Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced Unix Mid-Term Review Part 1 Oct 11, 2005.

Published byMarilynn Morrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Advanced Unix Mid-Term Review Part 1 Oct 11, 2005."— Presentation transcript:

1 Advanced Unix Mid-Term Review Part 1 Oct 11, 2005

2 nmap Port Scanner –http://www.insecure.org/nmap/http://www.insecure.org/nmap/ Useful tool for conducting system and network ports scans It is not a vulnerability scanner

3 Types of Scans TCP connect TYP SYN (a.k.a. half-open) TCP FIN (a.k.a. stealth) TCP SYN/FIN using IP fragments TCP ftp proxy (a.k.a. bounce attack) UCP raw ICMP port unreachable RPC scan ACK/WIN scan Ping scan

4 TCP connect Goal: find open TCP ports; option –sT Open a connection to port p on the target If it succeeds, something is listening on that port Repeat for desired values of p Advantages: –fast; can do many ports in parallel –no special privileges needed Disadvantages: –easy to detect and block (filter)

5 TYP SYN (a.k.a. half-open) Goal: find open TCP ports; option –sS Craft and send a SYN to port p on target ACK: someone listening; RST: no-one listening Send RST to tear down (incipient) connection Repeat for desired values of p Advantages: –many sites don’t log this Disadvantages: –need root to craft the initial SYN

6 Network Tools The netstat command (Page 521) is one such tool It will show you the number of tcp/udp connections and the services that are listening on your system Demo netstat

7 Network Tools One tool overlooked by the book is lsof lsof or "list open files" is one of the systems administrator's number one tools You trace what processes are using which services as well as which files are open and by which processes Demo lsof

8 Network Tools Many “root kits” deployed by vandals replace the tools an SA would use to detect the attack –ps, ls, netstat, lsof, etc. Always have original binaries and/or the tool source code available

9 Network Services They are the Points of Attack Remove/Disable all unneeded services –/etc/services – a test file that relates the ports to the services (page 523)

10 TCP Wrappers For the services that you need to have running (Page 525) –Provides for added access control –The Super Daemon xinetd now has tcp wrappers built in so any service using xinetd can take advantage of tcp wrappers

11 TCP Wrappers Other services also use tcp wrappers such as “Very Secure FTP” –vsftpd FTP server (Page 525) –Controlled in the vsftpd configuration file Access to rsync can be controlled by TCP Wrappers via xinetd

12 TCP Wrappers Uses two files to define the access to the services –/etc/hosts.allow –/etc/hosts.deny You can create a deny-by-default to all services that use tcp wrappers Don’t be misled into thinking this can secure you server 100% –Understand that not all services can or do use tcp wrappers –tcp wrappers is not a Firewall but an access control

13 TCP Wrappers Good Example in the book (Page 526) Demo: tcp wrappers –hosts.allow –hosts.deny

14 Firewalls Several types of Firewalls: –Packet filter Iptables – layer 2 network –Stateful filter Cisco PIX – layer 3 and 4 –Stateful inspection Checkpoint Firewall-1 –Application proxy Sidewinder – layers 5 thru 7 –Good reference for firewalls: http://www.interhack.net/pubs/fwfaq/

15 Iptables iptables is a filtering firewall Comes standard as part of Linux –Older versions of Linux have ipchains FC4 comes with a relatively good initial configuration Using chkconfig, check to see if your iptables is configured to start on boot chkconfig --list iptables

16 Iptables If is not then enabled it via the following command: chkconfig –levels 235 iptables on To start iptables enter: /etc/init.d/iptables start Or service iptables start

17 Iptables Many ways to implement iptables –Demo Shorewall See: http://www.linuxguruz.com/iptables/ http://www.linuxguruz.com/iptables/

18 Iptables - IP Filter IP Filter –Used to filter packets –The command to enter a rule is called iptables –The framework inside kernel is called Netfilter –Full matching on IP, TCP, UDP and ICMP packet headers –Lesser matching on other packet headers possible –Exception in TCP is the Options field IP Filter rule consists of: –Insertion point, Matching IP and Target IP

