System Administration
CSE598K/CSE545 - Advanced Network Security - McDaniel
Luke St.Clair - Spring 2008
Source slides: pdm12/cse545/slides/cse545-adminstration.pdf
Why do we care?
• This is probably the most important thing you can learn for securing systems
• The idea
‣ to learn a couple of practical things
‣ to learn some tools for learning more
How to get in...
• ssh - secure shell
• rhosts - it’s great! I want that.
‣ .rhosts - a list of remote users who can log in without a password
‣ ssh remotehost command - simply run a command on a remote host (useful for scripts)
• the ssh server (openssh-server) is not installed on Ubuntu by default (no open ports!)
Garage door opener
• Open the door more easily
‣ let’s just say who can access
‣ we’ll do it by what people have (a key), not by what they know (a password)
‣ .ssh/authorized_keys
• ssh-keygen -t dsa - we’ll make some keys
Giving out keys
• We made keys; now each host just has to make a list of what keys are okay
• Who needs to know this?
‣ scp your .ssh/id_dsa.pub (or similar) to your VM
• scp .ssh/id_dsa.pub 130.203.83.20:~/coriakin-key.pub
‣ ssh 130.203.83.20 "cat ~/coriakin-key.pub >> ~/.ssh/authorized_keys"
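The cat >> authorized_keys step above works, but in practice three things go wrong: a private key gets pasted by mistake, the same key is appended twice, and the directory or file ends up with permissions loose enough that sshd ignores it. This added shell example (not from the slides) does the append defensively; the key line, the coriakin@laptop comment and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the slides): append an OpenSSH public key to an
# authorized_keys file defensively. The key line below is a constructed dummy.

install_pubkey() {
    keyline=$1           # one line as found in id_dsa.pub / id_rsa.pub
    sshdir=$2            # normally "$HOME/.ssh"
    authfile="$sshdir/authorized_keys"

    # A public key line is "<type> <base64 blob> [comment]"; anything else
    # (a private key block pasted by mistake, an empty line) is refused.
    if ! printf '%s\n' "$keyline" |
        grep -Eq '^(ssh-dss|ssh-rsa|ecdsa-sha2-nistp[0-9]+|ssh-ed25519) [A-Za-z0-9+/]+=*( .*)?$'; then
        echo "refusing: not an OpenSSH public key line" >&2
        return 1
    fi

    # sshd (StrictModes) ignores authorized_keys when the directory or file
    # is group/world writable, so create both with tight permissions.
    oldmask=$(umask)
    umask 077
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -e "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile"
    umask "$oldmask"

    # Compare on type+blob only, so a changed comment is not a "new" key.
    keyid=$(printf '%s\n' "$keyline" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$authfile" | grep -Fxq "$keyid"; then
        echo "already present, not appending" >&2
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authfile"
}

# count_keys FILE: number of key lines in an authorized_keys file
count_keys() { grep -Ec '^(ssh-|ecdsa-)' "$1"; }

# Demo on a scratch directory (the slides scp the real id_dsa.pub to the VM
# and append it with cat >>). Constructed dummy key, not a real one.
DEMO_KEY='ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEDUMMYBLOBNOTAREALKEY coriakin@laptop'
DEMO_DIR=$(mktemp -d)
install_pubkey "$DEMO_KEY" "$DEMO_DIR/.ssh"
install_pubkey "$DEMO_KEY" "$DEMO_DIR/.ssh"       # second run: duplicate, skipped
count_keys "$DEMO_DIR/.ssh/authorized_keys"       # 1
rm -rf "$DEMO_DIR"
```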
Shortcomings of SSH
• pairwise keys - gets annoying
‣ it’s really too many for me to use everywhere
• You have to trust the host key you accept on first connection
• You just forget things
• MitM
‣ how do you check the host key? Print its fingerprint on the server and compare it with the one your client shows you:
‣ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
It can be a little easier
Being privileged
• sudo - superuser do
• there’s no root user!
• sudo visudo - you can see what the policy is
‣ your policy says anyone in the group “admin” can do anything, if they put their password in
• note that you had to sudo to change sudoers, the file that controls sudo policy
Let’s get some $\/\/33t w@r3z
• What if there was a way to install things as long as you know what sort of thing you want?
• What if you could update everything with a command?
WINDOWS UPDATE!!?!?!?
• WINDOWS UPDATE!!!!!! Rulz!
• roflcopter.
Aptitude
• Basic Principles
‣ aptitude update - refreshes the list of what exists - practically, do this before you do things
‣ aptitude search <terms> - look in the whole repository for matches to your search terms (even descriptions!)
‣ aptitude install <package name> - installs a package. You have to type the name right
‣ aptitude (safe|full)-upgrade - upgrade all your packages, safely, or fully
Let’s get a Desktop
• Some packages are “meta” packages, which are just shorthand for listing tons of packages
‣ let’s aptitude install apache2
‣ that installs, does a basic configuration, and starts apache2
‣ then aptitude install xubuntu-desktop, which will install a full desktop system, and tightvncserver
Visit your website
• Point your browserz at your ip address
• You’ve been hax0r3d!
[Screenshot: “Apache 2 Test Page powered by CentOS” - the default test page a freshly installed Apache serves until you add your own content]
Alternately...
init.d
• Nearly every service that would run in the background (apache, ssh, etc.) has a script that controls it
‣ instead of trying to figure out which process (ps aux) does what, and how to start/stop the process correctly (not kill!), just ask the script
‣ they all start/stop/restart - restart is always a safe bet
• you’d do this if you change the config of a running program
‣ let’s restart apache
‣ sudo /etc/init.d/apache2 restart (remember to tab complete!)
VNC
• this is all easier on the command line...
• but some stuff isn’t (adding users w/ adduser, adding users to groups with usermod -a -G group user - without -a the user’s other supplementary groups are dropped)
• so we want a desktop which runs on a remote system, but that we see on our local system
Tunneling
• To get this, we have to tunnel our data
‣ Clever firewall admins don’t let VNC through
• ssh -L 5900:firsthost:5901 -TN secondhost
‣ forwards local port 5900 to port 5901 on firsthost via secondhost - remember this description (firsthost is resolved from secondhost’s point of view; -T allocates no tty and -N runs no remote command, so the session only carries the tunnel)
‣ set up a tunnel from port 5900 on your machine, to 5901 on your VM, via your VM (firsthost and secondhost are the same machine here, so firsthost can simply be localhost)
All that’s left is to connect...
• Have to start a server on the remote host
‣ this is per-user: vncserver :1 (display :1 listens on port 5901, the port the tunnel points at)
‣ set a password
• On your local host, point your VNC viewer at yourself, localhost:0 (remember, 5900, the VNC port for display :0, gets tunneled to a remote party via someone’s ssh service); the password is your VNC password, NOT your ssh password
• You’ll be prompted for your VNC password if you didn’t put it in already
Ugly Desktop
• See help.ubuntu.com/community/VNCOverSSH
‣ basically, just put something in your .vnc/xstartup
‣ wget http://www.lukestclair.com/tools/config/xstartup
‣ put it in the .vnc directory in your home directory
Where to get more help
• Ubuntuforums.org - by far the best source
• IRC - high noise-to-signal ratio - irc.freenode.org, #ubuntu
• wiki.ubuntu.org
Certificate creation
• Let’s make a certificate
‣ Don’t try to remember this, just look it up
‣ Make a CA:
• openssl genrsa -des3 -out cakey.key 4096
• openssl req -new -x509 -days 365 -key cakey.key -out cacert.crt
‣ Create server key, request, sign
• openssl genrsa -des3 -out server.key 4096
• openssl req -new -key server.key -out server.csr
• openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -set_serial 01 -out server.crt
‣ -set_serial gives the certificate its serial number; use a different one for each certificate this CA signs, which avoids reissuing the same certificate
Setting up Apache
• sudo a2enmod ssl (enables the SSL module)
• add to /etc/apache2/sites-available/default, right under VirtualHost:
‣ SSLEngine on
‣ SSLProtocol all
‣ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
‣ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
‣ (snakeoil is the self-signed placeholder pair Ubuntu’s ssl-cert package generates; point these two directives at server.crt and server.key to serve the certificate you just signed)
• In the /usr/share/doc/ Directory block, allow all
‣ Order allow,deny
‣ Allow from all
Firewalls
• There are so many ways to do this
GUIs, or G-U-I’s
• Let’s make a firewall, simple-style
• You can do all of these things with iptables, and there are many good tutorials
Basic settings
• Setup pokes some holes in the firewall
‣ your ethernet device may be different - there should only be one to choose from anyway
Policy
• Play around with this. Firewall your website’s port 80, to stop normal http connections (this is not really the best way to do this, but whatever)
• Don’t forget to “Apply” the policy once you create it
• Browse port 80 and check the logs
IPsec
• set up rules (a setkey policy file) for when we want IPsec
‣ first, add to the top of the file:
‣ #!/usr/sbin/setkey -f
‣ flush; spdflush;
‣ this gets rid of whatever was there before (old SAs and old policies)
• spdadd 130.203.32.21 130.203.32.20 any -P in ipsec esp/transport//require;
‣ incoming packets from .21 to .20 match this rule - require ipsec
• spdadd 130.203.32.20 130.203.32.21 any -P out ipsec esp/transport//require;
‣ outgoing packets from .20 to .21 match this rule
‣ what does spdadd 130.203.32.20 130.203.32.21 any -P in ... do?
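An added example (not part of the slides) that writes this policy file for a host pair and answers the question above by checking whether a rule’s direction agrees with its addresses: on the host whose address is the source, an "in" rule can never match, because inbound packets always carry the peer as source. The 130.203.32.x addresses are the slide’s; the output file is a scratch temp file.

```shell
#!/bin/sh
# Added example (not from the slides): generate the setkey(8) policy file
# for a host pair and sanity-check a rule's direction against its addresses.

# write_spd_policy LOCAL PEER FILE: require ESP transport mode in both directions.
write_spd_policy() {
    local_ip=$1; peer_ip=$2; out=$3
    {
        printf '#!/usr/sbin/setkey -f\n'
        printf 'flush;\n'       # drop old security associations
        printf 'spdflush;\n'    # drop old policies
        # packets arriving from the peer must be ESP-protected
        printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$peer_ip" "$local_ip"
        # packets we send to the peer must be ESP-protected
        printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$local_ip" "$peer_ip"
    } > "$out"
}

# spd_rule_sane LOCAL PEER SRC DST DIR: succeeds if the rule can ever match
# on the host whose address is LOCAL. An "in" rule with our own address as
# source (the slide's question) never matches there: inbound packets have
# the peer as source and us as destination.
spd_rule_sane() {
    local_ip=$1; peer_ip=$2; src=$3; dst=$4; dir=$5
    case "$dir" in
        in)  [ "$src" = "$peer_ip" ] && [ "$dst" = "$local_ip" ] ;;
        out) [ "$src" = "$local_ip" ] && [ "$dst" = "$peer_ip" ] ;;
        *)   return 2 ;;
    esac
}

# count_rules FILE: number of spdadd lines in a policy file
count_rules() { grep -c '^spdadd ' "$1"; }

# Demo: host .20 talking to .21, as on the slide (scratch file, not /etc).
POLICY=$(mktemp)
write_spd_policy 130.203.32.20 130.203.32.21 "$POLICY"
cat "$POLICY"
spd_rule_sane 130.203.32.20 130.203.32.21 130.203.32.20 130.203.32.21 in ||
    echo "an 'in' rule with our own address as source never matches on .20"
rm -f "$POLICY"
```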
Racoon
• This is the IKE daemon: the program that listens for key-exchange connections and negotiates the security associations
‣ get racoon.conf from http://lukestclair.com/tools/config/racoon
• put it in /etc/racoon/racoon.conf
‣ Let’s look through it...
Racoon.conf
• remote anonymous applies this to everything
‣ the alternative is to configure per IP address, as in the comments
‣ proposal is what you propose - the other side picks
• here we only propose one hash, one encryption, and we only auth by pre-shared key, not certs
• dh_group defines the Diffie-Hellman group - don’t worry about this
SA in racoon.conf
• Defines how long your connection is good for
• Defines what encryption you support
• That’s it!
What did we miss?
psk
• Fill in /etc/racoon/psk.txt
‣ mine is l33th@x0R
• Try to ping my machine (130.203.83.20)
‣ note the delay or failure
• sudo setkey -D (dump the SAs) and sudo setkey -DP (dump the policies) should show you something, if you want to check errors or just see what’s happening (-F and -FP flush them instead of showing them)
• if this doesn’t work: sudo /etc/init.d/racoon stop, then sudo racoon -f /etc/racoon/racoon.conf, and we can see what happens