Unix+Security+Advanced+Admin+ Session2 Feb14


Page 1: Unix+Security+Advanced+Admin+ Session2 Feb14

UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION

(SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE)

A.Davous, 01/02/2009 Unix Security Advanced Admin 1

Page 2: Unix+Security+Advanced+Admin+ Session2 Feb14

FOREWORD

“No absolute security as long as system is accessed”

“In system administration, the evil is in details”

• For questions, contact is [email protected]
• with [ESGI] in subject field – otherwise, mail will be considered as spam by server rules.


Page 3: Unix+Security+Advanced+Admin+ Session2 Feb14

INTRODUCTION

• UNIX FLAVORS
• COMMON SENSE RULES OF SECURITY
• HOW SECURITY IS COMPROMISED
• UNIX DAEMONS, SERVICES AND SERVERS
• HANDS-ON : SUN VIRTUAL BOX


Page 4: Unix+Security+Advanced+Admin+ Session2 Feb14

WELL-KNOWN EXAMPLES

• Sendmail debug command mode : as sendmail runs with setuid root, a user can run any command with root power (try sudo and vi !...)
• Command passwd -f : no control of the entered GECOS field, so a user can add any new line to the password file
• Buffer overflow is a variant : a user can execute shellcode (to get a root shell) previously saved at some memory address, against programs that accept any input without control (exploit)
• SYN flooding : by sending a high rate of TCP open-session requests (SYN), the server fills its queue with half-open session data
• SQL injection : an SQL request to the database may be forged to execute malicious code


Page 5: Unix+Security+Advanced+Admin+ Session2 Feb14

FOR INFORMATION – UNIX RELEASES

Year   UNIX                 Solaris                     Linux
1969   AT&T Labs Unix
1977   Berkeley BSD Unix
1983   System V             From BSD & SysV :           From scratch :
1991                        Solaris 1.0 (= SunOS 4)     Linus Torvalds Linux
1992   FreeBSD, OpenBSD
1993                                                    Slackware ; Debian
1994                                                    Kernel 1.0 stable – RedHat
1995                        Solaris 2.5 (= SunOS 5.5)
2000                        Solaris 8 (= SunOS 5.8)
2001                        Solaris 9 (= SunOS 5.9)     Kernel 2.4
2003                                                    Fedora Core – Kernel 2.6
2005                        Solaris 10
2008                                                    Fedora 10

A.Davous, 17/09/2008 Solaris vs. Linux 5

Page 6: Unix+Security+Advanced+Admin+ Session2 Feb14

FOR INFORMATION – UNIX FLAVORS

• Unix time line http://www.levenez.com/unix/

• Linux distributions time line http://futurist.se/gldt/gldt76.png


Page 7: Unix+Security+Advanced+Admin+ Session2 Feb14

REMINDER – UNIX MANDATORY

• Read, read again documentation : man, man -k, makewhatis -u
• vi – what else could be expected ? vim, but mind its config and security
• Shells : sh – best choice for scripting ; then tcsh or bash… (current : ps)
• find, diff, touch, sort [-n]
• xargs
• grep, egrep, awk, Perl, expect


Page 8: Unix+Security+Advanced+Admin+ Session2 Feb14

WELL-KNOWN ATTACKS

Name                      Category         Definition
Sniffing                  Network          Get information from network transactions
Spoofing or masquerading  Network          Take identity of someone else
Denial of service         Network          Try to stop or degrade service – usually by flooding technique
Replaying                 Authentication   Replay abusive authentication or transaction
Repudiation               Authentication   Reject authentication or transaction
Spam                      Mail             Undesirable mail
Phishing                  Mail             Disguised mail to get confidential data
Hoax                      Mail             Joke with more or less consequences
Dictionary                Password         Test with list of most current words
Brute force               Password         By trying a large number of possibilities
Social engineering        All              Getting personal information by any means (physical, social network, …)


Page 9: Unix+Security+Advanced+Admin+ Session2 Feb14

MALICIOUS PROGRAMS (MALWARES)

Name            Definition
Virus           Inserts malicious code on machine
Worm            Separate process that exploits security holes in network
Trojan horse    Malicious program disguised as something innocuous or desirable
Backdoor        Method to bypass normal authentication procedures
Rootkit         Software set installed to get abusive rights, install backdoor and stay hidden
Spyware         Gathers information for commercial purposes
Key logger      Copies down the user’s keystrokes
Bomb            Crashes the system at a given time
Exploit         Exploits a security breach of a software


Most of these can be detected locally (by signature) – except some exploits that can be detected at network level (firewall)

Page 10: Unix+Security+Advanced+Admin+ Session2 Feb14

SECURITY KEY CONCEPTS

• Security goals : confidentiality, integrity, availability, authentication, non-repudiation
• 3 usual answers to threats : ignore, improvise or try to ‘over’ secure
• Right answer : determine field, identify and evaluate cost of resources (financial, confidentiality or production), determine security risks and strategy, monitor, upgrade


Page 11: Unix+Security+Advanced+Admin+ Session2 Feb14

STRATEGIES

• Strategies :
  Accept threat – but have a recovery plan
  Reduce threat – by appropriate means
  Transfer threat – to a vendor
  Bypass threat – by blocking access
• Understanding is key :
  Example of mail user privilege
  Protect all layers – example of firewalls
  Reduce exposed surface
  Protect but detect and answer – administrate !
• Security is or must be part of : conception, operation and deployment


Page 12: Unix+Security+Advanced+Admin+ Session2 Feb14

RISKS AND STRATEGY

Risks
• Human – malicious but often from authorized users
• Technical – hardware (physical access), software
• It is up to the sysadmin to decide what they are and the right level of protection

Strategy
• Security and comfort is a compromise
• Have a security policy, especially a recovery procedure


Page 13: Unix+Security+Advanced+Admin+ Session2 Feb14

HOW TO DO

In-depth (passive) protection
• (Physical – premises access)
• Network filtering
• Passwords
• Encryption
• Backup

(Active) security process
• Monitor and add corrections
• Full audit
• Upgrade


Page 14: Unix+Security+Advanced+Admin+ Session2 Feb14

SECURED DESIGN

• Open design or secret design debate (hidden flaws, issues discovered by community, provocation to exploits)

Common breaches
• Least user access (chroot as solution)
• Buffer overflow
• Printf function (insert conversion keys into string)
• Web programming (URL forging)
• Transactions, client/server (man-in-the-middle ; encryption, hashing as solutions)


Page 15: Unix+Security+Advanced+Admin+ Session2 Feb14

SOME TABLE LAWS…

• If someone can execute something on your computer, or if someone can modify your OS, or if someone can physically access your computer, it will not belong to you anymore
• As well, if someone can execute something on your web site, it will not belong to you anymore
• Weak passwords lead to security breaches
• A system is as secured as the sysadmin wants
• Encrypted data are as secured as the key used to encrypt them
• An anti-virus not updated is as useful as no anti-virus
• Anonymity is not useful but confidentiality is
• Technology is not the be-all
• Security measures work well when they are simple to use for the sysadmin and transparent to users


Page 16: Unix+Security+Advanced+Admin+ Session2 Feb14

REMINDER : PROCESSES

• Processes have four identities : real (for accounting) and effective (for access permissions) UID and GID ; usually the same except with setuid or setgid bit set
• Command ps
• Find setuid and setgid files over the system :
  find / -type f -perm /u+s,g+s -ls

Kinds of processes
• Interactive – controlled with & (run in background), ^Z (stop job), bg (restart in background), jobs (list current jobs)
• Batch
• Daemons


Page 17: Unix+Security+Advanced+Admin+ Session2 Feb14

DAEMONS, SERVERS, SERVICES

• Daemon, server, service concepts
• Daemon : program not part of kernel ; process that performs a specific function or system-related task
• Start at boot time or on demand

Specific system daemons
• init primordial process
• cron that schedules commands
• inetd that manages some of them


Page 18: Unix+Security+Advanced+Admin+ Session2 Feb14

WELL KNOWN DAEMONS

Name Description

init First process

syslogd, rsyslogd Syslog logging

sendmail Mail MTA – Mail Transfer Agent

lpd, lpsched Print scheduler

crond Cron process scheduler

getty, mingetty Terminal support

syncd, fsflush, bdflush, pdflush Disk buffer management

pagedaemon, swapper, kswap Swap management

inetd Main daemon to start on-demand TCP/IP services as telnetd, ftpd, rshd – see /etc/inetd.conf

named Bind DNS – Domain Name System

routed, gated TCP/IP routing daemons

dhcpd DHCP – Dynamic Host Configuration Protocol

portmap, rpcbind Port service resolution for RPC – Remote Procedure Call

nfsd NFS – Network File System

smbd, nmbd Samba

httpd Apache HTTP server

timed, ntpd, xntpd NTP – Network Time Protocol


Page 19: Unix+Security+Advanced+Admin+ Session2 Feb14

init DAEMON

• First process to run after system boot
• Always has PID 1 and is the ancestor of all other processes
• After startup, init consults /etc/inittab (or for BSD /etc/ttys) to determine on which physical ports it should expect users to log in (getty processes – even though network daemons are largely used today, or xdm for graphical interface)
• Also takes care of zombie processes (not running but listed)
• init defines run levels (passed as argument to it from boot loader) : 0 to 6 and s (single-user)
• An additional layer is given with startup scripts in /etc/init.d, linked to startup and stop scripts in /etc/rcX.d


Page 20: Unix+Security+Advanced+Admin+ Session2 Feb14

REMINDER : BOOTING – SHUTTING DOWN

Solaris SPARC
  Boot PROM (device detection) – access with STOP-A ; boot -s : single-user ; boot -r : reconfigure ; see ls -l /dev/rdsk/c0t0d0s0
  Kernel loading and initialization
  Device configuration : touch /RECONFIGURE
  Execution of startup scripts – Level 0 : shut down (init 0) - Level 1 or S : single user (init -s) - Level 6 : reboot (init 6)
  Scripts management : none or see 5.10 ; Configuration : /etc/default
  Multiuser mode
  Shutdown : /usr/sbin/shutdown -g secs -i6 (reboot) ; /usr/sbin/shutdown -g secs -i0 (shut down) ; /usr/sbin/shutdown -g secs -iS (single user)

Solaris x86/64
  ROM BIOS
  MBR of boot device
  Boot loader (GRUB since 5.10, see /boot/grub/menu.lst)
  Kernel loading, device configuration, startup scripts, scripts management, multiuser mode and shutdown : as for Solaris SPARC

Linux (Fedora Core)
  ROM BIOS
  MBR of boot device
  Boot loader (GRUB, see /boot/grub/menu.lst)
  Kernel loading and initialization
  Device detection and configuration
  Execution of startup scripts – Level 0 : shut down (init 0) - Level 1 or S : single user (init -s) - Level 6 : reboot (init 6)
  Scripts management : chkconfig ; Configuration : /etc/sysconfig
  Multiuser mode
  Shutdown : /usr/sbin/shutdown secs -r (reboot) ; /usr/sbin/shutdown secs -h (halt) ; /usr/sbin/shutdown secs -f (skip scandisk)



Page 21: Unix+Security+Advanced+Admin+ Session2 Feb14

OTHER CONCEPTS

• Command dmesg
• Core dump : ulimit -c
• Path :
  - try not to modify the root profile PATH variable
  - do not set an empty entry or ‘.’ in the PATH variable
  - in scripts (and configurations like cron), always use full paths for commands (as variables at the beginning)
• Disk quotas may be used to isolate an application (vs. original purpose)
• vi and other editors’ dump files feature
• History of shell commands
• who -r
• cp -p
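The PATH rules above can be checked mechanically. The POSIX sh function below is an added example, not from the slides: it walks a PATH value and reports the pitfalls listed (empty entries, ‘.’, relative entries) plus two related ones, dangling directories and directories writable by other users (read from the ‘other’ write bit of ls -ldL). The function name, messages and the --check switch are my own.

```shell
#!/bin/sh
# Added example: audit a PATH value for the pitfalls listed on the slide.
# audit_path PATHVALUE  -> prints one finding per line on stdout,
# exit status = number of findings (0 means the PATH is clean).

audit_path() {
    _rest="$1:"              # trailing ':' so the last field is seen too
    _findings=0
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}    # entry before the first ':'
        _rest=${_rest#*:}    # drop it together with the ':'
        case "$_dir" in
            "")
                echo "empty entry (searches the current directory)"
                _findings=$((_findings + 1)) ;;
            .)
                echo "'.' entry (searches the current directory)"
                _findings=$((_findings + 1)) ;;
            /*)
                if [ ! -d "$_dir" ]; then
                    echo "$_dir: does not exist (dangling entry)"
                    _findings=$((_findings + 1))
                elif [ "$(ls -ldL "$_dir" | cut -c9)" = "w" ]; then
                    # 9th character of the mode string is the 'other' write bit
                    echo "$_dir: world-writable (anyone can plant a command there)"
                    _findings=$((_findings + 1))
                fi ;;
            *)
                echo "$_dir: relative entry (resolved from the current directory)"
                _findings=$((_findings + 1)) ;;
        esac
    done
    return "$_findings"
}

# Stand-alone use: sh audit_path.sh --check  (audits the caller's PATH)
if [ "${1-}" = "--check" ]; then
    audit_path "$PATH"
    echo "findings: $?"
fi
```

Run it from a root profile or a cron job and treat any non-zero exit status as something to fix before the next login.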


Page 22: Unix+Security+Advanced+Admin+ Session2 Feb14

ANSWERS TO QUESTIONS - 1

• Gentoo (2003) : visible on time line ; derives from Enoch (1999) which was built from scratch. Compiles on installation taking into account the processor’s instruction set.
• ESCAPING TO SHELL WITH VI, MORE, …
  Type : (colon) to get into command mode, then ! (exclamation mark) to run any shell command, then type any command
• locate – updatedb : search of a pattern ( *file* ) instead of a filename ( file )
  locate ntp == find / -name "*ntp*"
  locate -b '\ntp' == find / -name ntp
• History length : on sh or bash this is set with $HISTSIZE (tcsh : $HISTORY). See following profiles slide and hands-on (depending on shell, use man, setenv or printenv)


Page 23: Unix+Security+Advanced+Admin+ Session2 Feb14

ANSWERS TO QUESTIONS - 2

• grep
  # egrep pattern file(s)       Shows filenames & lines that match [ filename: line ]
  # egrep -L pattern file(s)    Lists files that do not contain any line matching

• awk
  # ifconfig -a | awk 'BEGIN {printf "%-4s %-19s %-15s\n","If","MAC","IP"} / Link/ {a=a+1 ; printf "%.4s %17s",$1,$5 ; getline ; printf "%15s\n",substr($2,6,15)} END {print "Total nbr:", a}'
  If   MAC                 IP
  eth0 00:09:5B:BD:FA:D2   192.168.0.1
  eth1 00:0E:A6:9F:7C:AA   89.156.6.39
  lo                       127.0.0.1
  Total nbr: 3


Page 24: Unix+Security+Advanced+Admin+ Session2 Feb14

USERS ADMINISTRATION - PROFILES

Main shells

sh
  Startup : /etc/profile (login shells) ; .profile (login shells)
  Upon termination : any command or script specified using trap ″command″ 0

tcsh
  Startup : /etc/csh.cshrc (always) ; /etc/csh.login (login shells) ; .tcshrc (always) ; .cshrc (if no .tcshrc file is present) ; .login (login shells)
  Upon termination : .logout (login shells)
  Other : .history (saves history based on "$savehist") ; .cshdirs (saves directory stack)

bash
  Startup : /etc/profile (login shells) ; .bash_profile (login shells) ; .profile (login shells, if no .bash_profile file is present) ; .bashrc (interactive non-login shells) ; $ENV (non-interactive shells)
  Upon termination : .bash_logout (login shells)
  Other : .inputrc (readline initialization)


Nothing specific to OS but to shell. However, it is worth to know !

Page 25: Unix+Security+Advanced+Admin+ Session2 Feb14

PASSWORD CRACK TOOLS

Usage of these tools is illegal on computers where you have not been explicitly authorized to do it.
But it is recommended to test your own password files – anyhow, crackers will do it with them.

Crack
• Locations : /usr/share/crack ; /usr/libexec/crack ; /usr/bin
• Quick-start commands :
  # umask 077
  # ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
  # Crack -nice 5 /root/unshadp
  # CrackReporter
• Results in ~/run directory

John the Ripper
• Locations : /usr/share/john ; /usr/libexec/john
• Quick-start commands :
  # umask 077
  # unshadow /etc/passwd /etc/shadow > /root/unshadp
  # john [--rules --wordfile=FILE] /root/unshadp
• Results in ~/john.pot


Page 26: Unix+Security+Advanced+Admin+ Session2 Feb14

EXAMPLE FOR JOHN - 1


Page 27: Unix+Security+Advanced+Admin+ Session2 Feb14

EXAMPLE FOR JOHN - 2

...New UNIX password: 12345...
12345 (essai1)
guesses: 1 time: 0:00:00:05 8% (2) c/s: 4880 trying: Sunshine1 ^C

...New UNIX password: cathy...
cathy (essai1)
guesses: 1 time: 0:00:00:04 6% (2) c/s: 4891 trying: decembers ^C

...New UNIX password: djk7sdf...
guesses: 0 time: 0:00:00:34 37% (2) c/s: 4886 trying: blondie? ^C


Page 28: Unix+Security+Advanced+Admin+ Session2 Feb14

SOME PHYSICAL ATTACKS

• Physical access must be protected – if not, an attacker can open the case and reset the EEPROM (where the BIOS password is saved) or can steal the hard disk…
• BIOS (or boot PROM for Sun) level must be protected (with a password) – if not, an attacker can boot on its own CD/DVD
• If partitions are not encrypted, booting with a CD/DVD gives access to data (with mount command) and so to /etc/passwd (this is an official recovery procedure for a lost root password)
• For backup purposes, a recovery CD (or software installation CD) is usually needed
  # mkbootdisk `uname -r`
• Network may need to be redundant (High Availability) by duplicating network interfaces, switches, routers. Multiple redundant interfacing is named channel bonding (or IP multipath for Sun) – otherwise, DoS


Page 29: Unix+Security+Advanced+Admin+ Session2 Feb14

ROOT PASSWORD RECOVERY

Simplest procedure using single user mode – case of Fedora 10
• At the GRUB screen, edit the current boot line (e)
• Edit the kernel line (e) by adding ‘single’ at the end (single user mode)
• Save and boot (b)
• Command passwd can then be entered with root privileges to reset the root password

GRUB is protected if :
• the GRUB bootloader has a timeout (/boot/grub/menu.lst) – suppress it (0)
• or a password (add line password --md5 PASSWORD in menu.lst)
  The encrypted password is given by command
  # grub-md5-crypt
  which returns a PASSWORD that can be pasted


Page 30: Unix+Security+Advanced+Admin+ Session2 Feb14

ROOT, sudo AND SECURITY

• Never log in as root directly
• su - (minus to inherit the root environment instead of the user’s one)
• Never change the root shell
• Package sudo is used to give some determined root rights to standard users (with their own passwords !)
  - Configuration file : /etc/sudoers (440), editable only with the visudo command – see man sudo, man sudoers
  - Never configure shells or utilities that escape to a shell as commands (more, less, vi,…) because commands will be executed as root !
  - sudo -v : restart timeout
  - sudo may be integrated with PAM
  - passwords are not encrypted ; SSH is the solution
  - usage can be forced by replacing the su command with a symbolic link to sudo


Page 31: Unix+Security+Advanced+Admin+ Session2 Feb14

SUDO CONFIGURATION LINES EXAMPLES

Host_Alias FILESERVERS = fs1, fs2
User_Alias ADMINS = antoine, john
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Defaults requiretty

root ALL = (ALL) ALL
antoine fs1 = /sbin/mount, /mnt/cdrom
ADMINS FILESERVERS = SOFTWARE
dgb fs2 = (operator) /bin/ls

• The most important : the sudoers config should be set to span over multiple servers (by simple file transfer and copy)
• Last : the user dgb may run /bin/ls, but only as operator, e.g.
  # sudo -u operator /bin/ls
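The rule from the previous slide (never hand out pagers, editors or shells through sudo, because their shell escape runs as root) can be checked against a sudoers file before it is copied to the other servers. The script below is an added example, not from the slides or from the sudo project: it expands Cmnd_Alias definitions and flags every non-root user specification whose command list contains a program known to escape to a shell. The sample sudoers text written by write_sample_sudoers is constructed for this demonstration, and the list of escaping programs is my own starting point, to be extended with whatever your hosts provide.

```shell
#!/bin/sh
# Added example: flag sudoers entries that grant programs able to escape
# to a shell.  check_sudoers FILE -> prints one finding per line,
# exit 1 when something was found, 0 otherwise.

check_sudoers() {
    awk '
    function basename(p,    n, a) { n = split(p, a, "/"); return a[n] }
    # programs with a well-known shell escape (":!cmd" in vi, "!" in more/less, ...)
    function escapes(cmd) {
        return basename(cmd) ~ /^(ALL|sh|bash|csh|tcsh|ksh|zsh|vi|vim|view|more|less|man)$/
    }
    function check(who, cmd,    exe) {
        exe = cmd; sub(/[ \t].*$/, "", exe)          # program without its arguments
        if (escapes(exe)) { printf "%s may run %s (shell escape)\n", who, cmd; found++ }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[ \t]*(Defaults|Host_Alias|User_Alias|Runas_Alias)/ { next }
    /^[ \t]*Cmnd_Alias/ {                             # remember NAME = cmd, cmd
        sub(/^[ \t]*Cmnd_Alias[ \t]+/, "")
        split($0, kv, /[ \t]*=[ \t]*/)
        cmdalias[kv[1]] = kv[2]
        next
    }
    {   # user specification:  who  hosts = [(runas)] cmd1, cmd2, ALIAS
        who = $1
        if (who == "root") next                       # root having ALL is expected
        eq = index($0, "="); if (eq == 0) next
        cmds = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmds)       # drop the (runas) part
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            cmd = c[i]; gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            if (cmd in cmdalias) {
                m = split(cmdalias[cmd], ac, /[ \t]*,[ \t]*/)
                for (j = 1; j <= m; j++) check(who, ac[j])
            } else {
                check(who, cmd)
            }
        }
    }
    END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample sudoers (not a real configuration), written to $1.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample
Host_Alias FILESERVERS = fs1, fs2
User_Alias ADMINS = antoine, john
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias PAGERS = /usr/bin/less, /bin/more
Defaults requiretty
root ALL = (ALL) ALL
ADMINS FILESERVERS = SOFTWARE
dgb fs2 = (operator) /bin/ls
helpdesk ALL = PAGERS, /usr/bin/vi /etc/motd
EOF
}

# Stand-alone use: sh check_sudoers.sh --demo
if [ "${1-}" = "--demo" ]; then
    f=$(mktemp); write_sample_sudoers "$f"; check_sudoers "$f"; rm -f "$f"
fi
```

On the sample file the three helpdesk commands (less, more and vi /etc/motd) are reported and the script exits 1; the ADMINS and dgb lines pass. Run it with visudo's -c check before distributing the file.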


Page 32: Unix+Security+Advanced+Admin+ Session2 Feb14

REMINDER : TELNET, (T)FTP, R* SERVICES

• Started by (x)inetd server
• Reminder telnet : useful for tests (not only port 23)
  # telnet host [port]
• TFTP : used for X terminals startup : no authentication at all
• telnet, FTP : security problem with clear-text passwords shown…
• R* services
  Commands : rlogin, rsh, rcp, ruptime, rwho
  Configuration : /etc/hosts.equiv , ~/.rhosts
  Syntax : user@host
  Authentication is done without password if it succeeded (handy for rcp)
  But security problem : if one listed host is unsecured, the local host is unsecured ! This is because with the r* services authentication scheme, local authentication is based on the remote one.
  So use rsync for file transfer (nothing to do with r* services) or better SSH/SFTP for everything.


Page 33: Unix+Security+Advanced+Admin+ Session2 Feb14

INETD AND XINETD

• Extended Internet services daemon
• Unique daemon that waits for incoming connections for a number of other services and starts the corresponding server (echo, telnet, FTP, r* services… most are standard and/or well-known Unix services – but not all)
• Process : inetd or xinetd (reminder : kill -HUP)
• Startup for xinetd : /etc/init.d/xinetd
• Log by syslog – but configurable
• Old style configuration (inetd) : /etc/inetd.conf (reminder : /etc/services)
• Configuration (xinetd) in : /etc/xinetd.conf and /etc/xinetd.d/* (one config file per service)
• Even though (x)inetd is a mandatory service (think about installing embedded servers with no SSH package installed yet), controlled services are more and more disabled for security reasons …
• … why ? For example, telnet and FTP are sending clear-text passwords !
• Other : installation with core, verbose mode


Page 34: Unix+Security+Advanced+Admin+ Session2 Feb14

TCPWRAPPERS

• Package that secures connections to given well-known services – those handled by (x)inetd for sure, but others too (SSH)…
• …which ones ? For the sshd example :
  # strings -f /sbin/sshd | grep hosts_access
  /usr/sbin/sshd: hosts_access
  (YES ! If no line is returned, no)
• TcpWrappers is transparently inserted between network and service ; adds access control and logging features
• Binary : tcpd – but not a daemon (invoked at connection). This is why there is no service to restart after a configuration modification
• Configuration files : /etc/hosts.allow and /etc/hosts.deny
• Syntax of configuration lines :
  service_list : host_list [ : (command to log) ]
  host_list may be a hostname, a list, an IP address or network, a keyword (ALL, LOCAL) – but never use EXCEPT as shown in documentation
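The evaluation order behind those two files (a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted) is easy to get wrong, and an absent or empty hosts.deny silently means that everything not listed is allowed. The POSIX sh functions below are an added example that is not part of the slides or of the tcp_wrappers package: they evaluate one service/client pair against the two files using the subset of the host_list syntax described above (ALL, LOCAL, exact names or addresses, trailing-dot network prefixes and leading-dot domain suffixes); netmasks, EXCEPT and the optional command field are deliberately not handled. The two sample files written by write_sample_wrappers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: evaluate tcpd's hosts.allow / hosts.deny decision for
# one service and one client.  Supported host_list patterns (assumed
# subset): ALL, LOCAL, exact hostname/address, "192.168.1." prefix,
# ".example.com" suffix.  Netmasks, EXCEPT and the command field are ignored.

# wrap_match_host PATTERN CLIENT -> 0 if the pattern covers the client
wrap_match_host() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot = local name
        *.)    case "$2" in "$1"*) return 0 ;; esac ;;                 # network prefix
        .*)    case "$2" in *"$1") return 0 ;; esac ;;                 # domain suffix
        *)     [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# wrap_list_matches LIST VALUE KIND -> 0 if any comma/space separated
# element of LIST matches VALUE (KIND = service or host)
wrap_list_matches() {
    for _tok in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$3" = host ]; then
            wrap_match_host "$_tok" "$2" && return 0
        elif [ "$_tok" = ALL ] || [ "$_tok" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# wrap_file_matches FILE SERVICE CLIENT -> 0 on the first matching line
# Line syntax from the slide: service_list : host_list [ : command ]
wrap_file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in ''|\#*) continue ;; esac
        _svcs=$(printf '%s' "$_line" | cut -d: -f1)
        _hosts=$(printf '%s' "$_line" | cut -d: -f2)
        if wrap_list_matches "$_svcs" "$2" service &&
           wrap_list_matches "$_hosts" "$3" host; then
            return 0
        fi
    done < "$1"
    return 1
}

# wrap_decide ALLOWFILE DENYFILE SERVICE CLIENT -> prints allow|deny
wrap_decide() {
    if wrap_file_matches "$1" "$3" "$4"; then echo allow
    elif wrap_file_matches "$2" "$3" "$4"; then echo deny
    else echo allow          # tcpd's default when neither file matches
    fi
}

# Constructed sample policy: SSH from the LAN and local names only,
# everything from localhost, everything else refused and logged.
write_sample_wrappers() {
    cat > "$1/hosts.allow" <<'EOF'
# constructed sample
sshd : 192.168.1., LOCAL
ALL : 127.0.0.1
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL : ALL : spawn /usr/bin/logger -t tcpd "refused %d from %c"
EOF
}

# Stand-alone use: sh wrappers.sh --demo
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample_wrappers "$d"
    for c in 192.168.1.20 10.0.0.5 workstation; do
        echo "sshd from $c: $(wrap_decide "$d/hosts.allow" "$d/hosts.deny" sshd "$c")"
    done
    rm -r "$d"
fi
```

The catch-all ALL : ALL line in hosts.deny is what turns the policy into "deny unless allowed"; remove it (or the file) and the same hosts.allow lets every other service through from any host, which the test case with an emptied hosts.deny shows.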


Page 35: Unix+Security+Advanced+Admin+ Session2 Feb14

ROOT LOGIN DEVICES

Kinds of terminals
• console # console
• ttyn (tty1,..) # serial terminals
• vc/n (vc/1,..) # virtual consoles

Where root can directly login to
• Configurable in /etc/securetty

Security
• Should all be disabled (by commenting with #) except console and/or tty1


Page 36: Unix+Security+Advanced+Admin+ Session2 Feb14

WELL-KNOWN SERVICES AND PORTS

Service         Port
FTP             21 (20), 990 (989)
SSH             22
telnet          23, 992
SMTP            25, 992
DNS             53
DHCP (BOOTP)    67 (s), 68 (c)
TFTP            69
HTTP(S)         80, (443)
Kerberos        88, 749, 750
POP-3           110, 995
RPC             111
NTP             123
IMAP            143 (v2), 220 (v3), 993 (v4)
SNMP            161, 162
LDAP            389, 636
LPD             515
NFS             2049, 4045/udp
X11             6000-19, 6063
SMB             445
AD              3268, 3269


Page 37: Unix+Security+Advanced+Admin+ Session2 Feb14

PORT SCANNING

TCP ports scanning
• Normal handshake, port open : SYN, SYN+ACK, ACK
  Normal handshake, port closed : SYN, RST+ACK
  (note : this is logged ! )
• Half-open SYN scan, port open : SYN, SYN+ACK, RST
  Half-open SYN scan, port closed : SYN, RST+ACK
  (note : this may not be logged … but usually is)
• Anyhow, some systems (FW) will think about SYN flooding. So nmap can be used with the -T option to slow down the flood
• Probe = malformed TCP packet (i.e. “FIN” probe with FIN flag set, “XMAS” probe with FIN, URG, PUSH TCP flags set, “NULL” probe with no TCP flag set)
  Stealth TCP scan, port open : TCP probe, no response (this is garbage)
  Stealth TCP scan, port closed : TCP probe, RST+ACK
  (notes : also named inverse TCP flag ; Windows does not respect the standard and does not send RST from a closed port ; nmap can use options for each kind of probe : -sF, -sX, -sN)
• Some other techniques : analysis of ACK probe, TTL field, window field

UDP ports scanning
• UDP probe, port open : UDP probe, no response
  UDP probe, port closed : UDP probe, ICMP dest port unreachable
  (note : nmap can use option -sU)
• Using specific UDP service clients to test the server – not realistic for a large number of ports


Page 38: Unix+Security+Advanced+Admin+ Session2 Feb14

REMINDER : NETWORK

• TCP/IP layers :
  application : telnet, NFS, DNS, FTP, SSH
  transport : TCP, UDP
  internet (OSI network) : IP, ICMP
  network access : Ethernet, ARP
• MAC address 48 bits – first 24 are the OUI (Organizationally Unique Identifier)
• Service = transport protocol (TCP or UDP) + port
  /etc/protocols – associates internet protocol (OSI network layer) and protocol identifier
  /etc/services – associates transport protocol (transport layer) and port number
• IPv6 : 128-bit address (first 48 for the ISP (FAI) – end for MAC)
  Compatible IPv4 (::FFFF:a.b.c.d), loopback is ::1, broadcast is FF02::1
  http://www.potaroo.net/tools/ipv4/index.html


Page 39: Unix+Security+Advanced+Admin+ Session2 Feb14

TCP/IP NETWORK PROTOCOLS MAP (from RADCOM website)


(Attached PDF file, available from RADCOM at www.radcom.com)

Page 40: Unix+Security+Advanced+Admin+ Session2 Feb14

TCP/IP NETWORK PROTOCOLS MAP (from protocol.com website)


Page 41: Unix+Security+Advanced+Admin+ Session2 Feb14

TCP STATE MACHINE


Page 42: Unix+Security+Advanced+Admin+ Session2 Feb14

TOOL: WIRESHARK - 1

• Other well-known : tcpdump (we’ll see it later)
• Wireshark can import tcpdump dump files and snoop (Sun) dump files
• Open-source and modular conception – you can add your own decoder
• Related to sniffing, but many other obscure tools are used in real life by hackers
• Promiscuous mode – i.e. listen to all frames on the LAN (libpcap needed – WinPcap for Windows environment)
• Can be used in text mode without GUI – but not recommended (in line mode use tcpdump instead, with the -o option to export the dump to Wireshark)
• Configurable columns (Edit, Preferences)
• Filtering : when capturing (lot of options) or viewing (also…) – can work as a ring buffer with triggers
• Important options :
  Resolutions : MAC, network, transport – network resolution should be avoided as it creates new traffic
  Fragmented IP – reassembled by default but configurable (Edit, Preferences, IP protocol options)
  Analyze, Follow TCP stream : useful to present a TCP session in one window
• Rich statistics options
• Rich export and presentation options


Page 43: Unix+Security+Advanced+Admin+ Session2 Feb14

TOOL: WIRESHARK - 2

FIELD               TYPE               MEANING
ip.addr             IPv4 address       Source or destination IP address
ip.dst              IPv4 address       Destination IP address
ip.flags.df         Boolean            Don’t fragment flag
ip.ttl              Unsigned integer   Time to live
http.request        Boolean            HTTP request
icmp.type           Unsigned integer   ICMP command type
ftp.response.data   Character string   FTP data
dns.response        Boolean            DNS response

FILTER                                         MEANING
ip.addr == 192.168.10.2                        All packets coming from or going to 192.168.10.2 host
(ip.addr == 192.168.10.2) && (dns.response)    All packets coming from or going to 192.168.10.2 host which are DNS responses

Page 44: Unix+Security+Advanced+Admin+ Session2 Feb14

REMINDER : FILES

• In Unix everything is a file (IO from files or from peripherals are the same)
• In Unix, a file belongs to a user AND to a group (no mandatory relationship between both) ; a user can belong to many groups ; so, giving access to a set of files or commands belonging to a group is done by adding the user to the group
• When a file is created, it belongs to the user who created it and to his group – except if the upper directory is setgid (BSD style)
• Commands : chown [-R], chgrp, chmod
• Access rights for files (directories) :
  r read (can ls it), w write (can delete/rename files into it), x execute (can cd into it)
  (to be executable, a shell script needs rx, a binary only x)
• umask 022 command in profile files to set permissions of new files
• Special access :
  t sticky bit (can write to a dir but not delete other users’ files ; /tmp)
  s setuid bit (set resource access of the process to the owner and not to the one that runs it)
  s setgid bit (for a file, set resource access of the process to the owning group and not the one that runs it – for a dir, see above)
  find / [-user root] -xdev -perm {-4000 | -2000}
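The find command above (and the one on the processes slide) lists setuid and setgid files; what a sysadmin actually wants is to be told when that list changes, since a new privileged file is how a rootkit or a badly packaged tool shows up. The shell functions below are an added example, not from the slides: snapshot_setuid turns the slide's find predicate into a sorted "mode owner path" baseline and compare_setuid reports files that appeared in or disappeared from that set. make_demo_tree builds a constructed directory tree so the example runs without touching the real system; on a live host the root would be / and the baseline kept off-box.

```shell
#!/bin/sh
# Added example: baseline and compare the setuid/setgid files of a tree.

# snapshot_setuid ROOT -> sorted "mode owner path" lines on stdout
# (same predicate as the slide: -xdev, -perm -4000 or -perm -2000)
snapshot_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r _f; do
        set -- $(ls -ld "$_f")            # $1 = mode string, $3 = owner
        printf '%s %s %s\n' "$1" "$3" "$_f"
    done | sort
}

# compare_setuid BASELINE CURRENT -> prints NEW:/GONE: lines,
# exit 0 when identical, 1 when the set of privileged files changed
compare_setuid() {
    _changes=$( {
        comm -13 "$1" "$2" | sed 's/^/NEW:  /'       # only in CURRENT
        comm -23 "$1" "$2" | sed 's/^/GONE: /'       # only in BASELINE
    } )
    [ -z "$_changes" ] && return 0
    printf '%s\n' "$_changes"
    return 1
}

# make_demo_tree DIR -> constructed tree: two privileged files, one plain
make_demo_tree() {
    mkdir -p "$1/bin" "$1/sbin"
    : > "$1/bin/ping";  chmod 4755 "$1/bin/ping"     # setuid
    : > "$1/bin/cat";   chmod 0755 "$1/bin/cat"      # ordinary
    : > "$1/sbin/wall"; chmod 2755 "$1/sbin/wall"    # setgid
}

# Stand-alone use: sh setuid_baseline.sh --demo
if [ "${1-}" = "--demo" ]; then
    root=$(mktemp -d); make_demo_tree "$root"
    snapshot_setuid "$root" > "$root.base"
    : > "$root/bin/newsuid"; chmod 4755 "$root/bin/newsuid"   # simulate a new setuid file
    snapshot_setuid "$root" > "$root.now"
    compare_setuid "$root.base" "$root.now"
    rm -r "$root" "$root.base" "$root.now"
fi
```

Because the baseline lines carry the mode string and owner, a file whose bits or ownership changed shows up as one GONE: line and one NEW: line for the same path, which is exactly the case a chmod by an intruder would produce.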


Page 45: Unix+Security+Advanced+Admin+ Session2 Feb14

SERVICES- COMPLEMENTS

• Commands : init 0, init 6, init s, ps -ef, kill -<signal>, pgrep, pkill, <service-script> start|stop|restart (service startup script)
• Command chkconfig (specific to Fedora) :
  usage: chkconfig --list [name]
         chkconfig --add <name>
         chkconfig --del <name>
         chkconfig --override <name>
         chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>
  chkconfig header in startup scripts
• And finally, the system-config-services GUI applet, specific to Linux
• Command service and semi-graphical GUI sysvconfig, both specific to Debian


Page 46: Unix+Security+Advanced+Admin+ Session2 Feb14

NETWORK COMMANDS

• hostname (nodename)
• ifconfig
• ping
• arp [-n] [-a] ...
• netstat [-rn] ...
• route [add | del ] ...
• traceroute
• nslookup, dig


Page 47: Unix+Security+Advanced+Admin+ Session2 Feb14

NAME RESOLUTION AND ROUTING

Name resolution
• /etc/hosts – name resolution (eventually distributed by NIS, but to be avoided)
• /etc/resolv.conf – domain definition and name servers location (suppression will deactivate DNS resolution)
• /etc/hosts.conf – name services switch (or /etc/nsswitch.conf)

Routing
• On a LAN (hubs) no routing necessary
• On small networks, static routes may be necessary
• On large networks (WAN), dynamic routing is handled by the routed and gated daemons (support of RIP, OSPF, BGP, EGP)
• On Linux, static routes may be defined in /etc/sysconfig/static-routes


Page 48: Unix+Security+Advanced+Admin+ Session2 Feb14

NETWORK FILES: DHCP AS EXAMPLE

Interface config
  Linux : /etc/sysconfig/network-scripts/ifcfg_eth0 ; /etc/sysconfig/network
  Solaris : /etc/hostname.hme0 ; /etc/init.d/network

Startup script
  Linux : /etc/init.d/network (/sbin/ifup)
  Solaris : /etc/init.d/network

DHCP activation
  Linux : BOOTPROTO=’dhcp’ in /etc/sysconfig/network-scripts/ifcfg_eth0
  Solaris : touch /etc/dhcp.hme0 ; config in /etc/default/dhcpagent

Daemon
  Linux : dhcpd
  Solaris : dhcpagent

Client lease file
  Linux : /etc/dhcp/dhcpd-eth0.info
  Solaris : /etc/dhcp/hme0.dhc


Page 49: Unix+Security+Advanced+Admin+ Session2 Feb14

Sun xVM VirtualBox - 1

• VirtualBox release 2.1.2 found at www.virtualbox.org (accept installation of USB and network drivers)
  Host and guest concepts, see manual
  Guest additions concept
• Fedora 10 found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso, 32 bits although 64 supported by xVM, English edition, installable Live CD)


Page 50: Unix+Security+Advanced+Admin+ Session2 Feb14

Sun xVM VirtualBox - 2

• Installation procedure (example is Fedora)
  New machine ; choose OS, select memory size (2 GB but less than host !), add virtual disk (fixed, 10 GB).
  Mount OS ISO local file as CD/DVD-ROM
  Start !... (ignore both messages – no additions installed yet)
  When started, use Install on hard disk icon. Select French keyboard.
  Shut down, unmount CD/DVD and restart.
  Upgrade system and application packages (Yum).
  Install dkms package (Dynamic Kernel Module Support Framework).
  Install GNU make, gcc packages.
  Mount Guest Additions ISO with Devices, Install Guest Additions xVM menu.
  Run Sun’s script (cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run)
  Restart.


Page 51: Unix+Security+Advanced+Admin+ Session2 Feb14

Sun xVM VirtualBox - 3

• Installation procedure particularities for Debian 4
  Installation of small image via Internet.
  Disk partitioning without LVM, one root partition.
  Desktop and system packages.
  Synaptic Package Manager used for package installation : make, gcc and kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686 ; check release with command uname -a).


Page 52: Unix+Security+Advanced+Admin+ Session2 Feb14

REMOTE ACCESS TO SYSTEM

• Xming XLaunch utility
• But otherwise, X specific, “exporting display” :
  Run your X server on the PC (nothing required if PuTTY is used because the X protocol is encapsulated in SSH - port 22 ; otherwise, ports XDMCP 177 and 6000 should be opened)
  Then, on the client :
  setenv DISPLAY server:0.0
  echo $DISPLAY
• PuTTY


Page 53: Unix+Security+Advanced+Admin+ Session2 Feb14

REDHAT PACKAGE MANAGER COMMANDS

# rpm -qa | grep <package-search-string>    Get package name
# rpm -ql <package-name>                     List files included in package
# rpm -qc <package-name>                     List configuration files included in package
# rpm -qR <package-name>                     List required dependent packages
# rpm -qi <package-name>                     Information on package


Page 54: Unix+Security+Advanced+Admin+ Session2 Feb14

USEFUL LINKS

http://www.dwheeler.com/secure-programs/ Secure Programming for Linux and Unix HOWTO
www.cpan.org Perl packages and more
http://www.sun.com/software/security/jass Sun’s JASS Solaris Security Toolkit
http://www.digilife.be/quickreferences/quickrefs.htm Quick Reference Cards – useful for those related to Unix
http://www.cert.org/cert/ CERT – Security information
http://www.auscert.org.au/5816 AusCERT – Unix and Linux Security Checklist v3.0
http://www.protocols.com/pbook/tcpip1.htm#MAP RADCOM protocols.com web site (protocols map)


Page 55: Unix+Security+Advanced+Admin+ Session2 Feb14

BIBLIOGRAPHY

Unix System Administration Handbook – Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein – Prentice Hall
English. Third edition 2001. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD). 854 p.

Essential System Administration – Aeleen Frisch – O’Reilly
English, but French version available (Les bases de l’administration système). Third edition 2002. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD, Tru64). 1172 p.

TCP/IP Illustrated, volume 1 – Richard Stevens – Addison-Wesley
English, but French version available (TCP/IP illustré - Vuibert). A must for TCP/IP matters. No OS privileged but Unix foundations. 592 p.

TCP/IP Network Administration – Craig Hunt – O’Reilly
English, but French version available. Third edition 2002. Covers RedHat and Solaris. 772 p.

Network Security Assessment – Chris McNab – O’Reilly
English. Second edition 2007. Covers Unix and Windows from the network services breaches perspective. 478 p.

GNU/Linux Fedora, Spécial Sécurité – Huet-Verhille – ENI Editions
French. First edition 2007. Focuses on Fedora (as it is a natively secured OS). 342 p. 39 €. Recommended for this course


Page 56: Unix+Security+Advanced+Admin+ Session2 Feb14

WINDOWS TOOLS USED DURING THIS SESSION

Wireshark (prev. Ethereal), network protocol analyzer http://www.wireshark.org

PuTTY, SSH client http://www.chiark.greenend.org.uk/~sgtatham/putty/

Xming, PC X server http://www.straightrunning.com/XmingNotes/

VirtualBox, virtualization http://www.virtualbox.org/

EasyBCD, Windows Vista bootloader utility http://neosmart.net/

Apache JMeter, HTTP workbench http://jakarta.apache.org/jmeter/
