securing linux
what people can see
Big Picture
How to rob a bank
A bit of History
• 1954 & 1960 Bell System Tech Journals, trunk routing and frequencies
• Pranks: Wozniak called the Pope
• 2600 Hz tone: Captain Crunch whistle
• Phone Phreaking
• Steve Wozniak's blue box tone generator
• 1990: phone system became digital
• War dialing: early form of scanning
• Wargames (1983)
Socket Programming
• USPS Addressing – 1520 Orchard Road Apt 2A
• IP Addressing – 192.168.10.50/5900
• Service / Application listens on open port
• Instant messaging, VOIP in games, telnet, FTP, HTTP
• Protocols – languages
overview
• Network topologies
  – eggshell architectures
• where to get information
  – news groups and mailing lists
• mapping a network
  – ping sweeps and traceroutes
• mapping a host
  – port scans and OS fingerprinting
• network scanners
  – everything in a single powerful package
• social engineering
  – exploiting human nature
where to get information
• news groups and mailing lists
• forums
• WHOIS database
  – www.arin.org
• DNS
Traditional topology
Enhanced traditional topology
Secure network topology
news groups / mailing lists / forums
• these are valuable resources
  – system administrator
  – newbie
• BUT people get over-excited and reveal too much information (gear head syndrome)
• golden rule: remain faceless and traceless
• security through obscurity
  – post only using generic terms
news groups / forums
• they are a source of information
  – personal information
    • name, address, title, phone, e-mail
  – system configuration
    • network architecture
    • real host names and IP addresses
    • hardware: brand names and model numbers
  – archives
    • this information never goes away!!!
    • http://www.archive.org
news groups / mailing lists
• countermeasures:
  – use generic titles, not real names
  – use switchboard numbers, not personal numbers
  – separate e-mail address
    • work-related communication (generic title)
    • personal communication – [email protected]
  – limit any public description of the network
    • fictitious IP addresses & fictitious host names
WHOIS database www.arin.org
• whenever a domain name is registered
  – information must be submitted with the registration
  – this information is publicly available
• whois utility
  – may require installation
• linux example:
  – whois lewisu.edu
  – whois ibm.com
WHOIS database
• countermeasures:
  – use generic titles, not real names
  – use switchboard numbers, not personal numbers
  – separate e-mail address
    • work-related communication (generic title)
    • personal communication
• obviously you MUST give valid information
• the goal is NOT to give away valuable information unnecessarily
DNS issues
• zone files have numerous options which provide information
  – HINFO: system info, CPU and OS
  – TXT: additional text
  – RP: responsible person information
• zone transfers
  – mandatory from primary server to secondary server
DNS Basics
• the Domain Name System performs name / IP address resolution on the Internet
• started in 1983 (RFC 882); it has grown into one of the largest and most powerful parts of the net
• beyond name translation, a number of protocols and applications use DNS for their main activity
  – SMTP, for mapping e-mail addresses to their mail server
  – SPF records, telephone numbers & addresses, certificates and other info stored in DNS zone records
BIND
• Berkeley Internet Name Domain Server
• BIND is open-source software that implements the DNS protocols for the Internet.
DNS issues
• dig, the DNS lookup utility (domain information groper), is a flexible tool for interrogating DNS name servers
• linux example:
  – dig -t hinfo hostname
  – dig -t txt hostname
DNS issues
• reverse lookups (IP address --> host name) often provide too much free information
  – 129.42.58.216 --> www.ibm.com
  – www is a standard prefix for a web server
• linux example:
  – dig www.lewisu.edu
  – dig -x 204.248.57.178
DNS issues
• every version of BIND (4, 8, and 9) has its flaws!
• 9 was a total rewrite and still had issues
  – the following command
    • host -c chaos -t txt version.bind <server>
  – will usually tell you the specific version
• linux example:
  – dig -c chaos -t txt version.bind
DNS issues
• countermeasures: faceless & traceless
  – edit /etc/named.conf
    • delete HINFO records
    • delete TXT records
    • RP records should contain a generic title
    • eliminate zone transfers
      – primary to secondary server
        » allow-transfer { 233.45.164.27; };
      – otherwise
        » allow-transfer { none; };
    • disable the version.bind response
      » version "not available";
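As an added example (mine, not from the slides), a small Python audit for the countermeasures above: it checks a named.conf for a restricted allow-transfer and a non-revealing version string, and lists the HINFO, TXT and RP records in a zone file. Both named.conf samples and the zone file are constructed; the HINFO/TXT/RP records live in the zone files named.conf points at, so the second function reads a zone file and assumes the usual `owner IN TYPE rdata` layout.

```python
import re

# Constructed named.conf samples (not from the slides): the first leaves zone
# transfers open and the version visible, the second applies the countermeasures.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
zone "example.test" { type master; file "example.test.zone"; };
"""

HARDENED_NAMED_CONF = """
options {
    directory "/var/named";
    version "not available";            // hides the real version.bind answer
    allow-transfer { 233.45.164.27; };  // only the secondary may pull the zone
};
zone "example.test" { type master; file "example.test.zone"; };
"""

# Constructed zone file for example.test; HINFO and RP are the records at issue.
ZONE_FILE = """
$TTL 3600
@    IN SOA   ns1.example.test. hostmaster.example.test. ( 1 3600 900 604800 300 )
@    IN NS    ns1.example.test.
ns1  IN A     192.0.2.10
www  IN A     192.0.2.20
www  IN HINFO "x86_64" "Linux 5.x"
@    IN RP    jsmith.example.test. jsmith-info.example.test.
"""


def audit_named_conf(text):
    """Return findings about zone-transfer and version exposure in a named.conf."""
    findings = []
    text = re.sub(r"(//|#).*", "", text)          # drop comments so they do not count
    transfers = re.findall(r"allow-transfer\s*\{([^}]*)\}", text)
    if not transfers:
        findings.append("allow-transfer not set: transfers fall back to BIND's default")
    for acl in transfers:
        entries = [e.strip() for e in acl.split(";") if e.strip()]
        if "any" in entries:
            findings.append("allow-transfer { any; }: whole zone readable by anyone")
    version = re.search(r'\bversion\s+"([^"]*)"\s*;', text)
    if version is None:
        findings.append("version not set: version.bind query returns the real version")
    elif re.search(r"\d", version.group(1)):
        findings.append("version string still contains a number")
    return findings


def exposed_records(zone_text):
    """Return (owner, type) for HINFO, TXT and RP records in a zone file."""
    hits = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue
        owner, rtype = fields[0], fields[2].upper()  # assumes "owner IN TYPE rdata"
        if rtype in ("HINFO", "TXT", "RP"):
            hits.append((owner, rtype))
    return hits
```

Running `audit_named_conf` on the weak sample reports the open transfer ACL and the missing version string; the hardened sample produces no findings.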
protocols and services
• network layer
  – IP: internet protocol
• transport layer
  – ICMP: internet control message protocol
  – UDP: user datagram protocol
  – TCP: transmission control protocol
• services
IP: internet protocol
• foundational layer for higher level protocols
• packet header contains
  – source IP address
  – destination IP address
ICMP: internet control message protocol
• purpose of ICMP is to provide feedback about IP performance
• packet header contains
  – source IP address, destination IP address
  – packet type, checksum, data
• most well-known packet types
  – 7 echo request
  – 0 echo reply
  – 3 destination unreachable
  – 30 traceroute
UDP: user datagram protocol
• purpose of UDP is a minimal transport service with no guarantee of delivery
  – connection-less
• packet header contains
  – source IP address, destination IP address
  – source port number, destination port number
  – length, checksum, data
• faster communication
  – but packet loss possible
TCP: transmission control protocol
• purpose of TCP is a transport service with guarantee of delivery
  – connection-oriented
• packet header contains
  – source IP address, destination IP address
  – source port number, destination port number
  – sequence #, control bits, checksum, data
• slower communication
  – but no packet loss
TCP: transmission control protocol
• control bits include:
– SYN, ACK, RST, FIN, ...
• building a connection:
– source sends SYN
– destination sends SYN/ACK
– source sends ACK
• terminating a connection:
– source sends FIN/ACK
– destination sends ACK
– destination sends FIN/ACK
– source sends ACK
services
• port numbers fall into three categories:
  – 0 through 1023: well-known
  – 1024 through 49151: registered
  – 49152 through 65535: dynamic / private
• www.iana.org has responsibility for assigning well-known port numbers
• well-known port numbers can only be used by root
services
• linux example:
  – less /etc/services
mapping a network
• ping sweeps
  – cracker sees what is out there
• traceroutes
  – cracker learns how to get there
• countermeasures
ping sweeps
• types of ping sweeps
  – icmp ping: traditional echo request
  – echo port ping: request to port 7 (echo)
  – fast ping: icmp ping to multiple hosts
  – network sweep
ping sweeps
• countermeasures:
  – edit iptables and firewalls
    • no incoming / outgoing ICMP requests
    • limit ICMP requests to internal network only
    • drop ICMP at firewall
  – be sure echo port and chargen port are disabled
    • edit /etc/inetd.conf or /etc/xinetd.conf
    • consider disabling inetd or xinetd completely!
fundamental network tools
• netcat / nc
  – swiss army knife of network communication
  – invaluable to both
    • the system administrator
    • the cracker
• nmap
  – basic tool for
    • ping sweeps
    • port scans
ntop
• ntop is a network traffic probe that shows network usage
  – similar to the UNIX top command
• ntop is a daemon that monitors the network
• ntop has a web interface
traceroutes
• once potential targets have been identified via ping sweeps, the cracker can augment information about the hosts using traceroute
• often provides information regarding
  – location
    • ISP names and locations often visible
  – hardware
    • descriptive names for routers, switches, and hosts
traceroutes
• flavors
  – UNIX traceroute
    • command
      – traceroute <target>
    • sequence of UDP packets having increasing TTLs
  – Matt's traceroute
    • command
      – mtr <target>
    • sequence of ICMP packets having increasing TTLs
traceroutes
• countermeasures:
  – edit iptables and firewalls
    • drop ICMP request packets
    • drop UDP packets in traceroute range
      – 33,435 through 33,524
  – do NOT use descriptive names for components within the network
    • function / role
    • vendor
mapping a host
• port scans
  – cracker sees what ports are open
• OS fingerprinting
  – cracker determines underlying software
• countermeasures
port scans
• what ports are open on the target host?
• what daemon is listening on each open port?
  – what software? what version?
port scans
• tools
  – netcat
    • UDP scans
    • TCP scans
  – nmap
    • UDP scans
    • TCP scans
    • TCP stealth scans
  – strobe
port scans
• countermeasures:
  – klaxon
    • incorporated into /etc/inetd.conf or /etc/xinetd.conf
    • to listen on unused ports
  – scanlogd
    • monitors ports for sudden increase in activity
  – portsentry
    • monitors up to 64 ports
    • able to take action against an intruder!
      – tcp wrappers and/or iptables
  – psad
    • analysis of firewall logs
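The scanlogd / psad approach, as an added example that is not from the slides or from either tool: it parses constructed iptables LOG lines (the kind an `iptables ... -j LOG` rule writes to syslog) and flags any source that touches many distinct TCP ports within a short window. Addresses, timestamps and the log prefix are made up; the rule quoted in the comment is one common way to produce such lines.

```python
import re
from collections import defaultdict

# Constructed syslog lines from an iptables LOG rule such as
#   iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN: "
# (sample data, not from the slides): 198.51.100.7 probes six ports in three
# seconds, while 203.0.113.5 is an ordinary client retrying 443 and fetching 80.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  3 10:15:01 gw kernel: SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  3 10:15:01 gw kernel: SYN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  3 10:15:02 gw kernel: SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40003 DPT=23 SYN
Mar  3 10:15:02 gw kernel: SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40004 DPT=25 SYN
Mar  3 10:15:02 gw kernel: SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40005 DPT=80 SYN
Mar  3 10:15:03 gw kernel: SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40006 DPT=110 SYN
Mar  3 10:15:04 gw kernel: SYN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  3 10:15:09 gw kernel: SYN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=80 SYN
Mar  3 10:20:00 gw kernel: SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40007 DPT=443 SYN
"""

# time of day, source address, protocol and destination port from one LOG line
LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d) .*?SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")


def parse_log_line(line):
    """Return (seconds since midnight, src, proto, dport), or None if not a LOG entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group(1, 2, 3))
    return h * 3600 + mi * 60 + s, m.group(4), m.group(5), int(m.group(6))


def detect_scans(log_text, min_ports=5, window_s=10):
    """Flag sources that hit at least min_ports distinct TCP ports within window_s seconds.

    This is the scanlogd / psad idea in miniature: one client rarely needs many
    different ports in a short interval, so the spread of destination ports, not the
    raw SYN count, is the signal. Returns {src: sorted ports seen in that window}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec[2] == "TCP":
            events[rec[1]].append((rec[0], rec[3]))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):        # slide a window forward from each hit
            ports = {p for t, p in hits[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

With the defaults only 198.51.100.7 is reported; the retrying client stays below the threshold because it touches two ports, not many.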
port scans
• identifying software listening on a given port is usually as simple as
  – telnet <target> <port>
• software typically displays a banner announcing itself and its version number!
• countermeasures:
  – remove / modify banner display
  – example:
    • in /etc/sendmail.cf
      – O SmtpGreetingMessage=$jUPS 2005;$b
OS fingerprinting
• OS fingerprinting
  – telnet is notorious for identifying
    • the operating system, the distribution, even the kernel
  – open ports often provide clues
    • smtp, ssh, and portmap => UNIX
    • netbios => Windows
  – /etc/issue, /etc/issue.net, and /etc/motd
    • often convey too much information
OS fingerprinting
• active OS fingerprinting
  – send sequence of special IP packets to target
  – catalog responses
  – compare with database of responses from various operating systems
  – software
    • queso
    • nmap
    • xprobe
OS fingerprinting
• countermeasures:
  – utilize a firewall in front of servers
    • operating system detected is that of the firewall and not that of the server
  – disable ICMP packets at the firewall
    • negates xprobe
  – install IP Personality
    • only for Linux 2.4 kernels?
    • using iptables, can impersonate ANY operating system
OS fingerprinting
• passive OS fingerprinting
  – does not initiate any additional IP traffic
  – uses packet sniffing to gather information
  – software
    • siphon
    • p0f
OS fingerprinting
• countermeasures
  – can change some parameters of the operating system
    • cat /proc/sys/net/ipv4/ip_default_ttl
      – default value is 64
    • echo 35 > /proc/sys/net/ipv4/ip_default_ttl
      – change to 35
  – edit error messages to masquerade as something else
    • apache httpd.conf
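An added example (mine, not from the slides) showing why the ip_default_ttl change works against a passive fingerprinter: the table of default TTLs is a constructed approximation of what tools like p0f consult, and the functions model a sniffer some hops away rounding the TTL it sees up to the nearest default to guess the sender's OS family and distance.

```python
# Initial TTLs that a passive fingerprinter (p0f and friends) associates with
# operating-system families. Constructed lookup table for this example; real
# tools also weigh window size, TCP options and other header fields.
COMMON_INITIAL_TTLS = {
    32: "Windows 95-era",
    64: "Linux / *BSD / macOS",
    128: "Windows NT family",
    255: "Solaris / Cisco IOS",
}


def observed_ttl(initial_ttl, hops):
    """TTL seen by a sniffer `hops` routers away: every router decrements it by one."""
    if not 1 <= initial_ttl <= 255:
        raise ValueError("initial TTL must be 1..255")
    if hops >= initial_ttl:
        raise ValueError("packet expires before it reaches the observer")
    return initial_ttl - hops


def infer_initial_ttl(ttl_seen):
    """Guess (initial TTL, hop distance, OS family) by rounding up to a common default."""
    for initial in sorted(COMMON_INITIAL_TTLS):
        if ttl_seen <= initial:
            return initial, initial - ttl_seen, COMMON_INITIAL_TTLS[initial]
    raise ValueError("TTL above 255 is not valid IPv4")


def what_observer_sees(default_ttl, hops):
    """Round trip: what a sniffer `hops` away concludes about a host using default_ttl."""
    return infer_initial_ttl(observed_ttl(default_ttl, hops))


if __name__ == "__main__":
    # Stock Linux, ip_default_ttl = 64: twelve hops out the packet shows TTL 52 and
    # the observer correctly concludes (64, 12 hops, Linux).
    print(what_observer_sees(64, 12))
    # After the slide's `echo 35 > /proc/sys/net/ipv4/ip_default_ttl` the same packet
    # arrives with TTL 23; the observer now guesses (32, 9 hops, Windows 95-era),
    # wrong on both the OS family and the distance.
    print(what_observer_sees(35, 12))
```

Because 35 is only three above 32, an observer within two hops still sees 33 or 34 and rounds up to 64; the masquerade holds from the third hop on, and TTL is just one of the signals such tools compare.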
network scanners
• combine ping sweeps, traceroutes, port scans, and OS fingerprinting together and you have a network scanner
• ISS: Internet Security Scanner
  – first publicly available
• NESSUS
  – the Cadillac of network scanners!
network scanners
• other network scanners
  – Nmap
  – SATAN: Security Administrator's Tool for Analyzing Networks
    • SANTA!
  – SAINT: Security Administrator's Integrated Network Tool
  – SARA: Security Auditor's Research Assistant
  – NSAT: Network Security Analysts Tool
    • text based!
  – raccess: Remote Access System
    • doesn't just check host; it exploits if possible!
social engineering
• ten common techniques of social engineering
  – impersonation
    • pretend to be someone from inside the company to obtain passwords
    • usually coupled with research regarding IT personnel
  – sympathy
    • usually a request for access to hardware: server room or PC
    • usually coupled with dire consequences if unable to complete the task
social engineering
• ten common techniques (cont'd)
  – wooing
    • develop a trust relationship with the victim
    • to obtain a wide range of information
  – intimidation
    • for victims who do not respond well to sympathy or wooing
    • pretense: company official, government official, inspector
social engineering
• ten common techniques (cont'd)
  – greed
    • money or goods in exchange for information
  – confusion
    • create a diversion which vacates an office
    • access logged-on session
social engineering
• ten common techniques (cont'd)
  – shoulder surfing
    • passive observation of typing
      – either by physical presence as a trusted individual
      – or by using some form of eavesdropping
  – dumpster diving
    • searching garbage for useful information
      – either discarded papers
      – or removable media
social engineering
• ten common techniques (cont'd)
  – phishing
    • request for victim to visit a false web site
    • for the purpose of updating invalid / obsolete information
  – reverse social engineering
    • present oneself as an expert who can fix a problem
    • results in a reversal of roles:
      – victim asks the questions
      – social engineer provides the answers
        » often being granted access to the computer systems
diy pen testing
• whois lewisu.edu
• host lewisu.edu
• dig lewisu.edu
• traceroute www.google.com
• ping lewisu.edu
• Check your box
  – netstat -anp
  – dmesg | more
  – ps aux
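Added example (mine, not from the slides) that turns the `netstat -anp` step into a check of your own box: it parses constructed netstat output, keeps only sockets that listen on a non-loopback address, and labels each with the port category from the services slide. Program names, addresses and ports in the sample are made up.

```python
# Constructed `netstat -anp` output (sample, not from the slides). Real output
# has the same column layout; UDP rows carry no State column.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/rpcbind
tcp        0      0 192.0.2.20:5900         0.0.0.0:*               LISTEN      1203/Xvnc
tcp        0      0 192.0.2.20:22           198.51.100.7:40001      ESTABLISHED 2210/sshd: alice
tcp6       0      0 :::80                   :::*                    LISTEN      1100/apache2
udp        0      0 0.0.0.0:111             0.0.0.0:*                           640/rpcbind
udp        0      0 127.0.0.1:323           0.0.0.0:*                           700/chronyd
udp        0      0 0.0.0.0:59001           0.0.0.0:*                           1500/someapp
"""


def port_category(port):
    """IANA ranges from the 'services' slide."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a port number: {port}")


def parse_netstat(text):
    """Turn netstat -anp rows into dicts; headers and non-socket lines are skipped."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue
        if f[0].startswith("tcp"):                 # tcp rows have a State column
            state, prog = f[5], " ".join(f[6:])
        else:                                       # udp rows do not
            state, prog = "", " ".join(f[5:])
        addr, _, port = f[3].rpartition(":")        # rpartition copes with IPv6 ':::80'
        socks.append({"proto": f[0], "addr": addr, "port": int(port), "state": state, "prog": prog})
    return socks


def exposed_listeners(text):
    """Listening sockets reachable from other hosts, with their IANA port category.

    A socket bound to loopback only serves local clients; anything else (wildcard
    or a real interface address) is what a port scan of this box will find.
    """
    exposed = []
    for s in parse_netstat(text):
        listening = s["state"] == "LISTEN" or s["proto"].startswith("udp")
        loopback = s["addr"].startswith("127.") or s["addr"] == "::1"
        if listening and not loopback:
            exposed.append((s["proto"], s["addr"], s["port"], port_category(s["port"]), s["prog"]))
    return exposed


if __name__ == "__main__":
    for proto, addr, port, cat, prog in exposed_listeners(NETSTAT_OUTPUT):
        print(f"{proto:5} {addr}:{port:<6} {cat:16} {prog}")
```

On the sample, the loopback-only mail and chrony sockets and the established SSH session drop out, leaving six listeners that deserve the "is this needed?" question from the summary slide.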
Summary
• Remove extra packages and services / daemons; close unneeded ports
• Methodology of least privilege
• Adopt a minimalist approach
• Acknowledge there are no security silver bullets!
• Adopt a comprehensive secure design utilizing multiple layers of defense