Transcript Security

Linux Installation and Administration
Lesson 8
Tutor: George Papamarkos
Topic: Linux Security
Lesson Outline
● Setting up a secure system
● TCP Wrapper configuration
● Firewalls in Linux
● Authentication Systems
– NIS
– Kerberos
Types of Security Threats
● Denial of Service (DoS)
– This attack disrupts a service on the system
● Intrusion
– Unauthorised access by compromising a service or logging in by stealing a password
● Snooping
– This attack involves interception of the data of another user, listening to all sensitive information transmitted
● Viruses, worms and Trojan Horses
Setting up a Secure System
● There are some very basic things that you have to do in order to secure your system
● Shutting down the redundant services
– You have to disable all network daemons (services) that are not needed by the system
– Any network port that is listening for connections can be vulnerable to attack because of probable exploits against the running daemon
– To find out which ports are open, type:
# netstat -an
Setting up a Secure System (cont.)
● Looking in /etc/services, or by passing -p to netstat, we can tell which service is running on each port
● Check each port that looks unnecessary
● Examples of vulnerable services:
– telnetd, sendmail, ftpd: they send passwords in clear text over the network. Instead of telnet use ssh
● Shutting down services involves editing the appropriate files on your system
Setting up a Secure System (cont.)
● On RedHat based systems daemons are started by scripts in the /etc/rc.d/init.d directory
● Depending on the runlevel, each daemon/service is linked to the appropriate rcX.d directory where 0<X<6
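The port audit described in the last slides, as an added example that is not part of the lesson: it parses a constructed `netstat -an` capture together with an /etc/services-style table, lists the sockets that are actually listening (skipping established connections) and flags the clear-text services the lesson names (telnet, ftp, smtp) as candidates for shutting down. The sample output and services table are constructed, not taken from a real system.

```python
# Added example, not from the lesson: audit listening ports from a
# constructed `netstat -an` capture and an /etc/services-style table.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""
# Constructed excerpt in /etc/services format: name port/proto [aliases]
SERVICES = """\
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp          mail
sunrpc          111/udp         portmapper
"""
CLEARTEXT = {"telnet", "ftp", "smtp"}  # services that send passwords in the clear


def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments, tokenize
        if fields:
            port, proto = fields[1].split("/")
            table[(int(port), proto)] = fields[0]
    return table


def listening_sockets(netstat_text):
    """[(proto, port)] of sockets accepting connections: TCP must be in
    LISTEN state; UDP is stateless, so a wildcard peer address (*) counts."""
    found = []
    for f in (line.split() for line in netstat_text.splitlines()):
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue                              # header or other protocol
        state = f[5] if len(f) > 5 else ""
        if f[0] == "tcp" and state != "LISTEN":
            continue                              # e.g. ESTABLISHED session
        if f[0] == "udp" and not f[4].endswith(":*"):
            continue                              # connected UDP socket
        found.append((f[0], int(f[3].rsplit(":", 1)[1])))
    return found


def audit(netstat_text=NETSTAT_OUTPUT, services_text=SERVICES):
    """Return [(port, proto, service, cleartext)] sorted by port number."""
    table = parse_services(services_text)
    return sorted((port, proto, table.get((port, proto), "unknown"),
                   table.get((port, proto)) in CLEARTEXT)
                  for proto, port in listening_sockets(netstat_text))
```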
Setting up a Secure System (cont.)
● What to keep in mind all the time:
– Never use simple passwords. Make them complex by mixing letters, symbols and numbers
– Do NOT work on the root account unless absolutely necessary
– Do not ignore the log files
– Update your system on a regular basis
TCP Wrapper Configuration
● A simple and effective way to protect the system
● TCP Wrappers "wrap" access to a service (e.g. the Apache web server), monitoring the connections to it and refusing unauthorised hosts
● It is used in conjunction with inetd and xinetd
● It is a good way to control access to services that do not provide any native access control mechanism
TCP Wrapper Configuration (cont.)
● The TCP Wrapper is the first thing encountered when a connection is established with a service protected by the wrapper
● The TCP Wrapper is responsible for determining whether the connection comes from a source host that is allowed to connect
● Depending on whether you are using TCP Wrappers with inetd or xinetd there are two different approaches
TCP Wrapper Configuration (cont.)
with inetd
● If the system is using the inetd daemon you have to edit the /etc/inetd.conf file to use the TCP wrapper
● Using TCP wrappers requires just a small change to /etc/inetd.conf
● E.g. for the finger daemon
finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd
has to be changed to:
finger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.fingerd
This causes the tcpd command, which is the TCP wrapper, to be executed instead of in.fingerd directly, so the wrapper protects the daemon
TCP Wrapper Configuration (cont.)
with xinetd
● xinetd is the replacement for inetd adopted by some distros
● In most cases xinetd has built-in support for TCP wrappers
● You only need to modify the TCP wrapper configuration files (/etc/hosts.allow, /etc/hosts.deny)
TCP Wrapper Configuration (cont.)
with xinetd
● /etc/hosts.allow and /etc/hosts.deny specify the access rules that are applied in daemon protection
● When a TCP wrapper is invoked it obtains the IP address of the connecting host and its hostname
● If the IP of the host is specified in /etc/hosts.allow then access to the daemon/service is permitted
● If no match is found, /etc/hosts.deny is consulted. If the IP is described there then the connection is closed
● If no match exists in either file then access is granted
TCP Wrapper Configuration (cont.)
with xinetd
● The syntax of those two files is simple
● Each file contains a set of rules
● General rule form:
daemon_list : client_list : shell_command
where daemon_list is a comma-separated list of daemons to which the rule applies, client_list is a comma-separated list of the hostnames or IP addresses to which the rule applies, and shell_command is optional, specifying the command to be executed when the rule matches
TCP Wrapper Configuration (cont.)
with xinetd
● Example rules:
1. /etc/hosts.deny
# Deny everything from everywhere
ALL: ALL
– If nothing is specified in /etc/hosts.allow then this rule refuses connections to any service from anyone
2. /etc/hosts.deny
ALL: ALL EXCEPT localhost
3. /etc/hosts.allow
in.fingerd: ALL
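The lookup order from the previous slides (hosts.allow first, then hosts.deny, then grant by default) applied to example rules 2 and 3, as an added example that is not part of the lesson or of the TCP Wrappers package. It models only the `daemon_list : client_list` form with the ALL wildcard and the EXCEPT operator, matching names and addresses exactly; the real tcpd also supports hostname patterns and netmasks, which are left out here. The file contents are constructed for the demo.

```python
# Added example, not from the lesson: simulate the TCP Wrapper decision.
HOSTS_ALLOW = """\
# example rule 3 from the slides
in.fingerd: ALL
"""
HOSTS_DENY = """\
# example rule 2 from the slides
ALL: ALL EXCEPT localhost
"""


def parse_rules(text):
    """Return [(daemon_list, client_list)] from non-comment, non-empty lines.
    A third field (shell_command) is accepted but never executed here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError("bad rule: " + line)
        rules.append((parts[0], parts[1]))
    return rules


def list_matches(spec, value):
    """Match value against 'ALL', 'a, b' or 'ALL EXCEPT x' (exact names only)."""
    include, _, exclude = spec.partition(" EXCEPT ")
    if exclude and list_matches(exclude.strip(), value):
        return False                     # excluded by the EXCEPT half
    return any(item.strip() in ("ALL", value) for item in include.split(","))


def any_rule_matches(rules, daemon, client):
    return any(list_matches(d, daemon) and list_matches(c, client)
               for d, c in rules)


def access_decision(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """'permit' or 'refuse' following the lookup order in the slides:
    hosts.allow match -> permit; else hosts.deny match -> refuse; else permit."""
    if any_rule_matches(parse_rules(allow_text), daemon, client):
        return "permit"
    if any_rule_matches(parse_rules(deny_text), daemon, client):
        return "refuse"
    return "permit"
```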
Firewalls in Linux
● TCP Wrappers work with services configured using xinetd
● For stand-alone services another tool has to be used to control access
● In modern systems it is commonplace to get protection by IP filtering
● In IP filtering the kernel inspects each network packet transmitted or received by the host machine
Firewalls in Linux (cont.)
● The kernel IP filtering mechanism decides whether to allow or deny a certain packet
● IP filtering though does not provide protection from DoS attacks, Trojans and viruses
● IP filters take their decision according to the packet headers, which contain information like:
– Protocol Type (TCP, UDP)
– Source and Destination Port Numbers
● E.g. web servers like Apache use port 80 on the TCP protocol
Firewalls in Linux (cont.)
● IP filtering in Linux is implemented by the kernel
● There are three IP filtering/firewall generations in Linux:
– ipfw (IP firewall) for kernel versions 2.0.x
– ipchains in kernel versions 2.2.x
– netfilter/iptables in kernel versions 2.4.x
● netfilter is the kernel module while iptables is the user space configuration tool
Firewalls in Linux (cont.)
● We are going to describe netfilter/iptables, which refers to the modern kernel versions 2.4.x
● The iptables command allows rich and complex IP filtering rule definitions
● E.g.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
This command installs an IP filter that accepts new incoming connections to TCP port 22 (the ssh service) on our local system.
Firewalls in Linux (cont.)
● A set of rules defined by iptables is called a chain and is applied to all packets transmitted or received
● There are three system chains defined by the kernel:
– INPUT: Applies to packets received
– OUTPUT: Applies to packets sent
– FORWARD: Applies to all the packets that are routed from one network interface (net card) of the system to another. Helpful when the system works as a router or gateway
Firewalls in Linux (cont.)
● Actions that can be performed by rules include:
– ACCEPT: Accepts the packet
– DROP: Drops the packet, i.e. refuses to transmit or receive it
– The default action can be configured to be either ACCEPT or DROP
● netfilter also allows performing:
– Packet Logging
– Network Address Translation (NAT) aka IP masquerading
Firewalls in Linux (cont.)
● Each Linux distribution takes a slightly different approach to managing the firewall
● In RedHat-based distros all the rules are stored in /etc/sysconfig/iptables
● You first specify the rules using the iptables command and then you save them by typing as root:
– /sbin/service iptables save
Firewalls in Linux (cont.)
# Set the default policy on the INPUT chain to DROP.
# -P sets the default action of the specified chain, so here
# packets on the INPUT chain are dropped unless a rule accepts them
iptables -P INPUT DROP
# ACCEPT all packets that have come from the loopback interface, that
# is, from the local host. '-i lo' identifies the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
● -j here stands for "jump", meaning that if a packet matches the rule then processing jumps to the target that follows. The targets after -j are:
– ACCEPT: Allow the transmission of the packet
– DROP: Drop the packet
– QUEUE: Pass the packet to a user-space program for processing
– RETURN: Returns the packet to the end of the rule chain
Firewalls in Linux (cont.)
# ACCEPT packets belonging to an existing (ESTABLISHED,RELATED)
# connection. '-A INPUT' appends to the INPUT chain. '-m state' uses
# the stateful inspection module.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ACCEPT new incoming FTP connections from 192.168.1/24.
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1/24 \
    --dport 21 -j ACCEPT
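How the INPUT chain built on the last slides decides a packet's fate, as an added example that is not part of the lesson or of netfilter itself: the chain is walked top to bottom, the first matching rule's -j target is the verdict, and the -P default policy applies when nothing matches. Only the matches the slides use (-i, -p, -s, --dport, -m state) are modelled, and the packets are constructed summaries of header fields.

```python
# Added example, not from the lesson: a minimal model of the INPUT chain.
from ipaddress import ip_address, ip_network

# The slides' rules as (match criteria, target); an absent key is a wildcard.
# iptables accepts the shorthand 192.168.1/24, ipaddress needs 192.168.1.0/24.
INPUT_RULES = [
    ({"iface": "lo"}, "ACCEPT"),                                    # -i lo
    ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),              # -m state
    ({"state": {"NEW"}, "proto": "tcp", "dport": 22}, "ACCEPT"),     # ssh
    ({"state": {"NEW"}, "proto": "tcp", "src": "192.168.1.0/24",
      "dport": 21}, "ACCEPT"),                                      # ftp, LAN only
]
INPUT_POLICY = "DROP"  # iptables -P INPUT DROP


def rule_matches(match, pkt):
    """Every criterion present in the rule must hold for the packet."""
    if "iface" in match and pkt["iface"] != match["iface"]:
        return False
    if "proto" in match and pkt["proto"] != match["proto"]:
        return False
    if "dport" in match and pkt["dport"] != match["dport"]:
        return False
    if "state" in match and pkt["state"] not in match["state"]:
        return False
    if "src" in match and ip_address(pkt["src"]) not in ip_network(match["src"]):
        return False
    return True


def filter_input(pkt, rules=INPUT_RULES, policy=INPUT_POLICY):
    """First matching rule's target (-j) is the verdict; otherwise the
    chain's default policy (-P) decides."""
    for match, target in rules:
        if rule_matches(match, pkt):
            return target
    return policy


def packet(src, dport, state, proto="tcp", iface="eth0"):
    """Constructed packet summary: the header fields the filter looks at."""
    return {"src": src, "dport": dport, "state": state,
            "proto": proto, "iface": iface}
```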
Firewalls in Linux (cont.)
● You can see the list of rules currently applied on the system by typing:
– iptables -L -v
Reference – Using the iptables