CIS 290 LINUX Security Basic Network Security “Chroot Jail”

Page 2: Network services

• Determine open services:

netstat -tulpn
-OR-
nmap -sT -O localhost

• Disable unneeded services with chkconfig and/or remove the software.

• Use TCP_WRAPPERS (xinetd)

• Configure iptables

• Remove X Windows:

yum groupremove "X Window System"

• Set initdefault to runlevel 3

• No cleartext services (HTTP, TELNET, FTP, rcmd; see gov't requirements); use SSH, SSL and SFTP instead. Restrict NFS/CIFS to local networks only.

• Basic tools: ping, traceroute, netstat, nmap, netcat (nc), telnet
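The first step on this slide, finding the open services, is only useful if the result is compared with what the host is supposed to run. The script below is an added example (not part of the course slides): it reads `netstat -tulpn` output on stdin and reports every listener whose port is not in an allowlist. The sample netstat output and the allowlist of ports 22 and 25 are constructed for the example.

```shell
#!/bin/sh
# Added example: audit the listening sockets on a host against an allowlist of the
# services that are supposed to be there. Reads `netstat -tulpn` output on stdin.

# Constructed sample in the shape of `netstat -tulpn` output (not captured from a real
# host): sshd and a local-only MTA are expected; telnet via xinetd, an X server and
# rpcbind are not.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1203/xinetd
tcp6       0      0 :::6000                 :::*                    LISTEN      1340/X
udp        0      0 0.0.0.0:111             0.0.0.0:*                           655/rpcbind'

# Ports that are allowed to listen on this host (an assumed policy for the example).
ALLOWED_PORTS="22 25"

# unexpected_listeners: prints "proto local-address program" for every tcp/udp
# listener whose port is not in ALLOWED_PORTS. Returns 1 if any were found, else 0.
unexpected_listeners() {
    awk -v allow="$ALLOWED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Data lines start with tcp, tcp6, udp or udp6; header lines do not.
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            port = addr
            sub(/.*:/, "", port)            # keep only what follows the last colon
            if (!(port in ok)) { print $1, addr, $NF; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Usage on a live host: netstat -tulpn | unexpected_listeners
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners || echo "review the listeners above"
```

Run from cron, the non-zero exit status is enough to raise an alert; the printed lines (here telnet, X11 and rpcbind) are the candidates for chkconfig, package removal or an iptables rule.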

Page 3: Chroot jail

• Isolate a user process within a "virtual" root file system.

• Similar to web “virtual document root” or vsftpd “chroot_local_user=YES”.

• As root: chroot <directory path> <command>

• The trick is to automate the process for user login, file transfer (sftp) or specific applications.

• Most daemon processes have their own “chroot” methodology.

• Not as secure or as isolating as Linux containers or Solaris zones (CIS 228) for specific application environments.
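The slide says the trick is to automate the jail set-up; the script below is an added example of that automation (it is not from the course materials). `build_jail` copies one command and the shared libraries `ldd` reports for it into a jail directory at their original paths, and `jail_check` refuses a jail that contains setuid or setgid executables, since root inside a chroot is not confined by it. It assumes a Linux host with `ldd`; the jail path `/srv/jail` in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example: automate the set-up of a chroot jail for one command and check the
# result before `chroot JAIL CMD` is run as root. Assumes a Linux host with ldd.

# copy_into_jail JAIL /abs/path: copy one file into the jail at the same path,
# following symlinks so the copy is a real file (a symlink would dangle inside the jail).
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")"
    cat "$2" > "$1$2" && chmod 755 "$1$2"
}

# build_jail JAIL CMD: create the skeleton, then copy CMD and every shared library it
# links against. ldd runs the dynamic loader on the binary, so only use it on binaries
# you trust; for unknown files inspect them with objdump -p instead.
build_jail() {
    jail=$1
    bin=$(command -v "$2") || { echo "no such command: $2" >&2; return 1; }
    case $bin in /*) ;; *) echo "not an external command: $2" >&2; return 1 ;; esac
    mkdir -p "$jail/bin" "$jail/lib" "$jail/etc" "$jail/dev"
    copy_into_jail "$jail" "$bin"
    if command -v ldd >/dev/null 2>&1; then
        # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or
        # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep the absolute paths only.
        ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            [ -f "$lib" ] && copy_into_jail "$jail" "$lib"
        done
    fi
    # A minimal passwd so that uid 0 resolves to a name inside the jail.
    [ -e "$jail/etc/passwd" ] || echo 'root:x:0:0:root:/:/bin/sh' > "$jail/etc/passwd"
}

# jail_check JAIL: root inside a chroot is not confined by it, so a setuid or setgid
# executable must never be copied in. Lists any found and returns 1; otherwise 0.
jail_check() {
    bad=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    [ -z "$bad" ] || { printf 'setuid/setgid files in jail:\n%s\n' "$bad"; return 1; }
    return 0
}

# Usage (placeholder path): ./jail.sh /srv/jail ls && chroot /srv/jail /bin/ls /
if [ $# -ge 2 ]; then
    build_jail "$1" "$2" && jail_check "$1"
fi
```

The jail holds only what the one command needs: no shell, no setuid binaries, no device nodes beyond the empty `/dev`. Re-run `jail_check` after every change to the jail's contents, because a file added later (a copied `/bin/su`, for instance) silently removes the isolation the slide describes.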

Page 4: Google Hacking

• We can use a standard Google search to find interesting pages such as indexes:
  - "index of /etc"
  - "index of /etc" passwd
  - "index of /etc" shadow

• Google allows us to do more than simple searching by using advanced operators.

• E.g.:
  - filetype:
  - inanchor:
  - intext:
  - intitle:
  - inurl:
  - site:

Page 5: Using Advanced Operators

• We can now search in the Title field for indexed pages:

intitle:index.of./etc passwd
intitle:index.of./etc shadow

• We can use the filetype: operator:

password filetype:xls
filetype:config web.config -CVS
filetype:mdb users.mdb

• Combining operators:

filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To"
"# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users)
"# -FrontPage-" inurl:service.pwd
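The "index of /etc" and intitle:index.of searches on pages 4 and 5 work because a web server has been left with automatic directory listings enabled. From the administrator's side the question is whether one's own Apache httpd configuration allows that. The script below is an added example (not from the course slides) that reads an httpd configuration on stdin and reports every Options directive that turns indexing on; the two configuration fragments are constructed, the first with the weak setting and the second with the corrected one.

```shell
#!/bin/sh
# Added example: find Apache httpd Options directives that allow automatic directory
# listings (the "Index of /" pages that intitle:index.of searches locate). Reads an
# httpd configuration on stdin.

# Constructed configuration fragments (not from a real server). The first enables
# listings; the second is the corrected form.
WEAK_CONF='<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>'

FIXED_CONF='<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>'

# indexes_enabled: prints "line: text" for each Options directive that switches
# indexing on (Indexes, +Indexes, All or +All; -Indexes is fine). Directive and option
# names are case-insensitive in httpd, so they are lowered before comparison.
# Returns 1 if any were found, else 0.
indexes_enabled() {
    awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all" || o == "+all") {
                    print NR ": " $0
                    found = 1
                    break
                }
            }
        }
        END { exit found ? 1 : 0 }'
}

# Usage on a real host (paths vary by distribution):
#   cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf | indexes_enabled
# Demonstration on the constructed fragments:
echo "weak:";  printf '%s\n' "$WEAK_CONF"  | indexes_enabled || echo "directory listings enabled"
echo "fixed:"; printf '%s\n' "$FIXED_CONF" | indexes_enabled && echo "no directory listings"
```

Two caveats for real configurations: a `.htaccess` file can re-enable Indexes wherever `AllowOverride Options` (or `All`) is in effect, so check those too, and a directory that lacks an index file still needs `-Indexes` even when the server-wide default looks safe.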

Page 6: Google Hacking Database (GHDB)

• Thousands of search URLs

• Javascript: entries are very powerful

• Enter Wikto – Web Server Assessment Tool
  - Back-end Miner
  - Nikto-like functionality
  - Googler file searcher
  - GoogleHacks GHDB tester