© 1996 Phil Waclawski
Introduction to Security for Linux
Overview
Security

The following commands/programs will be used/discussed this week:

passwd
pwck and grpck
chage
rpm -Va
ifconfig (promiscuous?)
tcpd
Tripwire ®
PortSentry
SATAN and SAINT
Nessus
nmap and nmapfe
Secure Shell (ssh and sshd)
Snort
ssh and sftp
md5sum and gpg keys
xinetd (/etc/hosts.deny and /etc/hosts.allow)

Questions
What is ifconfig used for in this case?
What is a good password? A bad password?
What is meant by "social engineering"?
What do the following do?
pwck and grpck
chage
rpm -Va

What services (servers) are vulnerable to attack?
What services should not be installed unless there is a REAL need for them?
What should you do with unwanted services in inetd.conf (or xinetd.d)?
Why is ssh better than telnet?
Why is ftp considered a security risk? How is sftp different? What is tcpd?
What are tcp wrappers, why are they useful?
What is the purpose of the files hosts.allow and hosts.deny in /etc ?
What is the purpose of software like SATAN, SAINT and COPS? Why do you probably NOT want to run them on anyone's network but the one you own?
What is meant by a scanner attack? Can you detect scanner attacks?
What is Nessus used for?
Where would you check to see who is/has been trying to access various services on your machine?
What is a Denial of Service attack (DOS)? What about a Distributed Denial of Service attack (DDOS)?
What good does it do to set the /tmp partition noexec?

Activities & Assignments

Assignment 1

  1. Go to Snort
  2. Go to "Get Snort" in left hand menu
  3. Under "Addons and Downloads" click on "binaries" then "linux" in the central menu that comes up
  4. Download snort-2.8.0-1.RH5.i386.rpm (at the top) (May have to right click, save link as)
  5. Use the rpm utility as root to install snort first. (rpm -Uvh snortfilename.rpm or do it during download)
  6. Then go to "downloads" and "rules" and download the rules (unregistered user release and the community rules sections), which should be at the top of their respective sections
  7. mv snortrules-whatever.tar.gz to /etc/snort
  8. tar -xzvf snortrules-whatever.tar.gz inside /etc/snort
  9. then service snortd restart (do twice, the second time should get two OK's)
  10. If not, make sure the rules that are included at the bottom of snort.conf match the rulesets in /etc/snort/rules
  11. Most likely it has been added to runlevel 3 for you (check /etc/rc.d/rc3.d and see if snortd is there).
  12. Otherwise you will have to add snortd to run level 3 startup
    Most likely via chkconfig --level 3 snortd on
    As it will not show up in the "server settings" "services" GUI until at least one directory in rc#.d has a symbolic link to it.
  13. Read on the snort page some of the many options you can add (of which there are many, including more pro-active responses).
  14. FINALLY, check out the file "alert" in /var/log/snort to see what's going on ;)
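A small consistency check for step 10, added here as an example and not part of the course page or of Snort itself: it lists the rulesets that snort.conf includes (assuming the usual "include $RULE_PATH/name.rules" form) and reports any that are not present in the rules directory, which is the mismatch that stops snortd from coming back OK. The sample snort.conf it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the course page: after unpacking the rules
# into /etc/snort (steps 7-8), list every ruleset that snort.conf
# "include"s and report the ones missing from the rules directory,
# i.e. the mismatch step 10 tells you to look for when
# "service snortd restart" does not come back OK.
# Paths are arguments so the check can run against any copy of the files.

# Print the file names referenced by "include $RULE_PATH/<name>.rules"
# lines (commented-out includes are ignored).
snort_included_rules() {
    sed -n 's|^[[:space:]]*include[[:space:]][[:space:]]*[^[:space:]]*/\([^[:space:]]*\.rules\).*|\1|p' "$1"
}

# Print a MISSING line for every include with no matching file in $2 and
# return the number of missing rulesets (0 means config and rules agree).
check_snort_includes() {
    conf="$1"; rules_dir="$2"; missing=0
    for f in $(snort_included_rules "$conf"); do
        if [ ! -f "$rules_dir/$f" ]; then
            echo "MISSING: $f (included by $conf, not found in $rules_dir)"
            missing=$((missing + 1))
        fi
    done
    echo "$missing ruleset(s) missing"
    return "$missing"
}

# Constructed sample (not a real snort.conf): one include resolves, one does not.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/rules"
touch "$demo_dir/rules/local.rules"
cat > "$demo_dir/snort.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/retired.rules
EOF
check_snort_includes "$demo_dir/snort.conf" "$demo_dir/rules" \
    || echo "snort.conf and the rules directory disagree (exit status $?)"
rm -rf "$demo_dir"
```

Run it against the real files with `check_snort_includes /etc/snort/snort.conf /etc/snort/rules` after sourcing the script; a non-zero exit status means at least one included ruleset is absent.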

Assignment 2

  1. Make sure to run yum install libpcap-devel so you have the libraries
  2. Go to the "portsentry" page below
  3. Download the portsentry "package"
  4. use tar to untar and unzip the package
  5. cd into portsentry-2.0b1 and use pico or vi to open portsentry.conf
  6. Change the interface address to your ip (use ifconfig to find)
  7. search for "iptables"
  8. Uncomment the line that mentions iptables and Kill route (remove the # sign), change /usr/local/bin/iptables to /sbin/iptables, and put the # sign back on the ipchains line above it
  9. Close portsentry.conf
  10. Then, as root, run the next two commands inside that directory
  11. Type "make linux"
  12. Then "make install"
  13. Go to /etc/rc.d/ and edit rc.local and add...
    /usr/local/psionic/portsentry2/portsentry
    echo "35000 61000" > /proc/sys/net/ipv4/ip_local_port_range
  14. Now at the command line as root type
    /usr/local/psionic/portsentry2/portsentry
  15. Then check out the logs in /var/log (especially read "messages")
  16. Note, several of the windows servers are nosey buggers, so we need to edit portsentry.ignore to keep from locking ourselves out of the internet.
    Go to /usr/local/psionic/portsentry2/ and add the following lines to portsentry.ignore:
    140.198.0.0/16
    192.168.0.0/16

Assignment 3

  • Download the tarball for chkrootkit
  • as root, untar/unzip the file
  • Go into the new chkrootkit directory
  • If you read the README file, it tells you to compile it with the command
    make sense
  • So, do so, then do ./chkrootkit and look at the results

Assignment 4

  • As root open /etc/fstab
  • For the /tmp partition change "defaults" to "noexec"
  • When you reboot, what will this do to /tmp?
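An fstab audit for Assignment 4 (and the noexec question above), added here as an example that is not part of the course page: it reads the options field of a given mount point and reports whether /tmp carries noexec. It goes a little beyond the assignment in that it checks any mount point and any option, and also reports nosuid and nodev, which are commonly set together with noexec. The sample fstab is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the course page: audit an fstab for the noexec
# option Assignment 4 puts on /tmp. Generalised beyond the assignment:
# it looks up any mount point and any option, and also reports nosuid
# and nodev, which are usually set together with noexec.
# fstab columns: device  mountpoint  type  options  dump  pass

# Print the options field for mount point $2 in fstab $1 (empty if absent).
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# Return 0 if mount point $2 in fstab $1 carries option $3 (e.g. noexec).
fstab_has_opt() {
    opts=$(fstab_opts "$1" "$2")
    case ",$opts," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Report the hardening state of /tmp; returns the number of missing
# options, or 3 when /tmp is not its own mount (nothing to apply noexec to).
check_tmp() {
    missing=0
    if [ -z "$(fstab_opts "$1" /tmp)" ]; then
        echo "/tmp is not a separate mount in $1, so noexec cannot be applied to it"
        return 3
    fi
    for opt in noexec nosuid nodev; do
        if fstab_has_opt "$1" /tmp "$opt"; then
            echo "/tmp: $opt set"
        else
            echo "/tmp: $opt MISSING"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample fstab (not a real system's file): /tmp has noexec but not nodev.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# device    mountpoint  type  options        dump  pass
/dev/hda1   /           ext3  defaults       1     1
/dev/hda2   /tmp        ext3  noexec,nosuid  1     2
/dev/hda3   swap        swap  defaults       0     0
EOF
check_tmp "$sample" || echo "$? option(s) missing on /tmp"
rm -f "$sample"
```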
Resources
Check out the various web page resources on the Linux System Administration home page.