Welcome to Track4Techs #ChannelCon16

#ChannelCon16 - Amazon Web Services · even virtualized Windows and VMWare administrators are expected to know Linux. ... developers often get Linux certified, ... •onfigure the


Page 1: Welcome to Track4Techs #ChannelCon16

Page 2: A Foundational IT Framework

Infrastructure – Development – Security – Data

Page 3: Today’s Tech, Today’s Linux

James Stanger, Sr. Director, CompTIA

Page 4: James Stanger, Senior Director, Products, CompTIA

• Responsible for determining CompTIA’s product roadmap
• Authority in: open source, security, networking technologies, education

Copyright (c) 2015 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Page 5: Drivers for Linux

• Technology footprint
• Development platforms
• Increased attacks
• Internet of Things

Page 6: Where is Linux used in the IT world today?

Job role – Description

• Systems administrator – Configuring Linux systems to support file sharing, database, and e-commerce. Includes DNS, DHCP, and supporting services.
• Web systems administrator – Apache and Linux run over 50% of the Web.
• Virtualization / Linux and Windows administrator – Linux systems are often the foundation of virtualized environments. Therefore, even virtualized Windows and VMWare administrators are expected to know Linux.
• Intrusion detection technician / analyst / consultant – The Snort IDS, for example, was effectively “born” in Linux. Now owned by Cisco, it will never lose its Linux roots. Plus, many IDS systems remain live on Linux systems.
• Penetration tester – Linux systems allow for sophisticated applications and scripting that help testers scan, penetrate, and test internal and external systems.
• Linux developer / Mobile app developer / Application engineer – Believe it or not, developers often get Linux certified, because they need to know the environment.
• Storage engineer – For SAN and NAS-based solutions.
• Hadoop administrator – Big data isn’t all just about business intelligence, heat maps, and MapReduce. Someone has to run the systems.

Page 7: Infrastructure support – looking underneath the hood

Page 8: Installing a VM

• Choice of environments
  – VirtualBox: https://www.virtualbox.org/wiki/Downloads
  – VMWare: https://my.vmware.com/web/vmware/downloads
  – Hyper-V: https://www.microsoft.com/en-us/server-cloud/solutions/virtualization.aspx

Page 9: VM considerations

• Obtain the ISO file of the OS
• Settings
  – OS type
  – Architecture (32 or 64)
  – RAM (1024 / 2048)
  – Virtual hard disk size
  – Fixed or virtual
  – IDE controller (SATA): use the ISO
• Additional settings – multiple net adapters, cut and paste, audio

Page 10: Open Visual Traceroute

• More than just kind of fun
• Useful for showing locations
• Intermediate routers
• To install ovtr:
  – Uninstall OpenJDK
  – Install Oracle Java
  – Update your install database

Page 11: Installing Open Visual Traceroute

• sudo apt-get remove --purge 'openjdk*'
• sudo apt-get install oracle-java8-installer gksu traceroute
• sudo apt-get install whois
• sudo dpkg -i ovtr_1.6.3-1.amd64.deb
• You can then run ovtr from the menu: Open Visual Traceroute

Page 12: Network monitoring

• Top derivatives
  – atop, htop, iotop, powertop, ntopng
  – More useful than you think for networking
• ntop, jnettop and iftop
  – For network traffic
  – ntop covered later
• bandwidthd and bmon
  – Web-based access
  – For long-term, like ntop
• Additional tools: lynx and netcat (nc)

Screenshot: iftop running – useful for short-term monitoring

Page 13: Network monitoring (cont’d)

• etherape
  – High-level overview of the network
• nethogs
  – By app
  – Useful for tracing
• iptraf
  – Interface stats
  – Often a bit grumpy on virtualized systems

Page 14: Even more network monitoring

• vnstat
  – Persistent stats, even through boots
  – Uses kernel-based logging
• iptstate
  – Monitors traffic across iptables
  – Helps look for congestion
• darkstat
  – Has own Web server
  – Captures traffic
  – Calculates stats

Page 15: Configuring darkstat (screenshot)

Page 16: Web-based network monitoring

• Nagios
  – Like ntop
  – Bandwidth monitor
• OpenNMS
  – Still quite active
  – Modular design
• brainypdm
  – Gathers data (Nagios)
• Performance Co-Pilot (PCP)
  – Gathers data from multiple hosts
  – Web interface or GUI

Configuring PCP:
$ sudo apt-get install pcp
$ sudo update-rc.d pmcd defaults
$ sudo update-rc.d pmlogger defaults
$ sudo service pmcd restart
$ sudo service pmlogger restart
$ sudo apt-get install pcp-doc pcp-gui
$ pcp -h localhost
Documentation: http://www.pcp.io/docs/guide.html
$ pmdumptext -Xlimu -t 2sec 'kernel.all.load[1]' mem.util.used disk.partitions.write -h acme.com
$ pmchart -t 2sec -h localhost
$ pmchart -t 2sec -h host1 -h host2

Page 17: pcp’s GUI interface

$ pmchart -t 2sec -h localhost

Page 18: Web-based network monitoring: ntop

• Install (Ubuntu)
  – Few, if any, dependencies
  – URL: http://idroot.net/linux/install-ntopng-ubuntu-16-04/
• Considerations
  – What about switched networks?
  – TMI at port localhost:3000
  – Narrow down according to: business need (what your boss wants), traffic type, network sector, history of traffic and/or issues
• Default user: admin; password – you set it

Page 19: Linux and security

Page 20: Rootkit detection

• Many available
  – Lynis
  – Chkrootkit
  – ISPProtect
  – Sophos
• They look for software
• They also look for dangerous conditions that invite rootkits
• Rootkits
  – Necurs
  – Ones you’ve never heard of

Page 21: Typical open source security analyst tools

Open source software – Description – URL

• Wireshark – Network protocol analyzer / packet capture tool – www.wireshark.org
• Bro – Event monitoring software, focusing on analysis – www.bro.org
• AlienVault Open Source SIEM (OSSIM) – Event monitoring software – www.alienvault.com
• Snort – IDS, now managed by Cisco – www.snort.org

Page 22: Using Wireshark

• Use it securely
  – Use dumpcap first, as root (sudo), to capture
  – Can also use tshark (?)
  – Then, use the Wireshark GUI as a standard user to read the packets
• Tips
  – Filtering packets
  – Saving for reuse later

$ sudo dumpcap -w wiresharkcapture.cap
$ sudo chmod o+rw wiresharkcapture.cap
$ wireshark -r wiresharkcapture.cap

(Read access, o+r, is all the GUI needs; o+rw also lets any local user modify the capture.)

Page 23: Installing bro

• Installation
  – $ sudo apt-get install zlib1g
  – $ sudo apt-get install zlib1g-dev
  – $ sudo apt-get install cmake make gcc g++ bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
  – $ cd bro-2.4.1/
  – $ ./configure --prefix=/nsm/bro
  – $ make
  – $ sudo make install
  – $ export PATH=/nsm/bro/bin/:$PATH

You are now ready to run broctl as root. You can also edit the /etc/environment file to add the path.

Page 24: Configuring bro

• Use the broctl command
  – status
  – netstats
  – top
• Configuration files:
  – All off of the /nsm/bro/etc/ directory, not the /etc/ directory
  – node.cfg: specify the interface
  – networks.cfg: specify the network to monitor
  – broctl.cfg: mail configuration – for notifications
• Restart: $ /nsm/bro/bin/broctl, then start | stop

Page 25: Configuring bro (cont’d)

• View the following log files:
  – /nsm/bro/logs/*
  – Today’s date
  – communication*, loaded_scripts*
  – packet_filter*
  – The “current” directory
  – Files include weird.log, dns.log, httpd.log, scripts.log
• Too much information / don’t like reading log files?
  – Configure the “ELK stack”
  – Graphical visualization of the log files you’ve captured
  – The wave of the future – make it so that even your CIO can read it!

Page 26: Viewing logs generated from bro

• Screenshot: a copy of the /nsm/bro/logs/current/weird.log file
• Notice the “bad packets” section
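A parser for the Bro TSV log format, as an added example that is not from the deck or from Bro itself: it reads the #separator and #fields header lines so column names are not hard-coded, treats "-" as unset, and counts which weird names (such as bad checksums) and which originating hosts dominate a weird.log. The sample log lines are constructed; the script works the same on dns.log or any other file under /nsm/bro/logs.

```python
# Added example (not the deck's or Bro's own code): parse a Bro/Zeek TSV log
# such as /nsm/bro/logs/current/weird.log. Assumes the default ASCII writer
# ("#separator \x09", "#fields" header, "-" = unset); sample below is constructed.
import sys
from collections import Counter
SAMPLE_WEIRD_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tweird\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring\n"
    "1469900001.123456\tCabc1\t192.0.2.10\t51234\t198.51.100.5\t80\tbad_TCP_checksum\t-\tF\tbro\n"
    "1469900002.000001\tCabc2\t192.0.2.10\t51235\t198.51.100.5\t443\tbad_TCP_checksum\t-\tF\tbro\n"
    "1469900003.500000\t-\t192.0.2.77\t-\t-\t-\ttruncated_IP\t-\tF\tbro\n"
    "1469900004.250000\tCabc3\t192.0.2.10\t51236\t198.51.100.9\t80\tdata_before_established\t-\tF\tbro\n"
    "#close\t2016-07-30-12-00-00\n"
)

def parse_zeek_log(text):
    """Yield one dict per record, keyed by the column names from #fields."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator"):
            # The separator is written as an escape such as \x09; decode it.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #set_separator, #empty_field, #types, #path, #close
        elif fields is None:
            raise ValueError("data line before the #fields header")
        else:
            yield {k: (None if v == unset else v) for k, v in zip(fields, line.split(sep))}

def summarize_weird(text, top=5):
    """Return (most common weird names, most common originating hosts)."""
    names, hosts = Counter(), Counter()
    for rec in parse_zeek_log(text):
        names[rec["name"]] += 1
        if rec.get("id.orig_h"):  # unset ("-") for weirds not tied to a connection
            hosts[rec["id.orig_h"]] += 1
    return names.most_common(top), hosts.most_common(top)

if __name__ == "__main__":  # python weird_summary.py [/nsm/bro/logs/current/weird.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEIRD_LOG
    names, hosts = summarize_weird(text)
    print("weird names:", names, "\ntop originating hosts:", hosts)
```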

Page 27: Packet manipulation

• Scapy
• Ostinato
• PackETH

You’ll need to know your TCP/IP suite frontwards and backwards – IPv4 and IPv6, ARP/Datalink, UDP, TCP, all IP options

Page 28: Packets created by PackETH shown in Wireshark (screenshot)

Page 29: Packet manipulation and bro

Page 30: Scanning, vulnerability management, and SIEM

• OpenVAS
  – A working “fork” of Nessus
  – Fully open source
  – URL: www.openvas.org
• Considerations
  – Setting up the service
  – Too much information
  – Signature updates
  – Customization: interface choice, protocols/traffic types to analyze, network segments, regions

Page 31: Disk encryption on Linux – VeraCrypt

• Disk encryption (strong)
• Available for Mac, Linux, Windows
• Successor to TrueCrypt
• Independently audited
• Several different encryption algorithms available
• Viewable or hidden volumes
• GUI-based
• Many encryption key options

Page 32: Questions?

Page 33: Coming in December

Live from HQ… A new continuing education event for IT pros. Details/call for speakers coming soon.

Page 34: Up Next

12:00 Technology Vendor Fair Lunch and Exhibitor Raffles
2:15 Basic Malware Analysis Workshop
3:30 Enterprise Mobile Development
4:30 Wine Down Reception