UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION (SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE) - PowerPoint PPT Presentation

Description: UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION (SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE), A. Davous, 01/02/2009. Slides: 158. Provided by: eloworldC.

Transcript and Presenter's Notes

1
UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION
  • (SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION
    AVANCÉE)

2
FOREWORD
  • No absolute security as long as the system is
    accessed
  • In system administration, the evil is in the
    details
  • For questions, contact is antoine.davous@aviler.com
    with ESGI in the subject field; otherwise the mail
    will be considered as spam by server rules.

3
INTRODUCTION
  • SECURITY BREACHES WELL-KNOWN EXAMPLES
  • UNIX RELEASES AND FLAVORS
  • REMINDER UNIX MANDATORY
  • WELL-KNOWN ATTACKS, MALICIOUS PROGRAMS
  • KEY CONCEPTS, RISKS, STRATEGY
  • HOW TO SECURE, SECURED DESIGN
  • SOME TABLE LAWS

4
SECURITY BREACHES WELL-KNOWN EXAMPLES
  • Sendmail: debug command mode; as sendmail runs
    with setuid root, a user can run any command with
    root power (try sudo and vi!...)
  • Command passwd -f: no control of the entered GECOS
    field, so a user can add any new line in the
    password file
  • Buffer overflow is a variant: a user can execute
    shellcode (to get a root shell) previously
    saved at some memory address, for programs that
    accept any entry without control (exploit)
  • SYN flooding: by sending a high rate of TCP open
    session requests (SYN), the server fills its
    queue with half-open session data
  • SQL injection: an SQL request to a database may be
    forged to execute malicious code

5
FOR INFORMATION UNIX RELEASES
6
FOR INFORMATION UNIX FLAVORS
  • Unix time line: http://www.levenez.com/unix/
  • Linux distributions time line:
    http://futurist.se/gldt/gldt76.png

7
REMINDER UNIX MANDATORY
  • Read, read again documentation: man, man -k,
    makewhatis -u
  • vi: what else could be expected? vim, but config
    and security
  • Shells: sh best choice for scripting, then tcsh
    or bash (current ps)
  • find, diff, touch, sort -n
  • xargs
  • grep, egrep, awk, Perl, expect

8
WELL-KNOWN ATTACKS
9
MALICIOUS PROGRAMS (MALWARES)
Most of these can be detected locally (by
signature) except some exploits that can be
detected at network level (firewall)
10
SECURITY KEY CONCEPTS
  • Security goals: confidentiality, integrity,
    availability, authentication, non-repudiation
  • 3 usual answers to threats: ignore, improvise or
    try to over-secure
  • Right answer: determine the field, identify and
    evaluate the cost of resources (financial,
    confidentiality or production), determine
    security risks and strategy, monitor, upgrade

11
STRATEGIES
  • Strategies: accept the threat but have a recovery
    plan; reduce the threat by appropriate
    means; transfer the threat to a vendor; bypass the
    threat by blocking access
  • Understanding is key: example of mail user
    privilege. Protect all layers: example of
    firewalls. Reduce the exposed surface. Protect but
    detect and answer: administrate!
  • Security is or must be part of conception,
    operation and deployment

12
RISKS AND STRATEGY
  • Risks
  • Human malicious but often from authorized users
  • Technical hardware (physical access), software
  • It is up to the sysadmin to decide what they are
    and the right level of protection
  • Strategy
  • Security and comfort is a compromise
  • Have a security policy especially recovery
    procedure

13
HOW TO SECURE
  • In-depth (passive) protection
  • (Physical premises access)
  • Network filtering
  • Passwords
  • Encryption
  • Backup
  • (Active) security process
  • Monitor and add corrections
  • Full audit
  • Upgrade

14
SECURED DESIGN
  • Open design or secret design debate (hidden
    flaws, issues discovered by the community,
    provocation to exploits)
  • Common breaches
  • Least user access (chroot as solution)
  • Buffer overflow
  • Printf function (insert conversion keys into
    string)
  • Web programming (URL forging)
  • Transactions, client/server (man-in-the middle,
    encryption, hashing as solutions)

15
SOME TABLE LAWS
  • If someone can execute something on your computer,
    or if someone can modify your OS, or if someone
    can physically access your computer, it will
    not belong to you anymore
  • As well, if someone can execute something on your
    web site, it will not belong to you anymore
  • Weak passwords lead to security breaches
  • A system is as secured as the sysadmin wants
  • Encrypted data are as secured as the key used to
    encrypt them
  • An anti-virus not updated is as useful as no
    anti-virus
  • Anonymity is not useful but confidentiality is
  • Technology is not the be-all
  • Security measures work well when they are simple
    to use for the sysadmin and transparent to users
  • (Microsoft point of view)

16
SYSTEM AND SECURITY BASIS
  • REMINDER PROCESSES
  • DAEMONS, SERVERS, SERVICES
  • INIT DAEMON, INIT LEVELS
  • REMINDER BOOTING SHUTTING DOWN
  • SERVICE MANAGEMENT
  • REMINDER FILES, FHS
  • PACKAGE MANAGEMENT

17
REMINDER PROCESSES
  • Processes have four identities: real (for
    accounting) and effective (for access
    permissions) UID and GID, usually the same
    except with setuid or setgid bit set
  • Command ps
  • Find setuid and setgid files over the
    system: find / -type f -perm /u+s,g+s -ls
  • Kinds of processes
  • Interactive, controlled with & (run in
    background), ^Z (stop job), bg (restart in
    background), jobs (list current jobs)
  • Batch
  • Daemons

18
DAEMONS, SERVERS, SERVICES
  • Daemon, server, service concepts
  • Daemon: program not part of the kernel, a process
    that performs a specific function or
    system-related task
  • Started at boot time or on demand
  • Specific system daemons
  • init: primordial process
  • cron: schedules commands
  • inetd: manages some of them

19
WELL KNOWN DAEMONS
20
REMINDER BOOTING SHUTTING DOWN
21
INIT LEVELS
22
INIT DAEMON
  • First process to run after system boot
  • Always has PID 1 and is the ancestor of all other
    processes
  • After startup, init consults /etc/inittab (or for
    BSD /etc/ttys) to determine on which physical
    ports it should expect users to log in (getty
    processes, even though network daemons are in
    large use today, or xdm for the graphical interface)
  • Also takes care of zombie processes (not running
    but listed)
  • Init defines run levels (passed as argument to it
    from the boot loader): 0 to 6 and s (single-user)
  • An additional layer is given with startup scripts
    in /etc/init.d, linked to startup and stop
    scripts in /etc/rcX.d

23
SERVICE MANAGEMENT IMPLEMENTATIONS EXAMPLES
24
SERVICES MANAGEMENT COMPLEMENTS
  • Commands: init 0, init 6, init s; ps -ef;
    kill -<signal>; pgrep; pkill; <service-script>
    start|stop|restart (service startup script)
  • Command chkconfig (specific to Fedora); usage:
    chkconfig --list [name]
    chkconfig --add <name>
    chkconfig --del <name>
    chkconfig --override <name>
    chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>
    chkconfig header in startup scripts
  • And finally, system-config-services GUI applet,
    specific to Linux
  • Command service and semi-graphical GUI
    sysvconfig, both specific to Debian

25
OTHER CONCEPTS
  • Command dmesg (kernel log)
  • Core dump: ulimit -c
  • PATH: try not to modify the root profile PATH
    variable; do not set an empty entry or . in the PATH
    variable; in scripts (and configurations like
    cron), always use the full path for commands (as
    variables at the beginning)
  • Disk quotas may be used to isolate an application
    (vs. their original purpose)
  • vi and other editors: dump files feature
  • History of shell commands
  • who -r
  • cp -p

26
ANSWERS TO QUESTIONS - 1
  • Gentoo (2003): visible on the time line, derives from
    Enoch (1999) which was built from scratch.
  • Compiles on installation, taking into account the
    processor's instruction set.
  • ESCAPING TO SHELL WITH VI, MORE, ...
  • Type : (colon) to get into command
    mode
  • Then ! (exclamation mark) to run any shell
    command
  • Type any command
  • locate / updatedb: search of a pattern (*file*)
    instead of a filename (file):
    locate ntp  =  find / -name '*ntp*'
    locate -b '\ntp'  =  find / -name ntp
  • History length: on sh or bash this is set with
    HISTSIZE (tcsh: HISTORY). See following
    profiles slide and hands-on (depending on shell,
    use man, setenv or printenv)

27
ANSWERS TO QUESTIONS - 2
  • grep / egrep pattern file(s): shows filenames +
    lines that match (filename: line); egrep -L
    pattern file(s): lists files that do not contain
    any line matching
  • awk
    ifconfig -a | awk 'BEGIN { printf "%-4s %-19s %-15s\n", "If", "MAC", "IP" }
        /Link/ { a = a + 1; printf "%.4s %17s", $1, $5; getline;
                 printf "%15s\n", substr($2, 6, 15) }
        END { print "Total nbr", a }'
    If   MAC                 IP
    eth0 00:09:5B:BD:FA:D2  192.168.0.1
    eth1 00:0E:A6:9F:7C:AA  89.156.6.39
    lo                      127.0.0.1
    Total nbr 3

28
REMINDER FILES
  • In Unix everything is a file (I/O from files or
    from peripherals are the same)
  • In Unix, a file belongs to a user AND to a group
    (no mandatory relationship between both); a user
    can belong to many groups, so giving access to
    a set of files or commands belonging to a group
    is done by adding the user to the group
  • When a file is created, it belongs to the user who
    created it and to their group, except if the upper
    directory is setgid (BSD style)
  • Commands chown -R, chgrp, chmod
  • Access rights for files (directories): r read (can
    ls it), w write (can delete/rename files inside), x
    execute (can cd into) (to be executable, a shell
    script needs rx, a binary only x)
  • umask 022 command in profile files to set
    permissions of new files
  • Special access: t sticky bit (can write in a dir
    but not delete others' files: /tmp); s setuid bit (set
    resource access of the process to the owner and not to
    the one that runs it); s setgid bit (for a file,
    set resource access of the process to the owning group
    and not the one that runs it; for a dir, see
    above):
    find / -user root -xdev \( -perm -4000 -o -perm -2000 \)
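
This slide's find command (and the -perm /u+s,g+s variant on the processes reminder slide) gives a snapshot of privileged binaries; the practical follow-up is to keep that snapshot and diff it after every package change. The script below is an added example, not from the course: list_privileged wraps the find (without the -user root filter, so the constructed demo tree works), audit_privileged compares its output with a saved baseline, and the demonstration runs on a temporary directory rather than on /. Function names and sample file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: audit the setuid/setgid files
# below a directory and report those missing from a saved baseline, so a
# privileged binary that appears after the baseline was taken stands out.
# Function names (list_privileged, audit_privileged) are this example's own.

# list_privileged ROOT
# One line "mode owner group path" per regular file below ROOT carrying the
# setuid (4000) or setgid (2000) bit; -xdev keeps find on one filesystem, as
# the slide's own command does. Output is sorted so it can be compared.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort
}

# audit_privileged ROOT BASELINE
# Prints every privileged file below ROOT that is not listed in BASELINE
# (a file written earlier by list_privileged) and returns 1 if any was found.
# A changed owner or mode shows up too, because the whole line is compared.
audit_privileged() {
    current=$(mktemp) && sorted_base=$(mktemp)
    list_privileged "$1" > "$current"
    sort -u "$2" > "$sorted_base"
    findings=$(comm -13 "$sorted_base" "$current")
    rm -f "$current" "$sorted_base"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# --- demonstration on a constructed tree (nothing touches the real system) ---
demo_root=$(mktemp -d)
printf '#!/bin/sh\necho hello\n' > "$demo_root/helper"
chmod 0755 "$demo_root/helper"           # ordinary executable: never reported
printf '#!/bin/sh\necho hello\n' > "$demo_root/backup_tool"
chmod 4755 "$demo_root/backup_tool"      # setuid: legitimate, goes into the baseline
baseline=$(mktemp)
list_privileged "$demo_root" > "$baseline"   # snapshot taken "at install time"

printf '#!/bin/sh\necho hello\n' > "$demo_root/surprise"
chmod 4755 "$demo_root/surprise"         # appears after the snapshot (a 2755
                                         # setgid file would be caught the same way)

audit_privileged "$demo_root" "$baseline" ||
    echo "privileged file(s) not in baseline, see above"
```

On a real host the baseline would be produced once by list_privileged / and stored off the machine, since an attacker who can add a setuid binary can also edit a baseline kept locally.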

29
FILESYSTEM HIERARCHY STANDARD 1
30
FILESYSTEM HIERARCHY STANDARD 2
31
PACKAGES MANAGEMENT
32
PHYSICAL SECURITY
  • USERS AND GROUPS
  • PASSWORD CRACK TOOLS
  • SUDO
  • PHYSICAL ATTACKS
  • HIGH AVAILABILITY
  • CHANNEL BONDING

33
USERS AND GROUPS
  • su: switch user; su -: switch to root, loading
    root's environment
  • Password
  • passwd user
  • Sudo: optional package (configuration by
    visudo): sudo command
  • Users base files: /etc/passwd and /etc/shadow
    (encrypted passwords)
    head -2 /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    (user:x:UID:GID:GECOS:home-dir:shell)
    man -s 5 shadow; vipw -s
  • Groups base file: /etc/group
    head -2 /etc/group
    root:x:0:root
    bin:x:1:root,bin,daemon
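
As an added example, not part of the course, the script below turns the field layout described on this slide into a few sanity checks: a second UID-0 account, an empty password field, a malformed line and a duplicate UID in /etc/passwd, and in /etc/group both membership of administrative groups and members with no account. It runs on constructed copies written to temporary files; pointed at /etc/passwd and /etc/group it works the same way. Function names, sample accounts and the list of groups treated as privileged are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the course slides: sanity checks for the account
# files whose layout the slide gives (user:x:UID:GID:GECOS:home:shell and
# group:x:GID:members). Both functions take file paths, so they can be run on
# the constructed samples below or on /etc/passwd and /etc/group of a host.
# Function names and the sample accounts are this example's own inventions.

# check_passwd PASSWD
# One finding per line, tagged:
#   FIELDS  line without the 7 fields (corrupt or forged entry)
#   NOPASS  empty password field
#   UID0    account other than root with UID 0 (a second root)
#   DUPUID  UID already used by an earlier account
check_passwd() {
    awk -F: '
        NF != 7 { printf "FIELDS %s\n", $0; next }
        $2 == "" { printf "NOPASS %s\n", $1 }
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
        {
            if ($3 in seen) printf "DUPUID %s shares UID %s with %s\n", $1, $3, seen[$3]
            else seen[$3] = $1
        }
    ' "$1"
}

# check_group GROUP PASSWD
#   PRIV   member of a group that grants administrative rights (root, wheel,
#          sudo, adm): the list is this example's assumption, adapt it
#   GHOST  member name that has no account in PASSWD (stale entry or typo)
check_group() {
    awk -F: '
        NR == FNR { users[$1] = 1; next }      # first file: account names
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                if ($1 ~ /^(root|wheel|sudo|adm)$/) printf "PRIV %s in %s\n", m[i], $1
                if (!(m[i] in users)) printf "GHOST %s in %s\n", m[i], $1
            }
        }
    ' "$2" "$1"
}

# --- constructed samples (not taken from any real host) ---
sample_passwd=$(mktemp)
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
antoine:x:1001:1001:Antoine:/home/antoine:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
broken:x:1003:1003:/home/broken:/bin/sh
EOF
sample_group=$(mktemp)
cat > "$sample_group" <<'EOF'
root:x:0:root
bin:x:1:root,bin,daemon
wheel:x:10:antoine,mallory
users:x:100:antoine,guest
EOF

check_passwd "$sample_passwd"
check_group "$sample_group" "$sample_passwd"
```

The NOPASS check is only meaningful where the password field of /etc/passwd is really consulted; with shadow passwords the same check belongs to field 2 of /etc/shadow, which the slide's vipw -s edits.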

34
USERS ADMINISTRATION - PROFILES
Nothing specific to the OS but to the shell. However, it
is worth knowing!
35
OTHER CONCEPTS
  • Users management commands: highly dependent on
    the OS: adduser, useradd, ...
  • Command dmesg
  • Command ls: ls -als | head -4
    total 4080                                   (nbr of blocks)
    16 drwxr-xr-x 146 root root 12288 2009-02-21 04:44 .
     8 drwxr-xr-x  24 root root  4096 2009-02-10 18:03 ..
     8 drwxr-xr-x   4 root root  4096 2008-01-23 15:25 acpi
    columns: size-in-blocks, type + permissions, nbr of
    links, user, group, size-in-bytes, last-modif-date,
    name
  • Command chown -R
  • Command chmod
  • Symbolic links
  • File types (command file): d (dir), l (symbolic
    link), b (block), c (character), s (socket), p
    (pipe)

36
PASSWORD CRACK TOOLS
  • Usage of these tools is illegal on computers
    where you have not been explicitly authorized to
    do it.
  • But it is recommended to test your own password
    files anyhow; crackers will do it with them.
  • Crack
  • Locations: /usr/share/crack, /usr/libexec/crack,
    /usr/bin
  • Quick-start commands:
    umask 077
    /scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
    Crack -nice 5 /root/unshadp
    Reporter
  • Results in /run directory
  • John the Ripper
  • Locations: /usr/share/john, /usr/libexec/john
  • Quick start commands:
    umask 077
    unshadow /etc/passwd /etc/shadow > /root/unshadp
    john --rules --wordfile=FILE /root/unshadp
  • Results in /john.pot

37
EXAMPLE FOR JOHN - 1
  • For this example to work, password check must be
    removed from PAM:
    cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.BAK
    Change pam_cracklib.so from requisite to optional.
    But better with Fedora: set USECRACKLIB to yes in
    /etc/sysconfig/authconfig. NO! If root, it is OK!
  • # useradd essai1
    # passwd essai1
    Changing password for user essai1.
    New UNIX password: essai1
    BAD PASSWORD: it is based on a dictionary word
    Retype new UNIX password: essai1
    # unshadow /etc/passwd /etc/shadow > /root/essai1
    # john /root/essai1
    Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/32])
    essai1           (essai1)
    guesses: 1  time: 0:00:00:03 6% (2)  c/s: 4836  trying: skulls
    ^C
    Session aborted

38
EXAMPLE FOR JOHN - 2
  • ... New UNIX password: 12345 ...
    12345            (essai1)
    guesses: 1  time: 0:00:00:05 8% (2)  c/s: 4880  trying: Sunshine1  ^C
  • ... New UNIX password: cathy ...
    cathy            (essai1)
    guesses: 1  time: 0:00:00:04 6% (2)  c/s: 4891  trying: decembers  ^C
  • ... New UNIX password: djk7sdf ...
    guesses: 0  time: 0:00:00:34 37% (2)  c/s: 4886  trying: blondie?  ^C

39
SOME PHYSICAL ATTACKS
  • Physical access must be protected; if not, an
    attacker can open the case and reset the EEPROM
    (where the BIOS password is saved) or can steal the
    hard disk
  • BIOS (or boot PROM for Sun) level must be
    protected (with a password); if not, an attacker can
    boot on their own CD/DVD
  • If partitions are not encrypted, booting with a
    CD/DVD gives access to data (with the mount command)
    and so to /etc/passwd (this is an official
    recovery procedure for a lost root password)
  • For backup purposes, a recovery CD (or software
    installation CD) is usually needed: mkbootdisk
    `uname -r`
  • The network may need to be redundant (High
    Availability) by duplicating network interfaces,
    switches, routers. Multiple redundant interfacing
    is named channel bonding (or IP multipath for
    Sun); otherwise, DoS

40
ROOT PASSWORD RECOVERY
  • Simplest procedure, using single user mode (case
    of Fedora 10):
  • At the GRUB screen, edit the current boot line (e)
  • Edit the kernel line (e) by adding "single" at the end
    (single user mode)
  • Save and boot (b)
  • Command passwd can be entered with root
    privileges to reset the root password
  • GRUB is protected if:
  • the GRUB bootloader has a timeout
    (/boot/grub/menu.lst): suppress it (0)
  • or a password (add line "password --md5 PASSWORD" in
    menu.lst); the encrypted password is given by
    command grub-md5-crypt, which returns a PASSWORD
    that can be pasted

41
ROOT LOGIN DEVICES
  • Kinds of terminals
  • console: console
  • ttyn (tty1, ...): serial terminals
  • vc/n (vc/1, ...): virtual consoles
  • Where root can directly log in to
  • Configurable in /etc/securetty
  • Security
  • Should all be disabled (by commenting with #)
    except console and/or tty1

42
ROOT, SUDO AND SECURITY
  • Never log in as root directly
  • su - (minus to inherit root's environment instead
    of the user's one)
  • Never change the root shell
  • Package sudo is used to give some determined root
    rights to standard users (with their own
    passwords!)
    - Configuration file /etc/sudoers (mode 440),
      editable only with the visudo command; see man
      sudo, man sudoers
    - Never configure shells or utilities that escape
      to a shell as commands (more, less, vi, ...)
      because commands will be executed as root!
    - sudo -v: restart timeout
    - sudo may be integrated with PAM
    - passwords are not encrypted on the wire: SSH is
      the solution
    - usage can be forced by replacing the su command
      with a symbolic link to sudo

43
SUDO CONFIGURATION LINES EXAMPLES
  • Host_Alias FILESERVERS = fs1, fs2
    User_Alias ADMINS = antoine, john
    Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
    Defaults requiretty
    root    ALL = (ALL) ALL
    antoine fs1 = /sbin/mount, /mnt/cdrom
    ADMINS  FILESERVERS = SOFTWARE
    dgb     fs2 = (operator) /bin/ls
  • The most important: the sudoers config should be set
    to span over multiple servers (by simple file
    transfer and copy)
  • Last: the user dgb may run /bin/ls, but only as
    operator, e.g. sudo -u operator /bin/ls

44
ANSWERS TO QUESTIONS - 1
  • Ubuntu (8-10) iptables startup script:
    cd /etc/init.d; grep -i iptables *
    ufw:    if iptables -L ufw-user-input -n >/dev/null 2>&1; then
    ufw:        execs="iptables"
    ufw:    execs="iptables"
    ufw:    iptables -L ufw-user-input -n >/dev/null 2>&1
    cat /etc/init.d/ufw
    . . .

45
ANSWERS TO QUESTIONS 1bis
  • Virtualization
  • http://fr.wikipedia.org/wiki/Virtualisation_(informatique)
  • A: Operating system-level virtualization
    (isolated OS): on Sun, Solaris 10 handles
    the concepts of containers (zone and resources); on
    Unix, chroot; on Linux, the same concept is
    operated with Linux-VServer
  • B: Paravirtualization (software interface
    simulating hardware): VirtualBox, simple but low
    performance; VMware Server, Player, Workstation
  • C: Hypervisor (manages guest kernels' calls to
    hardware): on Linux, Xen can support
    virtualization of other OSes than itself as long as
    they are ported to it; VMware ESXi
  • (Images A, B, C from Wikipedia)

46
ANSWERS TO QUESTIONS - 2
  • FreeBSD (7.1): switch user to root with su
  • Problem when logged in as antoine:
    > id
    uid=1001(antoine) gid=1001(antoine) groups=1001(antoine)
    > su
    Feb 18 11:09:02 magfbsd su: BAD SU antoine to root on /dev/ttyv0
    su: Sorry
  • man su (extract): "...by default only users in
    the ''wheel'' group can switch to UID 0
    (''root'')..."
  • Correction procedure: log in as root first
    magfbsd# id
    uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
    magfbsd# cp -p /etc/group /etc/group.ORIG
    magfbsd# vi /etc/group
    (add user antoine to the wheel group)
  • Test: log in again as antoine
    > id
    uid=1001(antoine) gid=1001(antoine) groups=1001(antoine)
    > su
    Password:
    Feb 18 11:17:09 magfbsd su: antoine to root on /dev/ttyv0
    magfbsd# id
    uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

47
ANSWERS TO QUESTIONS - 3
  • Init levels and services management
  • INIT LEVELS
  • SERVICES MANAGEMENT IMPLEMENTATIONS EXAMPLES
  • Tree command
  • tree -d -L 2
  • Telnet connections handling by TcpWrappers (see
    also new slides)
  • In /etc/hosts.allow: in.telnetd : LOCAL
  • Behavior against a SYN received on a closed port:
  • "If the connection does not exist (CLOSED) then a
    reset is sent in response to any incoming segment
    except another reset. In particular, SYNs
    addressed to a non-existent connection are
    rejected by this means."
  • RFC 793, found at http://www.faqs.org/rfcs/

48
HIGH AVAILABILITY (HA)
  • Data: RAID, multipath
  • Service access: clusters, network redundancy
  • Geographic spanning
  • Load sharing, load balancing, fail over
  • For Linux, specific project Linux-HA:
    http://www.linux-ha.org/ (based on
    heartbeat-2.1.x, stonith, DRBD packages).
    Excellent in-depth technical paper:
    http://www.linux-ha.org/_cache/HeartbeatTutorials__LCA2007-tutorial.pdf
    Includes explanations of HA concepts (split-brain,
    fencing, quorum, SPOF, data sharing, ...)

49
(LINUX) CHANNEL BONDING - 1
  • Four concepts required (details may vary over
    distributions): (Linux) kernel modules, (Linux)
    network cards configuration, channel bonding
    itself, HA modes
  • Note: the Linux NetworkManager service (used for
    laptop automatic network interfaces
    configuration) should be disabled and stopped,
    but the network service started
  • Virtual interface: /etc/sysconfig/network-scripts/ifcfg-bond0
  • Regular interfaces: /etc/sysconfig/network-scripts/ifcfg-eth0,
    /etc/sysconfig/network-scripts/ifcfg-eth1
  • Module loading and configuration:
    /etc/modprobe.d/bonding
  • Comm Commands used to debug:
    lsmod | grep bond                       Check module loading
    modprobe -r bonding                     Load/unload module
    /etc/init.d/network stop|start          Start/stop network service
    ifconfig -a                             Print interfaces status
    ifconfig eth0 up/down                   Enable/disable interface
    cat /var/log/messages | grep -i bond    Check logs

50
(LINUX) CHANNEL BONDING - 2
51
NETWORK SECURITY
  • TCP/IP SECURITY WEAKNESSES
  • XINETD DAEMON AND SERVICES
  • TCPWRAPPERS
  • PORT SCANNING
  • DHCP
  • NETWORK CONFIGURATION FILES
  • NETWORK COMMANDS
  • IP ALIASING
  • TCP/IP STACK SECURITY
  • TOOLS WIRESHARK AND NMAP

52
REMINDER NETWORKING - 1
  • TCP/IP layers: application (telnet, NFS, FTP,
    SSH, HTTP); session (DNS, DHCP); transport (TCP,
    UDP); internet (OSI network) (IP, ICMP,
    routing); network access (Ethernet, ARP)
  • MAC address: 48 bits, first 24 = OUI
    (Organizationally Unique Identifier)
  • Service = transport protocol (TCP or UDP) +
    port; /etc/protocols associates internet protocol
    (OSI network layer) and protocol
    identifier; /etc/services associates transport
    protocol (transport layer) and port number
  • IPv6: 128 bits address (first 48 for the ISP, end
    for MAC); compatible IPv4 (::FFFF:a.b.c.d),
    loopback is ::1, broadcast is
    FF02::1; http://www.potaroo.net/tools/ipv4/index.html

53
REMINDER NETWORKING - 2
  • Classes, networks, hosts, masks, broadcast
    calculation: see ipcalculator or ipcalc
  • Networks, sub-networks and masks: sub-networks are
    used to resize the number of hosts belonging to a
    network, especially for class C. The mask should
    always be set; hosts belonging to different
    sub-networks can't communicate except via a
    router: this is a way to reduce traffic over the LAN
  • ARP - RARP
  • ICMP
  • UDP: connectionless
  • TCP: connection oriented

54
ICMP PING
  • Usually filtered by firewalls (at least the
    interesting types)
  • Think about kernel tuning (sysctl -a | grep -i
    icmp) to avoid flooding
  • Tools: hping3 (many options), xprobe2 (not
    really reliable, or OS now secured?)
  • ICMP types used for fingerprinting:
  • Type 8: Echo request
  • Type 13: Timestamp request
  • Type 15: Information request
  • Type 17: Subnet address mask request
  • Ping flooding
  • Send pings to broadcast or multicast addresses:
    amplification

55
DHCP
  • Network layer, as ICMP
  • Used to manage leases and allocate IP addresses
    and other parameters such as gateway, DNS addresses, ...
  • Addresses can be allocated permanently (based on
    the client's MAC address) or for a given duration
    (lease)
  • Protocol: the client sends a DHCPDISCOVER on
    broadcast; servers answer with DHCPOFFER; the
    client sends a DHCPREQUEST to all DHCP servers,
    including the chosen server; the chosen server
    finally returns DHCPACK with IP parameters; the
    client may decline parameters with DHCPDECLINE and
    the process is restarted
  • DHCP servers must have a static address! As
    well, DHCP must not be used for DNS, LDAP, for
    security reasons (spoofing of address), because
    there is no authentication mechanism of the
    server's identity

56
DHCP CLIENT CONFIGURATION
57
TCP/IP NETWORK PROTOCOLS MAP (from protocol.com
website)
58
TCP/IP NETWORK PROTOCOLS MAP (from RADCOM website)
  • (Attached PDF file, available from RADCOM at
    www.radcom.com)

59
WELL-KNOWN SERVICES AND PORTS
60
TCP/IP SECURITY WEAKNESSES - 1
  • TCP/IP leads to an insecure network by itself
  • No IP source authentication, no encrypted
    headers or content: flooding is easy
  • SMTP: no authentication of the source mail address
  • Ping flood
  • Source routing is an IP spoofing technique
  • Dynamic IP address: do not use it on systems
    that share resources (NFS, Samba) or provide
    network resources (DNS, DHCP, mail server)
  • IP provides a connectionless service: it routes
    and sends a datagram; no sequence guarantee;
    options fields for source routing and record
    route; no encryption; no authentication
  • TCP, on top of IP, provides connection-oriented
    service, delivery and in-sequence guarantees
    (sequence number, 3-way handshake, timers, see
    TCP state machine)

61
TCP/IP SECURITY WEAKNESSES - 2
  • TCP sequence number (32 bits): counts
    exchanged bytes to check delivery and sequence.
    Both sides' Initial Sequence Numbers (ISN) are
    random to distinguish multiple connections;
    the receiver window size is based on it to control flow
  • 3-way handshake: SYN, SYN+ACK, ACK; release:
    FIN, FIN+ACK, ACK
  • Timers: connection establishment timer (75
    s); TIME_WAIT interval timer (120 s) allows
    segments in transit to be removed; for example,
    KEEP_ALIVE timer (3600 s) can stall the TCP state
    machine
  • Flaws leading to DoS: synchronous establishment
    (no timer at SYN_RCVD, stalled); SYN+FIN leads
    to CLOSE_WAIT (no timer either, stalled)
  • SYN flooding leading to DoS due to a full listen
    queue of half-opened connections (connection
    timer is 75 s)

62
TCP/IP SECURITY WEAKNESSES - 3
  • IP spoofing: in case an attacker takes another
    host's IP address (no control from the server), but 2
    catches: the attacker does not see responses (1)
    (sent to the regular host) and/or must guess the ISN or
    next sequence number (2) (after authentication
    for example). (2) Sequence guessing can be done
    because the ISN is not so random. (1) Source routing
    may be used (even though more prohibited today)
  • Connection hijacking: man in the middle attack
    by exploiting a desynchronized state (forcing a
    host to reject packets with a sequence number
    inside the window because it has already accepted
    its own forged ones)
  • ICMP: by sending forged Time Exceeded or
    Destination Unreachable to both parties (DoS); by
    sending Echo Request to multicast or broadcast
    addresses (DoS); by sending Redirect to one of the
    ends to take control of the connection
    (spoofing). These attacks are usually done from the
    local network
  • DNS: if the attacked network trusts domain
    names, the attacker can map the IP address of its host
    to belong to the domain. Reverse mapping is done to
    avoid such an attack
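
The counter-measures against the weaknesses of the last three slides (SYN flooding, ICMP broadcast amplification, source routing, ICMP Redirect, address spoofing) are mostly kernel settings. The script below is an added example, not from the course: it holds those settings as a baseline in sysctl.conf format and reports the keys of a "sysctl -a" snapshot that are missing or weaker. The snapshot used here is constructed; the sysctl keys are the standard Linux ones and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: compare a host's kernel network
# settings with the counter-measures the TCP/IP weakness slides imply.
# The snapshot is a file in the "key = value" form printed by "sysctl -a";
# on a real host produce it with:  sysctl -a 2>/dev/null > /tmp/sysctl.snapshot
# Here a constructed snapshot with two weak values and one missing key is
# used. Function names are this example's own; the keys are standard Linux.

# write_baseline FILE: expected values with the weakness each one addresses
# (same format as /etc/sysctl.conf, comment lines allowed).
write_baseline() {
    cat > "$1" <<'EOF'
# SYN flooding: answer with SYN cookies instead of filling the listen queue
net.ipv4.tcp_syncookies = 1
# source-routed datagrams (a spoofing aid): refuse them
net.ipv4.conf.all.accept_source_route = 0
# ICMP Redirect (connection takeover): neither accept nor send them
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# spoofed source addresses: reverse-path check and log the impossible ones
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
# Echo Request to the broadcast address: do not take part in amplification
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
}

# check_sysctl SNAPSHOT
# Prints "WEAK key = current (want expected)" or "MISSING key (want expected)"
# for every baseline key whose value differs from, or is absent in, SNAPSHOT.
check_sysctl() {
    baseline=$(mktemp); write_baseline "$baseline"
    awk -F'[ \t]*=[ \t]*' '
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        NR == FNR { want[$1] = $2; next }     # first file: the baseline
        ($1 in want) { have[$1] = $2 }        # second file: the snapshot
        END {
            for (k in want) {
                if (!(k in have))
                    printf "MISSING %s (want %s)\n", k, want[k]
                else if (have[k] != want[k])
                    printf "WEAK %s = %s (want %s)\n", k, have[k], want[k]
            }
        }
    ' "$baseline" "$1" | sort
    rm -f "$baseline"
}

# --- constructed snapshot: rp_filter absent, two values left at defaults ---
snapshot=$(mktemp)
cat > "$snapshot" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_local_port_range = 32768	60999
EOF

check_sysctl "$snapshot"
```

Because the baseline file is in sysctl.conf format, once reviewed it can be loaded with sysctl -p FILE and kept under /etc/sysctl.d/ so the settings survive a reboot.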

63
NETWORKING COMMANDS
  • hostname (nodename)
  • ifconfig
  • ping
  • arp -n -a ...
  • netstat -rn ...
  • route add del ...
  • traceroute
  • nslookup, dig
  • lsof -i

64
(LINUX) NETWORKING FILES
  • /etc/hosts: hostname resolution
  • /etc/inetd.conf (/etc/xinetd.conf,
    /etc/xinetd.d/)
  • /etc/services: service port resolution
  • /etc/securetty: TTY access
  • /etc/hosts.equiv: r services
  • ~/.rhosts: r services
  • /etc/hosts.allow, /etc/hosts.deny:
    TcpWrappers
  • /etc/resolv.conf: name servers declaration
  • /etc/nsswitch.conf: name services resolution
    methods
  • /etc/sysconfig/network-scripts/: Ethernet
    config
  • /etc/sysconfig/network: hostname,
    GW, options
  • /etc/networks: network resolution
  • /etc/protocols: protocol name resolution

65
INETD AND XINETD
  • Extended Internet services daemon
  • Unique daemon that waits for incoming connections
    for a number of other services and starts the
    corresponding server (echo, telnet, FTP, r
    services; most are standard and/or well-known
    Unix services but not all)
  • Process inetd or xinetd (reminder: kill
    -HUP)
  • Startup for xinetd: /etc/init.d/xinetd
  • Log by syslog but configurable
  • Old style configuration (inetd): /etc/inetd.conf
    (reminder: /etc/services)
  • Configuration (xinetd) in /etc/xinetd.conf +
    /etc/xinetd.d/ (one config file per service)
  • Even though (x)inetd is a mandatory service (think
    about installing embedded servers with no SSH
    package installed yet), controlled services are
    more and more disabled for security reasons
  • why? For example, telnet and FTP are sending
    clear-text passwords!
  • Other installation with core, verbose mode

66
REMINDER TELNET, (T)FTP, R SERVICES
  • Started by the (x)inetd server
  • Reminder: telnet is useful for tests (not only port
    23): telnet host port
  • TFTP: used for X terminals startup, no
    authentication at all
  • telnet, FTP: security problem with clear-text
    passwords shown
  • R services: commands rlogin, rsh, rcp,
    ruptime, rwho. Configuration: /etc/hosts.equiv,
    ~/.rhosts. Syntax: user@host. Authentication is
    done without password if it succeeded (handy for
    rcp). But security problem: if one listed host is
    unsecured, the local host is unsecured! This is
    because with the r services authentication scheme,
    local authentication is based on the remote one.
  • So use rsync for file transfer (nothing to do
    with r services) or better SSH/SFTP for
    everything.

67
TCPWRAPPERS
  • Package that secures connections to given
    well-known services: those handled by (x)inetd
    for sure, but others too (SSH)
  • which ones? For sshd, example:
    strings -f /usr/sbin/sshd | grep hosts_access
    /usr/sbin/sshd: hosts_access
    (YES! If no line is returned, no)
  • TcpWrappers is transparently inserted between
    network and service; it adds access control and
    logging features
  • Binary tcpd but not a daemon (invoked at
    connection). This is why there is no service to
    restart after configuration modification
  • Configuration files: /etc/hosts.allow, /etc/hosts.deny
  • Syntax of configuration lines:
    service_list : host_list [: command to log]
    host_list may be a hostname, a list, an IP address or
    network, a keyword (ALL, LOCAL) but never use EXCEPT
    as shown in documentation
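
The access control described on this slide (hosts.allow checked first, then hosts.deny, otherwise access granted) is easy to get wrong by hand, so the script below, an added example not from the course, evaluates the two files for a given service, client name and client address and prints the decision. It understands the host forms listed here (ALL, LOCAL, a network prefix ending with a dot, a domain suffix starting with a dot, exact names and addresses) and leaves EXCEPT and netmask forms out on purpose. Files, hostnames and addresses are constructed for the demonstration; function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: a small evaluator for the
# hosts.allow / hosts.deny syntax on this slide ("service_list : host_list
# [: command]"), following tcpd's order of evaluation: a match in hosts.allow
# grants access, otherwise a match in hosts.deny refuses it, otherwise access
# is granted. Host tokens understood: ALL, LOCAL (hostname without a dot),
# "a.b.c." (network prefix), ".domain" (name suffix), exact IP or hostname.
# IPv4 only (the colon is the field separator); EXCEPT and netmask forms are
# left out on purpose. Function names and sample files are this example's
# own, written to temporary files rather than to /etc.

# rule_matches FILE SERVICE HOSTNAME IP
# Prints "match" if any non-comment line of FILE matches the triple.
rule_matches() {
    awk -v svc="$2" -v host="$3" -v ip="$4" '
        function hosttok(t) {
            if (t == "ALL") return 1
            if (t == "LOCAL") return index(host, ".") == 0
            if (t ~ /\.$/) return index(ip, t) == 1
            if (t ~ /^\./) return substr(host, length(host) - length(t) + 1) == t
            return t == ip || t == host
        }
        function anytok(list, ishost,   n, a, i) {
            n = split(list, a, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (a[i] == "") continue
                if (ishost && hosttok(a[i])) return 1
                if (!ishost && (a[i] == "ALL" || a[i] == svc)) return 1
            }
            return 0
        }
        /^[ \t]*(#|$)/ { next }          # comments and blank lines
        {
            split($0, f, ":")            # f[1] services, f[2] hosts, f[3] command
            if (anytok(f[1], 0) && anytok(f[2], 1)) { print "match"; exit }
        }
    ' "$1"
}

# wrap_decision SERVICE HOSTNAME IP ALLOWFILE DENYFILE
wrap_decision() {
    if [ -n "$(rule_matches "$4" "$1" "$2" "$3")" ]; then echo "allow (hosts.allow)"
    elif [ -n "$(rule_matches "$5" "$1" "$2" "$3")" ]; then echo "deny (hosts.deny)"
    else echo "allow (no rule matched)"
    fi
}

# --- constructed configuration (hostnames and addresses are invented) ---
allow_file=$(mktemp)
cat > "$allow_file" <<'EOF'
# telnet only from hosts of the local domain and from the 192.168.0.0/24 LAN
in.telnetd : LOCAL, 192.168.0.
# ssh from the lab domain and from one management station
sshd       : .lab.example, 10.0.0.5
EOF
deny_file=$(mktemp)
cat > "$deny_file" <<'EOF'
ALL : ALL
EOF

wrap_decision in.telnetd pc12 192.168.0.12 "$allow_file" "$deny_file"
wrap_decision in.telnetd scanner.example.net 203.0.113.7 "$allow_file" "$deny_file"
wrap_decision sshd ws1.lab.example 10.0.0.9 "$allow_file" "$deny_file"
wrap_decision in.ftpd pc12 192.168.0.12 "$allow_file" "$deny_file"
```

The last call shows why the "ALL : ALL" line in hosts.deny matters: without it, any wrapped service that has no allow rule is reachable by everyone, which is the default the slide's telnet debugging steps rely on during testing.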

68
TELNET CONNECTION EXAMPLE
  • For example, steps to debug a telnet over xinetd
    connection:
  • Check the actual status of service xinetd:
    /etc/init.d/xinetd status must be up and
    running (or ps -ef | grep inet)
  • Check telnet service: must be enabled either in
    /etc/xinetd.conf or /etc/xinetd.d/telnet
    configuration files: disable = no
  • Check local connection: telnet localhost
  • Check local firewall if any: TCP port 23 must be
    open
  • Check TcpWrappers configuration: in.telnetd must
    be allowed at least for the client used to connect
    or the network it belongs to, eventually for ALL
    during testing
  • Check anyway /var/log/messages logs
  • For security reasons (against spoofing), the telnet
    server (but FTP also) always tries a reverse
    resolution of hostnames, so local and distant
    addresses should be resolvable (in our test
    case, set in /etc/hosts because no DNS is available:
    /etc/nsswitch.conf)
  • Check reboot: chkconfig must show the service is on
    for next reboot

69
TCP STATE MACHINE
70
PORT SCANNING INTRO
  • TCP ports scanning
  • Normal handshake, port open: SYN, SYN+ACK,
    ACK. Normal handshake, port closed: SYN, RST+ACK
  • (note: this is logged!)
  • Half-open SYN scan, port open: SYN, SYN+ACK,
    RST. Half-open SYN scan, port closed: SYN,
    RST+ACK (note: this may not be logged but
    usually is)
  • Anyhow, some systems (FW) will think about SYN
    flooding. So nmap can be used with the -T option to
    slow down the flood
  • Probe: malformed TCP packet (i.e. FIN probe
    with FIN flag set, or XMAS probe with FIN, URG,
    PUSH TCP flags set, NULL probe with no TCP flag
    set). Stealth TCP scan, port open: TCP probe, no
    response (this is garbage). Stealth TCP scan,
    port closed: TCP probe, RST+ACK (notes: also
    named inverse TCP flag; Windows does not respect the
    standard and does not send RST from a closed port;
    nmap can use options for each kind of probe:
    -sF, -sX, -sN)
  • Some other techniques: analysis of ACK probe,
    TTL field, window field
  • UDP ports scanning
  • UDP probe, port open: UDP probe, no response
  • UDP probe, port closed: UDP probe, ICMP dest
    port unreachable
  • (note: nmap can use option -sU)
  • Using specific UDP service clients to test a server
    is not realistic for a large number of ports
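
Whether a scanner completes the handshake or stops at the half-open state, what a firewall log rule on incoming SYNs records is the same: one bare SYN per probed port. The script below is an added example, not from the course: it reads netfilter LOG lines, counts the distinct destination ports receiving a bare SYN per source, and separately flags the XMAS and NULL probes this slide names. The log lines are constructed to look like the kernel's "SRC=... DPT=... SYN URGP=0" format, the threshold and addresses are arbitrary, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: detection logic for the probes
# this slide lists, run over constructed netfilter LOG lines (the kernel's
# "IN=... SRC=... DPT=... SYN URGP=0" format). A full connect and a half-open
# SYN scan leave the same trace, one bare SYN per probed port; an XMAS probe
# shows as URG PSH FIN, a NULL probe as no flag word at all.
# Function name, threshold and sample addresses are this example's own.

# detect_scans LOGFILE THRESHOLD
#   SYNSCAN src N : N distinct ports got a bare SYN (no ACK) from src, N >= THRESHOLD
#   XMAS src      : at least one segment from src with URG, PSH and FIN set
#   NULL src      : at least one TCP segment from src without any flag
detect_scans() {
    awk -v limit="$2" '
        !/PROTO=TCP/ { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            # the flag words sit between "RES=0x.." and "URGP="; cut them out
            # (URGP itself contains the letters URG, so it must go)
            flags = $0
            sub(/.*RES=0x[0-9a-fA-F]+/, "", flags)
            sub(/URGP=.*/, "", flags)
            if (flags ~ /SYN/ && flags !~ /ACK/) {
                if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
            } else if (flags ~ /URG/ && flags ~ /PSH/ && flags ~ /FIN/) {
                xmas[src] = 1
            } else if (flags !~ /(URG|ACK|PSH|RST|SYN|FIN)/) {
                nullp[src] = 1
            }
        }
        END {
            for (s in ports) if (ports[s] >= limit) printf "SYNSCAN %s %d\n", s, ports[s]
            for (s in xmas) printf "XMAS %s\n", s
            for (s in nullp) printf "NULL %s\n", s
        }
    ' "$1" | sort
}

# --- constructed log: one scanner, one normal client, one probe sender ---
log=$(mktemp)
for p in 21 22 23 25 80 110 143 443; do
    printf 'Feb 21 04:44:01 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.1 PROTO=TCP SPT=40000 DPT=%s WINDOW=1024 RES=0x00 SYN URGP=0\n' "$p"
done > "$log"
cat >> "$log" <<'EOF'
Feb 21 04:44:02 host kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.1 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 04:44:02 host kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.1 PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 04:44:02 host kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.50 PROTO=TCP SPT=22 DPT=51234 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Feb 21 04:44:03 host kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.0.1 PROTO=TCP SPT=60000 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Feb 21 04:44:03 host kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.0.1 PROTO=TCP SPT=60001 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Feb 21 04:44:04 host kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.1 PROTO=UDP SPT=40000 DPT=53 LEN=40
EOF

detect_scans "$log" 5
```

The threshold is what keeps a normal client (two SYNs to one port) out of the report; a slow scan spread with nmap's -T option only lowers the rate, so the count of distinct ports per source still grows and a longer log window catches it.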

71
NMAP INTRO 1
  • "The bad guys are already using nmap for
    reconnaissance, because a single scan can tell
    you a lot about the open doors and windows in a
    computer's house. The good guys are using nmap to
    make their network safer." James Messer
    (Secrets of Network Cartography)
  • Nmap = Network Mapper. It is a port
    scanner: detects open ports, offered services and
    OS fingerprint of remote computer(s); uses
    analysis techniques based on TCP, IP, UDP and
    ICMP; guesses the OS from fingerprints (answers from
    specific forged queries); open source, created by
    Fyodor and distributed by Insecure.org
  • Warning: Nmap can be seen as an intrusion
    attempt; scans are detected with an IDS (Intrusion
    Detection System) like Prelude
  • Tests can be done with scanme.nmap.org

72
NMAP INTRO 2
  • Available open source frontends: nmapFE or
    zenmap
  • Port states detected by nmap:
    Open: TCP connections or UDP packets accepted.
    Closed: accessible (with answer) but no listening
    application on that port.
    Filtered: Nmap can't say because the request is dropped
    before reaching the port (firewall).
    Unfiltered: port is accessible but Nmap can't say
    if open or closed.
    Open|Filtered: Nmap can't say if open or filtered.
    Closed|Filtered: Nmap can't say if closed or filtered

73
MAIN PORTS SCANNING TECHNIQUES NMAP
CORRESPONDENCE - 1
74
MAIN PORTS SCANNING TECHNIQUES NMAP
CORRESPONDENCE - 2
75
NMAP OPTIONS 1
76
NMAP OPTIONS 2
77
NMAP OPTIONS 3
78
NAME RESOLUTION AND ROUTING
  • Name resolution
  • /etc/hosts: name resolution (possibly
    distributed by NIS, but to be avoided)
  • /etc/resolv.conf: domain definition and name
    servers location (removing it will deactivate DNS
    resolution)
  • /etc/host.conf: name services switch (or
    /etc/nsswitch.conf)
  • Routing
  • On a LAN (hubs), no routing is necessary
  • On small networks, static routes may be necessary
  • On large networks (WAN), dynamic routing is handled
    by the routed and gated daemons (support of RIP,
    OSPF, BGP, EGP)
  • On Linux, static routes may be defined in
    /etc/sysconfig/static-routes

79
TCP/IP STACK (AND KERNEL) TUNING
80
TOOL WIRESHARK - 1
  • Other well-known one: tcpdump (we'll see it later)
  • Wireshark can import tcpdump dump files and snoop
    (Sun) dump files
  • Open-source and modular conception: you can add
    your own decoder
  • Related to sniffing, but many other obscure tools
    are used in real life by hackers
  • Promiscuous mode, i.e. listen to all frames on the
    LAN (libpcap needed; WinPcap for Windows
    environments)
  • Can be used in text mode without GUI but not
    recommended (in line mode use tcpdump instead,
    writing the dump to a file to be opened in Wireshark)
  • Configurable columns (Edit, Preferences)
  • Filtering when capturing (lot of options) or
    viewing (also); can work as a ring buffer with
    triggers
  • Important options: name resolution (MAC, network,
    transport); network resolution should be avoided as it
    creates new traffic. Fragmented IP packets are
    reassembled by default but configurable (Edit,
    Preferences, IP protocol options). Analyze, Follow
    TCP Stream is useful to present a TCP session in one
    window
  • Rich statistics options
  • Rich export and presentation options

81
TOOL WIRESHARK - 2
82
TOOL WIRESHARK - 3
  • (ANSWER TO THE QUESTION ABOUT RING BUFFER
    CAPTURE)
  • Defining a capture filter is not so easy sometimes,
    so it should be tried first with preliminary
    tests. Example (not useful, but for the concept):
    among all traffic, you want to catch ICMP requests
    with TTL at 3 (we will trigger this with traceroute
    to www.google.com) and their responses:
    icmp.type == 8 (ICMP request), icmp.type == 11 (ICMP TTL
    exceeded), ip.ttl == 3 (TTL at 3); the IP of
    www.google.com is 209.85.229.103. So a capture
    filter could be: ip.dst == 209.85.229.103 &&
    (icmp.type == 8 || icmp.type == 11) && ip.ttl == 3

83
DATA SECURITY
  • RAID
  • LVM
  • BACKUP
  • NAS / SAN

84
DATA SECURITY
  • Software installed: the less installed, the fewer
    security holes; the idea is to reduce the field of
    potential attacks
  • Journaled file systems: based on transactions, a
    brutal power shutdown should have no effect on
    data integrity
  • RAID
  • As a reminder, commands and file to know (on all
    OS): mount, umount, /etc/fstab
  • From a security point of view, external (system)
    shares should usually be mounted read-only

85
RAID - 1
  • RAID: Redundant Array of Independent/Inexpensive
    Disks
  • RAID is a way to aggregate multiple block
    resources to give a unified storage view to the user;
    in simple words, aggregate physical hard disks
    into virtual ones from the system perspective
  • RAID may be implemented:
    - physically: RAID controllers (preferred method)
    - in system software: low cost but lower performance and
    security
  • To be really redundant, each physical disk or
    disk group must have its own disk controller,
    especially if software implemented
  • But also multiple path access (multipath),
    multiple power supplies: weakest link concept
    in HA
  • Compromise between availability, performance and
    cost

86
RAID - 2
  • RAID 0: blocks are spread over disks; no
    reliability
  • RAID 1: mirroring, duplication of blocks;
    limited performance
  • RAID 5: striped set with distributed parity or
    interleaved parity; high availability
  • RAID 10 or RAID 1+0
  • Images: Wikipedia

87
RAID 1 REAL CASE EXAMPLE
  • Useful commands are listed; they will be shown during
    hands-on (based on a Linux RAID 1 simulation over
    VirtualBox)
  • cat /etc/fstab: file systems table
  • df -k: file systems usage
  • cat /etc/mdadm.conf: RAID configuration
  • mdadm --detail /dev/md2: RAID details for
    /dev/md2
  • cat /proc/mdstat: RAID actual status (1)
  • A very simplified example to detach /
    re-attach a sub-mirror to its mirror
  • /dev/md0 = /boot, /dev/md1 = swap, /dev/md2 =
    root; the largest one, /dev/md2, to see the sync
  • /dev/md0 = (/dev/sda1 + /dev/sdb1), /dev/md1 =
    (/dev/sda2 + /dev/sdb2), /dev/md2 = (/dev/sda3 +
    /dev/sdb3)
  • mdadm --detail /dev/md2: try to run it at each
    step...
  • mdadm /dev/md2 --set-faulty /dev/sdb3: marking the
    device faulty is required before removing it
  • mdadm /dev/md2 --remove /dev/sdb3: remove the
    sub-mirror... Here the disk may be changed, but
    other commands are required (2)!
  • mdadm /dev/md2 --re-add /dev/sdb3: re-adding the
    sub-mirror
  • while true; do cat /proc/mdstat | grep recovery;
    sleep 15; done
  • This command demonstrates a common usage of
    special proc files that can be generalized to
    other information; try cat /proc/meminfo and cat
    /proc/vmstat (used by the vmstat command)
  • This should be done for all mirrors: commands
    should be duplicated for /dev/md0 and /dev/md1
    (see demo). And the second disk must be
    RAID-formatted with the same partitions and sizes, at
    least for mirroring, probably with mdadm as
    well, but to be verified.
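The loop above polls /proc/mdstat with cat and grep. As an added example (not from the course), here is a Python reader for that file's text that extracts, per array, the member devices with their (F) faulty marker, the [configured/active] counter and any recovery or resync percentage, so the state of every mirror can be checked in one pass instead of eyeballing the grep output. The sample text is constructed to match the demo layout (md0/md1/md2 over sda and sdb) with sdb3 being re-added to md2 and sdb1 marked faulty in md0; the field names in the result dictionary are the example's own.

```python
"""Parse /proc/mdstat and report degraded arrays and resync progress.

Added example (not part of the course slides): a structured reader for
the /proc/mdstat text that the slide polls with while/cat/grep.
"""
import re

# Constructed sample in the /proc/mdstat layout; on a live system use
# open("/proc/mdstat").read() instead. md2 is rebuilding after a --re-add,
# md0 still carries a faulty member, md1 is healthy.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md2 : active raid1 sdb3[2] sda3[0]
      35000000 blocks [2/1] [U_]
      [==>..................]  recovery = 12.5% (4375000/35000000) finish=5.3min speed=95000K/sec

md1 : active raid1 sdb2[1] sda2[0]
      1500000 blocks [2/2] [UU]

md0 : active raid1 sdb1[1](F) sda1[0]
      200000 blocks [2/1] [U_]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(\S+)\s+(.*)$")  # "md2 : active raid1 sdb3[2] sda3[0]"
MEMBERS_RE = re.compile(r"(\w+)\[\d+\](\([A-Z]\))?")            # "sdb1[1](F)" -> device, optional flag
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")           # "[2/1] [U_]" -> configured/active, map
PROGRESS_RE = re.compile(r"(recovery|resync|reshape|check)\s*=\s*([\d.]+)%")


def parse_mdstat(text):
    """Return {array name: dict(state, level, members, devices_*, degraded, progress)}."""
    arrays = {}
    current = None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, rest = m.groups()
            members = [(dev, flag == "(F)") for dev, flag in MEMBERS_RE.findall(rest)]
            current = arrays[name] = {
                "state": state, "level": level, "members": members,
                "devices_expected": None, "devices_active": None,
                "degraded": False, "progress": None,
            }
            continue
        if current is None:  # "Personalities" header, before any array
            continue
        s = STATUS_RE.search(line)
        if s:
            expected, active, device_map = int(s.group(1)), int(s.group(2)), s.group(3)
            current["devices_expected"], current["devices_active"] = expected, active
            current["degraded"] = active < expected or "_" in device_map
        p = PROGRESS_RE.search(line)
        if p:
            current["progress"] = (p.group(1), float(p.group(2)))
    return arrays


def report(arrays):
    """One human-readable status line per array, sorted by name."""
    lines = []
    for name in sorted(arrays):
        a = arrays[name]
        parts = ["DEGRADED" if a["degraded"] else "healthy",
                 f"{a['devices_active']}/{a['devices_expected']} active"]
        faulty = [dev for dev, is_faulty in a["members"] if is_faulty]
        if faulty:
            parts.append("faulty=" + ",".join(faulty))
        if a["progress"]:
            kind, pct = a["progress"]
            parts.append(f"{kind} {pct:.1f}%")
        lines.append(f"{name}: " + ", ".join(parts))
    return lines


if __name__ == "__main__":
    for line in report(parse_mdstat(SAMPLE_MDSTAT)):
        print(line)
```

Run against the real file in the slide's polling loop (for example with `watch`), a non-empty list of DEGRADED arrays is the condition worth alerting on; the recovery percentage tells you how long the array stays exposed to a second disk failure.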

88
(LINUX) LVM
  • LVM: Linux Volume Management (used also for
    HP-UX) (Sun SVM: Solstice Volume Management)
  • (Multiple) set of:
  • (Multiple) Physical Volumes, PV (physical disks,
    partitions, RAID volumes or SAN units)
  • Volume Group, VG (only one for many PV upward
    and many LV downward)
  • (Multiple) Logical Volumes, LV (simply partitions
    on which a FS can be set)
  • Main useful feature: hot configuration
    (creation, extension)

89
LVM REAL CASE EXAMPLE - 1
  • One Linux file system with a Linux swap as two LV
    in the same VG
  • root@moscou-fed# cat /etc/fstab
  • # fs_spec fs_file vfstype fs_mntops fs_freq
    fs_passno
  • /dev/VolGroup00/LogVol00 / ext3 defaults 1 1
  • UUID=46916b32-...-b231142 /boot ext3 defaults 1
    2
  • tmpfs /dev/shm tmpfs defaults 0 0
  • devpts /dev/pts devpts gid=5,mode=620 0 0
  • sysfs /sys sysfs defaults 0 0
  • proc /proc proc defaults 0 0
  • /dev/VolGroup00/LogVol01 swap swap defaults 0
    0
  • Boot partition on the first partition of sda, another
    physical disk partition sdb5 mounted on /media
  • root@moscou-fed# df -k
  • Filesystem 1K-blocks Used Available Use% Mounted on
  • /dev/mapper/VolGroup00-LogVol00 36736600
    3032376 33331436 9% /
  • /dev/sda1 194442 28192 156211 16% /boot
  • tmpfs 370620 76 370544 1% /dev/shm
  • /dev/sdb5 19354752 518808 17852768 3% /media

90
LVM REAL CASE EXAMPLE - 2
  • Finally, the LVM configuration shows two LV in one VG,
    itself using only one PV (second partition of
    sda)
  • root@moscou-fed# lvm
  • lvm> pvs
  • PV VG Fmt Attr PSize PFree
  • /dev/sda2 VolGroup00 lvm2 a- 37.06G 32.00M
  • lvm> vgs
  • VG #PV #LV #SN Attr VSize VFree
  • VolGroup00 1 2 0 wz--n- 37.06G 32.00M
  • lvm> lvs
  • LV VG Attr LSize Origin Snap% Move Log Copy% Convert
  • LogVol00 VolGroup00 -wi-ao 35.59G
  • LogVol01 VolGroup00 -wi-ao 1.44G

91
FILE SYSTEM - TYPES
(table of file system types; unit prefixes: Tera T = 1000^4, Exa E = 1000^6)
92
BACKUP - 1
  • Old days: full backup of the system onto tapes
    (requires a system boot disk of exactly the same
    release)
  • "Backups are for wimps. Real men upload their data
    to an FTP site and have everyone else mirror it."
    Linus Torvalds
  • Nowadays:
    - mirroring of critical data files (on
    NAS, SAN with hot swap disks)
    - system duplication, clusters (geographically
    diversified)
    - snapshots (different concepts for
    LVM, virtual machines)
  • Strategy is highly dependent on the actual case
    (front end or backend server)
  • What is to be backed up, if not everything:
    configuration files (/etc, /usr/local/etc,
    ...); data (specific cases of databases: SQL dumps
    or proprietary ways)

93
BACKUP - 2
94
BACKUP - 3
  • Well-known high-level applications on Linux
  • Amanda 2.6.1 (Jan 2009): Advanced Maryland
    Automatic Network Disk Archiver. Uses Samba or
    native Windows (VSS, Volume Shadow Services) to
    back up Windows clients. http://www.amanda.org/
  • Bacula 2.4.4 (Jan 2009): modular architecture
    (highly developed): admin workstation (tray
    monitor, command console), backup server
    (director daemon), database server (MySQL or else
    for catalogs), file server (file daemon) and
    storage server (connected to the backup device).
    http://www.bacula.org/fr/
  • Well-known high-level applications on Unix
    (usually large network management applications
    that include at least a backup module)
  • IBM Tivoli
  • HP OpenView
  • BMC Patrol

95
TP1 - NTP
96
NTP - INTRODUCTION
  • NTP: Network Time Protocol, for servers' time
    synchronization through the network
  • Uses the NTP protocol (UDP, port 123) formalized in
    IETF RFC 1305: "NTP provides the mechanisms to
    synchronize time and coordinate time distribution
    in a large, diverse internet operating at rates
    from mundane to lightwave."
  • antoine@magfed$ cat /etc/services | egrep "ntp"
  • ntp 123/tcp
  • ntp 123/udp # Network Time Protocol
  • Stratum concept: "the accuracy of each server
    is defined by a number called the stratum, with
    the topmost level (primary servers) assigned as
    one and each level downwards (secondary servers)
    in the hierarchy assigned as one greater than the
    preceding level."
  • 2 operating architectures:
    - symmetric active/passive: client pulls time information
    - client/server, broadcast/multicast: server pushes
    time information
  • Versions
  • root@moscou-fed# ntpq
  • ntpq> version
  • ntpq 4.2.4p6@1.1549-o Mon Jan 12 14:07:32 UTC
    2009 (1)
  • ntpq> ntpversion
  • NTP version being claimed is 2

97
NTP PACKAGE - 1
  • Package is ntp-4.2.4p6-1.fc10.i386, binary
    installation (Yum)
  • root@magfed# rpm -qa | grep -i ntp
  • ntp-4.2.4p6-1.fc10.i386
  • From ntp.org, the actual versions are:
  • Release Version Date
  • Production 4.2.4p6 2009/01/08
  • Release Candidate 4.2.4p7 2009/03/30
  • Development 4.2.5p161 2009/03/31
  • Update available? Probably not, but to check:
  • root@magfed# yum check-update ntp-4.2.4p6-1.fc10.i386
  • Loaded plugins: refresh-packagekit
  • fedora 2.8 kB 00:00
  • updates 2.3 kB 00:00
  • updates/primary_db 3.1 MB 00:02
  • and to update:
  • root@magfed# yum update ntp-4.2.4p6-1.fc10.i386

98
NTP PACKAGE - 2
  • rpm -ql ntp-4.2.4p6-1.fc10.i386
  • /etc/ntp.conf
  • /etc/ntp/crypto
  • /etc/ntp/crypto/pw
  • /etc/rc.d/init.d/ntpd
  • /etc/sysconfig/ntpd
  • /usr/bin/ntpstat
  • /usr/sbin/ntp-keygen
  • /usr/sbin/ntpd
  • /usr/sbin/ntpdc
  • /usr/sbin/ntpq
  • /usr/sbin/ntptime
  • /usr/sbin/tickadj
  • /usr/share/doc/ntp-4.2.4p6
  • -- LOT OF DOC OR MAN FILES --
  • /var/lib/ntp
  • /var/lib/ntp/drift
  • /var/log/ntpstats

99
NTP COMMANDS - 1
  • Start (obvious), stop (obvious), status
  • antoine@magfed$ /etc/init.d/ntpd status
  • ntpd (pid 2122) is running...
  • root@moscou-fed# ps -ef | egrep "UID|ntp"
  • UID PID PPID C STIME TTY TIME CMD
  • ntp 2288 1 0 13:56 ? 00:00:00 ntpd -u
    ntp:ntp -p /var/run/ntpd.pid -g
  • Actual status: you should have seen some
    problems with the VM (?)
  • root@moscou-fed# ntpq -p
  • remote refid st t when poll
    reach delay offset jitter

  • farnsworth.1270 131.188.3.223 2 u 336 1024
    377 11.417 4.163 0.259
  • ns1.azuria.net 193.67.79.202 2 u 901 1024
    377 9.586 9.058 1.761
  • crush.bmconseil 91.121.20.142 3 u 882 1024
    377 9.759 3.963 73.903
  • Where:
  • the leading tally character denotes symmetric active
  • * (star) denotes the peer the server is synchronized to
  • poll: polling interval in seconds; reach:
    reachability register in octal (377 is the highest value,
    255 in base 10); delay, offset and jitter in ms

100
NTP COMMANDS - 2
  • ntpq: standard NTP query program
  • ntpq> help
  • ntpq commands:
  • addvars debug lopeers passociations rl
    associations delay lpassociations passwd rmvars
    authenticate exit lpeers peers rv cl help
    mreadlist poll showvars clearvars host mreadvar
    pstatus timeout clocklist hostnames mrl quit
    version clockvar keyid mrv raw writelist cooked
    keytype ntpversion readlist writevar
  • ntpdc: special NTP query program
  • ntpdc> help
  • ntpdc commands:
  • addpeer controlkey fudge keytype quit timeout
    addrefclock ctlstats help listpeers readkeys
    timerstats addserver debug host loopinfo
    requestkey traps addtrap delay hostnames
    memstats reset trustedkey authinfo delrestrict
    ifreload monlist reslist unconfig broadcast
    disable ifstats passwd restrict unrestrict clkbug
    dmpeers iostats peers showpeer untrustedkey
    clockstat enable kerninfo preset sysinfo version
    clrtrap exit keyid pstats sysstats

101
NTP CONFIGURATION - 1
  • # Permit time synchronization with our time source, but do not
  • # permit the source to query or modify the service on this system.
  • restrict default kod nomodify notrap nopeer noquery
  • restrict -6 default kod nomodify notrap nopeer noquery
  • # Permit all access over the loopback interface. This could
  • # be tightened as well, but to do so would effect some of
  • # the administrative functions.
  • restrict 127.0.0.1
  • restrict -6 ::1
  • # Hosts on local network are less restricted.
  • restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
  • # Enable public key cryptography.
  • crypto
  • includefile /etc/ntp/crypto/pw
  • # Key file containing the keys and key identifiers used when operating
  • # with symmetric key cryptography.
  • keys /etc/ntp/keys
  • # Specify the key identifiers which are trusted.

102
NTP CONFIGURATION - 2
  • restrict default ignore
  • restrict -6 default ignore
  • restrict 192.168.10.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery
  • restrict 192.168.2.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery
  • restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
  • restrict 127.0.0.1
  • restrict -6 ::1
  • # Enable public key cryptography.
  • crypto
  • includefile /etc/ntp/crypto/pw
  • # Key file containing the keys and key identifiers used when operating
  • # with symmetric key cryptography.
  • keys /etc/ntp/keys
  • # Specify the key identifiers which are trusted.
  • trustedkey 4 8 42
  • # Specify the key identifier to use with the ntpdc utility.
  • requestkey 8
  • # Specify the key identifier to use with the ntpq utility.
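The two ntp.conf fragments differ mainly in their restrict lines, and with several overlapping entries it is not always obvious which one governs a given client. The following added example (not part of the course) parses the restrict lines of a configuration in Python, resolves the entry that applies to a client address the way ntpd does (the most specific matching mask wins, the default entry being the least specific), and reports which of nomodify, noquery, notrap and nopeer that client is still missing. The sample configuration is constructed from the second fragment above; the function names are the example's own.

```python
"""Work out which ntp.conf restrict entry applies to a client.

Added example (not part of the course slides). ntpd keeps restrict entries
as an access list and applies the most specific match (longest mask) to a
packet's source address; this reproduces that lookup for auditing.
"""
import ipaddress

# Constructed from the slide's second ntp.conf fragment (comments dropped,
# server/trustedkey lines kept to show they are ignored by the parser).
SAMPLE_NTP_CONF = """\
restrict default ignore
restrict -6 default ignore
restrict 192.168.10.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery
restrict 192.168.2.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
restrict -6 ::1
server 192.168.0.1 key 4
trustedkey 4 8 42
"""

# Flags a client should carry unless it is meant to administer the daemon.
PROTECTIVE_FLAGS = ("nomodify", "noquery", "notrap", "nopeer")


def parse_restrict_lines(conf_text):
    """Return [(ip_network, frozenset(flags))] for every restrict line."""
    entries = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        parts = parts[1:]
        default_net = "0.0.0.0/0"
        if parts[0] == "-6":  # explicit IPv6 entry
            parts = parts[1:]
            default_net = "::/0"
        if parts[0] == "default":
            net, flags = ipaddress.ip_network(default_net), parts[1:]
        elif len(parts) >= 3 and parts[1] == "mask":
            net = ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
            flags = parts[3:]
        else:  # single host address
            net, flags = ipaddress.ip_network(parts[0]), parts[1:]
        entries.append((net, frozenset(flags)))
    return entries


def effective_flags(entries, client):
    """Flags of the most specific entry matching the client address."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, flags in entries:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return best[1] if best else frozenset()


def audit(entries, client):
    """Summarise what the client may do against this ntpd."""
    flags = effective_flags(entries, client)
    if "ignore" in flags:
        return "ignored (no packets served)"
    missing = [f for f in PROTECTIVE_FLAGS if f not in flags]
    return "fully restricted" if not missing else "missing: " + ", ".join(missing)


if __name__ == "__main__":
    entries = parse_restrict_lines(SAMPLE_NTP_CONF)
    for client in ("192.168.10.7", "192.168.0.55", "127.0.0.1", "10.1.1.1"):
        print(f"{client:15} {audit(entries, client)}")
```

The 192.168.0.0/24 entry on the slide deliberately leaves noquery and nopeer off so that LAN hosts can run ntpq against the server; the audit makes that choice visible, which is the point of checking the file rather than trusting the comments.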

103
NTP LOG TRACE
  • tail -f /var/log/messages | grep ntp
  • Apr 9 07:32:22 magfed ntpd[2122]: time reset
    0.234766 s
  • Apr 9 07:32:22 magfed ntpd[2122]: kernel time
    sync status change 0001
  • Apr 9 07:37:27 magfed ntpd[2122]: synchronized
    to 91.121.19.179, stratum 2
  • Apr 9 07:40:36 magfed ntpd[2122]: synchronized
    to 193.48.168.130, stratum 2
  • STOP HERE
  • Apr 9 07:43:05 magfed ntpd[2122]: ntpd exiting
    on signal 15
  • START HERE
  • Apr 9 07:43:11 magfed ntpd[2576]: ntpd
    4.2.4p6@1.1549-o Mon Jan 12 14:07:28 UTC 2009 (1)
  • Apr 9 07:43:11 magfed ntpd[2577]: precision =
    2.585 usec
  • Apr 9 07:43:11 magfed ntpd[2577]: Listening on
    interface #0 wildcard, 0.0.0.0#123 Disabled
  • Apr 9 07:43:11 magfed ntpd[2577]: Listening on
    interface #1 wildcard, ::#123 Disabled
  • Apr 9 07:43:11 magfed ntpd[2577]: Listening on
    interface #2 eth0, fe80::a00:27ff:feac:77f7#123
    Enabled
  • Apr 9 07:43:11 magfed ntpd[2577]: Listening on
    interface #3 lo, ::1#123 Enabled
  • Apr 9 07:43:11 magfed ntpd[2577]: Listening on
    interface #4 lo, 127.0.0.1#123 Enabled
  • Apr 9 07:43:11 magfed ntpd[2577]: Listening on
    interface #5 eth0, 192.168.10.4#123 Enabled
  • Apr 9 07:43:11 magfed ntpd[2577]: Listening on
    routing socket on fd #22 for interface updates
  • Apr 9 07:43:11 magfed ntpd[2577]: kernel time
    sync status 0040
  • Apr 9 07:43:11 magfed ntpd[2577]: frequency
    initialized 16.601 PPM from /var/lib/ntp/drift

104
NTP NETWORK TRACE - 1
  • With tcpdump, on a refresh by the Windows client
    (Internet time parameters, Update time)
  • root@moscou-fed# tcpdump -i eth0 port ntp
  • tcpdump: verbose output suppressed, use -v or -vv
    for full protocol decode
  • listening on eth0, link-type EN10MB (Ethernet),
    capture size 96 bytes
  • 17:18:20.207873 IP 192.168.0.128.ntp >
    192.168.0.1.ntp: NTPv3, Client, length 48
  • 17:18:20.208009 IP 192.168.0.1.ntp >
    192.168.0.128.ntp: NTPv3, Server, length 48

105
NTP NETWORK TRACE - 2
  • Wireshark (capture filter: ntp), exporting
    and filtering the trace (displayed packets) to text
    format
  • No. Time Source Destination Protocol Info
  • 2337 10.597450 192.168.0.128
    192.168.0.1 NTP NTP client
  • Network Time Protocol
  • Reference Clock Update Time: Apr 9, 2009
    15:18:18.9180 UTC
  • Originate Time Stamp: NULL
  • Receive Time Stamp: NULL
  • Transmit Time Stamp: Apr 9, 2009
    15:19:53.9070 UTC
  • No. Time Source Destination Protocol Info
  • 2338 10.597562 192.168.0.1
    192.168.0.128 NTP NTP server
  • Network Time Protocol
  • Flags: 0x1c
  • 00.. .... = Leap Indicator: no warning (0)
  • ..01 1... = Version number: NTP Version 3 (3)
  • .... .100 = Mode: server (4)
  • Peer Clock Stratum: secondary reference (3)
  • Peer Polling Interval: 10 (1024 sec)
  • Peer Clock Precision: 0.000001 sec
  • Root Delay: 0.0225 sec

106
NTP SECURITY - 1
  • Own NTP security (access control support,
    authentication)
  • Local firewall (block incoming NTP but let
    outgoing to the server, depending on mode: symmetric
    or multicast)
  • Use IP addresses instead of hostnames (general
    rule)
  • Set correct permissions for binaries, for
    configuration files, for logs (general rule)
  • Secure NTP administration commands access
  • Problem not solved:
  • root@moscou-fed# ps -ef | grep ntp
  • ntp 6511 1 0 21:18 ? 00:00:00 ntpd -I
    eth0 -u ntp:ntp -p /var/run/ntpd.pid -g
  • root@moscou-fed# netstat --inet -a | egrep
    "Proto|ntp"
  • Proto Recv-Q Send-Q Local Address
    Foreign Address State
  • udp 0 0 10.8.0.3:ntp *:*
    (tun0)
  • udp 0 0 89-156-6-39.rev.num:ntp *:*
    (eth1)
  • udp 0 0 192.168.0.1:ntp *:*
    (eth0)
  • udp 0 0 localhost.localdomain:ntp *:*
    (lo0)
  • udp 0 0 *:ntp *:*
  • Even if option -I eth0 is added in
    /etc/sysconfig/ntpd:
  • OPTIONS="-I eth0 -u ntp:ntp -p /var/run/ntpd.pid
    -g"

107
NTP SECURITY - 2
  • Simple security scheme with:
    In /etc/ntp/keys on both client and server:
    4 M shf49s
    In /etc/ntp.conf on both client and server:
    trustedkey 4
    In /etc/ntp.conf on the client:
    server 192.168.0.1 key 4
  • If the key is invalid on the client side, for example:
  • root@moscou-fed# ntpq -p
  • remote refid st t when poll
    reach delay offset jitter

  • 192.168.0.1 .AUTH. 16 u - 64
    0 0.000 0.000 0.000

108
NTP SECURITY - 3
  • No. Time Source Destination Protocol Info
  • 2148 21.837346 192.168.0.135
    192.168.0.1 NTP NTP client
  • ...
  • Network Time Protocol
  • ...
  • Reference Clock ID: 192.168.0.1
  • Reference Clock Update Time: Apr 9, 2009
    19:55:06.0316 UTC
  • Originate Time Stamp: Apr 9, 2009
    19:56:10.0764 UTC
  • Receive Time Stamp: Apr 9, 2009 19:56:10.0317
    UTC
  • Transmit Time Stamp: Apr 9, 2009
    19:57:16.0300 UTC
  • Key ID: 00000004
  • Message Authentication Code:
    931D66E8C3E8DD1E6C0A4A077BB8CA20
  • No. Time Source Destination Protocol Info
  • 2149 21.837498 192.168.0.1
    192.168.0.135 NTP NTP server
  • ...
  • Network Time Protocol
  • ...
  • Reference Clock ID: 88.191.77.246
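The Wireshark decodes in NTP NETWORK TRACE - 2 and above show two things worth being able to reproduce by hand: the LI/VN/Mode byte (0x1c = no warning, version 3, mode server) and, on the authenticated client packet, the Key ID and 16-byte Message Authentication Code appended after the 48-byte header. The following added example (not part of the course) rebuilds both in Python: it splits the flags byte, builds a minimal header with NULL timestamps, appends a key id and a MAC computed as ntpd does for a type M key in /etc/ntp/keys (MD5 over the key string followed by the header), and verifies a received packet against a trustedkey list, so the .AUTH. failure shown in NTP SECURITY - 2 can be seen as a MAC mismatch. The packet contents are constructed; the key id and value (4, shf49s) are the slide's own, and the helper names are the example's.

```python
"""Decode NTP header flags and verify a symmetric-key (MD5) MAC.

Added example (not part of the course slides). Layout: 48-byte NTP header,
then 4-byte key identifier, then 16-byte MAC = MD5(key || header), which
is what ntpd computes for a type 'M' key from /etc/ntp/keys.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_MAC_LEN = 16

# Keys as they would appear in /etc/ntp/keys: "4 M shf49s" on the slide.
SERVER_KEYS = {4: b"shf49s"}


def decode_flags(first_byte):
    """Split the LI/VN/Mode byte: 0x1c -> leap 0, version 3, mode 4 (server)."""
    return {"leap": first_byte >> 6,
            "version": (first_byte >> 3) & 0x07,
            "mode": first_byte & 0x07}


def build_header(version=3, mode=3, stratum=0, poll=10, precision=-20):
    """Minimal 48-byte NTP header, leap indicator 0 (no warning).

    Root delay, root dispersion, reference id and the four 64-bit
    timestamps are left at zero, like the NULL stamps in the slide's
    client packet.
    """
    first = (version << 3) | mode
    return struct.pack("!BBbb", first, stratum, poll, precision) + bytes(44)


def compute_mac(key, header):
    """MAC for an 'M' (MD5) key: digest of key bytes followed by the header."""
    return hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()


def append_auth(header, key_id, key):
    """Client side: append key identifier and MAC to the header."""
    return header + struct.pack("!I", key_id) + compute_mac(key, header)


def verify(packet, trusted_keys):
    """Server side: return (ok, reason) for an incoming packet.

    trusted_keys plays the role of the 'trustedkey' list in ntp.conf.
    """
    if len(packet) < NTP_HEADER_LEN + KEY_ID_LEN + MD5_MAC_LEN:
        return False, "no MAC present (unauthenticated packet)"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    mac = packet[NTP_HEADER_LEN + KEY_ID_LEN:NTP_HEADER_LEN + KEY_ID_LEN + MD5_MAC_LEN]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} not in trustedkey list"
    # Constant-time comparison, as for any MAC check.
    if not hmac.compare_digest(mac, compute_mac(key, header)):
        return False, "MAC mismatch (peer would show .AUTH.)"
    return True, "ok"


if __name__ == "__main__":
    print(decode_flags(0x1c))
    good = append_auth(build_header(), 4, SERVER_KEYS[4])
    bad = append_auth(build_header(), 4, b"wrongkey")
    print(len(good), "bytes;", verify(good, SERVER_KEYS), verify(bad, SERVER_KEYS))
```

Note that this scheme only authenticates the peer and protects packet integrity; the key is a shared secret stored in clear in /etc/ntp/keys on both sides, which is why the slide on permissions for configuration files applies to it.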

109
NTP - REFERENCES
  • IETF NTP related RFC: http://www.ietf.org/rfc/rfc1305.txt?number=1305
  • NTP home site: http://www.ntp.org/
  • Public NTP servers list: http://support.ntp.org/bin/view/Servers/WebHome

110
SYSTEM HARDENING
  • SECURITY POLICY
  • PAM
  • CHROOTING
  • APACHE CHROOTING EXAMPLE
  • KERBEROS

111
SECURITY POLICY
  • Concept of hardening
  • Concept of security policy
  • GNU/Linux Fedora Sécurité, chapter 7
  • Unix and Linux Security Checklist v3.0,
    AusCERT, http://www.auscert.org.au

112
HOW TO SECURE A SYSTEM
  • Physical
  • Disk partitioning (/, /boot, /var, /home)
  • File systems mounted securely (noexec, ro, ...)
  • GRUB configuration
  • Update software
  • Remove or check (chmod 700 gcc) installed
    compilers
  • Remove unused packages (rpm -e <package>, but take care
    with dependencies)
  • Disable interactive init startup
    (/etc/sysconfig/init, PROMPT=no)
  • Disable unused services (xinetd configuration,
    /etc/rcX.d, chkconfig, services GUI)
  • Define umask in the system profile file
  • SELinux: specific to Fedora, we'll see that
    later on
  • Remove unused users (especially guest-type
    accounts such as nobody, but beware of actual owners
    of files!)
  • Look at chapter 7 of the recommended ENI book
  • IT IS ALL ABOUT WHAT HAS BEEN SHOWN FROM START TO
    END OF THIS COURSE

113
PAM - 1
  • PAM is a configurable mechanism that lets the system
    authenticate users independently of the
    programs or services
  • PAM: Pluggable Authentication Modules
  • PAM components:
    - legacy services compatible with PAM (login, passwd)
    - modules (libraries .so in /lib/security) doing
    authentication-related tasks (development)
    - main configuration data (in /etc/pam.conf and
    /etc/pam.d/), by service; probably nothing to do
    with them except development
    - user configuration data (in /etc/security/*.conf),
    by service; this is where the sysadmin has to do
    the setup

114
PAM - 2
  • Type values
  • auth: instructs the application to prompt
    the user for a password
  • account: performs non-authentication based
    account management (time, max logged users)
  • password: updates the authentication token
    associated with the user
  • session: does things that need to be done after
    (logging, mounting directories)
  • Control values
  • sufficient: success of