COSC 316 COMPUTER HOSTS SECURITY - PowerPoint PPT Presentation

Slides: 30
Provided by: DrRo9

Transcript and Presenter's Notes

1
COSC 316 COMPUTER HOSTS SECURITY
  • SOUNDARARAJAN EZEKIEL
  • COMPUTER SCIENCE DEPARTMENT
  • INDIANA UNIVERSITY OF PENNSYLVANIA
  • INDIANA, PA 15705

2
Part III Network and Internet Security, Chapter
12 Securing TCP and UDP Services
  • We will talk about
  • Understanding Unix Internet Servers and Services
  • Controlling Access to Servers
  • Primary Unix Network Services
  • Managing Services Securely

3
Chapter 12 Securing TCP and UDP Services
  • Connecting a Unix computer to the Internet is not
    an action that should be taken lightly
  • Before you place a Unix computer on the Internet,
    you must make certain that it has no known
    security problems
  • Otherwise, your machine will be identified,
    broken into and compromised before you even have
    a chance to download the latest software
  • There are two ways to assure the security of a
    Unix system
  • Install the OS on a machine that is not yet
    connected to the network, use a second computer
    to download the vendor's patches, then copy them
    to the first machine
  • Install the OS on a spare, little-used machine
    first and search for published security issues
    affecting that release; only after you have
    patched whatever you find should the same build
    go onto the machine you intend to expose

4
Understanding Unix Internet Servers and Services
  • Most Unix network services are provided by
    individual programs called servers
  • For a server to operate, it must be assigned a
    protocol (TCP or UDP), be assigned a port number,
    and somehow be started
  • The /etc/services file is a small local database
    that is part of the Unix OS. For each service it
    specifies the service's well-known port number and
    notes whether the service is available over TCP or
    UDP
  • This file can be replaced by a distributed
    database system such as NIS, NIS+, NetInfo or DCE

5
Continue
  • getservbyname() - most Unix servers determine
    their port numbers by looking up the service in
    the /etc/services file using this library call
  • Some network servers bypass this function call
    and simply hardcode the port number into their
    program
  • Ports cannot be trusted - ports in the range
    0-1023 are called trusted (privileged) ports.
    Their assignments are standardized, and only the
    superuser can start a server listening on one of
    these ports or originate a connection to a remote
    server using one of them as the source port. A
    connection from a low port therefore proves only
    that the remote process is privileged on its own
    machine, which says nothing about whether that
    machine itself can be trusted

6
Starting the Servers
  • There are fundamentally 2 kinds of network
    servers on a Unix system
  • Servers that are always running - these servers
    are started automatically when the OS starts up.
    Servers started at boot time are usually the
    servers that must provide rapid responses to
    user requests or must handle many network
    requests from a single server process, for
    example nfsd (the Network File System daemon),
    httpd (the Apache web server) and sendmail
  • Servers that are run only when needed - these
    servers are usually started from inetd, the Unix
    Internet daemon, and handle a single request
    each. inetd is a flexible program that can listen
    on dozens of Internet ports and automatically
    start the appropriate daemon as needed

7
The inetd program
  • Originally, BSD Unix set a different server
    program running for every network service. As
    the number of services grew in the mid 80s, Unix
    systems had more and more server programs
    sleeping in the background, waiting for network
    connections
  • inetd is run at boot time as part of the startup
    procedure. When it starts executing, it examines
    the contents of the /etc/inetd.conf file to
    determine which network services it is supposed
    to manage

8
  • A sample line from an inetd.conf file
  • ftp stream tcp nowait root /usr/sbin/ftpd
    ftpd
  • Each line contains at least 6 fields, separated
    by spaces or tabs
  • Service name - ftp, telnet, ...
  • Socket type - indicates whether the service
    expects to communicate via a stream or on a
    datagram basis
  • Protocol type - TCP or UDP
  • Wait/nowait - if the entry is wait, the single
    server process is expected to handle all
    subsequent connections or datagrams received on
    the socket. If nowait is specified, inetd starts
    a new server process for each additional
    datagram or connection request received
  • User - specifies the username (and hence UID)
    the server process will run as, for example root
    (UID 0), daemon (UID 1) or an unprivileged
    account such as nobody
  • Command name and arguments - specifies the
    command to execute and the arguments passed to
    it, starting with argv[0]
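
The /etc/services lookup from slide 5 and the inetd.conf fields above are both line-oriented text formats, so a single script can audit them together. The following Python program is an added example, not part of the slides: it parses constructed samples of both files, resolves each enabled inetd service to its port the way getservbyname() would, and flags entries that run as root or enable one of the services this chapter describes as unprotected (telnet, tftp, finger, rexec, rlogin, rsh, systat, echo, chargen). The sample file contents, the RISKY set and the names of the checks are this example's own choices.

```python
"""Audit inetd.conf entries against /etc/services.

Added example (not from the slides). SERVICES_SAMPLE and INETD_SAMPLE are
constructed stand-ins for /etc/services and /etc/inetd.conf; the RISKY set
is this example's own list of services the chapter calls weak.
"""
from dataclasses import dataclass

SERVICES_SAMPLE = """\
# name     port/proto   aliases        (constructed sample)
ftp        21/tcp
ssh        22/tcp
telnet     23/tcp
tftp       69/udp
finger     79/tcp
http       80/tcp       www www-http
sunrpc     111/tcp      portmapper
sunrpc     111/udp      portmapper
"""

INETD_SAMPLE = """\
# service  socket  proto  wait    user    program            args  (constructed)
ftp        stream  tcp    nowait  root    /usr/sbin/ftpd     ftpd
telnet     stream  tcp    nowait  root    /usr/sbin/telnetd  telnetd
finger     stream  tcp    nowait  nobody  /usr/sbin/fingerd  fingerd
tftp       dgram   udp    wait    nobody  /usr/sbin/tftpd    tftpd /tftpboot
#comsat    dgram   udp    wait    root    /usr/sbin/comsat   comsat
"""

# Services the chapter describes as cleartext or otherwise unprotected.
RISKY = {"telnet", "tftp", "finger", "rexec", "rlogin", "rsh",
         "systat", "echo", "chargen"}
PRIVILEGED_PORT_MAX = 1023


def parse_services(text):
    """Map (name, proto) -> port, aliases included, like getservbyname()."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table


@dataclass
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    program: str
    argv: list


def parse_inetd_conf(text):
    """Return the enabled (uncommented) entries; argv starts with argv[0]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError("malformed inetd.conf line: %r" % line)
        entries.append(InetdEntry(*fields[:6], argv=fields[6:]))
    return entries


def audit(inetd_text, services_text):
    """One report dict per enabled service: port, user and a list of issues."""
    services = parse_services(services_text)
    report = []
    for e in parse_inetd_conf(inetd_text):
        port = services.get((e.service, e.protocol))
        issues = []
        if port is None:
            issues.append("no /etc/services entry for %s/%s" % (e.service, e.protocol))
        if e.user == "root":
            issues.append("runs as root")
        if e.service in RISKY:
            issues.append("risky service enabled")
        if e.socket_type == "dgram" and e.wait != "wait":
            # inetd would fork a new server per datagram while the first
            # datagram is still queued on the shared socket.
            issues.append("dgram service should normally be 'wait'")
        report.append({"service": e.service, "port": port,
                       "privileged": port is not None and port <= PRIVILEGED_PORT_MAX,
                       "user": e.user, "issues": issues})
    return report


if __name__ == "__main__":
    for r in audit(INETD_SAMPLE, SERVICES_SAMPLE):
        print("%-8s port=%-5s user=%-7s %s" % (r["service"], r["port"], r["user"],
                                               "; ".join(r["issues"]) or "ok"))
```

Running it on the samples reports ftp and telnet as root-owned, telnet, finger and tftp as risky services, and leaves the commented-out comsat line alone. The same two parsers can be pointed at a real /etc/services and /etc/inetd.conf to get the list of services a host actually offers via inetd.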

9
Controlling access to servers
  • Unix is a friendly and trusting OS. By default,
    network services are offered to every other
    computer on the network. Unfortunately, this
    practice is not an advisable policy in today's
    networked world
  • There are several techniques that you can use to
    control access to servers that do not provide
    their own system for access control. These
    include
  • Use TCP Wrappers
  • Use a host-based firewall program
  • Use a standalone firewall appliance

10
What TCP Wrappers does
  • The TCP Wrappers system gives the system
    administrator a high degree of control over
    incoming TCP connections
  • It opens the /etc/hosts.allow file. This file
    contains access control rules and actions for
    each service
  • It scans through the file, line by line, until it
    finds a rule that matches the particular service
    and source host that has connected to the server
  • It executes the action specified in the rule. If
    appropriate, control is then turned over to the
    network server
  • If no matching rule is found, the file
    /etc/hosts.deny is opened and read sequentially,
    line by line. If a matching line is found, access
    is denied and the corresponding action performed
  • If no match is found in either the
    /etc/hosts.allow or the /etc/hosts.deny file, the
    connection is allowed by default, so a
    deny-by-default policy needs an explicit catch-all
    rule (ALL : ALL) at the end of /etc/hosts.deny

11
Continue
  • The actions implemented by TCP Wrappers are quite
    sophisticated. Specifically, options can
  • Compare the incoming hostname and requested
    service with an access control list to see if
    this host, or this combination of host and
    service, has been explicitly denied. If either is
    denied, TCP Wrappers drops the connection
  • Log the result with syslog
  • Use the ident protocol to determine the username
    associated with the incoming connection
  • Optionally send a banner to the connecting
    client. Banners are useful for displaying legal
    messages or advisories
  • Optionally run an auxiliary command
  • Perform a double reverse lookup of the IP
    address, making sure that the DNS entries for
    the IP address and hostname match
  • Pass control of the connection to the real
    network daemon, or pass control to some other
    program that can take further action
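
The allow-then-deny-then-default order from slide 10 is easy to get wrong, in particular the implicit allow when neither file matches. The following Python simulator is an added example, not part of the slides and not the tcp_wrappers source: it evaluates constructed hosts.allow and hosts.deny files in that order for a (daemon, client) pair and reports which rule decided. It models the daemon_list : client_list syntax with ALL, EXCEPT, trailing-dot network prefixes and leading-dot domain suffixes; the two deny files show the gap left by a deny file without a catch-all and the usual ALL : ALL fix. The client identity is passed as one string (address or name); IPv6 literals are not handled because rules are split on ':'.

```python
"""Simulate TCP Wrappers access decisions from hosts.allow / hosts.deny.

Added example (not from the slides and not the tcp_wrappers code). Lookup
order follows the slides: hosts.allow first, then hosts.deny, and allow
when neither matches. Both files below are constructed samples.
"""

HOSTS_ALLOW = """\
# daemon_list : client_list              (constructed sample)
sshd  : 192.168.1. EXCEPT 192.168.1.250
ftpd  : .corp.example
ALL   : 127.0.0.1
"""

# Denies only sshd from elsewhere; every other daemon falls through to the
# default, which TCP Wrappers treats as ALLOW.
HOSTS_DENY_GAP = """\
sshd  : ALL
"""

# The usual fix: a catch-all at the end of hosts.deny.
HOSTS_DENY_DEFAULT = HOSTS_DENY_GAP + "ALL   : ALL\n"


def _split_list(spec):
    """'a b EXCEPT c' -> (['a', 'b'], ['c'])."""
    tokens = spec.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Return [(daemon_list, client_list)] in file order; comments ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def _token_matches(token, value):
    if token == "ALL":
        return True
    if token.endswith("."):        # '192.168.1.' matches the whole /24
        return value.startswith(token)
    if token.startswith("."):      # '.corp.example' matches any host in it
        return value.endswith(token)
    return token == value


def _list_matches(lst, value):
    included, excluded = lst
    return (any(_token_matches(t, value) for t in included)
            and not any(_token_matches(t, value) for t in excluded))


def first_match(rules, daemon, client):
    """Index of the first rule matching daemon and client, else None."""
    for i, (daemons, clients) in enumerate(rules):
        if _list_matches(daemons, daemon) and _list_matches(clients, client):
            return i
    return None


def check_access(daemon, client, allow_text, deny_text):
    """Return ('allow'|'deny', reason) in TCP Wrappers evaluation order."""
    i = first_match(parse_rules(allow_text), daemon, client)
    if i is not None:
        return "allow", "hosts.allow rule %d" % (i + 1)
    i = first_match(parse_rules(deny_text), daemon, client)
    if i is not None:
        return "deny", "hosts.deny rule %d" % (i + 1)
    return "allow", "no rule matched (implicit default)"


if __name__ == "__main__":
    probes = [("sshd", "192.168.1.10"), ("sshd", "192.168.1.250"),
              ("sshd", "10.0.0.5"), ("telnetd", "10.0.0.5"),
              ("ftpd", "gw.corp.example"), ("fingerd", "127.0.0.1")]
    for deny_file, label in ((HOSTS_DENY_GAP, "gap"), (HOSTS_DENY_DEFAULT, "catch-all")):
        print("hosts.deny =", label)
        for daemon, client in probes:
            verdict = check_access(daemon, client, HOSTS_ALLOW, deny_file)
            print("  %-8s %-18s -> %s (%s)" % ((daemon, client) + verdict))
```

With HOSTS_DENY_GAP the telnetd probe from 10.0.0.5 is allowed because nothing mentions telnetd; with HOSTS_DENY_DEFAULT the same probe is denied by the catch-all while the sshd, ftpd and loopback exceptions in hosts.allow keep working.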

12
Host-Based Packet Firewall
  • Many Unix-based systems contain a built-in packet
    firewall. The firewall is controlled with rules
    that are loaded into the kernel at runtime
  • Rules can block or allow packets based on packet
    type, host, protocol, and even packet-level flags
  • Using these rules, you can implement a broad
    variety of policies for traffic, such as
  • Disallow all incoming traffic by default, but
    permit a few exceptions, such as allowing anyone
    to make an HTTP connection to port 80, and a list
    of predefined hosts to make an SSH connection to
    port 22. This "deny everything that isn't
    permitted" approach is a recommended security
    practice

13
Continue
  • Allow all incoming traffic, except from those
    hosts specifically excluded
  • Allow outgoing HTTP connections to anywhere on
    the Internet, but allow incoming connections only
    from a few select hosts
  • Log firewall violations for later analysis
  • Traditionally, Linux systems based on the 2.2
    kernel have used the ipchains IP firewall, Linux
    systems based on the 2.4 kernel have used the
    netfilter (iptables) IP firewall, and BSD-based
    systems have used ipfw (ipfirewall)
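
To compare the two policies on slides 12 and 13 without tying the comparison to ipchains, netfilter or ipfw syntax, the following Python model is an added example, not part of the slides: it implements only what those tools share (rules tried in order, first match decides, the chain's default policy otherwise) and logs every drop as the slide recommends. The packets, ADMIN_HOSTS and BAD_HOSTS are constructed addresses chosen to show where the blacklist policy leaves an unintended telnet listener reachable.

```python
"""Host packet filter policies as ordered rules with a default verdict.

Added example (not from the slides, and not ipchains/netfilter/ipfw
syntax). The two policies from the slides are built side by side and run
over the same constructed packets; ADMIN_HOSTS and BAD_HOSTS are made-up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ADMIN_HOSTS = ["192.0.2.10/32", "192.0.2.11/32"]   # allowed to reach SSH
BAD_HOSTS = ["198.51.100.0/24"]                    # the blacklist policy's exclusions


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    verdict: str               # "accept" or "drop"
    src: str = "0.0.0.0/0"     # source network
    proto: str = "any"
    dst_port: int = 0          # 0 = any port

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src)
                and self.proto in ("any", pkt.proto)
                and self.dst_port in (0, pkt.dst_port))


class Firewall:
    def __init__(self, rules, default):
        self.rules, self.default, self.log = list(rules), default, []

    def filter(self, pkt):
        """First matching rule wins; otherwise the default policy applies."""
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                if rule.verdict == "drop":
                    self.log.append("DROP rule %d: %s %s -> :%d"
                                    % (n, pkt.proto, pkt.src, pkt.dst_port))
                return rule.verdict
        if self.default == "drop":
            self.log.append("DROP policy: %s %s -> :%d" % (pkt.proto, pkt.src, pkt.dst_port))
        return self.default


def default_deny_policy():
    """Slide 12: deny everything not explicitly permitted."""
    rules = [Rule("accept", proto="tcp", dst_port=80)]
    rules += [Rule("accept", src=h, proto="tcp", dst_port=22) for h in ADMIN_HOSTS]
    return Firewall(rules, default="drop")


def blacklist_policy():
    """Slide 13: allow everything except a list of excluded hosts."""
    rules = [Rule("drop", src=h) for h in BAD_HOSTS]
    return Firewall(rules, default="accept")


# Constructed inbound connection attempts.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", 80),     # anyone to the web server
    Packet("203.0.113.7", 22),     # stranger to SSH
    Packet("192.0.2.10", 22),      # admin host to SSH
    Packet("198.51.100.99", 25),   # blacklisted host to SMTP
    Packet("203.0.113.7", 23),     # stranger to a telnet left running by mistake
]


def run(fw, packets=SAMPLE_PACKETS):
    """Verdict per packet, in order; drops accumulate in fw.log."""
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for name, fw in (("default-deny", default_deny_policy()), ("blacklist", blacklist_policy())):
        print(name, run(fw))
        for line in fw.log:
            print("   ", line)
```

Under the default-deny policy the stray telnet listener and the stranger's SSH attempt are dropped by the policy and show up in the log; under the blacklist policy only the excluded network is stopped and telnet on port 23 stays open to everyone else, which is why the slides recommend the first form.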

14
Primary Unix Network Services
  • Let us describe selected network services that
    are usually provided as part of the standard Unix
    package, focusing on the major security
    implications of each of these services
  • Every network service carries both known and
    unknown security risks, ranging from small to
    substantial
  • The configuration files and home directories of
    each service need to be protected properly

15
Continue
  • 1. echo and chargen (TCP and UDP Ports 7 and 19) -
    echo and chargen are two services that were
    designed for development and testing of IP
    networks and implementations
  • The echo service accepts connections on TCP port
    7 or individual datagrams on UDP port 7 and
    echoes back everything that it receives to the
    sender
  • The chargen (character generator) service accepts
    TCP connections and UDP datagrams on port 19 and
    sends back a character pattern. Because both
    answer any datagram they receive, they can be
    used to bounce traffic between hosts and should
    be disabled on Internet-facing machines

16
Continue
  • 2. systat (TCP Port 11) - it is designed to
    provide status information about your computer to
    other computers on the network
  • 3. FTP, File Transfer Protocol (TCP Ports 20 and
    21) - allows you to transfer complete files
    between systems
  • 4. SSH, the Secure Shell (TCP Port 22) -
    originally developed by Tatu Ylonen, SSH (the
    Secure Shell) is a cryptographically enabled
    protocol for remote login, file copying and TCP
    connection tunneling. Originally implemented
    solely by Tatu Ylonen's ssh command-line Unix
    utility, today the SSH protocol is implemented by
    dozens of programs on many platforms

17
Continue
  • 5. Telnet (TCP Port 23) - Telnet is a service
    designed to allow you to log onto a remote
    computer on the Internet. Telnet gives you a
    virtual terminal on the remote computer. The
    Unix version of Telnet is implemented with the
    telnet client and telnetd server programs. The
    client program is quite flexible: in addition to
    contacting the appropriate servers, the client
    can be used to open a connection to any TCP/IP
    based server that uses a text-based protocol.
    Telnet sends usernames, passwords and session
    data in the clear, so SSH should be used instead
    for remote logins
  • To use telnet, type the name of the command
    followed by the name of the computer to which you
    wish to connect. Example: telnet prose

18
Continue
  • 6. SMTP, Simple Mail Transfer Protocol (TCP Port
    25) - the Simple Mail Transfer Protocol is an
    Internet standard for transferring electronic
    mail between computers
  • 7. TACACS and TACACS+ (UDP Port 49) - the TACACS
    (Terminal Access Controller Access Control
    System) protocol was developed by Cisco and is
    used to authenticate logins to terminal servers
  • 8. Domain Name System (DNS) (TCP and UDP Port
    53) - it is a distributed database that is used
    so that computers may determine IP addresses from
    hostnames, determine where to deliver mail within
    an organization, and determine a hostname from an
    IP address. The process of using this
    distributed system is called resolving

19
Continue
  • 9. BOOTP, Bootstrap Protocol, and DHCP, Dynamic
    Host Configuration Protocol (UDP Ports 67 and
    68) - both are designed to dynamically configure
    devices on a local area network. These protocols
    are typically used to assign IP addresses to
    workstations, laptops, and network appliance
    devices. BOOTP is the original variant of this
    protocol and dates back to the 80s. DHCP
    extended the BOOTP protocol by allowing clients
    to be assigned leases on specific IP addresses
    for a certain period of time and by allowing the
    delivery of arbitrary name/value pairs to the
    client as part of the protocol. It dates back to
    the 90s and is now widely used

20
Continue
  • 10. TFTP, Trivial File Transfer Protocol (UDP
    Port 69) - is a UDP-based file transfer program
    that provides no authentication or other security
  • 11. finger (TCP Port 79) - it has 3 uses
  • a. if you run finger with no arguments, the
    program prints the username, full name, location,
    login time, and office telephone number of every
    user currently logged into your system
  • b. if you run finger with a name argument, the
    program searches through the /etc/passwd file and
    prints detailed information for every user with a
    first name, last name, or username that matches
    the name you specified
  • c. if you run finger with an argument that
    contains the at sign (@), the program connects to
    the finger server on the remote machine, submits
    a finger query and displays the result

21
Continue
  • 12. HTTP, HTTPS, Hypertext Transfer Protocol
    (TCP Ports 80, 443) - it is the protocol that is
    used to request and receive documents from
    servers on the WWW. Access to the web has been a
    driving force behind the growth of the Internet,
    and many sites that have Internet connectivity
    are pressured to provide both client applications
    and web servers for their users
  • HTTP servers typically listen on port 80. HTTPS
    servers, which implement secure HTTP by using
    SSL/TLS, typically listen on port 443

22
Continue
  • 13. POP, POPS, Post Office Protocol, and IMAP,
    IMAPS, Internet Message Access Protocol (TCP
    Ports 109, 110, 143, 993, 995)
  • The Post Office Protocol (POP) is a system that
    provides users on client machines a way to
    retrieve their electronic mail from a server. It
    runs on ports 109 (POP2) and 110 (POP3)
  • The Internet Message Access Protocol (IMAP)
    performs a similar function, although this
    protocol allows the client to manage mail
    messages in multiple mailboxes. It runs on port
    143. The SSL/TLS-protected variants IMAPS and
    POP3S listen on ports 993 and 995 respectively

23
Continue
  • 14. Sun RPC portmapper (UDP and TCP Port 111) -
    the portmapper program is used as part of Sun
    Microsystems' Remote Procedure Call (RPC) system
    to dynamically assign the TCP and UDP ports used
    for remote procedure calls. portmapper is thus
    similar to the inetd daemon, in that it mediates
    communications between network clients and
    network servers
  • 15. Identification Protocol (TCP Port 113) -
    commonly called ident, but sometimes called auth,
    provides a mechanism to query a remote system for
    the username that corresponds to a particular TCP
    connection

24
Continue
  • 16. NNTP, Network News Transfer Protocol (TCP
    Port 119) - is used by many large sites to
    transport Usenet Netnews articles between news
    servers
  • 17. NTP, Network Time Protocol (UDP Port 123) -
    is a protocol that can be used to synchronize the
    clocks on multiple computers
  • 18. SNMP, Simple Network Management Protocol (UDP
    Ports 161 and 162) - is a protocol designed to
    allow the remote management of devices on your
    network

25
Continue
  • 19. rexec (TCP Port 512) - remote execution
    allows you to execute commands on other computers
    without having to log into them
  • 20. rlogin and rsh (TCP Ports 513 and 514) -
    these programs provide remote terminal service
    that is similar to telnet. rlogin is the client
    program, and rlogind is the server
  • 21. RIP, routed, Routing Information Protocol
    (UDP Port 520) - is used by Internet gateways to
    exchange information about new networks and
    gateways

26
Continue
  • 22. The X Window System (TCP Ports 6000-6063) - X
    is a popular network-based window system that
    allows many programs to share a single graphical
    display
  • 23. RPC rpc.rexd (TCP Port 512) - the rpc.rexd
    service is a Sun RPC server that allows for
    remote program execution. Using it, any user
    who can execute RPC commands on your machine
    can run arbitrary shell commands

27
Managing Services Securely
  • Once you have deployed a Unix server on a
    network, it is important that you manage it
    securely
  • You should periodically monitor your server and
    the network for potential problems or abuse
  • Most network topologies provide 3 locations for
    monitoring
  • The host
  • The LAN
  • The point where your network connects to other
    networks

28
Managing Services Securely
  • Monitoring your host with netstat - you can use
    the netstat command to list all of the active and
    pending TCP/IP connections between your machine
    and every other machine on the Internet, as well
    as the ports on which your machine is listening
  • Monitoring your network with tcpdump - you can
    use the tcpdump command to watch packets as they
    move over your network
  • Network scanning - you can use network scanners
    to scan your network for known problems
  • There are several kinds of network scanners
    available today
  • Commercial network scanners
  • Freeware security scanners
  • Freeware port scanners
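
The netstat check above is only useful if its output is compared against what the host is supposed to offer. The following Python script is an added example, not part of the slides: it parses a constructed capture in the layout of netstat -an on Linux, separates listening sockets from established connections, ignores sockets bound only to the loopback address, and reports every network-reachable (protocol, port) pair that is missing from an allowlist. NETSTAT_SAMPLE and EXPECTED are this example's own data.

```python
"""Compare listening sockets reported by netstat against an allowlist.

Added example (not from the slides). NETSTAT_SAMPLE is a constructed
capture in the layout of 'netstat -an' on Linux; EXPECTED is this
example's own list of the services the host is supposed to offer.
"""

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)   (constructed sample)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# (proto, port) pairs this host is meant to expose.
EXPECTED = {("tcp", 22), ("tcp", 80), ("udp", 123)}
LOOPBACK = ("127.", "::1")


def parse_netstat(text):
    """Return one dict per socket line; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0].rstrip("6")              # tcp6/udp6 -> tcp/udp
        addr, port = fields[3].rsplit(":", 1)
        state = fields[5] if len(fields) > 5 else ""   # UDP lines carry no state
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "foreign": fields[4], "state": state})
    return sockets


def listeners(text):
    """Sockets waiting for input: TCP in LISTEN, or UDP bound with no peer."""
    return [s for s in parse_netstat(text)
            if s["state"] == "LISTEN"
            or (s["proto"] == "udp" and s["foreign"].endswith("*"))]


def unexpected_listeners(text, expected=EXPECTED):
    """Listening (proto, port) pairs reachable from the network but not in expected."""
    found = set()
    for s in listeners(text):
        if s["addr"].startswith(LOOPBACK):        # local-only bindings are not exposed
            continue
        if (s["proto"], s["port"]) not in expected:
            found.add((s["proto"], s["port"]))
    return sorted(found)


def established(text):
    """(local port, peer) for live connections, the 'active' view the slide mentions."""
    return [(s["port"], s["foreign"]) for s in parse_netstat(text)
            if s["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(NETSTAT_SAMPLE))
    print("established:", established(NETSTAT_SAMPLE))
```

On the sample the script flags telnet (tcp/23), the RPC portmapper (tcp/111) and tftp (udp/69) as listeners nobody intended, all three of them services this chapter describes as risky, while the SMTP listener bound to 127.0.0.1 is left alone because it is not reachable from the network.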

29
Conclusion
  • A network connection lets your computer
    communicate with the outside world, but it can
    also permit attackers in the outside world to
    reach into your computer and do damage. Therefore:
  • Decide whether the convenience of each Internet
    service is outweighed by its danger
  • Know all of the services that your computer makes
    available on the network and remove or disable
    those that you think are too dangerous
  • Pay specific attention to trap doors and Trojan
    horses that could compromise your internal
    network
  • Educate your users to be suspicious of strangers
    on the network