Upload
sunkumar
View
72
Download
0
Embed Size (px)
Citation preview
UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION
(SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE)
A.Davous, 01/02/2009 1Unix Security Advanced Admin
FOREWORD
“No absolute security as long as system is accessed”
“In system administration, the evil is in details”
• For questions, contact is [email protected] • with [ESGI] in subject field – otherwise, mail will be
considered as spam by server rules.
A.Davous, 01/02/2009 2Unix Security Advanced Admin
INTRODUCTION
• SECURITY BREACHES WELL-KNOWN EXAMPLES• UNIX RELEASES AND FLAVORS• REMINDER : UNIX MANDATORY• WELL-KNOWN ATTACKS, MALICIOUS PROGRAMS• KEY CONCEPTS, RISKS, STRATEGY• HOW TO SECURE, SECURED DESIGN• SOME TABLE LAWS
A.Davous, 01/02/2009 3Unix Security Advanced Admin
SECURITY BREACHES WELL-KNOWN EXAMPLES
• Sendmail debug commands modeas sendmail runs with setuid rootso user can run any command with root power(try sudo and vi !...)
• Command passwd –f : no control of entered GECOS fieldso user can add any new line in password file
• Buffer overflow is a variantUser can execute shellcode (to get run root shell) previously saved at some memory address for programs that accepts any entry without control (exploit)
• SYN flooding : by sending high rate of TCP open session requests (SYN), server is filling its queue with half-open sessions data
• SQL-injection : SQL request to database may be forged to execute malicious code
A.Davous, 01/02/2009 Unix Security Advanced Admin 4
FOR INFORMATION – UNIX RELEASES
UNIX Solaris Linux
1969 AT&T Labs Unix
1977 Berkeley BSD Unix
1983 System V From BSD & SysV : From scratch :
1991 Solaris 1.0 (= SunOS 4) Linus Torwalds Linux
1992 FreeBSD, OpenBSD
1993 Slackware ; Debian
1994 Kernel 1.0 stable – RedHat
1995 Solaris 2.5 (= SunOS 5.5)
2000 Solaris 8 (= SunOS 5.8)
2001 Solaris 9 (= SunOS 5.9) Kernel 2.4
2003 Fedora Core – Kernel 2.6
2005 Solaris 10
2008 Fedora 10
A.Davous, 01/02/2009 5Unix Security Advanced Admin
FOR INFORMATION – UNIX FLAVORS
• Unix time line http://www.levenez.com/unix/
• Linux distributions time line http://futurist.se/gldt/gldt76.png
A.Davous, 01/02/2009 Unix Security Advanced Admin 6
REMINDER – UNIX MANDATORY
• Read, read again documentationman, man –k, makewhatis -u
• vi – what else could be expected ?vim but config and security
• Shells : sh – best choice for scriptingthen tcsh or bash… (current : ps)
• find, diff, touch, sort [-n]• xargs• grep, egrep, awk, Perl, expect
A.Davous, 01/02/2009 7Unix Security Advanced Admin
WELL-KNOWN ATTACKSName Category Definition
Sniffing Network Get information from network transactions
Spoofing or masquerading
Network Take identity of someone else
Denial of service
Network Try to stop or degrade service – usually by flooding technique
Replaying Authentication Replay abusive authentication or transaction
Repudiation Authentication Reject authentication or transaction
Spam Mail Undesirable mail
Phishing Mail Disguised mail to get confidential data
Hoax Mail Joke with more or less consequences
Dictionary Password Test with list of most current words
Brute force Password By trying a large number of possibilities
Social engineering
All Getting personal information by any mean (physical, social network, …)
A.Davous, 01/02/2009 Unix Security Advanced Admin 8
MALICIOUS PROGRAMS (MALWARES)Name Definition
Virus Insert malicious code on machine
Worm Separate process that exploited security holes in network
Trojan horses Malicious program disguised as something innocuous or desirable
Backdoor Method to bypass normal authentication procedures
Rootkit Software set installed to get abusive rights, install backdoor and stay hidden
Spyware Gather information for commercial purpose
Key logger Copies down the user’s keystrokes
Bomb Crash the system at a given time
Exploit Exploit a security breach of a software
A.Davous, 01/02/2009 Unix Security Advanced Admin 9
Most of these can be detected locally (by signature) – except some exploits that can be detected at network level (firewall)
SECURITY KEY CONCEPTS
• Security goals: confidentiality, integrity, availabilityauthentication, non-repudiation
• 3 usual answers to threats: ignore, improvise or try to ‘over’ secure
• Right answer: determine field, identify and evaluate cost of resources (financial, confidentiality or production), determine security risks and strategy, monitor, upgrade
A.Davous, 01/02/2009 Unix Security Advanced Admin 10
STRATEGIES• Strategies :
Accept threat – but have a recovery planReduce threat – by appropriate meansTransfer threat – to a vendorBypass threat – by blocking access
• Understanding is key:Example of mail user privilegeProtect all layers – example of firewallsReduce exposed surfaceProtect but detect and answer – administrate !
• Security is or must be part of :conception, operation and deployment
A.Davous, 01/02/2009 Unix Security Advanced Admin 11
RISKS AND STRATEGY
Risks• Human – malicious but often from authorized users• Technical – hardware (physical access), software• This is up to sysadmin to decide what are they and right
level of protection
Strategy• Security and comfort is a compromise• Have a security policy especially recovery procedure
A.Davous, 01/02/2009 Unix Security Advanced Admin 12
HOW TO SECURE
In-depth (passive) protection• (Physical – premises access)• Network filtering• Passwords• Encryption• Backup
(Active) security process• Monitor and add corrections• Full audit• Upgrade
A.Davous, 01/02/2009 Unix Security Advanced Admin 13
SECURED DESIGN• Open design or secret design debate
(hidden flaws, issues discovered by community, provocation to exploits)
Common breaches• Least user access (chroot as solution)• Buffer overflow• Printf function (insert conversion keys into string)• Web programming (URL forging)• Transactions, client/server (man-in-the middle,
encryption, hashing as solutions)
A.Davous, 01/02/2009 Unix Security Advanced Admin 14
SOME TABLE LAWS…• If someone can execute something on your computer or if someone can
modify your OS, or if someone can physically access to your computer, it will not belong to you anymore
• As well, if someone can execute something on your web site, it will not belong to you anymore
• Weak passwords leads to security breach• System is as secured as sysadmin wants• Encrypted data are as secured as the used key to encrypt• An anti-virus not updated is as useful as no anti-virus• Anonymity is not useful but confidentiality is• Technology is not be-all• Security measures works well when they are simple to use for
sysadmin and transparent to users
(Microsoft point of view)
A.Davous, 01/02/2009 Unix Security Advanced Admin 15
SYSTEM AND SECURITY BASIS
• REMINDER : PROCESSES• DAEMONS, SERVERS, SERVICES• INIT DAEMON, INIT LEVELS• REMINDER : BOOTING – SHUTTING DOWN• SERVICE MANAGEMENT• REMINDER : FILES, FHS• PACKAGE MANAGEMENT
A.Davous, 01/02/2009 Unix Security Advanced Admin 16
REMINDER : PROCESSES
• Processes have four identities : real (for accounting) and effective (for access permissions) UID and GID ; usually the same except with setuid or setgid bit set
• Command ps• Find setuid and setgid files over the system:
find / -type f –perm /u+s,g+s -ls
Kinds of processes• Interactive – controlled with & (run in background), ^Z (stop job), bg (restart
in background), jobs (list current jobs)• Batch• Daemons
A.Davous, 01/02/2009 Unix Security Advanced Admin 17
DAEMONS, SERVERS, SERVICES
• Daemon, server, service concepts• Daemon : programs not part of kernel ; process that performs a
specific function or system-related task• Start at boot time or on demand
Specific system daemons• init primordial process
• cron that schedule commands• inetd that manages some of them
A.Davous, 01/02/2009 Unix Security Advanced Admin 18
WELL KNOWN DAEMONS
Name Description
init First process
syslogd, rsyslogd Syslog logging
sendmail Mail MTA – Mail Transfer Agent
lpd, lpsched Print scheduler
crond Cron process scheduler
getty, mingetty Terminal support
syncd, fsflush, bdflush, pdflush Disk buffer management
pagedaemon, swapper, kswap Swap management
inetd Main daemon to start on-demand TCP/IP services as telnetd, ftpd, rshd – see /etc/inetd.conf
named Bind DNS – Dynamic Name Resolution
routed, gated TCP/IP routing daemons
dhcpd DHCP – Dynamic Host Configuration Protocol
portmap, rpcbind Port service resolution for RPC – Remote Procedure Call
nfsd NFS – Network File System
smbd, nmbd Samba
httpd Apache HTTP server
timed, ntpd, xntpd NTP – Network Time Protocol
A.Davous, 01/02/2009 Unix Security Advanced Admin 19
REMINDER : BOOTING – SHUTTING DOWN
Solaris SPARC Solaris x86/64 Linux (Fedora Core)
Boot PROM(device detection)
Access with STOP-Aboot –s : single-userboot –r : reconfigure
See ls –l /dev/rdsk/c0t0d0s0
ROM BIOS
MBR of boot device
Boot loader (GRUB since 5.10,
see /boot/grub/menu.lst)
Boot loader (GRUB see /boot/grub/menu.lst)
Kernel loading and initialization
Device configurationtouch /RECONFIGURE
Device detection and configuration
Execution of startup scriptsLevel 0 : shut down (init 0) - Level 1 or S : single user (init –s) - Level 6 : reboot (init 6)
Scripts management none or see 5.10 Configuration : /etc/default
Execution of startup scriptsLevel 0 : shut down (init 0) - Level 1 or S :
single user (init –s) - Level 6 : reboot (init 6)
Scripts management : chkconfigConfiguration : /etc/sysconfig
Multiuser mode
Shutdown/usr/sbin/shutdown –g secs –i6/usr/sbin/shutdown –g secs –i0/usr/sbin/shutdown –g secs –iS
Shutdown/usr/sbin/shutdown secs –r/usr/sbin/shutdown secs –h
/usr/sbin/shutdown secs –f
A.Davous, 01/02/2009 Unix Security Advanced Admin 20
Solaris SPARC Solaris x86/64 Linux (Fedora Core)
Boot PROM(device detection)
Access with STOP-Aboot –s : single-userboot –r : reconfigure
See ls –l /dev/rdsk/c0t0d0s0
ROM BIOS
MBR of boot device
Boot loader (GRUB since 5.10)
Boot loader (GRUB see /boot/grub/menu.lst)
Kernel loading and initialization
Device configurationtouch /RECONFIGURE
Device detection and config.
