system administrationpdm12/cse545/slides/cse545-adminstration.pdf · cse598k/cse545 - advanced...

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

System Administration

CSE598K/CSE545 - Advanced Network SecurityLuke St.Clair - Spring 2008

1


Why do we care?• This is probably the most

important thing you can learn to secure systems?

• The idea

‣ to learn a couple practical things

‣ learn some tools to learn more

2


How to get in...• ssh - secure shell

• rhosts - it’s great! I want that.

‣ .rhosts - list of users that can log in

‣ ssh remotehost command - simply run a command on a remote host (useful for scripts)

• server not installed on Ubuntu by default (no open ports!)

3


Garage door opener• Open the door easier

‣ let’s just say who can access

‣ we’ll do it by what people have

‣ .ssh/authorized_keys

• ssh-keygen -t dsa - we’ll make some keys

4


Giving out keys• We made keys, now each host just has to make a list

of what keys are okay

• Who needs to know this?

‣ scp your .ssh/id_dsa.pub (or similar) to your VM

• scp .ssh/id_dsa.pub 130.203.83.20:~/coriakin-key.pub

‣ ssh 130.203.83.20 “cat ~/coriakin-key.pub >> ~/.ssh/authorized_keys”

5


Shortcomings of SSH• pairwise keys - gets annoying

‣ it’s really too many for me to use everywhere

• You have to trust where your host key is

• You just forget things

• MitM

‣ how do you check host key?

‣ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

6


It can be a little easier

7


Being privileged• sudo - superuser do

• there’s no root user!

• sudo visudo - you can see what the policy is

‣ your policy says anyone in the group “admin” can do anything, if they put their password in

• note that you had to sudo to change sudoers, the file that controls sudo policy

8


Let’s get some $\/\/33t w@r3z• What if there was a way to

install things as long as you know what sort of thing you want?

• What if you could update everything with a command?

9


WINDOWS UPDATE!!?!?!?

• WINDOWS UPDATE!!!!!! Rulz!

• roflcopter.

10


Aptitude• Basic Principles

‣ aptitude update - refreshes the list of what exists - practically, do this before you do things

‣ aptitude search - look in the whole repository for matches to your search terms (even descriptions!)

‣ aptitude install <package name> - installs a package. You have to type the name right

‣ aptitude (safe|full)-upgrade - upgrade all your packages, safely, or fully

11


Let’s get a Desktop• Some packages are “meta” packages, which are just

shorthand for listing tons of packages

‣ let’s aptitude install apache2

‣ installs, basically configures, and starts apache2

‣ then aptitude install xubuntu-desktop, which will install a full desktop system, and tightvncserver

12


Visit your website• Point your browserz at your ip address

• You’ve been hax0r3d!

13

Apache HTTP Server Test Page powered by CentOS http://mirror.centos.org/mirrorscripts/noindex_new.html

1 of 2 1/30/08 3:54 PM

Apache 2 Test Pagepowered by CentOS

This page is used to test the proper operation of the Apache HTTP server after it has

been installed. If you can read this page it means that the Apache HTTP server installed at

this site is working properly.

About CentOS:

The Community ENTerprise Operating System (CentOS) is an Enterprise-class

Linux Distribution derived from sources freely provided to the public by a prominent North

American Enterprise Linux vendor. CentOS conforms fully with the upstream vendors

redistribution policy and aims to be 100% binary compatible. (CentOS mainly changes

packages to remove upstream vendor branding and artwork.) The CentOS Project is the

organization that builds CentOS.

For information on CentOS please visit the CentOS website.

Note:

CentOS is an Operating System and it is used to power this website; however, the

webserver is owned by the domain owner and not the CentOS Project. If you have issues with the content of this site, contact the owner of the domain, not the CentOS project.

If you are a member of the general public:

The fact that you are seeing this page

indicates that the website you just visited

is either experiencing problems or is

undergoing routine maintenance.

If you would like to let the administrators of

this website know that you've seen this

page instead of the page you expected,

you should send them e-mail. In general,

mail sent to the name "webmaster" and

directed to the website's domain should

reach the appropriate person.

For example, if you experienced

problems while visiting

www.example.com, you should send

e-mail to "[email protected]".

If you are the website administrator:

You may now add content to the directory

/var/www/html/. Note that until you do

so, people visiting your website will see

this page and not your content. To

prevent this page from ever being used,

follow the instructions in the file

/etc/httpd/conf.d/welcome.conf.

You are free to use the images below on

Apache and CentOS Linux powered

HTTP servers. Thanks for using Apache

and CentOS!


Alternately...

