L120: Linux System Administration II




Basic Security



Prerequisites


    • None

Goals


    • Overview of local and network security issues

    • Understand the secure shell

    • Configure a NTP server

1. Local Security



The BIOS
If anyone has access to a rescue disk or a Linux disk that boots from a floppy or a CD-ROM, it is extremely easy to gain read access to any file on the system. To prevent this the BIOS should be set to boot only from the hard drive. Once this is done, set a password on the BIOS.
File permissions
To limit the damage an attacker can cause, it is recommended to take the following steps.

1) Make vital system tools immutable, or logfiles append-only:




chattr +i /bin/login

chattr +i /bin/ps

chattr +a /var/log/messages

2) Make directories /tmp and /home nosuid or noexec:




Lines to be changed in /etc/fstab

/tmp /tmp ext2 nosuid 1 2

/home /home ext2 noexec 1 2

3) Find all files on the system that don't belong to a user or a group, and list all SUID files:

find / -nouser -o -nogroup

find / -perm +4000

NOTE: newer versions of GNU find no longer accept the +4000 form; use find / -perm /4000 instead.


Log Files
The main logs are
/var/log/messages : contains information logged by the syslogd daemon
/var/log/secure : contains information on failed logins, added users, etc.
The last tool lists all successful logins and reboots. The information is read from the /var/log/wtmp file.
The who and w tools list all users currently logged onto the system using the /var/run/utmp file.

User Limits


When the /etc/nologin file is present (it can be empty) it will prevent all users from logging in to the system (except the user root). If the nologin file contains a message, this will be displayed after a successful authentication.
In the /etc/security/ directory is a collection of files that allow administrators to limit user CPU time, maximum file size, maximum number of connections, etc.
/etc/security/access.conf : disallow logins for groups and users from specific locations.
/etc/security/limits.conf
The format of this file is

<domain> <type> <item> <value>

domain : a user name, or a group name (with @group)

type : hard or soft

item : one of
    core - limits the core file size (KB)
    data - max data size (KB)
    fsize - maximum file size (KB)
    memlock - max locked-in-memory address space (KB)
    nofile - max number of open files
    cpu - max CPU time (MIN)
    proc - max number of processes
    as - address space limit
    maxlogins - max number of simultaneous logins for this user
    priority - the priority to run user processes with
    locks - max number of file locks the user can hold


2. Network Security

In this section we break network security down into host-based security and port-based security.


Host Based Security
Access to resources can be granted based on the host requesting the service. This is handled by tcp_wrappers. The libwrap library also known as tcp_wrappers provides host based access control lists for a variety of network services. Many services, such as xinetd, sshd, and portmap, are compiled against the libwrap library thereby enabling tcp_wrapper support for these services.
When a client connects to a service with tcp_wrapper support, the /etc/hosts.allow and /etc/hosts.deny files are parsed to check the host requesting the service. Based on the outcome the service will either be granted or denied.
The hosts_access files have 2, optionally 3, colon-separated fields. The first field is the name of the process; the second is the fully qualified host name, a domain name with a "leading dot", an IP address, or a subnet with a "trailing dot". Wildcards like ALL and EXCEPT are also accepted.
The syntax for the /etc/hosts.{allow | deny} file is as follows:


service : hosts [EXCEPT] hosts

Example:



/etc/hosts.deny

ALL: ALL EXCEPT .example.com


/etc/hosts.allow

ALL: LOCAL 192.168.0.

in.ftpd: ALL

sshd: .example.com



Tcp_wrappers can run a command locally upon a host match in the hosts_access files.

This is accomplished with the spawn command. With the use of the % character, substitutions can be made for the host name and the service.
Example:


/etc/hosts.deny
ALL: ALL : spawn (/bin/echo `date` from %c for %d >> /var/log/tcpwrap.log)

For more information on the use of % substitutions see the hosts_access(5) man page.
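The allow/deny decision described above, as an added example that is not part of the course text: a small POSIX sh simulation of the hosts_access(5) lookup (hosts.allow first, then hosts.deny, otherwise allow) so that a draft pair of files can be checked before deployment. It handles only the forms named in the text (ALL, LOCAL, EXCEPT, ".domain" suffixes, "net." prefixes, exact names), ignores a spawn field, and uses constructed sample files written to a scratch directory.

```shell
#!/bin/sh
# Added example: simplified hosts_access(5) decision for one service/client.
# Only ALL, LOCAL, EXCEPT, ".domain", "net." and exact names are supported.

pattern_matches() {   # pattern_matches PATTERN NAME
    pat=$1; name=$2
    case "$pat" in
        ALL)   return 0 ;;
        LOCAL) case "$name" in *.*) return 1 ;; *) return 0 ;; esac ;;
        .*)    case "$name" in *"$pat") return 0 ;; esac ;;  # domain suffix
        *.)    case "$name" in "$pat"*) return 0 ;; esac ;;  # network prefix
        *)     [ "$pat" = "$name" ] && return 0 ;;
    esac
    return 1
}

list_matches() {      # list_matches "a b EXCEPT c" NAME
    hit=1; after=0
    for tok in $1; do
        [ "$tok" = EXCEPT ] && { after=1; continue; }
        if pattern_matches "$tok" "$2"; then
            [ $after -eq 1 ] && return 1   # excluded by the EXCEPT part
            hit=0
        fi
    done
    return $hit
}

file_matches() {      # file_matches FILE SERVICE CLIENT
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        svcs=${line%%:*}; rest=${line#*:}; hosts=${rest%%:*}   # 3rd field ignored
        list_matches "$svcs" "$2" && list_matches "$hosts" "$3" && return 0
    done < "$1"
    return 1
}

hosts_access() {      # hosts_access ALLOWFILE DENYFILE SERVICE CLIENT
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow; fi   # no match in either file: access is granted
}

# Constructed sample files (the example pair from the text) in a scratch dir.
dir=$(mktemp -d)
printf 'ALL: ALL EXCEPT .example.com\n' > "$dir/hosts.deny"
printf 'ALL: LOCAL 192.168.0.\nin.ftpd: ALL\nsshd: .example.com\n' > "$dir/hosts.allow"
hosts_access "$dir/hosts.allow" "$dir/hosts.deny" sshd 10.0.0.8
```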



Port Based Security
With packet filtering functionality built into the Linux kernel, it is possible to limit access to resources by creating rulesets with utilities such as ipchains and iptables, which are able to evaluate a packet entering any of its network interfaces. The rules determine what happens to each packet.

Iptables has the following options



-A Append rule to a chain

-D Delete a rule

-P Change the default Policy for a chain

-I Insert

-F Flush the rules(s) in a chain

-N Create a user defined chain

-X Delete a user defined chain

-L List


Filtering rules (decisions to allow or deny a packet, etc.) have been separated from packet alteration operations (network address translation (NAT), etc.). This has been achieved by introducing independent tables: each table is assigned a specific role, contains its own built-in chains and may also contain user-defined chains.


Figure: The Netfilter kernel framework for iptables
Iptables has three tables each containing the following built-in chains:
filter: this table is the default and deals with filtering rules using its built-in chains INPUT, OUTPUT and FORWARD
nat: only network address translation (NAT) operations are defined in this table. The built-in chains are PREROUTING, POSTROUTING and INPUT
mangle: this table handles packet alterations other than natting. There are two built-in chains PREROUTING and OUTPUT.
NOTICE: the built-in chains for iptables are all in UPPERCASE!!

TARGETS: Different targets are valid depending on the table.
Valid targets for the filter table are DROP, REJECT, ACCEPT or MIRROR.

Valid targets for the nat table are REDIRECT (in the PREROUTING and OUTPUT chains),

MASQUERADE (in the POSTROUTING chain),

DNAT (in the PREROUTING and OUTPUT chains) and

SNAT (in the POSTROUTING and OUTPUT chains).
Example: All packets from 192.168.0.254 will be logged and denied


iptables -A INPUT -s 192.168.0.254 -j LOG

iptables -A INPUT -s 192.168.0.254 -j DROP



POLICY: The iptables chain policy can be set to either DROP, ACCEPT or MIRROR


Example: The default policy is set to drop all packets


iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT DROP




-- more background
With the development of the 2.4 Linux kernel came the development of the Netfilter project, which uses the iptables utility to manage firewall rules. Another major difference between iptables and ipchains is that iptables has support for evaluating the packets based on their state in terms of other packets that have passed through the kernel. It is this stateful packet evaluation that makes iptables far superior.


Example: 1) Deny all packets on the INPUT chain (DENY is an ipchains target; the iptables policy that drops packets is DROP):

iptables -P INPUT DROP

2) Accept established connections that have been initiated by the host:

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT



Example: A Basic script that will work as a gateway. Here are the highlights:
- allow IP forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward
- masquerade:

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
- allow connections to port 80 ONLY:

$IPTABLES -A INPUT -p TCP -i $INET_IFACE -m state --state NEW --dport http -j ACCEPT



#!/bin/sh
# Variables
IPTABLES="/sbin/iptables"
LAN_IFACE="eth0"
INET_IFACE="eth1"
INET_IP="1.2.3.4"
LOCALHOST_IP="127.0.0.1/32"
LAN_IP="192.168.0.1/32"
LAN_BCAST="192.168.0.0/24"

# Setup IP Masquerading
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# Specify the default policy for the built in chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Specify INPUT Rules
# Accept everything that does not arrive on the Internet interface (loopback
# and the LAN); "! -i" is the interface negation syntax accepted by iptables.
$IPTABLES -A INPUT ! -i $INET_IFACE -j ACCEPT
# Only new connections to port 80 are accepted from the Internet
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -m state --state NEW --dport http -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Specify FORWARD Rules
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Specify OUTPUT Rules
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT




3. The Secure Shell

The secure shell is a secure replacement for telnet and remote tools like rlogin, rsh and rcp. The daemon sshd is started on the server using the rc-script /etc/init.d/sshd. The ssh service uses port 22 and clients connect using the ssh tool.

Host Authentication
With ssh both the host and the user authenticate. The host authentication is done by exchanging keys. The host's public and private keys are usually kept in /etc/ssh if you are using OpenSSH. Depending on the protocol used the host key file will be called ssh_host_key for Protocol 1 and ssh_host_rsa_key or ssh_host_dsa_key for Protocol 2. Each of these keys has a corresponding public key, for example ssh_host_key.pub.
When an ssh client connects to a server, the server will present its host public key. At this stage the user will be prompted with something like this:

The authenticity of host 'neptune (10.0.0.8)' can't be established.

RSA key fingerprint is 8f:29:c2:b8:b5:b2:e3:e7:ec:89:80:b3:db:42:07:f4.

Are you sure you want to continue connecting (yes/no)?

If you accept to continue the connection the server’s public key will be added to the local $HOME/.ssh/known_hosts file.

User Authentication (using passwords)


Then the user is prompted for the password for his account on the remote server and logs in.

User Authentication (using keys)


The user authentication can also involve swapping keys. For this the user will need to generate a pair of private/public keys. For example:


ssh-keygen -t dsa -b 1024

will generate a 1024 bit DSA key. By default these keys will be saved in $HOME/.ssh and in this example are called id_dsa and id_dsa.pub. (Current OpenSSH releases disable DSA keys by default, so on a modern system use -t rsa or -t ed25519 instead.)


If we assume we have an id_dsa.pub key we can 'plant' this key on a remote account and avoid typing passwords for further connections. To do this we need to copy the content of the file id_dsa.pub into a file called authorized_keys2 kept in the remote $HOME/.ssh directory. (Current OpenSSH reads $HOME/.ssh/authorized_keys by default and still accepts authorized_keys2 for compatibility.)



WARNING

All private keys in /etc/ssh/* and ~/.ssh/* should have a permission of 600
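Planting a public key and checking the permission rule in the WARNING, as an added example that is not part of the course text: a POSIX sh script with two hypothetical helpers, install_pubkey (appends a key once to $HOME/.ssh/authorized_keys2 with a 700 directory and 600 file) and audit_private_keys (lists private keys that are not mode 600). The home directory and key contents are constructed demo data, and the key file names are the ones used in the text.

```shell
#!/bin/sh
# Added example: plant a public key and audit private-key permissions.
# Assumes GNU/BSD find (-maxdepth) and a writable temporary directory.

install_pubkey() {    # install_pubkey PUBKEYFILE HOMEDIR
    pub=$1; ssh_dir=$2/.ssh; auth=$ssh_dir/authorized_keys2
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"      # sshd refuses world-writable dirs
    touch "$auth" && chmod 600 "$auth"
    # append only if this exact key line is not already present
    if ! grep -qxF "$(cat "$pub")" "$auth"; then
        cat "$pub" >> "$auth"
    fi
}

audit_private_keys() {   # audit_private_keys DIR -> 0 if all keys are mode 600
    bad=$(find "$1" -maxdepth 1 -type f \
        \( -name 'id_*' -o -name identity -o -name 'ssh_host_*key' \) \
        ! -name '*.pub' ! -perm 600)
    [ -z "$bad" ] && return 0
    printf 'insecure private key (should be 600): %s\n' $bad
    return 1
}

count_keys() {           # count_keys HOMEDIR -> number of authorized keys
    wc -l < "$1/.ssh/authorized_keys2" | tr -d ' '
}

# Constructed demo account: a fake DSA key pair, private key left at 644.
home=$(mktemp -d)
mkdir "$home/.ssh"
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed== user@example.com\n' > "$home/.ssh/id_dsa.pub"
printf 'constructed fake private key\n' > "$home/.ssh/id_dsa"
chmod 644 "$home/.ssh/id_dsa"

install_pubkey "$home/.ssh/id_dsa.pub" "$home"
install_pubkey "$home/.ssh/id_dsa.pub" "$home"   # second run must not duplicate
echo "authorized keys: $(count_keys "$home")"
audit_private_keys "$home/.ssh" || echo "fix with: chmod 600 $home/.ssh/id_dsa"
```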

sshd configuration file


Sample /etc/ssh/sshd_config file:
#Port 22

#Protocol 2,1

#ListenAddress 0.0.0.0

#ListenAddress ::


# HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

ssh configuration file


Sample /etc/ssh/ssh_config or $HOME/.ssh/config file:
# Host *

# ForwardX11 no

# RhostsAuthentication no

# RhostsRSAAuthentication no

# RSAAuthentication yes

# PasswordAuthentication yes

# HostbasedAuthentication no

# CheckHostIP yes

# IdentityFile ~/.ssh/identity

# IdentityFile ~/.ssh/id_rsa

# IdentityFile ~/.ssh/id_dsa

# Port 22

# Protocol 2,1

# Cipher 3des





NOTICE

The sshd daemon has been compiled with libwrap. We can see this with the following:




ldd /usr/sbin/sshd | grep wrap

libwrap.so.0 => /usr/lib/libwrap.so.0 (0x0075f000)




This means that sshd is a valid entry for /etc/hosts.allow or /etc/hosts.deny.

4. Time Configuration


The System date

The system date can be changed with the date command. The syntax is:

date MMDDhhmmCCYY[.ss]

The Hardware Clock

The hardware clock can be directly changed with the hwclock utility. The main options are:

-r or --show prints the current time

-w or --systohc set the hardware clock to the current system time

-s or --hctosys set the system time to the current hardware clock time

Time Zones

In addition to UTC time some countries apply "daylight saving" policies which add or remove an hour at a given date every year. These policies are available on a Linux system in /usr/share/zoneinfo/. By copying the appropriate zone file to /etc/localtime one can enforce a particular zone policy.

For example if we copy /usr/share/zoneinfo/Hongkong to /etc/localtime, the next time we run date it will give us the time in Hong Kong. This is because date reads /etc/localtime each time it is run.

Using NTP

Coordinated Universal Time (UTC) is a standard used to keep track of time based on the Earth's rotation about its axis. However, because of slight irregularities in the rotation, leap seconds need to be inserted into the UTC scale using atomic clocks.

Since computers are not equipped with atomic clocks the idea is to use a protocol to synchronize computer clocks across the Internet. NTP stands for Network Time Protocol and is one such protocol.

Computers that are directly updated by an atomic clock are called primary time servers and are used to update a larger number of secondary time servers. This forms a tree structure similar to the DNS structure. The root servers are on the first level or stratum, the secondary servers on the second, and so on.



Configuring a client to query an NTP server:

An NTP daemon called ntpd is used to regularly query a remote time server. All that is needed is a server entry in /etc/ntp.conf pointing to a public or corporate NTP server. Public NTP servers can be found online.

The NTP protocol can also estimate the frequency errors of the hardware clock from a sequence of queries, this estimate is written to a file referred to by the driftfile tag.


Minimal /etc/ntp.conf file

server ntp2.somewhere.com

driftfile /var/lib/ntp/drift

NOTICE: on some systems the driftfile tag is pointing to /etc/ntp.drift or /etc/ntp/drift.

Once ntpd is started it will itself be an NTP server providing services on port 123 using UDP.



One off queries:

The ntp package also provides the ntpdate tool which can be used to set the time from the command line:



ntpdate ntp2.somewhere.com


5. Exercises and Summary




Files

/etc/fstab : noexec is a mount option which prevents any executable from being run from the device; nosuid is a mount option which prevents the SUID and SGID bits from taking effect (see LPI101)
/etc/localtime : contains the time zone policy used to determine the system time (with date)
/etc/ntp.conf : configuration file for the NTP daemon ntpd
/etc/ntp.drift or /etc/ntp/drift : file used by ntpd to keep track of the hardware clock drift
/etc/security/access.conf : file used to grant or deny access based on the user's name and the origin (local tty or remote host). One can also specify a NIS group using the @group notation
/etc/security/limits.conf : file used to impose resource limits on login (see the file itself for details)
/etc/ssh : directory containing configuration files for both the ssh client and the sshd server
/usr/share/zoneinfo/ : collection of time zone files. Depending on the user's location one of these files is copied to /etc/localtime
/var/log/messages : the main system log file
/var/log/secure : log file containing information about failed logins or user accounts
/var/log/wtmp : the wtmp file records all logins and logouts
/var/run/utmp : the utmp file allows one to discover information about who is currently using the system (see utmp(5)). There may be more users currently using the system than listed, because not all programs use utmp logging
$HOME/.ssh : directory containing known_hosts, authorized_keys2, id_dsa and id_dsa.pub
authorized_keys2 : contains a list of public keys from remote users that are authorised to use this account (via ssh)
id_dsa : the user's private key used during the user authentication process of an ssh session
id_dsa.pub : the user's public key used during the user authentication process of an ssh session; this key must be present in the authorized_keys2 file of the account one is attempting to ssh to
known_hosts : list of server public keys used for host authentication
ssh_config : configuration file for ssh
sshd_config : configuration file for sshd

Commands

chattr : change file attributes on an ext2/3 filesystem (see chattr(1) for details)
date : print or set the system time
hwclock : query or set the hardware clock
ipchains : the packet filtering utility that preceded iptables (see Port Based Security)
iptables : administration tool for IPv4 packet filtering and NAT (see iptables(8))
last : searches back through the file /var/log/wtmp and displays a list of all users logged in (and out) since that file was created. The pseudo user reboot logs in each time the system is rebooted, so last reboot will show a log of all reboots since the log file was created (see last(1))
ntpd : the NTP daemon
ntpdate : sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the server arguments to determine the correct time. It must be run as root on the local host (see ntpdate(1))
ssh : program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel (see ssh(1))
ssh-keygen : generates, manages and converts authentication keys for ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2 (see ssh-keygen(1))
sshd : daemon program that listens for ssh connections from clients. It is normally started at boot from /etc/rc. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange (see sshd(8))
who : show who is logged on (see who(1))