Execution of startup scriptsLevel 0 : shut down (init 0) - Level 1 or S : single user (init –s) - Level 6 : reboot (init 6)
Scripts management none or see 5.10 Configuration : /etc/default
Exec. of startup scriptsLevel s : the same
Scripts management : chkconfigConfiguration : /etc/sysconfig
Multiuser mode
Shutdown/usr/sbin/shutdown –g secs –i6 (reboot)/usr/sbin/shutdown –g secs –i0 (shut down)/usr/sbin/shutdown –g secs –iS (single user)
(skip scandisk)
Shutdown/usr/sbin/shutdown secs –r/usr/sbin/shutdown secs –h
/usr/sbin/shutdown secs –f
INIT LEVELSLevels Name or goal Links to scripts
directoryRemarks
0 Stop /etc/rc0.d
1, S or s Maintenance, Single user /etc/rc1.d
2 Multiuser /etc/rc2.d This is the place where to add custom system links to scripts
3 Network server /etc/rc3.d This is the place where to add custom application links to scripts
5 Same as 3 with graphical logon session
/etc/rc5.d
6 Will step to 0 and back to normal
/etc/rc6.d
Notes : Many others levels, depending on OS or very specificinit commandwho –r commandDefault state defined in /etc/inittabStartup links to scripts SXXname ; stop links KXXname ; where XX is a number from 00 to 99Place where to find scripts : /etc/init.d
A.Davous, 01/02/2009 Unix Security Advanced Admin 21
INIT DAEMON
• First process to run after system boot• Always have PID 1 and is ancestor of all other processes• After startup, init consults /etc/inittab (or for BSD
/etc/ttys) to determine on which physical ports it should expect users to log in (getty processes – even tough large use of network daemons today, or xdm for graphical interface)
• Also take care of zombie processes (not running but listed)• Init defines run levels (passed as argument to it from boot loader) : 0
to 6 and s (single-user)• Additional layer is given with startup scripts in /etc/init.d, linked
to startup and stop scripts in /etc/rcX.d
A.Davous, 01/02/2009 Unix Security Advanced Admin 22
SERVICE MANAGEMENT IMPLEMENTATIONS EXAMPLES
Object Universal way of doing it Chkconfig-service commands(Fedora 10)
SMF – Service Management Facility (Solaris 10+)
Disable a service mv /etc/rc2.d/S75cron /etc/rc2.d/_S75cron
chkconfig –add crond svcadm disable system/cron:default
Enable a service Edit /etc/inet/inetd.conf, uncomment finger line
chkconfig fingerd on svcadm enable network/finger:default
Stop a service /etc/init.d/sshd stop service sshd stop svcadm disable –t network/ssh:default
Start a service /etc/init.d/sshd start service sshd start svcadm enable –t network/ssh:default
Restart a service /etc/init.d/sshd stop ; /etc/init.d/sshd start
service sshd --full-restart
svcadm restart network/ssh:default
Hang up a service kill –HUP `cat /var/run/sshd.pid`
No integrated command svcadm refresh network/ssh:default
Diagnose a faulty service
Try to look around logs (/var/adm/messages)
No integrated command svcs –x[v] service
Dependencies of a service
Try to look around scripts dependencies by reading code
No integrated command svcs {-d | -D} service
Processes associated with a service
lsof No integrated command svcs –p network/smtp:sendmailps –fp id,id
Changing run level Edit /etc/inittab No integrated command svcadm milestone –d milestone/single-user:default
Legacy Internet services daemon
Edit /etc/inet/inetd.conf No integrated command Edit /etc/inet/inetd.conf, then issue inetconv command
A.Davous, 01/02/2009 Unix Security Advanced Admin 23
SERVICES MANAGEMENT COMPLEMENTS
• Commands : init 0, init 6, init sps –ef, kill -<signal>, pgrep, pkill, <service-script> start|stop|restart (service startup script)
• Command chkconfig (specific to Fedora):usage: chkconfig --list [name] chkconfig --add <name> chkconfig --del <name> chkconfig --override <name> chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>chkconfig header in startup scripts
• And finally, system-config-services GUI applet specific to Linux
• Command service and semi-graphical GUI sysvconfig, both specific to Debian
A.Davous, 01/02/2009 Unix Security Advanced Admin 24
OTHER CONCEPTS
• Command dmesg (kernel log)• Core dump : ulimit –c• Path :
- try not modify root profile PATH variable- do not set empty or ‘.’ in PATH variable- in scripts (and configurations like cron), always use full path for commands (as variables at beginning)
• Disk quotas may be use to isolate an application (vs. original purpose)• vi and other editors dump files feature• History of shell commands• who –r• cp -p
A.Davous, 01/02/2009 Unix Security Advanced Admin 25
ANSWERS TO QUESTIONS - 1
• Gentoo (2003)Visible on time line ; derives from Enoch (1999) which was build from scratch.
Compile on installation taking into account processor’s instruction set.• ESCAPING TO SHELL WITH VI, MORE, …
Type : (semi column) to get into command modeThen ! (exclamation mark) to run any shell commandType any command
• locate – updatedbSearch of a pattern ( *file* ) instead of a filename ( file )locate ntp == find / -name ”*ntp*”locate –b ’\ntp’ == find / -name ntp
• History length : on sh or bash this is set with $HISTSIZE (tcsh $HISTORY). See following profiles slide and hands-on (depending on shell, use man, setenv or printenv)
A.Davous, 01/02/2009 Unix Security Advanced Admin 26
ANSWERS TO QUESTIONS - 2• grep
# egrep pattern file(s) Shows filenames & lines that match [ filename: line ]# egrep –L pattern file(s)Lists files that does not contain any line matching
• awk
# ifconfig -a | awk 'BEGIN {printf "%-4s %-19s %-15s\n","If","MAC","IP"} / Link/ {a=a+1 ; printf "%.4s %17s",$1,$5 ; getline ; printf "%15s\n",substr($2,6,15)} END {print "Total nbr:", a}'
If MAC IP
eth0 00:09:5B:BD:FA:D2 192.168.0.1
eth1 00:0E:A6:9F:7C:AA 89.156.6.39
lo 127.0.0.1
Total nbr: 3
A.Davous, 01/02/2009 Unix Security Advanced Admin 27
REMINDER : FILES• In Unix everything is a file (IO from files or from peripherals are the same)• In Unix, a file belongs to a user AND to a group (no mandatory relationship between
both) ; a user can belong to many groups ; so, to give access to a set of files or commands belonging to a group is done by adding the user to the group
• When a file is created, it belong to the user who created it and its group – except if upper directory is setgid (BSD style)
• Commands : chown [-R], chgrp, chmod• Access rights for files (directory) :
r read (can ls it), w write (can supp/rename files into), x execute (can cd into)(to be executable, a script shell needs rx, a binary only x )
• umask 022 command in profile files to set permission of new files• Special access :
t sticky bit (can write a dir but not supp file ; /tmp)s setuid bit (set resources access of process to owner and not to the one that run it)s setgid bit (for a file, set resources access of process to owning group and not the one that run it – for a dir, see upper)find / [-user root] -xdev –perm {-4000 | -2000}
A.Davous, 01/02/2009 Unix Security Advanced Admin 28
FILESYSTEM HIERARCHY STANDARD – 1
/ /bin Binaries
/dev /cdrom Special files – Devices
/console
/null
/stdin
/tty0
/etc /httpd Configuration files and directories/init.d
/rc2.d
/rc3.d
/skel
/sbin System binaries
/home /antoine Home directories
/lib Libraries
/lost+found Lost files (used by fsck)
A.Davous, 01/02/2009 Unix Security Advanced Admin 29
FILESYSTEM HIERARCHY STANDARD – 2
/mnt Usual mount point
/opt Optional software
/proc Special : processes directory
/tmp Temporary directory
/usr /bin User’s binaries directories
/include
/lib
/local /bin
/lib
/src
/sbin
/var /log Temporary files (logs, queues, data)/spool /cron
/lpd
/www
A.Davous, 01/02/2009 Unix Security Advanced Admin 30
PACKAGES MANAGEMENT
Solaris RedHat (Fedora)
Debian (Ubuntu) FreeBSD
List, search, information
pkginfo rpm –q apt-cache [show]
pkg_info
Install pkgadd rpm -i apt-get install pkg_add [-r]
Update smpatch rpm -U apt-get upgrade
Remove pkgrm rpm -e apt-get remove pkg_delete
GUI tool Sun ™ Update Manager
Gnome tool (or Yum-Yumex)
Synaptic Packages Manager ; Wajig-Gjig
FreeBSD offers the way to install sources and build them locally with Gnome Tinderport
This table may be not complete, as many other ways of doing packages management exists (see FreeBSD – or Mac OS X tool ‘Fink’ that also build locally) especially for other commercial OS. The system admin has to check its own OS.
A word about configuration files updates, for RPM : rpmsave and rpmnew extensionsAfter an update, do find / \( -name ″*rpmsave″ –o –name ″*rpmnew″ \)
A.Davous, 01/02/2009 Unix Security Advanced Admin 31
PHYSICAL SECURITY
• USERS AND GROUPS• PASSWORD CRACK TOOLS• SUDO• PHYSICAL ATTACKS• HIGH AVAILABILITY• CHANNEL BONDING
A.Davous, 01/02/2009 Unix Security Advanced Admin 32
USERS AND GROUPS • Su : switch user
# su - switch to root with loading root environment• Password
# passwd [user]• Sudo : optional package (configuration by visudo)
# sudo [command]• Users base files : /etc/passwd and /etc/shadow (encrypted passwords)
# head -2 /etc/passwdroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologin (User:x:UID:GID:GECOS:home-dir:shell)# man –s5 shadow# vipw [-s]
• Groups base file : /etc/group# head -2 /etc/grouproot:x:0:rootbin:x:1:root,bin,daemon
A.Davous, 01/02/2009 Unix Security Advanced Admin 33
USERS ADMINISTRATION - PROFILES
Main shells
Startup Upon termination Other
sh /etc/profile (login shells)
.profile (login shells)
Any command or script specified using trap ″command″ 0
tcsh /etc/csh.cshrc (always)
/etc/csh.login (login shells)
.tcshrc (always)
.cshrc (if no .tcshrc file is present)
.login (login shells)
.logout (login shells) .history (saves history based on "$savehist")
.cshdirs (saves directory stack)
bash /etc/profile (login shells)
.bash_profile (login shells)
.profile (login if no .bash_profile file is present)
.bashrc (interactive non-login shells)
$ENV (non-interactive shells)
.bash_logout (login shells)
.inputrc (readline initialization)
A.Davous, 01/02/2009 Unix Security Advanced Admin 34
Nothing specific to OS but to shell. However, it is worth to know !
OTHER CONCEPTS• Users management commands highly dependant to OS
adduser, useradd, ...• Command dmesg• Command ls
# ls -als | head -4total 4080 nbr-of-blocks16 drwxr-xr-x 146 root root 12288 2009-02-21 04:44 . 8 drwxr-xr-x 24 root root 4096 2009-02-10 18:03 .. 8 drwxr-xr-x 4 root root 4096 2008-01-23 15:25 acpisize-in-blocks user group size-in-bytes type last-modif-date permissions name nbr of links
• Command chown [-R]• Command chmod• Symbolic links• File types (command file)
d (dir), l (symbolic link), b (bloc), c (character), s (socket), p (pipe)
A.Davous, 01/02/2009 Unix Security Advanced Admin 35
PASSWORD CRACK TOOLSUsage of these tools are illegal on computers where you have not been explicitly authorized to do it.
But it is recommended to test your own password files – anyhow, crackers will do it with them.
