Securing Network Services


Time to Internet Attack
“Before you place a Unix computer on the Internet, you must make certain that no security problems have been reported with the specific software release that you intend to use. Otherwise, you may find that your machine is identified, broken into, and compromised before you even have a chance to download the latest software patch!”

/etc/services
Canonical name, port number, protocol
    telnet  23/tcp
    smtp    25/tcp   mail
    time    37/udp   timeserver
“Servers can run on ports that are unassigned or are assigned to other protocols.”

Startup scripts
    $ cd /etc/rc5.d
    $ ls
    K03rhnsd      K50snmpd          S10network     S28autofs      S91smb
    K05saslauthd  K50snmptrapd      S12syslog      S56rawdevices  S95atd
    K10cups       K73ypbind         S13irqbalance  S56xinetd      S96agent.be
    K10psacct     K74nscd           S13portmap     S60vsftpd      S99local
    K15gpm        K92ip6tables      S14nfslock     S80sendmail    S99mdmonitor
    K20nfs        K92iptables       S20random      S85sshd2       S99mdmpd
    K24irda       K95audit          S24pcmcia      S90crond
    K35winbind    S00microcode_ctl  S25netfs       S90mysqld
    K40smartd     S05kudzu          S26apmd        S91httpd

xinetd
    $ cd xinetd.d
    [frank@sappho xinetd.d]$ ls
    chargen      daytime      echo-udp  klogin       rsync     telnet
    chargen-udp  daytime-udp  eklogin   krb5-telnet  services  time
    cups-lpd     echo         gssftp    kshell       sgi_fam   time-udp

telnet
    $ cat telnet
    # default: on
    # description: The telnet server serves telnet sessions; it uses \
    #       unencrypted username/password pairs for authentication.
    service telnet
    {
            disable         = no
            flags           = REUSE
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/sbin/in.telnetd
            log_on_failure  += USERID
    }

Services?
“If you cannot explain why a service is being offered at your site, you may wish to disable it until you know what purpose it serves.”
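An added example, not part of the original slides: a small parser for xinetd.d service files that lists every block xinetd would start, so each can be explained or disabled. The sample input is constructed (the slide's telnet entry plus two made-up entries), the notes come from what the slides say about telnet, echo and chargen, and the script assumes no defaults section in xinetd.conf overrides the per-service settings.

```python
import re

# Constructed sample: the slide's telnet entry plus two made-up entries.
SAMPLE = """
# default: on
service telnet
{
    disable = no
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/in.telnetd
    log_on_failure += USERID
}
service chargen
{
    disable = yes
    type = INTERNAL
}
service echo
{
    type = INTERNAL
}
"""

# Reasons the slides give for the services they single out.
NOTES = {"telnet": "unencrypted login", "echo": "DoS", "chargen": "DoS"}

def parse_xinetd(text):
    """Return {service: {attribute: value}} for every service block."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        m = re.match(r"service\s+(\S+)$", line)
        if m and current is None:
            current = services.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = re.split(r"\s*[+-]?=\s*", line, maxsplit=1)
            current[key] = value
    return services

def audit(text):
    """Return (service, note) pairs for blocks lacking disable = yes."""
    return sorted((name, NOTES.get(name, "purpose unknown"))
                  for name, attrs in parse_xinetd(text).items()
                  if attrs.get("disable", "no").lower() != "yes")
```

The echo entry has no disable line at all and is still reported, because a block is active unless it says disable = yes.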

Echo & chargen DoS
“echo accepts connections on TCP port 7 or individual datagrams on UDP port 7 and echoes back everything it receives to the sender.”
“chargen (character generator) service accepts TCP connections and UDP datagrams on port 19 and sends back a character pattern.”

Don’t Be Warezed! Page 340

telnet (TCP Port 23)
    C:>telnet www.nku.edu
“The telnet protocol poses significant risks to its users. The username, password, and all other sessions are transmitted over the Internet without encryption.”
Packet sniffing using Wireshark
Use ssh

Common Vulnerabilities and Exposures
http://cve.mitre.org/cve/
FTP (TCP Ports 20 and 21)
SMTP: Simple Mail Transfer Protocol (TCP Port 25)

SMTP
“SMTP servers have historically been a source of security problems for Unix systems. You should be sure that you are running the most recent version of the server, and that you monitor the appropriate web site or security mailing lists for news of newly discovered vulnerabilities.
“When security flaws are announced, potential intruders are often much quicker to attack than system administrators are to upgrade.”

Domain Name System (DNS) (TCP and UDP Port 53)
“An attacker who can gain control of your DNS nameserver or corrupt its contents can use it to break into your system.”
Cache poisoning – using a program bug to load erroneous information.
Run two nameservers: one in front of the firewall and one behind it.
The nameserver in front of the firewall contains only the names and IP addresses of your gateway computer.

BOOTP and DHCP (UDP Ports 67 and 68)
Because there is no server authentication with DHCP, any DHCP server on the network can answer a DHCP request.
An attacker can set up a rogue DHCP server that provides wrong addresses for nameservers or gateways.

SNMP: Simple Network Management Protocol (UDP Ports 161 and 162)
Allows remote management of devices on your network.
“With carefully constructed SNMP messages, an attacker can learn the internal structure of your network, change your network configuration, or even shut down your operation.”
If you use SNMP (See page 377.)

Managing Services Securely
Monitor your hosts with netstat (See pages 390-1)
/usr/bin/lsof – to determine which process is listening on a port (See page 392.)
Nmap to find open ports (See page 392.)
Run Wireshark to monitor network traffic.
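An added example, not part of the original slides: it joins `lsof -i -nP` output with /etc/services to show which process really owns each listening port, since the /etc/services slide notes that a server can sit on any port regardless of the assigned name. The lsof lines and the EXPECTED policy set are constructed for illustration; the /etc/services lines are the three shown on the slide.

```python
# Constructed samples: /etc/services lines from the slide and made-up
# `lsof -i -nP` output (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).
SERVICES = """\
telnet   23/tcp
smtp     25/tcp   mail
time     37/udp   timeserver
"""
LSOF = """\
COMMAND   PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
sendmail  812 root   4u  IPv4  11021      0t0  TCP *:25 (LISTEN)
xinetd    790 root   5u  IPv4  10977      0t0  TCP *:23 (LISTEN)
xinetd    790 root   6u  IPv4  10978      0t0  UDP *:37
httpd    2301 apache 4u  IPv4  15544      0t0  TCP *:8081 (LISTEN)
sshd     1500 root   3u  IPv4  12001      0t0  TCP 10.0.0.5:22->10.0.0.9:50122 (ESTABLISHED)
"""

# Hypothetical site policy: (command, port, protocol) with a known purpose.
EXPECTED = {("sendmail", 25, "tcp"), ("xinetd", 37, "udp")}

def load_services(text):
    """Map (port, proto) -> canonical name from /etc/services lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/")
            table[(int(port), proto)] = fields[0]
    return table

def listeners(lsof_text):
    """Yield (command, port, proto) for TCP LISTEN and unconnected UDP sockets."""
    for line in lsof_text.splitlines()[1:]:        # skip the header row
        f = line.split()
        if len(f) < 9 or "->" in f[8]:             # connected socket, not a listener
            continue
        proto = f[7].lower()
        if proto == "tcp" and f[-1] != "(LISTEN)":
            continue
        yield f[0], int(f[8].rsplit(":", 1)[1]), proto

def unexplained(lsof_text, services_text, expected):
    """Listeners missing from the policy, with the name /etc/services gives the port."""
    names = load_services(services_text)
    return [(cmd, port, proto, names.get((port, proto), "unassigned"))
            for cmd, port, proto in listeners(lsof_text)
            if (cmd, port, proto) not in expected]
```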

Vulnerability Scanners
www.nessus.org