Security WeeSan Lee
What's wrong with this picture?

(Network diagram, not recoverable from the slides: the Internet and the hosts www, eon, db and kilo-1. Successive versions of the slide add a firewall fw, then a second firewall fw2 and a DMZ, then a third firewall fw3.)
Roadmap
- Introduction
- How is security compromised?
- Security Tips
- Security Tools
- iptables
- Q&A
Introduction
- The philosophy of Unix/Linux was optimized for convenience over security
  - Until the "Internet Worm" from Robert Morris, Jr.
  - CERT was formed as a result
- Even so, Unix/Linux is still more secure than Windows
- In general, Windows/Unix/Linux is not secure; get a dedicated firewall
How is security compromised?
- Social engineering
  - The users/admins are often the weakest links in the chain of security
  - 60% of security incidents involve an insider
  - Educate the users
- Configuration errors
  - Accounts without passwords
- Software vulnerabilities
  - Buffer overflow
  - Use of relative paths
How is security compromised?

    // the request parameter is concatenated, unescaped, into a shell command
    system("/bin/cat " . $_POST["filename"]);

OOPS!
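The defensive counterpart of the line above, written here as a shell function a web handler could call with the raw request parameter (an added example, not code from the slides; DOC_DIR is a hypothetical directory holding the files that may be shown):

```shell
#!/bin/sh
# Added example, not from the slides: the defensive counterpart of
# system("/bin/cat " . $_POST["filename"]).  DOC_DIR is a hypothetical
# directory holding the only files that may be displayed.
: "${DOC_DIR:=/var/www/docs}"

# safe_cat NAME -> prints DOC_DIR/NAME.
# Returns 1 if NAME is rejected, 2 if the file does not exist.
# The two guards are independent: the allowlist keeps shell metacharacters,
# slashes and dot-files (including "..") out of the name, and the fixed
# prefix plus "--" and quoting mean the name is only ever one argument to
# cat, never text that a shell re-parses.
safe_cat() {
    name=$1
    case $name in
        '' | .* | *[!A-Za-z0-9._-]*)
            echo "rejected filename" >&2
            return 1 ;;
    esac
    path="$DOC_DIR/$name"
    if [ ! -f "$path" ]; then
        echo "no such file" >&2
        return 2
    fi
    cat -- "$path"
}
```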
Security Tips
- Employ packet filtering
- Update software patches
  - Put "yum update" in the crontab
- Frequent backups
- Logging
  - /var/log/messages
  - /var/log/secure
  - /var/log/maillog
  - /var/log/wtmp
  - Centralized remote logging

        $ man syslog.conf
Security Tips
- Turn off unnecessary services

    $ /bin/netstat -ta | grep LISTEN
    tcp   0   0 *:submission    *:*   LISTEN
    tcp   0   0 *:sunrpc        *:*   LISTEN
    tcp   0   0 *:x11           *:*   LISTEN
    tcp   0   0 *:38516         *:*   LISTEN
    tcp   0   0 localhost:ipp   *:*   LISTEN
    tcp   0   0 *:smtp          *:*   LISTEN
    …
    $ /usr/sbin/lsof -i :38516
    COMMAND    PID  USER  FD  TYPE  DEVICE  SIZE  NODE  NAME
    rpc.statd  911  nobody 9u  IPv   TCP  *:38516 (LISTEN)
Security Tips
- Passwords
  - To check for null passwords (an empty hash field in /etc/shadow)

        $ perl -F: -ane 'print if not $F[1];' /etc/shadow

  - To find logins without passwords (an empty password field in /etc/passwd; on a system
    using shadow passwords this field is normally "x", so the /etc/shadow check above is the one that counts)

        $ perl -F: -ane 'print if not $F[1];' /etc/passwd

  - Password aging
Security Tips
- Minimize the number of setuid programs
  - 35 setuid programs on average

        $ find / -user root -perm -4000 -print | mail -s 'setuid root files' sysadm

- File permissions
  - /etc/{passwd,group} should have 644
  - /etc/shadow should have 600
Security Tips
- Don't use /etc/hosts.equiv and ~/.rhosts
  - Create unwritable, zero-length ~/.rhosts
- Use LDAP instead of NIS
- Use NFSv4
- Run ClamAV, antivirus software
- /etc/hosts.{allow,deny}

    $ cat /etc/hosts.deny
    ALL: ALL
    $ cat /etc/hosts.allow
    sshd: /
    Sendmail: ALL
Security Tools - simple
- less

        $ /usr/bin/less /var/log/maillog

- last

        $ /usr/bin/last -f /var/log/wtmp -t
Security Tools
- lastlog

        $ lastlog -u weesan
        Username  Port    From      Latest
        weesan    pts/14  xx.xx.xx  Tue May 27 22:39:

- grep

        $ /bin/grep "Relaying denied" /var/log/maillog
        May 27 21:54:58 fw sm-mta[4463]: m4S4swAI004463: ruleset=check_rcpt, arg1=, relay=adsl-tpe.dynamic.so-net.net.tw [ ], reject= Relaying denied
Security Tools
- cat

        $ /bin/cat /var/log/secure
        May 27 21:14:05 fw vsftpd[4068]: refused connect from
        May 27 22:24:15 fw vsftpd[4474]: refused connect from
        May 27 23:10:02 fw in.rshd[4558]: connect from
        May 27 23:11:36 fw su[4606]: + pts/4 weesan-root

- tail -f

        $ /usr/bin/tail -f /var/log/messages
        May 27 22:10:52 fw sshd[4118]: Accepted publickey for weesan from  port  ssh2
        May 27 21:58:12 fw -- MARK --
        May 27 22:18:13 fw -- MARK --
        May 27 22:38:13 fw -- MARK --
Security Tools
- watch

        $ /usr/bin/watch /usr/bin/who
Security Tools - advanced
- nmap
  - Port scanning

        $ nmap -sT

  - Guess what OS a remote system is running

        $ nmap -O -sV

- Nessus
  - A powerful and useful software vulnerability scanner
- John the Ripper
  - A replacement for the Crack password cracker
Security Tools
- Samhain
  - Host-based intrusion detection
- Security-Enhanced Linux (SELinux)
  - Not recommended
- Kerberos
  - Guarantees that users and services are in fact who they claim to be
- PGP - Pretty Good Privacy
  - Used to encrypt data, to generate signatures, and to verify the origin of files and messages
  - GnuPG
Security Tools
- ssh
  - A replacement for telnet
- scp
  - A replacement for ftp
- One-time passwords
  - Generated off-line; each password is good for one use only
- Stunnel
  - Secure tunnel
- Firewall
  - iptables
iptables
- Linux kernel ver 2.4 introduced Netfilter
- iptables controls Netfilter
  - Applies ordered "chains" of rules to network packets
- 3 default chains in the filter table
  - INPUT: rules applied to incoming packets
  - OUTPUT: rules applied to outgoing packets
  - FORWARD: rules applied to packets routed from one NIC to another
iptables (cont)
- In addition to the default filter table there are two more tables:
  - nat: for setting up NAT
  - mangle: for modifying the packet header
- Each rule has a target
  - ACCEPT, DROP, REJECT, LOG, REDIRECT, RETURN, …
iptables (cont)

     1. $ iptables -F                                                 # Flush the filter tables
     2. $ iptables -P INPUT ACCEPT                                    # Default to ACCEPT, why???
     3. $ iptables -P FORWARD ACCEPT
     4. $ iptables -N RH-Firewall-1-INPUT                             # Create a new chain
     5. $ iptables -A INPUT -j RH-Firewall-1-INPUT                    # Link the INPUT & FORWARD chains to the new chain
     6. $ iptables -A FORWARD -j RH-Firewall-1-INPUT
     7. $ iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT             # -i: in-interface, -j: jump (to target)
     8. $ iptables -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
     9. $ iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    10. $ iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    11. $ iptables -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    12. $ iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    13. $ iptables -A RH-Firewall-1-INPUT -j LOG                      # Log to /var/log/syslog before rejecting
    14. $ iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited   # Reject all others
iptables (cont)
- Add the following between lines 10 & 11 to reject all the ad websites

    for ad in $ADV_SERVERS; do
        iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp -d $ad --dport 80 -j REJECT
    done

- To accept certain connections/services, figure out the protocol type and port number and add a new line similar to line 12
  - Q: What protocol type does DNS use? On which port?
  - A: Check out /etc/services
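Doing the /etc/services lookup from the Q&A above in a script, as an added example (not from the slides): allow_service resolves a service name to every port/proto pair listed for it, so "domain" yields both 53/udp and 53/tcp, and inserts a rule shaped like line 12 at position 12, right after the ESTABLISHED,RELATED rule. IPT defaults to a dry run ("echo iptables") and SERVICES_FILE is a hypothetical override so the lookup can be tested against a constructed table; both are assumptions, as is the chain name taken from the previous slide.

```shell
#!/bin/sh
# Added example, not from the slides.  Assumptions: the chain name from the
# slide, IPT as a dry-run prefix (set IPT=iptables to apply as root), and
# SERVICES_FILE as a hypothetical override for the real /etc/services.
: "${IPT:=echo iptables}"
: "${CHAIN:=RH-Firewall-1-INPUT}"
: "${SERVICES_FILE:=/etc/services}"

# svc_lookup NAME -> one "port proto" pair per line from SERVICES_FILE.
# Matches the primary name or any alias; comments and blank lines are skipped.
svc_lookup() {
    awk -v name="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { sub(/#.*/, "")                 # strip a trailing comment
          if (NF < 2) next
          split($2, pp, "/")             # field 2 is port/proto
          for (i = 1; i <= NF; i++)
              if (i != 2 && $i == name) { print pp[1], pp[2]; break } }
    ' "$SERVICES_FILE"
}

# allow_service NAME [POS] -> insert one NEW-connection ACCEPT rule per
# port/proto of NAME at rule position POS (default 12, i.e. directly after
# the ESTABLISHED,RELATED rule on line 11).  Returns 1 for an unknown name.
allow_service() {
    pos=${2:-12}
    pairs=$(svc_lookup "$1")
    if [ -z "$pairs" ]; then
        echo "unknown service: $1" >&2
        return 1
    fi
    echo "$pairs" | while read -r port proto; do
        $IPT -I "$CHAIN" "$pos" -m state --state NEW \
             -p "$proto" -m "$proto" --dport "$port" -j ACCEPT
    done
}
```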
iptables (cont)
- To turn on NAT

    $ iptables -t nat -F
    # Redirect HTTP traffic to a web cache server
    $ iptables -A PREROUTING -t nat -i eth1 -p tcp -d $ALL --dport 80 -j REDIRECT --to-ports 3128
    # Turn on NAT for TCP, UDP and ICMP
    $ iptables -A POSTROUTING -t nat -o eth0 -p tcp -s /24 -j MASQUERADE
    $ iptables -A POSTROUTING -t nat -o eth0 -p udp -s /24 -j MASQUERADE
    $ iptables -A POSTROUTING -t nat -o eth0 -p icmp -s /24 -j MASQUERADE
iptables (cont)
- To view the rules

        $ iptables -L -v

- To view the rules in the NAT table

        $ iptables -L -v -t nat
Reference
- LAH Ch 20 - Security
- iptables

        $ man iptables

- Unix Advanced System Admin. EdCert Cert
- Security Focus
iptables (cont)

    $ iptables -F                                              # Flush the filter tables
    $ iptables -P INPUT DROP                                   # Default to DROP
    $ iptables -P FORWARD DROP
    $ iptables -A FORWARD -i eth1 -p all -j ACCEPT             # -A: append a rule, -i: in-interface, -p: protocol, -j: jump
    $ iptables -A FORWARD -d -p tcp --dport 22 -j ACCEPT       # -d: destination (address not shown on the slide), --dport: dest. port
    $ iptables -A FORWARD -d -p tcp --dport 80 -j ACCEPT
    $ iptables -A INPUT -i eth1 -d -p icmp --icmp-type 8 -j ACCEPT
iptables (cont)
- Drop all packets that originate from private IP addresses

    $ iptables -t nat -A PREROUTING -i eth0 -s /8 -j DROP
    $ iptables -t nat -A PREROUTING -i eth0 -s /12 -j DROP
    $ iptables -t nat -A PREROUTING -i eth0 -s /16 -j DROP
    $ iptables -t nat -A PREROUTING -i eth0 -s /8 -j DROP
    $ iptables -t nat -A PREROUTING -i eth0 -s /4 -j DROP
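A shell check for the anti-spoofing rules above and for the LOG output of line 13 of the earlier chain, as an added example (not from the slides): in_cidr and is_bogon do the prefix arithmetic, and spoofed_from_log scans iptables LOG lines for packets that entered on the external interface with a source in one of those ranges, which the DROP rules should have prevented. The slide's own network addresses did not survive, so the BOGONS list is the standard set (RFC 1918 private space, loopback, multicast) and is an assumption; eth0 as the external interface is taken from the rules above.

```shell
#!/bin/sh
# Added example, not from the slides.  The slide's addresses are missing, so
# BOGONS is the usual list (RFC 1918 private, loopback, multicast): an assumption.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 224.0.0.0/4"
EXT_IF=${EXT_IF:-eth0}          # external interface, as in the slide's rules

# ip_to_int 1.2.3.4 -> the address as a 32-bit integer
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d
                  echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_cidr IP NET/LEN -> exit 0 if IP falls inside the prefix
in_cidr() {
    net=${2%/*}; len=${2#*/}
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_bogon IP -> exit 0 if the address is in any BOGONS range
is_bogon() {
    for r in $BOGONS; do in_cidr "$1" "$r" && return 0; done
    return 1
}

# spoofed_from_log < kernel log -> SRC addresses of packets that entered on
# EXT_IF from a bogon range, one per line.  These should never appear once
# the PREROUTING DROP rules are in place; if they do, the rules are not
# matching.  Input is the text the LOG target writes, e.g.
# "... kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=203.0.113.5 ... PROTO=TCP ...".
spoofed_from_log() {
    grep "IN=$EXT_IF " | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u |
        while read -r src; do
            if is_bogon "$src"; then echo "$src"; fi
        done
}
```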