Crack• Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin• Quick-start commands:
# umask 077# ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp# Crack –nice 5 /root/unshadp# CrackReporter
• Results in ~/run directory
John the Ripper• Locations: /usr/share/john ; /usr/libexec/john• Quick start commands:
# umask 077# unshadow /etc/passwd /etc/shadow > /root/unshadp# john [--rules --wordfile=FILE] /root/unshadp
• Results in ~/john.pot
A.Davous, 01/02/2009 Unix Security Advanced Admin 36
EXAMPLE FOR JOHN - 1
A.Davous, 01/02/2009 Unix Security Advanced Admin 37
EXAMPLE FOR JOHN - 2
...New UNIX password: 12345...12345 (essai1)
guesses: 1 time: 0:00:00:05 8% (2) c/s: 4880 trying: Sunshine1 ^C
...New UNIX password: cathy...cathy (essai1)
guesses: 1 time: 0:00:00:04 6% (2) c/s: 4891 trying: decembers ^C...New UNIX password: djk7sdf...
guesses: 0 time: 0:00:00:34 37% (2) c/s: 4886 trying: blondie? ^C
A.Davous, 01/02/2009 Unix Security Advanced Admin 38
SOME PHYSICAL ATTACKS
• Physical access must be protected – if not, attacker can open the case and reset EEPROM (where BIOS password is saved) or can steal hard disk…
• BIOS (or boot PROM for Sun) level must be protected (with password) – if not, attacker can boot on its own CD/DVD
• If partitions are not encrypted, booting with a CD/DVD gives access to data (with mount command) and so to /etc/passwd (this is an official recovery procedure of lost root password)
• For backup purpose, recovery CD (or software installation CD) are usually needed# mkbootdisk `uname –r`
• Network may need to be redundant (High Availability) by duplicating network interfaces, switches, routers. Multiple redundant interfacing is named channel bounding (or IP multipath for Sun) – otherwise, DoS
A.Davous, 01/02/2009 Unix Security Advanced Admin 39
ROOT PASSWORD RECOVERY
Simplest procedure using single user mode – case of Fedora 10• When Grub screen, edit current boot line (e)• Edit kernel line (e) by adding ‘single’ at end (single user mode)• Save and boot (b)• Command passwd can be entered with root privileges to reset root
password
GRUB protected if :• GRUB bootloader have a timeout (/boot/grub/menu.lst) –
suppress it (0)• Or a password (add line password –md5 PASSWORD in menu.lst)
Encrypted password is given by command# grub-md5-cryptwhich returns a PASSWORD that can be pasted
A.Davous, 01/02/2009 Unix Security Advanced Admin 40
ROOT LOGIN DEVICES
Kinds of terminals• console # console• ttyn (tty1,..) # serial terminals• vc/n (vc/1,..) # virtual consoles
Where root can directly login to• Configurable in /etc/securetty
Security• Should be all disabled (by commenting with #) except console
and/or tty1
A.Davous, 01/02/2009 Unix Security Advanced Admin 41
ROOT, SUDO AND SECURITY
• Never log as root directly• su – (minus to inherit root environment instead of user’s one)• Never change root shell• Package sudo used to give some determined root rights to standard
users (with their own passwords !)- Configuration file : /etc/sudoers (440) editable only with visudo command – see man sudo, man sudoers- Never configure shells or utilities that escape to shell as commands (more, less, vi,…) because commands will be executed as root !- sudo –v , restart timeout- sudo may be integrated to PAM- passwords are not encrypted ; SSH is the solution- usage can be forced by replacing su command to a symbolic link to sudo
A.Davous, 01/02/2009 Unix Security Advanced Admin 42
SUDO CONFIGURATION LINES EXAMPLES
Host_Alias FILESERVERS = fs1, fs2User_Alias ADMINS = antoine, johnCmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yumDefaults requiretty
root ALL = (ALL) ALLantoine fs1 = /sbin/mount, /mnt/cdromADMINS FILESERVERS = SOFTWAREdgb fs2 = (operator) /bin/ls
• The most important : sudoers config should be set to span over multiples servers (by simple file transfer and copy)
• Last : the user dgb may run /bin/ls, but only as operator eg,# sudo –u operator /bin/ls
A.Davous, 01/02/2009 Unix Security Advanced Admin 43
ANSWERS TO QUESTIONS - 1Ubuntu (8-10) iptables startup script
# cd /etc/init.d# grep –i iptables *ufw: if iptables -L ufw-user-input -n >/dev/null 2>&1 ; thenufw: execs="iptables"ufw: execs="iptables"ufw: iptables -L ufw-user-input -n >/dev/null 2>&1 || {# cat /etc/init.d/ufw. . .
A.Davous, 01/02/2009 Unix Security Advanced Admin 44
ANSWERS TO QUESTIONS – 1bisVirtualization• http://fr.wikipedia.org/wiki/Virtualisation_(informatique)
• A Operating system-level virtualization (isolated OS) : on Sun, Solaris 10 handle concepts of containers (zone and resources) ; on Unix, chroot ; on Linux, the same concept is operated with Linux-VServer
• B Paravirtualization (software interface simulating hardware) : VirtualBox, simple but low performance - Vmware Server, Player, Workstation
• C Hypervisor (manage guest kernels calls to hardware) : on Linux, Xen can support virtualization of other OS than itself as long as ported to it - Vmware ESXi
A B C Images Wikipedia
A.Davous, 01/02/2009 Unix Security Advanced Admin 45
ANSWERS TO QUESTIONS - 2FreeBSD (7.1) switch user to root with su• Problem when logged as antoine
> iduid=1001(antoine) gid=1001(antoine) groups=1001(antoine)> su –Feb 18 11:09:02 magfbsd su: BAD SU antoine to root on /dev/ttyv0su: Sorry
• Man su (extract) :...by default only users in the ''wheel'' group can switch to UID 0 (''root'')...
• Correction procedure : log as root first
magfbsd# iduid=0(root) gid=0(wheel) groups=0(wheel),5(operator)magfbsd# cp -p /etc/group /etc/group.ORIGmagfbsd# vi /etc/group # add user antoine to wheel group
• Test : relog as antoine
> iduid=1001(antoine) gid=1001(antoine) groups=1001(antoine)> su –Password:Feb 18 11:17:09 magfbsd su: antoine to root on /dev/ttyv0magfbsd# iduid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
A.Davous, 01/02/2009 Unix Security Advanced Admin 46
ANSWERS TO QUESTIONS - 3
Init levels and services management :• INIT LEVELS• SERVICES MANAGEMENT IMPLEMENTATIONS EXAMPLES
Tree command• tree –d –L 2
Telnet connections handling by TcpWrappers (see also new slides)• In /etc/hosts.allow
in.telnetd : LOCAL
Behavior against SYN received on a closed port• “If the connection does not exist (CLOSED) then a reset is sent in response to any incoming
segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means.”
• RFC793 found at http://www.faqs.org/rfcs/
A.Davous, 01/02/2009 Unix Security Advanced Admin 47
HIGH AVAILABILITY (HA)
• Data : RAID, Multipath• Service access : clusters, network redundancy• Geographic spanning• Load sharing, load balancing, fail over
• For Linux, specific project : Linux-HA http://www.linux-ha.org/
(based on heartbeat-2.1.x, stonith, DRDB packages) Excellent in-deep technical paper : http://www.linux-ha.org/_cache/HeartbeatTutorials__LCA2007-tutorial.pdf
Includes explanations of HA concepts (split-brain, fencing, quorum, SPOF, data sharing, …)
A.Davous, 01/02/2009 Unix Security Advanced Admin 48
(LINUX) CHANNEL BONDING - 1• Four concepts required (details may vary over distributions) :
(Linux) kernel modules, (Linux) network cards configuration, channel bonding itself, HA modes
• Note : Linux NetworkManager service (used for laptop automatic network interfaces configuration) should be disabled and stopped but network service started
• Virtual interface :/etc/sysconfig/network-scripts/ifcfg-bond0
• “Regular” interfaces :/etc/sysconfig/network-scripts/ifcfg-eth0/etc/sysconfig/network-scripts/ifcfg-eth1
• Module loading and configuration :/etc/modprobe.d/bonding
• Commands used to debug :lsmod | grep bond # Check module loadingmodprobe [-r] bonding # Load/unload module/etc/init.d/network [stop|start] # Start/stop network serviceifconfig –a # Print interfaces statusifconfig eth0 [up/down] # Enable/disable interfacecat /var/log/messages | grep –i bond # Check logs
A.Davous, 01/02/2009 Unix Security Advanced Admin 49
(LINUX) CHANNEL BONDING - 2/etc/sysconfig/network-scripts/
ifcfg-bond0 ifcfg-eth0 ifcfg-eth1
DEVICE=bond0NETWORK=192.168.10.0NETMASK=255.255.255.0IPADDR=192.168.10.52ONBOOT=yesBOOTPROTO=noneTYPE=EthernetUSERCTL=noPEERDNS=yesIPV6INIT=noNM_CONTROLLED=noGATEWAY=192.168.10.1
DEVICE=eth0HWADDR=08:00:27:aa:9a:f1ONBOOT=yesBOOTPROTO=noneTYPE=EthernetUSERCTL=noPEERDNS=yesIPV6INIT=noNM_CONTROLLED=noMASTER=bond0SLAVE=yes
DEVICE=eth1HWADDR=08:00:27:e9:ff:c7ONBOOT=yesBOOTPROTO=noneTYPE=EthernetUSERCTL=noPEERDNS=yesIPV6INIT=noNM_CONTROLLED=noMASTER=bond0SLAVE=yes
/etc/modprobe.d/bonding
alias bond0 bonding# options bond0 mode=0 miimon=100 # Load sharingoptions bond0 mode=1 miimon=100 primary=eth0 # Active/standby mode
A.Davous, 01/02/2009 Unix Security Advanced Admin 50
NETWORK SECURITY• TCP/IP SECURITY WEAKNESSES• [X]INETD DAEMON AND SERVICES• TCPWRAPPERS• PORT SCANNING• DHCP• NETWORK CONFIGURATION FILES• NETWORK COMMANDS• IP ALIASING• TCP/IP STACK SECURITY• TOOLS : WIRESHARK AND NMAP
A.Davous, 01/02/2009 Unix Security Advanced Admin 51
REMINDER : NETWORKING - 1
• TCP/IP layers : application telnet, NFS, FTP, SSH, HTTPsession DNS, DHCPtransport TCP, UDPinternet (OSI network) IP, ICMP, routingnetwork access (Ethernet, ARP)
• MAC address 48 bits – 24 first OUI (Organizationally Unique Identifier)• Service = transport protocol (TCP or UDP) + port
/etc/protocols – associate internet protocol (OSI network layer) and protocol identifier/etc/services – associate transport protocol (transport layer) and port number
• IPv6 : 128 bits address (48 firsts for FAI - end for MAC)Compatible IPv4 (::FFFF:a.b.c.d) ,loopback is ::1 , broadcast is FF02::1http://www.potaroo.net/tools/ipv4/index.html
A.Davous, 01/02/2009 Unix Security Advanced Admin 52
REMINDER : NETWORKING - 2
• Classes, networks, hosts, masks, broadcast calculation : see ipcalculator or ipcalc
• Networks, sub-networks and masksSub-networks are used to resize number of hosts belonging to a network, especially for class CMask should always be set ; hosts belonging to different sub-networks can’t communicate except via a router ; this is a way to reduce traffic over LAN
• ARP - RARP• ICMP• UDP : connectionless• TCP : connection oriented
A.Davous, 01/02/2009 Unix Security Advanced Admin 53
ICMP – PINGUsually filtered by firewalls (at least interesting types)
Think about kernel tuning (sysctl –a | grep –i icmp) to avoid flooding
Tools : hping3 [many options], xprobe2 (not really reliable or OS now secured ?)
