Bài giảng LPI202 - Chapter 07 Advanced Linux Network Administration

System Security Chapter 07Advanced Linux Network Administration ObjectivesIpchains and Iptables Configuring a routerSecuring FTP serversSecure shell (OpenSSH)TCP_wrappersSecurity tasks What is a Firewall?A set of related programs that protects the resources of a private network from users from other networks. A mechanism for filtering network packets based on information contained within the IP header.A means of maintaining sanity.Firewall ProgramsIpfwadm : Linux kernel 2.0.34Ipchains : Linux kernel 2.2.*Iptables : Linux kernel 2.4.*FirewallsNetwork LevelTwo TypesPacket FilterStateful Packet Inspection – SPIIPTables is BothFilteringInformation NeededIP Address (Phone Number)Port (Extension)Can Filter by Source or DestinationCan Filter by StateIPTablesSPINEWESTABLISHEDRELATEDINVALIDNetwork Address Translation – NATDNATSNATREDIRECTIPTablesnotes onlyIPTablesPacket ManglingModify Packets Before/After DecisionExamplePrioritize TrafficMinimize-DelayMaximize-ReliabilityMinimize-CostNormal-ServiceIPTablesTCP Header +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| IHL |Type of Service| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Control | | Ipchains packet traversalIptables packet traversalBasic iptables syntaxiptables --flushiptables -A INPUT -i lo -j ACCEPTiptables -A OUTPUT -o lo -j ACCEPTiptables --policy INPUT DROPiptables --policy OUTPUT DROPiptables --policy FORWARD DROPiptables TargetsACCEPTlet the packet throughDROPdrop the packet QUEUEpass the packet to the userspaceRETURNstop traversing this chain and resume the calling chainiptables syntaxiptables -I INPUT -i eth1 -p tcp -s 192.168.56.1 \--sport 1024:65535 -d 192.168.56.2 --dport 22 \-j ACCEPTiptables -I OUTPUT -o eth1 -p tcp ! --syn \-s 192.168.56.2 --sport 22 -d 192.168.56.1 \--dport 1024:65535 -j ACCEPTForwarding Packetsiptables -A FORWARD -i \-o -s 192.168.56.1/32 --sport \1024:65535 -m state --state \ NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A FORWARD -i \-o -m state --state \ESTABLISHED,RELATED -j ACCEPT*don't forget /proc/sys/net/ipv4/ip_forwardiptables -L -v -nChain INPUT (policy DROP 280 packets, 32685 bytes) pkts bytes target prot opt in out source destination 3300 136K ACCEPT tcp -- eth1 * 192.168.56.1 192.168.56.2 tcp dpt:22 140 51297 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 378K 46M LOG all -- eth1 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 140 10220 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 4435 1275K LOG all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 4717 882K LOG all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 13 624 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.56.1 tcp dpt:22 state NEW 4379 1214K ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 4609 877K ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 9 396 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 10.10.90.10 tcp dpt:22 state NEW Chain OUTPUT (policy DROP 7 packets, 588 bytes) pkts bytes target prot opt in out source destination 5687 6275K ACCEPT tcp -- * eth1 192.168.56.2 192.168.56.1 tcp spt:22 102 48836 LOG all -- * eth4 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 478904 8127K LOG all -- * eth1 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 140 10220 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0LOG - Target ExtensionLOG--log-level--log-prefix--log-tcp-sequence--log-tcp-options--log-ip-optionsiptables -A OUTPUT -o eth0 -j LOGiptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "Raw iptables log outputJun 25 09:05:11 hebe kernel: IN=eth1 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=10.90.10.112 DST=10.90.10.116 LEN=44 TOS=0x00PREC=0x00 TTL=60 ID=7276 