Security WeeSan Lee


1 Security
WeeSan Lee
http://www.cs.ucr.edu/~weesan/cs183/

2 What's wrong with this picture?
[diagram: hosts www, eon, db and kilo-1 attached directly to The Internet]

3 What's wrong with this picture?
[diagram: a firewall fw placed between The Internet and the hosts www, eon, db and kilo-1]

4 What's wrong with this picture?
[diagram: fw in front of The Internet, a second firewall fw2 behind it forming a DMZ, with www, eon, db and kilo-1]

5 What's wrong with this picture?
[diagram: fw, fw2 and a DMZ, plus a third firewall fw3, in front of www, eon, db and kilo-1]

6 Roadmap
- Introduction
- How is security compromised?
- Security Tips
- Security Tools
- iptables
- Q&A

7 Introduction
- The philosophy of Unix/Linux was optimized for convenience over security, until the "Internet Worm" from Robert Morris, Jr.
- CERT was formed as a result
- Even so, Unix/Linux is still more secure than Windows
- In general, Windows/Unix/Linux is not secure; get a dedicated firewall

8 How is security compromised?
- Social engineering
  - The users/admins are often the weakest links in the chain of security
  - 60% of security incidents involve an insider
  - Educate the users
- Configuration errors
  - Accounts without a password
- Software vulnerabilities
  - Buffer overflow
  - Use of relative paths

9 How is security compromised?
  system("/bin/cat " . $_POST["filename"]);
OOPS!

10 Security Tips
- Employ packet filtering
- Update software patches
  - Put "yum update" in the crontab
- Frequent backups
- Logging
  - /var/log/messages
  - /var/log/secure
  - /var/log/maillog
  - /var/log/wtmp
- Centralized remote logging
  - $ man syslog.conf

11 Security Tips
- Turn off unnecessary services
  $ /bin/netstat -ta | grep LISTEN
  tcp   0   0 *:submission    *:*   LISTEN
  tcp   0   0 *:sunrpc        *:*   LISTEN
  tcp   0   0 *:x11           *:*   LISTEN
  tcp   0   0 *:38516         *:*   LISTEN
  tcp   0   0 localhost:ipp   *:*   LISTEN
  tcp   0   0 *:smtp          *:*   LISTEN
  …
  $ /usr/sbin/lsof -i :38516
  COMMAND   PID   USER  FD  TYPE  DEVICE  SIZE  NODE  NAME
  rpc.statd 911   nobody 9u IPv4  1952          TCP   *:38516 (LISTEN)

12 Security Tips
- Passwords
  - To check for null passwords
    $ perl -F: -ane 'print if not $F[1];' /etc/shadow
  - To find logins without passwords
    $ perl -F: -ane 'print if not $F[2];' /etc/passwd
  - Password aging
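The same account checks done with awk over constructed sample records, as an added example that is not part of the slides. The sample passwd/shadow lines are made up; note that field 2 (zero-based) of /etc/passwd is the UID, so the slide's second one-liner selects UID-0 accounts, which the third function below narrows to the ones worth investigating.

```shell
#!/bin/sh
# Constructed sample records in /etc/shadow and /etc/passwd layout (not real data).
SAMPLE_SHADOW='root:$6$somehash:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
backup:*:19000:0:99999:7:::'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# Accounts whose shadow password field is empty: anyone can log in as them
# without a password. "!" and "*" mean locked, not empty, and are skipped.
null_password_accounts() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts whose passwd UID field is 0: each of these is root, whatever its
# name. This is what `print if not $F[2]` over /etc/passwd selects.
uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# UID-0 accounts other than root itself: the ones that need an explanation.
extra_uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Against the live files (as root): null_password_accounts "$(cat /etc/shadow)"
echo "null passwords:";  null_password_accounts "$SAMPLE_SHADOW"
echo "extra UID 0:";     extra_uid0_accounts "$SAMPLE_PASSWD"
```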

13 Security Tips
- Minimize the # of setuid programs
  - 35 setuid programs on average
  $ find / -user root -perm -4000 -print | mail -s 'setuid root files' sysadm
- File permissions
  - /etc/{passwd,group} should have 644
  - /etc/shadow should have 600

14 Security Tips
- Don't use /etc/hosts.equiv and ~/.rhosts
  - Create an unwritable, zero-length ~/.rhosts
- Use LDAP instead of NIS
- Use NFSv4
- Run ClamAV, antivirus software
- /etc/hosts.{allow,deny}
  $ cat /etc/hosts.deny
  ALL:ALL
  $ cat /etc/hosts.allow
  sshd: 10.0.0.0/255.255.0.0
  Sendmail: ALL

15 Security Tools - simple
- less
  $ /usr/bin/less /var/log/maillog
- last
  $ /usr/bin/last -f /var/log/wtmp -t 20080520144258

16 Security Tools
- lastlog
  $ lastlog -u weesan
  Username   Port     From       Latest
  weesan     pts/14   xx.xx.xx   Tue May 27 22:39:35 -0700 2008
- grep
  $ /bin/grep "Relaying denied" /var/log/maillog
  May 27 21:54:58 fw sm-mta[4463]: m4S4swAI004463: ruleset=check_rcpt,arg1=, relay=219-84-62-105-adsl-tpe.dynamic.so-net.net.tw [219.84.62.105], reject=550 5.7.1... Relaying denied

17 Security Tools
- cat
  $ /bin/cat /var/log/secure
  May 27 21:14:05 fw vsftpd[4068]: refused connect from 66.11.116.140
  May 27 22:24:15 fw vsftpd[4474]: refused connect from 204.8.216.130
  May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
  May 27 23:11:36 fw su[4606]: + pts/4 weesan-root
- tail -f
  $ /usr/bin/tail -f /var/log/messages
  May 27 22:10:52 fw sshd[4118]: Accepted publickey for weesan from 10.0.0.33 port 41551 ssh2
  May 27 21:58:12 fw -- MARK --
  May 27 22:18:13 fw -- MARK --
  May 27 22:38:13 fw -- MARK --
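Turning the cat/grep habit into a small triage function over lines in the /var/log/secure format shown on the slide; this is an added example, not from the slides, and the sample lines (hostnames, PIDs, addresses from documentation ranges) are constructed.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure-style lines (not a real log).
SAMPLE_SECURE='May 27 21:14:05 fw vsftpd[4068]: refused connect from 198.51.100.7
May 27 22:24:15 fw vsftpd[4474]: refused connect from 203.0.113.9
May 27 22:25:01 fw vsftpd[4480]: refused connect from 198.51.100.7
May 27 22:26:44 fw vsftpd[4481]: refused connect from 198.51.100.7
May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
May 27 23:11:36 fw su[4606]: + pts/4 weesan-root
May 27 23:40:12 fw su[4702]: + pts/6 guest-root'

# Refused connections per source address, busiest first, as "count address".
# The address is the last field of a "refused connect from" line.
refused_by_source() {
  printf '%s\n' "$1" \
    | awk '/refused connect from/ { n[$NF]++ } END { for (a in n) print n[a], a }' \
    | sort -rn
}

# Sources refused at least $2 times: a simple threshold worth an alert or a
# hosts.deny entry.
noisy_sources() {
  refused_by_source "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Successful su to root, as "tty from-to". In this su log format "+" marks a
# successful switch and "-" a failed one; the last field is "user-target".
su_to_root() {
  printf '%s\n' "$1" \
    | awk '$5 ~ /^su\[/ && $6 == "+" && $NF ~ /-root$/ { print $7, $NF }'
}

# Live use: refused_by_source "$(cat /var/log/secure)"
echo "refused >= 3 times:"; noisy_sources "$SAMPLE_SECURE" 3
echo "su to root:";         su_to_root "$SAMPLE_SECURE"
```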

18 Security Tools
- watch
  $ /usr/bin/watch /usr/bin/who

19 Security Tools - advanced
- nmap
  - Port scanning
    $ nmap -sT www.linux.is.better
  - Guess what OS a remote system is running
    $ nmap -O -sV www.linux.is.better
- Nessus
  - A powerful and useful software vulnerability scanner
- John the Ripper
  - A replacement for Crack

20 Security Tools
- Samhain
  - Host-based intrusion detection
- Security-Enhanced Linux (SELinux)
  - Not recommended
- Kerberos
  - Guarantees that users and services are in fact who they claim to be
- PGP - Pretty Good Privacy
  - Used to encrypt data, to generate signatures, and to verify the origin of files and messages
  - GnuPG

21 Security Tools
- ssh
  - A replacement for telnet
- scp
  - A replacement for ftp
- One-time passwords
  - Generated off-line and good for a single use only
- Stunnel
  - Secure tunnel
- Firewall
  - iptables

22 iptables
- Linux kernel ver 2.4 introduced Netfilter
- iptables controls Netfilter
- Applies ordered "chains" of rules to network packets
- 3 default chains (in the filter table)
  - INPUT: rules applied to incoming packets
  - OUTPUT: rules applied to outgoing packets
  - FORWARD: rules applied to packets passing from one NIC to another

23 iptables (cont)
- In addition to the default filter table with its 3 chains:
  - nat: for setting up NAT
  - mangle: for modifying the packet header
- Each rule has a target
  - ACCEPT
  - DROP
  - REJECT
  - LOG
  - REDIRECT
  - RETURN
  - …

24 iptables (cont)
 1. $ iptables -F                                   # Flush the filter tables
 2. $ iptables -P INPUT ACCEPT                      # Default to ACCEPT, why???
 3. $ iptables -P FORWARD ACCEPT
 4. $ iptables -N RH-Firewall-1-INPUT               # Create a new chain
 5. $ iptables -A INPUT -j RH-Firewall-1-INPUT      # Link the INPUT & FORWARD chains to the new chain
 6. $ iptables -A FORWARD -j RH-Firewall-1-INPUT
 7. $ iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT                     # -i: in-interface, -j: jump
 8. $ iptables -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
 9. $ iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
10. $ iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
11. $ iptables -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
12. $ iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
13. $ iptables -A RH-Firewall-1-INPUT -j LOG                              # Log to /var/log/syslog before rejecting
14. $ iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited   # Reject all others

25 iptables (cont)
- Add the following between lines 10 & 11 to reject all the adv websites
  for ad in $ADV_SERVERS; do
    iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp -d $ad --dport 80 -j REJECT
  done
- To accept certain connections/services, figure out the protocol type and port number and add a new line similar to line 12
  - Q. What protocol type does DNS use? On which port?
  - A: Check out /etc/services
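The slide-24 ruleset as a script with the slide-25 additions in place, as an added example that is not the slides' own script: the ad-server REJECTs go between lines 10 and 11, and DNS (port 53 in /etc/services, both UDP and TCP) is accepted with rules shaped like line 12. IPT defaults to echo, so running it only prints the rules; ADV_SERVERS, the eth1 interface and the sample addresses are assumptions.

```shell
#!/bin/sh
# Dry-run by default: IPT=echo prints each rule. Set IPT=/sbin/iptables (as
# root) to apply them. Ad server addresses below are constructed samples.
IPT="${IPT:-echo}"
ADV_SERVERS="${ADV_SERVERS:-192.0.2.10 192.0.2.11}"
CHAIN=RH-Firewall-1-INPUT

build_rules() {
  $IPT -F
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -N $CHAIN
  $IPT -A INPUT -j $CHAIN
  $IPT -A FORWARD -j $CHAIN
  $IPT -A $CHAIN -i lo -j ACCEPT
  $IPT -A $CHAIN -p icmp --icmp-type any -j ACCEPT
  $IPT -A $CHAIN -p udp -m udp --dport 631 -j ACCEPT
  $IPT -A $CHAIN -p tcp -m tcp --dport 631 -j ACCEPT
  # Slide 25 loop. It must come before the ESTABLISHED,RELATED rule: once a
  # connection to an ad server exists, that rule would accept its packets.
  for ad in $ADV_SERVERS; do
    $IPT -A $CHAIN -i eth1 -p tcp -d "$ad" --dport 80 -j REJECT
  done
  $IPT -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A $CHAIN -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
  # DNS answer to the slide's question: port 53, over UDP and TCP.
  $IPT -A $CHAIN -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
  $IPT -A $CHAIN -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
  $IPT -A $CHAIN -j LOG
  $IPT -A $CHAIN -j REJECT --reject-with icmp-host-prohibited
}

# 1-based position of the first generated rule matching $1 (for checking order).
rule_position() {
  build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_rules
```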

26 iptables (cont)
- To turn on NAT
  $ iptables -t nat -F
  # Redirect HTTP traffic to a web cache server
  $ iptables -A PREROUTING -t nat -i eth1 -p tcp -d $ALL --dport 80 -j REDIRECT --to-ports 3128
  # Turn on NAT for TCP, UDP and ICMP
  $ iptables -A POSTROUTING -t nat -o eth0 -p tcp -s 10.0.0.0/24 -j MASQUERADE
  $ iptables -A POSTROUTING -t nat -o eth0 -p udp -s 10.0.0.0/24 -j MASQUERADE
  $ iptables -A POSTROUTING -t nat -o eth0 -p icmp -s 10.0.0.0/24 -j MASQUERADE

27 iptables (cont)
- To view the rules
  $ iptables -L -v
- To view the rules in the NAT table
  $ iptables -L -v -t nat

28 Reference
- LAH
  - Ch 20 - Security
- iptables
  - $ man iptables
- Unix Advanced System Admin. EdCert
  - https://www.ussg.iu.edu/edcert/course/view.php?id=7
- CERT
  - http://www.cert.org/
- Security Focus
  - http://www.securityfocus.com/

29 iptables (cont)
  $ iptables -F                                                    # Flush the filter tables
  $ iptables -P INPUT DROP                                         # Default to DROP
  $ iptables -P FORWARD DROP
  $ iptables -A FORWARD -i eth1 -p ANY -j ACCEPT
  $ iptables -A FORWARD -d 10.0.0.100 -p tcp --dport 22 -j ACCEPT
  $ iptables -A FORWARD -d 10.0.0.100 -p tcp --dport 80 -j ACCEPT
  $ iptables -A INPUT -i eth1 -d 10.0.0.1 -p icmp --icmp-type 8 -j ACCEPT
- Legend: -A append a rule, -i in-interface, -p protocol, -j jump, -d destination, --dport destination port

30 iptables (cont)
  $ iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
  $ iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
  $ iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
  $ iptables -t nat -A PREROUTING -i eth0 -s 127.0.0.0/8 -j DROP
  $ iptables -t nat -A PREROUTING -i eth0 -s 224.0.0.0/4 -j DROP
- Drop all packets originating from private IP addresses (and from the loopback and multicast ranges) arriving on the external interface.