ICMP types used for fingerprinting• Type 8 – Echo request• Type 13 – Timestamp request• Type 15 – Information request• Type 17 – Subnet address mask request
Ping flooding• Send pings to broadcast or multicast addresses, amplification
A.Davous, 01/02/2009 Unix Security Advanced Admin 54
DHCP
• Network layer – as ICMP• Used to manage leases and allocate IP address – and other parameters as
gateway, DNS addresses,…• Addresses can be allocated permanently (based on MAC client address) or for a
given duration (lease)• Protocol :
Client send a DHCPDISCOVER on broadcastServers are answering with DHCPOFFERClient sends to all DHCP servers with a DHCPREQUEST including chosen serverChosen server finally returns DHCPACK with IP parametersClient may decline parameters with DHCPDECLINE and process is restarted
• DHCP servers must have a static address ! As well, DHCP must not be used for DNS, LDAP, … for security reason – spoofing of address, because there is no authentication mechanism of server identity
A.Davous, 01/02/2009 Unix Security Advanced Admin 55
DHCP CLIENT CONFIGURATION
Linux (Fedora) SolarisInterface config
/etc/sysconfig/network-scripts/ifcfg-eth0/etc/sysconfig/network
/etc/hostname.hme0/etc/init.d/network
Startup script
/etc/init.d/network(/sbin/ifup)
/etc/init.d/network
DHCP activation
BOOTPROTO=DHCP in /etc/sysconfig/network-scripts/ifcfg-eth0
touch /etc/dhcp.hme0Config in /etc/default/dhcpagent
Binary dhclient (not a daemon !) dhcpagent
Client lease file
/var/lib/dhclient/dhclient-eth0.leases(/etc/dhcp/dhcpd-eth0.info in Fedora 9 !)
/etc/dhcp/hme0.dhc
A.Davous, 01/02/2009 Unix Security Advanced Admin 56
TCP/IP NETWORK PROTOCOLS MAP (from protocol.com website)
A.Davous, 01/02/2009 Unix Security Advanced Admin 57
TCP/IP NETWORK PROTOCOLS MAP (from RADCOM website)
A.Davous, 01/02/2009 Unix Security Advanced Admin 58
(Attached PDF file,available from RADCOM
at www.radcom.com)
WELL-KNOWN SERVICES AND PORTS
Service Port Service Port
FTP 21 (20), 990 (989) NTP 123
SSH 22 IMAP 143 (v2), 220 (v3), 993 (v4)
telnet 23, 992 SNMP 161, 162
SMTP 25, 992 LDAP 389, 636
DNS 53 LPD 515
DHCP (BOOTP) 67 (s), 68 (c) NFS 2049, 4045/udp
TFTP 69 X11 6000-19, 6063
HTTP(S) 80, (443) SMB 445
Kerberos 88, 749, 750 AD 3268, 3269
POP-3 110, 995
RPC 111
A.Davous, 01/02/2009 Unix Security Advanced Admin 59
TCP/IP SECURITY WEAKNESSES - 1• TCP/IP leads to an unsecure network by itself• No IP source authentication ; no encrypted headers or content ; flood is
easy• SMTP : no authentication of source mail address• Ping flood• Route sourcing is an IP spoofing technique• Dynamic IP address : do not use it on systems that shares resources
(NFS, Samba) or provides network resources (DNS, DHCP, mail server)
• IP provides connectionless service ; it routes and sends a datagram ; no sequence guaranty ; options fields for source routing and record route ; no encryption ; no authentication
• TCP, on top of IP, provides connection oriented service, delivery, and in sequence guaranties (sequence number, 3-way handshakes, timers, see TCP state machine) ;
A.Davous, 01/02/2009 Unix Security Advanced Admin 60
TCP/IP SECURITY WEAKNESSES - 2• TCP sequence number (32 bits) – counting exchanged bytes – to check
delivery and sequence. Both sides ; initial Sequence Numbers (ISN) are random to distinguish multiple connections ; receiver window size based on it to control flow
• 3-way handshake : SYN, SYN+ACK, ACK ; release FIN, FIN+ACK, ACK• Timers
Connection establishment timer (75 s)TIME_WAIT interval timer (120 s) – allow segment in transit to be removedFor example, KEEK_ALIVE timer (3600 s) – can stall TCP state machine
• Flaws leading to DoS : synchronous establishment (no timer at SYN_RCVD, stalled) ; SYN+FIN leads to CLOSE_WAIT (no timer also, stalled)
• SYN flooding leading to DoS due to full listen queue of half opened connections (connection timer is 75 s)
A.Davous, 01/02/2009 Unix Security Advanced Admin 61
TCP/IP SECURITY WEAKNESSES - 3• IP spoofing in case an attacker takes one other host IP address (no control
from server) but 2 catches : attacker does not see responses (*) (sent to regular host) and/or must guess ISN or next sequence number (**) (after authentication for example)(**) Sequence guessing can be done because ISN is not so random(*) Source routing may be used (even tough more prohibited today)
• Connection hijacking – man in the middle attack by exploiting ‘desynchronized state’ (forcing host to reject packets with sequence number inside windows because it has already accepted its own forged)
• ICMPBy sending forged Time Exceeded or Destination Unreachable to both parties (DoS)By sending Echo Request to multicast or broadcast addresses (DoS)By sending Redirect to one of ends to take control of connection (spoofing)These attacks usually done from local network
• DNS :if attacked network is trusting domain names, attacker can map IP address of its host to belong to domain. Reverse mapping done to avoid such an attack
A.Davous, 01/02/2009 Unix Security Advanced Admin 62
NETWORKING COMMANDS
• hostname (nodename)• ifconfig• ping• arp [-n] [-a] ...• netstat [-rn] ...• route [add | del ] ...• traceroute• nslookup, dig• lsof [-i]
A.Davous, 01/02/2009 Unix Security Advanced Admin 63
(LINUX) NETWORKING FILES
• /etc/hosts # Hostname resolution• /etc/inetd.conf (/etc/xinetd.conf, /etc/xinetd.d/)• /etc/services # Service port resolution• /etc/securetty # TTY access• /etc/hosts.equiv # R* services• ~/.rhosts # R* services• /etc/hosts.allow, /etc/hosts.deny # TcpWrappers• /etc/resolv.conf # Name servers declaration• /etc/nsswitch.conf # Name services resolution methods• /etc/sysconfig/network-scripts/ # Ethernet config• /etc/sysconfig/network # Hostname, GW, options• /etc/networks # Network resolution• /etc/protocols # Protocol name resolution
A.Davous, 01/02/2009 Unix Security Advanced Admin 64
INETD AND XINETD
• Extended Internet services daemon• Unique daemon that waits for incoming connections for a number of other services and
start corresponding server (echo, telnet, FTP, r* services… most are standard and/or well-known Unix services – but not all)
• Process : inetd or xinetd (reminder : kill –HUP)• Startup for xinetd : /etc/init.d/xinetd• Log by syslog – but configurable• Old style configuration (inetd) :
/etc/inetd.conf (reminder : /etc/services)• Configuration (xinetd) in :
/etc/xinetd.conf/etc/xinetd.d/* (one config file per service)
• Even tough (x)inetd is a mandatory service (think about installing embedded servers with no SSH package installed yet), controlled services are more and more disabled for security reasons …
• … why ? For example, telnet and FTP are sending clear-text passwords !• Other : installation with core, verbose mode
A.Davous, 01/02/2009 Unix Security Advanced Admin 65
REMINDER : TELNET, (T)FTP, R* SERVICES
• Started by (x)inetd server• Reminder telnet : useful for (tests not only port 23)
# telnet host [port]• TFTP : used for X terminals startup : no authentication at all• telnet, FTP : security problem with clear-text passwords shown…• R* services
Commands : rlogin, rsh, rcp, ruptime, rwhoConfiguration : /etc/hosts.equiv , ~/.rhostsSyntax : user@hostAuthentication is done without password if succeeded (handy for rcp)But security problem : if one listed host is unsecured, local host is unsecured ! This is because with r* services authentication scheme, local authentication is based on remote one.
So use rsync for file transfer (nothing to do with r* services) or better SSH/SFTP for everything.
A.Davous, 01/02/2009 Unix Security Advanced Admin 66
TCPWRAPPERS
• Package that secure connections to given well-known services – those handled by (x)inetd for sure, but others (SSH)…
• …which ones ? For sshd example :# strings –f /sbin/sshd | grep hosts_access/usr/sbin/sshd: hosts_access (YES ! If no line returned, no)
• TcpWrappers is transparently inserted between network and service ; adds access control and logging features
• Binary: tcpd – but not a daemon (invoked at connection). This is why no service to restart after configuration modification
• Configuration files:/etc/hosts.allow/etc/hosts.deny
• Syntax of configuration linesservice_list : host_list [ : (command to log) ]host_list may be an hostname, a list, an IP address or network, a keyword (ALL, LOCAL) – but never use EXCEPT as shown in documentation
A.Davous, 01/02/2009 Unix Security Advanced Admin 67
TELNET CONNECTION EXAMPLEFor example, steps to debug telnet over xinetd connection • Check actual status of service xinetd : /etc/init.d/xinetd status – must
be up and running (or ps –ef | grep inet)• Check telnet service : must be enabled either in /etc/xinetd.conf or
/etc/xinetd.d/telnet configuration files :disable = no
• Check local connection : telnet localhost• Check local firewall if any : TCP port 23 must be open• Check TcpWrappers configuration : in.telnetd must be allowed – at least for
client used to connect or network it belongs to – eventually for ALL during testing
• Check anyway /var/log/messages logs…• For security reason - against spoofing, telnet server (but FTP also) is always
trying a reverse resolution of hostnames – so local and distant addresses should be ‘resolvable’ (in our test case, set in /etc/hosts because no DNS available – /etc/nsswitch.conf)
• Check reboot : chkconfig must show service is on – for next reboot
A.Davous, 01/02/2009 Unix Security Advanced Admin 68
TCP STATE MACHINE
A.Davous, 01/02/2009 Unix Security Advanced Admin 69
PORT SCANNING INTROTCP ports scanning• Normal handshake, port open : SYN, SYN+ACK, ACK
Normal handshake, port closed : SYN, RST+ACK
(note : this is logged ! )• Half-open SYN scan, port open : SYN, SYN+ACK, RST
Half-open SYN scan, port closed : SYN, RST+ACK(note : this may not be logged … but usually is)
• Anyhow, some systems (FW) will think about SYN flooding. So nmap can be used with –T option to slow down flood
• Probe = malformed TCP packet (i.e. “FIN” probe with FIN flag set, or “XMAS” probe with FIN, URG, PUSH, TCP flags set, “NULL” probe with TCP set)Stealth TCP scan, port open : TCP probe, No response (this is garbage)Stealth TCP scan, port closed : TCP probe, RST+ACK(notes : also named inverse TCP flag ; Windows does not respect standard and does not send RST from a closed port ; nmap can use options for each kind of probe : –sF, –sX, –sN)
• Some other techniques : analysis of ACK probe, TTL field, window field
UDP ports scanning• UDP probe, port open : UDP probe, No response
UDP probe, port closed : UDP probe, ICMP dest port unreachable
(note : nmap can use option –sU)• Using specific UDP service clients to test server – not realistic for large number of ports
A.Davous, 01/02/2009 Unix Security Advanced Admin 70
NMAP INTRO – 1
• “The bad guys are already using nmap for reconnaissance, because a single scan can tell you a lot about the open doors and windows in a computer’s house. The good guys are using nmap to make their network safer.” – James Messer (Secrets of Network Cartography)
• Nmap = Network Mapper – It is a port scannerDetects open ports, offered services and OS fingerprint of remote computer(s)Uses analysis techniques based on TCP, IP, UDP and ICMPGuesses OS from fingerprints answers from specific forged queriesOpen source created by ‘Fyodor’ and distributed by Insecure.org
• Warning : Nmap can be seen as an intrusion attemptScans are detected with IDS – Intrusion Detection System like Prelude
• Tests can be done with scanme.nmap.org
A.Davous, 01/02/2009 Unix Security Advanced Admin 71
NMAP INTRO – 2
• Available open source frontends :nmapFE or zenmap
• Ports detection states with nmap :Open TCP connections or UDP packets acceptedClosed Accessible (with answer) but no listening
application on that portFiltered Nmap can’t say because request is drop before accessing port (firewall)Unfiltered Port is accessible but Nmap can’t say if open or
closedOpen-Filtered Nmap can’t say if open or filteredClosed-Filtered Nmap can’t say if closed or filtered
A.Davous, 01/02/2009 Unix Security Advanced Admin 72
MAIN PORTS SCANNING TECHNIQUES – NMAP CORRESPONDENCE - 1
Kind Nmap option
Port Protocol exchange (1) Comments
TCP SYN -sS ClosedOpen
SYN, RSTSYN, SYN+ACK, RST
TCP session not created, no log. Most used method.