14


init.d

• Nearly every service that would run in the background (apache, ssh, etc) has a script that controls it

‣ instead of trying to figure out which process (ps aux) does what, and how to start/stop the process correctly (not kill!), just ask

‣ they all start/stop/restart - restart is always a safe bet

• you’d do this if you change the config of a running program

‣ let’s restart apache

‣ sudo /etc/init.d/apache restart (remember to tab complete!)

15


VNC• this is all easier on the command line...

• but some stuff isn’t (adding users w/ adduser, adding users to groups with usermod -G group user)

• so we want a desktop, which runs on a remote system,but that wesee on ourlocal system

16


Tunneling• To get this, we have to tunnel our data

‣ Clever firewall admins don’t let VNC through

• ssh -L 5900:firsthost:5901 -TN secondhost

‣ forwards local port 5900 to port 5901 on firsthostvia secondhost - remember this description

‣ set up a tunnel from port 5900on your machine, to 5901 onyour VM, via your VM

17


All that’s left is to connect...• Have to start a server on the remote host

‣ this is per-user: vncserver :1

‣ set a password

• On your local host, point your VNC viewer at yourself (remember, 5900, the VNC port gets tunneled to a remote party via someone’s ssh service), password is your VNC password, NOT ssh password

• You’ll be prompted for your VNC password if you didn’t put it in already

18


Ugly Desktop• See help.ubuntu.com/community/VNCOverSSH

‣ basically, just put something in your .vnc/xstartup

‣ wget http://www.lukestclair.com/tools/config/xstartup

‣ put it in your .vnc file in your home directory

19


Where to get more help• Ubuntuforums.org - by far the best source

• IRC - lots of noise to signal ratio - irc.freenode.org, #ubuntu

• wiki.ubuntu.org

20


Certificate creation• Let’s make a certificate

‣ Don’t try to remember this, just look it up

‣ Make a CA:

• openssl genrsa -des3 -out cakey.key 4096

• openssl req -new -x509 -days 365 -key cakey.key -out cacert.crt

‣ Create server key, request, sign

• openssl rsa -des3 -out server.key 4096

• openssl req -new -key server.key -out server.csr

• openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -set_serial 01 server.crt

‣ this avoids reissuing the same certificate

21


Setting up Apache• sudo a2enmod ssl (enables the SSL module)

• add to /etc/apache2/sites-available/default, right under virtualhost:

‣ SSLEngine on

‣ SSLProtocol all

‣ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem

‣ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

• In /usr/share/doc/ directory, allow all

‣ Order allow, deny

‣ Allow all22


Firewalls• There are so many ways to do this

23


GUIs, or G-U-I’s• Let’s make a firewall, simple-style

• You can do all of these things with iptables, and there are many good tutorials

24


Basic settings• Setup pokes some holes in the firewall

‣ your ethernet device may be different - there should only be one to choose from anyway

25


Policy• Play around with this. Firewall your website’s port 80,

to stop normal http connections (this is not really the best way to do this, but whatever)

• Don’t forgetto “Apply”policy onceyou create it

• Browse port80 and check logs

26


IPsec‣ set up rules for when we want ipsec

‣ first, add

‣ #!/usr/sbin/setkey -f

‣ flush; spdflush; to the top of the file - this gets rid of stuff before

• spdadd 130.203.32.21 130.203.32.20 any -P in ipsec esp/transport//require;

‣ packets from .21 to .20 incoming match this rule - require ipsec

• spdadd 130.203.32.20 130.203.32.21 any -P out ipsec esp/transport//require

‣ packets from .20 to .21 outgoing match this rule

‣ what does spdadd 130.203.32.20 130.203.32.21 any -P in ... do?27


Racoon• This is the program that listens for

connections

‣ get racoon.conf from http://lukestclair.com/tools/config/racoon

• put it in /etc/racoon.conf

‣ Let’s look through it...

28


Racoon.conf• remote anonymous applies this to everything

‣ alternative is to configure by ip addr, as in comments

‣ proposal is what you propose - other side picks

• here we only propose one hash, one encryption, and we only auth by pre-shared key, not certs

• dh_group defines diffie-hellman group - don’t worry about this

29


SA in racoon.conf• Defines how long your connection is good for

• Defines what encryption you support

• That’s it!

30


What did we miss?

31


psk• Fill in /etc/racoon/psk.txt

‣ mine is l33th@x0R

• Try to ping my machine (130.203.83.20)

‣ note the delay or failure

• sudo setkey -F, sudo setkey -FP should show you something, if you want to check errors or just see what’s happening

• if this doesn’t work /etc/init.d/racoon stop, sudo racoon -f /etc/racoon/racoon.conf, and we can see what happens

32

system administrationpdm12/cse545/slides/cse545-adminstration.pdf · cse598k/cse545 - advanced...

Documents