PROTO=TCP SPT=47785 DPT=10003 WINDOW=16384 RES=0x00 SYN URGP=0Jun 25 09:05:11 hebe kernel: IN=eth1 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=10.90.10.112 DST=10.90.10.116 LEN=44 TOS=0x00PREC=0x00 TTL=60 ID=7276 PROTO=TCP SPT=47785 DPT=10003 WINDOW=16384 RES=0x00 SYN URGP=0Jun 25 09:05:12 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:d1:24:bb:08:00 SRC=10.90.50.251 DST=10.90.255.255 LEN=241 TOS=0x00 PREC=0x00 TTL=128 ID=547 PROTO=UDP SPT=138 DPT=138 LEN=221Jun 25 09:05:12 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:d1:24:bb:08:00 SRC=10.90.50.251 DST=10.90.255.255 LEN=241 TOS=0x00 PREC=0x00 TTL=128 ID=547 PROTO=UDP SPT=138 DPT=138 LEN=221Jun 25 09:05:12 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:74:0b:81:08:00 SRC=10.90.10.6 DST=10.90.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=44852 PROTO=UDP SPT=137 DPT=137 LEN=58Jun 25 09:05:12 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:74:0b:81:08:00 SRC=10.90.10.6 DST=10.90.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=44852 PROTO=UDP SPT=137 DPT=137 LEN=58Jun 25 09:05:15 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:cf:20:2d:37:08:00 SRC=10.90.10.104 DST=10.90.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=1 ID=60733 DF PROTO=UDP SPT=137 DPT=137 LEN=58Jun 25 09:05:15 hebe kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:cf:20:2d:37:08:00 SRC=10.90.10.104 DST=10.90.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=1 ID=60733 DF PROTO=UDP SPT=137 DPT=137 LEN=58Jun 25 09:05:23 hebe kernel: IN=eth1 OUT= MAC=00:00:92:a7:df:05:02:07:01:23:5e:29:08:00 SRC=10.90.10.112 DST=10.90.10.116 LEN=44 TOS=0x00PREC=0x00 TTL=60 ID=11698 PROTO=TCP SPT=4778log_analysis output3 Chain: input Interface: eth0 >> 211.39.225.244 1559 => 192.168.56.2 TCP 273744 Chain: input Interface: eth0 >> 211.44.96.76 1659 => 192.168.56.2 TCP 273744 Chain: input Interface: eth0 >> 24.209.129.7 2846 => 192.168.56.2 TCP 273744 Chain: input Interface: eth0 >> 4.41.13.124 1537 => 192.168.56.2 TCP 273743 Chain: input Interface: eth0 >> 61.255.229.7 3714 => 192.168.56.2 TCP 273743 Chain: input Interface: eth0 >> 64.231.21.254 2361 => 192.168.56.2 TCP 273744 Chain: input Interface: eth0 >> 65.24.46.200 1992 => 192.168.56.2 TCP 273744 Chain: input Interface: eth0 >> 65.33.176.170 1328 => 192.168.56.2 TCP 273744 Chain: input Interface: eth0 >> 65.43.103.123 3672 => 192.168.56.2 TCP 273744 Chain: input Interface: eth0 >> 66.188.158.191 3064 => 192.168.56.2 TCP 273743 Chain: input Interface: eth0 >> 80.224.203.178 4697 => 192.168.56.2 TCP 273743 Chain: input Interface: eth0 >> 12.220.98.42 1380 => 192.168.56.2 TCP 273743 Chain: input Interface: eth0 >> 193.205.135.94 2498 => 192.168.56.2 TCP 14333 Chain: input Interface: eth0 >> 198.83.120.42 1711 => 192.168.56.2 TCP 14333 Chain: input Interface: eth0 >> 202.108.234.155 3877 => 192.168.56.2 TCP 14333 Chain: input Interface: eth0 >> 202.140.162.42 19914 => 192.168.56.2 TCP 14333 Chain: input Interface: eth0 >> 205.158.95.87 1367 => 192.168.56.2 TCP 14333 Chain: input Interface: eth0 >> 208.2.225.43 3818 => 192.168.56.2 TCP 14333 Chain: input Interface: eth0 >> 212.118.71.3 1429 => 192.168.56.2 TCP 14334 Chain: input Interface: eth0 >> 61.85.33.8 2113 => 192.168.56.2 TCP 273744 Chain: input Interface: eth0 >> 61.99.45.198 4515 => 192.168.56.2 TCP 273743 Chain: input Interface: eth0 >> 62.90.204.2 3798 => 192.168.56.2 TCP 14333 Chain: input Interface: eth0 >> 63.231.101.56 61428 => 192.168.56.2 TCP 14333 Chain: input Interface: eth0 >> 66.28.45.209 4268 => 192.168.56.2 TCP 1433NAT OverviewSource NATThe source address of the initial packet is modified.Performed on the POSTROUTING Chain.Includes MASQUERADE functionality.Destination NATThe destination address of the initial