securing linux

About This Presentation

Title:

securing linux

Description:

securing linux attacks from the outside outside versus inside attacks from the outside have all the cool toys have all the notoriety attacks from the inside less ... – PowerPoint PPT presentation

Number of Views:106

Avg rating:3.0/5.0

Slides: 69

Provided by: content2L

Category:

more less

Transcript and Presenter's Notes

Title: securing linux

1
securing linux

attacks from the outside

2
outside versus inside

attacks from the outside
have all the cool toys
have all the notoriety
attacks from the inside
less glamorous
but more likely to be the source of an attack!

3
overview

attacks may focus on different layers!
higher level attacks focus on software
especially daemons
lower level attacks focus on hardware
IP and MAC addresses
two very powerful tools
telnet
netcat

4
topics

attacking passwords
DNS issues
routing issues
trusted hosts
attacking applications

5
topics (cont'd)

advanced packet sniffing
ping of death and teardrop
denial of service (DoS)
distributed denial of service (DDoS)
honey pots

6
attacking passwords

default passwords (fixing stupid)
in software, such as webmin
in hardware, such as routers
pre-installed passwords are not secure
the whole world has access to them!
Google default passwords
Service level passwords
service

7
attacking passwords

countermeasures
understand the default settings
set passwords as appropriate
no dictionary words
understand weak / common passwords
google 500 worst passwords

8
attacking passwords

password guessing
the infamous guest / guest account
original UNIX passwords used DES
maximum of 8 characters
if alphanumeric characters, then 62 8
brute force cracking is possible
brutus (windows)
brutus.pl (linux)
common sources for passwords
Star Wars, Star Trek, Lord of the Rings, ...
dictionary searches are possible no common words

9
attacking passwords

countermeasures
use MD5 or blowfish rather than DES
passwords should exceed 16 characters
disable finger and rwho services
which freely give away user id
thus reducing work for the cracker
set time delay following invalid login
to the largest tolerable value

10
attacking passwords

packet sniffing
normally, a network interface card retrieves only
packets destined for its MAC address
however, a network interface card can be placed
in promiscuous mode which retrieves all packets
packet sniffers look at all passing packets to
glean information
examples
tcpdump
ethereal
hunt

11
attacking passwords

packet sniffing can be reduced somewhat by using
switches rather than hubs
hub packet distributed along all branches
switches packet distributed along single branch

12
attacking passwords

plain text passwords are obvious security risk
telnet, rlogin, rsh, rcp ftp
http, pop3, imap
openSSH provides secure connections
slogin, ssh, scp, sftp, https
information encrypted

13
attacking passwords

openSSL secure socket layer
stunnel wrapper for an insecure transaction
insecure service normally listens on port number
X
stunnel is configured to listen on port number Y
a secure connection implemented on port number Y
information redirected to insecure service on
port number X
To secure a connection on a SMTP server, stunnel
maps insecure
port 25 to 465. Traffic passes via SSL to port
465 to the stunnel application which
transparently forwards it to port 25

14
DNS issues

both attacks based upon UDP protocol
first response is assumed to be correct response!
two forms of attack
DNS spoofing
DNS cache poisoning

15
DNS issues

DNS spoofing
eavesdropper (packet sniffer) attempts to respond
faster than DNS server
provides incorrect IP address in response to
query
countermeasures
utilize switches rather than hubs
to reduce packet sniffing abilities
DNSSEC is being developed
to enhance overall DNS security

16
DNS issues

DNS cache poisoning
caching speeds up DNS process by reducing the
number of queries
a renegade server can provide additional
incorrect information in response to a query
countermeasures
upgrade BIND utility
keep software up to date
split DNS service
internal (trusted) server versus
external (untrusted) server

17
routing issues

attacks seek to take advantage of features within
routing to enhance communication
four forms of attack
IP forwarding
source routing
dynamic routing tables
ICMP redirection

18
routing issues

IP forwarding
gateway machines are essential to connect
networks, but not every dual-homed host needs to
function as a gateway
example
public web server communicates with private
database
countermeasures
disable IP forwarding where appropriate
echo 0 gt /proc/sys/net/ipv4/ip_forward

