Security (WeeSan Lee, weesan/cs183)
Posted on 22-Dec-2015
What's wrong with this picture?
[Diagram: the Internet wired straight to the hosts www, eon, db and kilo-1; no firewall in the picture]
What's wrong with this picture?
[Diagram: the same hosts (www, eon, db, kilo-1), now with a single firewall, fw, between them and the Internet]
What's wrong with this picture?
[Diagram: two firewalls, fw and fw2, and a DMZ; hosts www, eon, db, kilo-1]
What's wrong with this picture?
[Diagram: three firewalls, fw, fw2 and fw3, and a DMZ; hosts www, eon, db, kilo-1]
Each diagram adds another layer of filtering between the Internet and the hosts: first a single firewall, then a DMZ between two firewalls, then a third firewall.
Roadmap
- Introduction
- How is security compromised?
- Security tips
- Security tools
- iptables
- Q&A
Introduction
- The design of Unix/Linux was optimized for convenience over security
- That held until the "Internet Worm" written by Robert Morris, Jr. (1988)
  - CERT was formed as a result
- Even so, Unix/Linux is still more secure than Windows
- In general, no stock Windows/Unix/Linux installation is secure on its own: put a dedicated firewall in front of it
How is security compromised?
- Social engineering
  - Users and admins are often the weakest links in the chain of security
  - 60% of security incidents involve an insider
  - Educate the users
- Configuration errors
  - e.g. accounts without a password
- Software vulnerabilities
  - Buffer overflows
  - Use of relative paths (a program that runs "cat" instead of "/bin/cat" executes whichever "cat" comes first on the caller's PATH)
How is security compromised? (cont)

  system("/bin/cat " . $_POST["filename"]);

OOPS! The POST parameter is pasted into a command line that a shell then re-parses, so a request with filename=/dev/null; id (anything after a ";", "|" or "&&") runs the attacker's command as the web server user. This is command injection: never build a shell command from user input; validate the value against an allowlist and pass it as a single argument, not as part of a command string.
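As an added example (not from the slides), the same bug rebuilt as a shell function so the injection can be run locally next to a hardened version. The file name, the payload and the temporary directory are constructed for the demo; "filename" stands in for the untrusted $_POST["filename"] value.

```shell
#!/bin/sh
# Added example (not from the slides): the PHP one-liner's bug as two shell
# functions, one vulnerable and one hardened, run on constructed input.

# Vulnerable: the untrusted string is spliced into a command line that a
# shell re-parses, exactly like system("/bin/cat " . $_POST["filename"]).
vuln_cat() {
    sh -c "/bin/cat $1" 2>/dev/null
}

# Hardened: (1) the name must match a strict allowlist (no directories, no
# option-like names, no metacharacters) and (2) it is handed to cat as one
# argument after "--", so no shell ever re-parses it.
safe_cat() {
    case "$1" in
        */*|-*|'') return 2 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._]+$' || return 2
    /bin/cat -- "$1" 2>/dev/null
}

# Constructed inputs: a harmless file and a file name carrying a payload.
demo_dir=$(mktemp -d)
echo 'hello' > "$demo_dir/notes.txt"
cd "$demo_dir" || exit 1
benign='notes.txt'
payload='notes.txt; echo INJECTED'

vuln_cat "$benign"       # hello
vuln_cat "$payload"      # hello, then INJECTED: the attacker's command ran
safe_cat "$benign"       # hello
safe_cat "$payload" || echo "rejected (status $?)"
```

The allowlist is deliberately narrower than "anything that is not a shell metacharacter": a denylist is what people get wrong, an allowlist of characters you actually need is what survives review.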
Security Tips
- Employ packet filtering
- Keep software patched
  - Put "yum update" in the crontab
- Frequent backups
- Logging
  - /var/log/messages, /var/log/secure, /var/log/maillog, /var/log/wtmp
  - Centralized remote logging, so an intruder who gets root cannot quietly edit the only copy of the logs
    $ man syslog.conf
Security Tips (cont)
- Turn off unnecessary services. First find out what is listening:
  $ /bin/netstat -ta | grep LISTEN
  tcp 0 0 *:submission   *:* LISTEN
  tcp 0 0 *:sunrpc       *:* LISTEN
  tcp 0 0 *:x11          *:* LISTEN
  tcp 0 0 *:38516        *:* LISTEN
  tcp 0 0 localhost:ipp  *:* LISTEN
  tcp 0 0 *:smtp         *:* LISTEN
  …
  Then map an unfamiliar port back to the process that owns it:
  $ /usr/sbin/lsof -i :38516
  COMMAND   PID USER FD TYPE DEVICE SIZE NODE NAME
  rpc.statd 911 nobody 9u IPv4 1952 TCP *:38516 (LISTEN)
  (netstat -tlnp, run as root, shows the owning PID and program name directly.)
Security Tips (cont)
- Passwords
  - To check for empty (null) passwords, look at the second field of /etc/shadow:
    $ perl -F: -ane 'print if not $F[1];' /etc/shadow
  - To find all UID-0 (root-equivalent) accounts: $F[2] in /etc/passwd is the UID field and Perl treats the string "0" as false, so "not $F[2]" selects exactly the lines whose UID is 0. This is not a test for an empty password (the password field lives in /etc/shadow), but any UID-0 account other than root is just as important to catch:
    $ perl -F: -ane 'print if not $F[2];' /etc/passwd
  - Password aging (see chage(1))
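As an added example (not from the slides), the two one-liners above rewritten as awk over constructed copies of /etc/passwd and /etc/shadow, so they run without root and so the difference between an empty, a locked and a hashed password field is visible. The account names and the "$6$saltsalt$hashhashhash" string are made up and are not real hashes.

```shell
#!/bin/sh
# Added example (not from the slides): password-field and UID-0 audit over
# constructed /etc/passwd and /etc/shadow data. Field layout in both files:
# $1 = name, $2 = password (hash, "x", "!", "*" or empty); in passwd $3 = UID.

# Constructed sample data (not real accounts or hashes).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin'

SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:17000:0:99999:7:::
toor::17000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:17000:0:99999:7:::
bob:!:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::'

# Accounts whose shadow password field is empty: anyone can log in with no
# password at all. "!" and "*" mean locked, not empty, so they are not reported.
find_empty_passwords() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }'
}

# UID-0 accounts other than root. This is what the slide's second one-liner
# really matches (Perl treats "0" as false); an extra UID-0 account is a
# classic backdoor left by an intruder.
find_uid0() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Locked accounts ("!" or "*" prefix), listed so the audit is complete.
find_locked() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

echo "empty passwords:      $(find_empty_passwords)"         # toor
echo "extra UID-0 accounts: $(find_uid0)"                    # toor
echo "locked accounts:      $(find_locked | tr '\n' ' ')"    # bob nobody
```

On a real host replace the printf of the sample strings with cat /etc/shadow (as root) and cat /etc/passwd; the awk programs stay the same.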
Security Tips (cont)
- Minimize the number of setuid programs (about 35 setuid programs on an average system). Mail the list to the admin and watch for changes:
  $ find / -user root -perm -4000 -print | mail -s 'setuid root files' sysadm
- File permissions
  - /etc/passwd and /etc/group should be 644
  - /etc/shadow should be 600
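As an added example (not from the slides), the find above turned into a baseline-and-diff check that reports only new setuid binaries, plus an exact-mode check for the files the slide lists. It runs on a constructed temporary tree, so it needs no root and drops "-user root"; point ROOT at / and restore that test to audit a real host.

```shell
#!/bin/sh
# Added example (not from the slides): detect new setuid files against a
# saved baseline, and flag wrong modes on passwd/shadow. Everything below
# runs inside a constructed temporary tree.

ROOT=$(mktemp -d)
BASELINE="$ROOT/.setuid-baseline"

# Constructed tree: two "legitimate" setuid binaries and the two config files.
mkdir -p "$ROOT/usr/bin" "$ROOT/etc"
for f in passwd su; do : > "$ROOT/usr/bin/$f"; chmod 4755 "$ROOT/usr/bin/$f"; done
: > "$ROOT/etc/shadow"; chmod 600 "$ROOT/etc/shadow"
: > "$ROOT/etc/passwd"; chmod 644 "$ROOT/etc/passwd"

# The slide's find, minus "-user root", relative to ROOT, sorted so comm works.
list_setuid() {
    find "$ROOT" -type f -perm -4000 -print | sed "s|^$ROOT||" | sort
}

# Record what is expected once; rerun new_setuid from cron to catch additions.
save_baseline() { list_setuid > "$BASELINE"; }

# Paths present now but absent from the baseline.
new_setuid() {
    list_setuid | comm -13 "$BASELINE" -
}

# Prints the path if its mode is not exactly the expected octal mode.
wrong_mode() {
    find "$1" -maxdepth 0 ! -perm "$2" -print
}

save_baseline
# Simulate an intruder leaving a setuid binary behind.
: > "$ROOT/tmp_sh"; chmod 4755 "$ROOT/tmp_sh"
new_setuid                           # /tmp_sh
# Simulate a too-permissive shadow file.
chmod 644 "$ROOT/etc/shadow"
wrong_mode "$ROOT/etc/shadow" 600    # prints the path
wrong_mode "$ROOT/etc/passwd" 644    # prints nothing
```

The baseline file must live somewhere the intruder cannot rewrite (or be mailed off the host, as the slide does), otherwise a root-level intruder simply adds the new binary to it.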
Security Tips (cont)
- Don't use /etc/hosts.equiv or ~/.rhosts
  - Create an unwritable, zero-length, root-owned ~/.rhosts so the user cannot create one of their own
- Use LDAP instead of NIS
- Use NFSv4
- Run ClamAV or other antivirus software
- TCP wrappers: /etc/hosts.{allow,deny}. hosts.allow is consulted first, so deny everything in hosts.deny and list the exceptions in hosts.allow:
  $ cat /etc/hosts.deny
  ALL: ALL
  $ cat /etc/hosts.allow
  sshd: 10.0.0.0/255.255.0.0
  sendmail: ALL
Security Tools - simple
- less
  $ /usr/bin/less /var/log/maillog
- last (-f picks the wtmp file to read; -t YYYYMMDDHHMMSS shows who was logged in at that moment)
  $ /usr/bin/last -f /var/log/wtmp -t 20080520144258
Security Tools (cont)
- lastlog
  $ lastlog -u weesan
  Username  Port    From      Latest
  weesan    pts/14  xx.xx.xx  Tue May 27 22:39:35 -0700 2008
- grep
  $ /bin/grep "Relaying denied" /var/log/maillog
  May 27 21:54:58 fw sm-mta[4463]: m4S4swAI004463: ruleset=check_rcpt, arg1=<[email protected]>, relay=219-84-62-105-adsl-tpe.dynamic.so-net.net.tw [219.84.62.105], reject=550 5.7.1 <[email protected]>... Relaying denied
Security Tools (cont)
- cat
  $ /bin/cat /var/log/secure
  May 27 21:14:05 fw vsftpd[4068]: refused connect from 66.11.116.140
  May 27 22:24:15 fw vsftpd[4474]: refused connect from 204.8.216.130
  May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
  May 27 23:11:36 fw su[4606]: + pts/4 weesan-root
- tail -f (follow the log as it grows)
  $ /usr/bin/tail -f /var/log/messages
  May 27 22:10:52 fw sshd[4118]: Accepted publickey for weesan from 10.0.0.33 port 41551 ssh2
  May 27 21:58:12 fw -- MARK --
  May 27 22:18:13 fw -- MARK --
  May 27 22:38:13 fw -- MARK --
  (the "-- MARK --" lines are syslogd's periodic heartbeat; a gap in them means logging stopped for a while)
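As an added example (not from the slides), the grep and cat habits above turned into a small triage script over log lines in the same format as the /var/log/secure and /var/log/messages excerpts shown. The sample is constructed: it reuses the slides' lines and adds a few more (repeat refusals from the same address, a failed su by "mallory", a login from 203.0.113.7, which is a documentation address). Nothing here reads the real files; replace the printf of SAMPLE_LOG with cat /var/log/secure to use it for real.

```shell
#!/bin/sh
# Added example (not from the slides): detection logic over constructed
# syslog-format lines, the kind of thing the slides' grep commands lead to.

SAMPLE_LOG='May 27 21:14:05 fw vsftpd[4068]: refused connect from 66.11.116.140
May 27 21:20:11 fw vsftpd[4070]: refused connect from 66.11.116.140
May 27 21:31:40 fw vsftpd[4072]: refused connect from 66.11.116.140
May 27 22:10:52 fw sshd[4118]: Accepted publickey for weesan from 10.0.0.33 port 41551 ssh2
May 27 22:24:15 fw vsftpd[4474]: refused connect from 204.8.216.130
May 27 23:10:02 fw in.rshd[4558]: connect from 10.0.0.33
May 27 23:11:36 fw su[4606]: + pts/4 weesan-root
May 27 23:12:01 fw su[4610]: - pts/5 mallory-root
May 27 23:30:00 fw sshd[4700]: Accepted password for mallory from 203.0.113.7 port 5555 ssh2'

# Refused connections per source address, busiest first (the "Relaying denied"
# grep on the previous slide is the same idea for mail).
refused_by_source() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/refused connect from/ { n[$NF]++ } END { for (ip in n) print n[ip], ip }' \
      | sort -rn
}

# Sources at or above a threshold: candidates for a firewall REJECT rule.
noisy_sources() {
    threshold=${1:-3}
    refused_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# su lines: "+" is a successful switch, "-" a failed one; "user-root" names
# who became (or tried to become) root.
su_to_root() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/ su\[[0-9]+\]: / && $NF ~ /-root$/ {
               status = ($(NF-2) == "+") ? "ok" : "FAILED"
               sub(/-root$/, "", $NF); print status, $NF }'
}

# Successful ssh logins from outside the 10.0.0.0/8 space deserve a look.
accepted_logins_outside_lan() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/sshd\[[0-9]+\]: Accepted/ {
               ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
               if (ip != "" && ip !~ /^10\./) print ip }'
}

refused_by_source              # 3 66.11.116.140 / 1 204.8.216.130
noisy_sources 3                # 66.11.116.140
su_to_root                     # ok weesan / FAILED mallory
accepted_logins_outside_lan    # 203.0.113.7
```

The threshold and the "10." test are the tunable parts; the point is that each function answers one question an admin asks when reading these logs by hand.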
Security Tools (cont)
- watch (rerun a command every two seconds and display its output)
  $ /usr/bin/watch /usr/bin/who
Security Tools - advanced
- nmap
  - Port scanning (TCP connect scan):
    $ nmap -sT www.linux.is.better
  - Guess what OS a remote system is running and which service versions it exposes:
    $ nmap -O -sV www.linux.is.better
- Nessus: a powerful and useful vulnerability scanner
- John the Ripper: a replacement for Crack; run it against your own /etc/shadow to find weak passwords before an attacker does
Security Tools (cont)
- Samhain: host-based intrusion detection (file integrity checking)
- Security-Enhanced Linux (SELinux): not recommended
- Kerberos: guarantees that users and services are in fact who they claim to be
- PGP (Pretty Good Privacy): used to encrypt data, to generate signatures, and to verify the origin of files and messages
  - GnuPG is the free implementation
Security Tools (cont)
- ssh: a replacement for telnet (and rsh/rlogin)
- scp: a replacement for ftp (and rcp)
- One-time passwords: generated off-line and good for a single login only
- Stunnel: wraps a plaintext protocol in an SSL/TLS tunnel
- Firewall: iptables
iptables
- Linux kernel 2.4 introduced Netfilter; iptables is the userland tool that controls it
- Applies ordered "chains" of rules to network packets
- The filter table has 3 built-in chains:
  - INPUT: rules applied to packets destined for this host
  - OUTPUT: rules applied to packets generated by this host
  - FORWARD: rules applied to packets routed through this host from one NIC to another
iptables (cont)
- In addition to the filter table there are two more tables:
  - nat: for setting up NAT (chains PREROUTING, OUTPUT, POSTROUTING)
  - mangle: for modifying packet headers
- Each rule has a target:
  ACCEPT, DROP, REJECT, LOG, REDIRECT, RETURN, …
  (ACCEPT, DROP and REJECT end processing of the packet; LOG writes a record and continues with the next rule; REDIRECT is a nat-table target)
iptables (cont)

 1. $ iptables -F
 2. $ iptables -P INPUT ACCEPT
 3. $ iptables -P FORWARD ACCEPT
 4. $ iptables -N RH-Firewall-1-INPUT
 5. $ iptables -A INPUT -j RH-Firewall-1-INPUT
 6. $ iptables -A FORWARD -j RH-Firewall-1-INPUT
 7. $ iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
 8. $ iptables -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
 9. $ iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
10. $ iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
11. $ iptables -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
12. $ iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
13. $ iptables -A RH-Firewall-1-INPUT -j LOG
14. $ iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

- Line 1: flush the filter table
- Lines 2-3: default policy ACCEPT, why??? Because line 14 ends the custom chain with a catch-all REJECT, no packet ever falls through to the policy. The price is that a flush (line 1, or a typo while editing) leaves the host wide open until the chain is rebuilt; a DROP policy fails closed instead.
- Line 4: create a new chain
- Lines 5-6: link the INPUT and FORWARD chains to the new chain
- Lines 7-12: -i is the in-interface, -j the target to jump to. Accept loopback, ICMP, printing (631/udp and 631/tcp), anything belonging to an already established connection, and new SSH connections
- Line 13: log the packet (via the kernel log and syslog; /var/log/messages on a Red Hat system) before rejecting it
- Line 14: reject all others
iptables (cont)
- Add the following between lines 10 and 11 to reject all the ad websites ($ADV_SERVERS holds their addresses; eth1 is the interface the traffic arrives on):
  for ad in $ADV_SERVERS; do
      iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp -d $ad --dport 80 -j REJECT
  done
- To accept certain connections/services, figure out the protocol type and port number and add a new line similar to line 12
  - Q: What protocol type does DNS use? On which port?
  - A: Check /etc/services. DNS is listed as "domain", port 53, over both udp and tcp, so it needs one rule for each
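As an added example (not from the slides), the /etc/services lookup the slide suggests, followed by generation of rules in the shape of line 12 above. The rules are only printed, never loaded, so it runs without root; SERVICES_DB is a constructed excerpt in /etc/services format (on a real host read the file itself), and the chain name is the one used on the previous slide.

```shell
#!/bin/sh
# Added example (not from the slides): look a service up in /etc/services
# format and emit matching iptables ACCEPT rules. Output only; nothing is loaded.

# Constructed excerpt in /etc/services layout: name, port/proto.
SERVICES_DB='ssh             22/tcp
ssh             22/udp
domain          53/tcp
domain          53/udp
http            80/tcp
submission      587/tcp
ipp             631/tcp
ipp             631/udp'

CHAIN=RH-Firewall-1-INPUT

# Print "proto port" pairs for a service name. DNS is "domain" and has both a
# udp and a tcp entry, which is why a DNS rule needs two lines.
lookup_service() {
    printf '%s\n' "$SERVICES_DB" \
      | awk -v svc="$1" '$1 == svc { split($2, a, "/"); print a[2], a[1] }'
}

# Emit one ACCEPT rule per protocol/port, shaped like the slide's line 12
# (NEW connections only; ESTABLISHED,RELATED are already accepted by line 11).
# An optional second argument restricts the protocol: /etc/services lists
# ssh as 22/udp too, which sshd does not use, so check the output before
# loading it.
allow_service() {
    lookup_service "$1" \
      | awk -v want="${2:-}" 'want == "" || $1 == want' \
      | while read -r proto port; do
            printf 'iptables -A %s -m state --state NEW -p %s --dport %s -j ACCEPT\n' \
                "$CHAIN" "$proto" "$port"
        done
}

# A REJECT for a noisy source, shaped like the ad-server loop on this slide.
reject_source() {
    printf 'iptables -A %s -i eth1 -p tcp -s %s -j REJECT --reject-with icmp-host-prohibited\n' \
        "$CHAIN" "$1"
}

allow_service domain        # udp and tcp, port 53
allow_service ssh tcp       # tcp only, port 22
reject_source 66.11.116.140
```

Pipe the output into sh (as root) once it has been reviewed; generating first and loading second is what keeps a typo from becoming an open port.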
iptables (cont)
- To turn on NAT (the kernel must also be forwarding: net.ipv4.ip_forward = 1)
  $ iptables -t nat -F
  # Redirect HTTP traffic to a web cache server ($ALL stands for the destination range; 3128 is Squid's default port)
  $ iptables -A PREROUTING -t nat -i eth1 -p tcp -d $ALL --dport 80 -j REDIRECT --to-ports 3128
  # Turn on NAT for TCP, UDP and ICMP
  $ iptables -A POSTROUTING -t nat -o eth0 -p tcp -s 10.0.0.0/24 -j MASQUERADE
  $ iptables -A POSTROUTING -t nat -o eth0 -p udp -s 10.0.0.0/24 -j MASQUERADE
  $ iptables -A POSTROUTING -t nat -o eth0 -p icmp -s 10.0.0.0/24 -j MASQUERADE
  (a single rule without -p would cover every protocol; listing them makes the intent explicit)
iptables (cont)
- To view the rules
  $ iptables -L -v
- To view the rules in the NAT table
  $ iptables -L -v -t nat
  (add -n to skip DNS lookups and show numeric addresses and ports)
Reference
- LAH (Linux Administration Handbook), Ch. 20, Security
- iptables: $ man iptables
- Unix Advanced System Admin. EdCert: https://www.ussg.iu.edu/edcert/course/view.php?id=7
- CERT: http://www.cert.org/
- SecurityFocus: http://www.securityfocus.com/