packet is modified.Performed on the PREROUTING or OUTPUT chain.SNAT Masquerade Exampleiptables -t nat -A POSTROUTING -o eth0 -j \ MASQUERADEiptables -A FORWARD -i eth1 -o eth0 -m state \ --state NEW, ESTABLISHED, RELATED -j ACCEPTiptables -A FORWARD -o eth1 -m state --state \ ESTABLISHED, RELATED -j ACCEPTStandard SNAT Exampleiptables -t nat -A POSTROUTING -o \ -j SNAT --to-source \ iptables -A FORWARD -i \ -o -m state --state \ NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A FORWARD -o \ -m state --state ESTABLISHED,RELATED -j ACCEPTDNAT - Host Forwardingiptables -t nat -A PREROUTING -i \-p tcp --sport 1024:65535 -d --dport 80 \-j DNAT --to-destination iptables -A FORWARD -i \-o -p tcp --sport 1024:65535 \-d --dport 80 -m state \--state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A FORWARD -i \-m state --state ESTABLISHED,RELATED -j ACCEPTAdvanced DNATPort Redirection:iptables -t nat -A PREROUTING -i \-p tcp --sport 1024:65535 -d --dport 80 \-j DNAT --to-destination :81Server Farms:iptables -t nat -A PREROUTING -i \-p tcp --sport 1024:65535 -d \--dport 80 -j DNAT \--to-destination 192.168.56.10-192.168.56.15Firewall OptimizationPlace loopback rules as early as possible.Place forwarding rules as early as possible.Use the state and connection-tracking modules to bypass the firewall for established connections.Combine rules to standard TCP client-server connections into a single rule using port lists.Place rules for heavy traffic services as early as possible.User Defined Chainsiptables -A INPUT -i $INTERNET -d \-j EXT-inputiptables -A EXT-input -p udp --sport 53 \--dport 53 -j EXT-dns-server-iniptables -A EXT-input -p tcp ! --syn --sport 53 \--dport 1024:65535 -j EXT-dns-server-iniptables -A EXT-dns-server-in -s $NAMESERVER_1 \-j ACCEPTConfiguring a routerIp forwardingTo enable IP forwarding temporarily (until the next reboot): echo 1 > /proc/sys/net/ipv4/ip_forwardTo enable permanently, edit /etc/sysctl.conf and set: net.ipv4.ip_forward = 1Static routeThe route program is used to add or remove predefined routesDynamic routerouted GatedZebraSecuring FTP serversFTP [File Transfer Protocol] is one of the oldest and most popular servicesThe following steps will enhance securely FTP serverDisable Anonymous Access.Enable Logging.Harden file permission.Enable Disk Quotas. Use Logon Time Restrictions.Restrict Access by IP.Audit Logon Events.Enable Strong Password Requirement.VSFTPInstallationRPM packages of vsftpd Install from source tarballConfiguration /etc/vsftpd.confStarting the FTP-ServicexinetdStandaloneVSFTPD - Configuration# Anonymus FTP-access permitted? YES/NO anonymous_enable=NO # Permit anonymus upload? YES/NOanon_upload_enable=NO # Permission for anonymus users to make new directories? YES/NO anon_mkdir_write_enable=NO # Permission for anonymus users to do other write operations - like renaming or deleting? YES/NO anon_other_write_enable=NO VSFTPD - Configuration# Log on by local users permitted? YES/NO local_enable=YES # Shall local users be locked into their home directory? YES/NO chroot_local_user=YES # General write permission? YES/NO write_enable=YES # Enable messages when changing directories? YES/NOdirmessage_enable=YES # Welcome banner at users logon. ftpd_banner="Welcome to neo5k’s FTP service."VSFTPD - Configuration# Activate logging? YES/NOxferlog_enable=YES # Logging of all FTP activities? YES/NO # Careful! This can generate large quantities of data. log_ftp_protocol=NO # Confirm connections are established on port 20 (ftp data) only. YES/NO connect_from_port_20=YES # Timeout during idle sessions, Data connection timeout idle_session_timeout=600data_connection_timeout=120 # Access through Pluggable Authentication Modules (PAM)pam_service_name=vsftpd VSFTP