securing linux
what people can see
Big Picture
How to rob a bank
A bit of History
• 1954 & 1960 Bell System Tech Journals, trunk routing and frequencies
• Pranks: Wozniak called the Pope
• 2600 Hz tone: Captain Crunch whistle
• Phone phreaking
• Steve Wozniak's blue box tone generator
• 1990: phone system became digital
• War dialing: early form of scanning
• Wargames (1983)
Socket Programming
• USPS addressing
– 1520 Orchard Road Apt 2A
• IP addressing
– 192.168.10.50/5900
• Service / application listens on open port
• Instant messaging, VOIP in games, telnet, FTP, HTTP
• Protocols – languages
overview
• Network topologies
– eggshell architectures
• where to get information
– news groups and mailing lists
• mapping a network
– ping sweeps and traceroutes
• mapping a host
– port scans and OS fingerprinting
• network scanners
– everything in a single powerful package
• social engineering
– exploiting human nature
where to get information
• news groups and mailing lists
• forums
• WHOIS database
– www.arin.org
• DNS
Traditional topology
Enhanced traditional topology
Secure network topology
news groups / mailing lists / forums
• these are valuable resources
– system administrator
– newbie
• BUT people get over excited and reveal too much information (gear head syndrome)
• golden rule - remain faceless and traceless
• security through obscurity
– post only using generic terms
news groups / forums
• they are a source of information
– personal information
• name, address, title, phone, e-mail
– system configuration
• network architecture
• real host names and IP addresses
• hardware: brand names and model numbers
– archives
• this information never goes away!!!
• http://www.archive.org
news groups / mailing lists
• countermeasures:
– use generic titles, not real names
– use switchboard numbers, not personal numbers
– separate e-mail address
• work-related communication (generic title)
• personal communication
– [email protected]
– limit any public description of network
• fictitious IP addresses & fictitious host names
WHOIS database www.arin.org
• whenever a URL is registered
– information must be submitted with registration
– this information is publicly available
• whois utility
– may require installation
• linux example:
– whois lewisu.edu
– whois ibm.com
WHOIS database
• countermeasures:
– use generic titles, not real names
– use switchboard numbers, not personal numbers
– separate e-mail address
• work-related communication (generic title)
• personal communication
• obviously you MUST give valid information
• the goal is NOT to give away valuable information unnecessarily
DNS issues
• zone files have numerous options which provide information
– HINFO system info: CPU and OS
– TXT additional text
– RP responsible person information
• zone transfers
– mandatory from primary server to secondary server
DNS Basics
• Domain name system performs IP-to-name resolution on the internet
• Started in 1983 with RFC 882, it has grown into one of the largest and most powerful parts of the net.
• Other than name translation, a number of protocols and applications use DNS for their main activity
– SMTP for mapping e-mail addresses to their server
– SPF records, telephone numbers & addresses, certificates and other info stored in DNS zone records
BIND
• Berkeley Internet Name Domain Server
• BIND is open-source software that implements the DNS protocols for the Internet.
DNS issues
• dig DNS lookup utility (domain information groper) is a flexible tool for interrogating DNS name servers.
• linux example:
– dig -t hinfo hostname
– dig -t txt hostname
DNS issues
• reverse lookups (IP address --> URL) often provide too much free information
– 129.42.58.216 --> www.ibm.com
– www is a standard prefix for a web server
• linux example:
– dig www.lewisu.edu
– dig -x 204.248.57.178
DNS issues
• every version of bind (4, 8, and 9) has its flaws!
• 9 was a total rewrite and still had issues
– the following command
• host -c chaos -t txt version.bind <server>
– will usually tell you the specific version
• linux example:
– dig -c chaos -t txt version.bind
DNS issues
• countermeasures: faceless & traceless
– edit /etc/named.conf
• delete HINFO records
• delete TXT records
• RP records should contain generic title
• eliminate zone transfers
– primary to secondary server
» allow-transfer { 233.45.164.27; };
– otherwise
» allow-transfer { none; };
• disable the version.bind response
» version "not available";
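The HINFO / TXT / RP countermeasures above can be checked mechanically before a zone is loaded. The following audit script is an added example, not code from the slide deck; the zone text, the example.test names and the 192.0.2.x addresses are constructed placeholders.

```python
"""Audit a BIND zone for records that leak host details (HINFO, TXT, RP).

Added example, not from the slide deck. The zone text is constructed for
illustration: example.test names and 192.0.2.x addresses are placeholders.
"""
import re

# Record types the deck says to delete (HINFO, TXT) or make generic (RP).
LEAKY_TYPES = {"HINFO", "TXT", "RP"}

# Constructed sample zone; the records below are the kind the deck warns about.
SAMPLE_ZONE = """\
$TTL 86400
@        IN  SOA   ns1.example.test. hostmaster.example.test. (1 3600 900 604800 86400)
@        IN  NS    ns1.example.test.
ns1      IN  A     192.0.2.10
www      IN  A     192.0.2.20
www      IN  HINFO "PC-INTEL-686" "LINUX"    ; CPU and OS, handed straight to a scanner
mail     IN  A     192.0.2.30
mail     IN  TXT   "Sendmail 8.13 on RHEL 4, room B12"
@        IN  RP    jsmith.example.test. jsmith.example.test.
"""

# "<owner> [ttl] [IN] <TYPE> <rdata>"; $-directives and comment-only lines do not match.
_RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$")

def _parse(line):
    """Return the regex match for a resource-record line, with any ';' comment removed."""
    return _RR.match(line.split(";", 1)[0].rstrip())

def leaky_records(zone_text):
    """Return (owner, type, rdata) for every record whose type is in LEAKY_TYPES."""
    findings = []
    for line in zone_text.splitlines():
        m = _parse(line)
        if m and m.group(2) in LEAKY_TYPES:
            findings.append((m.group(1), m.group(2), m.group(3)))
    return findings

def scrub_zone(zone_text):
    """Drop HINFO and TXT records; rewrite RP to a generic role mailbox with no TXT pointer."""
    kept = []
    for line in zone_text.splitlines():
        m = _parse(line)
        rtype = m.group(2) if m else None
        if rtype in ("HINFO", "TXT"):
            continue
        if rtype == "RP":
            line = f"{m.group(1):<8} IN  RP    hostmaster.example.test. ."
        kept.append(line)
    return "\n".join(kept) + "\n"
```

Run leaky_records over the real zone file before named-checkzone; a TXT record that carries SPF or DKIM data is legitimate and should be kept, so review the findings rather than scrubbing blindly.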
protocols and services
• network layer
– IP: internet protocol
• transport layer
– ICMP: internet control message protocol
– UDP: user datagram protocol
– TCP: transmission control protocol
• services
IP: internet protocol
• foundational layer for higher level protocols
• packet header contains
– source IP address
– destination IP address
ICMP: internet control message protocol
• purpose of ICMP is to provide feedback about IP performance
• packet header contains
– source IP address, destination IP address
– packet type, checksum, data
• most well-known packet types
– 7 echo request
– 0 echo reply
– 3 destination unreachable
– 30 traceroute
UDP: user datagram protocol
• purpose of UDP is minimal transport service with no guarantee of delivery
– connection-less
• packet header contains
– source IP address, destination IP address
– source port number, destination port number
– length, checksum, data
• faster communication
– but packet loss possible
TCP: transmission control protocol
• purpose of TCP is a transport service with guarantee of delivery
– connection-oriented
• packet header contains
– source IP address, destination IP address
– source port number, destination port number
– sequence #, control bits, checksum, data
• slower communication
– but no packet loss
TCP: transmission control protocol
• control bits include:
– SYN, ACK, RST, FIN, ...
• building a connection:
– source sends SYN
– destination sends SYN/ACK
– source sends ACK
• terminating a connection:
– source sends FIN/ACK
– destination sends ACK
– destination sends FIN/ACK
– source sends ACK
services
• port numbers fall into three categories:
– 0 through 1023 well-known
– 1024 through 49151 registered
– 49152 through 65535 dynamic / private
• www.iana.org has responsibility for assigning well-known port numbers
• well-known port numbers can only be used by root
services
• linux example:
– less /etc/services
mapping a network
• ping sweeps
– cracker sees what is out there
• traceroutes
– cracker learns how to get there
• countermeasures
ping sweeps
• types of ping sweeps
– icmp ping: traditional echo request
– echo port ping: request to port 7 (echo)
– fast ping: icmp ping to multiple hosts
– network sweep
ping sweeps
• countermeasures:
– edit iptables and firewalls
• no incoming / outgoing ICMP requests
• limit ICMP requests to internal network only
• drop ICMP at firewall
– be sure echo port and chargen port are disabled
• edit /etc/inetd.conf or /etc/xinetd.conf
• consider disabling inetd or xinetd completely!
fundamental network tools
• netcat / nc
– swiss army knife of network communication
– invaluable to both
• the system administrator
• the cracker
• nmap
– basic tool for
• ping sweeps
• port scans
ntop
• ntop is a network traffic probe that shows network usage
– similar to the UNIX top command
• ntop is a daemon that monitors the network
• ntop has a web interface
traceroutes
• once potential targets have been identified via ping sweeps, the cracker can augment information about the hosts using traceroute
• often provides information regarding
– location
• ISP names and locations often visible
– hardware
• descriptive names for routers, switches, and hosts
traceroutes
• flavors
– UNIX traceroute
• command
– traceroute <target>
• sequence of UDP packets having increasing TTLs
– Matt's traceroute
• command
– mtr <target>
• sequence of ICMP packets having increasing TTLs
traceroutes
• countermeasures:
– edit iptables and firewalls
• drop ICMP request packets
• drop UDP packets in traceroute range
– 33,435 through 33,524
– do NOT use descriptive names for components within the network
• function / role
• vendor
mapping a host
• port scans
– cracker sees what ports are open
• OS fingerprinting
– cracker determines underlying software
• countermeasures
port scans
• what ports are open on the target host?
• what daemon is listening on each open port?
– what software? what version?
port scans
• tools
– netcat
• UDP scans
• TCP scans
– nmap
• UDP scans
• TCP scans
• TCP stealth scans
– strobe
port scans
• countermeasures:
– klaxon
• incorporated into /etc/inetd.conf or /etc/xinetd.conf
• to listen on unused ports
– scanlogd
• monitors ports for sudden increase in activity
– portsentry
• monitors up to 64 ports
• able to take action against an intruder!
– tcp wrappers and/or iptables
– psad
• analysis of firewall logs
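What scanlogd and psad do, reduced to its core, is count how many distinct ports one source touches inside a short time window in the firewall's drop log. The detector below is an added example, not the deck's code nor either tool's; the log lines are constructed iptables LOG output trimmed to the fields used, with documentation address ranges standing in for real hosts.

```python
"""Flag port scans in firewall drop logs, in the spirit of scanlogd and psad.

Added example, not the deck's code nor either tool's. The log lines are
constructed iptables LOG output trimmed to the fields used; 198.51.100.0/24
and 203.0.113.0/24 are documentation ranges. A source that probes at least
PORT_THRESHOLD distinct ports within WINDOW_SECONDS is reported.
"""
import re
from collections import defaultdict

PORT_THRESHOLD = 5    # distinct (proto, port) pairs; tune for the site
WINDOW_SECONDS = 10

SAMPLE_LOG = """\
03:14:15 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=44120 DPT=21
03:14:15 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=44121 DPT=22
03:14:16 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=44122 DPT=23
03:14:16 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=UDP SPT=5353 DPT=5353
03:14:17 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=44123 DPT=25
03:14:18 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=44124 DPT=80
03:14:40 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=5100 DPT=443
"""

_LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) .* SRC=(\S+) .* PROTO=(\S+) .* DPT=(\d+)")

def parse(line):
    """Return (seconds since midnight, src, proto, dport) or None for non-matching lines."""
    m = _LINE.match(line)
    if not m:
        return None
    h, mi, s, src, proto, dpt = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, proto, int(dpt)

def detect_scans(log_text, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Map each scanning source to the sorted (proto, port) set of the first window that tripped."""
    events = defaultdict(list)
    for t, src, proto, dpt in filter(None, map(parse, log_text.splitlines())):
        events[src].append((t, (proto, dpt)))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= threshold:
                hits[src] = sorted(ports)
                break
    return hits
```

A slow scan spread over minutes will slip under a ten-second window, which is why psad keeps per-source state for much longer; raise the window or lower the threshold on a quiet perimeter, and whitelist monitoring hosts that legitimately probe many ports.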
port scans
• identifying software listening on a given port is usually as simple as
– telnet <target> <port>
• software typically displays a banner announcing itself and its version number!
• countermeasures:
– remove / modify banner display
– example:
• in /etc/sendmail.cf
– OsmtpGreetingMessage=$jUPS 2005;$b
OS fingerprinting
• OS fingerprinting
– telnet is notorious for identifying
• the operating system, the distribution, even the kernel
– open ports often provide clues
• smtp, ssh, and portmap => UNIX
• netbios => Windows
– /etc/issue, /etc/issue.net, and /etc/motd
• often convey too much information
OS fingerprinting
• active OS fingerprinting
– send sequence of special IP packets to target
– catalog responses
– compare with database of responses from various operating systems
– software
• queso
• nmap
• xprobe
OS fingerprinting
• countermeasures:
– utilize a firewall in front of servers
• operating system detected is that of firewall and not that of the server
– disable ICMP packets at the firewall
• negates xprobe
– install IP Personality
• only for Linux 2.4 kernels?
• using iptables, can impersonate ANY operating system
OS fingerprinting
• passive OS fingerprinting
– does not initiate any additional IP traffic
– uses packet sniffing to gather information
– software
• siphon
• p0f
OS fingerprinting
• countermeasures
– can change some parameters of the operating system
• cat /proc/sys/net/ipv4/ip_default_ttl
– default value is 64
• echo 35 > /proc/sys/net/ipv4/ip_default_ttl
– change to 35
• edit error messages to masquerade as something else
– apache httpd.conf
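To see what the ip_default_ttl change actually buys, it helps to model the inference a passive tool makes from the TTL alone. The script below is an added example, not from the slide deck or from p0f/siphon; its initial-TTL table is a constructed simplification of what such tools carry.

```python
"""Why changing ip_default_ttl muddies passive TTL-based OS guessing.

Added example, not from the slide deck or from p0f/siphon. A passive
fingerprinter only sees the TTL left in a packet on arrival; it assumes the
sender started from the smallest common default (64, 128, 255) at or above
the observed value and infers hop count from the difference. The default
table is a constructed simplification of what such tools carry.
"""

# Constructed initial-TTL table: default TTL -> the stack family usually assumed.
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "network gear/older Unix"}

def guess_origin(observed_ttl):
    """Return (assumed initial TTL, inferred hops, family guess) for an observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("observed TTL must be 1..255")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]

def arriving_ttl(initial_ttl, hops):
    """TTL remaining after `hops` routers each decrement it (packet dies at 0)."""
    return max(initial_ttl - hops, 0)

def compare_defaults(hops, sysctl_ttl=35):
    """Guess a fingerprinter would make for a stock Linux host (64) vs. one with
    ip_default_ttl set to `sysctl_ttl`, both `hops` routers away."""
    return {
        "stock": guess_origin(arriving_ttl(64, hops)),
        "tuned": guess_origin(arriving_ttl(sysctl_ttl, hops)),
    }
```

The deck's value of 35 still lands in the 64 bucket, so on its own it only skews the hop-count estimate, whereas a value such as 128 moves the guess to a different family. TTL is one signal among several (window size, TCP options) that passive tools weigh, so treat this as a partial measure.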
network scanners
• combine ping sweeps, traceroutes, port scans, and OS fingerprinting together and you have a network scanner
• ISS: Internet Security Scanner
– first publicly available
• NESSUS
– the Cadillac of network scanners!
network scanners
• other network scanners
– Nmap
– SATAN: Security Administrator's Tool for Analyzing Networks
• SANTA!
– SAINT: Security Administrator's Integrated Network Tool
– SARA: Security Auditor's Research Assistant
– NSAT: Network Security Analysts Tool
• text based!
– raccess: Remote Access System
• doesn't just check host; it exploits if possible!
social engineering
• ten common techniques of social engineering
– impersonation
• pretend to be someone from inside the company to obtain passwords
• usually coupled with research regarding IT personnel
– sympathy
• usually request access to hardware: server room or PC
• usually coupled with dire consequences if unable to complete the task
social engineering
• ten common techniques (cont'd)
– wooing
• develop a trust relationship with the victim
• to obtain a wide range of information
– intimidation
• for victims who do not respond well to sympathy or wooing
• pretense: company official, government official, inspector
social engineering
• ten common techniques (cont'd)
– greed
• money or goods in exchange for information
– confusion
• create a diversion which vacates an office
• access logged-on session
social engineering
• ten common techniques (cont'd)
– shoulder surfing
• passive observation of typing
– either by physical presence as a trusted individual
– or by using some form of eavesdropping
– dumpster diving
• searching garbage for useful information
– either discarded papers
– or removable media
social engineering
• ten common techniques (cont'd)
– phishing
• request for victim to visit a false web site
• for purpose of updating invalid / obsolete information
– reverse social engineering
• present oneself as an expert who can fix a problem
• results in a reversal of roles:
– victim asks the questions
– social engineer provides the answers
» often being granted access to the computer systems
diy pen testing
• whois lewisu.edu
• host lewisu.edu
• dig lewisu.edu
• traceroute www.google.com
• ping lewisu.edu
• Check your box
– netstat -anp
– dmesg | more
– ps aux
Summary
• Remove extra packages and services / daemons; close unneeded ports
• Methodology of least privilege
• Adopt a minimalist approach
• Acknowledge no security silver bullets!
• Adopt a comprehensive secure design utilizing multiple layers of defense