Page 1: Admin+ Sesssion5 Apr11

UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION

(SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE)

A.Davous, 01/02/2009 Unix Security Advanced Admin 1

Page 2

FOREWORD

“No absolute security as long as system is accessed”

“In system administration, the evil is in details”

• For questions, contact is [email protected]
• with [ESGI] in the subject field – otherwise, mail will be considered as spam by server rules.

Page 3

INTRODUCTION

• SECURITY BREACHES WELL-KNOWN EXAMPLES
• UNIX RELEASES AND FLAVORS
• REMINDER : UNIX MANDATORY
• WELL-KNOWN ATTACKS, MALICIOUS PROGRAMS
• KEY CONCEPTS, RISKS, STRATEGY
• HOW TO SECURE, SECURED DESIGN
• SOME TABLE LAWS

Page 4

SECURITY BREACHES WELL-KNOWN EXAMPLES

• Sendmail debug command mode: as sendmail runs with setuid root, a user can run any command with root power (try sudo and vi!...)

• Command passwd -f: no control of the entered GECOS field, so a user can add any new line in the password file

• Buffer overflow is a variant: the user can execute shellcode (to get a root shell) previously saved at some memory address, for programs that accept any input without control (exploit)

• SYN flooding: by sending a high rate of TCP open-session requests (SYN), the server fills its queue with half-open session data

• SQL injection: an SQL request to the database may be forged to execute malicious code

Page 5

FOR INFORMATION – UNIX RELEASES

Year | UNIX | Solaris | Linux
1969 | AT&T Labs Unix | |
1977 | Berkeley BSD Unix | |
1983 | System V | From BSD & SysV: | From scratch:
1991 | | Solaris 1.0 (= SunOS 4) | Linus Torvalds, Linux
1992 | FreeBSD, OpenBSD | |
1993 | | | Slackware ; Debian
1994 | | | Kernel 1.0 stable – RedHat
1995 | | Solaris 2.5 (= SunOS 5.5) |
2000 | | Solaris 8 (= SunOS 5.8) |
2001 | | Solaris 9 (= SunOS 5.9) | Kernel 2.4
2003 | | | Fedora Core – Kernel 2.6
2005 | | Solaris 10 |
2008 | | | Fedora 10

Page 6

FOR INFORMATION – UNIX FLAVORS

• Unix time line: http://www.levenez.com/unix/
• Linux distributions time line: http://futurist.se/gldt/gldt76.png

Page 7

REMINDER – UNIX MANDATORY

• Read, read again the documentation: man, man -k, makewhatis -u
• vi – what else could be expected? vim, but mind its config and security
• Shells: sh – best choice for scripting; then tcsh or bash… (current: ps)
• find, diff, touch, sort [-n]
• xargs
• grep, egrep, awk, Perl, expect

Page 8

WELL-KNOWN ATTACKS

Name | Category | Definition
Sniffing | Network | Get information from network transactions
Spoofing or masquerading | Network | Take the identity of someone else
Denial of service | Network | Try to stop or degrade a service – usually by a flooding technique
Replaying | Authentication | Replay an abusive authentication or transaction
Repudiation | Authentication | Reject (deny) an authentication or transaction
Spam | Mail | Undesirable mail
Phishing | Mail | Disguised mail to get confidential data
Hoax | Mail | Joke with more or less consequences
Dictionary | Password | Test with a list of the most common words
Brute force | Password | By trying a large number of possibilities
Social engineering | All | Getting personal information by any means (physical, social network, …)

Page 9

MALICIOUS PROGRAMS (MALWARE)

Name | Definition
Virus | Inserts malicious code on a machine
Worm | Separate process that exploits security holes over the network
Trojan horse | Malicious program disguised as something innocuous or desirable
Backdoor | Method to bypass normal authentication procedures
Rootkit | Software set installed to get abusive rights, install a backdoor and stay hidden
Spyware | Gathers information for commercial purposes
Key logger | Copies down the user’s keystrokes
Bomb | Crashes the system at a given time
Exploit | Exploits a security breach of a piece of software

Most of these can be detected locally (by signature) – except some exploits, which can be detected at network level (firewall).

Page 10

SECURITY KEY CONCEPTS

• Security goals: confidentiality, integrity, availability, authentication, non-repudiation
• 3 usual answers to threats: ignore, improvise, or try to ‘over’-secure
• Right answer: determine the field, identify and evaluate the cost of resources (financial, confidentiality or production), determine security risks and strategy, monitor, upgrade

Page 11

STRATEGIES

• Strategies:
  Accept the threat – but have a recovery plan
  Reduce the threat – by appropriate means
  Transfer the threat – to a vendor
  Bypass the threat – by blocking access

• Understanding is key:
  Example of mail user privilege
  Protect all layers – example of firewalls
  Reduce the exposed surface
  Protect, but detect and answer – administrate!

• Security is or must be part of: conception, operation and deployment

Page 12

RISKS AND STRATEGY

Risks
• Human – malicious, but often from authorized users
• Technical – hardware (physical access), software
• It is up to the sysadmin to decide what they are and the right level of protection

Strategy
• Security and comfort is a compromise
• Have a security policy, especially a recovery procedure

Page 13

HOW TO SECURE

In-depth (passive) protection
• (Physical – premises access)
• Network filtering
• Passwords
• Encryption
• Backup

(Active) security process
• Monitor and add corrections
• Full audit
• Upgrade

Page 14

SECURED DESIGN

• Open design or secret design debate (hidden flaws, issues discovered by the community, provocation to exploits)

Common breaches
• Least user access (chroot as solution)
• Buffer overflow
• Printf function (insert conversion keys into string)
• Web programming (URL forging)
• Transactions, client/server (man-in-the-middle; encryption, hashing as solutions)

Page 15

SOME TABLE LAWS…

• If someone can execute something on your computer, or if someone can modify your OS, or if someone can physically access your computer, it will not belong to you anymore
• As well, if someone can execute something on your web site, it will not belong to you anymore
• Weak passwords lead to security breaches
• A system is as secure as the sysadmin wants it to be
• Encrypted data is as secure as the key used to encrypt it
• An anti-virus that is not updated is as useful as no anti-virus
• Anonymity is not useful, but confidentiality is
• Technology is not the be-all and end-all
• Security measures work well when they are simple to use for the sysadmin and transparent to users

(Microsoft point of view)

Page 16

SYSTEM AND SECURITY BASIS

• REMINDER : PROCESSES
• DAEMONS, SERVERS, SERVICES
• INIT DAEMON, INIT LEVELS
• REMINDER : BOOTING – SHUTTING DOWN
• SERVICE MANAGEMENT
• REMINDER : FILES, FHS
• PACKAGE MANAGEMENT

Page 17

REMINDER : PROCESSES

• Processes have four identities: real (for accounting) and effective (for access permissions) UID and GID; usually the same, except with the setuid or setgid bit set
• Command ps
• Find setuid and setgid files over the system:

find / -type f -perm /u+s,g+s -ls

Kinds of processes
• Interactive – controlled with & (run in background), ^Z (stop job), bg (restart in background), jobs (list current jobs)
• Batch
• Daemons

Page 18

DAEMONS, SERVERS, SERVICES

• Daemon, server, service concepts
• Daemon: programs not part of the kernel; a process that performs a specific function or system-related task
• Started at boot time or on demand

Specific system daemons
• init, the primordial process
• cron, which schedules commands
• inetd, which manages some of them

Page 19

WELL KNOWN DAEMONS

Name | Description
init | First process
syslogd, rsyslogd | Syslog logging
sendmail | Mail MTA – Mail Transfer Agent
lpd, lpsched | Print scheduler
crond | Cron process scheduler
getty, mingetty | Terminal support
syncd, fsflush, bdflush, pdflush | Disk buffer management
pagedaemon, swapper, kswap | Swap management
inetd | Main daemon to start on-demand TCP/IP services such as telnetd, ftpd, rshd – see /etc/inetd.conf
named | BIND DNS – Domain Name resolution
routed, gated | TCP/IP routing daemons
dhcpd | DHCP – Dynamic Host Configuration Protocol
portmap, rpcbind | Port service resolution for RPC – Remote Procedure Call
nfsd | NFS – Network File System
smbd, nmbd | Samba
httpd | Apache HTTP server
timed, ntpd, xntpd | NTP – Network Time Protocol

Page 20

REMINDER : BOOTING – SHUTTING DOWN

Solaris SPARC
• Boot PROM (device detection) – access with STOP-A; boot -s: single-user; boot -r: reconfigure. See ls -l /dev/rdsk/c0t0d0s0
• Kernel loading and initialization
• Device configuration: touch /RECONFIGURE
• Execution of startup scripts – Level 0: shut down (init 0) – Level 1 or S: single user (init -s) – Level 6: reboot (init 6). Scripts management: none, or see 5.10. Configuration: /etc/default
• Multiuser mode
• Shutdown: /usr/sbin/shutdown -g secs -i6 (reboot); /usr/sbin/shutdown -g secs -i0 (shut down); /usr/sbin/shutdown -g secs -iS (single user)

Solaris x86/64
• ROM BIOS, then MBR of the boot device
• Boot loader (GRUB since 5.10, see /boot/grub/menu.lst)
• Kernel loading and initialization
• Device configuration: touch /RECONFIGURE
• Execution of startup scripts – levels as for SPARC. Scripts management: none, or see 5.10. Configuration: /etc/default
• Multiuser mode
• Shutdown: as for SPARC

Linux (Fedora Core)
• ROM BIOS, then MBR of the boot device
• Boot loader (GRUB, see /boot/grub/menu.lst)
• Kernel loading and initialization
• Device detection and configuration
• Execution of startup scripts – Level 0: shut down (init 0) – Level 1 or S: single user (init -s) – Level 6: reboot (init 6). Scripts management: chkconfig. Configuration: /etc/sysconfig
• Multiuser mode
• Shutdown: /usr/sbin/shutdown -r secs (reboot); /usr/sbin/shutdown -h secs (halt); /usr/sbin/shutdown -f secs (skip fsck at next boot)

Page 21

INIT LEVELS

Level | Name or goal | Links to scripts directory | Remarks
0 | Stop | /etc/rc0.d |
1, S or s | Maintenance, single user | /etc/rc1.d |
2 | Multiuser | /etc/rc2.d | This is the place to add custom system links to scripts
3 | Network server | /etc/rc3.d | This is the place to add custom application links to scripts
5 | Same as 3, with graphical logon session | /etc/rc5.d |
6 | Will step to 0 and back to normal | /etc/rc6.d |

Notes:
• Many other levels, depending on the OS, or very specific
• init command; who -r command
• Default state defined in /etc/inittab
• Startup links to scripts: SXXname; stop links: KXXname, where XX is a number from 00 to 99
• Place to find the scripts: /etc/init.d
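As an added example (not from the slides), the shell functions below read the SXXname / KXXname links just described from an rcX.d directory and print, in the order init processes them, what that level stops and then starts, flagging a dangling link left behind by a removed package. The rc3.d tree they run on is constructed under a temporary directory, not the live /etc, and the service names in it are invented.

```shell
#!/bin/sh
# Added example: inspect a System V run-level directory (rcX.d) by reading
# its S/K symbolic links. Runs on a constructed tree, not the live /etc.

# rc_plan DIR: print "stop NN name -> target" for K links, then
# "start NN name -> target" for S links, in the order init would use them.
# A link whose target no longer exists is reported as "dangling".
rc_plan() {
    for link in "$1"/K[0-9][0-9]* "$1"/S[0-9][0-9]*; do
        # an unmatched glob leaves the pattern itself behind: skip it
        [ -L "$link" ] || [ -e "$link" ] || continue
        name=${link##*/}                 # e.g. S55sshd
        kind=${name%%[0-9]*}             # S or K
        num=$(printf '%s' "$name" | cut -c2-3)
        svc=${name#[SK][0-9][0-9]}       # service name after the number
        target=$(readlink "$link" || printf '%s' "$link")
        if [ ! -e "$link" ]; then
            printf 'dangling %s -> %s\n' "$name" "$target"
            continue
        fi
        case "$kind" in
            K) printf 'stop  %s %s -> %s\n' "$num" "$svc" "$target" ;;
            S) printf 'start %s %s -> %s\n' "$num" "$svc" "$target" ;;
        esac
    done
}

# demo_rc: build a constructed init.d/rc3.d pair under a temporary directory
# (invented services) and print the path of the rc3.d directory.
demo_rc() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc3.d"
    for s in network sshd cups; do
        printf '#!/bin/sh\necho %s "$1"\n' "$s" > "$root/init.d/$s"
    done
    ln -s ../init.d/network "$root/rc3.d/S10network"
    ln -s ../init.d/sshd    "$root/rc3.d/S55sshd"
    ln -s ../init.d/cups    "$root/rc3.d/K20cups"
    ln -s ../init.d/oldsvc  "$root/rc3.d/S99oldsvc"   # package removed, link left behind
    printf '%s\n' "$root/rc3.d"
}

rc_plan "$(demo_rc)"
```

On a real host, `rc_plan /etc/rc3.d` gives the same listing for the live level 3; a "dangling" line there is an orphaned link worth removing.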

Page 22

INIT DAEMON

• First process to run after system boot
• Always has PID 1 and is the ancestor of all other processes
• After startup, init consults /etc/inittab (or, for BSD, /etc/ttys) to determine on which physical ports it should expect users to log in (getty processes – even though network daemons are largely used today, or xdm for the graphical interface)
• Also takes care of zombie processes (not running but listed)
• init defines run levels (passed as an argument to it from the boot loader): 0 to 6 and s (single-user)
• An additional layer is given by the startup scripts in /etc/init.d, linked to startup and stop scripts in /etc/rcX.d

Page 23

SERVICE MANAGEMENT IMPLEMENTATIONS EXAMPLES

Object | Universal way of doing it | chkconfig/service commands (Fedora 10) | SMF – Service Management Facility (Solaris 10+)
Disable a service | mv /etc/rc2.d/S75cron /etc/rc2.d/_S75cron | chkconfig crond off | svcadm disable system/cron:default
Enable a service | Edit /etc/inet/inetd.conf, uncomment the finger line | chkconfig fingerd on | svcadm enable network/finger:default
Stop a service | /etc/init.d/sshd stop | service sshd stop | svcadm disable -t network/ssh:default
Start a service | /etc/init.d/sshd start | service sshd start | svcadm enable -t network/ssh:default
Restart a service | /etc/init.d/sshd stop ; /etc/init.d/sshd start | service sshd --full-restart | svcadm restart network/ssh:default
Hang up a service | kill -HUP `cat /var/run/sshd.pid` | No integrated command | svcadm refresh network/ssh:default
Diagnose a faulty service | Look around the logs (/var/adm/messages) | No integrated command | svcs -x[v] service
Dependencies of a service | Look around the script dependencies by reading the code | No integrated command | svcs -d service or svcs -D service
Processes associated with a service | lsof | No integrated command | svcs -p network/smtp:sendmail ; ps -fp id,id
Changing run level | Edit /etc/inittab | No integrated command | svcadm milestone -d milestone/single-user:default
Legacy Internet services daemon | Edit /etc/inet/inetd.conf | No integrated command | Edit /etc/inet/inetd.conf, then issue the inetconv command

Page 24

SERVICES MANAGEMENT COMPLEMENTS

• Commands: init 0, init 6, init s, ps -ef, kill -<signal>, pgrep, pkill, <service-script> start|stop|restart (service startup script)
• Command chkconfig (specific to Fedora):
  usage: chkconfig --list [name]
         chkconfig --add <name>
         chkconfig --del <name>
         chkconfig --override <name>
         chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>
  chkconfig header in startup scripts
• And finally, the system-config-services GUI applet, specific to Linux
• Command service and the semi-graphical GUI sysvconfig, both specific to Debian

Page 25

OTHER CONCEPTS

• Command dmesg (kernel log)
• Core dump: ulimit -c
• Path:
  - try not to modify the root profile PATH variable
  - do not set an empty entry or ‘.’ in the PATH variable
  - in scripts (and configurations like cron), always use the full path for commands (as variables at the beginning)
• Disk quotas may be used to isolate an application (vs. their original purpose)
• vi and other editors’ dump-file feature
• History of shell commands
• who -r
• cp -p
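The PATH rules above can be checked mechanically. The shell function below is an added example (not from the slides): it takes a PATH value as its argument so constructed values can be tested, reports an empty entry or ‘.’ (both make the shell search the current directory) and, going one step further than the slide, any world-writable directory on the path, where any local user could plant a command. The demo value at the bottom is constructed.

```shell
#!/bin/sh
# Added example: check a PATH value for the mistakes listed on the slide
# (an empty entry or "." makes the shell search the current directory) and
# for world-writable directories, which let any local user plant a command.
# The value is taken from $1 so constructed values can be tested; pass "$PATH"
# to check the live environment.

check_path() {
    path=$1
    rc=0
    # A leading or trailing ':' or a '::' in the middle is an empty entry,
    # which the shell treats exactly like '.'.
    case "$path" in
        :*|*:|*::*) echo "empty entry in PATH (implicit '.')"; rc=1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    for dir in $path; do
        case "$dir" in
            .|'')
                echo "current directory in PATH: '$dir'"; rc=1 ;;
            /*)
                # -prune keeps find on the directory itself; -perm -0002 = o+w
                if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
                    echo "world-writable directory in PATH: $dir"; rc=1
                fi ;;
            *)
                echo "relative entry in PATH: $dir"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Demo on a constructed value; in practice run: check_path "$PATH"
check_path "/usr/bin:/bin:." || echo "unsafe PATH"
```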

Page 26

ANSWERS TO QUESTIONS - 1

• Gentoo (2003): visible on the time line; derives from Enoch (1999), which was built from scratch. Compiles on installation, taking into account the processor’s instruction set.

• ESCAPING TO SHELL WITH VI, MORE, …
  Type : (colon) to get into command mode, then ! (exclamation mark) to run any shell command, then type the command

• locate – updatedb
  Search of a pattern ( *file* ) instead of a filename ( file )
  locate ntp == find / -name "*ntp*"
  locate -b '\ntp' == find / -name ntp

• History length: on sh or bash this is set with $HISTSIZE (tcsh: $history). See the following profiles slide and hands-on (depending on the shell, use man, setenv or printenv)

Page 27

ANSWERS TO QUESTIONS - 2

• grep
  # egrep pattern file(s)       Shows filenames & lines that match [ filename: line ]
  # egrep -L pattern file(s)    Lists files that do not contain any matching line

• awk
  # ifconfig -a | awk 'BEGIN {printf "%-4s %-19s %-15s\n","If","MAC","IP"} / Link/ {a=a+1 ; printf "%.4s %17s",$1,$5 ; getline ; printf "%15s\n",substr($2,6,15)} END {print "Total nbr:", a}'
  If   MAC                 IP
  eth0 00:09:5B:BD:FA:D2   192.168.0.1
  eth1 00:0E:A6:9F:7C:AA   89.156.6.39
  lo                       127.0.0.1
  Total nbr: 3

Page 28

REMINDER : FILES

• In Unix everything is a file (I/O from files or from peripherals is the same)
• In Unix, a file belongs to a user AND to a group (no mandatory relationship between both); a user can belong to many groups; so, giving access to a set of files or commands belonging to a group is done by adding the user to the group
• When a file is created, it belongs to the user who created it and to that user’s group – except if the upper directory is setgid (BSD style)
• Commands: chown [-R], chgrp, chmod
• Access rights for files (directories):
  r read (can ls it), w write (can delete/rename files inside), x execute (can cd into)
  (to be executable, a shell script needs rx, a binary only x)
• umask 022 command in profile files to set the permissions of new files
• Special access:
  t sticky bit (can write into a dir but not delete other users’ files; /tmp)
  s setuid bit (sets the resource access of the process to the owner and not to the one who runs it)
  s setgid bit (for a file, sets the resource access of the process to the owning group and not to the one who runs it – for a dir, see above)
  find / [-user root] -xdev -perm {-4000 | -2000}
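The two find commands on the processes slide and on this one list the privileged binaries once; what an administrator wants is to know when that list changes. The script below is an added example (not from the slides) that saves the list as a baseline and reports any setuid/setgid file that appears or disappears afterwards. It uses the POSIX `-perm -4000 -o -perm -2000` form rather than the GNU-only `-perm /u+s,g+s`, and runs on a constructed directory tree standing in for /, with invented file names.

```shell
#!/bin/sh
# Added example: baseline and re-audit the setuid/setgid files that the
# find commands on the slides list, so that a privileged binary appearing
# where none was before (a classic rootkit or backdoor symptom) is reported.
# POSIX "-perm -4000 -o -perm -2000" is used instead of the slide's GNU-only
# "-perm /u+s,g+s". Runs on a constructed tree, not the live system.

# list_privileged DIR: sorted list of setuid or setgid regular files below
# DIR, staying on one filesystem (-xdev) as the slide does.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_privileged DIR BASELINE: compare the current list with the saved one.
# Prints "+path" for new privileged files and "-path" for vanished ones;
# returns 0 when nothing changed, 1 otherwise, 2 without a baseline.
audit_privileged() {
    [ -r "$2" ] || { echo "no baseline file $2"; return 2; }
    current=$(mktemp)
    list_privileged "$1" > "$current"
    changes=$(diff "$2" "$current" | sed -n 's/^> /+/p; s/^< /-/p')
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# count_privileged DIR: number of setuid/setgid files (handy for reports).
count_privileged() {
    list_privileged "$1" | wc -l | tr -d ' '
}

# demo_tree: a constructed directory with two setuid files and one plain
# file, standing in for /; prints its path.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp"
    : > "$root/bin/passwd"; chmod 4755 "$root/bin/passwd"
    : > "$root/bin/su";     chmod 4755 "$root/bin/su"
    : > "$root/bin/ls";     chmod 0755 "$root/bin/ls"
    printf '%s\n' "$root"
}

# Typical use: baseline once, re-run the audit from cron, act on any "+" line.
root=$(demo_tree)
list_privileged "$root" > "$root/baseline"
: > "$root/tmp/backdoor"; chmod 4755 "$root/tmp/backdoor"   # simulated intrusion
audit_privileged "$root" "$root/baseline" || echo "privileged files changed"
```

The baseline should live somewhere the audited tree cannot alter it (read-only media, or a host that pulls the list over the network); a baseline stored on the audited filesystem can be edited by whoever planted the binary.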

Page 29

FILESYSTEM HIERARCHY STANDARD – 1

/
  /bin            Binaries
  /dev            Special files – devices
    /cdrom
    /console
    /null
    /stdin
    /tty0
  /etc            Configuration files and directories
    /httpd
    /init.d
    /rc2.d
    /rc3.d
    /skel
  /sbin           System binaries
  /home           Home directories
    /antoine
  /lib            Libraries
  /lost+found     Lost files (used by fsck)

Page 30

FILESYSTEM HIERARCHY STANDARD – 2

  /mnt            Usual mount point
  /opt            Optional software
  /proc           Special: processes directory
  /tmp            Temporary directory
  /usr            User’s binaries directories
    /bin
    /include
    /lib
    /local
      /bin
      /lib
      /src
    /sbin
  /var            Temporary files (logs, queues, data)
    /log
    /spool
      /cron
      /lpd
      /mail
    /www

Page 31

PACKAGES MANAGEMENT

Action | Solaris | RedHat (Fedora) | Debian (Ubuntu) | FreeBSD
List, search, information | pkginfo | rpm -q | apt-cache [show] | pkg_info
Install | pkgadd | rpm -i | apt-get install | pkg_add [-r]
Update | smpatch | rpm -U | apt-get upgrade |
Remove | pkgrm | rpm -e | apt-get remove | pkg_delete
GUI tool | Sun™ Update Manager | Gnome tool (or Yum-Yumex) | Synaptic Package Manager ; Wajig-Gjig | FreeBSD offers a way to install sources and build them locally with Gnome Tinderport

This table may not be complete, as many other ways of doing package management exist (see FreeBSD – or the Mac OS X tool ‘Fink’, which also builds locally), especially for other commercial OSes. The system admin has to check their own OS.

A word about configuration file updates, for RPM: rpmsave and rpmnew extensions. After an update, do:
find / \( -name "*rpmsave" -o -name "*rpmnew" \)

Page 32

PHYSICAL SECURITY

• USERS AND GROUPS
• PASSWORD CRACK TOOLS
• SUDO
• PHYSICAL ATTACKS
• HIGH AVAILABILITY
• CHANNEL BONDING

Page 33

USERS AND GROUPS

• su: switch user
  # su -          switch to root, loading root’s environment
• Password
  # passwd [user]
• sudo: optional package (configuration by visudo)
  # sudo [command]
• Users base files: /etc/passwd and /etc/shadow (encrypted passwords)
  # head -2 /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  (User:x:UID:GID:GECOS:home-dir:shell)
  # man -s5 shadow
  # vipw [-s]
• Groups base file: /etc/group
  # head -2 /etc/group
  root:x:0:root
  bin:x:1:root,bin,daemon
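Knowing the field layout of /etc/passwd and /etc/shadow is what makes them auditable. The script below is an added example (not from the slides) that applies a few checks an administrator runs after the "head -2" look above: a second UID 0 account, a duplicate UID, a hash left in passwd instead of "x", an empty password field in shadow, a hash that is neither a modern $id$ crypt string nor a lock marker, and a world-readable shadow file. It runs on constructed copies of the two files (the account names, hashes and dates in them are invented), never on the live /etc files.

```shell
#!/bin/sh
# Added example: sanity checks over the two user base files described on the
# slide, run on constructed copies rather than the live /etc files. Assumes
# the passwd layout User:x:UID:GID:GECOS:home-dir:shell shown above and the
# shadow layout of man 5 shadow (second field = hashed password).

# audit_passwd FILE: report malformed lines, password hashes left in passwd
# (field 2 should be "x" when shadow is in use), extra UID 0 accounts and
# duplicate UIDs. Returns 1 if anything was reported.
audit_passwd() {
    awk -F: '
        BEGIN { bad = 0 }
        NF != 7 { printf "%s: malformed line (%d fields)\n", $1, NF; bad = 1; next }
        $2 != "x" { printf "%s: password field is not \"x\" (hash stored in passwd?)\n", $1; bad = 1 }
        $3 == 0 && $1 != "root" { printf "%s: extra UID 0 account\n", $1; bad = 1 }
        seen[$3]++ && $3 != 0 { printf "%s: duplicate UID %s\n", $1, $3; bad = 1 }
        END { exit bad }
    ' "$1"
}

# audit_shadow FILE: report accounts with an empty password field (login with
# no password at all) and hashes that are neither a $id$ crypt string nor a
# lock marker (* or !). Returns 1 if anything was reported.
audit_shadow() {
    awk -F: '
        BEGIN { bad = 0 }
        $2 == "" { printf "%s: empty password field\n", $1; bad = 1 }
        $2 != "" && $2 !~ /^[$!*]/ { printf "%s: legacy or unknown hash format\n", $1; bad = 1 }
        END { exit bad }
    ' "$1"
}

# shadow_world_readable FILE: true (0) if FILE is readable by others.
shadow_world_readable() {
    [ -n "$(find "$1" -prune -perm -0004 -print 2>/dev/null)" ]
}

# make_samples: write constructed passwd/shadow files in a temp dir; prints it.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
antoine:x:1001:1001:Antoine:/home/antoine:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
EOF
    # hashes below are constructed placeholders, not real crypt output
    cat > "$dir/shadow" <<'EOF'
root:$6$saltsalt$constructedhash:17000:0:99999:7:::
bin:*:17000:0:99999:7:::
toor::17000:0:99999:7:::
antoine:$6$saltsalt$constructedhash:17000:0:99999:7:::
guest:abJnggxhB/yWI:17000:0:99999:7:::
EOF
    chmod 600 "$dir/shadow"
    printf '%s\n' "$dir"
}

d=$(make_samples)
audit_passwd "$d/passwd" || echo "passwd: problems found"
audit_shadow "$d/shadow" || echo "shadow: problems found"
if shadow_world_readable "$d/shadow"; then echo "shadow is world-readable"; fi
```

On the sample, audit_passwd reports toor (extra UID 0) and guest (duplicate UID 1001), and audit_shadow reports toor (no password) and guest (legacy hash).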

Page 34

USERS ADMINISTRATION - PROFILES

Main shells

sh
  Startup: /etc/profile (login shells); .profile (login shells)
  Upon termination: any command or script specified using trap "command" 0

tcsh
  Startup: /etc/csh.cshrc (always); /etc/csh.login (login shells); .tcshrc (always); .cshrc (if no .tcshrc file is present); .login (login shells)
  Upon termination: .logout (login shells)
  Other: .history (saves history based on "$savehist"); .cshdirs (saves directory stack)

bash
  Startup: /etc/profile (login shells); .bash_profile (login shells); .profile (login shells, if no .bash_profile file is present); .bashrc (interactive non-login shells); $ENV (non-interactive shells)
  Upon termination: .bash_logout (login shells)
  Other: .inputrc (readline initialization)

Nothing specific to the OS, but to the shell. However, it is worth knowing!

Page 35

OTHER CONCEPTS

• Users management commands, highly dependent on the OS: adduser, useradd, ...
• Command dmesg
• Command ls
  # ls -als | head -4
  total 4080                                                    nbr-of-blocks
  16 drwxr-xr-x 146 root root 12288 2009-02-21 04:44 .
   8 drwxr-xr-x  24 root root  4096 2009-02-10 18:03 ..
   8 drwxr-xr-x   4 root root  4096 2008-01-23 15:25 acpi
  (columns: size-in-blocks, type + permissions, nbr of links, user, group, size-in-bytes, last-modif-date, name)
• Command chown [-R]
• Command chmod
• Symbolic links
• File types (command file): d (dir), l (symbolic link), b (block), c (character), s (socket), p (pipe)

Page 36

PASSWORD CRACK TOOLS

Usage of these tools is illegal on computers where you have not been explicitly authorized to do it. But it is recommended to test your own password files – anyhow, crackers will do it with them.

Crack
• Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin
• Quick-start commands:
  # umask 077
  # ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
  # Crack -nice 5 /root/unshadp
  # CrackReporter
• Results in the ~/run directory

John the Ripper
• Locations: /usr/share/john ; /usr/libexec/john
• Quick-start commands:
  # umask 077
  # unshadow /etc/passwd /etc/shadow > /root/unshadp
  # john [--rules --wordfile=FILE] /root/unshadp
• Results in ~/john.pot

Page 37

EXAMPLE FOR JOHN - 1

Page 38

EXAMPLE FOR JOHN - 2

...New UNIX password: 12345...
12345            (essai1)
guesses: 1  time: 0:00:00:05 8% (2)  c/s: 4880  trying: Sunshine1 ^C

...New UNIX password: cathy...
cathy            (essai1)
guesses: 1  time: 0:00:00:04 6% (2)  c/s: 4891  trying: decembers ^C

...New UNIX password: djk7sdf...
guesses: 0  time: 0:00:00:34 37% (2)  c/s: 4886  trying: blondie? ^C

Page 39

SOME PHYSICAL ATTACKS

• Physical access must be protected – if not, an attacker can open the case and reset the EEPROM (where the BIOS password is saved) or can steal the hard disk…
• The BIOS (or boot PROM for Sun) level must be protected (with a password) – if not, an attacker can boot on their own CD/DVD
• If partitions are not encrypted, booting with a CD/DVD gives access to the data (with the mount command) and so to /etc/passwd (this is an official recovery procedure for a lost root password)
• For backup purposes, a recovery CD (or the software installation CD) is usually needed
  # mkbootdisk `uname -r`
• The network may need to be redundant (High Availability) by duplicating network interfaces, switches, routers. Multiple redundant interfacing is named channel bonding (or IP multipathing for Sun) – otherwise, DoS

Page 40

ROOT PASSWORD RECOVERY

Simplest procedure using single user mode – case of Fedora 10
• At the GRUB screen, edit the current boot line (e)
• Edit the kernel line (e) by adding ‘single’ at the end (single user mode)
• Save and boot (b)
• The passwd command can then be entered with root privileges to reset the root password

GRUB is protected if:
• the GRUB bootloader has a timeout (/boot/grub/menu.lst) – suppress it (0)
• or a password (add the line password --md5 PASSWORD in menu.lst)
  The encrypted password is given by the command
  # grub-md5-crypt
  which returns a PASSWORD that can be pasted

Page 41

ROOT LOGIN DEVICES

Kinds of terminals
• console            # console
• ttyn (tty1, ...)   # serial terminals
• vc/n (vc/1, ...)   # virtual consoles

Where root can directly log in
• Configurable in /etc/securetty

Security
• Should all be disabled (by commenting with #) except console and/or tty1

Page 42

ROOT, SUDO AND SECURITY

• Never log in as root directly
• su - (minus to inherit root’s environment instead of the user’s)
• Never change root’s shell
• Package sudo, used to give some determined root rights to standard users (with their own passwords!)
  - Configuration file: /etc/sudoers (mode 440), editable only with the visudo command – see man sudo, man sudoers
  - Never configure shells, or utilities that escape to a shell, as commands (more, less, vi, …), because the commands will be executed as root!
  - sudo -v: restart the timeout
  - sudo may be integrated with PAM
  - passwords are not encrypted; SSH is the solution
  - usage can be forced by replacing the su command with a symbolic link to sudo

Page 43

SUDO CONFIGURATION LINES EXAMPLES

Host_Alias FILESERVERS = fs1, fs2
User_Alias ADMINS = antoine, john
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Defaults requiretty

root ALL = (ALL) ALL
antoine fs1 = /sbin/mount, /mnt/cdrom
ADMINS FILESERVERS = SOFTWARE
dgb fs2 = (operator) /bin/ls

• The most important: the sudoers config should be set to span over multiple servers (by simple file transfer and copy)
• Last: the user dgb may run /bin/ls, but only as operator, e.g.
  # sudo -u operator /bin/ls
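The warning on the previous slide (never grant more, less, vi or a shell through sudo) and the alias syntax shown here can be turned into a check that runs before a sudoers file is copied to the other servers. The script below is an added example (not from the slides, and not part of sudo, whose own visudo -c checks syntax only): it resolves Cmnd_Alias names, strips tags such as NOPASSWD:, and reports any non-root entry granting ALL or a command whose basename is a known shell-escaper. The sudoers file it lints is a constructed one that extends the slide's lines with invented users and aliases.

```shell
#!/bin/sh
# Added example: a lint for sudoers user specifications that flags the two
# things the slides warn about: granting ALL, and granting a command that can
# escape to a shell (more, less, vi, ...), which then runs as root.
# It resolves Cmnd_Alias names, skips Defaults and the other alias kinds and
# strips tags such as NOPASSWD:. Runs on a constructed file, not /etc/sudoers.

lint_sudoers() {
    awk '
        function check(user, cmd,    base) {
            sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
            sub(/^[A-Z_]+:[ \t]*/, "", cmd)           # drop NOPASSWD: and other tags
            if (cmd == "ALL") {
                if (user != "root") { printf "%s: ALL commands granted, review\n", user; bad = 1 }
                return
            }
            base = cmd; sub(/ .*/, "", base); sub(/.*\//, "", base)   # command basename
            if (base in escapers) { printf "%s: %s can escape to a root shell\n", user, cmd; bad = 1 }
        }
        BEGIN {
            bad = 0
            n = split("sh bash csh tcsh ksh zsh vi vim more less ed emacs", e, " ")
            for (i = 1; i <= n; i++) escapers[e[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }                                   # comments, blank lines
        /^(Defaults|Host_Alias|User_Alias|Runas_Alias)/ { next }
        /^Cmnd_Alias/ {
            name = $0; sub(/^Cmnd_Alias[ \t]+/, "", name); sub(/[ \t]*=.*/, "", name)
            alias[name] = substr($0, index($0, "=") + 1)
            next
        }
        /=/ {
            user = $1
            rhs = substr($0, index($0, "=") + 1)
            sub(/^[ \t]*\([^)]*\)/, "", rhs)                      # drop the (runas) part
            n = split(rhs, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]; sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
                if (c in alias) {
                    m = split(alias[c], ac, ",")
                    for (j = 1; j <= m; j++) check(user, ac[j])
                } else check(user, c)
            }
        }
        END { exit bad }
    ' "$1"
}

# sample_sudoers: constructed file extending the slide's lines; prints its path.
sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample (invented users and aliases beyond the slide's lines)
Host_Alias FILESERVERS = fs1, fs2
User_Alias ADMINS = antoine, john
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias PAGERS = /usr/bin/vi, /bin/more
Defaults requiretty

root ALL = (ALL) ALL
ADMINS FILESERVERS = SOFTWARE
dgb fs2 = (operator) /bin/ls
helpdesk ALL = PAGERS
backup ALL = NOPASSWD: /usr/bin/less /var/log/messages
EOF
    printf '%s\n' "$f"
}

lint_sudoers "$(sample_sudoers)" || echo "sudoers needs review before distribution"
```

On the sample, the three findings are helpdesk's vi and more (through the PAGERS alias) and backup's less; the root, ADMINS and dgb lines pass. The escaper list is deliberately short; extend it with whatever other programs on your systems offer a shell escape.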

Page 44

ANSWERS TO QUESTIONS - 1

Ubuntu (8-10) iptables startup script

# cd /etc/init.d
# grep -i iptables *
ufw:    if iptables -L ufw-user-input -n >/dev/null 2>&1 ; then
ufw:    execs="iptables"
ufw:    execs="iptables"
ufw:    iptables -L ufw-user-input -n >/dev/null 2>&1 || {
# cat /etc/init.d/ufw
. . .

Page 45

ANSWERS TO QUESTIONS – 1bis

Virtualization
• http://fr.wikipedia.org/wiki/Virtualisation_(informatique)
• A – Operating-system-level virtualization (isolated OS): on Sun, Solaris 10 handles the concepts of containers (zones and resources); on Unix, chroot; on Linux, the same concept is operated with Linux-VServer
• B – Paravirtualization (software interface simulating hardware): VirtualBox, simple but low performance – VMware Server, Player, Workstation
• C – Hypervisor (manages guest kernel calls to the hardware): on Linux, Xen can support virtualization of OSes other than itself as long as they are ported to it – VMware ESXi

(Figures A, B and C: images from Wikipedia)

Page 46

ANSWERS TO QUESTIONS - 2

FreeBSD (7.1): switch user to root with su
• Problem when logged in as antoine

> id
uid=1001(antoine) gid=1001(antoine) groups=1001(antoine)
> su -
Feb 18 11:09:02 magfbsd su: BAD SU antoine to root on /dev/ttyv0
su: Sorry

• man su (extract): ...by default only users in the ''wheel'' group can switch to UID 0 (''root'')...

• Correction procedure: log in as root first

magfbsd# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
magfbsd# cp -p /etc/group /etc/group.ORIG
magfbsd# vi /etc/group    # add user antoine to the wheel group

• Test: log in again as antoine

> id
uid=1001(antoine) gid=1001(antoine) groups=1001(antoine)
> su -
Password:
Feb 18 11:17:09 magfbsd su: antoine to root on /dev/ttyv0
magfbsd# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

Page 47

ANSWERS TO QUESTIONS - 3

Init levels and services management:
• INIT LEVELS
• SERVICES MANAGEMENT IMPLEMENTATIONS EXAMPLES

Tree command
• tree -d -L 2

Telnet connections handling by TCP Wrappers (see also the new slides)
• In /etc/hosts.allow
  in.telnetd : LOCAL

Behavior against a SYN received on a closed port
• “If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means.”
• RFC 793, found at http://www.faqs.org/rfcs/

Page 48

HIGH AVAILABILITY (HA)

• Data: RAID, multipath
• Service access: clusters, network redundancy
• Geographic spanning
• Load sharing, load balancing, failover
• For Linux, a specific project: Linux-HA http://www.linux-ha.org/ (based on the heartbeat-2.1.x, stonith and DRBD packages)
  Excellent in-depth technical paper: http://www.linux-ha.org/_cache/HeartbeatTutorials__LCA2007-tutorial.pdf
  Includes explanations of HA concepts (split-brain, fencing, quorum, SPOF, data sharing, …)

Page 49

(LINUX) CHANNEL BONDING - 1

• Four concepts required (details may vary over distributions): (Linux) kernel modules, (Linux) network cards configuration, channel bonding itself, HA modes
• Note: the Linux NetworkManager service (used for laptop automatic network interface configuration) should be disabled and stopped, but the network service started
• Virtual interface: /etc/sysconfig/network-scripts/ifcfg-bond0
• “Regular” interfaces: /etc/sysconfig/network-scripts/ifcfg-eth0, /etc/sysconfig/network-scripts/ifcfg-eth1
• Module loading and configuration: /etc/modprobe.d/bonding
• Commands used to debug:
  lsmod | grep bond                       # Check module loading
  modprobe [-r] bonding                   # Load/unload module
  /etc/init.d/network [stop|start]        # Start/stop network service
  ifconfig -a                             # Print interfaces status
  ifconfig eth0 [up|down]                 # Enable/disable interface
  cat /var/log/messages | grep -i bond    # Check logs

Page 50

(LINUX) CHANNEL BONDING - 2

/etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
NETWORK=192.168.10.0
NETMASK=255.255.255.0
IPADDR=192.168.10.52
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
USERCTL=no
PEERDNS=yes
IPV6INIT=no
NM_CONTROLLED=no
GATEWAY=192.168.10.1

/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=08:00:27:aa:9a:f1
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
USERCTL=no
PEERDNS=yes
IPV6INIT=no
NM_CONTROLLED=no
MASTER=bond0
SLAVE=yes

/etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
HWADDR=08:00:27:e9:ff:c7
ONBOOT=yes
BOOTPROTO=none
TYPE=Ethernet
USERCTL=no
PEERDNS=yes
IPV6INIT=no
NM_CONTROLLED=no
MASTER=bond0
SLAVE=yes

/etc/modprobe.d/bonding
alias bond0 bonding
# options bond0 mode=0 miimon=100                 # Load sharing
options bond0 mode=1 miimon=100 primary=eth0      # Active/standby mode
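Once bond0 is configured as above, the question the HA slide raises is whether the redundancy is really there. The script below is an added example (not from the slides) that reads the status text the bonding driver exposes in /proc/net/bonding/bond0 and reports a slave that is down, accumulated link failures, and, in the active/standby mode configured here, whether the primary is still the active slave. It runs on a constructed copy of that status text (the driver version line and MAC addresses are sample values) so it works anywhere; on a real host pass the /proc file.

```shell
#!/bin/sh
# Added example: read the kernel's bonding status (what the slide's "check
# logs" step is looking for) from /proc/net/bonding/bond0 and report whether
# the redundancy is actually there: every slave up, and in active/standby
# mode the primary still the active one. The status text below is a
# constructed sample in the format the bonding driver writes, used instead
# of the live file so the script runs anywhere.

# bond_status FILE: print per-slave problems and a one-line summary.
# Returns 1 when fewer than two slaves are present or any slave is down.
bond_status() {
    awk -F': ' '
        BEGIN { n = 0; down = 0 }
        /^Bonding Mode/           { mode = $2 }
        /^Primary Slave/          { primary = $2; sub(/ .*/, "", primary) }
        /^Currently Active Slave/ { active = $2 }
        /^Slave Interface/        { slave = $2; n++ }
        /^MII Status/ && slave != "" {
            if ($2 != "up") { down++; printf "slave %s is %s\n", slave, $2 }
        }
        /^Link Failure Count/ && $2 + 0 > 0 {
            printf "slave %s: %s link failures so far\n", slave, $2
        }
        END {
            printf "mode=%s active=%s slaves=%d down=%d\n", mode, active, n, down
            if (primary != "" && active != primary)
                printf "failover happened: primary %s is not the active slave\n", primary
            exit (n < 2 || down > 0) ? 1 : 0
        }
    ' "$1"
}

# sample_bond healthy|degraded: write a constructed status file; prints its path.
sample_bond() {
    f=$(mktemp)
    if [ "$1" = healthy ]; then eth1_mii=up; eth1_fail=0; else eth1_mii=down; eth1_fail=3; fi
    cat > "$f" <<EOF
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0 (primary_reselect always)
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 08:00:27:aa:9a:f1
Slave queue ID: 0

Slave Interface: eth1
MII Status: $eth1_mii
Speed: 1000 Mbps
Duplex: full
Link Failure Count: $eth1_fail
Permanent HW addr: 08:00:27:e9:ff:c7
Slave queue ID: 0
EOF
    printf '%s\n' "$f"
}

bond_status "$(sample_bond degraded)" || echo "bond0 has lost redundancy"
# live host: bond_status /proc/net/bonding/bond0
```

A non-zero exit is the condition to alert on from cron or a monitoring agent: a bond with one slave down still carries traffic, which is exactly why nobody notices until the second link fails.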

Page 51: Admin+ Sesssion5 Apr11

NETWORK SECURITY• TCP/IP SECURITY WEAKNESSES• [X]INETD DAEMON AND SERVICES• TCPWRAPPERS• PORT SCANNING• DHCP• NETWORK CONFIGURATION FILES• NETWORK COMMANDS• IP ALIASING• TCP/IP STACK SECURITY• TOOLS : WIRESHARK AND NMAP


REMINDER : NETWORKING - 1

• TCP/IP layers :
application : telnet, NFS, FTP, SSH, HTTP
session : DNS, DHCP
transport : TCP, UDP
internet (OSI network) : IP, ICMP, routing
network access : Ethernet, ARP

• MAC address : 48 bits – the first 24 are the OUI (Organizationally Unique Identifier)
• Service = transport protocol (TCP or UDP) + port
/etc/protocols – associates an internet protocol (OSI network layer) with its protocol identifier
/etc/services – associates a transport protocol (transport layer) and port number with a service name

• IPv6 : 128-bit address (first 48 bits for the ISP, last 64 bits the interface identifier, usually derived from the MAC)
IPv4-mapped addresses (::FFFF:a.b.c.d) ; loopback is ::1 ; there is no broadcast, the all-nodes multicast address FF02::1 plays that role
http://www.potaroo.net/tools/ipv4/index.html


REMINDER : NETWORKING - 2

• Classes, networks, hosts, masks, broadcast calculation : see ipcalculator or ipcalc

• Networks, sub-networks and masks
Sub-networks are used to resize the number of hosts belonging to a network, especially for class C
A mask should always be set ; hosts belonging to different sub-networks can’t communicate except via a router ; this is a way to reduce traffic over the LAN

• ARP - RARP
• ICMP
• UDP : connectionless
• TCP : connection oriented


ICMP – PING

• Usually filtered by firewalls (at least the interesting types)
• Think about kernel tuning (sysctl –a | grep –i icmp) to avoid flooding
• Tools : hping3 [many options], xprobe2 (not really reliable any more – or are OSes now hardened ?)
• ICMP types used for fingerprinting :
Type 8 – Echo request
Type 13 – Timestamp request
Type 15 – Information request
Type 17 – Subnet address mask request
• Ping flooding : send echo requests to broadcast or multicast addresses with a spoofed source – every host answers the victim (amplification, smurf)


DHCP

• Application layer protocol carried over UDP (ports 67 server / 68 client) ; uses broadcasts because the client has no address yet
• Used to manage leases and allocate IP addresses – and other parameters such as gateway, DNS addresses,…
• Addresses can be allocated permanently (based on the client's MAC address) or for a given duration (lease)
• Protocol :
Client sends a DHCPDISCOVER to the broadcast address
Servers answer with a DHCPOFFER
Client sends a DHCPREQUEST to all DHCP servers, including the chosen server's identifier
The chosen server finally returns a DHCPACK with the IP parameters
Client may decline the parameters with DHCPDECLINE and the process is restarted

• DHCP servers must have a static address ! As well, DHCP must not be used for DNS, LDAP, … servers, for security reasons – address spoofing, because there is no authentication mechanism of the server identity : the first server to answer wins, so a rogue server can hand out its own gateway and DNS
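The exchange above, as an added example that is not part of the original slides: a minimal encoder/decoder for DHCP messages (RFC 2131 fixed header plus options 50/51/53/54/3/6) and a simulated DISCOVER/OFFER/REQUEST/ACK between one client and two servers. The server addresses, the client MAC and the second, rogue server are constructed for the example. The client does exactly what the protocol lets it do, checking only the transaction id and the server identifier it echoed in its REQUEST; nothing authenticates the server, so whichever OFFER arrives first dictates gateway and DNS.

```python
"""Minimal DHCP DORA exchange showing why an unauthenticated server can win (added example)."""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_ROUTER, OPT_DNS, OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 50, 51, 53, 54, 255
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed header (236 bytes), followed by the magic cookie


def build(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", options=()):
    zero = socket.inet_aton("0.0.0.0")
    header = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0x8000, zero, socket.inet_aton(yiaddr),
                         zero, zero, chaddr.ljust(16, b"\x00"), b"", b"")
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC + body + bytes([OPT_END])


def parse(pkt):
    fields = struct.unpack(FIXED, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                      # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "yiaddr": socket.inet_ntoa(fields[8]),
            "chaddr": fields[11][:6], "options": options}


class DhcpServer:
    """One server with a single address to hand out; answers every DISCOVER, ACKs only REQUESTs naming it."""
    def __init__(self, ip, offer_ip, router, dns):
        self.ip, self.offer_ip, self.router, self.dns = ip, offer_ip, router, dns

    def params(self):
        return [(OPT_SERVER_ID, socket.inet_aton(self.ip)), (OPT_LEASE, struct.pack("!I", 3600)),
                (OPT_ROUTER, socket.inet_aton(self.router)), (OPT_DNS, socket.inet_aton(self.dns))]

    def handle(self, pkt):
        m = parse(pkt)
        kind = m["options"][OPT_MSG_TYPE][0]
        if kind == DISCOVER:
            return build(BOOTREPLY, m["xid"], m["chaddr"], OFFER, self.offer_ip, self.params())
        if kind == REQUEST and m["options"].get(OPT_SERVER_ID) == socket.inet_aton(self.ip):
            return build(BOOTREPLY, m["xid"], m["chaddr"], ACK,
                         socket.inet_ntoa(m["options"][OPT_REQ_IP]), self.params())
        return None                          # REQUEST addressed to another server: stay silent


def client_dora(chaddr, xid, servers):
    """servers are listed in the order their replies reach the client: the first OFFER wins."""
    discover = build(BOOTREQUEST, xid, chaddr, DISCOVER)
    offers = [o for o in (s.handle(discover) for s in servers) if o]
    chosen = parse(offers[0])
    server_id = chosen["options"][OPT_SERVER_ID]
    request = build(BOOTREQUEST, xid, chaddr, REQUEST,
                    options=[(OPT_REQ_IP, socket.inet_aton(chosen["yiaddr"])), (OPT_SERVER_ID, server_id)])
    for reply in (s.handle(request) for s in servers):
        if reply is None:
            continue
        a = parse(reply)
        # The only checks a client can make: its own xid and the server id it echoed. Neither
        # proves who the server is, which is why DNS/LDAP servers must not take DHCP leases.
        if a["xid"] != xid or a["options"][OPT_SERVER_ID] != server_id or a["options"][OPT_MSG_TYPE][0] != ACK:
            continue
        o = a["options"]
        return {"ip": a["yiaddr"], "server": socket.inet_ntoa(o[OPT_SERVER_ID]),
                "router": socket.inet_ntoa(o[OPT_ROUTER]), "dns": socket.inet_ntoa(o[OPT_DNS])}
    return None


# Constructed hosts: the legitimate server and an attacker's rogue server on the same LAN.
LEGIT = DhcpServer("192.168.10.1", "192.168.10.52", "192.168.10.1", "192.168.10.10")
ROGUE = DhcpServer("192.168.10.66", "192.168.10.200", "192.168.10.66", "192.168.10.66")
CLIENT_MAC = bytes.fromhex("080027aa9af1")

if __name__ == "__main__":
    print(client_dora(CLIENT_MAC, 0x3903F326, [LEGIT]))         # normal lease
    print(client_dora(CLIENT_MAC, 0x3903F327, [ROGUE, LEGIT]))  # rogue answers first: its gateway and DNS win
```

Run it twice: with only LEGIT on the wire the client gets the expected parameters; with ROGUE answering first, the same client code, doing everything RFC 2131 asks of it, ends up routing and resolving through the attacker.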


DHCP CLIENT CONFIGURATION

                    Linux (Fedora)                                      Solaris
Interface config    /etc/sysconfig/network-scripts/ifcfg-eth0           /etc/hostname.hme0
                    /etc/sysconfig/network
Startup script      /etc/init.d/network (/sbin/ifup)                    /etc/init.d/network
DHCP activation     BOOTPROTO=dhcp in /etc/sysconfig/network-scripts/ifcfg-eth0    touch /etc/dhcp.hme0 ; config in /etc/default/dhcpagent
Binary              dhclient (forks to the background to renew the lease ; -d keeps it in the foreground)    dhcpagent
Client lease file   /var/lib/dhclient/dhclient-eth0.leases              /etc/dhcp/hme0.dhc
                    (/etc/dhcp/dhcpd-eth0.info in Fedora 9 !)


TCP/IP NETWORK PROTOCOLS MAP (from protocol.com website)


TCP/IP NETWORK PROTOCOLS MAP (from RADCOM website)
(Attached PDF file, available from RADCOM at www.radcom.com)

WELL-KNOWN SERVICES AND PORTS

Service          Port(s)                                     Service             Port(s)
FTP              21 (data 20), FTPS 990 (data 989)           NTP                 123
SSH              22                                          IMAP                143, IMAPS 993 (220 : obsolete IMAP3)
telnet           23, telnets 992                             SNMP                161, 162 (traps)
SMTP             25, submission 587, SMTPS 465               LDAP                389, LDAPS 636
DNS              53                                          LPD                 515
DHCP (BOOTP)     67 (server), 68 (client)                    NFS                 2049, 4045/udp (Solaris lockd)
TFTP             69                                          X11                 6000-6063
HTTP(S)          80, 443                                     SMB                 445
Kerberos         88, 749 (kadmin), 750 (Kerberos IV)         AD global catalog   3268, 3269
POP-3            110, POP3S 995
RPC portmapper   111


TCP/IP SECURITY WEAKNESSES - 1

• TCP/IP by itself leads to an insecure network
• No IP source authentication ; no encrypted headers or content ; flooding is easy
• SMTP : no authentication of the source mail address
• Ping flood
• Source routing is an IP spoofing technique
• Dynamic IP address : do not use it on systems that share resources (NFS, Samba) or provide network services (DNS, DHCP, mail server)

• IP provides a connectionless service ; it routes and sends a datagram ; no sequence guarantee ; option fields for source routing and record route ; no encryption ; no authentication

• TCP, on top of IP, provides a connection-oriented service, with delivery and in-sequence guarantees (sequence numbers, 3-way handshake, timers, see TCP state machine)


TCP/IP SECURITY WEAKNESSES - 2

• TCP sequence number (32 bits) – counts the bytes exchanged – used to check delivery and ordering. Each side has its own ; the Initial Sequence Number (ISN) should be unpredictable so that segments from old or other connections (or from an attacker) are not accepted ; the receiver window, relative to the acknowledged sequence number, controls the flow

• 3-way handshake : SYN, SYN+ACK, ACK ; release : FIN, FIN+ACK, ACK
• Timers :
Connection establishment timer (75 s)
TIME_WAIT interval timer (120 s, 2 MSL) – lets segments still in transit expire
For example, KEEP_ALIVE timer (3600 s) – can stall the TCP state machine

• Flaws leading to DoS : simultaneous open (no timer at SYN_RCVD, stalled) ; SYN+FIN leads to CLOSE_WAIT (no timer either, stalled)

• SYN flooding leading to DoS due to a full listen queue of half-open connections (connection timer is 75 s) ; mitigation on Linux : net.ipv4.tcp_syncookies = 1 (SYN cookies) and a larger net.ipv4.tcp_max_syn_backlog


TCP/IP SECURITY WEAKNESSES - 3

• IP spoofing : an attacker takes another host's IP address (no control by the server), but with 2 catches : the attacker does not see the responses (*) (they are sent to the regular host) and must guess the ISN or the next sequence number (**) (after authentication for example)
(*) Source routing may be used to get the responses back (even though mostly blocked today)
(**) Sequence guessing can be done because the ISN is not so random (old stacks incremented it by a constant)

• Connection hijacking – man-in-the-middle attack exploiting a ‘desynchronized state’ (forcing a host to reject packets whose sequence number falls inside its window because it has already accepted the attacker's forged ones)

• ICMP :
By sending forged Time Exceeded or Destination Unreachable to both parties (DoS)
By sending Echo Request to multicast or broadcast addresses (DoS)
By sending Redirect to one of the ends to take control of the connection (spoofing)
These attacks are usually done from the local network

• DNS : if the attacked network trusts domain names, the attacker can map the IP address of its host to belong to the domain. Reverse mapping (plus a forward check of the returned name) is done to avoid such an attack
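The (**) guess above, as an added example that is not part of the original slides: a toy TCP listener whose ISN source is either the old BSD-style constant increment or a random generator, and a blind-spoofing routine that samples ISNs from its own connections, infers the step and completes a handshake it never sees the SYN+ACK of. Host names, ports and the 64000 step are constructed for the example; the model leaves out the flooding of the trusted host that the real attack needs so that it cannot reset the forged connection.

```python
"""Blind IP spoofing against predictable versus random ISNs (added example, toy listener model)."""
import random

MOD = 2 ** 32


def bsd_style_isn(step=64000):
    """Old BSD stacks bumped the ISN by a fixed amount per connection: trivially predictable."""
    state = {"isn": 0x1A2B3C4D}

    def next_isn():
        state["isn"] = (state["isn"] + step) % MOD
        return state["isn"]
    return next_isn


def random_isn(seed=7):
    """Unpredictable ISNs; the fixed seed only keeps the example repeatable."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)


class TcpListener:
    """Just enough of the server side of the 3-way handshake to show what a spoofer must guess."""
    def __init__(self, isn_source):
        self.isn_source = isn_source
        self.half_open = {}          # (src, sport) -> ISN we sent in our SYN+ACK

    def syn(self, src, sport):
        isn = self.isn_source()
        self.half_open[(src, sport)] = isn
        return isn                   # carried in the SYN+ACK to src; a spoofer never sees it

    def ack(self, src, sport, ack_num):
        """Final ACK: accepted only if it acknowledges our ISN + 1."""
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack_num == (isn + 1) % MOD


def blind_spoof(target, trusted_src, samples=4):
    """Sample ISNs from our own connections, infer the step, then finish a handshake as trusted_src."""
    seen = [target.syn("attacker", 40000 + i) for i in range(samples)]
    for i in range(samples):                           # close our own probes cleanly
        target.ack("attacker", 40000 + i, (seen[i] + 1) % MOD)
    steps = {(b - a) % MOD for a, b in zip(seen, seen[1:])}
    if len(steps) != 1:                                # no constant increment: nothing to predict
        return {"predictable": False, "spoofed_connection": False}
    guess = (seen[-1] + steps.pop()) % MOD
    # Real attack: the trusted host is SYN-flooded first so it cannot RST the unexpected SYN+ACK.
    target.syn(trusted_src, 1023)                      # SYN with spoofed source; reply goes elsewhere
    return {"predictable": True, "spoofed_connection": target.ack(trusted_src, 1023, (guess + 1) % MOD)}


if __name__ == "__main__":
    print(blind_spoof(TcpListener(bsd_style_isn()), "trusted-host"))
    print(blind_spoof(TcpListener(random_isn()), "trusted-host"))
```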


NETWORKING COMMANDS

• hostname (nodename)
• ifconfig
• ping
• arp [-n] [-a] ...
• netstat [-rn] ...
• route [add | del] ...
• traceroute
• nslookup, dig
• lsof [-i]


(LINUX) NETWORKING FILES

• /etc/hosts # Hostname resolution
• /etc/inetd.conf (/etc/xinetd.conf, /etc/xinetd.d/) # (x)inetd services
• /etc/services # Service port resolution
• /etc/securetty # TTYs on which root may log in
• /etc/hosts.equiv # R* services
• ~/.rhosts # R* services
• /etc/hosts.allow, /etc/hosts.deny # TcpWrappers
• /etc/resolv.conf # Name servers declaration
• /etc/nsswitch.conf # Name services resolution methods
• /etc/sysconfig/network-scripts/ # Ethernet config
• /etc/sysconfig/network # Hostname, GW, options
• /etc/networks # Network name resolution
• /etc/protocols # Protocol name resolution


INETD AND XINETD

• Extended Internet services daemon
• A single daemon that waits for incoming connections for a number of other services and starts the corresponding server (echo, telnet, FTP, r* services… most are standard and/or well-known Unix services – but not all)
• Process : inetd or xinetd (reminder : kill –HUP to reload the configuration)
• Startup for xinetd : /etc/init.d/xinetd
• Logs through syslog – but configurable
• Old-style configuration (inetd) : /etc/inetd.conf (reminder : /etc/services)
• Configuration (xinetd) in : /etc/xinetd.conf and /etc/xinetd.d/* (one config file per service)
• Even though (x)inetd is a mandatory service (think about installing embedded servers with no SSH package installed yet), the services it controls are more and more disabled for security reasons…
• … why ? For example, telnet and FTP send clear-text passwords !
• Other : installation with core, verbose mode


REMINDER : TELNET, (T)FTP, R* SERVICES

• Started by the (x)inetd server
• Reminder, telnet : useful for tests (not only on port 23) : # telnet host [port]
• TFTP : used for X terminals startup : no authentication at all
• telnet, FTP : security problem with clear-text passwords shown…
• R* services
Commands : rlogin, rsh, rcp, ruptime, rwho
Configuration : /etc/hosts.equiv , ~/.rhosts
Syntax : user@host
Authentication is done without password if the remote side succeeded (handy for rcp)
But security problem : if one listed host is insecure, the local host is insecure ! This is because with the r* services authentication scheme, local authentication is based on the remote one (and on the source address and hostname, both spoofable).

So use rsync over SSH for file transfer, or better SSH/SFTP for everything.


TCPWRAPPERS

• Package that secures connections to given well-known services – those handled by (x)inetd for sure, but others too (SSH)…

• …which ones ? Those linked against libwrap. For sshd, for example :
# strings –f /usr/sbin/sshd | grep hosts_access
/usr/sbin/sshd: hosts_access (YES ! If no line is returned, no)
or, for a dynamically linked binary : ldd /usr/sbin/sshd | grep libwrap

• TcpWrappers is transparently inserted between the network and the service ; it adds access control and logging

• Binary : tcpd – but not a daemon (invoked at each connection). This is why no service has to be restarted after a configuration change

• Configuration files : /etc/hosts.allow , /etc/hosts.deny – hosts.allow is evaluated first, then hosts.deny ; no match in either file means access is granted, so end hosts.deny with ALL : ALL

• Syntax of configuration lines :
service_list : host_list [ : shell_command (e.g. to log) ]
host_list may be a hostname, a list, an IP address or network, a keyword (ALL, LOCAL) – but never use EXCEPT as shown in the documentation
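The syntax above, as an added example that is not part of the original slides: a small Python implementation of the hosts_access(5) client patterns (ALL, LOCAL, leading-dot domain suffix, trailing-dot network prefix, net/mask, exact address or name) and of the order tcpd applies, hosts.allow first, then hosts.deny, then grant. The rule files, daemon names and client addresses are constructed for the example; EXCEPT, KNOWN/UNKNOWN and IPv6 patterns are not implemented. The last case in the test shows why LOCAL is only as trustworthy as the reverse DNS answer it is matched against.

```python
"""hosts.allow / hosts.deny evaluation the way tcpd does it (added example, subset of hosts_access(5))."""
import ipaddress

# Constructed rule files for the example (not the page's own configuration).
HOSTS_ALLOW = """\
# daemon_list : client_list [ : shell_command ]
sshd : 192.168.10.0/255.255.255.0 LOCAL
in.telnetd : 192.168.10.
ALL : .corp.example
"""
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Yield (daemons, clients, command) per rule line; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        rules.append((parts[0].split(), parts[1].split(), parts[2] if len(parts) > 2 else None))
    return rules


def client_matches(pattern, client_ip, client_host):
    """Client patterns from hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # any name without a dot: depends entirely on reverse DNS
        return "." not in client_host
    if pattern.startswith("."):            # domain suffix
        return client_host.endswith(pattern)
    if pattern.endswith("."):              # dotted-decimal prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                     # net/mask
        try:
            return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (client_ip, client_host)


def hosts_access(daemon, client_ip, client_host, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """First match in hosts.allow grants, else first match in hosts.deny refuses, else access is granted."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, _command in parse_rules(text):
            daemon_ok = daemon in daemons or "ALL" in daemons
            if daemon_ok and any(client_matches(c, client_ip, client_host) for c in clients):
                return verdict
    return "allow"


if __name__ == "__main__":
    for args in (("sshd", "192.168.10.5", "ws5.corp.example"), ("sshd", "10.0.0.9", "attacker.example.org"),
                 ("in.telnetd", "192.168.10.77", "x11term"), ("sshd", "10.2.2.2", "laptop")):
        print(args, "->", hosts_access(*args))
```

The fourth case is the one to remember: 10.2.2.2 is outside every network in hosts.allow, but because its reverse lookup returns the dotless name "laptop", the LOCAL keyword lets it through. Anyone who controls the reverse zone for an address range controls that decision, which is why the slides insist on forward-confirmed reverse resolution.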


TELNET CONNECTION EXAMPLE

For example, steps to debug a telnet-over-xinetd connection :
• Check the actual status of the xinetd service : /etc/init.d/xinetd status – must be up and running (or ps –ef | grep inet)
• Check the telnet service : must be enabled either in /etc/xinetd.conf or in the /etc/xinetd.d/telnet configuration file : disable = no
• Check local connection : telnet localhost
• Check the local firewall if any : TCP port 23 must be open
• Check the TcpWrappers configuration : in.telnetd must be allowed – at least for the client used to connect or the network it belongs to – possibly for ALL during testing (and restricted again afterwards)
• Check /var/log/messages anyway…
• For security reasons – against spoofing – the telnet server (FTP too) always tries a reverse resolution of hostnames, so local and remote addresses should be ‘resolvable’ (in our test case, set in /etc/hosts because no DNS is available – see /etc/nsswitch.conf)
• Check reboot : chkconfig must show the service is on – for next reboot


TCP STATE MACHINE


PORT SCANNING INTRO

TCP ports scanning
• Normal handshake, port open : SYN, SYN+ACK, ACK
Normal handshake, port closed : SYN, RST+ACK
(note : this is logged by the application !)
• Half-open SYN scan, port open : SYN, SYN+ACK, RST
Half-open SYN scan, port closed : SYN, RST+ACK
(note : this may not be logged by the application… but a firewall or IDS usually does)
• Anyhow, some systems (FW) will think about SYN flooding. So nmap can be used with the –T option to slow down the flood
• Probe = TCP packet with an unusual flag combination (i.e. “FIN” probe with only FIN set, “XMAS” probe with FIN, URG and PUSH set, “NULL” probe with no flag set)
Stealth TCP scan, port open : TCP probe, no response (RFC 793 says a listening port silently drops it, so open and filtered cannot be told apart)
Stealth TCP scan, port closed : TCP probe, RST+ACK
(notes : also named inverse TCP flag scan ; Windows does not follow the standard and sends a RST from every port, open or closed, so all ports look closed ; nmap uses one option per kind of probe : –sF, –sX, –sN)
• Some other techniques : analysis of the reply to an ACK probe, TTL field, window field

UDP ports scanning
• UDP probe, port open : UDP probe, no response (or a UDP answer)
UDP probe, port closed : UDP probe, ICMP destination port unreachable
(note : nmap option –sU)
• Using specific UDP service clients to test a server – not realistic for a large number of ports


NMAP INTRO – 1

• “The bad guys are already using nmap for reconnaissance, because a single scan can tell you a lot about the open doors and windows in a computer’s house. The good guys are using nmap to make their network safer.” – James Messer (Secrets of Network Cartography)

• Nmap = Network Mapper – it is a port scanner
Detects open ports, offered services and the OS fingerprint of remote computer(s)
Uses analysis techniques based on TCP, IP, UDP and ICMP
Guesses the OS from the fingerprint of answers to specific forged queries
Open source, created by ‘Fyodor’ and distributed by Insecure.org

• Warning : Nmap can be seen as an intrusion attempt
Scans are detected by an IDS – Intrusion Detection System such as Prelude

• Tests can be done with scanme.nmap.org


NMAP INTRO – 2

• Available open source frontends :nmapFE or zenmap

• Port states reported by nmap :
Open             TCP connections or UDP packets accepted
Closed           Accessible (with an answer) but no application listening on that port
Filtered         Nmap can’t say because the request is dropped before reaching the port (firewall)
Unfiltered       Port is accessible but Nmap can’t say if open or closed
Open|Filtered    Nmap can’t say if open or filtered
Closed|Filtered  Nmap can’t say if closed or filtered


MAIN PORTS SCANNING TECHNIQUES – NMAP CORRESPONDENCE - 1

Kind            Nmap option   Port      Protocol exchange (1)        Comments
TCP SYN         -sS           Closed    SYN, RST                     TCP session not created, not logged by the application. Most used method.
                              Open      SYN, SYN+ACK, RST
TCP Connect()   -sT           Closed    SYN, RST                     TCP connection established. The application logs it.
                              Open      SYN, SYN+ACK, ACK - RST
TCP FIN         -sF           Closed    FIN, RST                     Extremely quiet (a single packet to detect open, 2 to detect closed). No answer means open or filtered.
                              Open      FIN                          Not applicable to Windows : all ports seem closed !
Xmas tree       -sX           Closed    FIN+URG+PUSH, RST            Same remarks as FIN.
                              Open      FIN+URG+PUSH
Null scan       -sN           Closed    <all-flags-0>, RST           Same remarks as FIN.
                              Open      <all-flags-0>
Services        -sV           Should be open !   At TCP level uses at least TCP SYN, then an application-specific exchange   Only for TCP or UDP scans. Very intrusive. High number of packets exchanged. Based on the nmap-service-probes file definitions – not always reliable and should be constantly updated.

(1) Protocol exchange is coded as follows : a plus sign stands for a given set of flags in a given packet, a comma stands for the next party's packet (nmap or target) and a minus sign for another packet from the same party. For example, SYN, SYN+ACK, ACK - RST means that nmap sends a SYN packet, then the target replies with a packet with the SYN and ACK flags set, then nmap sends successively an ACK packet and a RST packet.
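The port states in this table and in the PORT SCANNING INTRO slide, as an added example that is neither the slides' nor nmap's code: port_state() encodes what nmap infers from each reply, and detect_scans() runs the defender's side of the same table over a packet trace, flagging a source that leaves many connections half-open or sends FIN/Xmas/Null probes to many ports. The trace, addresses, ports and the alert threshold are constructed for the example.

```python
"""Port-state inference (attacker side) and a SYN/FIN/Xmas/Null scan detector (defender side). Added example."""
from collections import defaultdict


def port_state(scan, response):
    """State nmap infers from the target's reply. response is one of 'SYN+ACK', 'RST', 'UDP',
    'ICMP-port-unreach', 'ICMP-unreach-other' or 'none'."""
    if scan in ("SYN", "connect"):
        table = {"SYN+ACK": "open", "RST": "closed", "none": "filtered"}
    elif scan in ("FIN", "Xmas", "Null"):
        table = {"RST": "closed", "none": "open|filtered"}      # silence is ambiguous by design (RFC 793)
    elif scan == "UDP":
        table = {"UDP": "open", "ICMP-port-unreach": "closed", "none": "open|filtered"}
    else:
        raise ValueError("unknown scan type: %s" % scan)
    return table.get(response, "filtered")                        # any other ICMP unreachable: a filter answered


# tcpdump-style flag letters for the probes of the table; '' is the Null probe (no flag at all)
PROBE_NAMES = {"F": "FIN", "FPU": "Xmas", "": "Null"}

# Constructed trace as (src, dst, dport, tcp_flags) seen on the target's interface.
TRACE = (
    [("10.0.0.9", "192.168.10.52", p, "S") for p in (21, 22, 23, 25, 80, 110, 143)]   # SYN scan, never ACKed
    + [("192.168.10.2", "192.168.10.52", 22, "S"), ("192.168.10.2", "192.168.10.52", 22, "A")]  # real client
    + [("10.0.0.9", "192.168.10.52", p, "FPU") for p in (21, 22, 23, 25, 80, 443)]     # Xmas probes
    + [("10.0.0.9", "192.168.10.52", 8080, "")]                                         # a lone Null probe
)


def detect_scans(packets, threshold=5):
    """Per (src, dst): count SYNs with no third-packet ACK, and FIN/Xmas/Null probes, against a threshold."""
    syn_ports, acked_ports = defaultdict(set), defaultdict(set)
    probes = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flags in packets:
        key = (src, dst)
        if flags == "S":
            syn_ports[key].add(dport)
        elif flags == "A":
            acked_ports[key].add(dport)                 # third packet of a genuine handshake
        elif flags in PROBE_NAMES:
            probes[key][PROBE_NAMES[flags]] += 1
    alerts = []
    for key, ports in syn_ports.items():
        half_open = ports - acked_ports[key]
        if len(half_open) >= threshold:
            alerts.append({"src": key[0], "dst": key[1], "kind": "SYN scan", "ports": len(half_open)})
    for key, counts in probes.items():
        for kind, n in counts.items():
            if n >= threshold:
                alerts.append({"src": key[0], "dst": key[1], "kind": kind + " scan", "ports": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(TRACE):
        print(alert)
```

A connect() scan (-sT) completes the handshake and so is not caught by the half-open rule, which is consistent with the table: that scan is the one the application itself logs.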


MAIN PORTS SCANNING TECHNIQUES – NMAP CORRESPONDENCE - 2

Kind          Nmap option   Port           Protocol exchange (1)               Comments
UDP           -sU           Closed         UDP empty, ICMP port unreachable    Many problems : the target may send back neither UDP nor ICMP, and ICMP error rate limiting makes it slow.
                            Open           UDP empty, any UDP
                            Open|Filtered  UDP empty, no response
                            Filtered       UDP empty, other ICMP unreachable
TCP ACK       -sA           -              TCP exchange variation              Tells filtered from unfiltered, not open from closed
TCP Window    -sW           -              TCP exchange variation
TCP Maimon    -sM           -              TCP exchange variation
IP            -sO           -              Tries protocol numbers in the IP protocol field instead of TCP or UDP ports
FTP bounce    -b            -              Based on the FTP proxying capability (PORT command : a server can send data to any other host). This can be used to make an inside FTP server scan the ports of another target host – which is not possible from outside the network. (2)

(1) Same coding convention as on the previous slide.
(2) A classic attack was to send a forged PORT command to an FTP server, which would open back to the client a TCP connection through a stateful firewall by adding a state rule on the given port.


NMAP OPTIONS – 1

Kind              Options                       Description
Host discovery    -sL                           List scan – list targets (no packet sent)
                  -sP                           Ping scan
                  -P0 / -PN                     No host discovery
                  -PS/PA/PU [ports]             TCP SYN/ACK or UDP discovery
                  -PE/PP/PM                     ICMP echo/timestamp/netmask discovery
                  -PO [protocol]                IP protocol ping
                  -n / -R                       No DNS resolution / always resolve
                  --system-dns                  Use the system resolver
Scan technique    -sS/sT/sA/sW/sM               TCP SYN/Connect()/ACK/Window/Maimon
                  -sN/sF/sX                     TCP Null, FIN, Xmas
                  -sU                           UDP
                  --scanflags <flags>           TCP flags customization
                  -sI <zombie>                  Idle scan
                  -sO                           IP protocol scan
                  -b <FTP-relay>                FTP bounce attack
                  --traceroute                  Traceroute to hosts
                  --reason                      Explain each port status


NMAP OPTIONS – 2

Kind            Options                                  Description
Order           -p <ports-range>                         Ports range to scan
                -r                                       Sequential port number scan (instead of random order)
Detection       -sV                                      Probe open ports to detect service and version
                --version-light                          Fast detection with minimal probes
                --version-all                            All probes
                --version-trace                          Debug information on version probes
                -O                                       OS detection
                --osscan-limit                           Only against hosts with at least one open and one closed port
                --osscan-guess                           More aggressive guessing
Timing policy   -T[0-5]                                  Level of policy (0 – paranoid, 5 – insane)
                --{min|max}-hostgroup <n>                Size of host groups scanned in parallel
                --{min|max}-parallelism <n>              Number of probes in parallel
                --{min|max|initial}-rtt-timeout <ms>     Probe round-trip timeout
                --max-retries <tries>                    Number of retransmissions
                --[max-]scan-delay <time>                Delay between probes
IPv6            -6                                       IPv6 activation


NMAP OPTIONS – 3

Kind                       Options                           Description
Firewall, IDS, spoofing    -f / --mtu <mtu>                  Packet fragmentation… / …with this MTU value
                           -D <decoy1,decoy2,[ME],...>       Decoy scan
                           -S <IP>                           Spoof the IP source…
                           -e <if>                           …and send from this interface
                           -g / --source-port <port>         Set the source port to this value
                           --data-length <len>               Append random data to packets
                           --ip-options <options>            Set IP options
                           --ttl <ttl>                       Set TTL
                           --spoof-mac <MAC>                 Spoof the MAC address
                           --badsum                          Send packets with a bogus checksum
Output                     -oN/oX/oS/oG <file>               Output format normal/XML/script kiddie/grepable
                           -v                                More verbose
                           -d[level]                         Debug level (from 0 to 9)
                           --packet-trace                    Trace packets
                           --iflist                          List interfaces and routes


NAME RESOLUTION AND ROUTING

Name resolution
• /etc/hosts – static name resolution (possibly distributed by NIS, but to be avoided)
• /etc/resolv.conf – domain definition and name servers location (removing it deactivates DNS resolution)
• /etc/host.conf – resolver options (order, nospoof) ; /etc/nsswitch.conf – name services switch

Routing
• On a LAN (hubs, switches) no routing is necessary
• On small networks, static routes may be necessary
• On large networks (WAN), dynamic routing is handled by the routed and gated daemons (support of RIP, OSPF, BGP, EGP)
• On Linux, static routes may be defined in /etc/sysconfig/static-routes


TCP/IP STACK (AND KERNEL) TUNING

Parameter                                    Default   Meaning
net.ipv4.ip_forward                          0         IP forwarding (must stay 0 on a host that is not a router)
net.ipv4.conf.all.rp_filter                  1         Reverse path filtering (drop packets whose source is not reachable through the receiving interface)
net.ipv4.conf.all.accept_source_route        0         Source-routed packets
net.ipv4.icmp_echo_ignore_broadcasts         1         Ignore echo requests sent to a broadcast address (smurf amplification)
net.ipv4.conf.all.accept_redirects           0         ICMP redirects
net.ipv4.icmp_ratelimit                      1000      ICMP error rate limit (ms between messages of the types selected by icmp_ratemask)
. . .

Notes :
net.ipv4.conf.default.something : default value applied to newly created interfaces
net.ipv4.conf.all.something : value combined with the per-interface one, for all interfaces
net.ipv4.conf.eth0.something : value for this interface
Setting all.* without default.* leaves interfaces created later at their built-in value.

TCP/IP (kernel) tuning should be used with care BUT is essential to security, especially on front-end servers (web servers). This is usually a setting to be done, or to be checked against the security policy, before production.

Static configuration : /etc/sysctl.conf (loaded at boot, or with sysctl –p)
Dynamic configuration : sysctl –a (to list) , sysctl –w parameter="value" (to set)
Last note : this is OS specific (for Solaris, the sysdef, adb, ndd commands and similar parameters with a different naming scheme)
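The table and notes above, as an added example that is not code from the slides: a policy audit that parses a 'sysctl -a' excerpt, reports every parameter that differs from the hardening values, and computes the value that actually applies to an interface. The last point matters because the kernel combines conf.all.X with conf.<if>.X rather than letting 'all' override: max for rp_filter, AND for accept_source_route, and OR for accept_redirects on a host that does not forward (from the kernel's ip-sysctl documentation). The dump is constructed, and the policy entries beyond the slide's table (tcp_syncookies, the default.* entries) are this example's own choices.

```python
"""Audit a sysctl dump against hardening values and compute per-interface effective values (added example)."""
import re

# Policy: the slide's parameters, the matching default.* entries so new interfaces inherit them,
# and SYN cookies (an assumption of this example, not a value from the slide).
POLICY = {
    "net.ipv4.ip_forward": 0,
    "net.ipv4.conf.all.rp_filter": 1,
    "net.ipv4.conf.default.rp_filter": 1,
    "net.ipv4.conf.all.accept_source_route": 0,
    "net.ipv4.conf.default.accept_source_route": 0,
    "net.ipv4.conf.all.accept_redirects": 0,
    "net.ipv4.conf.default.accept_redirects": 0,
    "net.ipv4.icmp_echo_ignore_broadcasts": 1,
    "net.ipv4.tcp_syncookies": 1,
}

# Constructed 'sysctl -a' excerpt from a host that was only partly hardened.
SAMPLE_DUMP = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ratelimit = 1000
net.ipv4.tcp_syncookies = 0
"""

# How the kernel combines conf.all.X with conf.<if>.X on a non-forwarding host: min is AND, max is OR.
COMBINE = {"rp_filter": max, "accept_source_route": min, "accept_redirects": max}


def parse_dump(text):
    """'key = value' lines into a dict of strings; unknown lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit(values, policy=POLICY):
    """[(key, expected, actual)] for every policy entry that is missing or different."""
    return [(k, v, values.get(k)) for k, v in policy.items() if values.get(k) != str(v)]


def effective(values, knob, iface):
    """Value really applied on iface: the 'all' and per-interface entries are combined, not overridden."""
    all_v = int(values.get("net.ipv4.conf.all.%s" % knob, 0))
    if_v = int(values.get("net.ipv4.conf.%s.%s" % (iface, knob), 0))
    return COMBINE[knob](all_v, if_v)


def render_sysctl_conf(policy=POLICY):
    """Text for /etc/sysctl.conf; apply with 'sysctl -p' and re-run audit() on a fresh dump."""
    return "".join("%s = %s\n" % (k, v) for k, v in policy.items())


if __name__ == "__main__":
    current = parse_dump(SAMPLE_DUMP)
    for key, expected, actual in audit(current):
        print("MISMATCH %s: expected %s, found %s" % (key, expected, actual))
    print("accept_redirects effective on eth0:", effective(current, "accept_redirects", "eth0"))
    print(render_sysctl_conf(), end="")
```

Note the eth0 result: all.accept_redirects is 0 as the table requires, yet the interface still accepts redirects because its own entry is 1 and the two are OR-ed on a host with forwarding disabled. An audit that only looks at the all.* keys reports this host as compliant.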


TOOL: WIRESHARK - 1

• Other well-known tool : tcpdump (we’ll see it later)
• Wireshark can import tcpdump dump files and snoop (Sun) dump files
• Open-source and modular design – you can add your own dissector
• Related to sniffing, but many other obscure tools are used in real life by attackers
• Promiscuous mode – i.e. listens to all frames on the LAN (libpcap needed – WinPcap for the Windows environment)
• Can be used in text mode without GUI – but not recommended (on the command line use tcpdump instead, with the –w option to write a capture file that Wireshark can open)
• Configurable columns (Edit, Preferences)
• Filtering : when capturing (BPF syntax, lots of options) or viewing (display filter syntax, also…) – can work as a ring buffer with triggers
• Important options :
Resolutions : MAC, network, transport – network (DNS) resolution should be avoided as it creates new traffic
Fragmented IP – reassembled by default but configurable (Edit, Preferences, IP protocol options)
Analyze, Follow TCP stream : useful to present a TCP session in one window
• Rich statistics options
• Rich export and presentation options


TOOL: WIRESHARK - 2

FIELD               TYPE                MEANING
ip.addr             IPv4 address        Source or destination IP address
ip.dst              IPv4 address        Destination IP address
ip.flags.df         Boolean             Don’t fragment flag
ip.ttl              Unsigned integer    Time to live
http.request        Boolean             HTTP request
icmp.type           Unsigned integer    ICMP message type
ftp.response.data   Character string    FTP data
dns.response        Boolean             DNS response

FILTER                                         MEANING
ip.addr == 192.168.10.2                        All packets coming from or going to host 192.168.10.2
(ip.addr == 192.168.10.2) && (dns.response)    All packets coming from or going to host 192.168.10.2 which are DNS responses


TOOL: WIRESHARK - 3 (ANSWER TO THE QUESTION ABOUT RING BUFFER CAPTURE)

• Define a filter – not so easy sometimes, so it should be tried first with preliminary tests. Note the two syntaxes : the fields below are display-filter syntax (viewing) ; a capture filter uses the BPF syntax of tcpdump (e.g. icmp and dst host 209.85.229.103)
Example – not useful but for the concept : among all traffic, you want to catch the ICMP request with TTL 3 (we will trigger it with traceroute to www.google.com) and its response :
icmp.type == 8 – ICMP echo request
icmp.type == 11 – ICMP TTL exceeded
ip.ttl == 3 – TTL at 3
IP of www.google.com is 209.85.229.103
So a display filter could be :
(ip.dst == 209.85.229.103 && icmp.type == 8 && ip.ttl == 3) || (icmp.type == 11 && ip.dst == 209.85.229.103)
(the second part matches the Time Exceeded reply through the copy of the original IP header it carries ; the reply's own TTL is whatever the router set, so ip.ttl == 3 must not be applied to it)


DATA SECURITY

• RAID
• LVM
• BACKUP
• NAS / SAN


DATA SECURITY

• Software installed : the less installed, the fewer security holes – the idea is to reduce the attack surface

• Journaled file systems – based on transactions, a brutal power shutdown should leave the file system consistent

• RAID

• As a reminder, commands and file to know (on all OS) : mount, umount, /etc/fstab

• From a security point of view, external (system) shares should usually be mounted read-only (and with nosuid, nodev where possible)


RAID - 1

• RAID : Redundant Array of Independent/Inexpensive Disks
• RAID is a way to aggregate multiple block resources to give a unified storage view to the user – in simple words, aggregate physical hard disks into virtual ones from the system's perspective

• RAID may be implemented :
- in hardware – RAID controllers – preferred method
- in system software – low cost but lower performance and reliability

• To be really redundant, each physical disk or disk group must have its own disk controller – especially if implemented in software

• But also multiple access paths (multipath), multiple power supplies… – weakest link concept in HA

• Compromise between availability, performance and cost


RAID - 2

• RAID 0 : blocks are striped over disks – no redundancy
• RAID 1 : mirroring, duplication of blocks – limited write performance
• RAID 5 : striped set with distributed (interleaved) parity – high availability, survives one disk failure
• RAID 10 : or RAID 1 + 0 – striped mirrors

Images : Wikipedia


RAID 1 REAL CASE EXAMPLE

Useful commands are listed – they will be shown during the hands-on (based on a Linux RAID 1 simulation over VirtualBox)

cat /etc/fstab                 File systems table
df –k                          File systems usage
cat /etc/mdadm.conf            RAID configuration
mdadm --detail /dev/md2        RAID details for /dev/md2
cat /proc/mdstat               RAID actual status (1)

An example – very simplified – to detach / re-attach a sub-mirror to its mirror :
/dev/md0 : /boot , /dev/md1 : swap , /dev/md2 : root , largest one /dev/md2 to see the sync
/dev/md0 = (/dev/sda1 + /dev/sdb1) , /dev/md1 = (/dev/sda2 + /dev/sdb2), /dev/md2 = (/dev/sda3 + /dev/sdb3)

mdadm --detail /dev/md2                   # Try to run it at each step...
mdadm /dev/md2 --set-faulty /dev/sdb3     # Must be marked faulty before removal
mdadm /dev/md2 --remove /dev/sdb3         # Remove sub-mirror
#... Here the disk may be changed but other commands are required (2) !
mdadm /dev/md2 --re-add /dev/sdb3         # Re-adding the same sub-mirror
while true; do grep recovery /proc/mdstat; sleep 15; done

(1) This command demonstrates a common usage of the special proc files, which generalizes to other information, try :
cat /proc/meminfo
cat /proc/vmstat – used by the vmstat command

(2) This should be done for all mirrors – commands should be duplicated for /dev/md0 and /dev/md1 (see demo). A replacement disk must first be partitioned like the surviving one (same sizes, partition type "Linux raid autodetect") and, since the array has never seen it, added with mdadm --add rather than --re-add ; --re-add only works for a member whose superblock the array still knows.
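The /proc/mdstat check above, as an added example that is not part of the slides: a parser that turns the file into per-array records, lists the arrays running degraded and reports rebuild progress, so the "while true" loop can become a script with an exit code for monitoring. The mdstat text is constructed to show one healthy mirror, one with a failed member and one rebuilding after a --re-add.

```python
"""Parse /proc/mdstat to spot degraded mirrors and follow a rebuild (added example)."""
import re

# Constructed /proc/mdstat: md0 healthy, md1 with a failed member (F), md2 rebuilding.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md2 : active raid1 sdb3[2] sda3[0]
      36000000 blocks [2/1] [U_]
      [==>..................]  recovery = 12.5% (4500000/36000000) finish=8.2min speed=64000K/sec

md1 : active raid1 sdb2[1](F) sda2[0]
      1048576 blocks [2/1] [U_]

md0 : active raid1 sdb1[1] sda1[0]
      204736 blocks [2/2] [UU]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\w+) (\S+) (.*)$")              # name, state, level, member list
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")               # [configured/active] [UU_]
PROGRESS_RE = re.compile(r"(recovery|resync|reshape|check) = ([\d.]+)%")


def parse_mdstat(text):
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, members = m.groups()
            tokens = members.split()
            current = arrays[name] = {
                "state": state, "level": level,
                "members": [t.split("[")[0] for t in tokens],
                "faulty": [t.split("[")[0] for t in tokens if "(F)" in t],
                "total": None, "active": None, "progress": None,
            }
            continue
        if current is None:
            continue
        s = STATUS_RE.search(line)
        if s:
            current["total"], current["active"] = int(s.group(1)), int(s.group(2))
        p = PROGRESS_RE.search(line)
        if p:
            current["progress"] = (p.group(1), float(p.group(2)))
    return arrays


def degraded_arrays(text):
    """Names of arrays with fewer active members than configured, sorted."""
    arrays = parse_mdstat(text)
    return sorted(n for n, a in arrays.items() if a["active"] is not None and a["active"] < a["total"])


def rebuild_status(text):
    """{array: (operation, percent)} for arrays currently recovering/resyncing."""
    return {n: a["progress"] for n, a in parse_mdstat(text).items() if a["progress"]}


if __name__ == "__main__":
    import sys
    try:
        text = open("/proc/mdstat").read()      # real host; falls back to the constructed sample elsewhere
    except OSError:
        text = SAMPLE_MDSTAT
    print("degraded:", degraded_arrays(text), "rebuilding:", rebuild_status(text))
    sys.exit(1 if degraded_arrays(text) else 0)
```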


(LINUX) LVM

• LVM : Logical Volume Manager (also used on HP-UX) – Sun equivalent, SVM : Solaris Volume Manager
• (Multiple) sets of :
(Multiple) Physical Volumes PV (physical disks, partitions, RAID volumes or SAN units)
Volume Group VG (only one for many PV ‘upward’ and many LV ‘downward’)
(Multiple) Logical Volumes LV (simply partitions on which a FS can be set)
• Main useful feature : hot configuration – creation, extension…


LVM REAL CASE EXAMPLE - 1

One Linux file system with a Linux swap as two LV in the same VG

[root@moscou-fed ~]# cat /etc/fstab
fs_spec                     fs_file    fs_vfstype  fs_mntops         fs_freq  fs_passno
/dev/VolGroup00/LogVol00    /          ext3        defaults          1        1
UUID=46916b32-…-b231142     /boot      ext3        defaults          1        2
tmpfs                       /dev/shm   tmpfs       defaults          0        0
devpts                      /dev/pts   devpts      gid=5,mode=620    0        0
sysfs                       /sys       sysfs       defaults          0        0
proc                        /proc      proc        defaults          0        0
/dev/VolGroup00/LogVol01    swap       swap        defaults          0        0

Boot partition on the first partition of sda, another physical disk partition sdb5 mounted on /media

[root@moscou-fed ~]# df -k
Filesystem                        1K-blocks     Used  Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00    36736600  3032376   33331436   9% /
/dev/sda1                            194442    28192     156211  16% /boot
tmpfs                                370620       76     370544   1% /dev/shm
/dev/sdb5                          19354752   518808   17852768   3% /media

(shm = shared memory, devpts = pseudo-terminals, sysfs = virtual device FS, proc = special files which represent the current state of the kernel – do cat /proc/meminfo for example)


LVM REAL CASE EXAMPLE - 2

Finally, the LVM configuration shows two LV in one VG, itself using only one PV (second partition of sda).

[root@moscou-fed ~]# lvm
lvm> pvs
  PV         VG         Fmt  Attr PSize  PFree
  /dev/sda2  VolGroup00 lvm2 a-   37.06G 32.00M
lvm> vgs
  VG         #PV #LV #SN Attr   VSize  VFree
  VolGroup00   1   2   0 wz--n- 37.06G 32.00M
lvm> lvs
  LV       VG         Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  LogVol00 VolGroup00 -wi-ao 35.59G
  LogVol01 VolGroup00 -wi-ao  1.44G


FILE SYSTEM - TYPES

                          ext2                 ext3       UFS              VxFS                 ZFS                       FAT32                      NTFS
OS                        Linux (Solaris)      Linux      Solaris (Linux)  Solaris (Linux)      Solaris (Mac OS) (Linux)  Windows (Solaris) (Linux)  Windows (Linux)
Vendor                    (Linux)              (Linux)    (BSD)            Veritas              Sun                       Microsoft                  Microsoft
Max file size             2 TB                 2 TB       256 TB           ?                    16 EB                     4 GB                       16 EB
Max volume size           32 TB                32 TB      256 TB           ?                    2^18 EB (256 ZB)          32 GB (Windows format tool limit)  16 EB
ACL                       Yes                  Yes        Yes              Yes                  Yes                       No                         Yes
Journaling                No                   Yes        No               Yes                  Yes (copy-on-write, transactional)  No               Yes
Name in Solaris           ext2fs (with         –          ufs              vxfs                 zfs                       pcfs                       (via NFSv2)
/etc/vfstab               specific packages)
Name in Linux /etc/fstab  ext2                 ext3       ufs              vxfs (xfs is a different file system)  ? (zfs-fuse)   vfat          ntfs

Tera = T = 1000^4 = 10^12 – Exa = E = 1000^6 = 10^18


BACKUP - 1

• Old days : full backup of the system onto tapes (requires a system boot disk of exactly the same release)

• “Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it.” – Linus Torvalds

• Nowadays :
- mirroring of critical data files (on NAS, SAN with hot-swap disks)
- system duplication, clusters (geographically diversified)
- snapshots (different concepts for LVM, virtual machines)

• Strategy is highly dependent on the actual case (front-end or back-end server)

• What is to be backed up – if not everything :
Configuration files (/etc, /usr/local/etc, …)
Data (specific cases of databases : SQL dumps or proprietary ways)


BACKUP – 2 (*)

NAS – Network Attached Storage                          SAN – Storage Area Network
File oriented                                           SCSI block oriented
Based on Ethernet                                       Based on the Fibre Channel protocol
Seamless integration in a server-clients network        Isolated from client access through dedicated server(s)
NFS or SMB/CIFS environment                             Dedicated SCSI servers
Simple architecture and administration                  Complex to deploy and administer

Acronyms :
SCSI : Small Computer System Interface
FC : Fibre Channel
NFS : Network File System (Unix)
SMB : Server Message Block protocol (Windows)
CIFS : Common Internet File System (Windows)

(*) : of course, these technologies are NOT ONLY used for backup, and often serve as application storage or for HA purposes…


BACKUP - 3

Well-known high-level applications on LINUX :
• Amanda 2.6.1 (Jan 2009)
Advanced Maryland Automatic Network Disk Archiver
Uses Samba or native Windows (VSS = Volume Shadow Copy Service) to back up Windows clients
http://www.amanda.org/
• Bacula 2.4.4 (Jan 2009)
Modular architecture (highly developed) : Admin workstation (tray monitor, command console), Backup server (director daemon), Database server (MySQL or else for catalogs), File server (file daemon) and Storage server (connected to the backup device)
http://www.bacula.org/fr/

Well-known high-level applications on Unix (usually large network management suites that include at least a backup module) :
• IBM Tivoli
• HP OpenView
• BMC Patrol


LAB 1 - NTP


NTP - INTRODUCTION

• NTP : Network Time Protocol, for server time synchronization through the network
• Uses the NTP protocol (UDP, port 123) formalized in IETF RFC 1305 (NTPv3 ; ntpd 4.x implements NTPv4)
NTP provides the mechanisms to synchronize time and coordinate time distribution in a large, diverse internet operating at rates from mundane to lightwave.
[antoine@magfed ~]$ cat /etc/services | egrep "^ntp"
ntp 123/tcp
ntp 123/udp # Network Time Protocol

• Stratum concept : …the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level.

• 3 operating modes :
- client/server – the client polls the server
- symmetric active/passive – two peers synchronize each other
- broadcast/multicast – the server pushes time information

• Versions
[root@moscou-fed ~]# ntpq
ntpq> version
ntpq [email protected] Mon Jan 12 14:07:32 UTC 2009 (1)
ntpq> ntpversion
NTP version being claimed is 2


Page 97: Admin+ Sesssion5 Apr11

NTP – PACKAGE - 1

• Package is ntp-4.2.4p6-1.fc10.i386 – binary installation (Yum) :
[root@magfed ~]# rpm -qa | grep -i ntp
ntp-4.2.4p6-1.fc10.i386

• From ntp.org, the current versions are :
Release            Version    Date
Production         4.2.4p6    2009/01/08
Release Candidate  4.2.4p7    2009/03/30
Development        4.2.5p161  2009/03/31

• Update available ? Probably not, but to check…
[root@magfed ~]# yum check-update ntp-4.2.4p6-1.fc10.i386
Loaded plugins: refresh-packagekit
fedora             | 2.8 kB   00:00
updates            | 2.3 kB   00:00
updates/primary_db | 3.1 MB   00:02

• … and to update
[root@magfed ~]# yum update ntp-4.2.4p6-1.fc10.i386


Page 98: Admin+ Sesssion5 Apr11

NTP – PACKAGE - 2


Page 99: Admin+ Sesssion5 Apr11

NTP – COMMANDS - 1

• Start (obvious), stop (obvious), status
[antoine@magfed ~]$ /etc/init.d/ntpd status
ntpd (pid 2122) is running...
[root@moscou-fed ~]# ps -ef | egrep "[U]ID|[n]tp"
UID PID PPID C STIME TTY TIME CMD
ntp 2288 1 0 13:56 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g

• Actual status – you should have seen some problems with VM (?) :
[root@moscou-fed ~]# ntpq -p

remote refid st t when poll reach delay offset jitter

==============================================================================

+farnsworth.1270 131.188.3.223 2 u 336 1024 377 11.417 4.163 0.259

*ns1.azuria.net 193.67.79.202 2 u 901 1024 377 9.586 9.058 1.761

+crush.bmconseil 91.121.20.142 3 u 882 1024 377 9.759 3.963 73.903

Where :
+ denotes symmetric active
* denotes the peer the server is synchronized to
poll : polling interval in seconds
reach : reachability register in octal (377 is the highest value, = 255 in base 10 : the last 8 polls were all answered)
delay, offset and jitter in ms
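Reading the reach register and the tally column by eye does not scale to a fleet of servers. The following shell script is an added example, not part of the course: it parses an "ntpq -p" listing on stdin and prints one verdict per peer, converting the octal reach register to decimal and flagging stratum 16 (unsynchronized) peers such as the ".AUTH." line shown later in the key-failure slide. The sample listing is constructed from the values on this slide; the function assumes ntpq's usual layout (tally character, then ten columns).

```shell
#!/bin/sh
# Added example (not from the course): turn "ntpq -p" output into a short
# health report. The sample is constructed from the values on the slide plus
# the ".AUTH." line of the key-failure slide; ntpq_peers reads such a listing
# on stdin and prints one line per peer:
#   <tally> <remote> <stratum> <reach as decimal> <verdict>

NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+farnsworth.1270 131.188.3.223    2 u  336 1024  377   11.417    4.163   0.259
*ns1.azuria.net  193.67.79.202    2 u  901 1024  377    9.586    9.058   1.761
+crush.bmconseil 91.121.20.142    3 u  882 1024  377    9.759    3.963  73.903
 192.168.0.1     .AUTH.          16 u    -   64    0    0.000    0.000   0.000'

ntpq_peers() {
    awk '
    NR <= 2 { next }                  # header line and ==== rule
    NF < 10 { next }                  # anything that is not a peer row
    {
        tally = substr($0, 1, 1)      # column 1 is the tally code; blank = not selected
        remote = $1
        if (tally ~ /[*+#o.x-]/) remote = substr($1, 2)
        else tally = "_"
        stratum = $3 + 0
        # reach is an 8-bit shift register printed in octal: 377 = 255 = the
        # last eight polls were all answered
        reach = 0
        for (i = 1; i <= length($7); i++) reach = reach * 8 + substr($7, i, 1)
        if (stratum == 16)      verdict = "unsynchronized refid=" $2
        else if (reach == 255)  verdict = "ok"
        else if (reach == 0)    verdict = "unreachable"
        else                    verdict = "missed-polls"
        if (tally == "*")       verdict = verdict " (system peer)"
        printf "%s %s %d %d %s\n", tally, remote, stratum, reach, verdict
    }'
}

# ntpq_ok_count: number of peers answering every poll; 0 means this host has
# nothing it can synchronize to and deserves an alert
ntpq_ok_count() {
    ntpq_peers | awk '$5 == "ok" { n++ } END { print n + 0 }'
}

printf '%s\n' "$NTPQ_SAMPLE" | ntpq_peers
```

On a live host, `ntpq -p | ntpq_ok_count` gives a single number suitable for a monitoring check; a result of 0 on a server that was synchronized a minute ago usually means a firewall change, a failed key, or an upstream outage.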


Page 100: Admin+ Sesssion5 Apr11

NTP – COMMANDS - 2• ntpq – standard NTP query program

ntpq> help

ntpq commands:

addvars debug lopeers passociations rl associations delay lpassociations passwd rmvars authenticate exit lpeers peers rv cl help mreadlist poll showvars clearvars host mreadvar pstatus timeout clocklist hostnames mrl quit version clockvar keyid mrv raw writelist cooked keytype ntpversion readlist writevar

• ntpdc – special NTP query program

ntpdc> help

ntpdc commands:

addpeer controlkey fudge keytype quit timeout addrefclock ctlstats help listpeers readkeys timerstats addserver debug host loopinfo requestkey traps addtrap delay hostnames memstats reset trustedkey authinfo delrestrict ifreload monlist reslist unconfig broadcast disable ifstats passwd restrict unrestrict clkbug dmpeers iostats peers showpeer untrustedkey clockstat enable kerninfo preset sysinfo version clrtrap exit keyid pstats sysstats


Page 101: Admin+ Sesssion5 Apr11

NTP – CONFIGURATION - 1

# Permit time synchronization with our time source, but do not

# permit the source to query or modify the service on this system.

restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could

# be tightened as well, but to do so would affect some of

# the administrative functions.

restrict 127.0.0.1

restrict -6 ::1

# Hosts on local network are less restricted.

#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Enable public key cryptography.

#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating

# with symmetric key cryptography.

keys /etc/ntp/keys

# Specify the key identifiers which are trusted.

#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.

#requestkey 8

# Specify the key identifier to use with the ntpq utility.

#controlkey 8


Page 102: Admin+ Sesssion5 Apr11

NTP – CONFIGURATION - 2

restrict default ignore

restrict -6 default ignore

restrict 192.168.10.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery

restrict 192.168.2.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery

restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap

restrict 127.0.0.1

restrict -6 ::1

# Enable public key cryptography.

#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating

# with symmetric key cryptography.

keys /etc/ntp/keys

# Specify the key identifiers which are trusted.

#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.

#requestkey 8

# Specify the key identifier to use with the ntpq utility.

#controlkey 8


Page 103: Admin+ Sesssion5 Apr11

NTP – LOG TRACE

• tail -f /var/log/messages | grep ntp
Apr 9 07:32:22 magfed ntpd[2122]: time reset +0.234766 s

Apr 9 07:32:22 magfed ntpd[2122]: kernel time sync status change 0001

Apr 9 07:37:27 magfed ntpd[2122]: synchronized to 91.121.19.179, stratum 2

Apr 9 07:40:36 magfed ntpd[2122]: synchronized to 193.48.168.130, stratum 2

[ STOP HERE ]

Apr 9 07:43:05 magfed ntpd[2122]: ntpd exiting on signal 15

[ START HERE ]

Apr 9 07:43:11 magfed ntpd[2576]: ntpd [email protected] Mon Jan 12 14:07:28 UTC 2009 (1)

Apr 9 07:43:11 magfed ntpd[2577]: precision = 2.585 usec

Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled

Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #1 wildcard, ::#123 Disabled

Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #2 eth0, fe80::a00:27ff:feac:77f7#123 Enabled

Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #3 lo, ::1#123 Enabled

Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #4 lo, 127.0.0.1#123 Enabled

Apr 9 07:43:11 magfed ntpd[2577]: Listening on interface #5 eth0, 192.168.10.4#123 Enabled

Apr 9 07:43:11 magfed ntpd[2577]: Listening on routing socket on fd #22 for interface updates

Apr 9 07:43:11 magfed ntpd[2577]: kernel time sync status 0040

Apr 9 07:43:11 magfed ntpd[2577]: frequency initialized 16.601 PPM from /var/lib/ntp/drift

[ AFTER A WHILE ]

Apr 9 07:47:29 magfed ntpd[2577]: synchronized to 87.98.159.36, stratum 2

Apr 9 07:47:30 magfed ntpd[2577]: time reset +1.073432 s

Apr 9 07:47:30 magfed ntpd[2577]: kernel time sync status change 0001
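The trace above contains the three events worth watching on a production server: clock steps ("time reset"), changes of the synchronization source, and daemon exits. The script below is an added example, not part of the course: it reads syslog lines on stdin, prints those events in a compact form, and tags any step larger than a threshold (0.5 s by default, an arbitrary choice) as LARGE-STEP, since a step of more than a second on a host that was already running ntpd, like the +1.07 s seen above after the restart, is worth a look. The sample lines are constructed from this slide's trace.

```shell
#!/bin/sh
# Added example (not from the course): extract the ntpd events from syslog
# lines like those on the slide and flag clock steps larger than a threshold.
# Sample lines are constructed from the slide's trace.

NTPD_LOG_SAMPLE='Apr  9 07:32:22 magfed ntpd[2122]: time reset +0.234766 s
Apr  9 07:32:22 magfed ntpd[2122]: kernel time sync status change 0001
Apr  9 07:37:27 magfed ntpd[2122]: synchronized to 91.121.19.179, stratum 2
Apr  9 07:43:05 magfed ntpd[2122]: ntpd exiting on signal 15
Apr  9 07:43:11 magfed ntpd[2577]: frequency initialized 16.601 PPM from /var/lib/ntp/drift
Apr  9 07:47:29 magfed ntpd[2577]: synchronized to 87.98.159.36, stratum 2
Apr  9 07:47:30 magfed ntpd[2577]: time reset +1.073432 s'

# ntpd_log_report [THRESHOLD]: reads syslog on stdin and prints
#   <date> <time> step|LARGE-STEP <offset> s        for "time reset" lines
#   <date> <time> sync <server> stratum <n> [(was <previous>)]
#   <date> <time> exit signal <n>
# A step bigger than THRESHOLD seconds (default 0.5) is tagged LARGE-STEP.
ntpd_log_report() {
    awk -v thr="${1:-0.5}" '
    $5 !~ /^ntpd\[/ { next }                 # only ntpd lines
    /time reset/ {
        step = $(NF - 1) + 0
        mag = (step < 0) ? -step : step
        tag = (mag > thr) ? "LARGE-STEP" : "step"
        printf "%s %s %s %s %+.6f s\n", $1, $2, $3, tag, step
        next
    }
    /synchronized to/ {
        src = $8; sub(/,$/, "", src)
        line = sprintf("%s %s %s sync %s stratum %s", $1, $2, $3, src, $10)
        if (prev != "" && prev != src) line = line " (was " prev ")"
        prev = src
        print line
        next
    }
    /exiting on signal/ { printf "%s %s %s exit signal %s\n", $1, $2, $3, $NF }'
}

# ntpd_large_steps [THRESHOLD]: number of LARGE-STEP events in the input
ntpd_large_steps() {
    ntpd_log_report "$@" | awk '$4 == "LARGE-STEP" { n++ } END { print n + 0 }'
}

printf '%s\n' "$NTPD_LOG_SAMPLE" | ntpd_log_report
```

The "(was ...)" suffix makes a source change visible at a glance: a host that silently moves from a known internal server to an unexpected address is the kind of event the restrict and key settings of the following slides are meant to prevent.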


Page 104: Admin+ Sesssion5 Apr11

NTP – NETWORK TRACE - 1

• With tcpdump by refresh of Windows client (Internet time parameters, Update time)

[root@moscou-fed ~]# tcpdump -i eth0 port ntp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

17:18:20.207873 IP 192.168.0.128.ntp > 192.168.0.1.ntp: NTPv3, Client, length 48

17:18:20.208009 IP 192.168.0.1.ntp > 192.168.0.128.ntp: NTPv3, Server, length 48


Page 105: Admin+ Sesssion5 Apr11

NTP – NETWORK TRACE - 2

• Wireshark (capture filter “ntp”), then export of the filtered trace (displayed packets) to text format

No. Time Source Destination Protocol Info _

2337 10.597450 192.168.0.128 192.168.0.1 NTP NTP client

Network Time Protocol

Reference Clock Update Time: Apr 9, 2009 15:18:18.9180 UTC

Originate Time Stamp: NULL

Receive Time Stamp: NULL

Transmit Time Stamp: Apr 9, 2009 15:19:53.9070 UTC

No. Time Source Destination Protocol Info _

2338 10.597562 192.168.0.1 192.168.0.128 NTP NTP server

Network Time Protocol

Flags: 0x1c

00.. .... = Leap Indicator: no warning (0)

..01 1... = Version number: NTP Version 3 (3)

.... .100 = Mode: server (4)

Peer Clock Stratum: secondary reference (3)

Peer Polling Interval: 10 (1024 sec)

Peer Clock Precision: 0.000001 sec

Root Delay: 0.0225 sec

Root Dispersion: 0.0547 sec

Reference Clock ID: 80.65.235.4

Reference Clock Update Time: Apr 9, 2009 15:08:28.7991 UTC

Originate Time Stamp: Apr 9, 2009 15:19:53.9070 UTC

Receive Time Stamp: Apr 9, 2009 15:19:55.2902 UTC

Transmit Time Stamp: Apr 9, 2009 15:19:55.2903 UTC


Page 106: Admin+ Sesssion5 Apr11

NTP – SECURITY - 1

• Own NTP security (access control support, authentication)
• Local firewall (block incoming NTP but allow outgoing traffic to the server, depending on mode – symmetric or multicast)
• Use IP addresses instead of hostnames (general rule)
• Set correct permissions for binaries, configuration files and logs (general rule)
• Secure access to NTP administration commands
• Problem not solved :
[root@moscou-fed ~]# ps -ef | grep ntp
ntp 6511 1 0 21:18 ? 00:00:00 ntpd -I eth0 -u ntp:ntp -p /var/run/ntpd.pid -g
[root@moscou-fed ~]# netstat --inet -a | egrep "Proto|ntp"
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 10.8.0.3:ntp *:* (tun0)
udp 0 0 89-156-6-39.rev.num:ntp *:* (eth1)
udp 0 0 192.168.0.1:ntp *:* (eth0)
udp 0 0 localhost.localdomain:ntp *:* (lo0)
udp 0 0 *:ntp *:*

Even with option -I eth0 added in /etc/sysconfig/ntpd :
OPTIONS="-I eth0 -u ntp:ntp -p /var/run/ntpd.pid -g"


Page 107: Admin+ Sesssion5 Apr11

NTP – SECURITY - 2

• Simple security scheme with :
In /etc/ntp/keys on both client and server :
4 M shf49s
In /etc/ntp.conf on both client and server :
trustedkey 4
In /etc/ntp.conf on client :
server 192.168.0.1 key 4

• If the key is invalid on the client side, for example :
[root@moscou-fed ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
192.168.0.1 .AUTH. 16 u - 64 0 0.000 0.000 0.000
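The restrict lines of the two configuration slides and the key scheme of this one are easy to get subtly wrong (a `restrict default` without `noquery`, a server line without `key`, a key id missing from `trustedkey`, a world-readable keys file). The script below is an added example, not part of the course: it audits an ntp.conf read on stdin and checks the permissions of a keys file. Both sample configurations are constructed; the first follows the slides, the second is deliberately weakened so that every check fires. As for the "problem not solved" of the previous slide, the log trace earlier in this section shows the wildcard sockets as "Disabled": ntpd keeps them open but does not accept packets on them, which is what netstat is listing; an audit of the configuration file cannot see that, so the firewall rule of the same slide remains the control for it.

```shell
#!/bin/sh
# Added example (not from the course): audit an ntp.conf and its keys file for
# the settings the NTP configuration and security slides rely on. The two
# sample configurations below are constructed; the first follows the slides,
# the second is deliberately weakened so that every check has something to report.

NTP_CONF_GOOD='restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
keys /etc/ntp/keys
trustedkey 4
server 192.168.0.1 key 4'

NTP_CONF_WEAK='restrict default nomodify notrap
restrict 127.0.0.1
keys /etc/ntp/keys
trustedkey 4
server 192.168.0.1
server 192.168.0.2 key 8'

# ntp_conf_findings: reads ntp.conf on stdin, prints one line per finding,
# nothing when the file passes. Checks:
#   - "restrict default" (IPv4 and -6) carries nomodify noquery notrap nopeer,
#     unless it is "ignore", which blocks everything;
#   - every server/peer line authenticates its source with "key N";
#   - each key used is listed in "trustedkey".
ntp_conf_findings() {
    awk '
    function missing(fam, list,    n, i, need) {
        n = split(list, need, " ")
        for (i = 1; i <= n; i++)
            if (!(need[i] in flags)) printf "restrict default (%s): missing %s\n", fam, need[i]
    }
    $1 == "restrict" {
        fam = "ipv4"; start = 2
        if ($2 == "-6") { fam = "ipv6"; start = 3 }
        if ($start != "default") next
        seen[fam] = 1
        split("", flags)
        for (i = start + 1; i <= NF; i++) flags[$i] = 1
        if (!("ignore" in flags)) missing(fam, "nomodify noquery notrap nopeer")
    }
    $1 == "trustedkey" { for (i = 2; i <= NF; i++) trusted[$i] = 1 }
    $1 == "server" || $1 == "peer" {
        key = ""
        for (i = 3; i < NF; i++) if ($i == "key") key = $(i + 1)
        if (key == "") printf "%s %s: no key, replies are not authenticated\n", $1, $2
        else keyof[$2] = key
    }
    END {
        if (!("ipv4" in seen)) print "no restrict default line: every IPv4 host gets full access"
        if (!("ipv6" in seen)) print "no restrict -6 default line: every IPv6 host gets full access"
        for (h in keyof)
            if (!(keyof[h] in trusted)) printf "server %s uses key %s, which is not in trustedkey\n", h, keyof[h]
    }'
}

# ntp_keys_perm_check FILE: /etc/ntp/keys holds shared secrets such as the
# "4 M shf49s" line on the slide (M = MD5 key); it must be readable only by
# its owner (mode 600) and owned by root. Prints "ok" or a finding.
ntp_keys_perm_check() {
    perms=$(ls -l "$1" | cut -c1-10)
    case "$perms" in
        -rw-------) echo "ok" ;;
        *) echo "$1 is $perms, expected -rw------- (chmod 600 $1)" ;;
    esac
}

printf '%s\n' "$NTP_CONF_WEAK" | ntp_conf_findings
```

On a real host, run `ntp_conf_findings < /etc/ntp.conf` and `ntp_keys_perm_check /etc/ntp/keys` (ownership by root is not checked by the function and must be verified separately). The ".AUTH." refid with stratum 16 shown on this slide is what the client reports when the key check fails; the trustedkey finding above catches the most common cause before the client is restarted.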


Page 108: Admin+ Sesssion5 Apr11

NTP – SECURITY - 3

No. Time Source Destination Protocol Info _

2148 21.837346 192.168.0.135 192.168.0.1 NTP NTP client

...

Network Time Protocol

...

Reference Clock ID: 192.168.0.1

Reference Clock Update Time: Apr 9, 2009 19:55:06.0316 UTC

Originate Time Stamp: Apr 9, 2009 19:56:10.0764 UTC

Receive Time Stamp: Apr 9, 2009 19:56:10.0317 UTC

Transmit Time Stamp: Apr 9, 2009 19:57:16.0300 UTC

Key ID: 00000004

Message Authentication Code: 931D66E8C3E8DD1E6C0A4A077BB8CA20

No. Time Source Destination Protocol Info _

2149 21.837498 192.168.0.1 192.168.0.135 NTP NTP server

...

Network Time Protocol

...

Reference Clock ID: 88.191.77.246

Reference Clock Update Time: Apr 9, 2009 19:48:48.8906 UTC

Originate Time Stamp: Apr 9, 2009 19:57:16.0300 UTC

Receive Time Stamp: Apr 9, 2009 19:57:16.0719 UTC

Transmit Time Stamp: Apr 9, 2009 19:57:16.0720 UTC

Key ID: 00000004

Message Authentication Code: 1ACB85DBA718FD9843ABD2C2FAFB6BD7


Page 109: Admin+ Sesssion5 Apr11

NTP - REFERENCES

• IETF NTP related RFC :
http://www.ietf.org/rfc/rfc1305.txt?number=1305

• NTP home site :
http://www.ntp.org/

• Public NTP servers list :
http://support.ntp.org/bin/view/Servers/WebHome


Page 110: Admin+ Sesssion5 Apr11

SYSTEM HARDENING

• SECURITY POLICY
• PAM
• CHROOTING
• APACHE CHROOTING EXAMPLE
• KERBEROS


Page 111: Admin+ Sesssion5 Apr11

SECURITY POLICY

• Concept of hardening
• Concept of security policy

• GNU/Linux Fedora – Sécurité, chapter 7
• Unix and Linux Security Checklist v3.0 – AusCERT
http://www.auscert.org.au


Page 112: Admin+ Sesssion5 Apr11

HOW TO SECURE A SYSTEM

• Physical
• Disk : partitioning (/, /boot, /var, /home)
• File system : mount securely (noexec, ro, ...)
• GRUB configuration
• Update software
• Remove or restrict (chmod 700 gcc) installed compilers
• Remove unused packages (rpm -e <package>, but beware of dependencies)
• Disable interactive init startup (/etc/sysconfig/init, PROMPT=no)
• Disable unused services ([x]inetd configuration, /etc/rcX.d, chkconfig, services GUI)
• Define umask in the system profile file
• SELinux => specific to Fedora, we'll see that later on
• Remove unused users (especially guest-type accounts such as nobody – but beware of the actual owners of files !)
• … See chapter 7 of the recommended ENI book

• IT IS ALL ABOUT WHAT HAS BEEN SHOWN FROM START TO END OF THIS COURSE
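The partitioning and mount-option items of this list are the ones most often left half done: the partition exists but is mounted with `defaults`. The script below is an added example, not part of the course: it compares an fstab read on stdin against a small baseline of mount options for the separate partitions the slide names (/boot, /var, /home) plus /tmp. The baseline and the sample fstab are both constructed for this example; the baseline is one common hardening choice, not a list the course gives.

```shell
#!/bin/sh
# Added example (not from the course): check /etc/fstab against a small
# mount-option baseline for the partitions the slide says to separate
# (/boot, /var, /home plus /tmp). Both the baseline and the sample fstab are
# constructed for this example; the baseline is one common choice, not the
# course's own list.

FSTAB_SAMPLE='# device     mount  type   options               dump pass
/dev/sda1    /boot  ext3   defaults              1 2
/dev/sda2    /      ext3   defaults              1 1
/dev/sda3    /var   ext3   defaults              1 2
/dev/sda5    /home  ext3   nodev,nosuid          1 2
tmpfs        /tmp   tmpfs  nodev,nosuid,noexec   0 0'

# mount point followed by the options it must carry
FSTAB_BASELINE='/boot ro,nodev,nosuid,noexec
/var nodev,nosuid
/home nodev,nosuid
/tmp nodev,nosuid,noexec'

# fstab_findings: reads an fstab on stdin and prints one line per option that
# a baselined mount point lacks, plus one line for each baselined mount point
# that is not a separate mount at all. Prints nothing when everything matches.
fstab_findings() {
    awk -v baseline="$FSTAB_BASELINE" '
    BEGIN {
        n = split(baseline, rows, "\n")
        for (i = 1; i <= n; i++) { split(rows[i], p, " "); want[p[1]] = p[2] }
    }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    ($2 in want) {
        seen[$2] = 1
        split("", have)
        m = split($4, opts, ",")
        for (j = 1; j <= m; j++) have[opts[j]] = 1
        m = split(want[$2], need, ",")
        for (j = 1; j <= m; j++)
            if (!(need[j] in have)) printf "%s: missing %s\n", $2, need[j]
    }
    END {
        for (mp in want)
            if (!(mp in seen)) printf "%s: not a separate mount, baseline cannot apply\n", mp
    }'
}

printf '%s\n' "$FSTAB_SAMPLE" | fstab_findings
```

Run it as `fstab_findings < /etc/fstab`; an empty output means every baselined mount point exists and carries its options. Remember that fstab describes the boot-time state only, so `mount` (or /proc/mounts) should be checked the same way on a running host.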


Page 113: Admin+ Sesssion5 Apr11

PAM - 1

• PAM is a configurable mechanism that lets the system authenticate users independently from programs or services
• PAM = Pluggable Authentication Module
• PAM components :
- legacy services – compatible with PAM (login, passwd)
- modules (.so libraries in /lib/security) – perform the authentication-related tasks – development
- main configuration data (in /etc/pam.conf and /etc/pam.d/), per service – probably nothing to do with them except development
- user configuration data (in /etc/security/*.conf), per service – this is where the sysadmin does the setup


Page 114: Admin+ Sesssion5 Apr11

PAM - 2

• Type values
auth : instructs the application to prompt the user for a password
account : performs non-authentication based account management (time, max logged users)
password : updates the authentication token associated with the user
session : does things that need to be done after authentication (logging, mounting directories)

• Control values
sufficient : success of such a module is enough, return success ; if not, continue
requisite : if the module fails to give access, return fail immediately ; if not, continue
required : the module must give access ; on failure the rest of the stack still runs, but the final result is fail
optional : the result of this module is used only if no other module has given a result
include : include the lines of another configuration file


Page 115: Admin+ Sesssion5 Apr11

PAM - 3

#%PAM-1.0
# root can connect as defined in /etc/securetty
auth required pam_securetty.so
# prompt for password (maybe in /etc/shadow) ; empty password authorized
auth required pam_unix.so shadow nullok
# checks if /etc/nologin exists (if so, only root can connect)
auth required pam_nologin.so
# check account permissions (expired password ?)
account required pam_unix.so
# if password expired, ask a new one, check against dictionaries, max 3 times
password required pam_cracklib.so retry=3
# effective change of password – reuses the new password already checked by pam_cracklib (use_authtok)
password required pam_unix.so shadow nullok use_authtok
# log in /var/log/messages
session required pam_unix.so
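A PAM file reads top to bottom, one stack per type, and a single module argument such as `nullok` changes what the whole stack accepts. The script below is an added example, not part of the course: `pam_stack` prints the modules of each type in the order PAM runs them, together with their control value, and `pam_findings` lists every auth or password line that carries `nullok` (the slide's own comment: empty password authorized). The sample is constructed from the slide's configuration; the parser assumes the plain control keywords used there, not the bracketed `[value=action ...]` syntax.

```shell
#!/bin/sh
# Added example (not from the course): summarize a PAM service file such as the
# login stack on the slide and flag modules invoked with "nullok". The sample
# is constructed from the slide's configuration.

PAM_LOGIN_SAMPLE='#%PAM-1.0
auth       required   pam_securetty.so
auth       required   pam_unix.so shadow nullok
auth       required   pam_nologin.so
account    required   pam_unix.so
password   required   pam_cracklib.so retry=3
password   required   pam_unix.so shadow nullok use_authtok
session    required   pam_unix.so'

# pam_stack: one line per type, listing the modules in the order PAM runs
# them with their control value. Assumes the plain control keywords used on
# the slide (required/requisite/sufficient/optional/include), not the
# bracketed [value=action ...] syntax.
pam_stack() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        type = $1; ctl = $2; mod = $3
        if (!(type in stack)) order[++n] = type  # remember first-seen order
        stack[type] = stack[type] " " mod "(" ctl ")"
    }
    END { for (i = 1; i <= n; i++) printf "%s:%s\n", order[i], stack[order[i]] }'
}

# pam_findings: prints one line for every module argument "nullok" (accepts an
# empty password) on auth or password lines; nothing when there is none.
pam_findings() {
    awk '
    /^[ \t]*(#|$)/ { next }
    $1 == "auth" || $1 == "password" {
        for (i = 4; i <= NF; i++)
            if ($i == "nullok") printf "%s %s: nullok accepts an empty password\n", $1, $3
    }'
}

printf '%s\n' "$PAM_LOGIN_SAMPLE" | pam_stack
printf '%s\n' "$PAM_LOGIN_SAMPLE" | pam_findings
```

Used as `pam_findings < /etc/pam.d/login`, the second function gives the list of services on which an account with an empty password can log in; removing `nullok` from both the auth and the password line is what closes it.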


Page 116: Admin+ Sesssion5 Apr11

CHROOTING

• Chrooting is changing the root directory of the calling process.The application is put in jail, with no access to the system even if compromised

• Chrooting can be compared to OS virtualisation as a less advanced technique (Sun containers, Linux Xen)

• Traditionally used to secure web (Apache) or DNS (Bind) servers

• Next example is the opportunity to examine some Apache security measures (compilation, modules, UID, configuration) as well as usage of advanced commands (ldd, strings, strace, mknod)


Page 117: Admin+ Sesssion5 Apr11

APACHE REQUISITES

• The idea is to offer a web service on FE (front end) servers. Only static pages, but high performance and security – no PHP, JSP or CGI, all handled by hidden BE (back end) servers
• Name-based virtual hosting – only one server IP but as many hosts as virtual servers
• Basic authentication – based on the client IP address
• Server must be hardened : the server must offer only web and management services (SSH, SNMP, ...)
• Apache should be compiled in place for performance and security purposes
• Only useful modules loaded in Apache, and statically compiled – as opposed to shared modules
• Server must run with its own UID/GID
• Chrooting is a good solution here as it puts Apache in a jail from which there is no way to reach the system


Page 118: Admin+ Sesssion5 Apr11

APACHE INSTALLATION

Download the latest Apache sources from http://httpd.apache.org/
$ cp httpd-2.2.11.tar.gz /usr/src/.   # Probably from the home directory !
$ gunzip httpd-2.2.11.tar.gz
$ tar xvf httpd-2.2.11.tar
$ cd httpd-2.2.11

Create makefiles by disabling most modules
$ ./configure --disable-actions --disable-alias \
--disable-asis --disable-autoindex --disable-cgi \
--disable-cgid --disable-charset-lite --disable-env \
--disable-imagemap --disable-include --disable-negotiation \
--disable-setenvif --disable-userdir
$ make

Installation as root
# umask 022
# make install
# chown -R root:root /usr/local/apache2


Page 119: Admin+ Sesssion5 Apr11

APACHE CHROOTING - 1

Creating jail directories
# mkdir -p /chroot/httpd/dev
# mkdir -p /chroot/httpd/etc
# mkdir -p /chroot/httpd/lib
# mkdir -p /chroot/httpd/usr/local/apache2/bin
# mkdir -p /chroot/httpd/usr/local/apache2/logs
# mkdir -p /chroot/httpd/usr/local/apache2/conf
# mkdir -p /chroot/httpd/usr/local/apache2/htdocs
# chown -R root:root /chroot
# chmod -R 0755 /chroot

Special device /dev/null
# ls -als /dev/null
# mknod /chroot/httpd/dev/null c 1 3
# chown root:root /chroot/httpd/dev/null
# chmod 666 /chroot/httpd/dev/null

Looking for required libraries
# ldd /usr/local/apache2/bin/httpd
# strings /usr/local/apache2/bin/httpd | grep lib
# strace /usr/local/apache2/bin/httpd 2>&1 | grep open   # Fedora
# truss /usr/local/apache2/bin/httpd 2>&1 | grep open    # Solaris


Page 120: Admin+ Sesssion5 Apr11

APACHE CHROOTING - 2

Copying library files to jail - some are missing, see commands.txt
# cp -p /usr/local/apache2/bin/httpd /chroot/httpd/usr/local/apache2/bin/.
# cp -p /lib/libm.so.6 /chroot/httpd/lib/.
# cp -p /usr/local/apache2/lib/libaprutil-1.so.0 /chroot/httpd/usr/local/apache2/lib/.
# cp -p /usr/local/apache2/lib/libexpat.so.0 /chroot/httpd/usr/local/apache2/lib/.
# cp -p /usr/local/apache2/lib/libapr-1.so.0 /chroot/httpd/usr/local/apache2/lib/.
# cp -p /lib/librt.so.1 /chroot/httpd/lib/.
# cp -p /lib/libcrypt.so.1 /chroot/httpd/lib/.
# cp -p /lib/libpthread.so.0 /chroot/httpd/lib/.
# cp -p /lib/libdl.so.2 /chroot/httpd/lib/.
# cp -p /lib/libc.so.6 /chroot/httpd/lib/.
# cp -p /lib/ld-linux.so.2 /chroot/httpd/lib/.

Copying system and application files to jail - some are missing, see commands.txt
# cp -p /usr/local/apache2/bin/httpd /chroot/httpd/usr/local/apache2/bin/.
# cp -p /usr/local/apache2/conf/httpd.conf /chroot/httpd/usr/local/apache2/conf/.
# cp -p /usr/local/apache2/conf/mime.types /chroot/httpd/usr/local/apache2/conf/mime.types
# cp -p /etc/hosts /chroot/httpd/etc/.
# cp -p /etc/resolv.conf /chroot/httpd/etc/.
# cp -p /etc/host.conf /chroot/httpd/etc/.
# cp -p /etc/group /chroot/httpd/etc/.
# cp -p /etc/passwd /chroot/httpd/etc/.
# cp -p /etc/shadow /chroot/httpd/etc/.
# cp -p /usr/local/apache2/htdocs/* /chroot/httpd/usr/local/apache2/htdocs/.
```
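Copying the ldd list by hand, as on the two slides above, is where libraries get forgotten (the slide itself notes that some are missing). The script below is an added example, not part of the course: `ldd_paths` extracts the absolute paths from ldd output, `jail_copy_libs` copies each one into the jail with `cp -p` while creating the directory tree, and `jail_check_libs` reports any path still absent from the jail. The ldd output is constructed in the format ldd prints, and `jail_copy_libs` takes an optional fake source root so the example runs without touching real system libraries. One caveat on the file list above: the next slide's user and group clean-up is the step that matters, since the jail only needs the apache user's entries in passwd and group, and httpd never authenticates against /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the course): automate the "ldd, then cp -p each
# library into the jail" step of the slides, and verify afterwards that no
# library is missing. LDD_SAMPLE is constructed in the format ldd prints;
# jail_copy_libs takes an optional fake source root so the example (and its
# test) can run without touching real system libraries.

LDD_SAMPLE='	linux-gate.so.1 =>  (0x00110000)
	libm.so.6 => /lib/libm.so.6 (0x00a3b000)
	libaprutil-1.so.0 => /usr/local/apache2/lib/libaprutil-1.so.0 (0x00ff5000)
	libc.so.6 => /lib/libc.so.6 (0x008c9000)
	/lib/ld-linux.so.2 (0x008a6000)'

# ldd_paths: absolute library paths from ldd output on stdin. The vDSO line
# (linux-gate.so.1) has no path and is skipped: it is provided by the kernel.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# jail_copy_libs JAIL [SRCROOT]: copy each path read on stdin from SRCROOT/path
# to JAIL/path, creating the directory tree and preserving mode and times
# (cp -p, as on the slide). SRCROOT is empty on a real system.
jail_copy_libs() {
    jail=$1; srcroot=${2:-}
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$srcroot$lib" "$jail$lib"
    done
}

# jail_check_libs JAIL: print each path from stdin that is absent in the jail;
# an empty result means httpd will find every library after chroot.
jail_check_libs() {
    jail=$1
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        [ -e "$jail$lib" ] || echo "missing: $jail$lib"
    done
}

# Real use (as root), once /chroot/httpd exists:
#   ldd /usr/local/apache2/bin/httpd | ldd_paths | jail_copy_libs /chroot/httpd
#   ldd /usr/local/apache2/bin/httpd | ldd_paths | jail_check_libs /chroot/httpd
```

ldd only lists libraries linked at load time; modules that httpd dlopen()s later, and files such as mime.types, still need the strace pass shown on the previous slide.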


Page 121: Admin+ Sesssion5 Apr11

FINAL CHROOTED-APACHE CONFIGURATION

Apache in jail should work now… This is the last step, configuration and tuning :
• Users and group clean-up (remove all users and groups other than apache's)
• Network configuration tuning (/etc/hosts, /etc/nsswitch.conf, /etc/resolv.conf, …)
• Apache configuration : /chroot/httpd/usr/local/apache2/conf/httpd.conf
• Apache content – web pages : /chroot/httpd/usr/local/apache2/htdocs/*
• Apache startup script : modify the one delivered with the sources and place it in /etc/init.d/ ; startup configuration with the chkconfig command
• Probably other things to do ...


Page 122: Admin+ Sesssion5 Apr11

APACHE ASSESSMENT


Page 123: Admin+ Sesssion5 Apr11

KERBEROS

• MIT project that encrypts the transactions of adapted applications – “kerberized applications” like telnet, FTP, …
• Clients are authenticated by kerberized services with tickets
• Based first on a KDC (Key Distribution Center) that validates the password with symmetric encryption ; then the authenticated client can ask the TGS (Ticket Granting Service) to deliver an authorization ticket for a given application
• Kerberos needs time synchronization (NTP) and DNS services
• Pros : the usual historical services do not encrypt their transactions – the password is in clear text, and so is the rest of the transaction – Kerberos resolves this issue
• Cons : no direct use of the Unix user databases ; PAM integration not complete ; applications must be redesigned

The whole system may be compromised :
- if the KDC/TGS server is compromised (exposed to an unsecure network)
- if not all services are kerberized (unprotected passwords are still sent)

• OpenSSH is probably the alternative


Page 124: Admin+ Sesssion5 Apr11

FIREWALLS


Page 125: Admin+ Sesssion5 Apr11

Sun xVM VirtualBox - 1

• VirtualBox release 2.1.2 found at www.virtualbox.org (accept installation of USB and network drivers)
Host and guest concepts, see manual
Guest additions concept

• Fedora 10 found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso, 32 bits although 64 supported by xVM, English edition, installable Live CD)


Page 126: Admin+ Sesssion5 Apr11

Sun xVM VirtualBox - 2

• Installation procedure (example is Fedora)
- New machine ; choose OS, select memory size (2 GB but less than host !), add virtual disk (fixed, 10 GB).
- Mount the OS ISO local file as CD/DVD-ROM.
- Start !... (ignore both messages – no additions installed yet)
- When started, use the Install on hard disk icon. Select French keyboard.
- Shut down, unmount the CD/DVD and restart.
- Upgrade system and application packages (Yum).
- Install the dkms package (Dynamic Kernel Module Support Framework).
- Install GNU make and gcc packages.
- Mount the Guest Additions ISO with the Devices, Install Guest Additions xVM menu.
- Run Sun's script (cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run)
- Restart.


Page 127: Admin+ Sesssion5 Apr11

Sun xVM VirtualBox - 3

• Installation procedure particularities for Debian 4
- Installation of a small image via Internet.
- Disk partitioning without LVM, one root partition.
- Desktop and system packages.
- Synaptic Package Manager used for package installation : make, gcc and kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686 ; check the release with the command uname -a).


Page 128: Admin+ Sesssion5 Apr11

Sun xVM VirtualBox - 4

• Command line


Page 129: Admin+ Sesssion5 Apr11

REMOTE ACCESS TO SYSTEM

• Xming XLaunch utility
• But otherwise, X specific, “exporting display” :
Run your X server on the PC (nothing required if PuTTY is used because the X protocol is encapsulated in SSH – port 22 ; otherwise, ports XDMCP 177 and 6000 should be opened)
Then, on the client :
setenv DISPLAY server:0.0
echo $DISPLAY

• PuTTY


Page 130: Admin+ Sesssion5 Apr11

USEFUL LINKS

http://www.dwheeler.com/secure-programs/ Secure Programming for Linux and Unix HOWTO
www.cpan.org Perl packages and more
http://www.sun.com/software/security/jass Sun's JASS Solaris Security Toolkit
http://www.digilife.be/quickreferences/quickrefs.htm Quick Reference Cards – useful for those related to Unix
http://www.cert.org/cert/ CERT – Security information
http://www.auscert.org.au/5816 AusCERT – Unix and Linux Security Checklist v3.0
http://www.protocols.com/pbook/tcpip1.htm#MAP RADCOM protocols.com web site (protocols map)


Page 131: Admin+ Sesssion5 Apr11

BIBLIOGRAPHY

Unix System Administration Handbook – Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein – Prentice Hall

English. Third edition 2001. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD). 854 p.

Essential System Administration – Aeleen Frisch – O’Reilly

English, but French version available (Les bases de l’administration système). Third edition 2002. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD, Tru64). 1172 p.

TCP/IP Illustrated, Volume 1 – Richard Stevens – Addison-Wesley

English, but French version available (TCP/IP illustré - Vuibert). A must for TCP/IP matter. No OS privileged but Unix foundations. 592 p.

TCP/IP Network Administration – Craig Hunt – O’Reilly

English, but French version available. Third edition 2002. Covers RedHat and Solaris. 772 p.

Network Security Assessment – Chris McNab – O’Reilly

English. Second edition 2007. Covers Unix and Windows from network services breaches perspective. 478 p.

GNU/Linux Fedora, Spécial Sécurité – Huet-Verhille – ENI Editions

French. First edition 2007. Focuses on Fedora (as it is a native secured OS). 342 p. 39 €. Recommended for this course


Page 132: Admin+ Sesssion5 Apr11

WINDOWS TOOLS USED DURING THIS SESSION

Wireshark (prev. Ethereal), network protocol analyzer http://www.wireshark.org

PuTTY, SSH client http://www.chiark.greenend.org.uk/~sgtatham/putty/

Xming, PC X server http://www.straightrunning.com/XmingNotes/

VirtualBox, virtualization http://www.virtualbox.org/

EasyBCD, Windows Vista bootloader utility http://neosmart.net/

Apache JMeter, HTTP workbench http://jakarta.apache.org/jmeter/
