Security - Tonga Institute of Higher Education

Tonga Institute of Higher Education
The Linux Operating System
Lecture 8: Security
Security in Linux
● Anyone who has a server that is connected full-time to the Internet has to be concerned with security.
● There are many aspects to having a secure network and system, but a well-maintained Linux system is the first line of defence against hackers (people who want to break into computers and get root access).
● The most important thing you can run to protect your computer and network is a firewall.
● If you do not have dedicated hardware for a firewall (which can sometimes be expensive), then a Linux server is a good alternative. It can act as a firewall for you and your network.
Linux Firewalls: Iptables
● Iptables is a way to control how your computer deals with network data. It is built into the Linux kernel and is a replacement for an older firewall program called ipchains.
● Iptables can work as more than just a firewall; it is really a general way to handle the data packets that come in. It can also limit how fast connections are made.
● It can log all network activity, and it can also work as a router, connecting your private network to the Internet.
Iptables
● For Iptables to work as a firewall, we will be most concerned with 'packet filtering', that is, how iptables handles the different packets that come into the computer.
● All traffic through a network is sent in the form of packets, so whatever you are receiving is broken into smaller pieces.
● The start of each packet (the header) says where it is going, where it came from, the type of the packet, and other details.
● Some protocols, such as TCP, which is used for web traffic, mail, and remote logins, use the concept of a 'connection': before any data packets are actually sent, various setup packets (with special headers) are exchanged saying 'I want to connect', 'OK' and 'Thanks'. Then normal packets are exchanged.
Packet Filtering
● A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet.
● It might decide to deny the packet (discard the packet and pretend it had never received it), accept the packet (let the packet go through), or reject the packet (like deny, but tell the source of the packet that it has done so).
● Linux does all this with Iptables, a program that works inside the kernel to look at all packets coming in and going out and decide, based on rules you give it, what to do with each packet.
Iptables
● The Iptables packet filters are set up to look at three types of packets: ones that are FORWARDED, ones that are INPUT and ones that are OUTPUT.
● Forwarded – these are packets from your local network that want to be sent to the Internet. This is when Linux works like a router, sending data from one network to another.
● Input – these are packets that are coming into your computer from the outside world to do something. They might be dangerous.
● Output – these are packets that are made by your computer and are being sent to the Internet.
Iptables
● Iptables should be running when you start the computer. To see the rules currently inside of it, type
  – [root@comp root]# iptables -L
● Iptables doesn't save its rules, which means if you make a change to them, you'll have to save it yourself.
● There are two programs that help you do this. The first is iptables-save, which outputs all the current rules so that you can save them to a file.
● Then there is a program called iptables-restore, which reads rules back from a file.
● Examples:
  – [root@comp root]# iptables-save > table.rules
  – [root@comp root]# cat table.rules | iptables-restore
Looking at a rule
● Rules are the most important part of packet filtering. Most commonly, you will use the append (-A) and delete (-D) commands when you add or remove rules.
● Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a 'target').
● For example, you might want to drop all ICMP packets coming from the IP address 192.168.0.23. So in this case our conditions are that the protocol must be ICMP and that the source address must be 192.168.0.23. Our target is 'DROP'.
  – [root@comp root]# iptables -A INPUT -s 192.168.0.23 -p icmp -j DROP
●
Looking at a Rule
  – [root@comp root]# iptables -A INPUT -s 192.168.0.23 -p icmp -j DROP
● -A INPUT – says to append the rule to the INPUT chain, so it looks at packets coming into the computer.
● -s 192.168.0.23 – matches if the packets come from this IP address.
● -p icmp – matches if the packet is using the ICMP protocol.
● -j DROP – says to drop the packet if it matches the other criteria.
● You can also delete this rule if you want by changing -A INPUT to -D INPUT:
  – [root@comp root]# iptables -D INPUT -s 192.168.0.23 -p icmp -j DROP
Rule Specifics
● Source and Destination – You can filter packets based on where they come from and where they are going.
● Use the option '-s source' where 'source' is an IP address or hostname:
  – [root@comp root]# iptables -A INPUT -s 199.99.199.99 -j DROP
● Use the option '-d destination' where 'destination' is an IP address or hostname:
  – [root@comp root]# iptables -A INPUT -d 199.99.199.99 -j ACCEPT
Rule Specifics
● Protocol – You can filter packets based on what protocol they are using (TCP, ICMP, UDP, etc.)
● Use the option '-p protocol' where 'protocol' is tcp, icmp or udp:
  – [root@comp root]# iptables -A INPUT -d 192.168.0.1 -p tcp -j DROP
● If you're using the 'tcp' protocol, you can even block based on port (that means you can stop people from using ftp or your webserver if you don't want them to). The example below drops packets from 199.99.199.99 that are coming to port 80 (webserver) using TCP. Note that the port option is '--dport' (two dashes) and must come after '-p tcp':
  – [root@comp root]# iptables -A INPUT -s 199.99.199.99 -p tcp --dport 80 -j DROP
Rule Specifics
● You also have three choices for what to do with the packet of data.
  – ACCEPT – This will allow the packet to go through to your computer.
    ● Example: iptables -A INPUT -s 192.168.0.4 -j ACCEPT
  – DROP – This will stop the packet from coming through and pretend it never saw it. It will not notify the sender that the packet was dropped, so the computer trying to send the data cannot even tell whether your computer is on the network.
    ● Example: iptables -A INPUT -s 192.168.0.4 -j DROP
  – REJECT – This will stop the packet and tell the sender that it was rejected.
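The rule syntax and targets covered in 'Looking at a rule' and 'Rule Specifics', worked through as an added example that is not part of the lecture: a small Python model that parses the lecture's own iptables commands, appends or deletes them in an INPUT chain, and returns the verdict for constructed sample packets using first-match order and a default policy of ACCEPT. The packet fields, rule dictionaries and helper names are assumptions of this model, not iptables internals.

```python
import shlex

# Constructed teaching model of iptables packet filtering, not the iptables
# program itself: rules use the lecture's command syntax, are checked top to
# bottom with the first match winning, and an unmatched packet gets the policy.
FLAGS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target"}

def packet(src, dst, proto, dport=0):
    """A minimal packet header: just the fields the lecture's rules look at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

def parse_rule(line):
    """Turn 'iptables -A INPUT -s ... -j TARGET' into (action, chain, conditions)."""
    argv = shlex.split(line)[1:]  # drop the leading "iptables"
    action, chain, opts = argv[0], argv[1], argv[2:]
    rule = {}
    for flag, value in zip(opts[::2], opts[1::2]):  # every option takes one value
        rule[FLAGS[flag]] = int(value) if flag == "--dport" else value
    if "dport" in rule and rule.get("proto") != "tcp":
        raise ValueError("--dport is a tcp match option; add -p tcp")
    return action, chain, rule

def apply_command(chains, line):
    """Append (-A) or delete (-D) a rule in the named chain, as iptables does."""
    action, chain, rule = parse_rule(line)
    ops = {"-A": chains[chain].append, "-D": chains[chain].remove}
    ops[action](rule)  # -D removes the first identical rule; nothing else is modelled

def verdict(rules, pkt, policy="ACCEPT"):
    """Target of the first rule whose every condition matches, else the policy."""
    for rule in rules:
        if all(pkt[k] == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return policy

def demo():
    """Load the lecture's rules, classify sample packets, then delete one rule."""
    chains = {"INPUT": []}
    apply_command(chains, "iptables -A INPUT -s 192.168.0.23 -p icmp -j DROP")
    apply_command(chains, "iptables -A INPUT -s 199.99.199.99 -p tcp --dport 80 -j DROP")
    apply_command(chains, "iptables -A INPUT -s 192.168.0.4 -j ACCEPT")
    ping = packet("192.168.0.23", "192.168.0.1", "icmp")  # constructed sample packets
    web = packet("199.99.199.99", "192.168.0.1", "tcp", 80)
    ssh = packet("199.99.199.99", "192.168.0.1", "tcp", 22)
    results = [verdict(chains["INPUT"], p) for p in (ping, web, ssh)]
    apply_command(chains, "iptables -D INPUT -s 192.168.0.23 -p icmp -j DROP")
    results.append(verdict(chains["INPUT"], ping))  # rule gone, so the policy applies
    return results
```

demo() returns ['DROP', 'DROP', 'ACCEPT', 'ACCEPT']: the ICMP and port-80 packets hit their DROP rules, the port-22 packet matches nothing and falls through to the policy, and once the ICMP rule is removed with -D the ping is accepted as well.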
Testing out your network
● Now that you have a firewall installed, you should test it to see if it is vulnerable at all.
● There are many programs available that will check your computer for weaknesses.
● One of the most popular ways to check is through a “port scanner.” This is a program that will check all the ports on your computer to see which are open. If it finds that port 80 is open, then it knows you are running a webserver.
● The most popular of these is called “nmap” and it will provide a lot of useful information about the computer you are testing.
Nmap
● You may need to download and install nmap, because it is not always included.
● Example port scan of google.com:
  [root@tihe root]# nmap -sS -O google.com
  Interesting ports on www.google.com
  (The 1622 ports scanned but not shown below are in state: closed)
  Port      State   Service
  80/tcp    open    http
● This means that port 80 is open and it is running a webserver, but that is it. All other ports are closed. Thus, unless there is a problem with their webserver, they will be pretty safe from hackers.
Security Scanners
● A “port scanner” is a good first step to test your network, but a security scanner will really test things out.
● The most popular security scanner is called Nessus. It will look at whatever computer you tell it to check out and find out everything about it.
● It will look at what version of each service you have running to see if there are known vulnerabilities for that version.
● It will also tell you what to do to fix the problem, and often tell you how to exploit a security hole.
● These tools are often used by hackers themselves to find out if a computer is vulnerable.
Watching your network
● If something is happening to your computer, it's good to have a few tools that can help tell you where data is coming from and where it is going.
● One program, called “iptraf”, will show all incoming and outgoing data and the ports they are using. It can be helpful to determine which computer on a network is acting up.
● Another program, called “etherape”, shows graphically all the data on your network so you can see who is using the most.
Keeping up to date
● If you are in charge of a system that is on the Internet all the time, it is important to keep your programs and services up to date.
● Vulnerabilities in different programs come out fairly regularly, and the companies that make the products will release security fixes. Falling behind for too long will leave your system open to attacks from hackers.
● There are a few good websites to look at to stay up to date with security problems:
  – http://www.slashdot.org
  – http://www.securityfocus.org
  – http://www.cert.org/
Encryption
● Most network activity happens unencrypted. That means if someone got hold of the data that was being sent, they could see what is inside.
● Since your data is usually sent over the Internet and around the world, there is a lot of opportunity for others to see what is happening.
● To protect yourself from anyone seeing what is happening, you need to use encryption for your data. This means everything will look like garbage to whoever tries to look at it.
● Encryption in Linux is done through SSL, or Secure Sockets Layer, which can sit on top of a protocol and change all the data being sent into something no one else can read.
Using encryption
● To use encryption, you'll need different programs.
● For example, instead of using telnet to log into a server, you should use a protocol called SSH, which gives you the same effect as telnet, but it is secure because it is encrypted. You need to download a special program to use SSH. The most popular is called PuTTY (if you are using Windows). Linux has ssh built in [ ssh tihe.org -l username ]
  – http://www.chiark.greenend.org.uk/~sgtatham/putty/
● For browsing the web, you can see if it is secure by looking at the URL in the browser. If it contains “http://” then it is insecure.
● If it contains “https://” then you know it is secure because it is using a secure version of the HTTP protocol.
Packet Sniffing
● To get a better idea of how network communication works, you can use a packet sniffer, which will examine all the packets that come into the computer and also some other packets that are floating around on the network.
● The best packet sniffer is called Ethereal. It is a graphical program that lets you capture packets and then analyze the data that has come in.
● This means you can see what web pages a person was looking at, or you can see FTP data they sent, or any other network data that is being sent.
● If you are logging in with telnet, someone will be able to see your username and password right away because it is unencrypted.
Intrusion Detection
● There are also programs that help figure out when an attack is happening on your system. These are called IDS, or intrusion detection systems.
● A popular one is called Snort. It basically examines packets that come in and has a big database of rules that can determine if a specific exploit or attack is coming in.
● It will then alert the administrator and take some action.
● You can actually watch a hack in progress with an IDS set up.
● You'll have to install Snort yourself if you want it, although there is a lot of documentation available:
  – http://www.snort.org
Summary
● Linux security is an ongoing project for all the developers of Linux around the world. Exploits for products are released daily, so keeping your computers safe is challenging.
● Most of the time today, people will not care who the computer belongs to, but they will use it as a launching point to attack other computers. That way, the computer really being attacked will not know where the attack is actually coming from.
● Other times, hackers can set up programs that run on your computer and wait for their instructions.
● For more information about Linux security:
  – http://www.insecure.org
  – http://www.yolinux.com/TUTORIALS/
  – http://www.linuxsecurity.com/