RHCE3 Slide1
Welcome!
RHCE-III Part
Durgesh Tomar
Security Concerns and Policy
2
Understanding Security
A network is only as secure as the most open system in that
network. Although no system can be 100 percent secure, you
can follow certain basic host measures to enhance the security
on any given system and, consequently, your network. When
devising security measures, you have to plan for two types of
security violations: user accidents and break-ins.
Accidents happen because users lack adequate training or are
unwilling to follow procedures. If security is too burdensome,
productivity may suffer, and your users will try to get around your
rules. Password security falls into this category.
Crackers who break into your system may be looking for secrets such as credit card information. Others may just want to bring down your system.
3
Understanding Security
Types of Security
Network ( External )
Local ( Internal )
Physical
4
Hacker versus Cracker
A hacker is someone who programs creatively and usually for
the pure enjoyment of it (most programmers who work on Linux
are hackers in this sense). The correct term for someone who
breaks into computer systems is a cracker.
There are many types of crackers, ranging from professional
computer criminals to the hobbyist types that break into
computers for the thrill. The growth of the cracker problem has
kept pace with the growth of the Internet. A new, younger generation of cracker is emerging. These teenage pseudo-crackers do not have all the knowledge and skill of their true cracker counterparts, but they have access to a growing number of cracker tools that automate the breaking of a system's security.
5
Understanding Attack Techniques
Attacks on computing systems take on different forms,
depending on the goal and resources of the attacker. Some
attackers desire to be disruptive, while others desire to infiltrate
your machines and utilize the resources for their own nefarious
purposes. Still others are targeting your data for financial gain or
blackmail. Here are three major categories of attacks:
Denial of Service (DOS)
Distributed Denial of Service (DDOS)
Intrusion attacks
6
Denial of Service (DOS)
The easiest attacks to perpetrate are Denial of Service attacks.
The primary purpose of these attacks is to disrupt the activities
of a remote site by overloading it with irrelevant data. DOS
attacks can be as simple as sending thousands of page
requests per second at a Web site. These types of attacks are
easy to perpetrate and easy to protect against. Once you have a
handle on where the attack is coming from, a simple phone call
to the perpetrator's ISP will get the problem solved.
7
Distributed Denial of Service (DDOS)
More advanced DOS attacks are called Distributed Denial of
Service attacks. DDOS attacks are much harder to perpetrate
and nearly impossible to stop. In this form of attack, an attacker
takes control of hundreds or even thousands of weakly secured
Internet connected computers. The attacker then directs them in
unison to send a stream of irrelevant data to a single Internet
host. The result is that the power of one attacker is magnified
thousands of times. Instead of an attack coming from one
direction, as is the case in a normal DOS, it comes from
thousands of directions at once. The best defense against
DDOS attack is to contact your ISP to see if it can filter traffic at
its border routers.
8
Intrusion attacks
To remotely use the resources of a target machine, attackers
must first look for an opening to exploit. In the absence of inside
information such as passwords or encryption keys, they must
scan the target machine to see what services are offered.
Perhaps one of the services is weakly secured and the attacker
can use some known exploit to finagle his way in.
9
Diagnostic Utilities
Port Scanners
Show what services are available on a system
nmap
Packet Sniffers
Store and analyze all network traffic
tcpdump
ethereal
10
SELinux
11
getenforce
setenforce 0
getenforce
setenforce 1
getenforce
/etc/sysconfig/selinux
getsebool -a | grep ftp
A boolean that is on grants access; one that is off denies it
chcon -t vikas_t directory/file name
To see the context values: ls -Z
identity : object role : type enforcement
Policy:
Targeted: on specific files or directories
Strict: on all
sestatus -v
SELINUX=disabled
chcon changes the context value
12
Securing Networks Using
Firewall ( IPTables )
13
What is Firewall?
Information security is commonly thought of as a process and
not a product. However, standard security implementations
usually employ some form of dedicated mechanism to control
access privileges and restrict network resources to users who
are authorized, identifiable, and traceable. Red Hat Enterprise
Linux includes several powerful tools to assist administrators
and security engineers with network-level access control issues.
14
What is Firewall?
Firewalls are one of the core components of a network security
implementation. Several vendors market firewall solutions catering to all
levels of the marketplace: from home users protecting one PC to data
center solutions safeguarding vital enterprise information. Firewalls can
be standalone hardware solutions, such as firewall appliances by
Cisco, Nokia, and Sonicwall. There are also proprietary software
firewall solutions developed for home and business markets by vendors
such as Checkpoint, McAfee, and Symantec.
Apart from the differences between hardware and software firewalls,
there are also differences in the way firewalls function that separate
one solution from another.
15
iptables
iptables is a front-end tool to manage netfilter (integrated in the Linux kernel), which is the actual firewall. netfilter provides filtering of TCP/IP and UDP based packets, so that we can filter inbound, outbound, and routed traffic from our system.
It helps to keep intruders from other networks from getting into your LAN
and compromising your systems or data. The firewall does this by allowing
some traffic to flow between your network and the Internet while blocking
other traffic by sitting between your network and the outside world.
Before you design a firewall strategy, you should sit down and think about
what you want to protect and how you are going to do it. If you are working
for a company, you should prepare a company security policy. Start by talking to users (or their managers); you can then decide what kinds of services you will let through the firewall.
IPTables can be used to allow or deny packets based on numerous factors
including their destination, their source, which port they are trying to
access, the user ID of the process that created the packet, and more.
16
iptables
iptables has three built-in tables, which cannot be deleted. These are:
17
iptables
18
iptables
filter table:
A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat table:
This table is consulted when a packet that creates a new connection is encountered.
Packets in a stream only traverse this table once. Only the first packet of a stream passes through it. The rest of the packets in the stream will not go through this table again; instead they automatically have the same actions taken on them as the first packet in the stream. This is one reason why filtering should be avoided in this table.
It consists of three built-in chains: PREROUTING (used to alter packets as soon as they come in), OUTPUT (used to alter locally-generated packets before routing), and POSTROUTING (used to alter packets as they are about to go out).
19
iptables
mangle table:
This table is used for packet alteration. Its chains are PREROUTING (for altering incoming packets before routing), OUTPUT (for altering locally-generated packets before routing), INPUT (for altering packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
20
iptables
21
IPTables Command
iptables -t table (action / direction) (packet pattern) -j (fate)
Tables: filter (default), nat, mangle
Actions: -A append, -D delete, -L list, -F flush
Direction: INPUT, OUTPUT, FORWARD
Packet pattern: -s source IP address, -d destination IP address
Fate: DROP, ACCEPT, REJECT
22
IPTables Commands
Examples:
iptables -A INPUT -s 192.168.1.0/24 -j REJECT
iptables -A INPUT -s 192.168.0.20 -p icmp -j DROP
iptables -A INPUT -m mac --mac-source 12:34:56:89:90:ab -j ACCEPT
iptables -A OUTPUT -d www.yahoo.com -j REJECT
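As an added example (not from the slides), the table/chain model and the command syntax above can be turned into a small pre-flight check that flags rules placed in a chain the table does not have, rules without one of the three fates, and DROP/REJECT rules in the nat table. It assumes each rule is given as one complete iptables command line.

```python
# Added example (not from the slides): sanity-check iptables rules against the
# table/chain model described above before loading them.
# Assumption: each rule is one complete 'iptables ...' command line.
import shlex

# Built-in chains of each table, as listed on the slides.
TABLE_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
}
FATES = {"ACCEPT", "DROP", "REJECT"}   # the "fates" the slide lists for -j
ACTIONS = {"-A", "-D"}                 # rule-editing actions handled here


def parse_rule(cmd):
    """Split one iptables command into table, action, chain, match args, fate."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "iptables":
        raise ValueError("not an iptables command: %r" % cmd)
    rule = {"table": "filter", "action": None, "chain": None,
            "fate": None, "matches": []}
    i = 1
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok == "-t" and nxt:
            rule["table"] = nxt
            i += 2
        elif tok in ACTIONS and nxt:
            rule["action"], rule["chain"] = tok, nxt
            i += 2
        elif tok == "-j" and nxt:
            rule["fate"] = nxt
            i += 2
        else:
            rule["matches"].append(tok)   # -s, -d, -p, -m mac ... kept as-is
            i += 1
    return rule


def check_rule(cmd):
    """Return the list of problems found; an empty list means the rule is sane."""
    r = parse_rule(cmd)
    problems = []
    if r["table"] not in TABLE_CHAINS:
        return ["unknown table %s" % r["table"]]
    if r["action"] is None:
        problems.append("no -A/-D <chain> given")
    elif r["chain"] not in TABLE_CHAINS[r["table"]]:
        problems.append("chain %s is not built into the %s table"
                        % (r["chain"], r["table"]))
    if r["fate"] not in FATES:
        problems.append("fate %s is not one of ACCEPT/DROP/REJECT" % r["fate"])
    # Only the first packet of a stream traverses nat, so DROP/REJECT there
    # misses the rest of the stream: filtering belongs in the filter table.
    if r["table"] == "nat" and r["fate"] in {"DROP", "REJECT"}:
        problems.append("filtering in the nat table only sees a stream's first packet")
    return problems
```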
23
tcpwrapper
24
What is TCP Wrappers ?
TCP Wrappers add another level of security to a computer: with TCP Wrappers you can restrict access to your system by remote hosts, using the lists of hosts kept in the /etc/hosts.allow and /etc/hosts.deny files.
TCP Wrappers stand guard between an incoming request and the requested service.
25
Configuration Files
When a client connects to a "tcp wrapped" service, the access control lists /etc/hosts.allow and /etc/hosts.deny are examined. The server will then either accept or drop the connection, depending on the access-list configuration. Policies can be specified for individual services and are usually configured in terms of the client's IP address.
Both files have the same basic syntax to allow or deny a list of clients:
Service List : Client List
26
Configuration Files
Three stages of access checking
Is access explicitly permitted?
Otherwise, is access explicitly denied?
Otherwise, by default, permit access!
Configuration stored in two files
Permissions in /etc/hosts.allow
Denials in /etc/hosts.deny
27
Configuration Files
Examples:
sshd: .example.com
sshd: ALL EXCEPT .cracker.org
sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
ALL EXCEPT sshd: ALL
ALL EXCEPT sshd: ALL EXCEPT .cracker.org
ALL EXCEPT sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
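To make the three-stage check and the EXCEPT syntax concrete, here is an added model of the evaluation (not part of the slides or of tcp_wrappers itself), run against the examples above. It uses only the first two fields of each line, supports ALL, exact names, ".domain" suffixes and "a.b.c." address prefixes as client patterns, and the sample files are constructed.

```python
# Added example (not part of the slides): a small model of the access check
# tcp_wrappers performs against /etc/hosts.allow and /etc/hosts.deny.
# Assumptions: only the first two fields of a line (daemon list, client list)
# are used; client patterns are limited to ALL, exact names, ".domain"
# suffixes and "a.b.c." address prefixes; the sample files are constructed.


def _split_list(text):
    """'a, b c' -> ['a', 'b', 'c']; members may be comma or blank separated."""
    return text.replace(",", " ").split()


def _pattern_matches(pattern, client):
    """Match one pattern against one client host name or address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):       # .example.com matches host.example.com
        return client.endswith(pattern)
    if pattern.endswith("."):         # 192.168.0. matches 192.168.0.20
        return client.startswith(pattern)
    return client == pattern


def list_matches(text, client):
    """Evaluate 'a EXCEPT b EXCEPT c', which nests as a EXCEPT (b EXCEPT c)."""
    text = " ".join(text.split())     # normalise blanks and tabs
    head, sep, rest = text.partition(" EXCEPT ")
    matched = any(_pattern_matches(p, client) for p in _split_list(head))
    if sep:
        return matched and not list_matches(rest, client)
    return matched


def _file_matches(lines, daemon, client):
    """First matching 'daemon_list : client_list' line wins, as in the real files."""
    for line in lines:
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:
            continue                  # blank line or comment
        if list_matches(fields[0], daemon) and list_matches(fields[1], client):
            return True
    return False


def access_allowed(hosts_allow, hosts_deny, daemon, client):
    """The three stages from the slide: explicit allow, explicit deny, default permit."""
    if _file_matches(hosts_allow, daemon, client):
        return True
    if _file_matches(hosts_deny, daemon, client):
        return False
    return True


# Constructed sample files built from the slide's own examples.
HOSTS_ALLOW = ["sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org",
               "vsftpd: 192.168.0. : banners /etc/banners/"]
HOSTS_DENY = ["ALL: ALL"]   # deny anything not explicitly allowed above
```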
28
TCP Wrappers & Connection Banners
Displaying a suitable banner when users connect to a service is
a good way to let potential attackers know that the system
administrator is being vigilant.
Banner for vsftpd: create a banner file. It can be anywhere on the system, but it must have the same name as the daemon. For example, /etc/banners/vsftpd contains the following lines:
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.
The %c token supplies a variety of client information, such as
the username and hostname, or the username and IP address.
For this banner to be displayed to incoming connections, add
the following line to the /etc/hosts.allow file:
vsftpd : ALL : banners /etc/banners/
29
TCP Wrappers & Enhanced Logging
If certain types of connections are of more concern than others, the
log level can be elevated for that service using the severity option.
Anyone attempting to connect to port 23 (the Telnet port) on an FTP
server is a cracker. To denote this, place an emerg flag in the log
files instead of the default flag, info, and deny the connection.
To do this, place the following line in /etc/hosts.deny:
in.telnetd : ALL : severity emerg
This uses the default authpriv logging facility, but elevates the
priority from the default value of info to emerg, which posts log
messages directly to the console.
30
Understanding and Managing
xinetd daemon
31
What is xinetd daemon?
The xinetd (which stands for Extended Internet Services Daemon) program can start a number of network server daemons simultaneously. The xinetd program listens for connection requests for all of the active servers with scripts in the /etc/xinetd.d directory. There is a generic configuration file for xinetd services, /etc/xinetd.conf. The scripts in the /etc/xinetd.d directory also function as service-specific configuration files.
32
Generic xinetd Configuration
Each file in the /etc/xinetd.d directory specifies a particular
service you want to allow xinetd to manage. By default, scripts in
this directory are disabled.
xinetd provides its own set of access control functions:
host-based
time-based
33
Sample configuration
service telnet
{
        disable         = yes
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        only_from       = 192.168.0.0/24
        no_access       = 192.168.0.1
        access_times    = 08:00-16:00
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
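As an added example (not from the slides), the host-based and time-based attributes of the stanza above can be applied to a connection request the way xinetd does. It assumes IPv4 addresses in CIDR or dotted form, a single HH:MM-HH:MM window, and, as a simplification, that a no_access match wins over only_from; the stanza is a constructed copy of the slide's attributes.

```python
# Added example (not from the slides): apply only_from, no_access and
# access_times from an xinetd stanza to one connection request.
# Assumptions: IPv4 only; one HH:MM-HH:MM access window; no_access wins
# over only_from (a simplification); the stanza below is constructed.
import ipaddress
import re

STANZA = """
service telnet
{
    disable        = yes
    only_from      = 192.168.0.0/24
    no_access      = 192.168.0.1
    access_times   = 08:00-16:00
    log_on_failure += USERID
}
"""


def parse_stanza(text):
    """Return {attribute: value} for one service block ('=' and '+=' lines)."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*\+?=\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def _in_any(addr, networks):
    """True if addr falls inside any of the blank-separated networks/hosts."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks.split())


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def connection_allowed(attrs, client_addr, clock_hhmm):
    """Host check first (no_access, then only_from), then the time window."""
    if "no_access" in attrs and _in_any(client_addr, attrs["no_access"]):
        return False
    if "only_from" in attrs and not _in_any(client_addr, attrs["only_from"]):
        return False
    if "access_times" in attrs:
        start, end = attrs["access_times"].split("-")
        now = _minutes(clock_hhmm)
        if not (_minutes(start) <= now <= _minutes(end)):
            return False
    return True
```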
34
Understanding and Managing
NFS Server
35
What is NFS?
A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they were mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network. NFS is the standard for sharing directories among Linux and Unix computers. It was originally developed by Sun Microsystems in the mid-1980s.
You can create shared NFS directories directly by editing the /etc/exports configuration file, or you can create them with Red Hat's NFS Configuration tool.
36
NFS:- Benefits and Problems
Benefits:
-> DFS (distributed file system) that allows local access to remote files.
-> Uses standard client/server architecture.
-> Using NFS the server "exports" its data to other clients.
-> Provides a centralized storage solution.
-> Users get their data irrespective of physical location.
Problems:
-> Network congestion.
-> Heavy disk activity on the NFS server.
-> Its design assumes a trusted environment, not a hostile environment.
-> NFS is based on RPC (Remote Procedure Call), which is easy to exploit.
-> For security reasons, NFS cannot be used over the Internet.
37
NFS Services
portmap : maps calls made from other machines
nfs : translates NFS requests into requests on the local system
rpc.mountd : mounts and unmounts filesystems
38
Server Configuration : Sharing Files
Exported files are defined in the main configuration file /etc/exports
Examples: vi /etc/exports
/data *.example.com(ro,sync) station1.cracker.org(rw,sync)
/data 192.168.0.0/255.255.255.0(ro,sync)
Then, after exporting files:
service portmap start
service nfs start
chkconfig --level 35 portmap on
chkconfig --level 35 nfs on
39
Client Configuration : Mounting Shares
Mounting can be done by using the following methods
Mount command [ Temporary ]
mount -t nfs 192.168.0.254:/data /mnt
/etc/fstab file [ Permanent ]
192.168.0.254:/data /mnt nfs defaults 0 0
Mounting an NFS share on two directories on the same system
First mount to /home/data
mount -t nfs x.x.x.x:/data /home/data
Now bind /home/data to /backup
mount --bind /home/data /backup
40
NFS Commands
showmount -e : shows the available shares
exportfs -v : displays a list of shared files and options on a server
exportfs -a : exports all shares listed in /etc/exports, or the given name
exportfs -u : unexports all shares listed in /etc/exports, or the given name
exportfs -r : refreshes the server's list after modifying /etc/exports
NFS & TCP Wrappers:
Two services are required for TCP wrappers
mountd
portmap
41
Understanding and Managing
NIS Server
42
What is NIS?
NIS works on the concept of a DOMAIN.
It is used to distribute information that needs to be shared throughout a Linux network.
Developed by Sun Microsystems and originally known as "Yellow Pages".
Mainly used to distribute user database and authentication information such as:
/etc/passwd
/etc/group
43
What is NIS?
NIS services require at least one NIS master server. This is
where the centralized NIS database files, known as maps, are
stored. NIS changes require an update to the map on the master
server. You can have only one NIS master server per NIS
domain.
For larger networks, you may also want an NIS slave server.
NIS slaves take copies of the NIS maps from the master server.
NIS clients can then get their configuration files from either the
master server or a slave server. You can have multiple NIS
slave servers on a network.
NIS clients are systems that use information from an NIS
server. NIS clients don't store any information that is contained
in the NIS databases; whenever that information is needed, it is
retrieved from a server.
44
Configuring NIS Server
Packages needed:
portmap [ installed by default ]
ypserv [ to be installed ]
Main Configuration files of NIS SERVER:
/etc/ypserv.conf
/etc/yp.conf
Step-1.
nisdomainname RHCE
Cross check -- vi /etc/sysconfig/network
NISDOMAIN=RHCE
nisdomainname
service portmap restart
service ypserv restart
45
Configuring NIS Server
Step-2. Make NIS MAP – Make something for NIS to serve.
/usr/lib/yp/ypinit -m
Step-3. Secure Communication [optional ]
vi /var/yp/securenets
255.255.255.0 192.168.0.0
Step-4.
rpcinfo -p localhost
service ypserv start
service portmap start
service yppasswdd start
Step-5. Check status of YP
rpcinfo -p 192.168.0.254
46
Configuring NIS Client
Step-1. Install YPBIND and PORTMAP service.
Step-2. authconfig [CLI / GUI]
Step-3.
/etc/yp.conf ----------- just to confirm
ypserver x.x.x.x
domain RHCE broadcast
domain RHCE server x.x.x.x
Step-4.
Check /etc/sysconfig/network ----- to confirm
NISDOMAINNAME=RHCE
Step-5.
/etc/host.conf ---------- just to confirm
order hosts,nis,bind
47
Configuring NIS Client
Step-6.
/etc/nsswitch.conf ------------- just to confirm
passwd: files nis
shadow: files nis
group: files nis
hosts: files nis
Step -7. Check NISDOMAIN
ypcat passwd
getent passwd
48
Automounting /home folders
Server SIDE Configuration
Step 1: Modify /etc/exports file
vi /etc/exports
/home *(rw,sync)
Step 2: Start portmap and nfs services
service portmap start
service nfs start
chkconfig --level 345 portmap on
chkconfig --level 345 nfs on
49
Automounting /home folders
Client SIDE Configuration
Step 1: Modify /etc/auto.master file
vi /etc/auto.master
/home /etc/auto.home --timeout=60
Step 2: Modify /etc/auto.home file you have specified
vi /etc/auto.home
* -fstype=nfs 192.168.0.254:/home/&
Step 3: Start autofs service
umount /home
service autofs restart
chkconfig --level 345 autofs on
50
Understanding and Managing
PAM Authentication
51
What is PAM?
Linux uses the Pluggable Authentication Modules (PAM) system to check for authorized users. PAM includes a group of dynamically loadable library modules that govern how individual applications verify their users. You can modify PAM configuration files to suit your needs.
PAM provides a generic way for applications to implement support for authentication and authorization. A PAM-enabled application calls libpam functions to perform all authentication tests for it.
52
PAM Operation
PAM works with the help of Modules and Service files
to maintain the security.
PAM Modules are stored in following directory
/lib/security
PAM Service files are stored in following directory
/etc/pam.d
53
PAM Tests
PAM organizes its tests into four management groups, which are checked independently by different libpam library functions.
auth : used by PAM functions which authenticate users.
account : used to verify that an account is valid at this time and that its password has not expired.
password : used to control password changes.
session : called by PAM at the start and at the end of a session.
54
PAM Control Values
PAM uses control values to determine how each test affects the group's overall result.
required : must pass; keep testing even if it fails, but the overall result will then be failure
requisite : as required, except stop testing on failure
sufficient : if the test passes and no required test has failed so far, return success now; if it fails, ignore the test and keep checking
optional : whether the test passes or fails is irrelevant
55
Using PAM to Limiting NIS Users
56
Limiting NIS Users
For Security reasons, some of the users managed by the NIS
server should be allowed to use the NIS client, but some should
not.
57
Limiting NIS Users
Step 1: On your NIS client, modify /etc/pam.d/system-auth
vi /etc/pam.d/system-auth
# local users pass via pam_localuser, NIS users only if listed in
# /etc/nisusers, everyone else is denied. pam_localuser must be
# "sufficient", not "required": a failed required test cannot be
# overridden, so "required" would shut out every NIS user. The last
# line must deny, not permit, or unlisted NIS users would be accepted.
account required   pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_listfile.so item=user sense=allow file=/etc/nisusers onerr=fail
account required   pam_deny.so
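To see how the four control values combine, here is an added model of libpam's stack evaluation (not from the slides), run on an account stack that admits local users and only the NIS users listed in /etc/nisusers, and on a variant with pam_localuser "required", which lets no NIS user through. Modules are modelled as functions of the user name; module options and paths are ignored; the user database and the nisusers list are constructed.

```python
# Added example (not from the slides): a model of how libpam combines the
# results of a stack of modules under the four control values above, run on
# an 'account' stack for limiting NIS users like the one on the slide.
# Assumptions: each module is a function of the user name; module options and
# paths are ignored; the user database and /etc/nisusers are constructed.

def run_stack(stack, user):
    """stack: list of (control, module); module(user) returns True or False."""
    failed = False                          # a required module has failed
    for control, module in stack:
        ok = module(user)
        if control == "required" and not ok:
            failed = True                   # keep testing; the result will be failure
        elif control == "requisite" and not ok:
            return False                    # stop testing immediately
        elif control == "sufficient" and ok and not failed:
            return True                     # success now; later modules are not run
        # a failing 'sufficient' and any 'optional' result are ignored
    return not failed

# Constructed accounts: local users live in /etc/passwd, NIS users do not.
USERS = {
    "root":     {"uid": 0,    "local": True},
    "alice":    {"uid": 500,  "local": True},
    "nisuser1": {"uid": 1001, "local": False},
    "nisuser2": {"uid": 1002, "local": False},
}
NISUSERS_FILE = ["nisuser1"]                # constructed /etc/nisusers

def pam_unix(user):       return user in USERS                 # account exists
def pam_succeed_if(user): return user in USERS and USERS[user]["uid"] < 100
def pam_localuser(user):  return user in USERS and USERS[user]["local"]
def pam_listfile(user):   return user in NISUSERS_FILE         # sense=allow
def pam_deny(user):       return False
def pam_permit(user):     return True

# Stack that admits local users and only the NIS users listed in the file.
NIS_LIMIT_STACK = [
    ("required",   pam_unix),
    ("sufficient", pam_succeed_if),         # uid < 100
    ("sufficient", pam_localuser),
    ("sufficient", pam_listfile),           # file=/etc/nisusers
    ("required",   pam_deny),
]

# Same stack with pam_localuser 'required' and pam_permit last: a failed
# required module cannot be overridden, so no NIS user passes this stack.
STRICT_STACK = [
    ("required",   pam_unix),
    ("sufficient", pam_succeed_if),
    ("required",   pam_localuser),
    ("sufficient", pam_listfile),
    ("required",   pam_permit),
]
```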
58
Limiting NIS Users
You still have to create /etc/nisusers on your NIS client. Each line in that file should be a non-local user to whom we want to grant access.
Step 1: Create / Modify /etc/nisusers file
vi /etc/nisusers
nisuser1
59
?
Questions
Thank You !!!