The Linux Operating System

The Linux Operating System
Tonga Institute of Higher Education
Lecture 8: Security

Security in Linux
Anyone who has a server that is connected full-time to the Internet has to be concerned with security. There are many aspects to having a secure network and system, but a well-maintained Linux system is the first line of defence to stop hackers (people who want to break into computers and get root access). The most important thing you can run to protect your computer and network is a firewall. If you do not have dedicated hardware for a firewall (which can sometimes be expensive), then a Linux server is a good alternative: it can act as a firewall for you and your network.

Linux Firewalls: Iptables
Iptables is a way to control how your computer deals with network data. It is built into the Linux kernel and is a replacement for an older firewall program called ipchains. Iptables can work as more than just a firewall: it is really a way to handle the data packets that come in. It can also limit how fast connections are made, log all network activity, and work as a router, connecting your private network to the Internet.

Iptables
For iptables to work as a firewall, we will be most concerned with 'packet filtering', or how iptables can handle the different packets that come into the computer.
All traffic through a network is sent in the form of packets, so whatever you are receiving is broken into smaller pieces.
The start of each packet (the header) says where it is going, where it came from, the type of the packet, and other details.
Some protocols, such as TCP, which is used for web traffic, mail and remote logins, use the concept of a 'connection': before any data packets are actually sent, various setup packets (with special headers) are exchanged saying 'I want to connect', 'OK' and 'Thanks'. Then normal packets are exchanged.

Packet Filtering
A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to deny the packet (discard it and pretend it was never received), accept the packet (let it go through), or reject the packet (like deny, but tell the source of the packet that it has done so).
Linux does all this with iptables, a program that works inside the kernel to look at all packets coming in and out and decide, based on rules you give it, what to do with each packet.

Iptables
The iptables packet filters are set up to look at three types of packets: ones that are FORWARDED, ones that are INPUT and ones that are OUTPUT.
Forwarded: packets from your local network that want to be sent to the Internet. This is when Linux works like a router (sending data from one network to another).
Input: packets that are coming into your computer from the outside world to do something. They might be dangerous.
Output: packets that are made by your computer and are being sent to the Internet.

Iptables
Iptables should be running when you start the computer. To see the rules currently inside of it, type
[root@comp root]# iptables -L
Iptables doesn't save its rules, which means that if you make a change, you'll have to save it yourself. There are two programs that help you do this. The first is iptables-save, which outputs all the rules so that you can save them to a file. Then there is a program called iptables-restore, which will load rules from a file. Examples:
[root@comp root]# iptables-save > table.rules
[root@comp root]# cat table.rules | iptables-restore

Looking at a rule
Rules are the most important part of packet filtering. Most commonly, you will use the append (-A) and delete (-D) commands when you add new rules.
Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a 'target'). For example, you might want to drop all ICMP packets coming from the IP address 192.168.0.23. So in this case our conditions are that the protocol must be ICMP and that the source address must be 192.168.0.23. Our target is 'DROP'.
[root@comp root]# iptables -A INPUT -s 192.168.0.23 -p icmp -j DROP

Looking at a Rule
[root@comp root]# iptables -A INPUT -s 192.168.0.23 -p icmp -j DROP
-A INPUT: says to look at packets coming into the computer.
-s 192.168.0.23: says if the packets come from this IP address
-p icmp: says if the packet is using the ICMP protocol
-j DROP: says then drop this packet if it matches the other criteria
You can also delete this rule if you want by changing -A INPUT to -D INPUT:
[root@comp root]# iptables -D INPUT -s 192.168.0.23 -p icmp -j DROP

Rule Specifics
Source and Destination: you can filter packets based on where they come from and where they are going.
Use the option '-s source', where 'source' is an IP address or hostname:
[root@comp root]# iptables -A INPUT -s 199.99.199.99 -j DROP
Use the option '-d destination', where 'destination' is an IP address or hostname:
[root@comp root]# iptables -A INPUT -d 199.99.199.99 -j ACCEPT

Rule Specifics
Protocol: you can filter packets based on what protocol they are using (TCP, ICMP, UDP, etc.).
Use the option '-p protocol', where 'protocol' is tcp, icmp or udp:
[root@comp root]# iptables -A INPUT -d 192.168.0.1 -p tcp -j DROP
If you're using the 'tcp' protocol, you can even block based on port (that means you can stop people from using ftp or your webserver if you don't want them to). The example below drops packets from 199.99.199.99 that are coming to port 80 (webserver) using TCP (the port option is spelled with two dashes, --dport):
[root@comp root]# iptables -A INPUT -s 199.99.199.99 -p tcp --dport 80 -j DROP

Rule Specifics
You also have three choices for what to do with the packet of data.
ACCEPT: this will allow the packet to go through your computer.
Example: iptables -A INPUT -s 192.168.0.4 -j ACCEPT
DROP: this will stop the packet from coming through and pretend it never saw it. It will not notify the sender that the packet was dropped, so the computer trying to send the data will think your computer is not on the network.
Example: iptables -A INPUT -s 192.168.0.4 -j DROP
REJECT: this will stop the packet and tell the sender that it was rejected.
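The rules from the last few slides collected into one file in the format that iptables-restore (from the save/restore slide) reads, so the whole set is loaded in one step instead of one iptables -A line at a time. This is an added example, not part of the lecture; 192.168.0.23 and 199.99.199.99 are the slides' example addresses, and the ssh (port 22) rule and the conntrack line are assumptions added for a usable policy.

```shell
#!/bin/sh
# Added example (not from the lecture slides): the slides' rules written in
# iptables-save format so the set can be loaded with "iptables-restore".
# Lines starting with "#" are ignored by iptables-restore.

# Print the rule set to stdout. Nothing is applied by this function.
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Always allow loopback traffic and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# "Looking at a rule" slide: silently drop ICMP from one host
-A INPUT -s 192.168.0.23 -p icmp -j DROP
# "Rule Specifics" slide: keep one host away from the webserver (tcp port 80)
-A INPUT -s 199.99.199.99 -p tcp --dport 80 -j DROP
# Everyone else may reach the webserver and ssh (port 22 is an assumption)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# Anything else is REJECTed (the sender is told); the DROP policy above is
# only a safety net in case this last rule is ever removed
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Number of INPUT rules in the set, a quick sanity check before loading.
count_input_rules() {
    build_rules | grep -c -- '^-A INPUT'
}

# iptables walks a chain top to bottom and stops at the first match, so the
# per-host DROP for port 80 only works if it comes before the general ACCEPT.
# Succeeds (exit 0) when the order is right.
drop_before_accept() {
    drop_line=$(build_rules | grep -n -- '-s 199.99.199.99 -p tcp --dport 80 -j DROP' | cut -d: -f1)
    accept_line=$(build_rules | grep -n -- '^-A INPUT -p tcp --dport 80 -j ACCEPT' | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]
}

# Save the set under the file name the slides use; load it as root with
#   iptables-restore < table.rules
save_rules() {
    build_rules > "${1:-table.rules}"
}
```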

Testing out your network
Now that you have a firewall installed, you should test it, to see if it is vulnerable at all. There are many programs available that will check your computer for weaknesses. One of the most popular ways to check is through a "port scanner". This is a program that will check all the ports on your computer to see which are open. If it finds that port 80 is open, then it knows you are running a webserver. The most popular of these is called "nmap", and it will provide a lot of useful information about the computer you are testing.

Nmap
You may need to download and install nmap, because it is not always included.
Example port scan of google.com:
[root@tihe root]# nmap -sS -O google.com
Interesting ports on www.google.com
(The 1622 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
This means that port 80 is open and it is running a webserver, but that is it. All other ports are closed. Thus, unless there is a problem with their webserver, they will be pretty safe from hackers.

Security Scanners
A "port scanner" is a good first step to test your network, but a security scanner will really test things out. The most popular security scanner is called Nessus. It will look at whatever computer you tell it to check and find out everything about it. It will look at what version of each service you have running to see if there are known vulnerabilities for it. It will also tell you what to do to fix the problem, and often tell you how the security hole can be exploited. These tools are often used by hackers themselves to find out if a computer is vulnerable.

Watching your network
If something is happening to your computer, it's good to have a few tools that can tell you where data is coming from and where it is going.
One program, called "iptraf", will show all incoming and outgoing data and the ports they are using. It can be helpful for determining which computer on a network is acting up.
Another program, called "etherape", shows all the data on your network graphically, so you can see who is using the most.

Keeping up to date
If you are in charge of a system that is on the Internet all the time, it is important to keep your programs and services up to date. Vulnerabilities in different programs come out fairly regularly, and the companies that make the products release security fixes. Falling behind for too long will leave your system open to attacks from hackers.
There are a few good websites to look at to stay up-to-date with security problems:
http://www.slashdot.org
http://www.securityfocus.org
http://www.cert.org/

Encryption
Most network activity happens unencrypted. That means if someone got hold of the data that was being sent, they could see what is inside. Since your data is usually sent over the Internet and around the world, there is a lot of opportunity to see what is happening. To protect yourself from anyone seeing what is happening, you need to use encryption for your data. This means everything will look like garbage to whoever tries to look at it. Encryption in Linux is done through SSL, or Secure Sockets Layer, which can sit on top of a protocol and change all the data being sent into something no one else can read.

Using encryption
To use encryption, you'll need different programs. For example, instead of using telnet to log into a server, you should use a protocol called SSH, which gives you the same effect as telnet, but is secure because it is encrypted. You need to download a special program to use SSH. The most popular is called PuTTY (if you are using Windows):
http://www.chiark.greenend.org.uk/~sgtatham/putty/
Linux has ssh built in:
[ ssh tihe.org -l username ]
For browsing the web, you can see if a connection is secure by looking at the URL in the browser. If it starts with "http://" then it is insecure. If it starts with "https://" then you know it is secure, because it is using a secure version of the HTTP protocol.

Packet Sniffing
To get a better idea of how network communication works, you can use a packet sniffer, which will examine all the packets that come into the computer and also some other packets that are floating around on the network. The best packet sniffer is called Ethereal. It is a graphical program that lets you capture packets and then analyze the data that has come in. This means you can see what web pages a person was looking at, or the FTP data they sent, or any other network data that is being sent. If you are logging in with telnet, someone will be able to see your username and password right away, because they are unencrypted.

Intrusion Detection
There are also programs that help figure out when an attack is happening on your system. These are called IDS, or intrusion detection systems. A popular one is called Snort. It basically examines the packets that come in and has a big database of rules that can determine if a specific exploit or attack is coming in. It will then alert the administrator and take some action. You can actually watch a hack in progress with an IDS set up. You'll have to install Snort yourself if you want it, although there is a lot of documentation available:
http://www.snort.org

Summary
Linux security is an ongoing project for all the developers of Linux around the world. Exploits for products are released daily, so keeping your computers safe is challenging. Most of the time today, people will not care who the computer belongs to, but they will use it as a launching point to attack other computers. That way, the computer really being attacked will not know where the attack is really coming from. Other times, hackers can set up programs that run on your computer and wait for their instructions.
For more information about Linux security:
http://www.insecure.org
http://www.yolinux.com/TUTORIALS/
http://www.linuxsecurity.com/