Advanced Unix Chapter 14

Network Tools There are many, many network tools that come with a standard Linux installation. There are many, many network tools that come with a standard Linux installation. They can be used for network troubleshooting, for cause network trouble and for detecting the same. They can be used for network troubleshooting, for cause network trouble and for detecting the same. Chapter 14 discusses a few of them Chapter 14 discusses a few of them

Network Tools The netstat command is one such tool The netstat command is one such tool It will show you the number of tcp/udp connections and the services that are listening on your system It will show you the number of tcp/udp connections and the services that are listening on your system Demo netstat Demo netstat

Network Tools One tool often overlooked by the book is lsof One tool often overlooked by the book is lsof lsof or "list open files" is one of the systems administrator's number one tools lsof or "list open files" is one of the systems administrator's number one tools You trace what processes are using which services as well as which files are open and by which processes You trace what processes are using which services as well as which files are open and by which processes Demo lsof Demo lsof

Network Tools Many “root kits” deployed by vandals replace the tools an SA would use to detect the attack Many “root kits” deployed by vandals replace the tools an SA would use to detect the attack ps, ls, netstat, lsof, etc.ps, ls, netstat, lsof, etc. Always have original binaries and/or the tool source code available Always have original binaries and/or the tool source code available See lecture I gave to Rose Cyber Security Club: See lecture I gave to Rose Cyber Security Club:

Network Services Each Network Service is a Point of Attack Each Network Service is a Point of Attack Remove/Disable all unneeded services Remove/Disable all unneeded services /etc/services – a text file that relates the ports to the services/etc/services – a text file that relates the ports to the services /etc/init.d/etc/init.d chkconfigchkconfig

TCP Wrappers For the services that you need to have running consider using tcp_wrappers For the services that you need to have running consider using tcp_wrappers Provides for added access controlProvides for added access control /etc/host.allow/etc/host.allow /etc/host.deny/etc/host.deny Note: many services now hav wrapper support programmed into the source codeNote: many services now hav wrapper support programmed into the source code The Super Daemon xinetd now has tcp wrappers built in so any service using xinetd can take advantage of tcp wrappers if it is not already encoded The Super Daemon xinetd now has tcp wrappers built in so any service using xinetd can take advantage of tcp wrappers if it is not already encoded

TCP Wrappers Other services also use tcp wrappers such as “Very Secure FTP” Other services also use tcp wrappers such as “Very Secure FTP” vsftpd FTP servervsftpd FTP server Controlled in the vsftpd configuration fileControlled in the vsftpd configuration file Access to rsync can be controlled by TCP Wrappers via xinetd Access to rsync can be controlled by TCP Wrappers via xinetd

TCP Wrappers Uses two files to define the access to the services Uses two files to define the access to the services /etc/hosts.allow/etc/hosts.allow /etc/hosts.deny/etc/hosts.deny You can create a deny-by-default to all services that use tcp wrappers You can create a deny-by-default to all services that use tcp wrappers Don’t be misled into thinking this can secure you server 100% Don’t be misled into thinking this can secure you server 100% Understand that not all services can or do use tcp wrappersUnderstand that not all services can or do use tcp wrappers tcp wrappers is not a Firewall but an access control processtcp wrappers is not a Firewall but an access control process

TCP Wrappers Good Example in the book Good Example in the book Demo: tcp wrappers Demo: tcp wrappers hosts.allowhosts.allow hosts.denyhosts.deny

Firewalls Several types of Firewalls: Several types of Firewalls: Packet filterPacket filter Iptables – layer 2 network Iptables – layer 2 network Stateful filterStateful filter Cisco PIX – layer 3 and 4 Cisco PIX – layer 3 and 4 Stateful inspectionStateful inspection Checkpoint Firewall-1 Checkpoint Firewall-1 Application proxyApplication proxy Sidewinder – layers 5 thru 7 Sidewinder – layers 5 thru 7 Good reference for firewalls:Good reference for firewalls:

Introduction to iptables 3 rd generation firewall on Linux 3 rd generation firewall on Linux Supports basic packet filtering as well as connection state tracking Supports basic packet filtering as well as connection state tracking For our needs for this course, we will use simple/basic packet filtering For our needs for this course, we will use simple/basic packet filtering

Iptables iptables is a filtering firewall iptables is a filtering firewall Comes standard as part of Linux Comes standard as part of Linux Older versions of Linux have ipchainsOlder versions of Linux have ipchains FC comes with a relatively good initial configuration FC comes with a relatively good initial configuration Use chkconfig check to see if your iptables is configured to start on boot Use chkconfig check to see if your iptables is configured to start on boot chkconfig --list iptables

Iptables If is not then enabled it via the following command: If is not then enabled it via the following command: chkconfig –levels 235 iptables on To start iptables enter: To start iptables enter: /etc/init.d/iptables start Or service iptables start

Introduction to iptables # Sample firewall – incomplete… do not use. For discussion only IPTABLES=/sbin/iptables ANY=“ /0” ETHIP=“ ” ADMINNOC=“ ” # Flush chains $IPTABLES --flush # Set default policies $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT # Allow SSH from admin NOC $IPTABLES -A INPUT -p tcp -s $ADMINNOC --sport 1024: dport 22 -j ACCEPT $IPTABLES -A OUTPUT -p tcp -d $ADMINNOC -sport 22 --dport 1024: j ACCEPT # Allow Web access $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT # Allows secure web access $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT $IPTABLES -A INPUT -j DROP

Dropping vs Rejecting Packets Rejecting packets COULD resource starve your system Rejecting packets COULD resource starve your system Dropping packets could cause network diagnostic hell for the other end if you don’t respond ‘nicely’ Dropping packets could cause network diagnostic hell for the other end if you don’t respond ‘nicely’ Dana’s Law: It is better to DROP packets and buy your favorite network admin a beer than to REJECT and have alarms go off at 2 in the morning during a DoS, waking you up. Dana’s Law: It is better to DROP packets and buy your favorite network admin a beer than to REJECT and have alarms go off at 2 in the morning during a DoS, waking you up.

Iptables Many ways to implement iptables Many ways to implement iptables Demo ShorewallDemo Shorewall See: See: IPTables Packet Filtering HOWTO: filtering-HOWTO.html IPTables Packet Filtering HOWTO: filtering-HOWTO.html

Good reading Building Internet Firewalls ISBN: Building Internet Firewalls ISBN: Linux Firewalls ISBN: Linux Firewalls ISBN: Threat Modeling ISBN: Threat Modeling ISBN:

Iptables To be continued next class… To be continued next class…