Building a Secure Environment for Free
![Page 1: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/1.jpg)
Freeware Security Tools You Need
Randy Marchany
VA Tech Computing Center
Blacksburg, VA 24060
540-231-9523
Suggested Strategy
Use freeware tools to gain experience with your system/network environment.
Gain experience with the features provided by these tools in order to better evaluate a vendor tool.
Freeware tools provide a good short-term solution.
Vendor tools may provide a better long-term solution.
The Tools
Audit/Port Scanning Tools
– Nessus
– SAINT
– SARA
– Nmap, strobe
– Tripwire, AIDE
"Personal" Firewall
– TCP Wrappers
– Portsentry, IP Filter
– ZoneAlarm, BlackICE, NeoWatch
The Tools
Syslog Scanners
– Logcheck
Sniffers
– Snoop, iptrace, tcpdump
– Netwatch (NT)
– Snort
The Tools
Sysadmin Tools
– Big Brother
– Password Checkers
• Crack, nt-crack, l0phtcrack, npasswd, passwd+
– lsof, inzider (NT)
– Sudo (Unix)
Remote Control Tools
– VNC viewer
Homegrown Tools
– Network management tools that can be used for incident response
Audit/Port Scan Tools
These tools can be used to scan your systems and network for vulnerabilities.
Some tools can also perform integrity checks on designated files.
They usually have good reporting, typically HTML based.
Nessus
Available from www.nessus.org
Best of the scanning tools
Easy to build for Linux, harder for Solaris; other OSes still need work
Requires GNU tools
Provides HTML based reports
Has a distributed architecture: clients (Windows, Unix) and scan engines (nessusd, Unix only)
Nessus – Building It
Linux
– Download the RPMs
– Add a nessus user
– Start up the nessusd daemon
– Start up the nessus client
– Start testing
Nessus – Pros/Cons
Pro
– Easy to install if you have Linux
– Most comprehensive tests for your money
Con
– Not that easy to understand at first
– Non-Linux builds require GNU software
– Some inconsistency in the quality of checks
– The scan engine must run on a Unix server, which keeps its own per-user accounts for the clients that connect to it
SAINT
Based on SATAN; developed by World Wide Digital Security, Inc. (www.wwdsi.com)
Security Administrator's Integrated Network Tool
– Gathers info on remote hosts/nets
– Looks at finger, NFS, NIS, ftp, tftp, rexd, statd
– Can run heavy, moderate or light probes on targets
Will check for the SANS Top 10 Threats
SARA
Security Auditor's Research Assistant
– www.www-arc.com/sara
Checks for SANS Top 10 Threats
Does Unix/Windows vulnerability tests
Has CVE dictionary support
Search engine for post-audit analysis
Has a report writer
Port Scanning Tools
Strobe was one of the earliest port scanning tools.
– Available from ciac.llnl.gov
Nmap is the more sophisticated grandson of strobe.
– Available from www.insecure.org
Tripwire
Available from www.tripwire.com
First of the file integrity checkers
Unix and NT versions available
– Network capable versions available
Academic version is free. Commercial and NT versions are not.
Useful in finding trojaned programs
Tripwire
Generates a "signature" for each file based on cryptographic checksums and other characteristics (size, permissions, owner, inode, timestamps).
These signatures are stored in a database file that should be kept offline or on read-only media.
This is the baseline.
Latest threat involves dynamic exec redirection, part of the newer kernel module rootkits: the file on disk still matches its signature, but the kernel runs something else when it is executed, so a file-level checker never sees the substitution.
Tripwire
List of files to check: tw.config
– All files in a directory will be checked.
– Can prune directories from the check step.
– Can examine just the directory entry and nothing else.
– Can check by access time, but this is not recommended: every file that has merely been read since the baseline shows up as changed, so you get a report of everything. Everything!
Tripwire
To initialize the DB: tripwire -initialize
Update DB interactively: tripwire -interactive
Non-interactive DB update: tripwire -update <FN>
Tripwire
Security Issues
– Need to protect the DB: an attacker who can rewrite it simply re-baselines the trojan
– Need to protect the Tripwire executables themselves, for the same reason
Advantages
– Simple interface, good choice of crypto hash functions, good all-around tool
Disadvantages
– Kernel module attacks, initial tw.config takes some time to customize, NT version is good but costs $$$, no network security
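The baseline-then-compare workflow on the last few slides, as an added example in Python (not Tripwire's own code). The rule modes "recurse", "dir-only" and "prune" are this example's stand-ins for tw.config entries, SHA-256 stands in for Tripwire's signature functions, and the directory tree built by demo() is constructed. Access time is deliberately not part of the signature, for the reason the tw.config slide gives; the demo's trojaned /sbin/login keeps its size and timestamps, so only the hash catches it.

```python
"""Tripwire-style file integrity check: build a baseline, then compare.

Added example, not Tripwire's own code.  It models the workflow the
slides describe: a tw.config-like rule list picks what to record, a
baseline database is written once, and later runs report files that were
added, removed or changed.  Rule names ("recurse", "dir-only", "prune")
and the directory tree in demo() are constructed for this example.
"""
import hashlib
import os
import shutil
import stat
import tempfile

# tw.config-like entries.  "recurse" hashes every file under the directory,
# "dir-only" records the directory entry itself and nothing below it,
# "prune" drops a subtree from the walk.
RULES = [
    ("/etc", "recurse"),
    ("/sbin", "recurse"),
    ("/var/log", "dir-only"),   # contents churn constantly; watch the entry only
    ("/etc/skel", "prune"),
]


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def signature(path):
    """Content hash plus the metadata a trojaned binary usually disturbs.
    Access time is left out on purpose: recording it flags every file read."""
    st = os.lstat(path)
    sig = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        sig["sha256"] = _sha256(path)
    return sig


def build_db(root, rules=RULES):
    """Apply the rules below `root` and return {path: signature} (the baseline)."""
    pruned = {os.path.join(root, p.lstrip("/")) for p, m in rules if m == "prune"}
    db = {}
    for path, mode in rules:
        top = os.path.join(root, path.lstrip("/"))
        if mode == "prune" or not os.path.exists(top):
            continue
        if mode == "dir-only":
            db[path] = signature(top)
            continue
        for dirpath, dirnames, filenames in os.walk(top):
            dirnames[:] = [d for d in dirnames
                           if os.path.join(dirpath, d) not in pruned]
            for name in filenames:
                full = os.path.join(dirpath, name)
                db["/" + os.path.relpath(full, root)] = signature(full)
    return db


def compare(baseline, current):
    """Return (added, removed, changed) paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a fake root, then trojan /sbin/login
    with a same-size replacement whose timestamps are put back, so only the
    hash gives it away; also drop in an /etc/ld.so.preload."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "etc/passwd": b"root:x:0:0::/:/bin/sh\n",
            "sbin/login": b"#!/bin/sh\nexec /bin/login.real\n",
            "etc/skel/.profile": b"umask 022\n",        # pruned, never recorded
            "var/log/messages": b"boot\n",              # under a dir-only entry
        }
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        baseline = build_db(root)

        login = os.path.join(root, "sbin/login")
        st = os.stat(login)
        with open(login, "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /bin/login.evil\n")   # same length
        os.utime(login, (st.st_atime, st.st_mtime))            # timestamps restored
        with open(os.path.join(root, "etc/ld.so.preload"), "wb") as fh:
            fh.write(b"/tmp/.x/libhide.so\n")
        with open(os.path.join(root, "var/log/messages"), "ab") as fh:
            fh.write(b"more noise\n")                          # not reported
        return compare(baseline, build_db(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```

The database this produces is exactly the thing the "Security Issues" slide says must be protected: write it to read-only media, and run the checker from a binary that lives there too, or the comparison is only as honest as the attacker lets it be.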
Personal Firewall Tools
These tools monitor connection attempts to your system and give you the option of allowing or denying the access.
They log the connection attempt to standard log files.
More valuable than a real firewall, IMHO.
Portsentry/TCP Wrappers
Portsentry is available from www.psionic.com; TCP Wrappers is available from ciac.llnl.gov and a ton of other sites.
Any host that probes one of a list of "banned" ports is placed in /etc/hosts.deny.
Needs TCP Wrappers installed on the machine for that hosts.deny entry to have any effect.
– TCP Wrappers logs attempts to connect to services
TCP Wrappers
Everyone should buy Wietse Venema dinner for writing this tool.
Purpose
– Log network connections to a system
– Allow you to filter who connects to the system
Needs an inetd-like program to act as the dispatcher of network services.
TCP Wrappers Features
Allows you to monitor/filter incoming requests for SYSTAT, FINGER, FTP, TELNET, the r-commands, TFTP, TALK and other network services.
Provides access control to restrict which systems can connect to which network daemons.
Provides some protection from host name spoofing: the reverse lookup of the client address and the forward lookup of the resulting name must agree.
TCP Wrapper Installation
Easy to do. The "Advanced Installation" is easier than the "Easy Installation", IMHO.
Install is done by Makefile:
– make <os-type>
Creates 5 programs that are ready to use.
TCP Wrappers
5 components
– tcpd – the actual wrapper program
– tcpdmatch, tcpdchk – ACL testing programs
– try-from – tests the host lookup function
– safe_finger – a finger client hardened against hostile finger servers, meant for the booby-trap commands you can put in hosts.allow/hosts.deny
Logs hostname, IP address and username (via identd, if possible) through syslog. By default it logs to the same facility as sendmail, so the entries land in the mail logs.
Change this by editing the Makefile:
– FACILITY=LOG_AUTH
(LOG_WARN is a priority, not a facility; the priority is set separately with the SEVERITY= line in the same Makefile.)
TCP Wrappers
Access control is enabled by default. 2 files:
– /etc/hosts.deny – restrict access if the client matches here
– /etc/hosts.allow – allow access if the client matches here
• hosts.allow is consulted first, then hosts.deny; the first matching line wins, and a client that matches neither file is let in.
• Can restrict to username@host if the client runs identd
Reverse lookup is done, followed by a forward lookup of the returned name. The PARANOID selection terminates the connection immediately if the two don't agree.
Set KILL_IP_OPTIONS in the Makefile to refuse connections that use IP source routing. This blocks one spoofing technique (source-routed packets), although your routers should drop those too.
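The hosts.allow/hosts.deny decision described above, as an added example in Python (it is not the tcp_wrappers code, which is C). It reimplements the hosts_access(5) matching rules the slide lists: allow file first, then deny file, then default allow; ALL, LOCAL, KNOWN/UNKNOWN, PARANOID, domain-suffix, dotted-prefix and net/mask patterns; and the right-nesting EXCEPT operator. The two rule files, the daemon names and the client records are constructed, and the client "verified" flag stands in for tcpd's forward/reverse DNS cross-check.

```python
"""tcpd-style access decision: hosts.allow first, then hosts.deny, then
default allow.

Added example, not the tcp_wrappers code.  It reimplements the matching
rules described on the slides so they can be exercised offline.  The two
rule files, the daemon names and the client records are constructed; the
'verified' flag stands for tcpd's forward/reverse DNS cross-check.
"""
import ipaddress

HOSTS_ALLOW = """
# daemon list : client list   (a third, shell-command field is ignored here)
ALL        : LOCAL, .vt.edu EXCEPT dorm.vt.edu
in.ftpd    : 198.82.
sshd       : 128.173.0.0/255.255.0.0
"""

HOSTS_DENY = """
ALL : PARANOID
ALL : ALL
"""


def match_client(pattern, client):
    """One hosts_access(5) client pattern against a client record."""
    addr, name, verified = client["addr"], client["name"], client["verified"]
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # host name without a dot
        return verified and name is not None and "." not in name
    if pattern == "KNOWN":
        return verified and name is not None
    if pattern == "UNKNOWN":
        return name is None
    if pattern == "PARANOID":              # reverse and forward lookups disagree
        return name is not None and not verified
    if pattern.startswith("."):            # domain suffix, on the verified name only
        return verified and name is not None and name.endswith(pattern)
    if pattern.endswith("."):              # dotted network prefix
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern == addr or (verified and pattern == name)


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_list(spec, subject, matcher):
    """'a b EXCEPT c' matches (a or b) and not c; EXCEPT nests to the right."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(matcher(p, subject) for p in head.replace(",", " ").split())
    if tail:
        return hit and not match_list(tail, subject, matcher)
    return hit


def first_match(rules_text, daemon, client):
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        if (match_list(fields[0], daemon, match_daemon)
                and match_list(fields[1], client, match_client)):
            return True
    return False


def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd's order: first hit in hosts.allow wins, then hosts.deny, else allow."""
    if first_match(allow, daemon, client):
        return True
    if first_match(deny, daemon, client):
        return False
    return True


# Constructed clients
CAMPUS = {"addr": "198.82.1.5", "name": "cesgi1.ce.vt.edu", "verified": True}
DORM = {"addr": "198.82.9.9", "name": "dorm.vt.edu", "verified": True}
SPOOFED = {"addr": "10.1.1.1", "name": "trusted.vt.edu", "verified": False}
NONAME = {"addr": "128.173.4.4", "name": None, "verified": False}

if __name__ == "__main__":
    for svc, who in [("in.telnetd", CAMPUS), ("in.telnetd", DORM),
                     ("in.ftpd", DORM), ("in.ftpd", SPOOFED), ("sshd", NONAME)]:
        print(svc, who["addr"], "->", "allow" if access_allowed(svc, who) else "deny")
```

Two things worth noticing when you run it: with an empty hosts.deny the SPOOFED client gets in, because the default is allow, which is why the "ALL : ALL" line in hosts.deny is the usual starting point; and the name-based patterns only ever match a verified name, so a forged PTR record buys the attacker nothing more than the PARANOID line.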
TCP Wrappers
IDENT service
– Remote username lookup requires the remote host to run the ident (RFC 1413) protocol.
– Works only for TCP, not UDP
Limitations
– TCP – checks only the 1st connection for each instance of the daemon
– UDP – 1st datagram only for the service
– RPC/TCP – no checking, since the portmapper handles this
TCP Wrappers
Advantages
– Logs and applies access controls to remote connections
– Lets you define which daemons are wrapped
– Does good reverse lookup on hosts
Disadvantages
– Ident service not reliable (the client controls what its identd answers)
– Only looks at network daemons spawned by inetd
– Doesn't wrap ALL services (RPC)
– Could give a false sense of security
Portsentry
Available from www.psionic.com
Monitors ports and performs an action when an attempt to access a port is made. Usually access is then denied to the probing system.
Monitors TCP and UDP traffic.
A little more flexible than TCP Wrappers.
Portsentry Configuration Files
portsentry.conf contains the list of ports to be monitored.
It ships with three sample port lists of increasing paranoia, from a bare-bones set to a list that will trip on almost any scan.
IP Filter
Software package that can do NAT or basic firewall services.
Designed to be used as a loadable kernel module, but can be compiled into a Unix kernel.
Can be configured to do IP accounting (count bytes), IP filtering, IP authentication or NAT.
http://coombs.anu.edu.au/~avalon/ip-filter.html
IP Filter
Can explicitly allow/deny any packet.
Distinguishes between multiple interfaces.
Filters by IP network, host or protocol.
Filters by port number or port range.
Logs the following:
– TCP/UDP/ICMP/IP packet headers
– First 128 bytes
– Pass or blocked status
IP Filter
Statistics collected include:
– Packets blocked
– Packets used for accounting (packet count)
– Packets passed
– Packets logged
– Inbound/outbound packet information
IP Filter Log Format
Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN
Reading a line: hme0 is the interface; @0:5 is the rule group and rule number that matched; b means blocked (p would be passed); then source address,port -> destination address,port; PR tcp is the protocol; len 20 40 is the IP header length and the total packet length; -S is the TCP flag set (SYN); IN is the direction. All three lines are inbound SYNs to port 21 on 198.82.255.255 dropped by rule 5.
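A parser for that ipmon line format, as an added example in Python (not part of IP Filter). The first three sample lines are the ones shown on the slide, with the "[ID 702911 local0.warning]" spacing restored; the fourth, a passed packet, is constructed so the action field has something to distinguish. The two summaries on top of the parser, dropped inbound SYNs by source and destination port, and sources that sent from a privileged port, are the kind of first pass one would run over a day of ipmon output.

```python
"""Parser for IP Filter (ipmon) syslog lines, with two small detections.

Added example, not part of IP Filter.  The first three sample lines are the
ones shown on the slide; the fourth, a passed packet, is constructed so that
the action field has something to distinguish.  Field meanings follow the
ipmon(8) format: @group:rule, b/p for blocked/passed, src,port -> dst,port,
PR protocol, len <header> <total>, -<tcp flags>, IN/OUT.
"""
import re
from collections import Counter

IPMON_RE = re.compile(
    r"ipmon\[\d+\]:.*?"
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) ->\s*(?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)")

SAMPLE_LOG = [
    "Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN",
    "Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN",
    "Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN",
    # constructed: a permitted inbound ssh SYN, to show the action field matters
    "Jul 30 06:00:00 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 06:00:00.000000 hme0 @0:2 p 198.82.10.10,1024 -> 198.82.1.1,22 PR tcp len 20 60 -S IN",
]


def parse_line(line):
    """Return a dict of fields, or None if the line is not an ipmon record."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["blocked"] = rec["action"] == "b"
    rec["flags"] = rec["flags"] or ""
    return rec


def blocked_inbound_syns(lines):
    """Count dropped connection attempts by (source, destination, port)."""
    hits = Counter()
    for rec in map(parse_line, lines):
        if (rec and rec["blocked"] and rec["dir"] == "IN" and rec["proto"] == "tcp"
                and "S" in rec["flags"] and "A" not in rec["flags"]):
            hits[(rec["src"], rec["dst"], rec["dport"])] += 1
    return hits


def privileged_source_ports(lines):
    """Sources whose blocked packets came from a port below 1024.  A scanner
    sets its source port to 20/21/53 hoping a stateless filter will let the
    packets through as 'replies'; the first two sample lines have that shape."""
    return sorted({rec["src"] for rec in map(parse_line, lines)
                   if rec and rec["blocked"] and rec["sport"] < 1024})


if __name__ == "__main__":
    for key, n in blocked_inbound_syns(SAMPLE_LOG).items():
        print(f"{n:3d}  {key[0]} -> {key[1]}:{key[2]}")
    print("privileged source ports:", privileged_source_ports(SAMPLE_LOG))
```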
Logcheck
Available from www.psionic.com
Syslog keyword scanner. When it matches something, it does something:
– Send email
– Page someone
– Run a command
logcheck.violations
These keywords denote a problem and are flagged by logcheck.
logcheck.ignore
Phrases listed in this file are ignored by the logcheck program.
logcheck.hacking
Keywords in this file indicate an attack is taking place.
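How those three pattern files combine, as an added example in Python (logcheck itself is a shell script around egrep; this is not its code). The pattern lists and the log lines are constructed for the demo, although the portsentry "attackalert" string and the tcpd "refused connect from" string are what those tools really log. One simplification to be aware of: logcheck builds its three report sections independently, so a line can appear in more than one; here a line is placed in the first section it qualifies for.

```python
"""logcheck-style syslog triage over sample lines.

Added example, not the logcheck script.  logcheck itself is a shell script
that runs egrep with four pattern files; this reimplements that pass in
Python.  The pattern lists and the log lines are constructed for the demo
(the portsentry 'attackalert' string and the tcpd 'refused connect from'
string are the real ones those tools log).  One simplification: logcheck
builds its three report sections independently, while here a line is placed
in the first section it qualifies for.
"""
import re

# logcheck.hacking: matched case-insensitively, reported as an active attack
HACKING = [r"attackalert", r"\bVRFY\b", r"\bEXPN\b", r"illegal port"]
# logcheck.violations, minus logcheck.violations.ignore
VIOLATIONS = [r"denied", r"refused", r"failed", r"unauthorized"]
VIOLATIONS_IGNORE = [r"sendmail\[\d+\]: .*stat=Deferred: Connection refused"]
# logcheck.ignore: routine noise dropped from the "unusual events" section
IGNORE = [r"cron\[\d+\]: \(root\) CMD",
          r"sendmail\[\d+\]: .*stat=(Sent|Deferred)",
          r"named\[\d+\]: .*lame server"]

SAMPLE_LOG = [
    "Jul 30 01:46:52 myhost cron[1111]: (root) CMD (/usr/lib/sa/sa1)",
    "Jul 30 01:47:10 myhost in.telnetd[1200]: refused connect from 194.143.66.126",
    "Jul 30 01:47:15 myhost sendmail[1222]: BAA01222: to=root, stat=Deferred: Connection refused by mailhost",
    "Jul 30 01:50:03 myhost sendmail[1230]: BAA01230: ruleset=check_rcpt, relay=[10.1.1.1], reject=550 VRFY attempt",
    "Jul 30 02:01:44 myhost su: 'su root' failed for bob on /dev/pts/3",
    "Jul 30 02:05:00 myhost portsentry[300]: attackalert: Connect from host: 203.90.84.163/203.90.84.163 to TCP port: 21",
    "Jul 30 02:10:00 myhost unix: hme0: link up",
]


def _compile(patterns, flags=0):
    return [re.compile(p, flags) for p in patterns]


def _hits(regexes, line):
    return any(r.search(line) for r in regexes)


def triage(lines, hacking=HACKING, violations=VIOLATIONS,
           violations_ignore=VIOLATIONS_IGNORE, ignore=IGNORE):
    """Sort lines into logcheck's three sections; return a dict of lists."""
    H = _compile(hacking, re.I)
    V = _compile(violations, re.I)
    VI = _compile(violations_ignore)
    I = _compile(ignore)
    report = {"attack": [], "violation": [], "unusual": []}
    for line in lines:
        if _hits(H, line):
            report["attack"].append(line)
        elif _hits(V, line) and not _hits(VI, line):
            report["violation"].append(line)
        elif not _hits(I, line):
            report["unusual"].append(line)
    return report


if __name__ == "__main__":
    for section, lines in triage(SAMPLE_LOG).items():
        print(f"== {section} ({len(lines)})")
        for line in lines:
            print("  " + line)
```

The sendmail "Connection refused" line is the reason logcheck.violations.ignore exists: "refused" is a violation keyword, but a deferred mail delivery is not a security event, and without the ignore entry every mail hiccup would page someone. The real logcheck also remembers how far into each log file it has read, so each run only sees new lines; that bookkeeping is left out here.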
Zone Alarm
Available from www.zonelabs.com. Not quite free.
Client based, application level firewall.
Designed to prevent unauthorized sending and receiving of packets to/from your workstation.
Good defense against trojans: a trojan trying to phone home is an unknown application asking for network access, which ZA blocks until you approve it.
Basic Installation Steps
The following steps were developed by Marc Debonis for our site.
– Download the latest version from http://www.zonelabs.com
– Run the installer, zonealarm.exe
– Click Next, click Next
– Enter name, company and email (can be invalid)
– Uncheck both boxes
– Click Next, click Next, click Finish, click Start
– Check the "don't show this message again" box
– Click OK and reboot if necessary
– Zone Alarm is installed
Configuring Zone Alarm
ZA requires you to authorize each and every application that attempts to send or receive information over your network connection.
Default is BLOCK. This pops up a window asking what to do.
Basic Setup
Click the arrow in the ZA box that points down and to the right.
Click the Security button.
Verify local security is set to MEDIUM.
Verify internet security is set to HIGH.
Click the Advanced button.
Do NOT put a checkmark next to your adapter; otherwise all machines in your subnet will be considered to be in your local zone and get the weaker MEDIUM treatment.
Click OK.
BlackICE Defender
Available from www.networkice.com
Workstation Version
– End-user PC with a single connection
– Tuned for common attacks on workstations
Server Version
– Additional NT and W2K attack signatures
ICEpac Suite allows multiple agents to be managed from a single host. Can install agents remotely.
Not quite free.
NeoWatch
Available from www.neoworx.com
Another personal firewall type tool for Windows systems.
Does a traceback to the originating site.
Similar features to Zone Alarm and BlackICE Defender.
Can send data to a central site.
Not quite free: $39.95. Trial version is free for 30 days.
Sniffers: snoop, iptrace, tcpdump, snort
Some systems have built-in sniffers
– Solaris - snoop
– AIX - iptrace
– Linux - tcpdump
– NT/2000 - netwatch
Tcpdump is the generic sniffer for those systems with no built-in sniffer.
Sniffer Output - Solaris Snoop
1042 0.10594 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 login:
1045 0.02429 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1046 0.02039 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1047 0.03137 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1050 0.09288 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1052 1.17258 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 b
1053 0.08960 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 b
1054 0.10377 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1055 0.08251 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 r
1056 0.04324 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 r
1087 0.24398 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 e
1090 0.01475 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 e
1093 0.07074 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 a
1094 0.11020 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 a
1105 0.07212 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754 Password:
1108 0.02244 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754
1115 0.24651 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 p
1120 0.07970 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1122 0.00623 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 o
1123 0.11307 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1124 0.09368 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 o
1125 0.10588 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1126 0.08829 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 h
1127 0.13538 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1128 0.10856 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 b
1131 0.04106 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
1133 0.16857 cesgi1.ce.vt.edu -> scws29.harvard.edu TELNET C port=6754 e
1136 0.02925 scws29.harvard.edu -> cesgi1.ce.vt.edu TELNET R port=6754
The C packets (client to server) carry one keystroke each: the login name is typed and echoed back by the server in the R packets, then after the Password: prompt the password is sent character by character with no echo. Both are in the clear to anyone on the path; this is the case for replacing telnet with an encrypted login.
Tcpdump Example
Big Brother
Web based system and network monitor.
Client server model
– Clients run on the systems you want to monitor
– Simple shell scripts that monitor different aspects of your system and network
What can it check?
– Disk space, CPU utilization, critical processes, weather parameters, building monitors
Big Brother
Color coded WWW page showing a matrix of machines and monitored functions.
Notifies sysadmins by email, pager, SMS.
System requirements
– Unix – www server, /bin/sh, C compiler to port BB
– NT – v4.0 with SP3 minimum, Intel or Alpha platforms
Big Brother
Installation Steps
– cd install
– ./bbconfig
– cd ../src
– make
– make install
– cd ../etc
• Edit bb-hosts, bbdef.sh, bbwarnrules.cfg
– cd ..
– ./runbb.sh start
Big Brother
Can monitor more services by modifying bb-network.sh.
BB shows historical data. Drilling down to a host page and clicking on the history buttons shows the last 24 hr stats.
Doesn't need to run as root. Run it as 'bb'.
Restricts incoming connections by ACL.
VNC Viewer
Available from www.uk.research.att.com/vnc
Great remote control tool for Windows 95/98, NT, 2000, Macintosh and Unix clients.
Nice help desk tool. It displays the remote desktop on your system.
Functionally the legitimate equivalent of the Back Orifice/BO2K remote control tools, which also means an unexpected VNC server on a machine deserves the same suspicion.
lsof, inzider
These programs list the processes running on a system.
They also list the files opened by those processes, network sockets included.
Useful in finding where a sniffer's log file is located.
Sample lsof Utility Output
# ./lsof /sbin/racket.udp
COMMAND   PID USER FD  TYPE DEVICE  SIZE/OFF INODE NAME
racket.ud 450 root txt VREG 128, 16 20332    15836 /sbin/racket.
# ./lsof -p 450
COMMAND   PID USER FD  TYPE DEVICE  SIZE/OFF INODE NAME
racket.ud 450 root cwd VDIR 128, 16 1024     2     /
racket.ud 450 root txt VREG 128, 16 20332    15836 /sbin/racket.udp
racket.ud 450 root txt VREG 128, 16 1483100  904   /lib/libc.so.1
racket.ud 450 root txt VREG 128, 16 585876   2051  /lib/rld
racket.ud 450 root 3u  inet 0x8af730e4 0t0         TCP *:3038
# ./lsof -p 1423,1424
COMMAND   PID  USER FD  TYPE DEVICE  SIZE/OFF INODE NAME
racket.ud 1423 root cwd VDIR 128, 16 1024     2     /
racket.ud 1423 root txt VREG 128, 16 20332    15836 /sbin/racket.udp
racket.ud 1423 root txt VREG 128, 16 1483100  904   /lib/libc.so.1
racket.ud 1423 root txt VREG 128, 16 585876   2051  /lib/rld
racket.ud 1423 root 0u  inet 0x89c804e0 0t373      TCP cesgi1.ce.vt.edu:3038->sable.cc.vt.edu:4894
racket.ud 1423 root 1u  inet 0x8a8d8d60 0t225      TCP cesgi1.ce.vt.edu:1307->vtaix.cc.vt.edu:telnet
racket.ud 1424 root cwd VDIR 128, 16 1024     2     /
racket.ud 1424 root txt VREG 128, 16 20332    15836 /sbin/racket.udp
racket.ud 1424 root txt VREG 128, 16 1483100  904   /lib/libc.so.1
racket.ud 1424 root txt VREG 128, 16 585876   2051  /lib/rld
racket.ud 1424 root 3u  inet 0x8af730e4 0t0         TCP *:
What the output says: PID 450 is a root process listening on TCP port 3038. PID 1423, running the same binary, has an accepted connection from sable.cc.vt.edu on that port as its stdin (fd 0) and an outbound telnet session to vtaix.cc.vt.edu as its stdout (fd 1), i.e. it is relaying whoever connected to 3038 into a telnet login elsewhere on campus. PID 1424 is the listener waiting for the next client.
Sysadmin Tools
Sudo
– Unix access control is all (root) or nothing (user).
– Some commands (backup, restore) are restricted to root but are really an OPERATOR class command. You don't want an operator to have root access, but you do want them to do backups.
– Sudo lets you set up this "pseudo" privilege scheme.
Sudo
Sudo uses the user's identity and the host to restrict the commands the user can run as root.
It is not a shell: it runs one listed command at a time with root privilege and logs it.
The user is prompted for their own password (not root's) before the command runs.
Sudo
The sudoers file lists the commands, shells and hosts for which a user may run commands.
Always list the full path name for the commands, so a user can't satisfy the rule with a same-named program earlier in their PATH.
Notifies sysadmins (by mail) if someone not in sudoers tries to use it.
Notifies sysadmins if a user in sudoers tries to run a command they haven't been given.
Sudo
Advantages
– Good warning if someone tries to use it incorrectly.
– Easy to configure for multiple machines: one sudoers file with host-qualified entries.
– Adequate internal security checks
• Checks for "." in PATH
• Removes LD* variables (library preload/search overrides) before execution
Disadvantages
– Older versions work with the root userid only; newer releases can run commands as other users.
– Doesn't handle commands that use a subshell to spawn other commands: anything that can shell out (editors, pagers, interpreters) hands the user a root shell, so choose the listed commands carefully.
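The sudoers decision and the two internal checks from the last three slides, as an added example in Python (not sudo's code, which is C). The sudoers text, the hosts, the user names and the environment are constructed, and the file syntax is a simplified form of the real one: user, host, then a comma-separated list of full-path commands. The log wording mirrors the two warnings the slides mention, a user outside sudoers and a listed user asking for a command they were not given.

```python
"""sudoers-style decision and environment scrubbing.

Added example, not sudo's code.  It models the points on the slides: rules
keyed by user and host, commands listed by full path, warnings on misuse,
and the internal checks ("." in PATH, LD_* variables removed).  The sudoers
text and the environment below are constructed, and the syntax is a
simplified form of the real file.
"""

SUDOERS = """
# user   host    = command list (full paths only)
oper     ALL     = /usr/sbin/ufsdump, /usr/sbin/ufsrestore
bob      cesgi1  = /usr/bin/passwd
bob      ALL     = /bin/kill
"""


def parse_sudoers(text):
    """Return [(user, host, command)]; reject any command not given by full path."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        who, _, cmds = line.partition("=")
        user, host = who.split()
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            if not cmd.startswith("/"):
                raise ValueError(f"sudoers: command must be a full path: {cmd!r}")
            rules.append((user, host, cmd))
    return rules


def sanitize_env(env):
    """Drop LD_* (library preload/search hijacks) and strip '.' and empty
    entries from PATH so a planted binary in the cwd is never run as root."""
    clean = {k: v for k, v in env.items() if not k.startswith("LD_")}
    parts = clean.get("PATH", "").split(":")
    clean["PATH"] = ":".join(p for p in parts if p not in ("", "."))
    return clean


def decide(rules, user, host, argv, env):
    """Return (allowed, log_line, env_for_child)."""
    prog = argv[0]
    cmd = " ".join(argv)
    user_rules = [r for r in rules if r[0] == user]
    if not user_rules:
        return False, f"{user} : user NOT in sudoers ; HOST={host} ; COMMAND={cmd}", None
    if not prog.startswith("/"):
        return False, f"{user} : command must be a full path ; HOST={host} ; COMMAND={cmd}", None
    if any(h in ("ALL", host) and c == prog for _, h, c in user_rules):
        return True, f"{user} : HOST={host} ; USER=root ; COMMAND={cmd}", sanitize_env(env)
    return False, f"{user} : command not allowed ; HOST={host} ; COMMAND={cmd}", None


RULES = parse_sudoers(SUDOERS)
# constructed: the environment a hostile user might bring along
ENV = {"PATH": ".:/usr/bin:/bin", "LD_PRELOAD": "/tmp/.x/libroot.so", "HOME": "/home/bob"}

if __name__ == "__main__":
    for user, host, argv in [("oper", "anyhost", ["/usr/sbin/ufsdump", "0uf", "/dev/rmt/0", "/"]),
                             ("oper", "anyhost", ["/bin/sh"]),
                             ("alice", "cesgi1", ["/bin/sh"]),
                             ("bob", "cesgi1", ["/usr/bin/passwd", "root"]),
                             ("bob", "vtaix", ["/usr/bin/passwd", "root"])]:
        ok, log, env = decide(RULES, user, host, argv, ENV)
        print("ALLOW" if ok else "DENY ", log)
```

Note the deliberate trap in the sample file: "bob cesgi1 = /usr/bin/passwd" with no argument restriction lets bob run passwd root and change the root password, and /usr/sbin/ufsrestore can write anywhere on the filesystem. The full-path check and the environment scrub protect sudo itself; what the permitted command can do once it is running is the part the "Disadvantages" slide warns about, and only a careful command list fixes that.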
Proactive Password Tools
Most newer OSes allow you to set password rules in config files.
Crack is still the best of the bunch.
Npasswd and passwd+ are two older but still effective tools.
Npasswd is a good tool for those who don't want to spend a lot of time configuring a password checker.
Passwd+ requires more configuration time.
![Page 95: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/95.jpg)
Crack
The first of the really good password crackers. Available on the net for the past 10 years.
Easy to customize. Works on old-style (non-shadow) password files, where the hash sits in the second field.
On a shadowed system, use a preprocessor to rebuild the old format from passwd and shadow, or pull the entries from NIS/NIS+.
Can be distributed among systems. http://www.users.dircon.co.uk/~crypto/
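The preprocessing step mentioned above, rebuilding an old-format password file from passwd and shadow, as an added example; this is not Crack's own merge script. The passwd and shadow lines are constructed, and the hash fields are placeholder strings rather than real password hashes. Accounts with no password or a locked hash are dropped so that Crack does not waste time on them.

```python
"""Rebuild an old-format password file (hash in the second field) from
/etc/passwd plus /etc/shadow, the preprocessing Crack needs on a shadowed
system. Added example, not Crack's own script. Input lines are constructed
and the hash fields are placeholders, not real password hashes.
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:AAlegacyhashXYZ:1003:1003:Old entry:/home/legacy:/bin/sh
+::::::
"""

SAMPLE_SHADOW = """\
root:AArootplaceholder:11000:0:99999:7:::
alice:AAaliceplaceholder:11000:0:99999:7:::
bob:!AAbobplaceholder:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
"""

# Hash fields that mean "nothing to crack": no password set, or account locked.
UNCRACKABLE = {"", "*", "x", "NP", "!"}


def merge_shadow(passwd_text, shadow_text):
    """Return passwd-format lines with the real hash in field 2, skipping NIS
    '+'/'-' marker lines and accounts whose hash is empty or locked."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith(("#", "+", "-")):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        h = shadow.get(fields[0], fields[1])   # non-shadowed entries keep their own hash
        if h in UNCRACKABLE or h.startswith("!"):
            continue                           # locked ('!...') or no password: skip
        fields[1] = h
        merged.append(":".join(fields))
    return merged


if __name__ == "__main__":
    for line in merge_shadow(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(line)
```

The merged file contains every crackable hash on the system, so treat it like the shadow file itself: build it as root, keep it mode 600, and delete it when the Crack run is finished.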
![Page 96: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/96.jpg)
npasswd
Uses ASCII dictionaries or DBM format dictionaries. Programs to build dictionaries are included. If the password is in the dictionary, it’s rejected. Case-folded
and reversed word checks are done as well.
Does singlecase (Yes/No) checks.
– Allow passwords in one case. Default = No.
Does Control Character (Yes/No) checks.
– Allows passwords with ASCII control characters in them. Default = Yes.
Does min/max length checks.
![Page 97: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/97.jpg)
npasswd
Checks for 3 sequential occurrences of the same character. This value can be modified.
Does illegal character check (^C, ^D, ^G, ^J, ^M, ^O, ^Q, etc.: characters the terminal driver acts on, so they are refused even when other control characters are allowed).
Good, quick, easy tool to use.
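The npasswd checks described on the two slides above, implemented together as an added example; this is not npasswd's own code. The word list is a constructed stand-in for the ASCII or DBM dictionaries npasswd loads, the Yes/No defaults follow the slides (singlecase = No, control characters = Yes, repeat limit 3), and the length limits are assumed values.

```python
"""Proactive password checks in the style of npasswd: dictionary lookup
(case-folded, forward and reversed), single-case, control-character, length,
repeated-character and illegal-character checks. Added example, not
npasswd's code; DICTIONARY is a constructed stand-in and the length limits
in Policy are assumed.
"""

# Constructed stand-in for a word list (npasswd would load a real dictionary).
DICTIONARY = {"password", "secret", "welcome", "qwerty", "hokies", "blacksburg"}

# ^C ^D ^G ^J ^M ^O ^Q: control characters the tty driver acts on, so they
# are refused even when other control characters are allowed.
ILLEGAL_CHARS = {"\x03", "\x04", "\x07", "\x0a", "\x0d", "\x0f", "\x11"}


class Policy:
    """Tunable settings. singlecase, control_chars and max_repeat follow the
    npasswd defaults on the slides; min_len and max_len are assumed values."""
    def __init__(self, min_len=6, max_len=32, singlecase=False,
                 control_chars=True, max_repeat=3, dictionary=DICTIONARY):
        self.min_len = min_len
        self.max_len = max_len
        self.singlecase = singlecase          # allow a password entirely in one case?
        self.control_chars = control_chars    # allow ASCII control characters at all?
        self.max_repeat = max_repeat          # this many identical chars in a row is rejected
        self.dictionary = dictionary


def longest_run(s):
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(pw, policy=None):
    """Return the list of reasons the password fails; an empty list means accepted."""
    p = policy or Policy()
    reasons = []
    if len(pw) < p.min_len:
        reasons.append("too short")
    if len(pw) > p.max_len:
        reasons.append("too long")
    folded = pw.lower()
    if folded in p.dictionary or folded[::-1] in p.dictionary:
        reasons.append("dictionary word (forward or reversed)")
    has_letters = any(c.isalpha() for c in pw)
    if not p.singlecase and has_letters and (pw.lower() == pw or pw.upper() == pw):
        reasons.append("single case")
    controls = [c for c in pw if ord(c) < 32 or ord(c) == 127]
    if controls and not p.control_chars:
        reasons.append("control character")
    elif any(c in ILLEGAL_CHARS for c in controls):
        reasons.append("illegal character")
    if longest_run(pw) >= p.max_repeat:
        reasons.append("%d or more repeats of one character" % p.max_repeat)
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "TERCES", "Tr0ub4dor&3", "baaaRight1", "Ab1\x03xyz"):
        print(repr(candidate), check_password(candidate) or "accepted")
```

Note the order of the control-character tests: when control characters are disallowed outright, every one of them is rejected by that rule; only when they are allowed does the narrower illegal-character list apply.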
![Page 98: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/98.jpg)
Home Grown Tools
Network Mgt Group developed a couple of tools for their own use.
Our CIRT can use the same tools to track an attack in our network.
Our Netadmins control the ENTIRE University net and developed these tools to help them manage, fix and bill usage of net resources. They are SQL front ends to an Oracle DB.
![Page 99: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/99.jpg)
![Page 100: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/100.jpg)
![Page 101: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/101.jpg)
![Page 102: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/102.jpg)
![Page 103: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/103.jpg)
![Page 104: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/104.jpg)
![Page 105: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/105.jpg)
![Page 106: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/106.jpg)
![Page 107: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/107.jpg)
![Page 108: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/108.jpg)
![Page 109: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/109.jpg)
Using the Tools – A Strategy
– Preparation
– Detection
– Containment
– Eradication
– Recovery
– Followup
![Page 110: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/110.jpg)
Preparation
Unix Host Systems
– Install TCP Wrappers, Portsentry, logcheck, tripwire, lsof, ipfilter
NT/2000
– Inzider, syslog converters
Network
– Ingress, egress filters in place
– Router logs in place
![Page 111: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/111.jpg)
Detection
Portsentry, TCP wrappers, Personal Firewall tools usually send the first alarm.
Network router filters may trigger an alarm as well.
Once an event is detected, reaction mechanisms are enabled
![Page 112: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/112.jpg)
Containment
Detection tools give the source IP address. Router blocks may be enabled to prevent
additional attacks from that address.
HC++ tool used to isolate the offending system.
Portsentry or PFW tools prevent further access to the systems.
![Page 113: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/113.jpg)
Eradication
HC++ tool used to shut off the internal port. Router blocks on the external IP address.
Tripwire used to identify the added or altered files so they can be removed. Network backup software can be used to
verify this. Why? Most network backup software does incremental backups, so it will have captured a newly installed file and the date it appeared.
![Page 114: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/114.jpg)
Recovery
“Jumpstart” style OS installation
Network and regular backup software
File servers may limit the damage
![Page 115: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/115.jpg)
Followup
See what components worked.
– Could additional scanning detect the holes?
– How fast did the reaction mechanisms work?
– Did the internal network tools work?
– Did the backup procedures work?
– What didn’t work? Why? How?
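The Tripwire step in the strategy above (record what the system looked like in Preparation, then find what an intruder added, altered or deleted during Eradication) as an added example; this is not Tripwire's own code. demo() builds a constructed directory tree in a temporary directory and applies a rootkit-style change set to it, so no real system files are touched.

```python
"""Tripwire-style integrity check: record a baseline of digests, sizes and
permission bits, then diff the live tree against it to list added, removed
and altered files. Added example, not Tripwire's code. demo() works on a
constructed tree in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (sha256, size, permission bits) for every regular file."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):    # symlinks, devices etc. are not hashed here
                continue
            rel = os.path.relpath(full, root)
            db[rel] = (file_digest(full), st.st_size, stat.S_IMODE(st.st_mode))
    return db


def compare(old, new):
    """Classify paths as added, removed or changed (content, size or mode)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def write(root, rel, data, mode=None):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a fake system tree, then apply a rootkit-style
    change set (trojaned ls, setuid bit on ps, dropped shell, wiped log)."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"#!/bin/sh\nexec /bin/ls.real \"$@\"\n", 0o755)
        write(root, "bin/ps", b"#!/bin/sh\nexec /bin/ps.real \"$@\"\n", 0o755)
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o644)
        write(root, "var/log/messages", b"Jan  1 00:00:00 host syslogd: restart\n", 0o644)
        base = baseline(root)                                # Preparation

        write(root, "bin/ls", b"#!/bin/sh\nexec /bin/ls.real \"$@\" | grep -v rootkit\n")  # content
        os.chmod(os.path.join(root, "bin/ps"), 0o4755)                                      # mode only
        write(root, "tmp/.x/sh", b"#!/bin/sh\nexec /bin/sh\n", 0o4755)                      # new file
        os.remove(os.path.join(root, "var/log/messages"))                                    # wiped
        return compare(base, baseline(root))                 # Eradication


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

Two caveats carry over to the real tool: the baseline must be taken on a known-clean system (straight after the "Jumpstart" install, before the box is on the network), and it must be stored off-host or on read-only media, because an intruder with root can rewrite a baseline that lives on the compromised machine. Tripwire signs its database for exactly this reason.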
![Page 116: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/116.jpg)
Summary
There are some excellent freeware tools that will help you with sysadmin and security issues at your site.
Use these tools to gain experience in evaluating vendor tools.
A combination of vendor and freeware tools is desired
There are MORE tools out there.
![Page 117: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/117.jpg)
Where to Get the Tools
http://ciac.llnl.gov – TCP Wrappers, crack, tcpdump, lsof
http://www.wwdsi.com – SAINT
http://www.www-arc.com/sara – SARA
http://www.tripwire.com – tripwire
![Page 118: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/118.jpg)
Where to Get the Tools
http://www.psionic.com – Logcheck, portsentry
http://www.uk.research.att.com/vnc – VNCViewer
http://www.insecure.org – Nmap
http://www.ssh.org – SSH
![Page 119: Building a Secure Environment for Free](https://reader034.vdocument.in/reader034/viewer/2022051611/54b5d0794a7959567e8b4576/html5/thumbnails/119.jpg)
Where to Get the Tools
www.nessus.org – Nessus
http://packetstorm.securify.com (now defunct)