19 Iptables - Stateful firewalling Full state matching (TCP, UDP & ICMP) Other protocols Uses a generic connection tracking module –The generic conntrack module is less specific –Custom modules can be written –Certain protocols are more complex Requires extra modules called "conntrack helpers" Examples are FTP, IRC (DCC), AH/ESP and ntalk

20 Iptables - Stateful firewalling (cont.) Userland states –NEW All new connections Includes Non SYN TCP packets –ESTABLISHED All connections that has seen traffic in both directions –RELATED All connections/packets related to other connections Examples: ICMP errors, FTP-Data, DCC –INVALID Certain invalid packets depending on states E.g. FIN/ACK when no FIN was sent

21 Iptables - NAT NAT - Network Address Translation –The science of switching Source or Destination Addresses Two types of NAT in Linux 2.4 –Netfilter NAT –Fast NAT Usage –Makes a LAN look as if it came from a single source (firewall) Netfilter NAT –DNAT - Destination Network Address Translation –SNAT - Source Network Address Translation –Requires Connection tracking to keep states and expectations

22 Iptables - basic syntax iptables [command] [options] Commands: –append, insert, replace, delete, list, policy, etc. Options: –verbose, line numbers, exact, etc. Matches: –dport, dst, sport, src, states, TCP options, owner, etc. Targets: –ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.

23 Iptables - matches Protocol -p, --protocol [!] [protocol] –tcp, udp, icmp or all –Numeric value –/etc/protocols Destination IP & Port -d, --destination [!] address[/mask] –Destination address –Resolvable (/etc/resolve.conf) --dport, --destination-port [!] port[:port] –Destination port –Numeric or resolvable (/etc/services) –Port range

24 Iptables - matches (cont.) Source IP & Port -s, --source [!] address[/mask] –Source address –Resolvable (/etc/resolve.conf) --sport, --source-port [!] port[:port] –Source port –Numeric or resolvable (/etc/services) –Port range

25 Iptables - matches (cont.) Incoming and Outgoing interface -i, --in-interface [!] interface -o, --out-interface [!] interface

26 Iptables - targets ACCEPT –Accepts the packet –Ends further processing of the specific chain –Ends processing of all previous chains –Except other main chains and tables DROP –Drops the packet –No reply –Ends all further processing

27 Iptables - targets (cont.) REJECT –Drops packet –Returns a reply User specified reply Calculated reply TCP-RST or ICMP errors –Ends all further processing RETURN –Returns from a chain to the calling chain

28 Iptables - a few simple rules iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject- with-tcp-reset iptables -A INPUT -p tcp --dport 80:1024 -j DROP iptables -A FORWARD -p tcp --dport 22:113 -j DROP iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT iptables -A OUTPUT -p tcp -o lo -j ACCEPT iptables -P OUTPUT DROP

29 Iptables additional syntax Listing the rules –-L, --list [chain] -F, --flush [chain] –Flushes (erases) all rules in a chain –Or a table -N, --new chain –Creates a user-specified chain –There must be no target with that name previously -X, --delete-chain [chain] –Deletes a user-created chain –No rules may reference the chain –Can delete all user-created chains in a table

30 Iptables additional syntax Creating... –iptables -t filter -N badtcppackets and Deleting a chain –iptables -t filter -X badtcppackets and Deleting all user-created chains –iptables -t filter -X

31 Need to know: –where they are and what they contains –permissions and ownership –how often they are rotated You need to: –Review logfile contents regularly –Archive important logs Logging

32 Pages 541-542 list most of the common logs These logs are found in the /var/log directory –/var/log/messages –/var/log/boot.log –/var/log/wtmp –/var/log/dmesg Logging

33 Logging What to look for in a log? –Unusual activity –Take a look at your logs daily /var/log/messages /var/log/secure /var/log/sshd Other service related logs like ftpd, etc.

