
securing linux






Presentation Transcript


  1. what people can see securing linux

  2. Big Picture • How to rob a bank

  3. A bit of History • 1954 & 1960 Bell System Tech Journals: trunk routing and signalling frequencies • Pranks: Wozniak called the Pope • 2600 Hz tone: the Captain Crunch whistle • Phone phreaking • Steve Wozniak's blue box tone generator • 1990: the phone system became digital • War dialing, an early form of scanning • Wargames (1983)

  4. Socket Programming • USPS addressing • 1520 Orchard Road Apt 2A • IP addressing • 192.168.10.50:5900 (address:port) • a service / application listens on an open port • instant messaging, VOIP in games, telnet, FTP, HTTP • protocols are the "languages" spoken over those ports

  5. overview • Network topologies • eggshell architectures • where to get information • news groups and mailing lists • mapping a network • ping sweeps and traceroutes • mapping a host • port scans and OS fingerprinting • network scanners • everything in a single powerful package • social engineering • exploiting human nature

  6. where to get information • news groups and mailing lists • forums • WHOIS database • www.arin.net • DNS

  7. Traditional topology

  8. Enhanced traditional topology

  9. Secure network topology

  10. news groups / mailing lists / forums • these are valuable resources • system administrator • newbie • BUT people get over-excited and reveal too much information (gear head syndrome) • golden rule: remain faceless and traceless • obscurity is no substitute for hardening, but there is no reason to hand out details • post only using generic terms

  11. news groups / forums • they are a source of information • personal information • name, address, title, phone, e-mail • system configuration • network architecture • real host names and IP addresses • hardware: brand names and model numbers • archives • this information never goes away!!! • http://www.archive.org

  12. news groups / mailing lists • countermeasures: • use generic titles, not real names • use switchboard numbers, not personal numbers • separate e-mail address • work-related communication (generic title) • webadmin@cs.lewisu.edu • personal communication • smithpaul@cs.lewisu.edu • limit any public description of network • fictitious IP addresses & fictitious host names

  13. WHOIS database (www.arin.net) • whenever a domain name is registered (with a registrar) or an IP block is allocated (by a regional registry such as ARIN) • contact information must be submitted with the registration • this information is publicly available • whois utility • may require installation • linux example: • whois lewisu.edu • whois ibm.com

  14. WHOIS database • countermeasures: • use generic titles, not real names • use switchboard numbers, not personal numbers • separate e-mail address • work-related communication (generic title) • techdirector@cs.lewisu.edu • personal communication • smithpaul@cs.lewisu.edu • obviously you MUST give valid information • the goal is NOT to give away valuable information unnecessarily

  15. DNS issues • zone files have numerous record types which give away information • HINFO system info: CPU and OS • TXT additional free text • RP responsible person information • zone transfers (AXFR) • needed from the primary server to its secondaries • anyone else who is allowed to request one gets a copy of the whole zone

  16. DNS Basics • the Domain Name System performs name to IP (and IP to name) resolution on the internet • started in 1983 with RFC 882 and has grown into one of the largest and most powerful parts of the net • beyond name translation a number of protocols and applications rely on DNS for their main activity • SMTP uses MX records to map an email address to its mail server • SPF records, telephone numbers and addresses, certificates and other info are stored in DNS zone records

  17. BIND • Berkeley Internet Name Domain Server • BIND is open-source software that implements the DNS protocols for the Internet.

  18. DNS issues • dig DNS lookup utility (domain information groper) is a flexible tool for interrogating DNS name servers. • linux example: • dig -t hinfo hostname • dig -t txt hostname

  19. DNS issues • reverse lookups (IP address --> host name) often provide too much free information • 129.42.58.216 --> www.ibm.com • www is a standard prefix for a web server • linux example: • dig www.lewisu.edu • dig -x 204.248.57.178

  20. DNS issues • every version of bind (4, 8, and 9) has its flaws! • 9 was a total rewrite and still had issues • the following command • host -c chaos -t txt version.bind <server> • will usually tell you the specific version • linux example (add @<server> to ask a particular name server instead of the default resolver): • dig -c chaos -t txt version.bind

  21. DNS issues • countermeasures: faceless & traceless • in the zone files: • delete HINFO records • delete TXT records that are not needed (SPF and similar records are needed) • RP records should contain a generic title • in /etc/named.conf: • restrict zone transfers to the secondaries • allow-transfer { 233.45.164.27; }; • otherwise • allow-transfer { none; }; • disable the version.bind response in the options block • version "not available";
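The named.conf and zone-file checks above can be scripted. The following is an added example written for this page, not code from the slides or from BIND: a small bash audit that flags allow-transfer { any; }, a missing version override, and HINFO, RP and free-text TXT records. The two named.conf samples and the zone file are constructed (example.com, RFC 5737 addresses such as 192.0.2.53 are assumptions); SPF, DKIM and DMARC TXT records are treated as needed and are not flagged.

```shell
#!/bin/bash
# Added example: audit BIND config and zone data for the disclosures listed above.
# All sample files below are constructed for illustration, not from a real server.

# Constructed named.conf with the weak settings.
weak_named_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
    allow-transfer { any; };      // anyone can AXFR every zone
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
EOF
}

# Constructed named.conf with the countermeasures applied.
hardened_named_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
    version "not available";      // answer to version.bind CH TXT
    allow-transfer { none; };     // default for every zone
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; };   // the secondary only
};
EOF
}

# Constructed zone file that leaks hardware, OS and a person's name.
leaky_zone_file() {
    cat <<'EOF'
$TTL 86400
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 86400 )
     IN NS  ns1.example.com.
ns1  IN A   192.0.2.53
www  IN A   192.0.2.80
www  IN HINFO "Intel x86_64" "Linux 5.10"
www  IN TXT  "Dell PowerEdge R740, rack 3"
@    IN TXT  "v=spf1 mx -all"
@    IN RP   paul.smith.example.com. .
EOF
}

# audit_named_conf <file>: print one finding per line; exit 1 if any were found.
audit_named_conf() {
    local conf n=0
    conf=$(sed -e 's://.*$::' -e 's:#.*$::' "$1")     # drop comments first
    if ! printf '%s\n' "$conf" | grep -Eq 'version[[:space:]]+"'; then
        echo "version not overridden: real BIND version answers version.bind"; n=$((n + 1))
    fi
    if printf '%s\n' "$conf" | grep -Eq 'allow-transfer[[:space:]]*[{][[:space:]]*any[[:space:]]*;'; then
        echo "allow-transfer { any; }: zone transfers open to the world"; n=$((n + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -q 'allow-transfer'; then
        echo "no allow-transfer statement: older BIND defaults allow transfers to anyone"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# audit_zone_file <file>: flag HINFO, RP and free-text TXT records;
# SPF/DKIM/DMARC TXT records are needed and are not reported. Exit 1 on findings.
audit_zone_file() {
    awk '
        /^[[:space:]]*;/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "HINFO") { print "line " NR ": HINFO discloses CPU/OS: " $0; n++; break }
                if ($i == "RP")    { print "line " NR ": RP names a real person: " $0; n++; break }
                if ($i == "TXT" && $0 !~ /v=(spf1|DKIM1|DMARC1)/) {
                    print "line " NR ": free-text TXT record: " $0; n++; break
                }
            }
        }
        END { exit (n > 0) }
    ' "$1"
}

# Write the samples to a scratch directory and run both checks over them.
run_audit() {
    local d; d=$(mktemp -d)
    weak_named_conf >"$d/weak.conf"; hardened_named_conf >"$d/hardened.conf"
    leaky_zone_file >"$d/example.com.zone"
    echo "== weak.conf";      audit_named_conf "$d/weak.conf" || true
    echo "== hardened.conf"; audit_named_conf "$d/hardened.conf" || true
    echo "== zone file";     audit_zone_file "$d/example.com.zone" || true
    rm -rf "$d"
}

run_audit
```

Run the two audit functions against your own files after every zone edit; the non-zero exit makes them usable as a pre-commit or CI gate for DNS changes.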

  22. protocols and services • network layer • IP: internet protocol • ICMP: internet control message protocol (carried inside IP, but a network-layer helper rather than a transport) • transport layer • UDP: user datagram protocol • TCP: transmission control protocol • services

  23. IP: internet protocol • foundational layer for higher level protocols • packet header contains • source IP address • destination IP address

  24. ICMP: internet control message protocol • purpose of ICMP is to provide feedback about IP delivery (errors and diagnostics) • packet header contains • source IP address, destination IP address • packet type, code, checksum, data • most well-known packet types • 8 echo request • 0 echo reply • 3 destination unreachable • 11 time exceeded (what traceroute relies on) • 30 traceroute (experimental, deprecated)

  25. UDP: user datagram protocol • purpose of UDP is minimal transport service with no guarantee of delivery • connection-less • packet header contains • source IP address, destination IP address • source port number, destination port number • length, checksum, data • faster communication • but packet loss possible

  26. TCP: transmission control protocol • purpose of TCP is a transport service with guaranteed, in-order delivery • connection-oriented • packet header contains • source IP address, destination IP address (in the enclosing IP header) • source port number, destination port number • sequence #, control bits, checksum, data • slower communication • but lost segments are retransmitted, so the application sees no packet loss

  27. TCP: transmission control protocol • control bits include: • SYN, ACK, RST, FIN, ... • building a connection: • source sends SYN • destination sends SYN/ACK • source sends ACK • terminating a connection: • source sends FIN/ACK • destination sends ACK • destination sends FIN/ACK • source sends ACK

  28. services • port numbers fall into three categories: • 0 through 1023 well-known • 1024 through 49151 registered • 49152 through 65535 dynamic / private • www.iana.org has responsibility for assigning well-known and registered port numbers • on Linux only root (or a process holding CAP_NET_BIND_SERVICE) can bind to ports below 1024

  29. services • linux example: • less /etc/services

  30. mapping a network • ping sweeps • cracker sees what is out there? • traceroutes • cracker learns how to get there? • countermeasures

  31. ping sweeps • types of ping sweeps • icmp ping traditional echo request • echo port ping request to port 7 (echo) • fast ping icmp ping to multiple hosts • network sweep

  32. ping sweeps • countermeasures: • edit iptables and firewalls • no incoming / outgoing ICMP echo requests across the perimeter • limit ICMP echo to the internal network only • drop it at the firewall • be sure the echo and chargen services are disabled • edit /etc/inetd.conf or /etc/xinetd.conf (and the per-service files in /etc/xinetd.d/) • consider disabling inetd or xinetd completely!

  33. fundamental network tools • netcat / nc • swiss army knife of network communication • invaluable to both • the system administrator • the cracker • nmap • basic tool for • ping sweeps • port scans

  34. ntop • ntop is a network traffic probe that shows network usage • similar to the UNIX top command • ntop is a daemon that monitors the network • ntop has a web interface

  35. traceroutes • once potential targets have been identified via ping sweeps, the cracker can augment information about the hosts using traceroute • often provides information regarding • location • ISP names and locations often visible • hardware • descriptive names for routers, switches, and hosts

  36. traceroutes • flavors • UNIX traceroute • command • traceroute <target> • sequence of UDP packets having increasing TTLs • Matt's traceroute • command • mtr <target> • sequence of ICMP packets having increasing TTLs

  37. traceroutes • countermeasures: • edit iptables and firewalls • drop ICMP echo request packets • drop UDP packets in the traceroute range • 33434 through 33534 • do NOT use descriptive names for components within the network • function / role • vendor

  38. mapping a host • port scans • cracker sees what ports are open • OS fingerprinting • cracker determines underlying software • countermeasures

  39. port scans • what ports are open on the target host? • what daemon is listening on each open port? • what software? what version?

  40. port scans • tools • netcat • UDP scans • TCP scans • nmap • UDP scans • TCP scans • TCP stealth scans • strobe

  41. port scans • countermeasures: • klaxon • incorporated into /etc/inetd.conf or /etc/xinetd.conf • to listen on unused ports • scanlogd • monitors ports for sudden increase in activity • portsentry • monitors up to 64 ports • able to take action against an intruder! • tcp wrappers and/or iptables • psad • analysis of firewall logs
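To show what scanlogd/psad-style detection actually keys on, here is an added example (written for this page; not from the slides and not part of any of the tools listed): an awk pass over netfilter LOG lines that counts, per source address, how many distinct destination ports received a bare SYN, which is how an nmap SYN (half-open) scan shows up in a firewall log. The log lines are constructed samples; the IPT-DROP log prefix, the eth0 interface, the RFC 5737 addresses and the threshold of 5 ports are assumptions.

```shell
#!/bin/bash
# Added example: count distinct destination ports per source in netfilter LOG output.
# Constructed sample log: one host probing 8 ports with a fixed source port and a
# 1024-byte window (typical of nmap -sS), one legitimate client, one UDP packet.
sample_log() {
    cat <<'EOF'
Jan 12 10:01:01 gw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:01 gw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:01 gw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:01 gw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:02 gw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:02 gw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:02 gw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=143 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:02 gw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:03 gw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:05 gw kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:01:06 gw kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:01:07 gw kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=51002 DPT=53 LEN=40
EOF
}

# detect_scans [threshold]: read log lines on stdin and print "SRC N" for every
# source that sent SYN-only segments to at least N distinct ports (default 10).
# Repeated probes of the same port are counted once (the retry on port 22 above).
detect_scans() {
    awk -v t="${1:-10}" '
        /PROTO=TCP/ && / SYN / && !/ ACK / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            key = src SUBSEP dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= t) print s, ports[s] }
    ' | sort
}

# The kind of "take action" portsentry performs; here only printed, never executed.
block_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Usage: flag any source that touched 5 or more ports and show the rule to block it.
sample_log | detect_scans 5 | while read -r src n; do
    echo "$src probed $n distinct ports"
    block_rule "$src"
done
```

In production feed it `journalctl -k` or the firewall log file instead of sample_log, and add a time window: the per-source count should be reset or aged, otherwise a legitimate client that slowly visits many services over a week will eventually cross the threshold.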

  42. port scans • identifying the software listening on a given port is usually as simple as • telnet <target> <port> • software typically displays a banner announcing itself and its version number! • countermeasures: • remove / modify the banner display • example: • in /etc/sendmail.cf • O SmtpGreetingMessage=$j UPS 2005; $b

  43. OS fingerprinting • OS fingerprinting • the telnet login banner is notorious for identifying • the operating system, the distribution, even the kernel • open ports often provide clues • smtp, ssh, and portmap => UNIX • netbios => Windows • /etc/issue, /etc/issue.net, and /etc/motd • often convey too much information

  44. OS fingerprinting • active OS fingerprinting • send sequence of special IP packets to target • catalog responses • compare with database of responses from various operating systems • software • queso • nmap • xprobe

  45. OS fingerprinting • countermeasures: • utilize a firewall in front of servers • operating system detected is that of firewall and not that of the server • disable ICMP packets at the firewall • negates xprobe • install IP Personality • only for Linux 2.4 kernels? • using iptables, can impersonate ANY operating system

  46. OS fingerprinting • passive OS fingerprinting • does not initiate any additional IP traffic • uses packet sniffing to gather information • software • siphon • p0f

  47. OS fingerprinting • countermeasures • can change some parameters of the operating system • cat /proc/sys/net/ipv4/ip_default_ttl • default value is 64 • echo 35 > /proc/sys/net/ipv4/ip_default_ttl • change to 35 (persist it with net.ipv4.ip_default_ttl = 35 in /etc/sysctl.conf; TTL alone is a weak signal, p0f also uses window size and TCP options) • edit error messages to masquerade as something else • apache httpd.conf (ServerTokens Prod, ServerSignature Off)
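The TTL trick above works because passive fingerprinters round an observed TTL up to the nearest common initial value (32, 64, 128, 255) to guess the OS family and the hop distance. The following added example (written for this page; not the slides' code and not p0f's) implements that heuristic over constructed tcpdump -v output and shows a Linux host that set ip_default_ttl=35 being misclassified. The addresses (RFC 5737), the 12-hop and 9-hop paths and the OS labels per initial TTL are assumptions.

```shell
#!/bin/bash
# Added example: the TTL heuristic used by passive OS fingerprinting, and the
# effect of lowering ip_default_ttl on it. Capture lines below are constructed.

# classify_ttl <observed ttl>: round up to the nearest common initial TTL and
# report the implied OS family and hop distance. The labels are the usual
# assumptions (64 = Linux/Unix, 128 = Windows, 255 = routers/Solaris, 32 = old Windows).
classify_ttl() {
    local ttl=$1 init label
    if   [ "$ttl" -le 32 ];  then init=32;  label="legacy Windows"
    elif [ "$ttl" -le 64 ];  then init=64;  label="Linux/Unix"
    elif [ "$ttl" -le 128 ]; then init=128; label="Windows"
    else                          init=255; label="network gear/Solaris"
    fi
    printf '%s(%d) hops=%d\n' "$label" "$init" $((init - ttl))
}

# Constructed tcpdump -v output: a Linux client 12 hops away (ttl 52), a Windows
# client 12 hops away (ttl 116), and a Linux host 12 hops away that runs with
# ip_default_ttl=35 (ttl 23). Only the SYN of each connection is shown.
sample_capture() {
    cat <<'EOF'
10:01:01.000001 IP (tos 0x0, ttl 52, id 10, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.40001 > 192.0.2.10.22: Flags [S], seq 1, win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
10:01:02.000001 IP (tos 0x0, ttl 116, id 11, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.4.51000 > 192.0.2.10.445: Flags [S], seq 1, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:01:03.000001 IP (tos 0x0, ttl 23, id 12, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.77.40002 > 192.0.2.10.22: Flags [S], seq 1, win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
EOF
}

# fingerprint_capture: read tcpdump -v lines on stdin; for every SYN print
# "<source ip> <guess>". The IP summary line carries the TTL, the next line the
# addresses and flags, so the awk pass pairs them up.
fingerprint_capture() {
    awk '
        /^[0-9:.]+ IP \(/ {
            match($0, /ttl [0-9]+/)
            ttl = substr($0, RSTART + 4, RLENGTH - 4)
            next
        }
        ttl != "" && /Flags \[S\]/ {
            src = $1
            sub(/\.[0-9]+$/, "", src)        # strip the source port
            print src, ttl
            ttl = ""
        }
    ' | while read -r src ttl; do
        printf '%s %s\n' "$src" "$(classify_ttl "$ttl")"
    done
}

# Usage: the third host is guessed as an old Windows box 9 hops away, which is
# what the ip_default_ttl=35 change buys against a TTL-only heuristic.
sample_capture | fingerprint_capture
```

Note that the third packet still carries win 29200 with TS and wscale 7, the Linux signature p0f actually matches on, so the TTL change only defeats the crudest classifier; treat it as one layer, not a disguise.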

  48. network scanners • combine ping sweeps, traceroutes, port scans, and OS fingerprinting together and you have a • network scanner • ISS: Internet Security Scanner • first publicly available • NESSUS • the Cadillac of network scanners!

  49. network scanners • other network scanners • Nmap • SATAN: Security Administrator's Tool for Analyzing Networks • SANTA! • SAINT: Security Administrator's Integrated Network Tool • SARA: Security Auditor's Research Assistant • NSAT: Network Security Analysts Tool • text based! • raccess: Remote Access Session • doesn't just check a host; it exploits if possible!

  50. social engineering • ten common techniques of social engineering • impersonation • pretend to be someone from inside the company to obtain passwords • usually coupled with research regarding IT personnel • sympathy • usually a request for access to hardware: server room or PC • usually coupled with dire consequences if unable to complete the task
