Linux Network Security

From Colwiki.org

Revision as of 20:37, 4 July 2009 by Pwest (Talk | contribs)


Outcomes

Upon completion of this module you will be able to:
  • Perform security administration tasks
  • Set up host security and configure security environment files
  • Set up user-level security
  • Minimize and harden a Linux server
  • Set up a stateful iptables firewall
  • Install and configure an intrusion detection system (Snort and PortSentry)
  • Use the security tools SSH, lsof, netstat, tcpdump and nmap



Terminologies

  1. Firewall: A method of protecting the files and programs on one network from users on another network. A firewall blocks unwanted access to a protected network, while giving the protected network access to networks outside of the firewall.
  2. BIOS: The Basic Input/Output System (BIOS), also known as the System BIOS, is a de facto standard defining a firmware interface. The BIOS is boot firmware, designed to be the first code run by a PC when powered on. The initial function of the BIOS is to identify, test, and initialize system devices such as the video display card, hard disk, and floppy disk and other hardware. This is to prepare the machine into a known state, so that software stored on compatible media can be loaded, executed, and given control of the PC. This process is known as booting, or booting up, which is short for bootstrapping.



Host Security

System security is always a trade-off between convenience and features on the one hand and protectiveness and removing unnecessary risks on the other. As the cliché goes, security is inversely proportional to convenience: the easier a system is to use, the less secure it is likely to be. Here we turn our attention to the "secure if inconvenient" end of the spectrum. Linux security requires securing both the host and the network perimeter. Securing the host is done through hardening. You may take the following steps to harden your Linux box:

  1. BIOS and Boot Loader Security: Password protection for the BIOS and the boot loader can prevent unauthorized users who have physical access to your systems from booting from removable media or attaining root through single user mode. The security measures one should take to protect against such attacks depend both on the sensitivity of the information the workstation holds and on the location of the machine. Prevent changes to BIOS settings: if an intruder has access to the BIOS, they can set it to boot off a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to seed nefarious programs on the system or copy sensitive data.
  2. Administrative Controls: enforce strong passwords. In particular:
  • Do Not Use Only Words or Numbers — You should never use only numbers or words in a password.
  • Do Not Use Recognizable Words — Words such as proper names, dictionary words, or even terms from television shows or novels should be avoided, even if they are bookended with numbers.
  • Do Not Use Words in Foreign Languages — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is of little use.
  • Do Not Use Hacker Terminology — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak.
  • Do Not Use Personal Information — Steer clear of personal information. If the attacker knows who you are, they will have an easier time figuring out your password if it includes your personal information.
  • Do Not Invert Recognizable Words — Good password checkers always reverse common words, so inverting a bad password does not make it any more secure.

Password Protecting GRUB

You can configure GRUB to require a password before its editor or command prompt can be used. To do this, first decide on a password, then open a shell prompt, log in as root, and type:

/sbin/grub-md5-crypt

When prompted, type the GRUB password and press [Enter]. This will return an MD5 hash of the password. Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and below the timeout line in the main section of the document, add the following line:

password --md5 <password-hash>

Replace <password-hash> with the value returned by /sbin/grub-md5-crypt. The next time you boot the system, the GRUB menu will not let you access the editor or command interface without first pressing [p] followed by the GRUB password.

Unfortunately, this solution does not prevent an attacker from booting into a non-secure operating system in a dual-boot environment. For this you need to edit a different part of the /boot/grub/grub.conf file. Look for the title line of the non-secure operating system and add a line that says lock directly beneath it.

For a DOS system, the stanza should begin similar to the following:

title DOS
lock

You must have a password line in the main section of the /boot/grub/grub.conf file for this to work properly. Otherwise an attacker will be able to access the GRUB editor interface and remove the lock line. If you wish to have a different password for a particular kernel or operating system, add a lock line to the stanza followed by a password line. Each stanza you protect with a unique password should begin with lines similar to the following example:

title DOS
lock
password --md5 <password-hash>
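As an added worked example (not code from the original page), the following Python function applies the two edits described above to a constructed legacy grub.conf: it inserts the global password line directly below the timeout line and a lock line directly below a chosen title, and a second function checks the result. The hash value is a placeholder for the output of /sbin/grub-md5-crypt.

```python
import re

# Constructed sample of a legacy /boot/grub/grub.conf with a Linux stanza
# and a non-secure DOS stanza, as in the text above.
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
title Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/hda2
        initrd /initrd.img
title DOS
        rootnoverify (hd0,1)
        chainloader +1
"""

# Placeholder standing in for the hash printed by /sbin/grub-md5-crypt.
PASSWORD_HASH = "$1$PLACEHOLDER$replace.with.grub-md5-crypt.output"

def protect_grub_conf(text, md5_hash, lock_titles=()):
    """Insert 'password --md5 <hash>' directly below the timeout line and a
    'lock' line directly below the title line of each stanza in lock_titles.
    Refuses to lock stanzas when no timeout line exists, since without the
    global password line the lock could simply be removed in the GRUB editor."""
    out, timeout_seen = [], False
    for line in text.splitlines():
        out.append(line)
        if not timeout_seen and re.match(r"\s*timeout\s*=?\s*\d+", line):
            out.append("password --md5 " + md5_hash)
            timeout_seen = True
        m = re.match(r"\s*title\s+(.*\S)\s*$", line)
        if m and m.group(1) in lock_titles:
            out.append("lock")
    if lock_titles and not timeout_seen:
        raise ValueError("no timeout line: global password line not inserted")
    return "\n".join(out) + "\n"

def is_protected(text, title):
    """True if the main section (before the first title) has a password line
    and the stanza `title` has a 'lock' line immediately below its title."""
    lines = text.splitlines()
    first_title = next((i for i, l in enumerate(lines)
                        if l.lstrip().startswith("title")), len(lines))
    has_password = any(l.strip().startswith("password --md5 ")
                       for l in lines[:first_title])
    for i, line in enumerate(lines[:-1]):
        if re.match(r"\s*title\s+" + re.escape(title) + r"\s*$", line):
            return has_password and lines[i + 1].strip() == "lock"
    return False
```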

Password aging is another technique used by system administrators to defend against bad passwords within an organization. Password aging means that after a set amount of time (usually 90 days) the user is prompted to create a new password. The theory behind this is that if a user is forced to change his password periodically, a cracked password is only useful to an intruder for a limited amount of time. The downside to password aging, however, is that users are more likely to write their passwords down. The -M option of the chage command specifies the maximum number of days the password is valid. So, for instance, if you want a user's password to expire in 90 days, type the following command:

chage -M 90 <username>

In the above command, replace <username> with the name of the user. If you do not want the password to expire, it is traditional to use a value of 99999 after the -M option (this equates to a little over 273 years).

Disable root login over SSH. SSH brute force password attacks are arguably the biggest threat to Linux systems. There are tons of SSH brute force attacks running these days, and all of your public-facing servers should have the SSH port firewalled. If they absolutely must be accessible from the outside, consider setting up the firewall to restrict that outside access to the specific addresses you need, or provide access over a VPN.

Disable VNC administration. Run VNC over an SSH tunnel, or use NX instead. VNC is unencrypted, so any passwords you type are sent over the wire in clear text.


Perimeter Security

Perimeter security is a primary consideration in any decision to host a website, as threats are becoming more widespread and persistent every day. One means of providing additional protection is a firewall. There are two firewall packages in Linux:

  1. iptables
  2. ipchains

Both are discussed here. Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization created a new product called iptables, giving it such improvements as:

  • Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
  • Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
  • Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks regardless of their IP addresses.
  • System logging that provides the option of adjusting the level of detail of the reporting.
  • Better network address translation.
  • Support for transparent integration with such Web proxy programs as Squid.
  • A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.

Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under many Linux distributions. iptables can be installed with the package manager available in your distribution.

You can start, stop, and restart iptables after booting by using the commands:

[root@linux]# service iptables start
[root@linux]# service iptables stop
[root@linux]# service iptables restart

To get iptables configured to start at boot, use the chkconfig command:

[root@linux]# chkconfig iptables on

You can determine whether iptables is running via the service iptables status command. For example:

[root@linux]# service iptables status
Firewall is stopped.
[root@linux]#

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain. There are three tables in total. The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the:

  • Forward chain: Filters packets to servers protected by the firewall.
  • Input chain: Filters packets destined for the firewall.
  • Output chain: Filters packets originating from the firewall.

The third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are:

  • Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
  • Post-routing chain: NATs packets when the source address of the packet needs to be changed.

The chart below summarises this.

Image:Fwtargets.png

Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. The table below lists the built-in targets that iptables uses.

Image:Fwswitches.png


Each line of an iptables script not only has a jump, but also a number of command-line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to clear a chain so you can start all over again. The table below lists the most common options.

Image:Fwswitches.png

The command switches are illustrated in the following example.

Image:Fwswitches2.png

In this example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
        --sport 1024:65535 --dport 80 -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).

You can configure iptables to have user-defined chains. This feature is frequently used to help streamline the processing of packets. For example, instead of using a single, built-in chain for all protocols, you can use the chain to determine the protocol type for the packet and then hand off the actual final processing to a user-defined, protocol-specific chain in the filter table. In other words, you can replace a long chain with a stubby main chain pointing to multiple stubby chains, thereby shortening the total length of all chains the packet has to pass through. For example:

iptables -A INPUT -i eth0  -d 206.229.110.2 -j fast-input-queue
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
iptables -A fast-input-queue  -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out
iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
        -m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT

Here six chains (queues) together improve processing speed:

Chain              Description
INPUT              The regular built-in INPUT chain in iptables
OUTPUT             The regular built-in OUTPUT chain in iptables
fast-input-queue   Input chain dedicated to identifying specific protocols and shunting the packets to protocol-specific chains
fast-output-queue  Output chain dedicated to identifying specific protocols and shunting the packets to protocol-specific chains
icmp-queue-out     Output queue dedicated to ICMP
icmp-queue-in      Input queue dedicated to ICMP

The service iptables save command permanently saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration. The initialization of built-in chains is automatic and the string "iptables" is omitted from the rule statements. Here is a sample /etc/sysconfig/iptables configuration that allows ICMP, IPSec (ESP and AH packets), already established connections, and inbound SSH.

[root@linux]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Mon Jun 8 11:00:07 2009 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@linux]#
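Added example (not from the original page): a small Python audit of an iptables-save style file like the one above. It resolves jumps into user-defined chains to list the TCP ports on which NEW connections are accepted, and checks whether a built-in chain actually ends in a REJECT or DROP rather than falling through to an ACCEPT policy. The rule set is a constructed sample in the same format.

```python
import re

# Constructed iptables-save style rule set (filter table only), in the format
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_save(text):
    """Map chain -> default policy ('-' if user-defined) and chain -> '-A' rules."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                 # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules

def target(rule):
    m = re.search(r"-j\s+(\S+)", rule)
    return m.group(1) if m else None

def new_tcp_ports(rules, chain, seen=frozenset()):
    """TCP destination ports on which NEW connections are accepted, following
    jumps into user-defined chains (the stub-chain pattern described above)."""
    ports, seen = set(), seen | {chain}
    for rule in rules.get(chain, []):
        tgt, m = target(rule), re.search(r"--dport\s+(\d+)", rule)
        if tgt == "ACCEPT" and "-p tcp" in rule and "NEW" in rule and m:
            ports.add(int(m.group(1)))
        elif tgt in rules and tgt not in seen:   # jump to a user-defined chain
            ports |= new_tcp_ports(rules, tgt, seen)
    return ports

def chain_is_closed(policies, rules, chain):
    """True if a packet matching no ACCEPT rule is dropped or rejected (DROP
    policy, or a terminal DROP/REJECT, possibly reached through a jump)."""
    if policies.get(chain) == "DROP":
        return True
    last = rules.get(chain, [])[-1:]
    tgt = target(last[0]) if last else None
    return tgt in ("DROP", "REJECT") or (
        tgt in rules and chain_is_closed(policies, rules, tgt))
```

The OUTPUT chain in the sample, like the one in the configuration above, has no rules and an ACCEPT policy, so the audit reports it as open.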

Linux Security Tools

SSH

sshd_config overview

Port 22                 Specify which port to listen on. Multiple "Port" options can be used.
Protocol 2,1            Specify version 1 or version 2. Can be a comma-separated list. If both are supplied, they are tried in the order presented.
DenyUsers [USER]@HOST   Deny users from a specific host. Wildcards such as * can be used.
PermitRootLogin yes/no  Allow or disallow root access.
X11Forwarding yes/no    Instructs the remote end to route X11 traffic back through the ssh tunnel to the user's X session. Unless disabled, the xauth settings will be transferred in order to properly authenticate remote X applications.


LSOF

lsof - show open files used by processes

Traditionally used to list the processes (by PID) that have files open under a given directory:

lsof +D DIRECTORY

lsof will output the following information:

COMMAND:  name of the command (process)
PID:      process ID
USER:     name of the user to whom the process belongs
FD:       file descriptor (e.g. u = read/write, r = read, w = write)
TYPE:     the file type (e.g. REG = regular file)
DEVICE:   major/minor number (e.g. 3,16 = /dev/hda16)
SIZE:     size or offset of the file
NODE:     inode of the file
NAME:     the name of the file

lsof can also be used to display network sockets. For example, the following line will list all internet connections:

lsof -i

You can also list connections to a single host:

lsof -i @HOST

For example if a host TOFFY is connected to your localhost on port 1234, the following would display information about the connection:

lsof -i @TOFFY:1234


NETSTAT

netstat - Print network connections, routing tables, ...

Main options are:

-r       display routing tables
-l       only listening services
-C       display route cache
--inet   restrict to network sockets

NMAP

nmap - Network exploration tool and security scanner

The scanner makes use of the fact that a closed port should (according to RFC 793) send back an RST. In the case of a SYN scan, connections that are half-open are immediately closed by nmap, which sends an RST itself.


Scan Types

SYN or Half-open: -sS Nmap sends a synchronisation packet (SYN) asking for a connection. If the remote host sends an RST/ACK, it is assumed that the port is closed. If the remote host sends a SYN/ACK, this indicates that the port is listening.

UDP: -sU UDP is connectionless, so there is no 3-way handshake as with TCP. If a port is closed the server sends back an ICMP PORT UNREACHABLE. One then deduces that all the other ports are open (not reliable in the case where ICMP messages are blocked).

TCP NULL: -sN TCP packet with no flags set. A closed port sends an RST when receiving this packet (except on MS Windows).

TCP Xmas: -sX TCP packet with the FIN+URG+PUSH flags set. The remote host should send back an RST for all closed ports when receiving an Xmas packet.
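Added example, not part of the original page: detection logic, written from the defender's side, that applies the SYN/ACK and RST/ACK semantics just described to a constructed packet log and flags sources whose behaviour matches a half-open scan (many ports probed on one host, RST/ACK answers received, no handshake completed). The records, addresses and the port threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed packet records (src, dst, dport, TCP flags) in the form a
# sniffer would show them; 192.0.2.x and 198.51.100.x are documentation
# addresses, not real hosts.
PACKETS = [
    ("192.0.2.10", "198.51.100.5", 22, "S"),    # probe of port 22
    ("198.51.100.5", "192.0.2.10", 22, "SA"),   # SYN/ACK: port is listening
    ("192.0.2.10", "198.51.100.5", 22, "R"),    # prober tears it down at once
    ("192.0.2.10", "198.51.100.5", 23, "S"),
    ("198.51.100.5", "192.0.2.10", 23, "RA"),   # RST/ACK: port closed (RFC 793)
    ("192.0.2.10", "198.51.100.5", 25, "S"),
    ("198.51.100.5", "192.0.2.10", 25, "RA"),
    ("192.0.2.10", "198.51.100.5", 80, "S"),
    ("198.51.100.5", "192.0.2.10", 80, "SA"),
    ("192.0.2.10", "198.51.100.5", 80, "R"),
    ("192.0.2.10", "198.51.100.5", 443, "S"),
    ("198.51.100.5", "192.0.2.10", 443, "RA"),
    ("192.0.2.44", "198.51.100.5", 80, "S"),    # ordinary client
    ("198.51.100.5", "192.0.2.44", 80, "SA"),
    ("192.0.2.44", "198.51.100.5", 80, "A"),    # completes the 3-way handshake
]

def syn_activity(packets):
    """Per source address: (dst, port) pairs it sent a bare SYN to, RST/ACK
    answers it received (closed ports) and handshakes it completed with an
    ACK, i.e. connections that were not left half-open."""
    stats = defaultdict(lambda: {"probed": set(), "closed": 0, "completed": 0})
    for src, dst, dport, flags in packets:
        if flags == "S":
            stats[src]["probed"].add((dst, dport))
        elif flags == "RA":
            stats[dst]["closed"] += 1
        elif flags == "A" and (dst, dport) in stats[src]["probed"]:
            stats[src]["completed"] += 1
    return stats

def likely_syn_scanners(packets, min_ports=4):
    """Sources that sent SYNs to at least min_ports distinct ports on one
    host, were told some are closed, and never completed a handshake."""
    hits = []
    for src, s in syn_activity(packets).items():
        per_host = defaultdict(int)
        for dst, _ in s["probed"]:
            per_host[dst] += 1
        if (max(per_host.values(), default=0) >= min_ports
                and s["closed"] > 0 and s["completed"] == 0):
            hits.append(src)
    return sorted(hits)
```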


Reading

From the SuSE Linux Enterprise Server (Installation and Administration Document) read Pg 819 – 843 on Firewall Implementation on SUSE Linux



Summary

In this module you learned about the Linux firewalls and other security measures that you can take on a Linux based system. Configuring a Linux system by hand can be tedious, so I would ask you to use the Webmin Linux Firewall interface to configure your firewall.



Assignment

Use the Webmin interface installed in a previous exercise to configure your Linux firewall.


This work is licensed under a Creative Commons Attribution-Share Alike License.