TCP Connect()
-sT ClosedOpen
SYN, RSTSYN, SYN+ACK, ACK - RST
TCP connection established. Application logs it.
TCP FIN -sF ClosedOpen
FIN, RSTFIN
Extremely quiet (a single packet to detect open, 2 to detect close).Not applicable for Windows : all ports seems to be closed !Xmas tree -sX Closed
OpenFIN+URG+PUSH, RSTFIN+URG+PUSH
Null scan -sN ClosedOpen
<all-flags-0>, RST<all-flags-0>
Services -sV Should be open !
At TCP level, will uses at least TCP SYN, then specific to app exchange
Only for TCP or UDP scans. Very intrusive. High number of packets exchanged.Based on nmap-service-probe file definitions – not always reliable and should be constantly updated.
(1) Protocol exchange is coded as follow : a plus sign stand for a given set of flags in a given packet, a comma stands for next party packet (nmap or target) and a minus sign for another packet from the same party. For example, SYN, SYN+ACK, ACK - RST means that nmap sends a SYN packet, then target replies by a packet with SYN and ACK flags set, then nmap sends successively an ACK packet and a RST packet.
A.Davous, 01/02/2009 Unix Security Advanced Admin 73
MAIN PORTS SCANNING TECHNIQUES – NMAP CORRESPONDENCE - 2
Kind Nmap option
Port Protocol exchange (1) Comments
UDP -sU ClosedOpenFiltered
UDP empty, ICMP unreachableUDP empty, any UDPUDP empty, anything else
Many problems : target may not send back UDP, nor ICMP.Slow.
TCP ACK -sA - TCP exchange variation -
TCP Window
-sW - TCP exchange variation -
TCP Maimon
-sM - TCP exchange variation -
IP -sO - Tries protocol numbers on IP protocol packet field instead of TCP or UDP
-
FTP bounce
-b - - Based on FTP proxying capability of FTP (a server can send payload to any other server). This could be used to make an inside FTP server to scan other host target ports – which is not possible from outside network. (1)
(1) A classic attack was to send a forged PORT command to an FTP server which will open back to the client a TCP connection thru a stateful firewall by adding a state rule on the given port.
A.Davous, 01/02/2009 Unix Security Advanced Admin 74
NMAP OPTIONS – 1
Kind Options Description
Host discover
-sL List scan – list targets
-sP Ping scan
-P0/PN No host discover
-PS/PA/PU [ports] TCP SYN/ACK or UDP discover
-PE/PP/PM ICMP discover
-PO [protocol] IP ping
-n/R--system-dns
No DNS resolutionOr uses system files
Scan technique
-sS/sT/sA/sW/sM TCP SYN/Connect()/ACK/Window/Maimon
-sN/sF/sX TCP Null, FIN, Xmas
-sU--scanflags <flag>
UDPTCP flags customization
-sl Idlescan
-sO IP protocol scan
-b <FTP-relay>--traceroute--reason
FTP bounce attackTraceroute to hostsVerbose port status
A.Davous, 01/02/2009 Unix Security Advanced Admin 75
NMAP OPTIONS – 2
Kind Options Description
Order -p <ports-range> Ports range scan
-r Sequential port number scan
Detection -sV--version-light--version-all--version-trace
Tests open port to detect service and its versionFast detection with minimal testsAll testsDebug tests information
-O--osscan-limit--osscan-guess
OS detectionLimit detectionMore aggressive detection
Timing policy
-T[0-5]--{min|max}-hostgroup <ms>--{min|max}-parallelism <ms>--{min|max|initial}-rtt-timeout <ms>--max-retries <tries>--[max-]scan-delay <time>
Level of policy(0 – paranoid, 5 - insane)Size of host groups to scan in parallelParallel probingTest packets RTT
Number of retransmissionsDelay between test packets
IPv6 -6 IPv6 activation
A.Davous, 01/02/2009 Unix Security Advanced Admin 76
NMAP OPTIONS – 3
Kind Options Description
Firewall, IDS, usurpation
-f--mtu <mtu>
packets fragmentation...…with this MTU value
-D <decoy1,decoy2,[ME],...> Decoy scan
-S <IP>-e <if>
Usurps IP source...…from this interface
-g--source-port <port>
Set the source port……to this value
--data-length <len>--ip-options <options>--ttl <ttl>--spoof-mac <MAC>--badsum
Add random data to packetSet IP optionsSet TTLSpoof MAC addressSet bad checksum
Output -oN/oX/oS/oG Output format normal/XML/…
-v More verbose
-d[level] Debug level (from 0 to 9)
--packet-trace-iflist
Trace packetsTrace interfaces et routes
A.Davous, 01/02/2009 Unix Security Advanced Admin 77
NAME RESOLUTION AND ROUTING
Name resolution• /etc/hosts – name resolution
(eventually distributed by NIS, but to avoided)• /etc/resolv.conf – domain definition and name servers location
(suppression will deactivate DNS resolution)• /etc/hosts.conf – name services switch
(or /etc/nsswitch.conf)
Routing• On LAN (hubs) no routing necessary• On small networks, static routes may be necessary• On large networks (WAN), dynamic routing handled by routed and gated
daemons (support of RIP, OSPF, BGP, EGP)• On Linux, static routes may be defined in /etc/sysconfig/static-routes
A.Davous, 01/02/2009 Unix Security Advanced Admin 78
TCP/IP STACK (AND KERNEL) TUNINGParameter Default Meaning
net.ipv4.ip_forward 0 IP forwarding
net.ipv4.conf.all.rp_filter 1 Source route verification
net.ipv4.conf.all.accept_source_route 0 Source routing
net.ipv4.icmp_echo_ignore_broadcasts 1 ICMP broadcasts
net.ipv4.conf.all.accept_redirects 0 Redirects
net.ipv4.icmp_ratelimit 1000 ICMP rate limit
. . .
Notes : net.ipv4.conf.default.something : default value to be set to new interfacenet.ipv4.conf.all.something : value set to all interfacesnet.ipv4.conf.eth0.something : value set to this interface
TCP/IP (kernel) tuning should be used with care BUT is essential to security, especially on front-end servers (web servers). This is usually a setting to be done or to be checked against security policy before production.
Static configuration : /etc/sysctl.confDynamic configuration : sysctl –A (to list) , sysctl –w parameter="value" (to set)Last note : this is OS specific (for Solaris, sysdef, adb, ndd commands and similar parameters with different naming scheme)
A.Davous, 01/02/2009 Unix Security Advanced Admin 79
TOOL: WIRESHARK - 1• Other well-known tcpdump (we’ll see it later)• Wireshark can import tcpdump dump file, snoop (Sun) dump file• Open-source and modular conception – you can add your own decoder• Related to sniffing but many other obscure tools are used in real life by hackers• Promiscuous mode – i.e. listen to all frames on LAN (libpcap needed – WinPcap for
Windows environment)• Can be used in text mode without GUI – but not recommended (in line mode use
tcpdump instead with –o option to export dump to Wireshark)• Configurable columns (Edit, Preferences)• Filtering : when capturing (lot of options) or viewing (also…) – can work as ring buffer
with triggers • Important options :
Resolutions : MAC, network, transport – network should be avoided as it creates new trafficFragmented IP – are reassembled by default but configurable (Edit, Preferences, IP protocol options)Analyze, Follow TCP stream : useful to present TCP session in one window
• Rich statistics options• Rich export and presentation options
A.Davous, 01/02/2009 Unix Security Advanced Admin 80
TOOL: WIRESHARK - 2
FIELD TYPE MEANING
ip.addr IPv4 address Source or destination IP address
ip.dst IPv4 address Destination IP address
ip.flags.df Boolean Don’t fragment flag
ip.ttl Unsigned integer Time to live
http.request Boolean HTTP request
icmp.type Unsigned integer ICMP command type
ftp.response.data Characters string FTP data
dns.response Boolean DNS response
A.Davous, 01/02/2009 Unix Security Advanced Admin 81
FILTER MEANING
ip.addr == 192.168.10.2 All packets coming from or going to 192.168.10.2 host
(ip.addr == 192.168.10.2) && (dns.response)
All packets coming from or going to 192.168.10.2 host which are DNS responses
TOOL: WIRESHARK - 3(ANSWER TO THE QUESTION ABOUT RING BUFFER CAPTURE)
• Define a capture filter – not so easy sometimes, so should be tried first with preliminary testsExample – not useful but for concept : among all traffic, you want to catch ICMP request with TTL at 3 (we will trig this with traceroute to www.google.com) and its response :icmp.type == 8 – ICMP requesticmp.type == 11 – ICMP TTL exceededip.ttl == 3 – TTL at 3IP of www.google.com is 209.85.229.103So a capture filter could be :ip.dst == 209.85.229.103 && (icmp.type == 8 || icmp.type == 11) && ip.ttl == 3
A.Davous, 01/02/2009 Unix Security Advanced Admin 82
DATA SECURITY
• RAID• LVM• BACKUP• NAS / SAN
A.Davous, 01/02/2009 Unix Security Advanced Admin 83
DATA SECURITY
• Software installed : the less installed, the less security holes – idea is to reduce field of potential attacks
• Journaled file systems – based on transactions, brutal power shutdown should have no effect on data integrity
• RAID
• As a reminder, command and file to know (on all OS) :mount, umount/etc/fstab
• From a security point of view, external (system) shares should usually mounted as read only
A.Davous, 01/02/2009 Unix Security Advanced Admin 84
RAID - 1
• RAID : Redundant Array of Independent/inexpensive Disks• RAID is a way to aggregate multiple block resources to give an unified
storage view to user – in simple words, aggregate physical hard disks into virtual ones from system perspective
• RAID may be implemented :- physically – RAID controllers – preferred method- in system software – low cost but low performance and security
• To be really redundant, each physical disk or disk group must have its own disk controller – especially if software implemented
• But also multiple path access (multipath), multiple power supplies… – weakest link concept in HA
• Compromise between availability, performance and cost
A.Davous, 01/02/2009 Unix Security Advanced Admin 85
RAID - 2
• RAID 0 : blocks are spread over disks – no reliability• RAID 1 : mirroring, duplication of blocks – limited performance• RAID 5 : striped set with distributed parity or interleave parity – high
availability• RAID 10 : or RAID 1 + 0
Images : Wikipedia
A.Davous, 01/02/2009 Unix Security Advanced Admin 86
RAID 1 REAL CASE EXEMPLEUseful commands are listed - will shown during hands-on (based on Linux RAID 1 simulation over VirtualBox)
cat /etc/fstab File systems table
df –k File systems usages
cat /etc/mdadm.conf RAID configuration
mdadm –-detail /dev/md2 RAID details for /dev/md2
cat /proc/mdstat RAID actual status (1)
An example – very simplified – to detach / re-attach a sub-mirror to its mirror :/dev/md0 : /boot , /dev/md1 : swap , /dev/md2 : root , largest one /dev/md2 to see sync
/dev/md0 = (/dev/sda1 + /dev/sdb1) , /dev/md1 = (/dev/sda2 + /dev/sdb2), /dev/md2 = (/dev/sda3 + /dev/sdb3)
mdadm –-detail /dev/md2 # Try to run it at each step...