Starting the FTP-Service XinetdIt is recommended to start the vsftp daemon with xinetd/etc/xinetd.d/vsftpd# vsftp daemon. service ftp { disable = no socket_type = stream wait = no user = root server = /usr/sbin/vsftpd no_access = 192.168.1.3 log_on_success += PID HOST DURATION log_on_failure += HOST } VSFTP Starting the FTP-ServiceStandaloneEdit file "/etc/vsftpd.conf" and make the following changes:# Shall the vsftp daemon run in standalone operation? YES/NO listen=YES After that entry the daemon can be startet with following entry [ neo5k@server]# /usr/sbin/vsftpd &[ neo5k@server]# netstat -anp|grep 21 Secure shell (OpenSSH)SSH FeaturesCommand line terminal connection toolReplacement for rsh, rcp, telnet, and othersAll traffic encryptedBoth ends authenticate themselves to the other endAbility to carry and encrypt non-terminal trafficBrief HistorySSH.com’s SSH1, originally completely free with source code, then license changed with version 1.2.13SSH.com’s SSH2, originally only commercial, but now free for some uses.OpenSSH team took the last free SSH1 release, refixed bugs, added features, and added support for the SSH2 protocol.InstallationOpenSSH is included with a number of Linux distributions, and available for a large number of UnicesOn RPM-based linuxes:“rpm –Uvh openssh*.rpm”Basic usessh SshServerNamessh –l UserName SshServerNamessh SshServerName CommandToRunssh –v SshServerNameServer Host Key checksUses same login passwordAnd if we need to encrypt other traffic?Basic usessh SshServerNamessh –l UserName SshServerNamessh SshServerName CommandToRunssh –v SshServerNameServer Host Key checksUses same login passwordAnd if we need to encrypt other traffic?Port ForwardingI want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110:ssh –L 5110:mailserver:110 mailserverAll web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead:ssh –R 80:MyMachine:8000 firewallPort ForwardingI want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110:ssh –L 5110:mailserver:110 mailserverAll web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead:ssh –R 80:MyMachine:8000 firewallX Windows forwardingNo setup – already done!Run the X Windows application in the terminal window:xclock &The screen display shows up on your computer, and any keystrokes and mouse movements are sent back, all encrypted.Securely copying filesscpscp –p localfile remotemachine:/remotepath/filePrompts for authentication if neededAll traffic encryptedReplaces ftp, rcp, file sharingSSH key backgroundOld way: password stored on server, user supplied password compared to stored versionNew way: private key kept on client, public key stored on server.SSH key creationGeneral command:ssh-keygen –b 1024 –c “Comment” –f ~/.ssh/identity_fileDifferent forms for each of the SSH flavorsAssign a hard-to-guess passphrase to the private key during creation.Key can be used for multiple serversSSH key installation3 versions of ssh: interoperability is good, but poorly documentedssh-keyinstall utility automates the creation and installation“ssh-keyinstall –s SshServerName” creates keys, if needed, and installs them on the remote serverNeed password during key install onlyUsing SSH keysssh SshServerNamessh –l UserName SshServerNamessh SshServerName CommandToRunssh –v SshServerNamessh-agentRemembers your private key(s)Other applications can ask ssh-agent to authenticate you automatically.Unattended remote sessions.ssh-agent bashssh-agent startxeval `ssh-agent` #Less preferredssh-add [KeyName]Runs on top of Connection LayerProvides file transferProvides general file system accessDriven by commands similar to FTPSshd server configuration: sshd_configSubsystem sftp /usr/local/libexec/sftp-serverClient usesftp username@sshserverFile Transfer Protocol (sftp)TCP_wrappersServices do not need to offer should be disabledThere are a number of ways to disable services:Disable service from xinetd server, /etc/xinetd.d/service_nameDisable = yes delete entirely packagenameMost Linux distributions ship with tcp_wrappers "wrapping" all your TCP servicestcp_wrapper (tcpd) is invoked from inetd instead of the real server.tcpd checks the host that is requesting the service, and either executes the real server, or denies access from that host.TCP_wrappersEdit /etc/inetd.conf and replace the path to each network service daemon that you wish to place under access control with the path to tcpdFor example, the entry for the finger daemon in /etc/inetd.conf finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerdThe value in the sixth field is /usr/sbin/in.fingerd. To monitor access to the finger daemon, replace this value with /usr/sbin/tcpd, as in the following entry:finger stream tcp6 nowait nobody /usr/sbin/tcpd in.fingerdTCP_wrapperstcpd access control files/etc/hosts.allow : the list of hosts that are allowed to access the network's services/etc/hosts.deny : the list of hosts that are denied accessThe format of entries in both files is the same: service-list : host-list [: shell-command]A hosts.allow file might contain:imapd, ipopd3 : 172.16.12.ALL EXCEPT imapd, ipopd3 : ALL Controlling Access with xinetdxinetd has capabilities similar to those of wrapper. xinetd reads the /etc/hosts.allow , /etc/hosts.deny files and implements the access controls defined in those files. Additionally, xinetd provides its own logging and its own access controlsThe three parameters are:only_from: identifies the hosts that are allowed to connect to the serviceno_access: defines the hosts that are denied access to the serviceaccess_times: defines the time of day a service is available, in the form hour:min-hour:min.Controlling Access with xinetd/etc/xinetd.d/imap# default: off# description: The IMAP service allows remote users to access their mail using# an IMAP client such as Mutt, Pine, fetchmail, or Netscape \# Communicator.service imap{ disable = no socket_type = stream wait = no user = root server = /usr/sbin/imapd only_from = 127.0.0.1 bind = 127.0.0.1 log_on_success += HOST DURATION log_on_failure += HOST}lsofshow open files used by processeslsoflsof | grep LISTENTraditionally used to list PIDs of processes running on a given directory:lsof +D DIRECTORYLsof can also be used to display network sockets. For example the following line will list all internet connections:lsof -I Lsof outputNAME:name of the processPID:process ID USER:name of the user to whom the process belongsFD:File desciptor (e.g u = read write, r = read, w = write)TYPE:The file type (e.g REG = regular file)DEVICE:Major/Minor number (e.g 3,16 =/dev/hda16 )SIZE:Size or offset of the fileNODE:Inode of the file NAME:The name of the fileNMAPnmap - Network exploration tool and security scannerExample: scan Ip range to find opened port and OSNmap -sS -O 10.11.2.1-100Scan Types:SYN or Half-open: -sSUDP: -sUTCP NULL: -sNTCP Xmas: -sX++++ many more, Ack scans -sA, RPC scan -sR ...Other toolstcpdump – dump traffic on a networknetstat - Print network connections, routing tables ...Main options:r display routing tables l only listening servicesC display route cache --inet restrict to network socketsUpdate security alerts from Bugtraq, CERT, CIAC or other sourcesTest for open mail relays and anonymous FTP serversInstalling and configuring an intrusion detection system such as snort or TripwireUpdate the IDS configuration as new vulnerabilities are discovered Apply security patches and bugfixes.Security tasksSummaryIpchains and Iptables Configuring a routerSecuring FTP serversSecure shell (OpenSSH)TCP_wrappersSecurity tasks