Securing Network using Linux

Lesson Outline
• Setting up a secure system
• TCP Wrapper configuration
• Firewalls in Linux
• Authentication Systems
– NIS
– Kerberos
Types of Security Threats
• Denial of Service (DoS)
– This attack disrupts a service on the system
• Intrusion
– Unauthorised access, by compromising a service or by logging in with a stolen password
• Snooping
– This attack involves interception of another user's data, listening to all sensitive information transmitted
• Viruses, worms and Trojan Horses
Setting up a Secure System
• There are some very basic things that you have to do in order to secure your system
• Shutting down redundant services
– You have to disable all network daemons (services) that are not needed by the system
– Any network port that is listening for connections can be vulnerable to attack, because of probable exploits against the running daemon
– To find out which ports are open, type:
# netstat -an
Setting up a Secure System (cont.)
• By looking in /etc/services, or by passing -p to netstat, we can tell which service is running on each port
• Check each port that looks unnecessary
• Examples of vulnerable services:
– telnetd, sendmail, ftpd: they send passwords in clear text over the network. Instead of telnet use ssh
• Shutting down services involves editing the appropriate files on your system
Setting up a Secure System (cont.)
• On RedHat-based systems daemons are started by scripts in the /etc/rc.d/init.d directory
• Depending on the runlevel, each daemon/service is linked from the appropriate rcX.d directory, where 0<X<6
Setting up a Secure System (cont.)
• What to have in mind all the time:
– Never use simple passwords. Try to make them complex by mixing letters, symbols and numbers
– Do NOT work on the root account unless absolutely necessary
– Do not ignore the log files
– Update your system on a regular basis
TCP Wrapper Configuration
• A simple and effective way to protect the system
• TCP Wrappers “wrap” access to a service (e.g. the Apache web server), monitoring the connections to it and refusing unauthorised sites
• It is used in conjunction with inetd and xinetd
• It is a good way to control access to services that do not provide any native access control mechanism
TCP Wrapper Configuration (cont.)
• The TCP Wrapper is the first thing encountered when a connection is established with a service protected by the wrapper
• The TCP Wrapper is responsible for determining whether the connection comes from a source host that is allowed to connect
• Depending on whether you are using TCP Wrappers with inetd or xinetd there are two different approaches
TCP Wrapper Configuration (cont.)
with inetd
• If the system is using the inetd daemon you have to edit the /etc/inetd.conf file to use the TCP wrapper
• Using TCP wrappers requires just a small change to /etc/inetd.conf
• E.g. for the finger daemon
finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd
has to be changed to:
finger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.fingerd
This causes the tcpd command, which represents the TCP wrapper, to be executed instead of in.fingerd, and so protects the daemon
TCP Wrapper Configuration (cont.)
with xinetd
• xinetd is the replacement of inetd adopted by some distros
• In most cases xinetd has built-in support for TCP wrappers
• You need to modify the TCP wrapper configuration files (/etc/hosts.allow, /etc/hosts.deny)
TCP Wrapper Configuration (cont.)
with xinetd
• /etc/hosts.allow and /etc/hosts.deny specify the access rules that are applied to protect daemons
• When a TCP wrapper is invoked it obtains the IP address of the connecting host and its hostname
• If the IP of the host is specified in /etc/hosts.allow then access to the daemon/service is permitted
• If no match is found, /etc/hosts.deny is consulted. If the IP is listed there then the connection is closed
• If no match exists in either file then access is granted
TCP Wrapper Configuration (cont.)
with xinetd
• The syntax of those two files is simple
• Each file contains a set of rules
• General rule form:
daemon_list : client_list : shell_command
where daemon_list is a comma separated list of daemons to which the rule applies, client_list is a comma separated list of the hostnames or IP addresses to which the rule applies, and shell_command is optional, specifying the command to be executed when the rule matches
TCP Wrapper Configuration (cont.)
with xinetd
• Example rules:
1. /etc/hosts.deny
ALL:ALL # Deny everything from everywhere
In case nothing is specified in /etc/hosts.allow then this rule will refuse connections to any service by anyone
2. /etc/hosts.deny
ALL: ALL EXCEPT localhost # Deny everything except connections from the local host
3. /etc/hosts.allow
in.fingerd: ALL # Allow finger from anywhere; hosts.allow is consulted before hosts.deny
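The access decision described on the previous slides (hosts.allow first, then hosts.deny, otherwise grant) and the example rules above, worked through in an added Python model. This is not the slides' code nor the real tcpd implementation; the hosts.allow sshd rule with a trailing-dot network prefix is a hypothetical addition for illustration, and only the ALL, EXCEPT, exact-match and trailing-dot prefix forms are handled.

```python
# Constructed sample files: the lecture's example rules, plus a hypothetical
# sshd rule with a network prefix (trailing dot = whole 192.168.1.x network).
HOSTS_ALLOW = """\
in.fingerd: ALL
sshd: 192.168.1., localhost
"""
HOSTS_DENY = """\
ALL: ALL EXCEPT localhost
"""

def parse_rules(text):
    """Return (daemon_list, client_list) pairs; the optional shell_command is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        rules.append((fields[0], fields[1]))
    return rules

def list_matches(pattern_list, candidates):
    """Evaluate 'a, b EXCEPT c' against the candidate names/addresses."""
    include, _, exclude = pattern_list.partition(" EXCEPT ")

    def any_match(patterns):
        for pat in (p.strip() for p in patterns.split(",")):
            if pat == "ALL":
                return True
            for cand in candidates:
                if cand == pat or (pat.endswith(".") and cand.startswith(pat)):
                    return True
        return False

    return any_match(include) and not (exclude and any_match(exclude))

def access_allowed(daemon, ip, hostname, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match anywhere => access granted."""
    for text, verdict in ((allow, True), (deny, False)):
        for daemons, clients in parse_rules(text):
            if list_matches(daemons, [daemon]) and list_matches(clients, [ip, hostname]):
                return verdict
    return True
```

With these files, finger is reachable from anywhere, ssh only from 192.168.1.x or localhost, and any other daemon only from localhost; an empty hosts.allow with `ALL: ALL` in hosts.deny refuses everything, as rule 1 says.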
Firewalls in Linux
• TCP Wrappers only work with services configured using inetd or xinetd
• For stand-alone services another tool has to be used to control access
• In modern systems it is commonplace to get protection by IP filtering
• In IP filtering the kernel inspects each network packet transmitted or received by the host machine
Firewalls in Linux (cont.)
• The kernel IP filtering mechanism decides whether to allow or deny a certain packet
• IP filtering, though, does not provide protection from DoS attacks, Trojans and viruses
• IP filters take their decision according to the packet headers, which contain information like:
– Protocol Type (TCP, UDP)
– Source and Destination Port Numbers
• E.g. web servers like Apache use port 80 on the TCP protocol
Firewalls in Linux (cont.)
• IP filtering in Linux is implemented by the kernel
• There are three IP filtering/firewall generations in Linux:
– ipfw (IP firewall) for kernel versions 2.0.X
– ipchains in kernel versions 2.2.x
– netfilter/iptables in kernel versions 2.4.x
• netfilter is the kernel module while iptables is the user space configuration tool
Firewalls in Linux (cont.)
• We are going to describe netfilter/iptables, which refers to the modern kernel versions 2.4.x
• The iptables command allows rich and complex IP filtering rule definitions
• E.g.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
This command installs an IP filter that accepts new incoming connections to TCP port 22 (the ssh service) on our local system.
Firewalls in Linux (cont.)
• A set of rules defined by iptables is called a chain and is applied to all packets transmitted or received
• There are three system chains defined by the kernel:
– INPUT: Applies to packets received
– OUTPUT: Applies to packets sent
– FORWARD: Applies to all the packets that are routed from one network interface (net card) of the system to another. Helpful when the system works as a router or gateway
Firewalls in Linux (cont.)
• Actions that can be performed by rules include:
– ACCEPT: Accepts the packet
– DROP: Drops the packet, i.e. refusing to transmit or receive it
– The default action can be configured to be either ACCEPT or DROP
• netfilter also allows performing:
– Packet Logging
– Network Address Translation (NAT), aka IP masquerading
Firewalls in Linux (cont.)
• Each Linux distribution takes a slightly different approach to managing the firewall
• In RedHat-based distros all the rules are stored in /etc/sysconfig/iptables
• You first specify the rules using the iptables command and then you save them by typing as root:
– /sbin/service iptables save
Firewalls in Linux (cont.)
# Set the default policy on the INPUT chain to DROP.
# -P sets the default action of the specified chain, so here
# DROP the packets of the INPUT chain
iptables -P INPUT DROP
# ACCEPT all packets that have come from the loopback interface, that
# is, from the local host. '-i lo' identifies the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
-j here stands for “jump”, meaning that if a packet matches the rule
then processing will jump to what follows. The options after -j are:
ACCEPT: Allow the transmission of the packet
DROP: Drop the packet
QUEUE: Pass the packet to a user-space program for processing
RETURN: Returns the packet to the end of the rule chain
Firewalls in Linux (cont.)
# ACCEPT packets belonging to an existing (ESTABLISHED,RELATED)
# connection. '-A INPUT' is used to append to the INPUT chain.
# '-m state' uses the stateful inspection module.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ACCEPT new incoming FTP connections from 192.168.1/24.
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1/24 --dport 21 -j ACCEPT
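How the INPUT chain built on these slides is evaluated, as an added Python model (not the slides' code, and not iptables or netfilter itself): rules are tried in order, the first match decides the target, and the chain policy set with -P applies to everything else. The packets are constructed header summaries, the 192.168.1/24 network is written out as 192.168.1.0/24 for the ipaddress module, and the connection state is taken as given rather than tracked.

```python
import ipaddress

# Constructed model of the lecture's INPUT chain; not real iptables.
# A rule is (match conditions that must ALL hold, target).
INPUT_POLICY = "DROP"                                                # -P INPUT DROP
INPUT_CHAIN = [
    ({"iface": "lo"}, "ACCEPT"),                                     # -i lo
    ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),               # existing connections
    ({"state": {"NEW"}, "proto": "tcp", "dport": 22}, "ACCEPT"),     # ssh from anywhere
    ({"state": {"NEW"}, "proto": "tcp", "dport": 21,
      "src": "192.168.1.0/24"}, "ACCEPT"),                           # ftp from the LAN only
]

def rule_matches(match, pkt):
    """True only if every condition in the rule holds for this packet."""
    for key, want in match.items():
        if key == "state":
            if pkt["state"] not in want:
                return False
        elif key == "src":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(pkt, chain=INPUT_CHAIN, policy=INPUT_POLICY):
    """Rules are tried in order; the first match decides, else the chain policy applies."""
    for match, target in chain:
        if rule_matches(match, pkt):
            return target
    return policy

def packet(src, dport, state, proto="tcp", iface="eth0"):
    """Constructed packet header summary (the fields the filter looks at)."""
    return {"src": src, "dport": dport, "state": state, "proto": proto, "iface": iface}

if __name__ == "__main__":
    for p in (packet("127.0.0.1", 80, "NEW", iface="lo"),
              packet("203.0.113.9", 22, "NEW"),
              packet("203.0.113.9", 21, "NEW"),
              packet("192.168.1.7", 21, "NEW"),
              packet("198.51.100.4", 40123, "ESTABLISHED")):
        print(p["src"], p["dport"], p["state"], "->", verdict(p))
```

Note that a new FTP connection from outside 192.168.1/24, or a new connection to any port not listed, matches no rule and falls through to the DROP policy; with -P INPUT ACCEPT instead, the same unmatched packets would be accepted.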
Firewalls in Linux (cont.)
• You can see the list of rules currently applied on the system by typing:
– iptables -L -v
Reference – Using the iptables