securing linux


Transcript of securing linux

Page 1: securing linux

securing linux

what people can see

Page 2: securing linux

Big Picture

How to rob a bank

Page 3: securing linux

A bit of History

• 1954 & 1960 Bell System Tech Journals, trunk routing and frequencies

• Pranks: Wozniak called the Pope

• 2600 Hz tone: Captain Crunch whistle

• Phone phreaking

• Steve Wozniak's blue box tone generator

• 1990: phone system became digital

• War dialing: early form of scanning

• Wargames 1983

Page 4: securing linux

Socket Programming

• USPS addressing – 1520 Orchard Road Apt 2A

• IP addressing – 192.168.10.50/5900

• Service / application listens on open port

• Instant messaging, VoIP in games, telnet, FTP, HTTP

• Protocols – languages

Page 5: securing linux

overview

• Network topologies

– eggshell architectures

• where to get information

– news groups and mailing lists

• mapping a network

– ping sweeps and traceroutes

• mapping a host

– port scans and OS fingerprinting

• network scanners

– everything in a single powerful package

• social engineering

– exploiting human nature

Page 6: securing linux

where to get information

• news groups and mailing lists

• forums

• WHOIS database – www.arin.org

• DNS

Page 7: securing linux

Traditional topology

Page 8: securing linux

Enhanced traditional topology

Page 9: securing linux

Secure network topology

Page 10: securing linux

news groups / mailing lists / forums

• these are valuable resources

– system administrator

– newbie

• BUT people get over-excited and reveal too much information (gear head syndrome)

• golden rule - remain faceless and traceless

• security through obscurity

– post only using generic terms

Page 11: securing linux

news groups / forums

• they are a source of information

– personal information

• name, address, title, phone, e-mail

– system configuration

• network architecture

• real host names and IP addresses

• hardware: brand names and model numbers

– archives

• this information never goes away!!!

• http://www.archive.org

Page 12: securing linux

news groups / mailing lists

• countermeasures:

– use generic titles, not real names

– use switchboard numbers, not personal numbers

– separate e-mail address

• work-related communication (generic title)

[email protected]

• personal communication

[email protected]

– limit any public description of network

• fictitious IP addresses & fictitious host names

Page 13: securing linux

WHOIS database www.arin.org

• whenever a URL is registered

– information must be submitted with registration

– this information is publicly available

• whois utility

– may require installation

• linux example:

– whois lewisu.edu

– whois ibm.com

Page 14: securing linux

WHOIS database

• countermeasures:

– use generic titles, not real names

– use switchboard numbers, not personal numbers

– separate e-mail address

• work-related communication (generic title)

[email protected]

• personal communication

[email protected]

• obviously you MUST give valid information

• the goal is NOT to give away valuable information unnecessarily

Page 15: securing linux

DNS issues

• zone files have numerous options which provide information

– HINFO system info: CPU and OS

– TXT additional text

– RP responsible person information

• zone transfers

– mandatory from primary server to secondary server

Page 16: securing linux

DNS Basics

• Domain Name System performs name-to-IP and IP-to-name resolution on the Internet

• Started in 1983 with RFC 882; has grown into one of the largest and most powerful parts of the net.

• Other than name translation, a number of protocols and applications use DNS for their main activity

– SMTP for mapping e-mail addresses to their servers

– SPF records, telephone numbers & addresses, certificates and other info stored in DNS zone records

Page 17: securing linux

BIND

• Berkeley Internet Name Domain Server

• BIND is open-source software that implements the DNS protocols for the Internet.

Page 18: securing linux

DNS issues

• dig DNS lookup utility (domain information groper) is a flexible tool for interrogating DNS name servers.

• linux example:

– dig -t hinfo hostname

– dig -t txt hostname

Page 19: securing linux

DNS issues

• reverse lookups (IP address --> URL) often provide too much free information

– 129.42.58.216 --> www.ibm.com

– www is a standard prefix for a web server

• linux example:

– dig www.lewisu.edu

– dig -x 204.248.57.178

Page 20: securing linux

DNS issues

• every version of bind (4, 8, and 9) has its flaws!

• 9 was a total rewrite and still had issues

– the following command

• host -c chaos -t txt version.bind <server>

– will usually tell you the specific version

• linux example:

– dig -c chaos -t txt version.bind

Page 21: securing linux

DNS issues

• countermeasures: faceless & traceless

– edit /etc/named.conf

• delete HINFO records

• delete TXT records

• RP records should contain generic title

• eliminate zone transfers

– primary to secondary server

» allow-transfer { 233.45.164.27; };

– otherwise

» allow-transfer { none; };

• disable the version.bind response

» version "not available";
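An added example (not part of the slides) that checks a zone file and a named.conf fragment for the leaks listed above: HINFO and TXT records, an RP record naming a real person, and an unrestricted allow-transfer. The zone text, the example.test names and the address list are constructed for this example.

```python
# Added example, not from the slides: an audit of a BIND zone file and a
# named.conf fragment for the leaks listed above. Both texts are constructed
# for this example; the record types and options are real BIND syntax in a
# simplified layout.
import re

ZONE = """\
$ORIGIN example.test.
@     IN SOA   ns1 hostmaster ( 2024010101 3600 900 604800 86400 )
@     IN NS    ns1
ns1   IN A     192.0.2.53
www   IN A     192.0.2.80
www   IN HINFO "Dell PowerEdge" "Linux 2.4"
www   IN TXT   "rack 12, server room B, call John x4321"
@     IN RP    john.doe.example.test. john-contact
"""

NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { any; };
};
"""

def audit_zone(zone_text):
    """Return (owner, type, reason) for each record that gives away information."""
    findings = []
    for line in zone_text.splitlines():
        m = re.match(r"^(\S+)\s+IN\s+(HINFO|TXT|RP)\s+(.*)$", line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if rtype == "HINFO":
            findings.append((owner, rtype, "reveals hardware and OS: " + rdata))
        elif rtype == "TXT":
            findings.append((owner, rtype, "free text: " + rdata))
        elif rtype == "RP" and not rdata.startswith("hostmaster"):
            # RP mailbox is a domain name (user.host.); only a generic role mailbox is acceptable
            findings.append((owner, rtype, "names a person: " + rdata.split()[0]))
    return findings

def allow_transfer_value(conf_text):
    """The allow-transfer address list, or None if unset (server default applies)."""
    m = re.search(r"allow-transfer\s*\{\s*([^}]*?)\s*;?\s*\}", conf_text)
    return m.group(1).strip() if m else None

def transfer_is_restricted(conf_text):
    value = allow_transfer_value(conf_text)
    return value is not None and value not in ("any", "")
```

Replacing `any` with the secondary's address (or `none`) is what turns the last check green.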

Page 22: securing linux

protocols and services

• network layer

– IP: internet protocol

• transport layer

– ICMP: internet control message protocol

– UDP: user datagram protocol

– TCP: transmission control protocol

• services

Page 23: securing linux

IP: internet protocol

• foundational layer for higher level protocols

• packet header contains

– source IP address

– destination IP address

Page 24: securing linux

ICMP: internet control message protocol

• purpose of ICMP is to provide feedback about IP performance

• packet header contains

– source IP address, destination IP address

– packet type, checksum, data

• most well-known packet types

– 7 echo request

– 0 echo reply

– 3 destination unreachable

– 30 traceroute

Page 25: securing linux

UDP: user datagram protocol

• purpose of UDP is minimal transport service with no guarantee of delivery

– connection-less

• packet header contains

– source IP address, destination IP address

– source port number, destination port number

– length, checksum, data

• faster communication

– but packet loss possible

Page 26: securing linux

TCP: transmission control protocol

• purpose of TCP is a transport service with guarantee of delivery

– connection-oriented

• packet header contains

– source IP address, destination IP address

– source port number, destination port number

– sequence #, control bits, checksum, data

• slower communication

– but no packet loss

Page 27: securing linux

TCP: transmission control protocol

• control bits include:

– SYN, ACK, RST, FIN, ...

• building a connection:

– source sends SYN

– destination sends SYN/ACK

– source sends ACK

• terminating a connection:

– source sends FIN/ACK

– destination sends ACK

– destination sends FIN/ACK

– source sends ACK

Page 28: securing linux

services

• port numbers fall into three categories:

– 0 through 1023 well-known

– 1024 through 49151 registered

– 49152 through 65535 dynamic / private

• www.iana.org has responsibility for assigning well-known port numbers

• well-known port numbers can only be used by root

Page 29: securing linux

services

• linux example:

– less /etc/services

Page 30: securing linux

mapping a network

• ping sweeps

– cracker sees what is out there

• traceroutes

– cracker learns how to get there

• countermeasures

Page 31: securing linux

ping sweeps

• types of ping sweeps

– icmp ping: traditional echo request

– echo port ping: request to port 7 (echo)

– fast ping: icmp ping to multiple hosts

– network sweep

Page 32: securing linux

ping sweeps

• countermeasures:

– edit iptables and firewalls

• no incoming / outgoing ICMP requests

• limit ICMP requests to internal network only

• drop ICMP at firewall

– be sure echo port and chargen port are disabled

• edit /etc/inetd.conf or /etc/xinetd.conf

• consider disabling inetd or xinetd completely!

Page 33: securing linux

fundamental network tools

• netcat / nc

– swiss army knife of network communication

– invaluable to both

• the system administrator

• the cracker

• nmap

– basic tool for

• ping sweeps

• port scans

Page 34: securing linux

ntop

• ntop is a network traffic probe that shows network usage

– similar to the UNIX top command

• ntop is a daemon that monitors the network

• ntop has a web interface

Page 35: securing linux

traceroutes

• once potential targets have been identified via ping sweeps, the cracker can augment information about the hosts using traceroute

• often provides information regarding

– location

• ISP names and locations often visible

– hardware

• descriptive names for routers, switches, and hosts

Page 36: securing linux

traceroutes

• flavors

– UNIX traceroute

• command

– traceroute <target>

• sequence of UDP packets having increasing TTLs

– Matt's traceroute

• command

– mtr <target>

• sequence of ICMP packets having increasing TTLs

Page 37: securing linux

traceroutes

• countermeasures:

– edit iptables and firewalls

• drop ICMP request packets

• drop UDP packets in traceroute range

– 33,435 through 33,524

– do NOT use descriptive names for components within the network

• function / role

• vendor

Page 38: securing linux

mapping a host

• port scans

– cracker sees what ports are open

• OS fingerprinting

– cracker determines underlying software

• countermeasures

Page 39: securing linux

port scans

• what ports are open on the target host?

• what daemon is listening on each open port?

– what software? what version?

Page 40: securing linux

port scans

• tools

– netcat

• UDP scans

• TCP scans

– nmap

• UDP scans

• TCP scans

• TCP stealth scans

– strobe

Page 41: securing linux

port scans

• countermeasures:

– klaxon

• incorporated into /etc/inetd.conf or /etc/xinetd.conf

• to listen on unused ports

– scanlogd

• monitors ports for sudden increase in activity

– portsentry

• monitors up to 64 ports

• able to take action against an intruder!

– tcp wrappers and/or iptables

– psad

• analysis of firewall logs
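An added example (not from the slides, and not scanlogd's or psad's own code) of the kind of check those tools perform: reading iptables LOG lines and flagging a source that hits many distinct ports within a few seconds. The log lines are constructed; the 7-port / 3-second threshold is an assumption for this example.

```python
# Added example, not from the slides: a scanlogd/psad-style check over
# iptables LOG lines that flags a source touching many distinct destination
# ports inside a short window. The log lines are constructed; the threshold
# and window are assumptions for this example, not scanlogd's real tuning.
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\d+)\s.*?SRC=(?P<src>[\d.]+).*?DST=(?P<dst>[\d.]+)"
                    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

# Constructed sample: 10.0.0.9 probes seven ports in two seconds,
# 10.0.0.7 opens two ordinary connections a minute apart.
SAMPLE_LOG = """\
100 kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=41000 DPT=21 SYN
100 kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=41001 DPT=22 SYN
100 kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=41002 DPT=23 SYN
101 kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=41003 DPT=25 SYN
101 kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=41004 DPT=80 SYN
102 kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=41005 DPT=110 SYN
102 kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=41006 DPT=443 SYN
100 kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=50000 DPT=22 SYN
160 kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=50001 DPT=80 SYN
"""

def parse(lines):
    """Yield (timestamp, src, dst, proto, dport) for every line that matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield int(m["ts"]), m["src"], m["dst"], m["proto"], int(m["dpt"])

def detect_scans(lines, threshold=7, window=3):
    """Map each suspicious source to the sorted ports it probed: a source is
    suspicious if some window-second span contains >= threshold distinct ports."""
    per_src = defaultdict(list)
    for ts, src, _dst, _proto, dport in parse(lines):
        per_src[src].append((ts, dport))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                hits[src] = sorted(ports)
                break
    return hits
```

A real deployment feeds `detect_scans` the lines of a LOG-target rule and hands the hits to the blocking step (tcp wrappers or an iptables DROP) the slide mentions.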

Page 42: securing linux

port scans

• identifying software listening on a given port is usually as simple as

– telnet <target> <port>

• software typically displays a banner announcing itself and its version number!

• countermeasures:

– remove / modify banner display

– example:

• in /etc/sendmail.cf

– OsmtpGreetingMessage=$jUPS 2005;$b

Page 43: securing linux

OS fingerprinting

• OS fingerprinting

– telnet is notorious for identifying

• the operating system, the distribution, even the kernel

– open ports often provide clues

• smtp, ssh, and portmap => UNIX

• netbios => Windows

– /etc/issue, /etc/issue.net, and /etc/motd

• often convey too much information

Page 44: securing linux

OS fingerprinting

• active OS fingerprinting

– send sequence of special IP packets to target

– catalog responses

– compare with database of responses from various operating systems

– software

• queso

• nmap

• xprobe

Page 45: securing linux

OS fingerprinting

• countermeasures:

– utilize a firewall in front of servers

• operating system detected is that of firewall and not that of the server

– disable ICMP packets at the firewall

• negates xprobe

– install IP Personality

• only for Linux 2.4 kernels?

• using iptables, can impersonate ANY operating system

Page 46: securing linux

OS fingerprinting

• passive OS fingerprinting

– does not initiate any additional IP traffic

– uses packet sniffing to gather information

– software

• siphon

• p0f

Page 47: securing linux

OS fingerprinting

• countermeasures

– can change some parameters of the operating system

• cat /proc/sys/net/ipv4/ip_default_ttl

– default value is 64

• echo 35 > /proc/sys/net/ipv4/ip_default_ttl

– change to 35

• edit error messages to masquerade as something else

– apache httpd.conf

Page 48: securing linux

network scanners

• combine ping sweeps, traceroutes, port scans, and OS fingerprinting together and you have a network scanner

• ISS: Internet Security Scanner

– first publicly available

• NESSUS

– the Cadillac of network scanners!

Page 49: securing linux

network scanners

• other network scanners

– Nmap

– SATAN: Security Administrator's Tool for Analyzing Networks

• SANTA!

– SAINT: Security Administrator's Integrated Network Tool

– SARA: Security Auditor's Research Assistant

– NSAT: Network Security Analysts Tool

• text based!

– raccess: Remote Access System

• doesn't just check host; it exploits if possible!

Page 50: securing linux

social engineering

• ten common techniques of social engineering

– impersonation

• pretend to be someone from inside the company to obtain passwords

• usually coupled with research regarding IT personnel

– sympathy

• usually request access to hardware: server room or PC

• usually coupled with dire consequences if unable to complete the task

Page 51: securing linux

social engineering

• ten common techniques (cont'd)

– wooing

• develop a trust relationship with the victim

• to obtain a wide range of information

– intimidation

• for victims who do not respond well to sympathy or wooing

• pretense: company official, government official, inspector

Page 52: securing linux

social engineering

• ten common techniques (cont'd)

– greed

• money or goods in exchange for information

– confusion

• create a diversion which vacates an office

• access logged-on session

Page 53: securing linux

social engineering

• ten common techniques (cont'd)

– shoulder surfing

• passive observation of typing

– either by physical presence as a trusted individual

– or by using some form of eavesdropping

– dumpster diving

• searching garbage for useful information

– either discarded papers

– or removable media

Page 54: securing linux

social engineering

• ten common techniques (cont'd)

– phishing

• request for victim to visit a false web site

• for purpose of updating invalid / obsolete information

– reverse social engineering

• present oneself as an expert who can fix a problem

• results in a reversal of roles:

– victim asks the questions

– social engineer provides the answers

» often being granted access to the computer systems

Page 55: securing linux

diy pen testing

• whois lewisu.edu

• host lewisu.edu

• dig lewisu.edu

• traceroute www.google.com

• ping lewisu.edu

• Check your box

– netstat -anp

– dmesg | more

– ps aux

Page 56: securing linux

Summary

• Remove extra packages and services / daemons; close unneeded ports

• Methodology of least privilege

• Adopt a minimalist approach

• Acknowledge no security silver bullets!

• Adopt a comprehensive secure design utilizing multiple layers of defense