mdadm /dev/md2 –-set-faulty /dev/sdb3 # Faulty required to be removed
mdadm /dev/md2 –-remove /dev/sdb3 # Remove sub-mirror#... Here the disk may be changed but other commands required (2) !
mdadm /dev/md2 –-re-add /dev/sdb3 # Re-adding sub-mirror
while true; do cat /proc/mdstat | grep recovery; sleep 15; done
(1) This command demonstrates a common usage of special proc files that can be generalized to other information, try :cat /proc/meminfocat /proc/vmstat – used by vmstat command
(2) This should be done for all mirrors – commands should be duplicated for /dev/md0 and /dev/md1 (see demo).And second disk must be RAID-formatted with same partitions and sizes, at least for mirroring – probably with mdadm as well, but to be verified.
A.Davous, 01/02/2009 Unix Security Advanced Admin 87
(LINUX) LVM• LVM : Linux Volume Management (used also for HP-UX)
(Sun SVM : Solstice Volume Management)• (Multiple) Set of :
(Multiple) Physical Volumes PV (physical disks, partitions, RAID volumes or SAN units)
Volume Group VG(only one for many PV ‘upward’ and many LV ‘downward’)
(Multiple) Logical Volumes LV(simply partitions on which a FS can be set)
• Main useful feature : hot configuration – creation, extension…
A.Davous, 01/02/2009 Unix Security Advanced Admin 88
LVM REAL CASE EXEMPLE - 1One Linux file system with a Linux swap as two LV in the same VG
[root@moscou-fed ~]# cat /etc/fstab
fs_spec fs_file vfstype fs_mntops fs_freq fs_passno
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
UUID=46916b32-…-b231142 /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
dysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VolGroup00/LogVol01 swap swap defaults 0 0
Boot partition on first partition of sda, another physical disk partition sdb5 mounted on /media
[root@moscou-fed ~]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 36736600 3032376 33331436 9% /
/dev/sda1 194442 28192 156211 16% /boot
tmpfs 370620 76 370544 1% /dev/shm
/dev/sdb5 19354752 518808 17852768 3% /media
(shm = shared memory, devpts = consoles, dysfs = virtual device FS,
proc = special files which represent current state of kernel – do cat /proc/meminfo for example)
A.Davous, 01/02/2009 Unix Security Advanced Admin 89
LVM REAL CASE EXEMPLE - 2Finally, LVM configuration shows two LV in one VG itself using only one PV (second partition of sda.)
[root@moscou-fed ~]# lvm
lvm> pvs
PV VG Fmt Attr PSize PFree
/dev/sda2 VolGroup00 lvm2 a- 37.06G 32.00M
lvm> vgs
VG #PV #LV #SN Attr VSize VFree
VolGroup00 1 2 0 wz--n- 37.06G 32.00M
lvm> lvs
LV VG Attr LSize Origin Snap% Move Log Copy% Convert
LogVol00 VolGroup00 -wi-ao 35.59G
LogVol01 VolGroup00 -wi-ao 1.44G
A.Davous, 01/02/2009 Unix Security Advanced Admin 90
FILE SYSTEM - TYPES
Linux Linux(Solaris)
Solaris Solaris(Linux)
Solaris(Mac OS)(Linux)
Windows(Solaris)(Linux)
Windows(Linux)
ext2 ext3 UFS VxFS ZFS FAT32 NTFS
Vendor (Linux) (Linux) (FreeBSD) Veritas Sun Microsoft Microsoft
Max file size 2 TB 2 TB 256 TB ? 16 EB 4 GB 16 EB
Max volume size
32 TB 32 TB 256 TB ? 218 EB 32 GB 16 EB
ACL Yes Yes Yes Yes Yes No Yes
Journaling No Yes No Yes Yes No Yes
Name in Solaris /etc/vfstab
ext2fs (with specific packages)
ext3 ufs vxfs zfs pcfs (Via NFSv2)
Name in Linux /etc/fstab
ext2 ext3 ufs xfs ? ? vfat ntfs
A.Davous, 01/02/2009 Unix Security Advanced Admin 91
Tera = T = 10004 – Exa = E = 10006
BACKUP - 1
• Old days : full backup of system into tapes (requires system boot disk of exactly same release)
• “Backup are for wimps. Real men upload their data to an FTP site and have everyone else mirror it.” – Linus Torvalds
• Nowadays : - mirroring of critic data files (on NAS, SAN with hot swap disks)- system duplication, clusters (geographically diversified)- snapshots (different concepts for LVM, virtual machines)
• Strategy is highly dependant on actual case (front end or backend server)
• What is to be backup – if not everything :Configuration files (/etc, /usr/local/etc, …)Data (specific cases of databases : SQL dumps or proprietary ways)
A.Davous, 01/02/2009 Unix Security Advanced Admin 92
BACKUP – 2 (*)
NAS – Network Attached Storage SAN – Storage Area Network
Files oriented SCSI packets oriented
Based on Ethernet Based on Fiber Channel protocol
Seamless integration in a server-clients network
Isolated from clients access thru dedicated server(s)
NFS or SMB/CIFS environment Dedicated SCSI servers
Simple architecture and administration Complex to deploy and administrateAcronyms :SCSI : Small Computer System InterfaceFC : Fiber ChannelNFS : Network File System (Unix)SMB : Server Message Block protocol (Windows)CIFS : Common Internet File system (Windows)
(*) : of course, these technologies are NOT ONLY used for backup and often as application’s storage or for HA purpose…
A.Davous, 01/02/2009 Unix Security Advanced Admin 93
BACKUP - 3
A.Davous, 01/02/2009 Unix Security Advanced Admin 94
Well-known high-level applications on LINUX :• Amanda 2.6.1 (Jan 2009)
Advanced Maryland Automatic Network Disk ArchiverUses Samba or native Windows (VSS = Volume Shadow Services) to backup Windows clients http://www.amanda.org/
• Bacula 2.4.4 (Jan 2009)Modular architecture (highly developed) : Admin workstation (tray monitor, command console), Backup server (director daemon), Database Server (MySQL or else for catalogs), File server (file daemon) and Storage Server (connected to backup device) http://www.bacula.org/fr/
Well-known high-level applications on Unix (usually large Network Management applications that handle at least a backup module):
• IBM Tivoli• HP OpenView• BMC Patrol
TP1 - NTP
A.Davous, 01/02/2009 Unix Security Advanced Admin 95
NTP - INTRODUCTION• NTP : Network Time Protocol, for servers time synchronization thru network• Uses NTP protocol (UDP, port 123) formalized in IETF RFC1305
NTP provides the mechanisms to synchronize time and coordinate time distribution in a large, diverse internet operating at rates from mundane to lightwave. [antoine@magfed ~]$ cat /etc/services | egrep "^ntp“ntp 123/tcpntp 123/udp # Network Time Protocol
• Stratum concept : …the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level.
• 2 operating architectures :- symmetric active/passive – client pulls time information- client/server broadcast/multicast – server pushes time information
• Versions[root@moscou-fed ~]# ntpq
ntpq> version
ntpq [email protected] Mon Jan 12 14:07:32 UTC 2009 (1)
ntpq> ntpversion
NTP version being claimed is 2
A.Davous, 01/02/2009 Unix Security Advanced Admin 96
NTP – PACKAGE - 1• Package is ntp-4.2.4p6-1.fc10.i386 – binary installation (Yum) :
[root@magfed ~]# rpm -qa | grep -i ntp
ntp-4.2.4p6-1.fc10.i386
• From ntp.org, actual version is :Release Version DateProduction 4.2.4p6 2009/01/08
Release Candidate 4.2.4p7 2009/03/30
Development 4.2.5p161 2009/03/31
• Update available ? Probably not, but to check…[root@magfed ~]# yum check-update ntp-4.2.4p6-1.fc10.i386Loaded plugins: refresh-packagekitfedora | 2.8 kB 00:00updates | 2.3 kB 00:00updates/primary_db | 3.1 MB 00:02
• … and to update[root@magfed ~]# yum update ntp-4.2.4p6-1.fc10.i386
A.Davous, 01/02/2009 Unix Security Advanced Admin 97
NTP – PACKAGE - 2
A.Davous, 01/02/2009 Unix Security Advanced Admin 98
NTP – COMMANDS - 1• Start (obvious), stop (obvious), status[antoine@magfed ~]$ /etc/init.d/ntpd status
ntpd (pid 2122) is running...
