Course 6 - Security Elements - Automatic Control and ... courses: andrei.clubcisco.ro/cursuri/f/f-sym/5master/sric-gsr/curs-06.pdf


Course 6: Security Elements

Network Services Management (Gestiunea Serviciilor de Rețea, GSR)

10 November 2011

GSR Curs 6, Elemente de securitate 1/39

Motto

There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.

Bruce Schneier

Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.

Bruce Schneier Facts

Outline

- SSH. iptables
- GPG
- SSL/TLS. OpenSSL
- TCP Wrapper
- PAM
- Keywords
- Questions

Prerequisites

- "The RL book" ("Cartea de RL"): http://books.google.com/books?id=GdF_3ttxnRIC
  - Chapter 6 – Security and monitoring

Reading

- "Unix and Linux System Administration"
  - Chapter 22 – Security
- "Professional Linux System Administration"
  - Chapter 6 – Networking and Firewalls
  - Chapter 9 – Infrastructure Services: NTP, DNS, DHCP, and SSH
    - Section "Secure Shell"


Remote access

- telnet
- rsh
- FreeNX
- RDP
- SSH

SSH

- ssh, scp, sshd, ssh-keygen, ssh-agent, ssh-add
- public key authentication
  - ~/.ssh/authorized_keys
  - ~/.ssh/id_rsa.pub
  - /etc/ssh/*
- /etc/init.d/ssh

ssh-agent

- authentication agent
  - holds private keys (identities)
- lets you type the passphrase only once
- runs as a daemon
- interaction through the ssh-add command
  - for the command line:
    - ssh-agent bash ; starts a new shell
    - eval $(ssh-agent) ; in the current shell

Tunnelling. Proxy

- ssh -N -L 8080:swarm.cs.pub.ro:80 -l razvan anaconda.cs.pub.ro
  - -N – no command is executed (forwarding only)
  - the connection is secured up to anaconda.cs.pub.ro
  - unsecured between anaconda.cs.pub.ro and swarm.cs.pub.ro
- ssh -N -R 2222:localhost:22 -l razvan anaconda.cs.pub.ro
  - connections to port 2222 on anaconda.cs.pub.ro reach port 22 of the local system
  - useful if we have no public IP address (we are behind NAT)
- ssh -N -R 8080:localhost:80 -l razvan anaconda.cs.pub.ro
  - secured access to the web server between anaconda.cs.pub.ro and the local workstation
- ssh -D 8080 -l razvan anaconda.cs.pub.ro
  - everything is proxied through anaconda.cs.pub.ro (no more limitations :-P)

SSH server

- /etc/init.d/ssh start|stop|restart|reload
- /etc/ssh/sshd_config
  - Port 22
  - HostKey /etc/ssh/ssh_host_rsa_key
  - SyslogFacility AUTH
  - LogLevel INFO
    - logging goes to /var/log/auth.log
  - PubkeyAuthentication yes
  - PasswordAuthentication no
  - AllowUsers / DenyUsers
  - PermitRootLogin
- man sshd_config

Filtering and firewalling

- packet filters
- stateful filters
- Cisco PIX
- iptables, PF
- application layer

iptables

- userspace interface for controlling the tables provided by the netfilter module
  - filter
  - nat
  - mangle
- ip6tables for IPv6
- works with tables
  - each table uses chains
    - built-in chains (INPUT, OUTPUT, FORWARD)
    - user-defined chains
    - the previous version was called ipchains
  - chains contain rules (filtering, address translation, mangling)

iptables chains

(diagram of the iptables chains; image not included)

Rule persistence

- rules are entered on the command line
- no single tool has established itself for automating rule generation
- how are the rules kept?

  # iptables-save > /etc/network/iptables.rules
  # cat /etc/network/if-up.d/iptables
  #!/bin/bash
  iptables-restore < /etc/network/iptables.rules
  exit 0


GPG

- GNU Privacy Guard
- alternative to PGP (Pretty Good Privacy)
- suite of cryptographic software
- digital signatures, asymmetric encryption
- command line
- GUI: Enigmail, Seahorse, KGPG

Terminology

- public key and secret key
- keyring – a set of public or private keys (secring, pubring)
- digital signature – the secret key signs, the public key verifies
- digital encryption – the public key encrypts, the private key decrypts
- ASCII armor – binary-to-text encoding
- fingerprint – a shorter identifier of a public key (a hash)
- user id / recipient – the owner of the key (private or public)

GPG operations

- generating keys
- editing keys
- deleting keys
- listing keys
- exporting keys
- importing keys

GPG operations (3)

- encryption (using the public key)
- decryption (using the private key)
- signing (using the private key)
- verification (using the public key)


Transport Layer Security

- TLS, the successor of SSL (Secure Sockets Layer)
- cryptographic protocols
- encrypts the segments at the application layer
- SSL 3.0 (1996), TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008)
- OpenSSL, GnuTLS, NSS (Network Security Services)

openssl

- cryptographic toolkit
- SSL/TLS
- OpenSSL crypto library
  - openssl – command line utility
    - generating public/private keys
    - operations with public keys
    - working with X.509 certificates

Terminology

- digital certificate (X.509): public key, identity + digital signature
- certificate authority (CA)
- self-signed certificate
- certificate chain
- CSR – Certificate Signing Request
- DER format – Distinguished Encoding Rules
- PEM format (Privacy Enhanced Mail – the name is unrelated to e-mail)

Using openssl

- openssl <command> [<command_opts>] [<command_args>]
- commands
  - genrsa – create an RSA private key
  - req – create and process a CSR
  - x509 – obtain, process, edit and display information about certificates
  - verify – verify a certificate chain
  - s_client – generic SSL/TLS client
- man genrsa, man req, man x509

openssl – obtaining certificates

- create a private key
- create a CSR (Certificate Signing Request)
- contact a CA to have it signed (for example CACert.org)
- obtain a self-signed certificate
- sign a CSR (done by a CA – Certification Authority)

Inspecting certificates and checking that things work

- openssl rsa -noout -text -in www.gogu.com.key
- openssl req -noout -text -in www.gogu.com.csr
- openssl x509 -noout -text -in www.gogu.com.crt
- openssl s_client -connect swarm.cs.pub.ro:443


TCP Wrapper

- host-based networking ACL system
- libwrap
  - /etc/hosts.allow, /etc/hosts.deny
    - sshd: swarm.cs.pub.ro
    - sshd: 1.2.3.4
    - sshd: 192.168.4. (yes, this is correct – equivalent to 192.168.4.0/24)
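To show how the three client patterns on this slide are matched, here is an added Python example (not from the course, and not libwrap's code) that evaluates hosts.allow and then hosts.deny in the order libwrap consults them. The file contents are constructed; the ALL/netmask line and the ".domain" suffix form go beyond the slide but follow hosts_access(5).

```python
import ipaddress

# Constructed contents of the two TCP Wrapper files (not from any real host);
# the three sshd lines are the slide's, the ALL line is an added net/mask form.
HOSTS_ALLOW = """
sshd: swarm.cs.pub.ro
sshd: 1.2.3.4
sshd: 192.168.4.
ALL: 10.0.0.0/255.255.0.0
"""
HOSTS_DENY = "sshd: ALL\n"

def parse_rules(text):
    """Return (daemon list, client list) per line; '#' comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip, hostname):
    """Client pattern forms of hosts_access(5) that the slide relies on."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):           # "192.168.4." is a prefix of the numeric address,
        return ip.startswith(pattern)   # so it covers 192.168.4.0/24 but not 192.168.40.x
    if pattern.startswith("."):         # ".cs.pub.ro" is a suffix of the host name
        return hostname.endswith(pattern)
    if "/" in pattern:                  # net/mask, e.g. 10.0.0.0/255.255.0.0
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (ip, hostname)    # exact address or exact host name

def access_allowed(daemon, ip, hostname):
    """hosts.allow is searched first, then hosts.deny; no match in either means allow."""
    for text, verdict in ((HOSTS_ALLOW, True), (HOSTS_DENY, False)):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and \
                    any(client_matches(c, ip, hostname) for c in clients):
                return verdict
    return True
```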

DenyHosts

- log-based intrusion prevention for SSH servers
- monitors the authentication logs (/var/log/auth.log)
- /etc/denyhosts.conf
- acts on accesses above a given threshold
- runs as a daemon or as a cron task

Fail2ban

- intrusion prevention framework
- blocks using iptables or TCP Wrapper
- monitors the logs to check whether several invalid actions are performed within a given interval
- Apache, Lighttpd, sshd, vsftpd etc.
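The DenyHosts and Fail2ban slides above both describe the same core logic: count failed sshd logins per client in /var/log/auth.log and block the client once a threshold is crossed within an interval. Here is an added Python example of that logic (not the code of either tool); the log excerpt is constructed, and the maxretry/findtime names are borrowed from fail2ban's configuration vocabulary.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/auth.log excerpt (syslog facility AUTH, sshd at LogLevel INFO).
SAMPLE_LOG = """\
Nov 10 10:00:01 anaconda sshd[2101]: Failed password for invalid user admin from 10.0.0.7 port 51234 ssh2
Nov 10 10:00:03 anaconda sshd[2102]: Failed password for root from 10.0.0.7 port 51235 ssh2
Nov 10 10:00:04 anaconda sshd[2103]: Accepted publickey for razvan from 192.168.4.10 port 50022 ssh2
Nov 10 10:00:05 anaconda sshd[2104]: Failed password for invalid user test from 10.0.0.7 port 51236 ssh2
Nov 10 10:00:09 anaconda sshd[2105]: Failed password for root from 10.0.0.7 port 51237 ssh2
Nov 10 10:01:00 anaconda sshd[2106]: Failed password for root from 10.0.0.9 port 40001 ssh2
Nov 10 10:30:00 anaconda sshd[2107]: Failed password for root from 10.0.0.9 port 40002 ssh2
Nov 10 10:31:00 anaconda sshd[2108]: Failed password for root from 10.0.0.9 port 40003 ssh2
"""

# Syslog timestamp, then the sshd "Failed password" message, capturing the client address.
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def find_offenders(log_text, maxretry=3, findtime=600, year=2011):
    """Return {ip: time of the failure that crossed the threshold} for every client
    with at least maxretry failed logins inside a sliding window of findtime seconds."""
    recent = defaultdict(deque)          # per-IP failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                     # "Accepted ..." and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()                  # forget failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

def ban_actions(banned):
    """The two blocking back-ends the slide names: a hosts.deny entry and an iptables rule."""
    return {ip: (f"sshd: {ip}", f"iptables -I INPUT -s {ip} -j DROP") for ip in banned}
```

With the defaults, 10.0.0.7 is flagged at its third failure (10:00:05) while 10.0.0.9 is not, because its three failures are spread over 30 minutes.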


PAM – Pluggable Authentication Modules

- integrates authentication schemes behind a single API
- programs such as login can use various forms of authentication
- Linux-PAM
  - management groups
    - account – account verification services
    - authentication – authenticating users and setting up credentials
    - password – updating the authentication mechanisms
    - session – tasks to perform before or after a given service

Linux-PAM

- libpam-modules
  - /lib/security/pam_*; others can be installed as well
  - /etc/pam.conf, /etc/pam.d/*
  - man pam_*
- every service that uses PAM has an entry in /etc/pam.d/
  - /etc/pam.d/sshd
  - /etc/pam.d/cron
- management groups
  - /etc/pam.d/common-account
  - /etc/pam.d/common-auth
  - /etc/pam.d/common-password
  - /etc/pam.d/common-session

Configuration examples

- account
  - account required pam_ldap.so
- auth
  - auth required pam_ldap.so use_first_pass
- password
  - password required pam_cracklib.so retry=3 minlen=6 difok=3
- session
  - session required pam_mkhomedir.so skel=/etc/skel umask=0022
  - session required pam_limits.so
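The lines above form a PAM stack, and what "required" means only becomes clear when the stack is walked. Here is an added Python simulation (not part of the course or of Linux-PAM) of how one management group is evaluated under the required/requisite/sufficient control flags, using the slide's lines plus an assumed `auth sufficient pam_unix.so` line so that use_first_pass has a predecessor; module outcomes are supplied as a dictionary instead of real modules.

```python
# Constructed /etc/pam.d/<service> stack: the slide's four examples plus one
# "auth sufficient pam_unix.so" line added here (an assumption, not on the slide).
PAM_STACK = """
account  required   pam_ldap.so
auth     sufficient pam_unix.so
auth     required   pam_ldap.so use_first_pass
password required   pam_cracklib.so retry=3 minlen=6 difok=3
session  required   pam_mkhomedir.so skel=/etc/skel umask=0022
session  required   pam_limits.so
"""

def parse_pam(text):
    """Each line is: management-group control module [arg ...]; comments/blanks skipped.
    Bracketed controls such as [success=1 default=ignore] are not handled here."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            group, control, module, *args = line.split()
            entries.append((group, control, module, args))
    return entries

def run_stack(entries, group, results):
    """Walk one management group with Linux-PAM's simple control flags.
    results maps module name -> True (success) / False (failure).
    Returns (verdict, modules actually executed) so short-circuits are visible."""
    executed, failed = [], False
    for g, control, module, _args in entries:
        if g != group:
            continue
        ok = results.get(module, False)
        executed.append(module)
        if control == "required" and not ok:
            failed = True               # remember the failure, but keep running the stack
        elif control == "requisite" and not ok:
            return False, executed      # fail immediately, later modules never run
        elif control == "sufficient" and ok and not failed:
            return True, executed       # enough, unless an earlier required already failed
        # "optional" only decides when it is the sole module in the group (not modelled)
    if not executed:
        return False, executed          # nothing configured for this group: deny (simplification)
    return not failed, executed
```

Note that a failing "required" module still lets the rest of the stack run, which is what keeps an attacker from learning which module rejected the attempt.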


Keywords

- SSH
- ssh-agent
- sshd
- iptables
- iptables-save, iptables-restore
- GPG
- keyring
- ASCII armor
- encryption, decryption
- signing, verification
- TLS/SSL
- OpenSSL
- digital certificate
- CSR
- X.509
- CA
- openssl
- TCP Wrapper
- DenyHosts
- Fail2ban
- PAM

Useful resources

- http://en.wikipedia.org/wiki/Transport_Layer_Security
- http://www.gnu.org/software/gnutls/comparison.html
- http://www.kernel.org/pub/linux/libs/pam/