19
routing issues

source routing
it is possible to specify a path through a large
network from source to destination
netcat -g ltIP1gt -g ltIP2gt ... ltdestinationgt
packets appear to come from last source
countermeasures
disable source routing
on Linux
echo 0 gt /proc/sys/net/ipv4/conf/all/accept_source
_route
on routers

20
routing issues

dynamic routing tables
routing tables can be static (unchanging)
routing tables can be dynamic (changing)
dynamic tables useful for larger networks
Linux daemons routed or gated
however, information from routers
can be spoofed (unreliable source)
can be spurious (unreliable data)
countermeasures
disable dynamic routing
do not activate routed or gated daemon
manually configure static routing table

21
routing issues

ICMP redirection
if multiple gateways exist in a large network,
then routers must communicate best routes and
redirect traffic
once again, information from routers
can be spoofed
can be spurious
countermeasures
disable ICMP redirection
echo 0 gt /proc/sys/net/ipv4/conf/all/accept_redire
cts
manually configure gateways
route add -net ltnet_addrgt gw ltgw_addrgt

22
trusted hosts

if plain text passwords are a bad idea, then
requiring no password is even worse!
tcp-wrappers (inetd and xinetd)
/etc/hosts.allow permissible users
/etc/hosts.deny unacceptable users
based on IP addresses which can be spoofed
ifconfig eth00 inet ltIP_spoof_addressgt
netcat -S ltIP_spoof_addressgt -D lttargetgt
decisions based solely on the source IP address
should be considered questionable

23
trusted hosts

other offenders
rlogin, rsh, rcp
/etc/hosts.equiv /.rhosts
slogin, ssh, scp, sftp
/etc/hosts.equiv /.shosts
nfs network file system protocol
/etc/exports
plus tcp-wrappers
nis network information service protocol
/etc/defaultdomainname
plus tcp-wrappers

24
trusted hosts

countermeasures
never use the above features!!!
except on the most trusted private networks
understand that any IP address can be spoofed
drop all incoming packets at the gateway firewall
that have private IP addresses

25
attacking applications

default or poor configuration
too many system administrators use the default
configuration for software which comes with the
Linux distribution
either universally known
or universally available on the internet
too many system administrators do not know how to
properly configure the software they use
poor choices
incorrect options
in either case, crackers will exploit these
weaknesses!

26
attacking applications

RPC remote procedure calls
support mechanism for two popular utilities
NFS and NIS
does not require dedicated ports
portmapper daemon (port 111 TCP and UDP)
maintains table of utilized ports for active
services
portmapper table is available to public
rpcinfo -p ltservergt
nmap -sS -sR ltservergt
recent Linux distributions have incorporated
portmapper within tcp-wrappers
/etc/hosts.allow and /etc/hosts.deny

27
attacking applications

UNIX RPC
called Open Network Connect (ONC)
Windows RPC
called Distributed Computing Environment (DCE)
countermeasures
block port 111 at gateway firewall
do NOT use RPC!

28
attacking applications

NFS network file system
created in 1989 by Sun Microsystems
utilizes port 2049 TCP and UDP
server configuration file
/etc/exports
inappropriate use of wild cards
bad, world accessible file systems
worse, world writable file systems
information readily available
showmount -e ltservergt
contents of file /etc/exports
showmount -a ltservergt
displays currently mounted file systems

29
attacking applications

countermeasures
block port 2049 at gateway firewall
do NOT use NFS!
consider more modern / secure alternatives
such as Andrew File System (AFS)

30
attacking applications

NIS network information system
distributes important files across the network
/etc/hosts, /etc/networks, /etc/passwd,
/etc/groups
information readily available
ypwhich
ypcat ltfilegt
passwords (although still encrypted) are clearly
visible

31
attacking applications

countermeasures
block port 111 at gateway firewall
do NOT use NIS!
consider more modern / secure alternatives
such as Lightweight Directory Access Protocol
(LDAP)

