Security, WeeSan Lee, weesan/cs183
WeeSan Lee <[email protected]>, http://www.cs.ucr.edu/~weesan/cs183/
28 pages; posted 22-Dec-2015

Transcript of the slides

Page 1

Security

WeeSan Lee <[email protected]>

http://www.cs.ucr.edu/~weesan/cs183/

Page 2

What's wrong with this picture?

[Network diagram; labels: The Internet, www, eon, db, kilo-1]

Page 3

What's wrong with this picture?

[Network diagram; labels: The Internet, www, eon, db, kilo-1, fw]

Page 4

What's wrong with this picture?

[Network diagram; labels: The Internet, www, eon, db, kilo-1, fw, fw2, DMZ]

Page 5

What's wrong with this picture?

[Network diagram; labels: The Internet, www, eon, db, kilo-1, fw, fw2, DMZ, fw3]

Page 6

Roadmap

- Introduction
- How security is compromised?
- Security Tips
- Security Tools
- iptables
- Q&A

Page 7

Introduction

- The philosophy of Unix/Linux was optimized for convenience over security
  - Until the "Internet Worm" from Robert Morris, Jr.
  - CERT was formed as a result
- Even so, Unix/Linux is still more secure than Windows
- In general, Windows/Unix/Linux is not secure; get a dedicated firewall

Page 8

How security is compromised?

- Social engineering
  - The users/admins are often the weakest links in the chain of security
  - 60% of security incidents involve an insider
  - Educate the users
- Configuration errors
  - Accounts without passwd
- Software vulnerabilities
  - Buffer overflow
  - Use of relative paths

Page 9

How security is compromised?

system("/bin/cat " . $_POST["filename"]);

OOPS!
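The slide's one-liner hands whatever arrives in $_POST["filename"] to a shell, so any shell metacharacter in the request is interpreted as part of the command. The following is an added example, not code from the slides: a shell wrapper that validates the name against a strict allowlist (plain basename, ASCII letters, digits, dot, underscore, dash, no leading dot) and then invokes cat with the name as a single argument, so no shell ever parses it. $SAFE_DIR and the sample file are constructed for the example.

```shell
# Added example (not from the slides): allowlist validation before cat,
# the defensive counterpart of system("/bin/cat " . $_POST["filename"]).
# Assumption: served files live under $SAFE_DIR (a temp dir here).
SAFE_DIR="${SAFE_DIR:-$(mktemp -d)}"
printf 'hello\n' > "$SAFE_DIR/ok.txt"     # constructed sample file

# is_safe_name NAME -> 0 when NAME is a plain basename made only of
# [A-Za-z0-9._-] and does not start with a dot.  This rejects "..",
# anything with a "/", whitespace, newlines and shell metacharacters.
is_safe_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# safe_cat NAME -> prints the file, or fails without running anything
# when the name is not on the allowlist.  cat receives the path as one
# argument; "--" stops a name beginning with "-" being read as an option.
safe_cat() {
    if ! is_safe_name "$1"; then
        echo "rejected: $1" >&2
        return 1
    fi
    cat -- "$SAFE_DIR/$1"
}

safe_cat ok.txt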

Page 10

Security Tips

- Employ packet filtering
- Update software patches
  - Put "yum update" in the crontab
- Frequent backups
- Logging
  - /var/log/messages
  - /var/log/secure
  - /var/log/maillog
  - /var/log/wtmp
  - Centralized remote logging: $ man syslog.conf

Page 11

Security Tips

Turn off unnecessary services

$ /bin/netstat -ta | grep LISTEN
tcp 0 0 *:submission *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:38516 *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
…

$ /usr/sbin/lsof -i :38516
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
rpc.statd 911 nobody 9u IPv4 1952 TCP *:38516 (LISTEN)
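Reading the netstat listing by eye works for one host; the added example below (not from the slides) automates the same review: it parses "netstat -ta | grep LISTEN" output and reports every listening socket that is not on an allowlist of services the host is supposed to offer, skipping sockets bound only to localhost. The netstat lines are constructed from the slide and the allowlist is an assumption for the example.

```shell
# Added example (not from the slides): flag listening sockets that are not
# on the allowlist.  SAMPLE_NETSTAT is constructed from the slide's output;
# on a live host pipe the real "netstat -ta" into unexpected_listeners.
SAMPLE_NETSTAT='tcp 0 0 *:submission *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:38516 *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN'

# Services this host is expected to expose (assumption for the example).
EXPECTED_SERVICES="ssh smtp submission"

# unexpected_listeners ALLOWLIST < netstat-output
# Prints "local-address service" for each LISTEN line whose service (the
# part after the last ':' of column 4) is not in ALLOWLIST.  Sockets bound
# to localhost are skipped because they are not reachable from the network.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            addr = $4; sub(/:[^:]*$/, "", addr)   # host part of local address
            svc  = $4; sub(/^.*:/,   "", svc)    # service name or port number
            if (addr == "localhost" || addr == "127.0.0.1") next
            if (!(svc in ok)) print addr, svc
        }'
}

# audit_sample -> runs the check over the constructed netstat output.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$EXPECTED_SERVICES"
}

audit_sample
```

Each reported line is a candidate for "lsof -i :PORT" (as on the slide) to find the owning process and decide whether to stop the service or restrict it with packet filtering.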

Page 12

Security Tips

Passwords

To check for null passwords:
$ perl -F: -ane 'print if not $F[1];' /etc/shadow

To find logins without passwords:
$ perl -F: -ane 'print if not $F[2];' /etc/passwd

Password aging
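The same checks, as an added example that is not part of the slides, written with awk against constructed copies of /etc/shadow and /etc/passwd so they run without root. Field 2 of shadow is the password hash; an empty field means no password. Field 3 of passwd is the UID, and Perl's "not $F[2]" is true both for an empty field and for 0, so the slide's second one-liner also lists every UID-0 account. The sample entries and hashes below are constructed.

```shell
# Added example (not from the slides): null-password and UID-0 audits over
# constructed sample files instead of the real /etc/shadow and /etc/passwd.
WORK="$(mktemp -d)"
# Constructed sample data: "guest" has an empty hash, "toor" has UID 0.
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$fakehashfakehash:17000:0:99999:7:::
weesan:$6$saltsalt$anotherfakehash:17000:0:99999:7:::
guest::17000:0:99999:7:::
bin:*:17000:0:99999:7:::
EOF
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
weesan:x:1000:1000:WeeSan Lee:/home/weesan:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF

# null_password_logins SHADOWFILE -> login names whose hash field is empty
# (same test as the slide's "print if not $F[1]" on /etc/shadow).
null_password_logins() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# uid0_logins PASSWDFILE -> login names with UID 0 or a missing UID
# (what the slide's "print if not $F[2]" on /etc/passwd actually selects).
uid0_logins() {
    awk -F: '$3 == "" || $3 == 0 { print $1 }' "$1"
}

# locked_logins SHADOWFILE -> accounts whose hash is "*", "!" or "!!", i.e.
# password login disabled; listed so they are not confused with the
# empty-hash case, which is the dangerous one.
locked_logins() {
    awk -F: '$2 ~ /^[!*]+$/ { print $1 }' "$1"
}

null_password_logins "$WORK/shadow"
uid0_logins "$WORK/passwd"
```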

Page 13

Security Tips

Minimize the # of setuid programs (35 setuid programs on average)

$ find / -user root -perm -4000 -print | mail -s 'setuid root files' sysadm

File permissions
- /etc/{passwd,group} should have 644
- /etc/shadow should have 600
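An added example (not from the slides) that turns the two slide items into a check: it verifies the modes prescribed above for passwd, group and shadow, and lists files with the setuid bit set, the way the slide's find command does. It runs against a constructed tree under $ROOT so it needs no root privileges; the "-user root" test is dropped because the constructed files are owned by whoever runs it, and mode_of assumes GNU stat.

```shell
# Added example (not from the slides): file-mode audit and setuid listing
# over a constructed directory tree.  Assumes GNU stat (-c '%a').
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/etc" "$ROOT/usr/bin"
: > "$ROOT/etc/passwd";     chmod 644  "$ROOT/etc/passwd"
: > "$ROOT/etc/group";      chmod 664  "$ROOT/etc/group"     # deliberately wrong
: > "$ROOT/etc/shadow";     chmod 600  "$ROOT/etc/shadow"
: > "$ROOT/usr/bin/passwd"; chmod 4755 "$ROOT/usr/bin/passwd" # setuid
: > "$ROOT/usr/bin/ls";     chmod 755  "$ROOT/usr/bin/ls"

# mode_of FILE -> permission bits in octal, e.g. 644 or 4755.
mode_of() { stat -c '%a' "$1"; }

# check_modes ROOT -> prints "FILE expected EXP got ACTUAL" per mismatch
# against the slide's prescription; returns 0 only if everything matches.
check_modes() {
    root="$1"; rc=0
    for spec in etc/passwd:644 etc/group:644 etc/shadow:600; do
        f="$root/${spec%%:*}"; want="${spec##*:}"
        have="$(mode_of "$f")"
        if [ "$have" != "$want" ]; then
            echo "$f expected $want got $have"; rc=1
        fi
    done
    return $rc
}

# setuid_files ROOT -> regular files under ROOT with the setuid bit set
# (the slide's "find / -user root -perm -4000", minus the owner test).
setuid_files() {
    find "$1" -type f -perm -4000 -print | sort
}

check_modes "$ROOT"
setuid_files "$ROOT"
```

Run from cron against "/" with the -user root test restored, the two lists become the daily mail the slide suggests; a new entry in either one is worth a look.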

Page 14

Security Tips

- Don't use /etc/hosts.equiv and ~/.rhosts
  - Create unwritable, zero-length ~/.rhosts
- Use LDAP instead of NIS
- Use NFSv4
- Run ClamAV, antivirus software
- /etc/hosts.{allow,deny}

$ cat /etc/hosts.deny
ALL:ALL

$ cat /etc/hosts.allow
sshd: 10.0.0.0/255.255.0.0
Sendmail: ALL

Page 15

Security Tools - simple

less
$ /usr/bin/less /var/log/maillog

last
$ /usr/bin/last -f /var/log/wtmp -t 20080520144258

Page 16

Security Tools

lastlog
$ lastlog -u weesan
Username Port From Latest
weesan pts/14 xx.xx.xx Tue May 27 22:39:35 -0700 2008

grep
$ /bin/grep "Relaying denied" /var/log/maillog
May 27 21:54:58 fw sm-mta[4463]: m4S4swAI004463: ruleset=check_rcpt, arg1=<[email protected]>, relay=219-84-62-105-adsl-tpe.dynamic.so-net.net.tw [219.84.62.105], reject=550 5.7.1 <[email protected]>... Relaying denied

Page 17

Security Tools

cat
$ /bin/cat /var/log/secure
May 27 21:14:05 fw vsftpd[4068]: refused connect from 66.11.116.140
May 27 22:24:15 fw vsftpd[4474]: refused connect from 204.8.216.130
May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
May 27 23:11:36 fw su[4606]: + pts/4 weesan-root

tail -f
$ /usr/bin/tail -f /var/log/messages
May 27 22:10:52 fw sshd[4118]: Accepted publickey for weesan from 10.0.0.33 port 41551 ssh2
May 27 21:58:12 fw -- MARK --
May 27 22:18:13 fw -- MARK --
May 27 22:38:13 fw -- MARK --
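The grep and cat commands on pages 16 and 17 find the interesting lines; the added example below (not from the slides) turns them into summaries: refused connections per source address from /var/log/secure, the relay address of each "Relaying denied" rejection in /var/log/maillog, and each successful su to root. The log lines are constructed in the style of the slides (syslog prefix, tcp_wrappers "refused connect from", sendmail "Relaying denied"); addresses and message ids are placeholders.

```shell
# Added example (not from the slides): summaries over constructed log lines.
# Pipe the real /var/log/secure or /var/log/maillog into these functions.
SAMPLE_SECURE='May 27 21:14:05 fw vsftpd[4068]: refused connect from 66.11.116.140
May 27 22:24:15 fw vsftpd[4474]: refused connect from 204.8.216.130
May 27 22:31:40 fw vsftpd[4490]: refused connect from 66.11.116.140
May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
May 27 23:11:36 fw su[4606]: + pts/4 weesan-root'

SAMPLE_MAILLOG='May 27 21:54:58 fw sm-mta[4463]: m4S4swAI004463: ruleset=check_rcpt, arg1=<user@example.invalid>, relay=host.example.invalid [219.84.62.105], reject=550 5.7.1 <user@example.invalid>... Relaying denied
May 27 21:55:10 fw sm-mta[4470]: m4S4tAbC004470: from=<user@example.invalid>, size=512, class=0, nrcpts=1'

# refused_by_ip < secure-log -> "COUNT IP" for each source refused by
# tcp_wrappers, most frequent first.
refused_by_ip() {
    awk '/refused connect from/ { print $NF }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# relay_rejections < maillog -> the address in [...] of the relay= field
# of every "Relaying denied" line, one per line.
relay_rejections() {
    grep 'Relaying denied' | sed -n 's/.*\[\([0-9.]*\)\].*/\1/p'
}

# su_to_root < secure-log -> "TTY USER" for each successful su to root,
# matching the "su[PID]: + pts/N user-root" form shown on the slide.
su_to_root() {
    awk '/ su\[[0-9]+\]: [+] / && $NF ~ /-root$/ {
            tty = $(NF-1); sub(/-root$/, "", $NF); print tty, $NF
         }'
}

printf '%s\n' "$SAMPLE_SECURE"  | refused_by_ip
printf '%s\n' "$SAMPLE_MAILLOG" | relay_rejections
printf '%s\n' "$SAMPLE_SECURE"  | su_to_root
```

A source that keeps reappearing in refused_by_ip is a candidate for /etc/hosts.deny or a REJECT rule; su_to_root gives the list of who became root and from which terminal, which is the first thing to reconcile after an incident.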

Page 18

Security Tools

watch
$ /usr/bin/watch /usr/bin/who

Page 19

Security Tools - advanced

- nmap
  - Port scanning: $ nmap -sT www.linux.is.better
  - Guess what OS a remote system is running: $ nmap -O -sV www.linux.is.better
- Nessus: a powerful and useful software vulnerability scanner
- John the Ripper: Crack replacement

Page 20

Security Tools

- Samhain: host-based intrusion detection
- Security-Enhanced Linux (SELinux): not recommended
- Kerberos: guarantees that users and services are in fact who they claim to be
- PGP (Pretty Good Privacy): used to encrypt data, to generate signatures, and to verify the origin of files and messages
  - GnuPG

Page 21

Security Tools

- ssh: a replacement for telnet
- scp: a replacement for ftp
- One-time passwords: generate passwd off-line, good for once only
- Stunnel: secure tunnel
- Firewall: iptables

Page 22

iptables

- Linux kernel ver 2.4 introduced Netfilter
- iptables controls Netfilter
- Applies ordered "chains" of rules to network packets
- 3 default chains (in the filter table)
  - INPUT: rules applied to incoming packets
  - OUTPUT: rules applied to outgoing packets
  - FORWARD: rules applied to packets from one NIC to another

Page 23

iptables (cont)

- In addition to the filter table with its 3 default chains:
  - nat: for setting up NAT
  - mangle: for modifying the packet header
- Each rule has a target: ACCEPT, DROP, REJECT, LOG, REDIRECT, RETURN, …

Page 24

iptables (cont)

 1. $ iptables -F
 2. $ iptables -P INPUT ACCEPT
 3. $ iptables -P FORWARD ACCEPT
 4. $ iptables -N RH-Firewall-1-INPUT
 5. $ iptables -A INPUT -j RH-Firewall-1-INPUT
 6. $ iptables -A FORWARD -j RH-Firewall-1-INPUT
 7. $ iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
 8. $ iptables -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
 9. $ iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
10. $ iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
11. $ iptables -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
12. $ iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
13. $ iptables -A RH-Firewall-1-INPUT -j LOG
14. $ iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Slide annotations:
- Line 1: flush the filter tables
- Lines 2-3: default to ACCEPT, why???
- Line 4: create a new chain
- Lines 5-6: link the INPUT & FORWARD chain to the new chain
- Line 7: -i is the in-interface, -j is the jump (target)
- Line 13: log to /var/log/syslog before rejecting it
- Line 14: reject all others

Page 25

iptables (cont)

Add the following between line 10 & 11 to reject all the advertising websites:

for ad in $ADV_SERVERS; do
    iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp -d $ad --dport 80 -j REJECT
done

To accept certain connections/services, figure out the protocol type and port number and add a new line similar to line 12.

Q. What protocol type does DNS use? On which port?
A. Check out /etc/services
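The slide's answer is "look it up in /etc/services"; the added example below (not from the slides) does the lookup and the rule writing together. service_ports reads an /etc/services-format table and returns the port/protocol pairs registered for a service name or alias, and allow_service emits one ACCEPT rule per protocol in the shape of line 12 above (-m udp -p udp for UDP, as in line 9). $IPTABLES defaults to a dry-run function that prints the rule instead of applying it, so the example runs anywhere; the services table is constructed and the chain name is the slide's RH-Firewall-1-INPUT.

```shell
# Added example (not from the slides): derive ACCEPT rules from /etc/services.
# SAMPLE_SERVICES is a constructed table in /etc/services format; set
# SERVICES=/etc/services on a real host.  IPTABLES defaults to dry_run,
# which prints the command; set IPTABLES=iptables to apply the rules.
SAMPLE_SERVICES="$(mktemp)"
cat > "$SAMPLE_SERVICES" <<'EOF'
# service-name  port/protocol  [aliases ...]
ssh             22/tcp
domain          53/tcp          # Domain Name Server
domain          53/udp
http            80/tcp          www
ipp             631/tcp
ipp             631/udp
EOF
SERVICES="${SERVICES:-$SAMPLE_SERVICES}"
dry_run() { printf 'iptables %s\n' "$*"; }
IPTABLES="${IPTABLES:-dry_run}"
CHAIN="RH-Firewall-1-INPUT"

# service_ports NAME -> "PORT/PROTO" lines for NAME, matching the service
# name or one of its aliases; trailing comments are stripped first.
service_ports() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        NF >= 2 {
            if ($1 == name) { print $2; next }
            for (i = 3; i <= NF; i++) if ($i == name) { print $2; break }
        }' "$SERVICES"
}

# allow_service NAME -> one rule per registered protocol, modelled on
# line 12 of the slide.  Fails when NAME is unknown so that a typo does
# not silently open nothing.
allow_service() {
    ports="$(service_ports "$1")"
    [ -n "$ports" ] || { echo "unknown service: $1" >&2; return 1; }
    for pp in $ports; do
        port="${pp%/*}"; proto="${pp#*/}"
        "$IPTABLES" -A "$CHAIN" -m state --state NEW -m "$proto" -p "$proto" \
            --dport "$port" -j ACCEPT
    done
}

allow_service domain
```

For DNS this prints two rules, one for 53/tcp and one for 53/udp; both are needed, because the name server answers on both. Review the dry-run output before switching IPTABLES to the real binary, since the rules append after line 14's REJECT unless inserted with -I at the right position.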

Page 26

iptables (cont)

To turn on NAT:

$ iptables -t nat -F
# Redirect HTTP traffic to a web cache server
$ iptables -A PREROUTING -t nat -i eth1 -p tcp -d $ALL --dport 80 -j REDIRECT --to-ports 3128
# Turn on NAT for TCP, UDP and ICMP
$ iptables -A POSTROUTING -t nat -o eth0 -p tcp -s 10.0.0.0/24 -j MASQUERADE
$ iptables -A POSTROUTING -t nat -o eth0 -p udp -s 10.0.0.0/24 -j MASQUERADE
$ iptables -A POSTROUTING -t nat -o eth0 -p icmp -s 10.0.0.0/24 -j MASQUERADE

Page 27

iptables (cont)

To view the rules:
$ iptables -L -v

To view the rules in the NAT table:
$ iptables -L -v -t nat

Page 28

Reference

- LAH Ch 20 - Security
- iptables: $ man iptables
- Unix Advanced System Admin. EdCert: https://www.ussg.iu.edu/edcert/course/view.php?id=7
- CERT: http://www.cert.org/
- Security Focus: http://www.securityfocus.com/