Tcpwrapper Ssh Xinetd


Page 1: Tcpwrapper Ssh Xinetd

RH253

Red Hat Network Services and Security Administration

Welcome!

Page 2: Tcpwrapper Ssh Xinetd

Objectives

Understanding and Managing NAT Firewall
  IP-Routing (Router Configuration)
  NAT Firewall

Understanding and Managing TCP Wrappers
  Understanding hosts.allow and hosts.deny
  Applying Security using TCP Wrappers

Understanding and Managing xinetd daemon
  Understanding xinetd daemon
  Applying Security using xinetd daemon

Securing Computer using SSH communications
  Understanding SSH
  Sending and Receiving Public Keys

Page 3: Tcpwrapper Ssh Xinetd


Enabling Routing Step 1: Assign following IP-Address information on each computer

Page 4: Tcpwrapper Ssh Xinetd

ROUTER
  Internal interface: IP-ADDRESS = 10.1.1.1, SUBNET MASK = 255.0.0.0
  External interface: IP-ADDRESS = 192.168.0.1, SUBNET MASK = 255.255.255.0

station1 (Internal)
  IP-ADDRESS = 10.1.1.2, SUBNET MASK = 255.0.0.0, DEFAULT G/W = 10.1.1.1

station2 (External)
  IP-ADDRESS = 192.168.0.2, SUBNET MASK = 255.255.255.0, DEFAULT G/W = 192.168.0.1

Page 5: Tcpwrapper Ssh Xinetd

Enabling Routing

Step 1: Assign the following IP-Address information on each computer
Step 2: Enable IP-Forwarding

  vi /etc/sysctl.conf
  change  net.ipv4.ip_forward = 0  to  net.ipv4.ip_forward = 1
  sysctl -p

Page 6: Tcpwrapper Ssh Xinetd


Understanding and Managing NAT Firewall

Page 7: Tcpwrapper Ssh Xinetd


NAT Firewall?

Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several

Page 8: Tcpwrapper Ssh Xinetd

Types of NAT Firewall

POSTROUTING [ SNAT ]
PREROUTING [ DNAT ]

Page 9: Tcpwrapper Ssh Xinetd

POSTROUTING [ SNAT ]

Source NAT translates the source address of outbound packets, and the destination address of the corresponding return packets.

Example:

iptables -t nat -A POSTROUTING -s 10.1.1.2 -p tcp --dport 80 -j SNAT --to-source 192.168.0.1

Page 10: Tcpwrapper Ssh Xinetd

PREROUTING [ DNAT ]

Destination NAT translates the destination address of inbound packets, and the source address of the corresponding return packets.

Example:

iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.2
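The two rules above, modelled as an added example that is not part of the course slides: a small Python simulation of the router keeping a translation table (as the kernel's connection tracking does) so that outbound and inbound packets and their replies are rewritten the way the slides describe. The Packet and NatRouter names and the 203.0.113.5 web server address are constructed for this example.

```python
from dataclasses import dataclass, replace

# Addresses from the slides: the router's external address and station1 behind it.
ROUTER_EXTERNAL = "192.168.0.1"
INTERNAL_HOST = "10.1.1.2"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Models one POSTROUTING SNAT rule and one PREROUTING DNAT rule (constructed)."""

    def __init__(self):
        # (translated src, sport) -> original src, so replies can be un-translated
        self.snat_table = {}
        # (client src, sport) -> internal host that received the DNATed connection
        self.dnat_table = {}

    def snat_outbound(self, p):
        """POSTROUTING -s 10.1.1.2 -p tcp --dport 80 -j SNAT --to-source 192.168.0.1"""
        if p.src == INTERNAL_HOST and p.dport == 80:
            self.snat_table[(ROUTER_EXTERNAL, p.sport)] = p.src
            return replace(p, src=ROUTER_EXTERNAL)
        return p  # rule does not match: packet leaves unchanged

    def snat_return(self, p):
        """Reply to a translated flow: the destination is rewritten back to 10.1.1.2."""
        original = self.snat_table.get((p.dst, p.dport))
        return replace(p, dst=original) if original else p

    def dnat_inbound(self, p):
        """PREROUTING -d 192.168.0.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.2"""
        if p.dst == ROUTER_EXTERNAL and p.dport == 80:
            self.dnat_table[(p.src, p.sport)] = INTERNAL_HOST
            return replace(p, dst=INTERNAL_HOST)
        return p

    def dnat_return(self, p):
        """Reply from the internal server: the source is rewritten back to the router."""
        if p.src == INTERNAL_HOST and (p.dst, p.dport) in self.dnat_table:
            return replace(p, src=ROUTER_EXTERNAL)
        return p
```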

Page 11: Tcpwrapper Ssh Xinetd


Understanding and Managing TCP Wrappers

Page 12: Tcpwrapper Ssh Xinetd

What is TCP Wrappers?

TCP Wrappers add another layer of security to a computer: they let you restrict access to your system's services by remote hosts, using the lists of hosts kept in the /etc/hosts.allow and /etc/hosts.deny files.

TCP Wrappers stand guard between an incoming request and the requested service.

Page 13: Tcpwrapper Ssh Xinetd

Configuration Files

When a client connects to a “tcp wrapped” service, the access control lists /etc/hosts.allow and /etc/hosts.deny are examined. The server then either accepts or drops the connection, depending on the control list configuration. Policies can be specified for individual services and are usually configured in terms of the client's IP address.

Both files have the same basic syntax for listing the clients to allow or deny:

Service List : Client List

Page 14: Tcpwrapper Ssh Xinetd

Configuration Files

Three stages of access checking:

1. Is access explicitly permitted?
2. Otherwise, is access explicitly denied?
3. Otherwise, by default, permit access!

Configuration is stored in two files:
  Permissions in /etc/hosts.allow
  Denials in /etc/hosts.deny

Page 15: Tcpwrapper Ssh Xinetd

Configuration Files

Examples:

sshd: .example.com
sshd: ALL EXCEPT .cracker.org
sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
ALL EXCEPT sshd: ALL
ALL EXCEPT sshd: ALL EXCEPT .cracker.org
ALL EXCEPT sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
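To see how the three-stage check of the previous slide and the EXCEPT operator behave for lines like those above, here is an added Python model of the hosts_access(5) matching rules. It is not tcp_wrappers code: it covers only the ALL, EXCEPT, leading-dot hostname, trailing-dot address, net/mask and literal patterns, and ignores per-rule options such as spawn.

```python
import ipaddress


def pattern_matches(pattern, name, addr=""):
    """One hosts_access(5) pattern against a daemon name or a client (hostname, address)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # .example.com: hostname ends with the pattern
        return name.endswith(pattern)
    if pattern.endswith("."):            # 206.182.68.: address begins with the pattern
        return addr.startswith(pattern)
    if "/" in pattern and addr:          # net/mask (dotted mask or prefix length)
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == name or pattern == addr   # literal hostname or address


def list_matches(tokens, name, addr=""):
    """'a b EXCEPT c EXCEPT d' parses as (a b) EXCEPT (c EXCEPT d), as in hosts_access(5)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], name, addr) and not list_matches(tokens[i + 1:], name, addr)
    return any(pattern_matches(t, name, addr) for t in tokens)


def rule_matches(rule, daemon, host, addr):
    """A rule matches when both its daemon list and its client list match."""
    fields = [f.strip() for f in rule.split(":")]
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    return list_matches(daemons, daemon) and list_matches(clients, host, addr)


def hosts_access(allow_rules, deny_rules, daemon, host, addr):
    """The three stages: hosts.allow match, then hosts.deny match, then default permit."""
    if any(rule_matches(r, daemon, host, addr) for r in allow_rules):
        return "allow"
    if any(rule_matches(r, daemon, host, addr) for r in deny_rules):
        return "deny"
    return "allow"
```

Note that with an empty hosts.deny the third stage permits everything, which is why a restrictive setup pairs specific hosts.allow lines with a final "ALL: ALL" in hosts.deny.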

Page 16: Tcpwrapper Ssh Xinetd

TCP Wrappers & Connection Banners

Displaying a suitable banner when users connect to a service is a good way to let potential attackers know that the system administrator is being vigilant.

Banner for vsftpd: create a banner file. It can be anywhere on the system, but it must have the same name as the daemon. For example, /etc/banners/vsftpd contains the following lines:

220-Hello, %c

220-All activity on ftp.example.com is logged.

220-Inappropriate use will result in your access privileges being removed.

The %c token supplies a variety of client information, such as the username and hostname, or the username and IP address.

For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:

vsftpd : ALL : banners /etc/banners/

Page 17: Tcpwrapper Ssh Xinetd

TCP Wrappers & Attack Warnings

If a particular host or network has been detected attacking the server, TCP Wrappers can be used to warn the administrator of subsequent attacks from that host or network using the spawn directive.

Suppose the 206.182.68.0/24 network has been detected attempting to attack the server. Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file:

ALL : 206.182.68.0/255.255.255.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert

The %d token supplies the name of the service that the attacker was trying to access.

To allow the connection and log it, place the spawn directive in the /etc/hosts.allow file.

Page 18: Tcpwrapper Ssh Xinetd

TCP Wrappers & Enhanced Logging

If certain types of connections are of more concern than others, the log level can be elevated for that service using the severity option.

Anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker. To denote this, place an emerg flag in the log files instead of the default flag, info, and deny the connection.

To do this, place the following line in /etc/hosts.deny:

in.telnetd : ALL : severity emerg

This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.

Page 19: Tcpwrapper Ssh Xinetd


Understanding and Managing xinetd daemon

Page 20: Tcpwrapper Ssh Xinetd

What is xinetd daemon?

The xinetd program (the Extended Internet Services Daemon) can start a number of network server daemons as connections for them arrive. It listens for connection requests for all of the active servers that have scripts in the /etc/xinetd.d directory. There is a generic configuration file for xinetd services, /etc/xinetd.conf, and the scripts in the /etc/xinetd.d directory also function as service-specific configuration files.

Page 21: Tcpwrapper Ssh Xinetd

Generic xinetd Configuration

Each file in the /etc/xinetd.d directory specifies a particular service you want to allow xinetd to manage. By default, scripts in this directory are disabled.

xinetd provides its own set of access control functions:
  hosts based
  time based

Page 22: Tcpwrapper Ssh Xinetd

Sample configuration

service telnet
{
    disable         = yes
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    only_from       = 192.168.0.24/24
    no_access       = 192.168.0.1
    access_times    = 08:00-16:00
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
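As an added illustration (not xinetd's own code) of how only_from, no_access and access_times in the stanza above decide one connection: a small Python parser for the stanza plus a checker that applies the host-based rule (the more specific of the two address matches wins) and then the time window. The tie-breaking when both attributes match with equal specificity is an assumption, marked in the code.

```python
import ipaddress

# Constructed copy of the access-related lines of the slide's stanza.
SAMPLE = """
service telnet
{
    disable         = yes
    only_from       = 192.168.0.24/24
    no_access       = 192.168.0.1
    access_times    = 08:00-16:00
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
"""


def parse_stanza(text):
    """Collect 'key = value' and 'key += value' lines of one service block."""
    attrs = {}
    for line in text.splitlines():
        if "=" not in line:
            continue                      # 'service telnet', '{' and '}' carry no attribute
        key, _, value = line.partition("=")
        attrs[key.strip().rstrip("+").strip()] = value.strip()
    return attrs


def _specificity(pattern, addr):
    """Prefix length if the client address matches the pattern, else -1."""
    net = ipaddress.ip_network(pattern, strict=False)   # single host or CIDR block
    return net.prefixlen if ipaddress.ip_address(addr) in net else -1


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def xinetd_allows(attrs, client_ip, now):
    """Host-based, then time-based check for one connection at 'now' (HH:MM)."""
    # only_from absent means everyone (specificity 0); present but unmatched means -1.
    allow = max((_specificity(p, client_ip) for p in attrs.get("only_from", "").split()), default=0)
    deny = max((_specificity(p, client_ip) for p in attrs.get("no_access", "").split()), default=-1)
    # Assumption for this example: an equally specific match on both sides denies.
    if allow < 0 or deny >= allow:
        return False
    if "access_times" in attrs:
        start, end = attrs["access_times"].split("-")
        if not _minutes(start) <= _minutes(now) <= _minutes(end):
            return False
    return True
```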

Page 23: Tcpwrapper Ssh Xinetd


Understanding and Managing SSH

Page 24: Tcpwrapper Ssh Xinetd

What is SSH?

SSH™ (or Secure SHell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, making it difficult for intruders to collect unencrypted passwords.

Page 25: Tcpwrapper Ssh Xinetd

Features of SSH

After an initial connection, the client can verify that it is connecting to the same server it had connected to previously.

The client transmits its authentication information to the server using strong, 128-bit encryption.

All data sent and received during a session is transferred using 128-bit encryption, making intercepted transmissions extremely difficult to decrypt and read.

The client can forward X11 applications from the server. This technique, called X11 forwarding, provides a secure means to use graphical applications over a network.

Page 26: Tcpwrapper Ssh Xinetd

Why should we use SSH? Network threats can be categorized as follows:

Interception — The attacker can be somewhere on the network between the communicating parties, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient. This attack can be mounted through the use of a packet sniffer — a common network utility.

Impersonation — The attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.

Page 27: Tcpwrapper Ssh Xinetd

Procedure for SSH communication

SSH communication includes the following series of events to help protect the integrity of SSH communication between two hosts:

1. A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.
2. The transport layer of the connection between the client and remote host is encrypted using a symmetric cipher.
3. The client authenticates itself to the server.
4. The remote client interacts with the remote host over the encrypted connection.

Page 28: Tcpwrapper Ssh Xinetd

Using SSH

Step 1: Create a key pair
  ssh-keygen -t rsa   (or ssh-keygen -t dsa)
Step 2: Send the public key to the second computer
  scp id_dsa.pub [email protected]:
Step 3: On the second computer, copy the file into ~/.ssh/authorized_keys
  cp id_dsa.pub .ssh/authorized_keys

Page 29: Tcpwrapper Ssh Xinetd

X11 Forwarding

Opening an X11 session over an SSH connection is as easy as connecting to the SSH server using the -Y option and running an X program on a local machine.

ssh -Y <user>@example.com   (or ssh -Y <user>@x.x.x.x)

When an X program is run from the secure shell prompt, the SSH client and server create a new secure channel, and the X program data is sent over that channel to the client machine transparently.

X11 forwarding can be very useful. For example, X11 forwarding can be used to create a secure, interactive session of the Printer Configuration Tool. To do this, connect to the server using ssh and type:

system-config-printer &

After supplying the root password for the server, the Printer Configuration Tool appears and allows the remote user to safely configure printing on the remote system.

Page 30: Tcpwrapper Ssh Xinetd

Port Forwarding - SSH

SSH can secure insecure TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.

Port forwarding works by mapping a local port on the client to a remote port on the server. SSH can map any port from the server to any port on the client; port numbers do not need to match for this technique to work.

To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the following command:

ssh -L local-port:remote-host:remote-port username@hostname

Page 31: Tcpwrapper Ssh Xinetd

Port Forwarding - SSH

To check email on a server called mail.example.com using POP3 through an encrypted connection, use the following command:

ssh -L 1100:mail.example.com:110 mail.example.com

Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port 1100 on the localhost to check for new mail. Any requests sent to port 1100 on the client system are directed securely to the mail.example.com server.

Page 32: Tcpwrapper Ssh Xinetd

XDMCP – X Display Manager Control Protocol

Page 33: Tcpwrapper Ssh Xinetd

Thank You !!!