34 Logging Some common things: –Sendmail messages –SSH logins/logouts –FTP logins/logouts Based on what you see regularly, you will know when something is amuck. Common logchecking utilities are also an excellent way to keep tabs on your logs

35 Logcheck Was developed by Psionic (http://www.psionic.com)http://www.psionic.com –Portsentry –Logcheck Easy configuration Very customizable Demo: logcheck

36 Logwatch Part of FC3 default install It is a customizable, pluggable log- monitoring application It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Default setup is to email root daily

37 Syslog Daemon syslogd: the system event logger –how syslog works –its configuration file –the software that uses syslog –debugging syslog

38 What gets logged? The accounting system The kernel Various utilities and applications –many produce data that needs to be logged –most of the data has a limited useful lifetime, and needs to be summarized, compressed, archived and eventually deleted

39 Logging policies Log data immediately Reset log files at periodic intervals Rotate log files, keeping data for a fixed time Compress and archive to tape or other permanent media

40 Logging Options Depends on : –how much disk space you have –how security-conscious you are –How important the system is Whatever scheme you select, regular maintenance of log files should be automated using cron

41 Throwing away log files not recommend –security problems ( accounting data and log files provide important evidence of break-ins) –helpful for alerting you to hardware and software problems. In general, keep one or two months –in a real world, it may take one or two weeks for SA to realize that site has been compromised by a hacker and need to review the logs

42 Throwing away (cont.) Throwing away (cont.) Most sites store each day’s log info on disk, sometimes in a compressed format These daily files are kept for a specific period of time and then deleted One common way to implement this policy is called “rotation”

43 Rotating log files Keep backup files that are one day old, two days old, and so on. –logfile, logfile.1, logfile.2, … logfile.7 Each day rename the files to push older data toward the end of the chain –script to archive three days files

44 Archiving log files Some sites must archive all accounting data and log files as a matter of policy, to provide data for a potential audit Log files should be first rotate on disk, then written to tape or other permanent media –see chap 11, Backups

45 Finding log files Normally in /var/log but to locate log files you can read the system startup scripts : /etc/rc* or /etc/init.d/* Some programs handle logging via syslog –check /etc/syslog.conf to find out where this data goes –Again, normally to /var/log

46 Finding log files Finding log files Different operating systems put log files in different places: –/var/log/* –/var/cron/log –/usr/adm –/var/adm … On linux, almost all the log files are in /var/log directory.

47 What is syslog A comprehensive logging system, used to manage information generated by the kernel and system utilities. Allow messages to be sorted by their sources and importance, and routed to a variety of destinations: –log files, users’ terminals, or even other machines.

48 Syslog: three parts Syslogd and /etc/syslog.conf –the daemon that does the actual logging –its configuration file openlog, syslog, closelog –library routines that programs use to send data to syslogd logger –user-level command for submitting log entries

49 syslog-aware programs Using syslog lib. Routines write log entries to a special file /dev/log syslogd /etc/syslog.conf reads consults dispatches Log files Users’s terminals Other machines /dev/klog

50 Configuring syslogd The configuration file /etc/syslog.conf controls syslogd’s behavior. It is a text file with simple format, blank lines and lines beginning with ‘#’ are ignored. –Selector action –eg. mail.info/var/log/maillog

51 Configuration file - Selector Identify –source -- the program (‘facility’) that is sending a log message –importance -- the messages’s severity level –eg. mail.info/var/log/maillog Syntax –facility.level –facility names and severity levels must chosen from a list of defined values

52 Sample syslog output Dec 27 02:45:00 x-wing netinfod [71]: cann’t lookup child Dec 27 02:50:00 bruno ftpd [27876]: open of pid file failed: not a directory Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5 Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times Dec 27 02:55:33 bruno sendmail [28040] : host name/address mismatch: 192.93.110.26 != bull.bull..fr

53 Linux networking Understand basic configuration of Network Interface –IP address –Subnetmask –Gateway Talk about other types of interfaces (PPP, IPSec, etc) Use network utilities (ipconfig, mii-tool, etc)