[root@moscou-fed ~]# ps -ef | egrep "[U]ID|[n]tp"
UID PID PPID C STIME TTY TIME CMD
ntp 2288 1 0 13:56 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid –g
• Actual status – you should have seen some problems with VM (?) :[root@moscou-fed ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
+farnsworth.1270 131.188.3.223 2 u 336 1024 377 11.417 4.163 0.259
*ns1.azuria.net 193.67.79.202 2 u 901 1024 377 9.586 9.058 1.761
+crush.bmconseil 91.121.20.142 3 u 882 1024 377 9.759 3.963 73.903
Where :
+ denotes symmetric active
(star) denotes the peer server synchronized to
poll : polling interval in secondsreach : reachability register in octal (377 highest value = 255 base 10)delay, offset and jitter in ms
A.Davous, 01/02/2009 Unix Security Advanced Admin 99
NTP – COMMANDS - 2• ntpq – standard NTP query program
ntpq> help
ntpq commands:
addvars debug lopeers passociations rl associations delay lpassociations passwd rmvars authenticate exit lpeers peers rv cl help mreadlist poll showvars clearvars host mreadvar pstatus timeout clocklist hostnames mrl quit version clockvar keyid mrv raw writelist cooked keytype ntpversion readlist writevar
• ntpdc – special NTP query program
ntpdc> help
ntpdc commands:
addpeer controlkey fudge keytype quit timeout addrefclock ctlstats help listpeers readkeys timerstats addserver debug host loopinfo requestkey traps addtrap delay hostnames memstats reset trustedkey authinfo delrestrict ifreload monlist reslist unconfig broadcast disable ifstats passwd restrict unrestrict clkbug dmpeers iostats peers showpeer untrustedkey clockstat enable kerninfo preset sysinfo version clrtrap exit keyid pstats sysstats
A.Davous, 01/02/2009 Unix Security Advanced Admin 100
NTP – CONFIGURATION - 1# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
A.Davous, 01/02/2009 Unix Security Advanced Admin 101
NTP – CONFIGURATION - 2restrict default ignore
restrict -6 default ignore
restrict 192.168.10.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery
restrict 192.168.2.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
restrict -6 ::1
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
A.Davous, 01/02/2009 Unix Security Advanced Admin 102
NTP – LOG TRACE
• tail –f /var/log/messages | grep ntpApr 9 07:32:22 magfed ntpd[2122]: time reset +0.234766 s
Apr 9 07:32:22 magfed ntpd[2122]: kernel time sync status change 0001
Apr 9 07:37:27 magfed ntpd[2122]: synchronized to 91.121.19.179, stratum 2
Apr 9 07:40:36 magfed ntpd[2122]: synchronized to 193.48.168.130, stratum 2
[ STOP HERE ]
Apr 9 07:43:05 magfed ntpd[2122]: ntpd exiting on signal 15
[ START HERE ]
Apr 9 07:43:11 magfed ntpd[2576]: ntpd [email protected] Mon Jan 12 14:07:28 UTC 2009 (1)
Apr 9 07:43:11 magfed ntpd[2577]: precision = 2.585 usec
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #1 wildcard, ::#123 Disabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #2 eth0, fe80::a00:27ff:feac:77f7#123 Enabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #3 lo, ::1#123 Enabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #4 lo, 127.0.0.1#123 Enabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #5 eth0, 192.168.10.4#123 Enabled
Apr 9 07:43:11 magfed ntpd[2577]: Listening on routing socket on fd #22 for interface updates
Apr 9 07:43:11 magfed ntpd[2577]: kernel time sync status 0040
Apr 9 07:43:11 magfed ntpd[2577]: frequency initialized 16.601 PPM from /var/lib/ntp/drift
[ AFTER A WHILE ]
Apr 9 07:47:29 magfed ntpd[2577]: synchronized to 87.98.159.36, stratum 2
Apr 9 07:47:30 magfed ntpd[2577]: time reset +1.073432 s
Apr 9 07:47:30 magfed ntpd[2577]: kernel time sync status change 0001
A.Davous, 01/02/2009 Unix Security Advanced Admin 103
NTP – NETWORK TRACE - 1
• With tcpdump by refresh of Windows client (Internet time parameters, Update time)
[root@moscou-fed ~]# tcpdump -i eth0 port ntp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:18:20.207873 IP 192.168.0.128.ntp > 192.168.0.1.ntp: NTPv3, Client, length 48
17:18:20.208009 IP 192.168.0.1.ntp > 192.168.0.128.ntp: NTPv3, Server, length 48
A.Davous, 01/02/2009 Unix Security Advanced Admin 104
NTP – NETWORK TRACE - 2• Wireshark (capture filter “ntp”) and exporting and filtering trace (displayed packets) to text formatNo. Time Source Destination Protocol Info _
2337 10.597450 192.168.0.128 192.168.0.1 NTP NTP client
Network Time Protocol
Reference Clock Update Time: Apr 9, 2009 15:18:18.9180 UTC
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: Apr 9, 2009 15:19:53.9070 UTC
No. Time Source Destination Protocol Info _
2338 10.597562 192.168.0.1 192.168.0.128 NTP NTP server
Network Time Protocol
Flags: 0x1c
00.. .... = Leap Indicator: no warning (0)
..01 1... = Version number: NTP Version 3 (3)
.... .100 = Mode: server (4)
Peer Clock Stratum: secondary reference (3)
Peer Polling Interval: 10 (1024 sec)
Peer Clock Precision: 0.000001 sec
Root Delay: 0.0225 sec
Root Dispersion: 0.0547 sec
Reference Clock ID: 80.65.235.4
Reference Clock Update Time: Apr 9, 2009 15:08:28.7991 UTC
Originate Time Stamp: Apr 9, 2009 15:19:53.9070 UTC
Receive Time Stamp: Apr 9, 2009 15:19:55.2902 UTC
Transmit Time Stamp: Apr 9, 2009 15:19:55.2903 UTC
A.Davous, 01/02/2009 Unix Security Advanced Admin 105
NTP – SECURITY - 1• Own NTP security (Access Control Support, authentication)• Local firewall (block NTP incoming but let outgoing to server, depending on
mode – symmetric or multicast)• Use IP addresses instead of hostnames (general rule)• Set correct permissions for binaries, for configuration files, for logs (general
rule)• Secure NTP administration commands access• Problem not solved :[root@moscou-fed ~]# ps -ef | grep ntp
ntp 6511 1 0 21:18 ? 00:00:00 ntpd -I eth0 -u ntp:ntp -p /var/run/ntpd.pid –g
[root@moscou-fed ~]# netstat --inet -a | egrep "Proto|ntp"
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 10.8.0.3:ntp *:* (tun0)
udp 0 0 89-156-6-39.rev.num:ntp *:* (eth1)
udp 0 0 192.168.0.1:ntp *:* (eth0)
udp 0 0 localhost.localdomain:ntp *:* (lo0)
udp 0 0 *:ntp *:*
Even if option –I eth0 added in /etc/sysconfig/ntpdOPTIONS="-I eth0 -u ntp:ntp -p /var/run/ntpd.pid -g"
A.Davous, 01/02/2009 Unix Security Advanced Admin 106
NTP – SECURITY - 2• Simple security scheme with :
In /etc/ntp/keys on both client and server4 M shf49sIn /etc/ntp.conf on both client and servertrustedkey 4In /etc/ntp.conf on clientserver 192.168.0.1 key 4
• If key is invalid on client side for example :[root@moscou-fed ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
192.168.0.1 .AUTH. 16 u - 64 0 0.000 0.000 0.000
A.Davous, 01/02/2009 Unix Security Advanced Admin 107
NTP – SECURITY - 3No. Time Source Destination Protocol Info _
2148 21.837346 192.168.0.135 192.168.0.1 NTP NTP client
...
Network Time Protocol
...
Reference Clock ID: 192.168.0.1
Reference Clock Update Time: Apr 9, 2009 19:55:06.0316 UTC
Originate Time Stamp: Apr 9, 2009 19:56:10.0764 UTC
Receive Time Stamp: Apr 9, 2009 19:56:10.0317 UTC
Transmit Time Stamp: Apr 9, 2009 19:57:16.0300 UTC
Key ID: 00000004
Message Authentication Code: 931D66E8C3E8DD1E6C0A4A077BB8CA20
No. Time Source Destination Protocol Info _
2149 21.837498 192.168.0.1 192.168.0.135 NTP NTP server
...
Network Time Protocol
...
Reference Clock ID: 88.191.77.246
Reference Clock Update Time: Apr 9, 2009 19:48:48.8906 UTC
Originate Time Stamp: Apr 9, 2009 19:57:16.0300 UTC
Receive Time Stamp: Apr 9, 2009 19:57:16.0719 UTC
Transmit Time Stamp: Apr 9, 2009 19:57:16.0720 UTC
Key ID: 00000004
Message Authentication Code: 1ACB85DBA718FD9843ABD2C2FAFB6BD7
A.Davous, 01/02/2009 Unix Security Advanced Admin 108
NTP - REFERENCES
• IETF NTP related RFC :http://www.ietf.org/rfc/rfc1305.txt?number=1305
• NTP home site :http://www.ntp.org/
• Public NTP servers list :http://support.ntp.org/bin/view/Servers/WebHome
A.Davous, 01/02/2009 Unix Security Advanced Admin 109
SYSTEM HARDENING• SECURITY POLICY• PAM• CHROOTING• APACHE CHROOTING EXEMPLE• KERBEROS
A.Davous, 01/02/2009 Unix Security Advanced Admin 110
SECURITY POLICY
• Concept of hardening• Concept of policy security
• GNU/Linux Fedora – Sécurité, chapter 7• Unix and Linux Security Checklist v3.0 – AusCERT
http://www.auscert.org.au
A.Davous, 01/02/2009 Unix Security Advanced Admin 111
HOW TO SECURE A SYSTEM• Physical• Disk : partitioning (/, /boot, /var, /home)• File system : mount securely (noexec, ro,..)• GRUB configuration• Update software• Remove or check (chmod 700 gcc) installed compilers • Remove unused packages (rpm –e <package> but care with dependencies)• Disable interactive init startup (/etc/sysconfig/init, PROMPT=no)• Disable unused services ( [x]inetd configuration, /etc/rcX.d, chkconfig,
services GUI)• Define umask in profile system file• SELinux => specific to Fedora, we’ll see that later on • Remove unused users (especially guest type accounts as nobody – but beware of actual
owners of files !)• … Look chapter 7 of ENI recommended book
• IT IS ALL ABOUT WHAT HAS BEEN SHOWN FROM START TO END OF THIS COURSE
A.Davous, 01/02/2009 Unix Security Advanced Admin 112
PAM - 1• PAM is a configurable mechanism,
that let system to authenticate users, independently from programs or services
• PAM = Pluggable Authentication Module• PAM components:
- legacy services – compatible with PAM (login, passwd)- modules (libraries .so in /lib/security) – do authentication related tasks – development- main configuration data (in /etc/pam.conf and /etc/pam.d/), by service – probably nothing to do with them except development- user configuration data (in /etc/security/*.conf), by service – this is where sysadmin has to do setup
A.Davous, 01/02/2009 Unix Security Advanced Admin 113
PAM - 2• Type valuesauth : instructs the application to prompt the user for a password
account : performs non-authentication based account management (time, max logged users)
password : updates authentication token associated with the user
session : does things that need to be done after (logging, mounting directories)
• Control valuessufficient : success of such module is enough, return success ; if not
continue
requisite : if module fails to give access, return fail ; if not continue
required : must give access and continue anyway
optional : result of this module will be used only if no other has given a result
include : include another module definition
A.Davous, 01/02/2009 Unix Security Advanced Admin 114
PAM - 3#%PAM-1.0
# root can connect as defined in /etc/securetty
auth required pam_securetty.so
# prompt password (maybe in /etc/shadow) ; empty password authorized
auth required pam_unix.so shadow nullok
# controls if /etc/nologin exists (if so, only root can connect)
auth required pam_nologin.so
# check account permissions (expired password ?)
account required pam_unix.so
# if password expired, ask a new one, check against dicts., max 3 times
password required pam_cracklib.so retry=3
# effective change of password – from previous pam_unix.so invocation
password required pam_unix.so shadow nullok use_authok
# log in /var/log/messages
session required pam_unix.so
A.Davous, 01/02/2009 Unix Security Advanced Admin 115
CHROOTING
• Chrooting is changing the root directory of the calling process.The application is put in jail, with no access to the system even if compromised
• Chrooting can be compared to OS virtualisation as a less advanced technique (Sun containers, Linux Xen)
• Traditionally used to secure web (Apache) or DNS (Bind) servers
• Next example is the opportunity to examine some Apache security measures (compilation, modules, UID, configuration) as well as usage of advanced commands (ldd, strings, strace, mknod)
A.Davous, 01/02/2009 Unix Security Advanced Admin 116
APACHE REQUISITS• Idea is to offer a web service on FE (front end) servers. Only for static
pages but high performance and security – no PHP, JSP or CGI, all handled by hidden BE (back ends)
• Name based virtual hosting – only one server IP but as many hosts as virtual servers
• Basic authentication – based on IP client address• Server must be hardened : server must offer only web and management
services (SSH, SNMP, ...)• Apache should be compiled in place for performance and security purpose• Only useful modules loaded in Apache and statically compiled – as opposed to
shared modules• Server must run with its own UID/GID• Chrooting is a good solution here as it put Apache in a jail from which there is
no possibility from any way to reach system
A.Davous, 01/02/2009 Unix Security Advanced Admin 117
APACHE INSTALLATIONDownload latest Apache sources from http://httpd.apache.org/ $ cp httpd-2.2.11.tar.gz /usr/src/. # Probably home directory
!
