Security
WeeSan Lee, weesan/cs183
Posted 22-Dec-2015
What's wrong with this picture?
[Network diagram; labels: The Internet, www, eon, db, kilo-1]
What's wrong with this picture?
[Network diagram; labels: The Internet, www, eon, db, kilo-1, fw]
What's wrong with this picture?
[Network diagram; labels: The Internet, www, eon, db, kilo-1, fw, fw2, DMZ]
What's wrong with this picture?
[Network diagram; labels: The Internet, www, eon, db, kilo-1, fw, fw2, fw3, DMZ]
Roadmap
Introduction
How security is compromised?
Security Tips
Security Tools
iptables
Q&A
Introduction
The philosophy of Unix/Linux was optimized for convenience over security, until the "Internet Worm" from Robert Morris, Jr.
CERT was formed as a result
Even so, Unix/Linux is still more secure than Windows
In general, Windows/Unix/Linux is not secure; get a dedicated firewall
How security is compromised?
Social engineering
The users/admins are often the weakest links in the chain of security
60% of security incidents involve an insider
Educate the users
Configuration errors
Accounts without passwd
Software vulnerabilities
Buffer overflow
Use of relative paths
How security is compromised?
system("/bin/cat " . $_POST["filename"]);   // the POST parameter reaches the shell unchecked
OOPS!
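An added example, not from the slides, showing the same bug in Python next to a hardened version: no shell, a fixed executable, and the user-supplied name confined to one directory. DOC_ROOT, safe_cat and the sample file are constructed for this example.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Python counterpart of the slide's PHP one-liner (hypothetical): the request
# parameter is pasted into a command line, so /bin/sh interprets any shell
# metacharacters it contains. Shown for contrast; never call it with user input.
def vulnerable_cat(filename: str) -> int:
    return os.system("/bin/cat " + filename)

DOC_ROOT = Path(tempfile.mkdtemp())        # constructed document root for the demo

class InvalidFilename(ValueError):
    pass

def safe_cat(filename: str) -> str:
    """Read a file under DOC_ROOT via /bin/cat without ever invoking a shell."""
    if not filename or "\0" in filename:
        raise InvalidFilename("empty or NUL-containing name")
    target = (DOC_ROOT / filename).resolve()
    # resolve() canonicalises "..", absolute paths and symlinks; anything whose
    # ancestors do not include DOC_ROOT has escaped the allowed directory
    if DOC_ROOT.resolve() not in target.parents:
        raise InvalidFilename("path escapes document root")
    if not target.is_file():
        raise InvalidFilename("not a regular file")
    # argv list, shell=False: the name is a single argument, never parsed by sh
    out = subprocess.run(["/bin/cat", str(target)], capture_output=True, check=True)
    return out.stdout.decode()

def demo() -> dict:
    """Exercise safe_cat on one good name and three names it must reject."""
    (DOC_ROOT / "notes.txt").write_text("hello from notes\n")
    results = {"ok": safe_cat("notes.txt")}
    for bad in ("../etc/passwd", "/etc/passwd", "missing.txt"):
        try:
            safe_cat(bad)
            results[bad] = "allowed"
        except InvalidFilename as err:
            results[bad] = "rejected: " + str(err)
    return results
```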
Security Tips
Employ packet filtering
Update software patches
Put "yum update" in the crontab
Frequent backups
Logging
/var/log/messages
/var/log/secure
/var/log/maillog
/var/log/wtmp
Centralized remote logging
$ man syslog.conf
Security Tips
Turn off unnecessary services
$ /bin/netstat -ta | grep LISTEN
tcp 0 0 *:submission *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:38516 *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
…
$ /usr/sbin/lsof -i :38516
COMMAND   PID USER FD TYPE DEVICE SIZE NODE NAME
rpc.statd 911 nobody 9u IPv4 1952 TCP *:38516 (LISTEN)
Security Tips
Passwords
To check for null passwords:
$ perl -F: -ane 'print if not $F[1];' /etc/shadow
To find logins without passwords:
$ perl -F: -ane 'print if not $F[2];' /etc/passwd
Password aging
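An added example (not from the slides) that does the null-password check of the perl one-liner and the password-aging check in Python over a constructed /etc/shadow-style sample; the hashes and day counts are placeholders made up for this example.

```python
# Constructed /etc/shadow-style sample (hashes are dummy placeholders).
# Fields: name:hash:lastchange(days since 1970-01-01):min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:$6$dummyhash:17500:0:99999:7:::
weesan:$6$dummyhash:17800:0:90:7:::
guest::17800:0:99999:7:::
daemon:*:17500:0:99999:7:::
olduser:$6$dummyhash:17000:0:60:7:::
"""

def parse_shadow(text):
    """Split shadow lines on ':' like perl -F: and keep the fields we audit."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 5:
            continue
        entries.append({"name": f[0], "hash": f[1],
                        "lastchange": int(f[2]) if f[2] else None,
                        "max": int(f[4]) if f[4] else None})
    return entries

def null_passwords(entries):
    """Same test as the slide's one-liner: an empty second field."""
    return [e["name"] for e in entries if e["hash"] == ""]

def expired_passwords(entries, today_days):
    """Password aging: lastchange + max already behind today's day count.
    Locked accounts (*, !) and the 99999 'never expires' convention are skipped."""
    out = []
    for e in entries:
        if e["hash"] == "" or e["hash"].startswith(("*", "!")):
            continue
        if e["lastchange"] is None or e["max"] is None or e["max"] >= 99999:
            continue
        if e["lastchange"] + e["max"] < today_days:
            out.append(e["name"])
    return out
```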
Security Tips
Minimize the # of setuid programs
35 setuid programs on average
$ find / -user root -perm -4000 -print | mail -s 'setuid root files' sysadm
File permissions
/etc/{passwd,group} should have 644
/etc/shadow should have 600
Security Tips
Don't use /etc/hosts.equiv and ~/.rhosts
Create unwritable, zero-length ~/.rhosts
Use LDAP instead of NIS
Use NFSv4
Run ClamAV, antivirus software
/etc/hosts.{allow,deny}
$ cat /etc/hosts.deny
ALL:ALL
$ cat /etc/hosts.allow
sshd: 10.0.0.0/255.255.0.0
Sendmail: ALL
Security Tools - simple
less
$ /usr/bin/less /var/log/maillog
last
$ /usr/bin/last -f /var/log/wtmp -t 20080520144258
Security Tools
lastlog
$ lastlog -u weesan
Username Port From Latest
weesan pts/14 xx.xx.xx Tue May 27 22:39:35 -0700 2008
grep
$ /bin/grep "Relaying denied" /var/log/maillog
May 27 21:54:58 fw sm-mta[4463]: m4S4swAI004463: ruleset=check_rcpt, arg1=<[email protected]>, relay=219-84-62-105-adsl-tpe.dynamic.so-net.net.tw [219.84.62.105], reject=550 5.7.1 <[email protected]>... Relaying denied
Security Tools
cat
$ /bin/cat /var/log/secure
May 27 21:14:05 fw vsftpd[4068]: refused connect from 66.11.116.140
May 27 22:24:15 fw vsftpd[4474]: refused connect from 204.8.216.130
May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
May 27 23:11:36 fw su[4606]: + pts/4 weesan-root
tail -f
$ /usr/bin/tail -f /var/log/messages
May 27 22:10:52 fw sshd[4118]: Accepted publickey for weesan from 10.0.0.33 port 41551 ssh2
May 27 21:58:12 fw -- MARK --
May 27 22:18:13 fw -- MARK --
May 27 22:38:13 fw -- MARK --
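An added example, not part of the slides, that turns the grep-by-eye of the last three slides into a small detector over constructed log lines modelled on the /var/log/secure and /var/log/maillog excerpts above (the IPs, hostnames and PIDs in the sample are made up; the threshold is an assumed tuning value).

```python
import re
from collections import Counter

# Constructed sample in the syslog format the slides show (values are made up)
SAMPLE_LOG = """\
May 27 21:14:05 fw vsftpd[4068]: refused connect from 192.0.2.10
May 27 21:54:58 fw sm-mta[4463]: m4S4swAI004463: ruleset=check_rcpt, relay=host.example [198.51.100.7], reject=550 5.7.1 ... Relaying denied
May 27 22:10:52 fw sshd[4118]: Accepted publickey for weesan from 10.0.0.33 port 41551 ssh2
May 27 22:24:15 fw vsftpd[4474]: refused connect from 192.0.2.10
May 27 22:38:13 fw -- MARK --
May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
May 27 23:11:36 fw su[4606]: + pts/4 weesan-root
May 27 23:12:40 fw vsftpd[4610]: refused connect from 203.0.113.5
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<prog>[\w.\-]+)\[(?P<pid>\d+)\]: )?(?P<msg>.*)$")
REFUSED_RE = re.compile(r"refused connect from (\S+)")
SU_RE = re.compile(r"^\+ (\S+) (\S+)-(\S+)$")     # "+ tty fromuser-touser" on success

def parse(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def scan(text, refused_threshold=2):
    """Summarise the events the slides look for, plus a repeat-refusal check."""
    refused = Counter()
    report = {"relay_denied": 0, "su_to_root": [], "ssh_logins": [], "rsh_connects": []}
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["prog"] is None:    # skips the "-- MARK --" heartbeat
            continue
        msg = rec["msg"]
        if (m := REFUSED_RE.search(msg)):
            refused[m.group(1)] += 1
        elif "Relaying denied" in msg:
            report["relay_denied"] += 1
        elif rec["prog"] == "su" and (m := SU_RE.match(msg)) and m.group(3) == "root":
            report["su_to_root"].append((m.group(2), rec["ts"]))
        elif rec["prog"] == "sshd" and msg.startswith("Accepted "):
            report["ssh_logins"].append(msg.split()[3])
        elif rec["prog"] == "in.rshd":             # rsh is exactly what the ssh slide replaces
            report["rsh_connects"].append(msg.split()[-1])
    report["refused_by_ip"] = dict(refused)
    report["repeat_refusals"] = sorted(ip for ip, n in refused.items() if n >= refused_threshold)
    return report
```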
Security Tools
watch
$ /usr/bin/watch /usr/bin/who
Security Tools - advanced
nmap
Port scanning
$ nmap -sT www.linux.is.better
Guess what OS a remote system is running
$ nmap -O -sV www.linux.is.better
Nessus
A powerful and useful software vulnerability scanner
John the Ripper
Crack replacement
Security Tools
Samhain
Host-based intrusion detection
Security-Enhanced Linux (SELinux)
Not recommended
Kerberos
Guarantees that users and services are in fact who they claim to be
PGP - Pretty Good Privacy
Used to encrypt data, to generate signatures, and to verify the origin of files and messages
GnuPG
Security Tools
ssh
A replacement for telnet
scp
A replacement for ftp
One-time passwords
Generate passwd off-line, good for once only
Stunnel
Secure tunnel
Firewall
iptables
iptables
Linux kernel ver 2.4 introduced Netfilter
iptables controls Netfilter
Applies ordered "chains" of rules to network packets
3 default chains in the filter table:
INPUT: rules applied to incoming packets
OUTPUT: rules applied to outgoing packets
FORWARD: rules applied to packets from one NIC to another
iptables (cont)
In addition to the filter table with its 3 default chains:
nat: for setting up NAT
mangle: for modifying the packet header
Each rule has a target:
ACCEPT DROP REJECT LOG REDIRECT RETURN …
iptables (cont)
1. $ iptables -F                                   # Flush the filter table
2. $ iptables -P INPUT ACCEPT                      # Default to ACCEPT, why???
3. $ iptables -P FORWARD ACCEPT
4. $ iptables -N RH-Firewall-1-INPUT               # Create a new chain
5. $ iptables -A INPUT -j RH-Firewall-1-INPUT      # Link the INPUT & FORWARD chains to the new chain
6. $ iptables -A FORWARD -j RH-Firewall-1-INPUT
7. $ iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT               # -i: in-interface, -j: jump to target
8. $ iptables -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
9. $ iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
10. $ iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
11. $ iptables -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
12. $ iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
13. $ iptables -A RH-Firewall-1-INPUT -j LOG       # Log to /var/log/syslog before rejecting it
14. $ iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited   # Reject all others
iptables (cont)
Add the following between line 10 & 11 to reject all the adv websites:
for ad in $ADV_SERVERS; do
    iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp -d $ad --dport 80 -j REJECT
done
To accept certain connections/services, figure out the protocol type and port number and add a new line similar to line 12
Q: What protocol type does DNS use? On which port?
A: Check out /etc/services
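As an added example that is not part of the slides, a small Python model of how netfilter walks rules 4 to 14 together with the ad-blocking loop above; it makes the "Default to ACCEPT, why???" question concrete, since every packet that matches nothing else is logged and rejected by rules 13 and 14 before the chain policy could ever apply. The match keys, the 198.51.100.9 ad server and the packets are constructed for this example; the real kernel semantics it mirrors are first terminal match wins, LOG is non-terminating, and falling off a user chain returns to the caller.

```python
from collections import defaultdict

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}        # rules 2 and 3
ADV_SERVERS = ["198.51.100.9"]                            # constructed $ADV_SERVERS

# Rule table: (match-dict, target); keys mirror -i, -p, --dport, --state, -d
CHAINS = defaultdict(list)
CHAINS["INPUT"].append(({}, "RH-Firewall-1-INPUT"))      # rule 5
CHAINS["FORWARD"].append(({}, "RH-Firewall-1-INPUT"))    # rule 6
fw = CHAINS["RH-Firewall-1-INPUT"]                        # rule 4
fw.append(({"iface": "lo"}, "ACCEPT"))                                    # 7
fw.append(({"proto": "icmp"}, "ACCEPT"))                                  # 8
fw.append(({"proto": "udp", "dport": 631}, "ACCEPT"))                     # 9
fw.append(({"proto": "tcp", "dport": 631}, "ACCEPT"))                     # 10
for ad in ADV_SERVERS:                                    # the "between 10 & 11" loop
    fw.append(({"iface": "eth1", "proto": "tcp", "dst": ad, "dport": 80}, "REJECT"))
fw.append(({"state": ("ESTABLISHED", "RELATED")}, "ACCEPT"))              # 11
fw.append(({"state": ("NEW",), "proto": "tcp", "dport": 22}, "ACCEPT"))   # 12
fw.append(({}, "LOG"))                                                    # 13
fw.append(({}, "REJECT"))                                                 # 14

def matches(match, pkt):
    """Every key in the rule's match must agree with the packet (tuples = any-of)."""
    for key, want in match.items():
        have = pkt.get(key)
        if isinstance(want, tuple):
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def evaluate(chain, pkt, log):
    """First terminal match wins; LOG continues; a user chain that runs out
    of rules returns None (implicit RETURN) and only then the caller's policy applies."""
    for match, target in CHAINS[chain]:
        if not matches(match, pkt):
            continue
        if target == "LOG":
            log.append(pkt)
            continue
        if target in TERMINAL:
            return target
        verdict = evaluate(target, pkt, log)       # -j <user chain>
        if verdict is not None:
            return verdict
    return POLICY.get(chain)

def verdict(chain, pkt):
    """Return (final verdict, number of LOG hits) for one packet entering chain."""
    log = []
    return evaluate(chain, pkt, log), len(log)
```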
iptables (cont)
To turn on NAT:
$ iptables -t nat -F
# Redirect HTTP traffic to a web cache server
$ iptables -A PREROUTING -t nat -i eth1 -p tcp -d $ALL --dport 80 -j REDIRECT --to-ports 3128
# Turn on NAT for TCP, UDP and ICMP
$ iptables -A POSTROUTING -t nat -o eth0 -p tcp -s 10.0.0.0/24 -j MASQUERADE
$ iptables -A POSTROUTING -t nat -o eth0 -p udp -s 10.0.0.0/24 -j MASQUERADE
$ iptables -A POSTROUTING -t nat -o eth0 -p icmp -s 10.0.0.0/24 -j MASQUERADE
iptables (cont)
To view the rules:
$ iptables -L -v
To view the rules in the NAT table:
$ iptables -L -v -t nat
Reference
LAH Ch 20 - Security
iptables: $ man iptables
Unix Advanced System Admin. EdCert: https://www.ussg.iu.edu/edcert/course/view.php?id=7
CERT: http://www.cert.org/
Security Focus: http://www.securityfocus.com/