54 The TCP/IP protocol Internet Protocol (IP) address –Four 8-bit numbers (Octets) –Identifies a computer on the network Subnet mask –Four 8-bit numbers –Determine the network and host portions of an IP address Default gateway –Router that sends packets to remote networks

55 Configuring a NIC interface ifconfig command –Assigns TCP/IP configuration to a NIC –Displays configuration of all network interfaces packet internet groper command –Checks connectivity to other computers

56 Configuring a NIC interface Multiple Tools to accomplish this: –Command line: ifconfig –Curses based: netconfig –Graphical: system-config-network

57 Name resolution Hostnames –Name assigned to a computer –Uses plain language Fully Qualified Domain Name (FQDN) –Hostname that follows DNS convention Domain Name Space (DNS) server –Resolves FQDNs to IP address

58 The Domain Name Space

59 Common network services Port –Number that identifies a network service –65,535 possible ports Well-known port – used by common networking services –0 to 1,024

60 traceroute command Used to troubleshoot routing Displays all routers between the current computer and a remote computer

61 The mii-tool An easy way to determine which speed is used by an Ethernet card The Ethernet card needs to have Media Independent Interface circuitry

62 Secure Shell Without Passwords Using ssh without passwords –Everybody pair up –Insure each of you has an account/password on each other system Refer to the Text Book for the commands and see if you can get this to work

63 Secure Shell Without Passwords When we last left the intrepid students they were struggling with secure shell and keys…. But wait….Daria and Chuck have made it work. Is this the break through we’ve been waiting for?

64 Secure Shell Without Passwords 1. Pair Up 2. Insure you have an account on your partners system and you know the password 3. Generate the ssh key cd ~/.ssh ssh-keyget –t dsa Do not enter a passphrase when prompted (this generates public and private keys)

65 Secure Shell Without Passwords 4. Copy public key from your system to your partners scp id_dsa.pub userid@partner:/tmpuserid@partner:/tmp 5. Then enter the following (same line) ssh userid@partner ‘cat /tmp/id_dsa.pub >> /home/userid/.ssh/authorized_keys2userid@partner 6. Clean up ssh userid@partner rm /tmp/id_dsa.pubuserid@partner

Download ppt "Advanced Unix Mid-Term Review Part 1 Oct 11, 2005."

Similar presentations

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
1 Linux Networking and Security Chapter 2. 2 Configuring Basic Networking Describe how networking devices differ from other Linux devices Configure Linux.

1 Linux Networking and Security Chapter 2. 2 Configuring Basic Networking Describe how networking devices differ from other Linux devices Configure Linux.
Syslog and log files1-1 Syslog and Log Files  From logfiles, you can find m important information m History m Errors/warnings  Logging policies m Reset.

Syslog and log files1-1 Syslog and Log Files  From logfiles, you can find m important information m History m Errors/warnings  Logging policies m Reset.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Linux Networking TCP/IP stack kernel controls the TCP/IP protocol Ethernet adapter is hooked to the kernel in with the ipconfig command ifconfig sets the.

Linux Networking TCP/IP stack kernel controls the TCP/IP protocol Ethernet adapter is hooked to the kernel in with the ipconfig command ifconfig sets the.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.

Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.

TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
Click to edit Master subtitle style Chapter 17: Troubleshooting Tools Instructor:

Click to edit Master subtitle style Chapter 17: Troubleshooting Tools Instructor:
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.
Ana Chanaba Robert Huylo

Ana Chanaba Robert Huylo
Module 7: Configuring TCP/IP Addressing and Name Resolution.

Module 7: Configuring TCP/IP Addressing and Name Resolution.
Managing Network connections. Network Cabling Ethernet Topology Bus topology – Connects each node in a line – Has no central connection point Star topology.

Managing Network connections. Network Cabling Ethernet Topology Bus topology – Connects each node in a line – Has no central connection point Star topology.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

Similar presentations

Ads by Google