$ gunzip httpd-2.2.11.tar.gz
$ tar xvf httpd-2.2.11.tar
$ cd httpd-2.2.11
Create makefiles by disabling most modules$ ./configure --disable-actions --disable-alias \
--disable-asis --disable-autoindex --disable-cgi \
--disable-cgid --disable-charset-lite –disable-env \
--disable-imagemap --disable-include --disable-negotiation \
--disable-setenvif --disable-usedir
$ make
Installation as root# umask 022
# make install
# chown –R root:root /usr/local/apache2
A.Davous, 01/02/2009 Unix Security Advanced Admin 118
APACHE CHROOTING - 1Creating jail directories# mkdir –p /chroot/httpd/dev# mkdir –p /chroot/httpd/etc# mkdir –p /chroot/httpd/lib# mkdir –p /chroot/httpd/usr/local/apache2/bin# mkdir –p /chroot/httpd/usr/local/apache2/logs# mkdir –p /chroot/httpd/usr/local/apache2/conf# mkdir –p /chroot/httpd/usr/local/apache2/htdocs# chown –R root:root /chroot# chmod –R 0755 /chroot
Special device /dev/null# ls –als /dev/null
# mknod /chroot/httpd/dev/null c 1 3
# chown root:root /chroot/httpd/dev/null
# chmod 666 /chroot/httpd/dev/null
Looking for required libraries# ldd /usr/local/apache2/bin/httpd
# strings /usr/local/apache2/bin/httpd | grep lib
# strace /usr/local/apache2/bin/httpd 2>&1 | grep open # Fedora
# truss /usr/local/apache2/bin/httpd 2>&1 | grep open # Solaris
A.Davous, 01/02/2009 Unix Security Advanced Admin 119
APACHE CHROOTING - 2Copying library files to jail - some are missing, see commands.txt# cp –p /usr/local/apache2/bin/httpd /chroot/httpd/usr/local/apache2/bin/.
# cp –p /lib/libm.so.6 /chroot/httpd/lib/.
# cp -p /usr/local/apache2/lib/libaprutil-1.so.0 /chroot/httpd/usr/local/apache2/lib/.
# cp -p /usr/local/apache2/lib/libexpat.so.0 /chroot/httpd/usr/local/apache2/lib/.
# cp -p /usr/local/apache2/lib/libapr-1.so.0 /chroot/httpd/usr/local/apache2/lib/.
# cp -p /lib/librt.so.1 /chroot/httpd/lib/.
# cp -p /lib/libcrypt.so.1 /chroot/httpd/lib/.
# cp -p /lib/libpthread.so.0 /chroot/httpd/lib/.
# cp -p /lib/libdl.so.2 /chroot/httpd/lib/.
# cp -p /lib/libc.so.6 /chroot/httpd/lib/.
# cp -p /lib/ld-linux.so.2 /chroot/httpd/lib/.
Copying system and application files to jail - some are missing, see commands.txt# cp -p /usr/local/apache2/bin/httpd /chroot/httpd/usr/local/apache2/bin/.
# cp -p /usr/local/apache2/conf/httpd.conf /chroot/httpd/usr/local/apache2/conf/.
# cp -p /usr/local/apache2/conf/mime.types \ /chroot/httpd/usr/local/apache2/conf/mime.types
# cp -p /etc/hosts /chroot/httpd/etc/.
# cp -p /etc/resolv.conf /chroot/httpd/etc/.
# cp -p /etc/hosts.conf /chroot/httpd/etc/.
# cp -p /etc/group /chroot/httpd/etc/.
# cp -p /etc/passwd /chroot/httpd/etc/.
# cp -p /etc/shadow /chroot/httpd/etc/.
# cp –p /usr/local/apache2/htdocs/* /chroot/httpd/usr/local/apache2/htdocs/.
A.Davous, 01/02/2009 Unix Security Advanced Admin 120
FINAL CHROOTED-APACHE CONFIGURATION
Apache in jail should work now… This is the last step, configuration and tuning :• Users and group clean-up (remove all other than apache users and groups)• Network configuration tuning (/etc/hosts, /etc/nsswitch.conf,
/etc/resolv.conf, …)• Apache configuration :
/chroot/httpd/usr/local/apache2/conf/httpd.conf
• Apache content – web pages : /chroot/httpd/usr/local/apache2/htdocs/*
• Apache startup script to be modified and placed in /etc/init.d/ by modifying the delivered one with sources ; startup configuration with chkconfig command
• Probably other things to do ...
A.Davous, 01/02/2009 Unix Security Advanced Admin 121
APACHE ASSESSMENT
A.Davous, 01/02/2009 Unix Security Advanced Admin 122
KERBEROS• MIT project that encrypts transactions of adapted application – “kerberized
applications” like telnet, FTP, …• Clients are authenticated by kerberized services with tickets• Based first on KDC (Key Distribution Center) that validates password with
symmetric encryption ; then authenticated client can ask TGS (Ticket Granting Service) to deliver authorization ticket for given application usage
• Kerberos needs time synchronization (NTP) and DNS services• Pros : usual historical services does not encrypt transactions – clear text
password but rest of transaction – Kerberos resolves this issue• Cons : no direct use of Unix users databases ; PAM integration not complete ;
application must be redesigned
The whole system may be compromised : - if KDC/TGS server is compromised (open to unsecure network)- if not all services kerberized (by sending unprotected passwords)
• OpenSSH is probably the alternative
A.Davous, 01/02/2009 Unix Security Advanced Admin 123
FIREWALLS
•
A.Davous, 01/02/2009 Unix Security Advanced Admin 124
Sun xVM VirtualBox - 1• VirtualBox release 2.1.2 found at www.virtualbox.org
(accept installation of USB and network drivers)Host and guest concepts, see manualGuest additions concept
• Fedora 10 found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso, 32 bits although 64 supported by xVM, English edition, installable Live CD)
A.Davous, 01/02/2009 Unix Security Advanced Admin 125
Sun xVM VirtualBox - 2• Installation procedure (example is Fedora)
New machine ; choose OS, select memory size (2 GB but less than host !), add virtual disk (fixed, 10 GB).Mount OS ISO local file as CD/DVD-ROMStart !... (ignore both messages – no additions installed yet)When started, use Install on hard disk icon. Select French keyboard.Shut down, unmount CD/DVD and restart.Upgrade system and application packages (Yum).Install dkms package (Dynamic Kernel Module Support Framework).Install GNU make, gcc packages.Mount Guest Additions ISO with Devices, Install Guest Additions xVM menu.Run Sun’s script (cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run)Restart.
A.Davous, 01/02/2009 Unix Security Advanced Admin 126
Sun xVM VirtualBox - 3• Installation procedure particularities for Debian 4
Installation of small image via Internet.Disk partitioning without LVM, one root partition.Desktop and system packages.Synaptic Package Manager used for package installation : make, gcc and kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686 ; check release with command uname –a).
A.Davous, 01/02/2009 Unix Security Advanced Admin 127
Sun xVM VirtualBox - 4• Command line
A.Davous, 01/02/2009 Unix Security Advanced Admin 128
REMOTE ACCESS TO SYSTEM
• Xming XLaunch utility• But otherwise, X specific, “exporting display” :
Run your X server on PC (nothing required if PuTTY used because X protocol is SSH’d encapsulated - port 22 ; otherwise, ports XDMCP 177 and 6000 should be opened)Then, on client : setenv DISPLAY server:0.0echo $DISPLAY
• Putty
A.Davous, 01/02/2009 Unix Security Advanced Admin 129
USEFUL LINKShttp://www.dwheeler.com/secure-programs/ Secure Programming for Linux and Unix HOWTOwww.cpan.org Perl packages and morehttp://www.sun.com/software/security/jass Sun’s JASS Solaris Security Toolkithttp://www.digilife.be/quickreferences/quickrefs.htm Quick Reference Cards – useful for those related to Unixhttp://www.cert.org/cert/ CERT – Security informationhttp://www.auscert.org.au/5816 AusCERT – Unix and Linux Security Checklist v3.0http://www.protocols.com/pbook/tcpip1.htm#MAP RADCOM protocols.com web site (protocols map)
A.Davous, 01/02/2009 130Unix Security Advanced Admin
BIBLIOGRAPHYUnix System Administration Handbook – Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein – Prentice Hall
English. Third edition 2001. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD). 854 p.
Essential System Administration – Aeleen Frisch – O’Reilly
English, but French version available (Les bases de l’administration système). Third edition 2002. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD, Tru64). 1172 p.
TCP/IP illustrated volume 1 – Richard Stevens Addison-Wesley
English, but French version available (TCP/IP illustré - Vuibert). A must for TCP/IP matter. No OS privileged but Unix foundations. 592 p.
TCP/IP Network Administration – Craig Hunt – O’Reilly
English, but French version available. Third edition 2002. Covers RedHat and Solaris. 772 p.
Network Security Assessment – Chris McNab – O’Reilly
English. Second edition 2007. Covers Unix and Windows from network services breaches perspective. 478 p.
GNU/Linux Fedora, Spécial Sécurité – Huet-Verhille – ENI Editions
French. First edition 2007. Focuses on Fedora (as it is a native secured OS). 342 p. 39 €. Recommended for this course
A.Davous, 01/02/2009 Unix Security Advanced Admin 131
WINDOWS TOOLS USED DURING THIS SESSION
Wireshark (prev. Ethereal), network protocol analyzer http://www.wireshark.org
PuTTY, SSH client http://www.chiark.greenend.org.uk/~sgtatham/putty/
Xming, PC X server http://www.straightrunning.com/XmingNotes/
VirtualBox, virtualization http://www.virtualbox.org/
EasyBCD, Windows Vista bootloader utility http://neosmart.net/
Apache JMeter, HTTP workbench http://jakarta.apache.org/jmeter/
A.Davous, 01/02/2009 Unix Security Advanced Admin 132