32
attacking applications

countermeasures
turn off all unnecessary services
keep software up-to-date
SuSE Yast On-line Update (YOU)
Red Hat Up2Date
pay attention to log files for signs of attack

33
attacking applications

network clients
both server and client must be correctly
configured
both server and client must communicate correctly
examples
e-mail buffer overflow in From entry
web malicious JAVA script, poor cgi scripts
GnuPG format string bug in early version

34
attacking applications

countermeasures
keep software up-to-date
pay attention to all configuration file options
uninstall unused software

35
attacking applications

X11 issues
X11 is built on server client model
unlike Windows the client and the server need not
be the same computer!
more flexibility gt more security issues!
typical server client model is reversed
server keyboard, mouse, monitor
client application on remote host
typical attacks
keystroke capture
screenshots

36
attacking applications

countermeasures
limit graphical login (xdm, kdm, gdm) to
localhost
block port 177 on the host
disable X11 services to the network
block ports 60006064 on the host
startx -- --nolisten tcp
restrict access to X server using the xhost
command
require authentication using Xauth utility

37
attacking applications

openSSH issues
openSSH is a highly recommended secure
application
supports
remote login
file transfer
remote shells
it is highly configurable
even including options which reduce its inherent
security!

38
attacking applications

pay special attention to the following files
/etc/ssh/ssh_config system-wide configuration
/.ssh/config person configuration
include the following entries
host
ForwardX11 no
ForwardAgent no

39
advanced packet sniffing

although switches are preferable to hubs,
switches are vulnerable
ARP spoofing enables software, like hunt, to
circumvent this feature
packet floods to a switch may cause the switch to
revert to the performance of a hub

40
advanced packet sniffing

session hijacking
rather than passively watch packets go by, a
cracker can assume the identity of either host in
a communication socket
usually done after a user has obtained elevated
privileges (to super user)
a cracker can even return control to the original
user as if only a minor system glitch had occurred

41
advanced packet sniffing

software
hunt
dsniff (suite of tools)
dsniff
dnsspoof
arpspoof
sshmitm man in the middle
webmitm man in the middle
ettercap
netwox / netwag

42
man in the middle

attack against secure communications
exploits weakness in human nature
does not exploit weakness in the secure protocol
normal (secure) communication
A contacts B
B sends a certificate verifying itself to A
A begins communicating with B

43
man in the middle

man in the middle attack
C contacts B
B sends a certificate verifying itself to C
C begins communicating with B
C spoofs or poisons DNS for A
diverting packets intended for B to C
A contacts B (really C)
C sends a certificate verifying itself to A
A ignores the pop-up box
A begins communicating with B (really C)

44
man in the middle

man in the middle attack (cont'd)
C now controls the communication
C has options
can relay
can replay (with modifications that benefit C)
countermeasures
pay attention to certificate pop-ups!
read
verify
disconnect if uncertain

45
intrusion detection software

monitor network traffic for signs of suspicious
activity
more sophisticated than ntop in its analysis
appears to be a developing area of study
software
snort
firestorm
prelude

46
ping of death and teardrop

the following two attacks are based on the
fundamental structure of packets
ping of death
ICMP packet size should not exceed 65,536 bytes
a larger packet caused a buffer overflow
condition
teardrop
large packets are divided and must be reassembled
multiple packets that do not reassemble caused a
kernel panic

47
ping of death and teardrop

countermeasures
newer Linux kernels are not susceptible
keep the Linux kernel up to date
newer routers automatically filter such packets

48
denial of service

an explicit attempt by attackers to prevent
legitimate users from accessing a service
flavors
ICMP ping flood
TCP SYN flood
UDP flood
ICMP smurf flood
local resource exhaustion

49
denial of service

ICMP ping flood
simple ping command, but deliver packets as fast
as possible
ping -f -s 2048 lttargetgt
countermeasures
filter ICMP echo requests

50
denial of service

TCP SYN flood
a rapid sequence of SYN request with no matching
ACK packet
tries to overflow the TCP half-open connections
queue
countermeasures
during a SYN flood
increase the size of the half-open connections
queue
/proc/sys/net/ipv4/tcp_max_syn_backlog
decrease the value(s) in the following files
/proc/sys/net/ipv4/timeout_synack
/proc/sys/net/ipv4/timeout_synrecv

51
denial of service

UDP flood
targets two systems
targetA echo port port 7
targetB chargen port port 19
send UDP packet to targetA
source IP address as targetB
source port as chargen port (character generator)
destination IP address as targetA
destination port as echo port
especially cool if targetA and targetB are the
same computer!

