installation of USB and network drivers)
Host and guest concepts, see manual
Guest additions concept
Fedora 10 found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso, 32 bits although 64 is supported by xVM, English edition, installable Live CD)
150. Sun xVM VirtualBox - 2 Installation procedure (example is Fedora)
New machine; choose the OS, select the memory size (2 GB, but less than the host!), add a virtual disk (fixed, 10 GB).
Mount the OS ISO local file as CD/DVD-ROM.
Start!... (ignore both messages - no additions installed yet)
When started, use the Install on hard disk icon. Select French keyboard.
Shut down, unmount the CD/DVD and restart.
Upgrade system and application packages (Yum).
Install the dkms package (Dynamic Kernel Module Support Framework).
Install the GNU make and gcc packages.
Mount the Guest Additions ISO with the Devices, Install Guest Additions xVM menu.
Run Sun's script (cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run)
Restart.
151. Sun xVM VirtualBox - 3 Installation procedure particularities for Debian 4
Installation of a small image via Internet.
Disk partitioning without LVM, one root partition.
Desktop and system packages.
Synaptic Package Manager used for package installation: make, gcc and kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686; check the running release with the command uname -a).
152. Sun xVM VirtualBox - 4 Command line
153. REMOTE ACCESS TO SYSTEM Xming XLaunch utility
But otherwise, X specific, "exporting the display":
Run your X server on the PC (nothing required if PuTTY is used, because the X protocol is then encapsulated in SSH - port 22; otherwise, ports XDMCP 177 and 6000 must be opened, and the X traffic - keystrokes included - crosses the network in clear)
Then, on the client (csh syntax):
setenv DISPLAY server:0.0
echo $DISPLAY
PuTTY
154. CRYPTOGRAPHY BASED TOOLS
155. USEFUL LINKS
156. BIBLIOGRAPHY
157. WINDOWS TOOLS USED DURING THIS SESSION