Tcpwrapper Ssh Xinetd
Uploaded by vibhor-sharma
Transcript of Tcpwrapper Ssh Xinetd
RH253
Red Hat Network Services and Security Administration
Welcome!
Objectives

- Understanding and Managing NAT Firewall
  - IP routing (router configuration)
  - NAT firewall
- Understanding and Managing TCP Wrappers
  - Understanding hosts.allow and hosts.deny
  - Applying security using TCP Wrappers
- Understanding and Managing the xinetd daemon
  - Understanding the xinetd daemon
  - Applying security using the xinetd daemon
- Securing Computers using SSH Communications
  - Understanding SSH
  - Sending and receiving public keys
Enabling Routing

Step 1: Assign the following IP address information on each computer. The router sits between the internal 10.0.0.0/8 network and the external 192.168.0.0/24 network; each station uses the router interface on its own network as its default gateway:

  ROUTER    internal interface   IP address 10.1.1.1      subnet mask 255.0.0.0
            external interface   IP address 192.168.0.1   subnet mask 255.255.255.0
  station1  (internal network)   IP address 10.1.1.2      subnet mask 255.0.0.0      default gateway 10.1.1.1
  station2  (external network)   IP address 192.168.0.2   subnet mask 255.255.255.0  default gateway 192.168.0.1

Step 2: Enable IP forwarding on the router only (a host that is not meant to route should keep it off):

  vi /etc/sysctl.conf
  change    net.ipv4.ip_forward = 0
  to        net.ipv4.ip_forward = 1
  sysctl -p

sysctl -p reloads /etc/sysctl.conf so the change takes effect without a reboot and survives the next one; /proc/sys/net/ipv4/ip_forward should now read 1.
Understanding and Managing NAT Firewall
NAT Firewall?

Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several.

Types of NAT Firewall

- POSTROUTING [ SNAT ]
- PREROUTING [ DNAT ]

POSTROUTING [ SNAT ]

Source NAT translates the source address of outbound packets, and the destination address of the return packets. The rule lives in the POSTROUTING chain of the nat table, i.e. it is applied after the routing decision.

Example (web traffic from station1 leaves the router with the router's external address as its source):

  iptables -t nat -A POSTROUTING -s 10.1.1.2 -p tcp --dport 80 -j SNAT --to-source 192.168.0.1

PREROUTING [ DNAT ]

Destination NAT translates the destination address of inbound packets, and the source address of the return packets. The rule lives in the PREROUTING chain of the nat table, i.e. it is applied before the routing decision, so the rewritten packet is then routed to the internal host.

Example (connections to port 80 on the router's external address are handed to the web server on station1):

  iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.2

Two points worth checking when these rules do not behave as expected. First, the nat table is consulted only for the first packet of a connection; connection tracking then translates the rest of the flow, including the replies, which is why the reverse translations described above need no rule of their own. Second, NAT only rewrites addresses: the FORWARD chain must still permit the forwarded traffic. The SNAT target also needs a fixed external address; when the external address is assigned dynamically, use -j MASQUERADE instead.
Understanding and Managing TCP Wrappers
What is TCP Wrappers?

TCP Wrappers adds another layer of security: it lets you restrict access to network services by remote host, using lists of hosts kept in /etc/hosts.allow and /etc/hosts.deny.

TCP Wrappers stands guard between an incoming request and the requested service. Only services that are linked against libwrap (or started through a wrapper-aware super-server such as xinetd) consult these files; a daemon that is not wrapped is not affected by them at all.

Configuration Files

When a client connects to a "tcp wrapped" service, the access control lists /etc/hosts.allow and /etc/hosts.deny are examined. The server then either accepts or drops the connection, depending on the configuration. Policies can be specified per service and are usually written in terms of the client's IP address or host name.

Both files share the same basic syntax:

  service list : client list [ : option ... ]

Three stages of access checking, in this order; the first matching rule decides:

1. Is access explicitly permitted by a rule in /etc/hosts.allow? If so, allow.
2. Otherwise, is access explicitly denied by a rule in /etc/hosts.deny? If so, deny.
3. Otherwise, by default, permit access.

Because stage 3 permits, an empty or missing /etc/hosts.deny leaves every wrapped service open to any client that is not explicitly denied. For a default-deny policy, end /etc/hosts.deny with

  ALL : ALL

and list the permitted clients in /etc/hosts.allow.

Examples (client list patterns, shown for sshd):

  sshd : .example.com
      hosts whose name ends in .example.com
  sshd : ALL EXCEPT .cracker.org
      every host except those in .cracker.org
  sshd : ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
      EXCEPT nests to the right: every host except .cracker.org, but trusted.cracker.org is let back in
  ALL EXCEPT sshd : ALL
      every wrapped service other than sshd, for every client
  ALL EXCEPT sshd : ALL EXCEPT .cracker.org
  ALL EXCEPT sshd : ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
      the same client lists, applied to every service other than sshd

Name-based patterns depend on the reverse DNS of the client address; where the client's name is not under your control, prefer address patterns such as 10.1.1. (a trailing dot matches the prefix) or 206.182.68.0/255.255.255.0 (net/mask).
TCP Wrappers & Connection Banners

Displaying a suitable banner when users connect to a service is a good way to let potential attackers know that the system administrator is being vigilant.

Banner for vsftpd: create a banner file. It can be anywhere on the system, but it must have the same name as the daemon. Here the file is /etc/banners/vsftpd and contains the following lines:

  220-Hello, %c
  220-All activity on ftp.example.com is logged.
  220-Inappropriate use will result in your access privileges being removed.

The %c token supplies a variety of client information, such as the username and hostname, or the username and IP address, depending on how much of it is available.

For this banner to be displayed to incoming connections, add the following line to /etc/hosts.allow:

  vsftpd : ALL : banners /etc/banners/

Note that this rule matches ALL clients and sits in /etc/hosts.allow, which is consulted first, so it also grants vsftpd access to hosts that a rule in /etc/hosts.deny would otherwise have rejected. Use a narrower client list here if vsftpd is not meant to be open to everyone.
TCP Wrappers & Attack Warnings

If a particular host or network has been detected attacking the server, TCP Wrappers can be used to warn the administrator of subsequent attacks from that host or network using the spawn directive.

Suppose the 206.182.68.0/24 network has been detected attempting to attack the server. Place the following line in /etc/hosts.deny to deny any connection attempts from that network and to log the attempts to a special file:

  ALL : 206.182.68.0/255.255.255.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert

The client pattern has to cover the whole network: a bare 206.182.68.0 is compared literally against the client address and would match only that single address. The net/mask form above, or the prefix form 206.182.68. (with the trailing dot), matches every host in the /24.

The %d token supplies the name of the service that the attacker was trying to access. The spawned command runs once for every matching connection attempt, so keep it cheap.

To allow the connection and still log it, place the same spawn directive in /etc/hosts.allow instead.
TCP Wrappers & Enhanced Logging

If certain types of connections are of more concern than others, the log level can be elevated for that service using the severity option.

Consider a server that only offers FTP: anyone attempting to connect to port 23 (the Telnet port) on it has no legitimate business there. To denote this, log the attempt at the emerg priority instead of the default info, and deny the connection. Place the following line in /etc/hosts.deny:

  in.telnetd : ALL : severity emerg

This uses the default authpriv logging facility but raises the priority from info to emerg, which syslog typically broadcasts to every logged-in terminal, including the console. Because the rule is in /etc/hosts.deny, every matching connection is also refused.
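The rules above are easy to get subtly wrong (EXCEPT nesting, the precedence of hosts.allow over hosts.deny, the default-permit at stage 3, the difference between 206.182.68.0 and 206.182.68.0/255.255.255.0). The following is an added example, not part of the RH253 material and not the tcpd code: a small Python model of the hosts_access(5) decision that parses the two files, applies the three stages in order and expands the %c/%d/%h/%a tokens used by spawn and banners. The file contents are constructed from the rules on this page; the client names and addresses in the checks are invented, and the model takes the client's name as given rather than resolving it.

```python
import ipaddress
import re

# Constructed sample files built from the rules shown on this page.
HOSTS_ALLOW = """\
# first match wins, and hosts.allow is consulted before hosts.deny
sshd   : ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
vsftpd : ALL : banners /etc/banners/
"""
HOSTS_DENY = """\
ALL        : 206.182.68.0/255.255.255.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
in.telnetd : ALL : severity emerg
"""

EXCEPT = re.compile(r"\s+EXCEPT\s+", re.IGNORECASE)


def parse_rules(text):
    """Turn a hosts.allow/hosts.deny file into (service_list, client_list, options) triples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)] + ["", ""]
        rules.append((fields[0], fields[1], fields[2]))
    return rules


def match_service(pattern, daemon):
    return pattern.upper() == "ALL" or pattern == daemon


def match_client(pattern, host, addr):
    """One hosts_access(5) client pattern against the client's name and address."""
    upper = pattern.upper()
    if upper == "ALL":
        return True
    if upper == "LOCAL":                       # names without a dot
        return "." not in host
    if pattern.startswith("."):                # domain suffix, e.g. .example.com
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                  # address prefix, e.g. 206.182.68.
        return addr.startswith(pattern)
    if "/" in pattern:                         # net/mask, e.g. 206.182.68.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern.lower() == host.lower() or pattern == addr   # literal name or address


def match_list(spec, matcher):
    """'a b EXCEPT c EXCEPT d' matches a or b, unless (c unless d): EXCEPT nests to the right."""
    head, *rest = EXCEPT.split(spec, maxsplit=1)
    hit = any(matcher(p) for p in head.replace(",", " ").split())
    return hit if not rest else hit and not match_list(rest[0], matcher)


def expand(template, daemon, host, addr, user=None):
    """Expand the % tokens used in spawn commands and banners (%c, %d, %h, %a, %%)."""
    client = f"{user}@{host}" if user else host
    table = {"%a": addr, "%c": client, "%d": daemon, "%h": host, "%%": "%"}
    return re.sub(r"%[acdh%]", lambda m: table[m.group(0)], template)


def check(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY, user=None):
    """The three-stage check: hosts.allow, then hosts.deny, then permit by default.
    Returns (verdict, expanded options of the rule that decided)."""
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for services, clients, options in parse_rules(text):
            if match_list(services, lambda p: match_service(p, daemon)) and \
               match_list(clients, lambda p: match_client(p, host, addr)):
                opts = [o.strip() for o in options.split(":") if o.strip()]
                if "deny" in opts:             # the allow/deny options override the file a rule sits in
                    verdict = "deny"
                elif "allow" in opts:
                    verdict = "allow"
                return verdict, expand(options, daemon, host, addr, user)
    return "allow", ""   # stage 3: nothing matched, so access is granted


if __name__ == "__main__":
    # evil.cracker.org is kept out of hosts.allow by the EXCEPT clause, but with no
    # catch-all in hosts.deny it still gets in at stage 3
    print(check("sshd", "evil.cracker.org", "198.51.100.5"))
    print(check("sshd", "evil.cracker.org", "198.51.100.5", deny_text=HOSTS_DENY + "ALL : ALL\n"))
    print(check("in.telnetd", "attacker.example.net", "206.182.68.17"))
```

Running it shows the point of the default-deny caveat: evil.cracker.org is excluded from the sshd rule in hosts.allow, yet is allowed in until hosts.deny ends with ALL : ALL. It also shows that the page's vsftpd : ALL banner rule admits the attacking network to vsftpd, because hosts.allow is evaluated first.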
Understanding and Managing xinetd daemon
What is the xinetd daemon?

xinetd (the Extended Internet Services Daemon) is a super-server: it listens for connection requests on behalf of all of the services enabled in the /etc/xinetd.d directory and starts the corresponding server program when a connection arrives, so the individual servers need not run all the time. There is a generic configuration file, /etc/xinetd.conf; the files in /etc/xinetd.d are the service-specific configuration files.

Generic xinetd Configuration

Each file in /etc/xinetd.d describes one service that xinetd manages. By default, the services in this directory are disabled (disable = yes).

xinetd provides its own set of access control functions, applied before the server program is started:

- host based (only_from, no_access)
- time based (access_times)

Sample configuration

  service telnet
  {
          disable         = yes
          flags           = REUSE
          socket_type     = stream
          wait            = no
          user            = root
          only_from       = 192.168.0.24/24
          no_access       = 192.168.0.1
          access_times    = 08:00-16:00
          server          = /usr/sbin/in.telnetd
          log_on_failure  += USERID
  }

As written the service is still disabled; set disable = no and reload xinetd to activate it. only_from limits clients to the 192.168.0.0/24 network (xinetd reads 192.168.0.24/24 as that network), no_access then carves out the single host 192.168.0.1, and access_times restricts connections to 08:00-16:00. When a client address matches both only_from and no_access, the more specific match wins, which is why that one host is refused even though it lies inside the permitted network. log_on_failure += USERID adds the client's ident response to the log line written for refused connections. Telnet itself is unencrypted; the sample illustrates the access controls, not a recommendation to run telnet.
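To see how the host-based and time-based controls in that stanza combine, here is an added example (not the course's code and not xinetd's own parser): a Python model that reads the attributes of a service stanza and decides whether a client address is admitted at a given time of day. The stanza is the page's telnet sample with disable = no so the controls take effect; the client addresses and times in the checks are invented. The tie rule (equally specific only_from and no_access matches are refused) is an assumption of this model, and host names in only_from/no_access are not handled.

```python
import ipaddress
import re
from datetime import time

# Constructed stanza: the page's sample with disable = no so the access controls apply.
XINETD_TELNET = """\
service telnet
{
    disable        = no
    flags          = REUSE
    socket_type    = stream
    wait           = no
    user           = root
    only_from      = 192.168.0.24/24
    no_access      = 192.168.0.1
    access_times   = 08:00-16:00
    server         = /usr/sbin/in.telnetd
    log_on_failure += USERID
}
"""

ATTR = re.compile(r"^\s*(\w+)\s*(\+=|=)\s*(.*?)\s*$", re.M)


def parse_service(stanza):
    """Collect the 'name = value' and 'name += value' lines of one service stanza."""
    attrs = {}
    for name, op, value in ATTR.findall(stanza):
        attrs[name] = (attrs.get(name, "") + " " + value).strip() if op == "+=" else value
    return attrs


def match_addr(pattern, addr):
    """Return the prefix length the pattern matched with (larger = more specific), or None.
    Handles the x.x.x.x/n form and the x.x.x.0 form in which trailing zero octets are
    wildcards, both as described in xinetd.conf(5)."""
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
    else:
        octets = pattern.split(".")
        while len(octets) > 1 and octets[-1] == "0":
            octets.pop()
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        net = ipaddress.ip_network(f"{base}/{8 * len(octets)}", strict=False)
    return net.prefixlen if ip in net else None


def best_match(spec, addr):
    """Most specific match among a blank-separated address list, or None."""
    hits = [m for p in spec.split() for m in [match_addr(p, addr)] if m is not None]
    return max(hits) if hits else None


def hhmm(text):
    return time(*map(int, text.split(":")))


def in_access_times(spec, now):
    """access_times holds hh:mm-hh:mm ranges; an absent attribute means any time."""
    if not spec:
        return True
    for rng in spec.split():
        start, end = (hhmm(t) for t in rng.split("-"))
        if start <= now <= end:
            return True
    return False


def allowed(stanza, addr, now="12:00"):
    """Decide access for one client: disable, then only_from/no_access, then access_times.
    Assumption: if only_from and no_access match equally well, the client is refused."""
    attrs = parse_service(stanza)
    if attrs.get("disable", "no").lower() == "yes":
        return False, "service is disabled"
    permit = best_match(attrs["only_from"], addr) if "only_from" in attrs else None
    refuse = best_match(attrs["no_access"], addr) if "no_access" in attrs else None
    if "only_from" in attrs and permit is None:
        return False, "address not in only_from"
    if refuse is not None and (permit is None or refuse >= permit):
        return False, "no_access is the more specific match"
    if not in_access_times(attrs.get("access_times", ""), hhmm(now)):
        return False, "outside access_times"
    return True, "ok"


if __name__ == "__main__":
    for client, when in (("192.168.0.50", "10:00"), ("192.168.0.1", "10:00"),
                         ("192.168.0.50", "17:30"), ("10.1.1.2", "10:00")):
        print(client, when, allowed(XINETD_TELNET, client, when))
```

The specificity rule is what makes no_access = 192.168.0.1 win over only_from = 192.168.0.24/24: a /32 match beats a /24 match. With the lists reversed (only_from naming one host, no_access naming its network) the single host would be admitted.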
Understanding and Managing SSH
What is SSH?

SSH (Secure SHell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, so an intruder sniffing the network cannot collect passwords in the clear.

Features of SSH

- After an initial connection, the client can verify that it is connecting to the same server it had connected to previously: the server's host key is recorded in ~/.ssh/known_hosts on first use, and a changed key is reported loudly. The first connection is the one to be careful about, because the key is accepted when it is first seen unless it is checked out of band.
- The client transmits its authentication information to the server over the encrypted channel, using strong (at least 128-bit) symmetric encryption.
- All data sent and received during a session is transferred using the same strong encryption, making intercepted transmissions extremely difficult to decrypt and read.
- The client can forward X11 applications from the server. This technique, called X11 forwarding, provides a secure means to use graphical applications over a network.
Why should we use SSH? Network threats can be categorized as follows:

- Interception: the attacker is somewhere on the network between the communicating parties, copying any information passed between them. The attacker may intercept and keep the information, or alter it and send it on to the intended recipient. This attack can be mounted with a packet sniffer, a common network utility.
- Impersonation: the attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.

Encryption of the session addresses interception; host key verification addresses impersonation.
Procedure for SSH communication

SSH communication includes the following series of events to help protect the integrity of the communication between two hosts:

1. A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.
2. The transport layer of the connection between the client and the remote host is encrypted using a symmetric cipher negotiated during that handshake.
3. The client authenticates itself to the server (by password or by public key).
4. The client interacts with the remote host over the encrypted connection.

Using SSH (public key authentication)

Step 1: On the client, create a key pair:

  ssh-keygen -t rsa

(The course also lists -t dsa; DSA keys are disabled by default in current OpenSSH, so use rsa or ed25519.) The private key (~/.ssh/id_rsa) stays on the client and is never copied anywhere; only the public key (~/.ssh/id_rsa.pub) travels.

Step 2: Send the public key to the server you want to log into (not to a client):

  scp ~/.ssh/id_rsa.pub user@host:

Step 3: On the server, append the public key to ~/.ssh/authorized_keys. Append rather than cp, which would overwrite any keys already authorized, and keep the permissions tight: sshd ignores the file if it, ~/.ssh or the home directory is writable by others.

  mkdir -p ~/.ssh && chmod 700 ~/.ssh
  cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
  chmod 600 ~/.ssh/authorized_keys

ssh-copy-id user@host performs steps 2 and 3 in one go.
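Step 3 is where key installation usually goes wrong: an existing authorized_keys gets clobbered, a weak or mismatched key gets installed, or the permissions end up such that sshd silently ignores the file. The following is an added example, not the course's code and not part of OpenSSH: a Python helper that validates a public key line (the declared key type must match the type embedded in the base64 blob, ssh-dss is refused, short RSA moduli are refused), appends it to authorized_keys only if it is not already there, and writes the file with the permissions sshd expects. The demo keys are constructed in the block from dummy key material so that it runs offline; they are not usable keys, and the 2048-bit RSA floor is this example's policy, not something the page states.

```python
import base64
import os

DEPRECATED = {"ssh-dss"}      # DSA: disabled by default since OpenSSH 7.0
MIN_RSA_BITS = 2048           # policy chosen for this example


def _read_string(blob, offset):
    """One SSH wire-format string: 4-byte big-endian length, then that many bytes."""
    n = int.from_bytes(blob[offset:offset + 4], "big")
    return blob[offset + 4:offset + 4 + n], offset + 4 + n


def parse_key_line(line):
    """Split 'type base64 [comment]' and check that the blob really encodes that type.
    Lines with a leading options field (from=..., command=...) are not handled here."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, off = _read_string(blob, 0)
    if embedded != ktype.encode():
        raise ValueError(f"declared type {ktype} but blob says {embedded.decode(errors='replace')}")
    bits = None
    if ktype == "ssh-rsa":                      # blob = string "ssh-rsa", mpint e, mpint n
        _exponent, off = _read_string(blob, off)
        modulus, _ = _read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    return ktype, b64, comment, bits


def check_key(line):
    """Return None if the key line is acceptable, otherwise the reason to reject it."""
    try:
        ktype, _, _, bits = parse_key_line(line)
    except ValueError as exc:                   # binascii.Error is a ValueError too
        return f"malformed key line: {exc}"
    if ktype in DEPRECATED:
        return f"{ktype} keys are deprecated; generate an ed25519 or rsa key instead"
    if bits is not None and bits < MIN_RSA_BITS:
        return f"rsa key is only {bits} bits; {MIN_RSA_BITS} is the minimum"
    return None


def merge_authorized_keys(existing, new_line):
    """Append new_line unless that exact key (type + blob) is already present; never overwrite.
    Returns (new file contents, whether anything was added)."""
    problem = check_key(new_line)
    if problem:
        raise ValueError(problem)
    ktype, b64, _, _ = parse_key_line(new_line)
    for entry in existing.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            present_type, present_b64, _, _ = parse_key_line(entry)
        except ValueError:
            continue                            # options-prefixed or odd lines are left alone
        if (present_type, present_b64) == (ktype, b64):
            return existing, False
    body = existing if not existing or existing.endswith("\n") else existing + "\n"
    return body + new_line.strip() + "\n", True


def install_key(pub_line, ssh_dir):
    """Write authorized_keys the way ssh-copy-id does: 0700 directory, 0600 file."""
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = open(path).read() if os.path.exists(path) else ""
    merged, added = merge_authorized_keys(existing, pub_line)
    with open(path, "w") as fh:
        fh.write(merged)
    os.chmod(path, 0o600)
    return added


# Constructed demo keys: wire-format blobs built from dummy bytes, not real keys.
def _wire(*items):
    return b"".join(len(i).to_bytes(4, "big") + i for i in items)


def fake_key(ktype, *fields):
    return f"{ktype} {base64.b64encode(_wire(ktype.encode(), *fields)).decode()} demo@station1"


ED25519 = fake_key("ssh-ed25519", b"\x01" * 32)
DSA = fake_key("ssh-dss", b"\x01" * 128, b"\x01" * 20, b"\x01" * 128, b"\x01" * 128)
RSA_1024 = fake_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 128)   # 1024-bit modulus
RSA_4096 = fake_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 512)   # 4096-bit modulus

if __name__ == "__main__":
    text, added = merge_authorized_keys("", ED25519)
    _, again = merge_authorized_keys(text, ED25519)
    print(f"first add: {added}, second add of the same key: {again}")
    for line in (DSA, RSA_1024):
        print("rejected:", check_key(line))
```

install_key is the piece that replaces the cp in step 3; the other functions are what ssh-keygen -l and ssh-copy-id would otherwise be doing for you, made explicit so the checks can be run on a key file before it is trusted.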
X11 Forwarding

Opening an X11 session over an SSH connection is as easy as connecting to the SSH server with the -Y option and then running an X program from the resulting shell:

  ssh -Y user@example.com        (or ssh -Y user@x.x.x.x)

When an X program is run from the secure shell prompt, the SSH client and server create a new secure channel, and the X program data is sent over that channel to the client machine transparently.

-Y enables trusted X11 forwarding, which gives programs on the server full access to the client's X display, including other windows and keystrokes. Use -X (untrusted forwarding) unless the application actually needs -Y, and only forward displays to servers you trust, since a compromised server can abuse the forwarded display.

X11 forwarding can be very useful. For example, it can be used to create a secure, interactive session of the Printer Configuration Tool. To do this, connect to the server using ssh and type:

  system-config-printer &

After supplying the root password for the server, the Printer Configuration Tool appears and allows the remote user to safely configure printing on the remote system.
Port Forwarding - SSH

SSH can secure insecure TCP/IP protocols via port forwarding. When using this technique, the SSH connection becomes an encrypted conduit between the SSH client and the SSH server.

Port forwarding works by mapping a local port on the client to a remote port reachable from the server. SSH can map any port on the server side to any port on the client; the port numbers do not need to match for this technique to work.

To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the following command:

  ssh -L local-port:remote-host:remote-port username@hostname

To check email on a server called mail.example.com using POP3 through an encrypted connection, use the following command:

  ssh -L 1100:mail.example.com:110 mail.example.com

Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port 1100 on localhost to check for new mail. Any requests sent to port 1100 on the client system are carried inside the SSH connection to mail.example.com and delivered to its port 110.

Two things to check before relying on a tunnel. Only the leg between the SSH client and the SSH server is encrypted: here remote-host is the SSH server itself, so the whole path is protected, but if remote-host were a third machine the final hop from the SSH server to it would travel in the clear. And by default the forwarded port listens on 127.0.0.1 only, so other hosts cannot use the tunnel unless it is explicitly bound to another address.
XDMCP – X Display Manager Control Protocol
Thank You !!!