52
denial of service

countermeasures
disable chargen service
disable echo service
disable inetd / xinetd

53
denial of service

ICMP smurf flood
ICMP echo request is sent to a broadcast address
with spoofed source IP address
generates multiple echo replies
potentially one from each host in the network
example
nemesis-icmp -I 8 -S lttargetgt -D ltbroadcastgt
countermeasures
disable broadcast requests
echo 1 gt /proc/sys/net/ipv4/icmp_ignore_broadcasts
echo 1 gt /proc/sys/net/ipv4/icmp_echo_ignore_all

54
denial of service

local resource exhaustion
although not an attack over the network, it is a
form of denial of service
fill up the storage area on a disk partition
fill up a sharable system resource queue
countermeasures
use Linux quotas
use the Linux ulimit command
use the Linux /etc/security/limits.conf file

55
distributed denial of service

a denial of service from a single source is bad
enough
imagine the impact if hundred (or thousands) of
computers coordinated an attack
unfortunately university systems are often
accomplices in these attacks
more open environment
more relaxed security

56
distributed denial of service

reflector attack
simplest of the DdoS attacks
send packets to numerous systems using a spoofed
source IP address

57
distributed denial of service

Trin00 Aug 99 against Univ of Minn
exploits against RPC services
a cracker compromises a large number of hosts
a small number of hosts are designated handler
nodes to help coordinate the attack
a large number of hosts are designated agent
nodes to carry out the actual attack
all communication is done via UDP
each packet contains a password
to prevent other crackers from taking control!
each agent launches a simple UDP flood

58
distributed denial of service

tribe 2000
builds upon the trin00 concepts
communication is done via ICMP, UDP, or TCP
can spoof IP addresses
can change its process name to hide itself from
detection
can launch a variety of attacks
ICMP ping flood
TCP SYN flood
UDP flood
ICMP smurf flood

59
distributed denial of service

countermeasures
incorporate all the countermeasures for a simple
denial of service
note
you can not prevent a denial of service
you can only minimize its impact
you can help ensure that your computer(s) do not
participate in a distributed denial of service

60
honeypots

a recent addition to the field of security has
been the concept of a honeypot
in essence, a honeypot is a decoy host designed
to lure a cracker away from more valuable hosts
and servers
some honeypots have been said to lure
approximately 85 of the SPAM intended for a
network away from the actual mail server

61
honeypots

flavors of honeypots
a honeypot
appearance of a simple server running crackable
software with poor firewall
intended to lure cracker toward it
a complete virtual network
appearance of a huge network of identical secure
machines
intended to frustrate the cracker with the amount
of work necessary to find a worthwhile target

62
honeypots

flavors of honeypots (cont'd)
a sticky pot
appearance of a simple server running crackable
software with poor firewall
with the added feature of designed to steadily
impede the cracker's host

63
honeypots

software
honeyd
labrea
thp
arpd
fakeap
WARNING Sticky pots, such as labrea, may violate
Illinois state law! It is against state law to
impede or slow electronic communication even if
the affected party is in violation of other laws.

64
concluding comments

fundamental principles
always keep software up to date
never run unnecessary services
Less is more -- if you dont know what it does
turn it off / uninstall unused software
i would like to add two more
implement egress filtering at the gateway
firewall
never retaliate against a potential cracker

65
egress filtering

egress filtering drops any outgoing packet whose
source address is NOT from the local area network
everybody knows to filter incoming traffic!
filtering outgoing traffic would effectively stop
a large percentage of IP spoofing
packets that do not meet security policies are
not allowed to leave - they are denied "egress
Egress filtering helps ensure that unauthorized
or malicious traffic never leaves the internal
network

66
retaliation