10. Firewall

Linuxdasys 2003: Linux Security Tutorial
10.1 What is a Firewall
10.2 NAT Network Address Translation
10.3 Packet Filter
10.4 Stateful Packet Filter
10.5 Application Layer Gateway
10.6 Firewall Architectures
10.7 How iptables works
10.8 Using iptables
10.9 Exercise: iptables
© Michael Hamm, Service Informatique, CRP Henri Tudor
page 1 of 52
10.1 What is a Firewall
What is a Firewall?
- a network device for access control;
- it denies unauthorized access to an internal network;
- it works as a single point of access control;
What to protect?
- private data:
-- confidentiality,
-- integrity,
-- availability;
- resources;
- reputation;
What to protect against?
- break-ins;
- Denial of Service;
- loss (theft) of information;
What can a Firewall do?
- it is a very important security measure for rolling out the security policy;
- it logs important internet activities;
- it minimizes the points of access for an attacker;
What a Firewall CAN NOT do:
- protect against malicious internal users;
- protect other ways into your network;
- protect against completely new dangers;
- set itself up and manage itself;
Problems with Firewalls:
- they disturb the usual way users access the internet, making users angry;
- internal problems are almost always more important than external problems;
10.2 NAT Network Address Translation
- static NAT (1:1);
- Hidden NAT / Masquerading (*:1);
[Figure: NAT example. The internal hosts 10.1.11.2, 10.1.11.3 and 10.1.11.4 and the internal network 10.1.12.0/24 appear on the Internet side under the public addresses 172.23.20.2, 172.23.20.3, 172.23.20.4 and 172.23.20.5.]
10.3 Packet Filter
[Figure: TCP/IP stacks of Alice, the Router and Bob (Application Layer: web browser, e-mail client; Transport Layer (TCP/UDP); Network Layer (IP); Data Link Layer; Physical Layer). The Router's stack ends at the Transport Layer: a packet filter decides on Network and Transport Layer information only.]
10.4 Stateful Packet Filter
Example: FTP (File Transfer Protocol) in active mode
[Figure: FTP client 10.1.11.100 (control port 10001, data port 10002) and FTP server 172.23.20.2 (control port 21, data port 20). On the control channel the client announces "Port 10002" and the server answers "OK"; the server then opens the data channel from 172.23.20.2:20 to 10.1.11.100:10002. The stateful filter, which watches the control channel, concludes: "AHA, I dynamically have to generate a rule: allow incoming from 172.23.20.2:20 to 10.1.11.100:10002".]
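The "AHA" step of the figure in code, as an added example (not from the tutorial and not netfilter's own FTP helper): the control channel is read for the client's PORT command, the expected data connection server:20 -> client:port is derived from it, and an inbound SYN is classified RELATED only if it matches that expectation. The addresses are the slide's; the PORT line is constructed according to RFC 959, and the checks that the announced address equals the client's and that the port is unprivileged are assumptions about a sane helper.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (address bytes, then port bytes).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port_command(line, client_ip):
    """Return (ip, port) the client asks the server to connect back to,
    or None if the line is not a PORT command or is not acceptable."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    # Only create an expectation pointing back at the client that issued
    # the command, and only to an unprivileged port: a helper that trusted
    # arbitrary addresses would open holes for third parties (assumption).
    if ip != client_ip or port < 1024:
        return None
    return ip, port

def expect_data_channel(ctrl_src, ctrl_dst, port_line):
    """Given the control connection (client -> server:21) and a PORT line
    seen on it, build the rule the filter will accept as RELATED:
    server:20 -> client:port, i.e. the slide's dynamically generated rule."""
    client_ip, _ = ctrl_src
    server_ip, _ = ctrl_dst
    parsed = parse_port_command(port_line, client_ip)
    if parsed is None:
        return None
    return {"src": server_ip, "sport": 20, "dst": client_ip, "dport": parsed[1]}

def state_of(syn_pkt, expectations):
    """Classify an inbound SYN: RELATED if it matches a pending expectation
    (which is consumed, so it can be used once), NEW otherwise."""
    for i, e in enumerate(expectations):
        if all(syn_pkt.get(k) == v for k, v in e.items()):
            del expectations[i]
            return "RELATED"
    return "NEW"

if __name__ == "__main__":
    # Client 10.1.11.100 announces data port 10002 (39*256 + 18) to the
    # server 172.23.20.2 on the control channel 10001 -> 21.
    exp = expect_data_channel(("10.1.11.100", 10001), ("172.23.20.2", 21),
                              "PORT 10,1,11,100,39,18")
    pending = [exp]
    syn = {"src": "172.23.20.2", "sport": 20, "dst": "10.1.11.100", "dport": 10002}
    print(exp, state_of(syn, pending))
```

A SYN from the server to any other client port, or a second SYN after the expectation has been consumed, is NEW and falls through to the normal (denying) rules.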
10.5 Application Layer Gateway
[Figure: the same TCP/IP stacks as for the packet filter (Application Layer: web browser, e-mail client; Transport Layer (TCP/UDP); Network Layer (IP); Data Link Layer; Physical Layer), but here the Router's stack also has an Application Layer: an application layer gateway terminates the client's connection and speaks the application protocol itself.]
[Figure: client 10.1.11.101 on the internal network, proxy (application layer gateway) with the internal address 10.1.11.1 and the external address 172.23.20.1, web server 172.23.20.2 on the Internet; steps 1 to 5:]
1. The client wants to visit 172.23.20.2:80; the proxy is 10.1.11.1:3128.
2. The client opens a connection to 10.1.11.1:3128.
3. The proxy opens a connection to 172.23.20.2:80.
4. 172.23.20.2 sends the answer to 172.23.20.1.
5. The proxy sends the answer to 10.1.11.101.
10.6 Firewall Architectures
Packet filter only:
[Figure: Unsafe Network - Packet Filter - Safe Network]
Single-homed and Dual-homed Application Gateway:
[Figure: Unsafe Network - Application Gateway - Safe Network, drawn once with a single-homed gateway (one network interface) and once with a dual-homed gateway (two network interfaces, one per network)]
Packet Filter combined with Application Gateway:
[Figures: a packet filter and an application gateway in series between the Unsafe Network and the Safe Network, with the packet filter either in front of or behind the gateway]
Screened Subnet (DMZ), De-Militarised Zone:
[Figure: Unsafe Network - Packet Filter - DMZ - Packet Filter - Safe Network (LAN)]
DMZ with Single-Homed or Dual-Homed Application Gateway:
[Figure: Unsafe Network - Packet Filter - DMZ containing the Application Gateway - Packet Filter - Safe Network, drawn once with a single-homed and once with a dual-homed gateway]
DMZ with Internet Server:
[Figure: Unsafe Network - Packet Filter - DMZ (Application Gateway, Internet Server) - Packet Filter - Safe Network]
DMZ with Intranet Server:
[Figure: Unsafe Network - Packet Filter - DMZ (Application Gateway) - Packet Filter - Safe Network; the same layout with an Intranet Server added]
DMZ with a complex Mail and DNS concept:
[Figure: Unsafe Network - Packet Filter - DMZ (external MAIL and DNS server, Application Gateway, internal MAIL and DNS server) - Packet Filter - Safe Network]
10.7 How iptables works
1. A packet enters the network interface;
2. the interface unpacks the Data Link Layer information;
3. the interface forwards the packet to the kernel;
4. the kernel inspects the packet and chooses to reject, drop or accept it.
10.8 Using iptables
To view all rules presently loaded into netfilter, we use this command:
iptables --list
We can also specify a single chain to view, rather than viewing all chains at once:
iptables --list INPUT
To see numbered rules (by default, they're listed without numbers), use the --line-numbers option:
iptables --line-numbers --list INPUT
To remove all rules from all chains, we use:
iptables --flush
The basic syntax for writing iptables rules is:
iptables -I (insert)  chain_name rule_# rule_specification
         -D (delete)
         -R (replace)
         -A (append)
Examples:
To delete the third rule in the OUTPUT chain, we'd use the command:
iptables -D OUTPUT 3
To append a rule to the bottom of the INPUT chain:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m state --state NEW
Options:
-s sourceIP
-d destinationIP
-p tcp | udp | icmp | all
--dport destinationPort
--sport sourcePort
--tcp-flags mask comp       # the flags to examine, then the flags that must be set;
                            # flag names: SYN,ACK,PSH,URG,FIN,RST,ALL,NONE
--icmp-type type
-m state --state statespec  # Load the state module, and match the packet if its
                            # state matches statespec. statespec is a comma-delimited
                            # list containing some combination of NEW, ESTABLISHED,
                            # INVALID, or RELATED.
-j ACCEPT | DROP | LOG | REJECT | [chain_name]
10.9 Exercise: iptables
touch my_iptables.sh
chmod 700 my_iptables.sh
vi my_iptables.sh

#!/bin/bash
# Flush old rules
iptables --flush
iptables --delete-chain
# set default deny policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Do some rudimentary anti-IP-spoofing drops
iptables -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 255.0.0.0/8 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.??? -j LOG --log-prefix "Spoofed localhost! "
iptables -A INPUT -s 192.168.0.??? -j DROP

# the INPUT chain
# Anti-stealth-scanning rule
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt? "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Accept inbound packets that are part of previously-OK'ed sessions
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Accept inbound packets which initiate SSH sessions
iptables -A INPUT -p tcp -j ACCEPT -s 192.168.0.0/8 --dport 22 -m state --state NEW
# Accept inbound packets which initiate FTP sessions
iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW
# Accept inbound packets which initiate HTTP sessions
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
# Log anything not accepted above
iptables -A INPUT -j LOG --log-prefix "Dropped by default: "

# the OUTPUT chain:
# If it's part of an approved connection, let it out
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outbound ping (comment-out when not needed!)
iptables -A OUTPUT -p icmp -j ACCEPT --icmp-type echo-request
# Allow outbound DNS queries, e.g. to resolve IPs in logs
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# Log anything not accepted above - if nothing else, for troubleshooting
iptables -A OUTPUT -j LOG --log-prefix "Dropped by default: "
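To see what the exercise's chains do to concrete packets without a root shell, here is an added model of netfilter chain traversal (not part of the tutorial and not iptables code) that replays the rules of 10.7 to 10.9 in slide order: rules are Python predicates, LOG records a prefix and continues, ACCEPT and DROP end the walk, and an unmatched packet gets the chain policy. Packets are constructed dicts carrying the state conntrack would assign; 203.0.113.0/24 is documentation address space.

```python
from ipaddress import ip_address, ip_network

# Sources the exercise treats as spoofed on INPUT, in slide order.
SPOOFED = ["255.0.0.0/8", "0.0.0.0/8", "127.0.0.0/8",
           "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

def pkt(chain="INPUT", iface="eth0", proto="tcp", src="203.0.113.7",
        dst="203.0.113.1", dport=80, syn=True, state="NEW"):
    """Constructed packet as conntrack would present it to the rules."""
    return dict(chain=chain, iface=iface, proto=proto, src=src, dst=dst,
                dport=dport, syn=syn, state=state)

def from_net(cidr):
    # strict=False so that the slide's "192.168.0.0/8" is read the way
    # iptables reads it: the whole 192.0.0.0/8 block.
    net = ip_network(cidr, strict=False)
    return lambda p: ip_address(p["src"]) in net

def new_tcp_to(dport):          # -p tcp --dport N -m state --state NEW
    return lambda p: (p["proto"] == "tcp" and p["state"] == "NEW"
                      and p["dport"] == dport)

def stealth(p):                 # -p tcp ! --syn -m state --state NEW
    return p["proto"] == "tcp" and not p["syn"] and p["state"] == "NEW"

def established(p):             # -m state --state ESTABLISHED,RELATED
    return p["state"] in ("ESTABLISHED", "RELATED")

ssh_from_lan = from_net("192.168.0.0/8")

INPUT = [(lambda p: p["iface"] == "lo", "ACCEPT")]
for cidr in SPOOFED:
    INPUT += [(from_net(cidr), "LOG Spoofed source IP!"),
              (from_net(cidr), "DROP")]
INPUT += [
    (stealth, "LOG Stealth scan attempt?"), (stealth, "DROP"),
    (established, "ACCEPT"),
    (lambda p: new_tcp_to(22)(p) and ssh_from_lan(p), "ACCEPT"),
    (new_tcp_to(21), "ACCEPT"),
    (new_tcp_to(80), "ACCEPT"),
    (lambda p: True, "LOG Dropped by default:"),
]
OUTPUT = [
    (established, "ACCEPT"),    # inserted at position 1 by the slide
    (lambda p: p["iface"] == "lo", "ACCEPT"),   # iface = outgoing interface
    (lambda p: p["proto"] == "icmp", "ACCEPT"),           # echo-request
    (lambda p: p["proto"] == "udp" and p["dport"] == 53
               and p["state"] == "NEW", "ACCEPT"),
    (lambda p: True, "LOG Dropped by default:"),
]
CHAINS = {"INPUT": (INPUT, "DROP"), "OUTPUT": (OUTPUT, "DROP")}

def filter_packet(p):
    """Walk the packet's chain in order: LOG records a prefix and continues,
    ACCEPT/DROP end the walk, and the chain policy applies if nothing matched.
    Returns (verdict, list of log prefixes)."""
    rules, policy = CHAINS[p["chain"]]
    logs = []
    for match, target in rules:
        if not match(p):
            continue
        if target.startswith("LOG "):
            logs.append(target[4:])
            continue
        return target, logs
    return policy, logs

if __name__ == "__main__":
    # Shadowing: the anti-spoofing drop for 192.168.0.0/16 comes before the
    # SSH rule, so a LAN client is logged as spoofed and never reaches it.
    print(filter_packet(pkt(src="192.168.1.5", dport=22)))
    print(filter_packet(pkt(dport=80)))
    print(filter_packet(pkt(chain="OUTPUT", dport=80)))
```

Replaying the rules shows two properties of the exercise worth knowing before deploying it: the SSH rule for 192.168.0.0/8 is shadowed by the earlier anti-spoofing drop of 192.168.0.0/16, and the OUTPUT chain has no rule for new outbound TCP, so the host itself cannot open HTTP connections.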
11. IDS – Intrusion Detection System
11.1 What is ID
11.2 Host Based IDS
11.3 Tripwire
11.4 Network Based IDS
11.5 Snort
11.1 What is ID
"the art of detecting inappropriate, incorrect, or anomalous activity"
- IDS provides:
-- monitoring and analysis of user and system activity;
-- auditing of system configurations and vulnerabilities;
-- assessing the integrity of critical system and data files;
-- operating system audit;
- Classified by operation mode:
-- Host Intrusion Detection Systems - HIDS;
-- Network Intrusion Detection Systems - NIDS;
-- Network Node Intrusion Detection Systems - NNIDS;
- Classified by how they work:
-- Knowledge Based Intrusion Detection Systems;
-- Behaviour (Anomaly) Based Intrusion Detection Systems;
An IDS CAN:
- add an additional layer of security to your infrastructure;
- trace user activity from point of entry to point of impact;
- recognize and report alterations of data;
- detect when your system is under attack;
- detect errors in your system configuration;
An IDS CAN NOT:
- be the answer to all security problems;
- compensate for weak identification and authentication mechanisms;
- compensate for a weak security policy;
- conduct investigations of attacks without human intervention;
- compensate for weaknesses in network protocols;
- compensate for problems in the quality or integrity of the information the system provides;
11.2 Host Based IDS
- log (protocol) analyzers:
-- Logsurfer
-- Fwlogwatch
-- Logwatch
-- Logsentry (formerly Logcheck)
- file integrity:
-- Tripwire
- rights management at kernel and process level:
-- LIDS – Linux Intrusion Detection System
-- SNARE
11.3 Tripwire
Tripwire File Hierarchy
/usr/sbin/tripwire                     binaries
/etc/tripwire/                         configuration files
/var/lib/tripwire/$(HOSTNAME)          database file
/var/lib/tripwire/report/$(HOSTNAME)   report files
Installing
- from the RH9.0 CD-ROM 3
- use rpm
- cd /etc/tripwire
- ./twinstall.sh
Tripwire Configuration twcfg.txt --> tw.cfg
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =1
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =true
MAILPROGRAM            =/usr/lib/sendmail -oi -t
Tripwire Configuration twpol.txt --> tw.pol
############################################
#                                          #
#        Global Variable Definitions       #
#                                          #
############################################
@@section GLOBAL
TWDOCS="/usr/doc/tripwire";
TWBIN="/usr/sbin";
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
# HOSTNAME=dumpstar;
# HOSTNAME=arthur;
ADMIN1="root@localhost";
@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that change infrequently
                                     # but are accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never
                                     # change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change
                                     # permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal
                                     # security impact
SIG_MED       = 66 ;                 # Non-critical files that are of
                                     # significant security impact
SIG_HI        = 100 ;                # Critical files that are significant
                                     # points of vulnerability
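How a property mask such as $(IgnoreNone)-SHa, $(Dynamic) or +tpug decides what counts as a violation, as an added example (not Tripwire's code and not from the tutorial): masks are expanded like twadmin does, resolved into the set of watched property letters, and applied to two constructed snapshots of /etc/mtab. The letter meanings and the built-in masks follow Tripwire's documentation, restricted to the letters listed; the snapshot values are made up.

```python
import re

# Property letters used by the masks on this slide (a subset of Tripwire's).
PROPS = {
    "p": "permissions", "i": "inode", "n": "link count", "u": "owner",
    "g": "group", "t": "file type", "s": "size", "l": "growing size",
    "a": "access time", "m": "modification time", "c": "inode change time",
    "C": "CRC-32", "M": "MD5 hash", "S": "SHA hash", "H": "HAVAL hash",
}

# Tripwire's built-in masks, restricted to the letters above (assumption:
# the device and block-count letters d, r, b are left out of the model).
BUILTIN = {
    "IgnoreNone": "+pinugtsamcCMSH-l",
    "ReadOnly":   "+pinugtsmCM-lacSH",
    "Dynamic":    "+pinugt-slamcCMSH",
    "Growing":    "+pinugtl-samcCMSH",
}

# The slide's own definitions from the FS section of twpol.txt.
POLICY = dict(BUILTIN,
              SEC_CRIT="$(IgnoreNone)-SHa", SEC_SUID="$(IgnoreNone)-SHa",
              SEC_BIN="$(ReadOnly)", SEC_CONFIG="$(Dynamic)",
              SEC_LOG="$(Growing)", SEC_INVARIANT="+tpug")

def expand(mask, variables):
    """Substitute $(NAME) references textually, as twadmin does when it
    compiles twpol.txt into tw.pol; nested references such as
    $(SEC_CONFIG) -> $(Dynamic) are resolved by repeating until stable."""
    prev = None
    while prev != mask:
        prev = mask
        mask = re.sub(r"\$\((\w+)\)", lambda m: variables[m.group(1)], mask)
    return mask

def checked_properties(mask, variables):
    """Resolve a mask such as '$(SEC_CONFIG) -i' to the set of property
    letters Tripwire compares: '+' enables and '-' disables the letters
    that follow it, and later flags override earlier ones."""
    enabled, sign = set(), "+"
    for ch in expand(mask, variables).replace(" ", ""):
        if ch in "+-":
            sign = ch
        elif ch in PROPS:
            (enabled.add if sign == "+" else enabled.discard)(ch)
        else:
            raise ValueError(f"unknown property letter {ch!r}")
    return enabled

def violations(baseline, current, mask, variables):
    """Compare two snapshots (dicts keyed by property letter) and report
    only the differences the mask tells Tripwire to watch."""
    watched = checked_properties(mask, variables)
    return sorted((PROPS[p], baseline.get(p), current.get(p))
                  for p in watched if baseline.get(p) != current.get(p))

# Constructed snapshots standing in for stat() and hash results of /etc/mtab.
BASE = {"p": "0644", "i": 1201, "n": 1, "u": 0, "g": 0, "t": "file",
        "s": 512, "l": 512, "a": 100, "m": 100, "c": 100,
        "C": "crc-a", "M": "md5-a", "S": "sha-a", "H": "haval-a"}
# After a mount/unmount the file is rewritten: new inode, size, times, hashes.
AFTER_REMOUNT = dict(BASE, i=1305, s=530, l=530, a=200, m=200, c=200,
                     C="crc-b", M="md5-b", S="sha-b", H="haval-b")
CHOWNED = dict(BASE, u=1000)   # only the owner changed

if __name__ == "__main__":
    # "$(SEC_CONFIG) -i" (the slide's rule for /etc/mtab) stays quiet across
    # a remount, while $(SEC_CRIT) on the same file would report six changes.
    print(violations(BASE, AFTER_REMOUNT, "$(SEC_CONFIG) -i", POLICY))
    print(violations(BASE, AFTER_REMOUNT, "$(SEC_CRIT)", POLICY))
    print(violations(BASE, CHOWNED, "$(SEC_INVARIANT)", POLICY))
```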
##########################
# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen    -> $(SEC_BIN) ;
  $(TWBIN)/tripwire  -> $(SEC_BIN) ;
  $(TWBIN)/twadmin   -> $(SEC_BIN) ;
  $(TWBIN)/twprint   -> $(SEC_BIN) ;
}
##########################
# Tripwire Data Files
(
  rulename = "Tripwire Data Files",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  $(TWDB)                            -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                    -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                    -> $(SEC_BIN) -i ;
  # $(TWLKEY)/$(HOSTNAME)-local.key  -> $(SEC_BIN) ;
  $(TWSKEY)/site.key                 -> $(SEC_BIN) ;
  # don't scan the individual reports
  $(TWREPORT)                        -> $(SEC_CONFIG) (recurse=0) ;
}
##########################
# Commonly accessed directories that should remain static
# with regards to owner and group
(
  rulename = "Invariant Directories",
  emailto = $(ADMIN1),
  severity = $(SIG_MED)
)
{
  /               -> $(SEC_INVARIANT) (recurse = 0) ;
  /home           -> $(SEC_INVARIANT) (recurse = 0) ;
  /usr            -> $(SEC_INVARIANT) (recurse = 0) ;
  /usr/local      -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc            -> $(SEC_CONFIG) ;
  /etc/mtab       -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
  /etc/issue.net  -> $(SEC_CONFIG) -i ; # Inode number changes
}
##########################
# File System and Disk Administration Programs
# OS Utilities
# User Binaries
(
  rulename = "File System and OS Utilities",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  /sbin            -> $(SEC_CRIT) ;
  /bin             -> $(SEC_CRIT) ;
  /usr/sbin        -> $(SEC_CRIT) ;
  /usr/bin         -> $(SEC_CRIT) ;
  /usr/local/sbin  -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/bin   -> $(SEC_BIN) (recurse = 1) ;
}
##########################
# Temporary directories
(
  rulename = "Temporary directories",
  emailto = $(ADMIN1),
  recurse = false,
  severity = $(SIG_LOW)
)
{
  /var/tmp  -> $(SEC_INVARIANT) ;
  /tmp      -> $(SEC_INVARIANT) ;
}
##########################
# ReadOnly
(
  rulename = "ReadOnly",
  emailto = $(ADMIN1),
  severity = $(SIG_MED)
)
{
  /lib        -> $(SEC_BIN) ;
  /var        -> $(SEC_LOG) ;
  /var/log    -> $(SEC_LOG) -il ;
  /var/spool  -> $(SEC_INVARIANT) ;
}
##########################
# Libraries
(
  rulename = "Libraries",
  emailto = $(ADMIN1),
  severity = $(SIG_MED)
)
{
  /var/lib        -> $(SEC_BIN) ;
  /usr/lib        -> $(SEC_BIN) ;
  /usr/local/lib  -> $(SEC_BIN) ;
}
##########################
# Critical System Boot Files
(
  rulename = "Critical system boot files",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  /boot         -> $(SEC_CRIT) ;
  # /sbin/lilo  -> $(SEC_CRIT) ;
  !/boot/System.map ;
  !/boot/module-info ;
}
##########################
# These files change every time the system boots
(
  rulename = "System boot changes",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  !/var/run/ftp.pids-all ;        # Comes and goes on reboot.
  !/root/.enlightenment ;
  /dev/log      -> $(SEC_CONFIG) ;
  /dev/console  -> $(SEC_CONFIG) -u ;
  /dev/tty0     -> $(SEC_CONFIG) ; # tty devices
  /dev/tty1     -> $(SEC_CONFIG) ; # tty devices
  /dev/tty2     -> $(SEC_CONFIG) ; # tty devices
  /dev/tty3     -> $(SEC_CONFIG) ; # are extremely
  /dev/tty4     -> $(SEC_CONFIG) ; # variable
  /dev/tty5     -> $(SEC_CONFIG) ;
  /dev/tty6     -> $(SEC_CONFIG) ;
  /dev/urandom  -> $(SEC_CONFIG) ;
  /dev/initctl  -> $(SEC_CONFIG) ;
  /var/run      -> $(SEC_CONFIG) ; # daemon PIDs
  /var/lock     -> $(SEC_CONFIG) ;
  /lib/modules  -> $(SEC_CONFIG) ;
}
##########################
# These files change the behavior of the root account
(
  rulename = "Root config files",
  emailto = $(ADMIN1),
  severity = 100
)
{
  /root                -> $(SEC_CRIT) -amc ; # Catch all additions to /root
  /root/.bashrc        -> $(SEC_CONFIG) ;
  /root/.profile       -> $(SEC_CONFIG) ;
  /root/.bash_history  -> $(SEC_CONFIG) ;
}
##########################
# Critical devices
(
  rulename = "Critical devices",
  emailto = $(ADMIN1),
  severity = $(SIG_HI),
  recurse = false
)
{
  /dev/kmem      -> $(Device) ;
  /dev/mem       -> $(Device) ;
  /dev/null      -> $(Device) ;
  /dev/zero      -> $(Device) ;
  /proc/devices  -> $(Device) ;
  /proc/ksyms    -> $(Device) ;
  /proc/loadavg  -> $(Device) ;
  /proc/uptime   -> $(Device) ;
  /proc/locks    -> $(Device) ;
  /proc/version  -> $(Device) ;
  /proc/meminfo  -> $(Device) ;
  /proc/cmdline  -> $(Device) ;
  /proc/misc     -> $(Device) ;
}
Running tripwire for the first time:
Create tw.cfg (from twcfg.txt):
twadmin -m F -S site.key twcfg.txt
Create tw.pol (from twpol.txt):
twadmin -m P -S site.key twpol.txt
Initialize the Tripwire database:
tripwire --init
Running tripwire manually on a regular basis:
tripwire -m c -I
Running tripwire from crontab and receiving the e-mail report:
tripwire -m c -M > /dev/null
11.4 Network Based IDS
- A network-based ID system monitors the traffic on its network segment as its data source;
- it places the network interface card in promiscuous mode to capture all network traffic;
- it looks at the packets on the network as they pass by some sensor;
- a sensor can only see the packets that happen to be carried on the network segment it's attached to;
- packets are considered to be of interest if they match a signature;
- three primary types of signatures are string signatures, port signatures, and header condition signatures;
String signatures look for a text string that indicates a possible attack.
- cat "+ +" > /.rhosts
  causes a UNIX system to become extremely vulnerable;
Port signatures simply watch for connection attempts to well-known, frequently attacked ports.
- telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143);
If any of these ports aren't used by the site, then incoming packets to these ports are suspicious;
11.5 Snort
Snort File Hierarchy
/usr/sbin/       binary files
/etc/snort       config files
/var/log/snort   log files
Installation
- pre-install libpcap from CD-ROM 2
- use the tar.gz
After installing, check the snort account, the log directory and the init script:
cat /etc/passwd
cat /etc/shadow
cat /etc/group
ls -ld /var/log/snort
grep snort /etc/init.d/snortd
Invoking snort as a sniffer
bash-# snort -dvi eth0
03/22-22:25:26.041707 192.168.100.20:1052 -> 10.10.117.13:80
TCP TTL:63 TOS:0x10 ID:10528 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8651A4AB  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1805707 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/22-22:25:26.046576 10.10.117.13:80 -> 192.168.100.20:1052
TCP TTL:64 TOS:0x0 ID:33016 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x6D4A1B04  Ack: 0x8651A4AC  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 63072524 1805707 NOP
TCP Options => WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
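The port and string signatures of 11.4 applied to the sniffer output shown above, as an added example (not Snort code and not from the tutorial): the parser reads only the header and flag lines of snort -v records, a port signature fires on a SYN without ACK to a watched port the site does not use, and the string signature is the slide's /.rhosts command. The capture is the slide's two packets followed by three constructed connection attempts; the payload passed to the string check is constructed as well.

```python
import re

HEADER = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
PROTO = re.compile(r"^(TCP|UDP|ICMP) TTL:")
FLAGS = re.compile(r"^([12UAPRSF*]{8}) Seq:")   # Snort orders flags 1 2 U A P R S F

def parse_snort_output(text):
    """Split 'snort -v' output on its =+=+ separator lines and return one
    dict per packet with ts, src, sport, dst, dport, proto and flags."""
    packets = []
    for record in re.split(r"^=\+=.*$", text, flags=re.M):
        pkt = {}
        for line in record.splitlines():
            line = line.strip()
            if m := HEADER.match(line):
                pkt.update(ts=m[1], src=m[2], sport=int(m[3]),
                           dst=m[4], dport=int(m[5]))
            elif m := PROTO.match(line):
                pkt["proto"] = m[1]
            elif m := FLAGS.match(line):
                pkt["flags"] = m[1]
        if "src" in pkt:
            packets.append(pkt)
    return packets

# Well-known, frequently attacked ports named on the slide.
WATCHED_PORTS = {23: "telnet", 21: "ftp", 20: "ftp-data", 111: "sunrpc", 143: "imap"}

def is_connection_attempt(pkt):
    """TCP SYN without ACK: a flag string like '******S*' (A is position 4)."""
    f = pkt.get("flags", "")
    return pkt.get("proto") == "TCP" and len(f) == 8 and f[6] == "S" and f[3] != "A"

def port_signature_alerts(packets, site_ports):
    """Port signature: a connection attempt to a watched port that the
    site does not use is suspicious."""
    return [(p["ts"], p["src"], p["dport"], WATCHED_PORTS[p["dport"]])
            for p in packets if is_connection_attempt(p)
            and p["dport"] in WATCHED_PORTS and p["dport"] not in site_ports]

# String signature from the slide: this shell command opens a host to rlogin.
STRING_SIGNATURES = [b'cat "+ +" > /.rhosts']

def string_signature_alerts(payload):
    """Return the string signatures found in a packet payload."""
    return [s.decode() for s in STRING_SIGNATURES if s in payload]

# Constructed capture: the slide's two packets (SYN and SYN/ACK on port 80)
# followed by three made-up connection attempts to ports 23, 111 and 21.
SAMPLE = """\
03/22-22:25:26.041707 192.168.100.20:1052 -> 10.10.117.13:80
TCP TTL:63 TOS:0x10 ID:10528 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8651A4AB  Ack: 0x0  Win: 0x16D0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/22-22:25:26.046576 10.10.117.13:80 -> 192.168.100.20:1052
TCP TTL:64 TOS:0x0 ID:33016 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x6D4A1B04  Ack: 0x8651A4AC  Win: 0x7D78  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/22-22:26:01.000001 192.168.100.20:1053 -> 10.10.117.13:23
TCP TTL:63 TOS:0x10 ID:10529 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0x16D0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/22-22:26:02.000001 192.168.100.20:1054 -> 10.10.117.13:111
TCP TTL:63 TOS:0x10 ID:10530 IpLen:20 DgmLen:60 DF
******S* Seq: 0x2  Ack: 0x0  Win: 0x16D0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/22-22:26:03.000001 192.168.100.20:1055 -> 10.10.117.13:21
TCP TTL:63 TOS:0x10 ID:10531 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3  Ack: 0x0  Win: 0x16D0  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""

if __name__ == "__main__":
    pkts = parse_snort_output(SAMPLE)
    # With FTP and HTTP in use at the site, only telnet and sunrpc fire.
    print(port_signature_alerts(pkts, site_ports={21, 80}))
```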
Using Snort as a Packet Logger
bash-# snort -d -l ./snort/ -h 10.10.20.0/24
-d decode packets
-l log to the given directory
-h specify the home network
To "replay" the file (convert it to ASCII and display it) with Snort, use the -r flag:
bash-# snort -dv -r /var/log/snort/snort-0324\@2146.log
Configuring and Using Snort as an IDS
snort.conf usually takes this form:
- Variable definitions
- Preprocessor plug-in statements
- Output (postprocessor) statements
- Rules (in practice, usually include statements referring to rule files)
Variable definitions:
var HOME_NET 33.22.11.0/24,10.9.0.0/16,etc.
var DNS_SERVERS 33.22.11.1 33.22.11.32 etc
Output statements:
output database: log, mysql, user=root dbname=snort host=localhost
Rules:
include bad-traffic.rules
Starting snort in IDS mode
Invoke snort with the -T flag to test your configuration:
bash-# snort -T -c /etc/snort/snort.conf
When you and Snort are both happy:
bash-# snort -Dd -z est -c /etc/snort/snort.conf
Review your log files:
- port-scan entries in /var/log/snort/alert
- some packet headers logged to /var/log/snort/portscan.log