Advanced Unix Mid-Term Review Part 1 Oct 11, 2005.


nmap
Port scanner – a useful tool for conducting system and network port scans
It is not a vulnerability scanner

Types of Scans
TCP connect
TCP SYN (a.k.a. half-open)
TCP FIN (a.k.a. stealth)
TCP SYN/FIN using IP fragments
TCP ftp proxy (a.k.a. bounce attack)
UDP raw ICMP port unreachable
RPC scan
ACK/WIN scan
Ping scan

TCP connect
Goal: find open TCP ports; option -sT
Open a connection to port p on the target
If it succeeds, something is listening on that port
Repeat for desired values of p
Advantages:
–fast; can do many ports in parallel
–no special privileges needed
Disadvantages:
–easy to detect and block (filter)

TCP SYN (a.k.a. half-open)
Goal: find open TCP ports; option -sS
Craft and send a SYN to port p on the target
SYN/ACK: someone listening; RST: no-one listening
Send RST to tear down the (incipient) connection
Repeat for desired values of p
Advantages:
–many sites don’t log this
Disadvantages:
–need root to craft the initial SYN

Network Tools
The netstat command (page 521) is one such tool
It will show you the number of TCP/UDP connections and the services that are listening on your system
Demo: netstat

Network Tools
One tool overlooked by the book is lsof
lsof, or "list open files", is one of the system administrator's number one tools
You can trace which processes are using which services, as well as which files are open and by which processes
Demo: lsof

Network Tools
Many “root kits” deployed by vandals replace the tools an SA would use to detect the attack
–ps, ls, netstat, lsof, etc.
Always have original binaries and/or the tool source code available

Network Services
They are the points of attack
Remove/disable all unneeded services
–/etc/services – a text file that relates the ports to the services (page 523)

TCP Wrappers
For the services that you need to have running (page 525)
–Provides added access control
–The super daemon xinetd now has TCP wrappers built in, so any service using xinetd can take advantage of TCP wrappers

TCP Wrappers
Other services also use TCP wrappers, such as “Very Secure FTP”
–vsftpd FTP server (page 525)
–Controlled in the vsftpd configuration file
Access to rsync can be controlled by TCP Wrappers via xinetd

TCP Wrappers
Uses two files to define access to the services
–/etc/hosts.allow
–/etc/hosts.deny
You can create a deny-by-default for all services that use TCP wrappers
Don’t be misled into thinking this can secure your server 100%
–Understand that not all services can or do use TCP wrappers
–TCP wrappers is not a firewall but an access control

TCP Wrappers
Good example in the book (page 526)
Demo: TCP wrappers
–hosts.allow
–hosts.deny
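The order in which tcpd consults the two files is what makes a deny-by-default work: hosts.allow is searched first, then hosts.deny, the first matching line wins, and a request that matches neither is let through. The following shell illustration is added here and is not the book's code; the daemons, hosts and addresses in the sample files are constructed.

```shell
#!/bin/sh
# Added illustration of tcpd's decision, not the book's code.
# Handles ALL, exact names/addresses, "192.168.1." prefixes and
# ".example.com" suffixes; EXCEPT lists, netmasks and options are left out.

# pattern_matches PATTERN VALUE -> 0 when PATTERN covers VALUE
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # network prefix, e.g. 192.168.1.
        .*)  case $2 in *"$1") return 0 ;; esac ;;   # domain suffix, e.g. .example.com
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# list_matches "a, b, c" VALUE -> 0 when any comma-separated pattern covers VALUE
list_matches() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        if pattern_matches "$p" "$2"; then return 0; fi
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 when some "daemon_list : client_list" line matches
file_matches() {
    while IFS= read -r line; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}; rest=${line#*:}; clients=${rest%%:*}
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then return 0; fi
    done < "$1"
    return 1
}

# wrapper_allows ALLOWFILE DENYFILE DAEMON CLIENT -> prints allow/deny, exit 0/1
wrapper_allows() {
    if file_matches "$1" "$3" "$4"; then echo allow; return 0; fi
    if file_matches "$2" "$3" "$4"; then echo deny; return 1; fi
    echo allow; return 0          # no rule in either file: tcpd grants access
}

# Constructed sample files (not a real host's configuration): deny-by-default
make_sample_conf() {
    cat > "$1/hosts.allow" <<'EOF'
sshd : 192.168.1., admin.example.com
vsftpd : .example.com
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL : ALL
EOF
}

demo=$(mktemp -d)
make_sample_conf "$demo"
for req in "sshd 192.168.1.7" "sshd 10.0.0.5" "vsftpd ftp.example.com" "in.telnetd 192.168.1.7"; do
    printf '%-26s %s\n' "$req" "$(wrapper_allows "$demo/hosts.allow" "$demo/hosts.deny" $req)"
done
rm -rf "$demo"
```

The in.telnetd request is refused only because of the ALL : ALL line in hosts.deny; without it a daemon that nobody thought to list would be reachable from anywhere.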

Firewalls
Several types of firewalls:
–Packet filter: iptables – layer 2 network
–Stateful filter: Cisco PIX – layers 3 and 4
–Stateful inspection: Checkpoint Firewall-1
–Application proxy: Sidewinder – layers 5 thru 7
–Good reference for firewalls:

Iptables
iptables is a filtering firewall
Comes standard as part of Linux
–Older versions of Linux have ipchains
FC4 comes with a relatively good initial configuration
Using chkconfig, check to see if your iptables is configured to start on boot:
chkconfig --list iptables

Iptables
If it is not, enable it via the following command:
chkconfig --level 235 iptables on
To start iptables enter:
/etc/init.d/iptables start
or
service iptables start

Iptables
Many ways to implement iptables
–Demo: Shorewall
See:

Iptables - IP Filter
IP Filter
–Used to filter packets
–The command to enter a rule is called iptables
–The framework inside the kernel is called Netfilter
–Full matching on IP, TCP, UDP and ICMP packet headers
–Lesser matching on other packet headers possible
–Exception in TCP is the Options field
An IP Filter rule consists of:
–Insertion point, matching IP and target IP

Iptables - Stateful firewalling
Full state matching (TCP, UDP & ICMP)
Other protocols use a generic connection tracking module
–The generic conntrack module is less specific
–Custom modules can be written
–Certain protocols are more complex and require extra modules called "conntrack helpers"; examples are FTP, IRC (DCC), AH/ESP and ntalk

Iptables - Stateful firewalling (cont.)
Userland states
–NEW: all new connections; includes non-SYN TCP packets
–ESTABLISHED: all connections that have seen traffic in both directions
–RELATED: all connections/packets related to other connections; examples: ICMP errors, FTP-data, DCC
–INVALID: certain invalid packets depending on state, e.g. FIN/ACK when no FIN was sent

Iptables - NAT
NAT - Network Address Translation
–The science of switching source or destination addresses
Two types of NAT in Linux 2.4
–Netfilter NAT
–Fast NAT
Usage
–Makes a LAN look as if it came from a single source (the firewall)
Netfilter NAT
–DNAT - Destination Network Address Translation
–SNAT - Source Network Address Translation
–Requires connection tracking to keep states and expectations

Iptables - basic syntax
iptables [command] [options]
Commands:
–append, insert, replace, delete, list, policy, etc.
Options:
–verbose, line numbers, exact, etc.
Matches:
–dport, dst, sport, src, states, TCP options, owner, etc.
Targets:
–ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.

Iptables - matches
Protocol
-p, --protocol [!] [protocol]
–tcp, udp, icmp or all
–Numeric value
–/etc/protocols
Destination IP & port
-d, --destination [!] address[/mask]
–Destination address
–Resolvable (/etc/resolv.conf)
--dport, --destination-port [!] port[:port]
–Destination port
–Numeric or resolvable (/etc/services)
–Port range

Iptables - matches (cont.)
Source IP & port
-s, --source [!] address[/mask]
–Source address
–Resolvable (/etc/resolv.conf)
--sport, --source-port [!] port[:port]
–Source port
–Numeric or resolvable (/etc/services)
–Port range

Iptables - matches (cont.)
Incoming and outgoing interface
-i, --in-interface [!] interface
-o, --out-interface [!] interface

Iptables - targets
ACCEPT
–Accepts the packet
–Ends further processing of the specific chain
–Ends processing of all previous chains
–Except other main chains and tables
DROP
–Drops the packet
–No reply
–Ends all further processing

Iptables - targets (cont.)
REJECT
–Drops the packet
–Returns a reply: user-specified or calculated (TCP RST or ICMP errors)
–Ends all further processing
RETURN
–Returns from a chain to the calling chain

Iptables - a few simple rules
iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset   # a "new" TCP packet that is not a SYN is answered with a RST
iptables -A INPUT -p tcp --dport 80:1024 -j DROP          # silently drop inbound TCP to ports 80 through 1024
iptables -A FORWARD -p tcp --dport 22:113 -j DROP         # do not forward TCP to ports 22 through 113
iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP   # port names are resolved via /etc/services (20:21)
iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT               # allow outbound TCP on eth0 ...
iptables -A OUTPUT -p tcp -o lo -j ACCEPT                 # ... and on the loopback interface
iptables -P OUTPUT DROP                                   # everything else leaving the host is dropped by the chain policy

Iptables additional syntax
Listing the rules
–-L, --list [chain]
-F, --flush [chain]
–Flushes (erases) all rules in a chain
–Or a table
-N, --new chain
–Creates a user-specified chain
–There must be no target with that name already
-X, --delete-chain [chain]
–Deletes a user-created chain
–No rules may reference the chain
–With no chain given, deletes all user-created chains in a table

Iptables additional syntax
Creating a chain
–iptables -t filter -N badtcppackets
Deleting a chain
–iptables -t filter -X badtcppackets
Deleting all user-created chains
–iptables -t filter -X

Logging
Need to know:
–where they are and what they contain
–permissions and ownership
–how often they are rotated
You need to:
–Review logfile contents regularly
–Archive important logs

Logging
Pages list most of the common logs
These logs are found in the /var/log directory
–/var/log/messages
–/var/log/boot.log
–/var/log/wtmp
–/var/log/dmesg

Logging
What to look for in a log?
–Unusual activity
–Take a look at your logs daily
/var/log/messages
/var/log/secure
/var/log/sshd
Other service-related logs like ftpd, etc.

Logging
Some common things:
–Sendmail messages
–SSH logins/logouts
–FTP logins/logouts
Based on what you see regularly, you will know when something is amiss.
Common log-checking utilities are also an excellent way to keep tabs on your logs

Logcheck
Was developed by Psionic (
–Portsentry
–Logcheck
Easy configuration
Very customizable
Demo: logcheck

Logwatch
Part of the FC3 default install
It is a customizable, pluggable log-monitoring application
It will go through your logs for a given period of time and make a report on the areas that you wish with the detail that you wish.
Default setup is to report to root daily

Syslog Daemon
syslogd: the system event logger
–how syslog works
–its configuration file
–the software that uses syslog
–debugging syslog

What gets logged?
The accounting system
The kernel
Various utilities and applications
–many produce data that needs to be logged
–most of the data has a limited useful lifetime, and needs to be summarized, compressed, archived and eventually deleted

Logging policies
Log data immediately
Reset log files at periodic intervals
Rotate log files, keeping data for a fixed time
Compress and archive to tape or other permanent media

Logging Options
Depends on:
–how much disk space you have
–how security-conscious you are
–how important the system is
Whatever scheme you select, regular maintenance of log files should be automated using cron

Throwing away log files
Not recommended
–security problems (accounting data and log files provide important evidence of break-ins)
–helpful for alerting you to hardware and software problems
In general, keep one or two months
–in the real world, it may take one or two weeks for an SA to realize that the site has been compromised by a hacker and to need to review the logs

Throwing away (cont.)
Most sites store each day’s log info on disk, sometimes in a compressed format
These daily files are kept for a specific period of time and then deleted
One common way to implement this policy is called “rotation”

Rotating log files
Keep backup files that are one day old, two days old, and so on.
–logfile, logfile.1, logfile.2, … logfile.7
Each day rename the files to push older data toward the end of the chain
–script to archive three days' files
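An added shell version of the rotation chain just described (not the book's script; the file names it creates are constructed). It also shows the catch a practitioner runs into: the daemon keeps writing to the renamed file until it is told to reopen.

```shell
#!/bin/sh
# Added illustration of the rotation chain, not the book's script:
# logfile -> logfile.1 -> ... -> logfile.KEEP; whatever would become
# logfile.KEEP+1 is discarded, and copies older than a day are gzipped.

# rotate_log LOGFILE [KEEP]   (KEEP defaults to 7: logfile.1 .. logfile.7)
rotate_log() {
    log=$1; keep=${2:-7}
    [ -f "$log" ] || return 1
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        for sfx in "" .gz; do          # rotated copies may already be compressed
            # moving onto logfile.KEEP overwrites, i.e. discards, the oldest copy
            [ ! -f "$log.$prev$sfx" ] || mv "$log.$prev$sfx" "$log.$i$sfx"
        done
        i=$prev
    done
    mv "$log" "$log.1"
    : > "$log"                         # fresh, empty current log
    if [ -f "$log.2" ] && command -v gzip >/dev/null 2>&1; then
        gzip -f "$log.2"               # yesterday's copy stays plain, older ones are compressed
    fi
    # A daemon that still holds the old descriptor keeps writing into logfile.1;
    # syslogd must be told to reopen its files (kill -HUP) after rotation. Not done here.
    return 0
}

demo=$(mktemp -d)
echo "today's entries" > "$demo/messages"        # constructed sample log
echo "yesterday's entries" > "$demo/messages.1"
rotate_log "$demo/messages" 7
ls "$demo"
rm -rf "$demo"
```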

Archiving log files
Some sites must archive all accounting data and log files as a matter of policy, to provide data for a potential audit
Log files should first be rotated on disk, then written to tape or other permanent media
–see chapter 11, Backups

Finding log files
Normally in /var/log, but to locate log files you can read the system startup scripts: /etc/rc* or /etc/init.d/*
Some programs handle logging via syslog
–check /etc/syslog.conf to find out where this data goes
–Again, normally /var/log

Finding log files
Different operating systems put log files in different places:
–/var/log/*
–/var/cron/log
–/usr/adm
–/var/adm …
On Linux, almost all the log files are in the /var/log directory.

What is syslog
A comprehensive logging system, used to manage information generated by the kernel and system utilities.
Allows messages to be sorted by their source and importance, and routed to a variety of destinations:
–log files, users’ terminals, or even other machines.

Syslog: three parts
syslogd and /etc/syslog.conf
–the daemon that does the actual logging
–its configuration file
openlog, syslog, closelog
–library routines that programs use to send data to syslogd
logger
–user-level command for submitting log entries

Syslog data flow (diagram)
syslog-aware programs, using the syslog library routines, write log entries to the special file /dev/log; kernel messages arrive via /dev/klog
syslogd reads both, consults /etc/syslog.conf, and dispatches each entry to its destinations:
–log files
–users’ terminals
–other machines

Configuring syslogd
The configuration file /etc/syslog.conf controls syslogd’s behavior.
It is a text file with a simple format; blank lines and lines beginning with ‘#’ are ignored.
–selector action
–e.g. mail.info /var/log/maillog

Configuration file - Selector
Identifies
–source -- the program (‘facility’) that is sending a log message
–importance -- the message’s severity level
–e.g. mail.info /var/log/maillog
Syntax
–facility.level
–facility names and severity levels must be chosen from a list of defined values
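A selector picks up a message at the named level and every more severe level, "*" stands for any facility or level, "none" removes a facility again, and several selectors can share one line separated by ';'. The shell illustration below is added here and is not the book's code; it applies those rules to a constructed syslog.conf built around the mail.info example (the =level and !level forms are left out).

```shell
#!/bin/sh
# Added illustration of how syslogd matches a selector, not the book's code.
set -f   # selectors contain '*'; never let the shell glob them

# level_rank LEVEL -> 0 (debug) .. 7 (emerg), 9 for none, -1 for "*" or unknown
level_rank() {
    case $1 in
        debug) echo 0 ;;  info) echo 1 ;;  notice) echo 2 ;;  warning|warn) echo 3 ;;
        err|error) echo 4 ;;  crit) echo 5 ;;  alert) echo 6 ;;  emerg|panic) echo 7 ;;
        none) echo 9 ;;  *) echo -1 ;;
    esac
}

# selector_matches SELECTOR FACILITY LEVEL
#   0 = selector covers the message, 2 = it excludes the facility (none), 1 = no opinion
selector_matches() {
    sel=$1; fac=$2; lvl=$3
    facs=${sel%.*}; want=${sel##*.}        # "kern,mail.info" -> facs=kern,mail want=info
    hit=1
    for f in $(printf '%s' "$facs" | tr ',' ' '); do
        if [ "$f" = '*' ] || [ "$f" = "$fac" ]; then hit=0; fi
    done
    [ "$hit" -eq 0 ] || return 1
    [ "$want" != none ] || return 2
    [ "$(level_rank "$lvl")" -ge "$(level_rank "$want")" ]   # this level and above
}

# syslog_actions CONF FACILITY LEVEL -> prints the action of every line that selects the message
syslog_actions() {
    conf=$1; fac=$2; lvl=$3
    while IFS= read -r line; do
        line=${line%%#*}
        set -- $line                       # $1 = selector list, $2 = action
        [ $# -ge 2 ] || continue
        matched=1
        for sel in $(printf '%s' "$1" | tr ';' ' '); do
            rc=0; selector_matches "$sel" "$fac" "$lvl" || rc=$?
            case $rc in 0) matched=0 ;; 2) matched=1 ;; esac   # a later clause overrides an earlier one
        done
        [ "$matched" -ne 0 ] || echo "$2"
    done < "$conf"
    return 0
}

# Constructed sample configuration in the slide's selector/action layout
make_sample_conf() {
    cat > "$1" <<'EOF'
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.info                         /var/log/maillog
kern.crit                         /dev/console
*.emerg                           *
EOF
}

demo=$(mktemp -d)
make_sample_conf "$demo/syslog.conf"
for msg in "mail info" "authpriv info" "kern alert" "mail debug"; do
    printf '%-14s -> %s\n' "$msg" "$(syslog_actions "$demo/syslog.conf" $msg | tr '\n' ' ')"
done
rm -rf "$demo"
```

Note that mail.info lands only in /var/log/maillog: the mail.none clause on the first line takes it back out of /var/log/messages, while kern.alert is written both to /var/log/messages and to the console.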

Sample syslog output
Dec 27 02:45:00 x-wing netinfod [71]: cann’t lookup child
Dec 27 02:50:00 bruno ftpd [27876]: open of pid file failed: not a directory
Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
Dec 27 02:55:33 bruno sendmail [28040] : host name/address mismatch: != bull.bull..fr

Linux networking
Understand basic configuration of a network interface
–IP address
–Subnet mask
–Gateway
Talk about other types of interfaces (PPP, IPSec, etc.)
Use network utilities (ifconfig, mii-tool, etc.)

The TCP/IP protocol
Internet Protocol (IP) address
–Four 8-bit numbers (octets)
–Identifies a computer on the network
Subnet mask
–Four 8-bit numbers
–Determines the network and host portions of an IP address
Default gateway
–Router that sends packets to remote networks

Configuring a NIC interface
ifconfig command
–Assigns TCP/IP configuration to a NIC
–Displays configuration of all network interfaces
ping (packet internet groper) command
–Checks connectivity to other computers

Configuring a NIC interface
Multiple tools to accomplish this:
–Command line: ifconfig
–Curses based: netconfig
–Graphical: system-config-network

Name resolution
Hostnames
–Name assigned to a computer
–Uses plain language
Fully Qualified Domain Name (FQDN)
–Hostname that follows DNS convention
Domain Name Space (DNS) server
–Resolves FQDNs to IP addresses

The Domain Name Space

Common network services
Port
–Number that identifies a network service
–65,535 possible ports
Well-known ports – used by common networking services
–0 to 1,024

traceroute command
Used to troubleshoot routing
Displays all routers between the current computer and a remote computer

The mii-tool
An easy way to determine which speed is used by an Ethernet card
The Ethernet card needs to have Media Independent Interface circuitry

Secure Shell Without Passwords
Using ssh without passwords
–Everybody pair up
–Ensure each of you has an account/password on the other’s system
Refer to the text book for the commands and see if you can get this to work

Secure Shell Without Passwords
When we last left the intrepid students they were struggling with secure shell and keys…. But wait…. Daria and Chuck have made it work. Is this the breakthrough we’ve been waiting for?

Secure Shell Without Passwords
1. Pair up
2. Ensure you have an account on your partner’s system and you know the password
3. Generate the ssh key
cd ~/.ssh
ssh-keygen -t dsa
Do not enter a passphrase when prompted (this generates public and private keys)

Secure Shell Without Passwords
4. Copy the public key from your system to your partner’s
scp id_dsa.pub
5. Then enter the following (on the same line)
ssh ‘cat /tmp/id_dsa.pub >>
6. Clean up
ssh rm