Linux internet server security and configuration tutorial


DOCUMENT INFORMATION

Number of pages: 16

Size: 213.78 KB

Contents


Basic Security Steps / Overview:

Perform the following steps to secure your web site:

See Distribution erratas and security fixes [Red Hat Linux Errata]. Update your system where appropriate.

It is best for security reasons that you reduce the number of network services exposed. The more services exposed, the greater your vulnerability. Reduce the number of network services accessible through the xinetd or inetd daemon by:

inetd (Red Hat 7.0 and earlier): Comment out un-needed services in the /etc/inetd.conf file.

Sample: (FTP is the only service I run)

    ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a

Restart the daemon to apply changes: /etc/rc.d/init.d/inetd restart

xinetd (Red Hat 7.1): All network services are turned off by default during an upgrade. Sample file: /etc/xinetd.d/wu-ftpd:

    service ftp
    {
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
    }

("disable = yes": the FTP default is off. Note that this line controls whether the xinetd service is enabled or not.)

Turning on/off an xinetd service:

Edit the file: /etc/xinetd.d/service-name

Changing the line to "disable = yes" turns off an xinetd service.

Changing the line to "disable = no" turns on an xinetd service.

Xinetd configuration must be performed for each and every file in the directory /etc/xinetd.d/ in order to configure each and every network service.

Restart the daemon to apply changes: /etc/rc.d/init.d/xinetd restart

You may also use the command:

    chkconfig wu-ftpd on

OR

    chkconfig wu-ftpd off

This will edit the appropriate file (/etc/xinetd.d/wu-ftpd) and restart the xinetd process.

Tip:

List init settings including all xinetd controlled services: chkconfig --list

List status of services (Red Hat/Fedora Core based systems): service --status-all

Reduce the number of non-inetd network services. These will be started by scripts in the /etc/rc.d/rc*.d/ directories. There may be no need to run sendmail (mail server), portmap (RPC listener required by NFS), lpd (line printer server daemon; hackers probe my system for this service all the time), innd (news server), linuxconf, etc. For example, sendmail can be removed from the boot process using the command chkconfig --del sendmail or by using the configuration tool ntsysv. The service can be terminated using the command /etc/rc.d/init.d/sendmail stop. At the very least one should run the command chkconfig --list to see what processes are configured to be operable after boot-up. See the YoLinux init process tutorial.

Apache: Turn off modules you are not going to use. With past ssl exploits, those using this philosophy did not get burned.

Apache 1.3.x config file: /etc/httpd/conf/httpd.conf

Comment out the use of the ssl module by placing a "#" in the first column:

    #<IfDefine HAVE_SSL>
    #LoadModule ssl_module modules/libssl.so
    #</IfDefine>

    #<IfDefine HAVE_SSL>
    #AddModule mod_ssl.c
    #</IfDefine>

    <IfDefine HAVE_SSL>
    Listen 80
    #Listen 443
    </IfDefine>

    #<IfModule mod_ssl.c>
    #
    #
    #<VirtualHost _default_:443>
    #
    #

One can also block the https port 443 using firewall rules:

    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 443 -j DROP
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 443 -j DROP

Verify your configuration. List the open ports and the processes which hold them: netstat -punta (also try netstat -nlp)

List RPC services: [root]# rpcinfo -p localhost

Ideally you would NOT be running portmapper, so no RPC services would be available. Turn off portmapper: service portmap stop (or: /etc/init.d/portmap stop) and remove it from the system boot sequence: chkconfig --del portmap (Portmap is required by NFS.)

Anonymous FTP (using wu_ftpd, last shipped with RH 8.0; RH 9 and FC use vsftpd): By default Red Hat comes configured for anonymous FTP. This allows users to ftp to your server and log in with the login anonymous and use an email address as the password. If you wish to turn off this feature edit the file /etc/ftpaccess and change:

    class all real,guest,anonymous *

to

    class all real,guest *

For more on FTP configuration see: YoLinux Web server FTP configuration tutorial

Use the find command to locate vulnerabilities: find suid and sgid files as well as world writable files and directories.
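The same three checks the find step performs, as an added example (not from the tutorial): a Python walk that reports setuid and setgid files and world-writable files and directories, skipping sticky directories such as /tmp; the sample tree it builds is constructed for demonstration.

```python
"""Filesystem audit for the find step above: report setuid/setgid files and
world-writable files and directories under a tree.

Added example, not part of the original tutorial. It does in Python what
find -perm -4000, find -perm -2000 and find -perm -2 do; the sample tree
built by make_sample_tree() is constructed for demonstration only."""
import os
import stat
import tempfile


def audit_tree(root):
    """Walk root and return findings as sorted lists of paths relative to root.

    suid / sgid:     regular files with the setuid / setgid bit set
    world_writable:  files and directories writable by 'other'; a directory
                     with the sticky bit (like /tmp) is expected and skipped
    """
    findings = {"suid": [], "sgid": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode   # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue                        # a symlink's own bits are irrelevant
            rel = os.path.relpath(path, root)
            if stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    findings["suid"].append(rel)
                if mode & stat.S_ISGID:
                    findings["sgid"].append(rel)
            if mode & stat.S_IWOTH:
                if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                    continue                    # sticky world-writable dir is fine
                findings["world_writable"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


def make_sample_tree():
    """Create a constructed sample tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="audit-")
    dirs = {"bin": 0o755, "tmp": 0o1777, "var": 0o755, "var/spool": 0o777}
    files = {
        "bin/ls": 0o755,            # ordinary binary: nothing to report
        "bin/su": 0o4755,           # setuid binary: reported under suid
        "bin/wall": 0o2755,         # setgid binary: reported under sgid
        "var/spool/queue": 0o666,   # world-writable file: reported
    }
    for rel in dirs:
        os.makedirs(os.path.join(root, rel))
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in dirs.items():               # chmod after the files exist so
        os.chmod(os.path.join(root, rel), mode)  # the bits are exactly as listed
    return root


if __name__ == "__main__":
    for kind, paths in audit_tree(make_sample_tree()).items():
        print(kind)
        for p in paths:
            print("    " + p)
```

Run it against / on a real host to get the same list find would produce, minus the noise of sticky temp directories.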

Use the commands chattr and lsattr to make a file unmodifiable over and above the usual permissions.

Make a file unmodifiable: chattr +i /bin/ls

Make directories unmodifiable: chattr -R +i /bin /sbin /boot /lib

Make a file append only: chattr +a /var/log/messages

Use "tripwire" [sourceforge: tripwire] for security monitoring of your system for signs of unauthorized file changes. Tripwire is offered as part of the base Red Hat 7.1 installation. For earlier releases it is available as an RPM on the Red Hat Power Tools CD. Tripwire configuration is covered below.

Watch your log files, especially /var/log/messages and /var/log/secure.

Avoid generic account names such as guest.

Use PAM network wrapper configurations to disallow passwords which can be found easily by crack or other hacking programs. PAM authentication can also disallow root network login access. (Default Red Hat configuration: you must log in as a regular user and su - to obtain root access. This is NOT the default for ssh and must be changed as noted below.)

See YoLinux Network Admin Tutorial on using PAM

Remote access should NOT be done with clear text telnet but with an encrypted connection using ssh (later in this tutorial).

Proc file settings for defense against attacks. This includes protective measures against IP spoofing, SYN flood or syncookie attacks.

Use Linux firewall rules to protect against attacks (ipchains or iptables). Access denial rules can also be implemented on the fly by portsentry.

(Place at the end of /etc/rc.d/rc.local to be executed upon system boot, or in some other appropriate script.)

iptables script:

    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP         # Block NFS
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP         # Block NFS
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP    # Block X-Windows
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP         # Block X-Windows font server
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP          # Block printer port
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP          # Block printer port
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP          # Block Sun rpc/NFS
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP          # Block Sun rpc/NFS
    # Deny outside packets from the internet which claim to be from your loopback interface
    iptables -A INPUT -p all -s localhost -i eth0 -j DROP
    # Allow loopback access. This rule must come before the rules denying port access!!
    # These rules are essential if you want your own computer to be able to
    # access itself through the loopback interface.
    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT

ipchains script:

    ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT         # Block NFS
    ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT            # Block NFS
    ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT    # Block X-Windows
    ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT         # Block X-Windows font server
    ipchains -A input -p tcp -s 0/0 -d 0/0 515 -y -j REJECT          # Block printer port
    ipchains -A input -p udp -s 0/0 -d 0/0 515 -j REJECT             # Block printer port
    ipchains -A input -p tcp -s 0/0 -d 0/0 111 -y -j REJECT          # Block Sun rpc/NFS
    ipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECT             # Block Sun rpc/NFS
    # Deny and log (option -l) outside packets from the internet which claim
    # to be from your loopback interface
    ipchains -A input -j REJECT -p all -s localhost -i eth0 -l

Note:

iptables uses the chain rule "INPUT" and ipchains uses the lower case descriptor "input".

View rules with the iptables -L or ipchains -L command.

iptables man page

ipchains man page

When running an internet web server it is best, from a security point of view, that one NOT run printing, X-Window, NFS or any services which may be exploited if a vulnerability is discovered or if misconfigured, regardless of firewall rules.

Also see:

YoLinux Internet Gateway Tutorial

Red Hat 7.1 firewall GUI configuration tool: /usr/sbin/gnome-lokkit

Use portsentry to monitor network hacker attacks (later in this tutorial).

A minimal and monolithic kernel might also provide a small bit of protection (avoid trojan modules), as might running on less common hardware (MIPS, Alpha, etc., so buffer overflow instructions will not run).

National Security Agency (NSA): Security-Enhanced Linux - altered for increased security

DDoS (Distributed Denial of Service) attacks: The only thing you can do is have gobs of bandwidth and processing power/firewall. Lots of processing power or a firewall are useless without gobs of bandwidth as the network can get sooo overloaded from a distributed attack.

Also see:

Turn off ICMP

Monitor the attack with tcpdump

Unfortunately the packets are usually spoofed, and in my case the FBI didn't care. If the server is a remote server, have a dial-up modem or a second IP address and route for access because the attacked route is blocked by the flood of network attacks. You can also request that your ISP drop ICMP traffic to the IP addresses of your servers (and UDP if all you are running is a web server; name servers use UDP). For very interesting reading see "The Strange Tale" of the GRC.com DDoS attack (a very interesting read about the anatomy of the hacker bot networks).

User access can be restricted with the configuration files:

    /etc/security/limits.conf
    /etc/security/group.conf
    /etc/security/time.conf

See YoLinux SysAdmin tutorial - restrict users

Remove un-needed users from the system. See /etc/passwd. By default Red Hat installations have many user accounts created to support various processes. If you do not intend to run these processes, remove the users, i.e. remove the user ids games, uucp, rpc, rpcd,

SSH: (Secure Shell)

The SSH protocol suite of network connectivity tools is used to encrypt connections across the internet. SSH encrypts all traffic including logins and passwords to effectively eliminate network sniffing, connection hijacking, and other network-level attacks. In a regular telnet session the password is transmitted across the Internet unencrypted.

SSH is a commercial product but available freely for non-commercial use from SSH Communications Security at http://www.ssh.com/. Two versions are available, SSH1 and SSH2. The newer SSH2 supports FTP and has more options than SSH1. SSH2 can be purchased and/or downloaded from their web site. Note that SSH1 does have major vulnerability issues. The "woot-project" web site cracking and defacing gang uses this vulnerability. DO NOT USE THE SSH1 PROTOCOL!!!!! Summary of SSH1 issues and what to avoid ("woot-project" exploit/attack description/recovery)

OpenSSH was developed by the OpenBSD Project and is freely available. OpenSSH is compatible with SSH1 and SSH2. OpenSSH relies on the OpenSSL project for the encrypted communications layer. Current releases of Linux come with OpenSSH/OpenSSL (comes with Red Hat Linux 7.x+).

Links:

OpenSSH.org - Shell. Supports SSH1 and SSH2 protocols

OpenSSL.org - Encrypted network layer

FreeSSH.org - SSH for other platforms

SSH:

SSH.com - Secure shell

DataFellows.com - F-Secure

FreeSSH.org - SSH for other platforms

Secure Shell IETF working group - (Internet Engineering Task Force)

SSH tunneling / port forwarding - (for POP and SMTP etc.)

OpenSSH:

Download:

Download OpenSSH RPMs (sourceforge) - statically linked with OpenSSL 0.9.5 - Pick this one for an easy complete RPM install

Download OpenSSH source (tgz)

Red Hat Linux 6.x OpenSSL RPM downloads (redhat.com) (SSL only)

Note: SSH and SSL are included with Red Hat Linux 7.0+

Installation:

Common to Client and Server:

    rpm -ivh openssh-2.9p2-8.7.i386.rpm

Client:

    rpm -ivh openssh-askpass-2.9p2-8.7.i386.rpm
    rpm -ivh openssh-clients-2.9p2-8.7.i386.rpm
    rpm -ivh openssh-askpass-gnome-2.9p2-8.7.i386.rpm    # Gnome desktop users

Server:

    rpm -ivh openssh-server-2.9p2-8.7.i386.rpm

If upgrading from SSH1 you may have to use the RPM option --force.

The rpm will install the appropriate binaries and configuration files, and openssh-server will install the init script /etc/rc.d/init.d/sshd so that sshd will start upon system boot.

Configuration:

Client configuration file /etc/ssh/ssh_config: (Default)

    # $OpenBSD: ssh_config,v 1.9 2001/03/10 12:53:51 deraadt Exp $

    # This is the ssh client systemwide configuration file.  See ssh(1) for more
    # information.  This file provides defaults for users, and the values can
    # be changed in per-user configuration files or on the command line.

    # Configuration data is parsed as follows:
    #  1. command line options
    #  2. user-specific file
    #  3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for various options

    # Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   RhostsAuthentication no
    #   RhostsRSAAuthentication yes
    #   RSAAuthentication yes
    #   PasswordAuthentication yes
    #   FallBackToRsh no
    #   UseRsh no
    #   BatchMode no
    #   CheckHostIP yes
    #   StrictHostKeyChecking yes
    #   IdentityFile ~/.ssh/identity
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   Port 22
    #   Protocol 2,1
    #   Cipher 3des
    #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    #   EscapeChar ~

    Host *
        ForwardX11 yes

Change the line:

    # Protocol 2,1

to:

    Protocol 2

This will eliminate use of the SSH1 protocol.

Uncomment the options required or accept the hard-coded defaults. The hard-coded defaults for the OpenSSH client are compatible with SSH1 client files and the sshd server. An upgrade to the OpenSSH client will not require any changes to the files in $HOME/.ssh/.

Server configuration file /etc/ssh/sshd_config:

Default:

    # $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # This is the sshd server system-wide configuration file.  See sshd(8)
    # for more information.

    Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    HostKey /etc/ssh/ssh_host_key
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    ServerKeyBits 768
    LoginGraceTime 600
    KeyRegenerationInterval 3600
    PermitRootLogin yes
    #
    # Don't read ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    StrictModes yes
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd yes
    #PrintLastLog no
    KeepAlive yes

    # Logging
    SyslogFacility AUTHPRIV
    LogLevel INFO
    #obsoletes QuietMode and FascistLogging

    RhostsAuthentication no
    #
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    #
    RSAAuthentication yes

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication yes
    PermitEmptyPasswords no

    # Uncomment to disable s/key passwords
    #ChallengeResponseAuthentication no

    # Uncomment to enable PAM keyboard-interactive authentication
    # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
    #PAMAuthenticationViaKbdInt yes

    # To change Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #AFSTokenPassing no
    #KerberosTicketCleanup no

    # Kerberos TGT Passing does only work with the AFS kaserver
    #KerberosTgtPassing yes

    #CheckMail yes
    #UseLogin no

    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    #ReverseMappingCheck yes

    Subsystem sftp /usr/libexec/openssh/sftp-server

Make the following changes to the default file:

    #Protocol 2,1          change to:  Protocol 2
    LoginGraceTime 600     change to:  LoginGraceTime 120
    PermitRootLogin yes    change to:  PermitRootLogin no

Note:

Ssh protocol version 1 is not as secure; it should not take 10 minutes to type your password; and if someone logs in as root without logging in as a particular user first, then traceability is lost if there are multiple admins. Thus the changes were made as suggested above.

Setting "PermitRootLogin no" mandates that remote logins use an undetermined user login. This removes root, a known login on all Linux systems, from the list of dictionary attacks available.

It is a good idea to change the "Banner" so that a login greeting and legal disclaimer is presented to the user, i.e. change the file /etc/issue.net contents to:

    Access is granted to this server only to authorized personnel of Mega Corp.

By default, the /etc/issue.net message presents to the hacker the OS name, kernel release and information which can be used to determine potential vulnerabilities.

Generate keys:

Client:

Use the command: /usr/bin/ssh-keygen -t rsa

    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user-id/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user-id/.ssh/id_rsa.
    Your public key has been saved in /home/user-id/.ssh/id_rsa.pub.
    The key fingerprint is:
    XXXblablablaXXXaf:90:8f:dc:65:0d:XXXXXXXXXXXXXX user-id@node-name

Files generated:

    $HOME/.ssh/id_rsa      - binary
    $HOME/.ssh/id_rsa.pub  - ssh-rsa 223564257432 email address - Multiple keys/lines allowed

Server:

FTP the file $HOME/.ssh/id_rsa.pub to the server.

    cd $HOME/.ssh/
    cat id_rsa.pub >> authorized_keys

Using ssh: On the client use the following command and log in as you normally would with a telnet session:

    ssh name-of-server

The first time you use ssh it will issue the following message:

    The authenticity of host 'node.your-domain.com (XXX.XXX.XXX.XXX)' can't be established.
    RSA key fingerprint is XXXXblablablaXXX1:81:29:00:3a:c5:fb:XXXXXXXXXXX.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'node.your-domain.com,XXX.XXX.XXX.XXX' (RSA) to the list of known hosts.
    user@node.your-domain.com's password:

Answer yes. It won't ask again.

To use a different user name for the login, state it on the command line: ssh -l username name-of-server

Note: You can now also use the command sftp for secure ftp file transfers using ssh.

OpenSSH Man Pages:

ssh - OpenSSH SSH client (remote login program)

sshd - OpenSSH ssh daemon

ssh-keygen - Used to create RSA keys (host keys and user authentication keys)

ssh-add - adds RSA or DSA identities for the authentication agent. Used to register new keys with the agent.

scp - secure copy (remote file copy program)

ssh-agent - authentication agent. This can be used to hold RSA keys for authentication.

sftp - Secure file transfer program

sftp-server - SFTP server subsystem

Other OpenSSH Links:

Red Hat OpenSSH Guide - Also scp, sftp, Gnome ssh-agent

Linux Journal: OpenSSH Part I

SSH for MS/Windows Links:

PuTTY

Tera Term

TTSSH - An SSH Extension to Tera Term

SSH Notes:

The sshd should not be started using xinetd/inetd due to the time necessary to perform calculations when it is initialized.
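A check for the sshd_config changes recommended above (Protocol 2 only, PermitRootLogin no, LoginGraceTime cut to 120 seconds, a Banner pointing at /etc/issue.net), as an added example that is not from the tutorial or from OpenSSH; SAMPLE_CONFIG is a constructed excerpt of the default file shown above, and the parser assumes the keyword/value layout of sshd_config where the first occurrence of a keyword wins.

```python
"""Audit an sshd_config against the hardening recommended in the tutorial.

Added example, not from the tutorial or the OpenSSH project. Assumes the
keyword/value format of sshd_config: '#' lines are comments, the first
occurrence of a keyword is the effective one, LoginGraceTime is in seconds."""

# Constructed excerpt of the default sshd_config listed above.
SAMPLE_CONFIG = """\
# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $
Port 22
#Protocol 2,1
LoginGraceTime 600
PermitRootLogin yes
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
#Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# The same excerpt with the tutorial's three edits applied and Banner enabled.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("#Protocol 2,1", "Protocol 2")
                   .replace("LoginGraceTime 600", "LoginGraceTime 120")
                   .replace("PermitRootLogin yes", "PermitRootLogin no")
                   .replace("#Banner", "Banner"))


def parse_sshd_config(text):
    """Return {keyword_lowercased: value} for the effective settings.

    sshd keeps the first occurrence of a keyword and ignores later ones, so the
    parser does the same. A commented-out line is not a setting, which is why
    '#Protocol 2,1' leaves the protocol at the compiled-in default (2,1)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings


def audit_sshd_config(text, max_grace=120):
    """Return a list of (keyword, problem) tuples; an empty list means all pass."""
    cfg = parse_sshd_config(text)
    problems = []

    protocol = cfg.get("protocol")
    if protocol is None:
        problems.append(("Protocol", "not set; the compiled default allows 2,1 - set 'Protocol 2'"))
    elif [p.strip() for p in protocol.split(",")] != ["2"]:
        problems.append(("Protocol", "value '%s' still permits SSH1 - set 'Protocol 2'" % protocol))

    if cfg.get("permitrootlogin", "yes").lower() != "no":   # default in this release is yes
        problems.append(("PermitRootLogin", "root may log in over the network - set 'PermitRootLogin no'"))

    grace = cfg.get("logingracetime", "600")                  # default in this release is 600
    try:
        seconds = int(grace)
    except ValueError:
        seconds = None                                        # not plain seconds: flag it
    if seconds is None or seconds > max_grace:
        problems.append(("LoginGraceTime", "%s exceeds %d seconds - set 'LoginGraceTime %d'"
                         % (grace, max_grace, max_grace)))

    if not cfg.get("banner"):
        problems.append(("Banner", "no pre-login banner - set 'Banner /etc/issue.net'"))

    if cfg.get("permitemptypasswords", "no").lower() != "no":
        problems.append(("PermitEmptyPasswords", "empty passwords accepted - set 'PermitEmptyPasswords no'"))
    return problems


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(text)
        print("%s: %d problem(s)" % (label, len(findings)))
        for key, msg in findings:
            print("  %-16s %s" % (key, msg))
```

To audit a live host, pass the contents of /etc/ssh/sshd_config to audit_sshd_config instead of SAMPLE_CONFIG.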

The ssh client will suid to root; sshd on the server is run as root. Root privileges are required to communicate on ports lower than 1024. The -p option may be used to run SSH on a different port.

RSA is used for key exchange, and a conventional cipher (default Blowfish) is used for encrypting the session.

Encryption is started before authentication, and no passwords or other information is transmitted in the clear.

Authentication:

Login is invoked by the user. The client tells the server the public key that the user wishes to use for authentication.

The server then checks if this public key is admissible.

If yes, then a random number is generated, encrypted with the public key, and the value is sent to the client.

The client then decrypts the number with its private key and computes a checksum. The checksum is sent back to the server.

The server computes a checksum from the data and compares the checksums.

Authentication is accepted if the checksums match.

SSH will use $HOME/.rhosts (or $HOME/.shosts).

To establish a secure network connection on another TCP port, use the "tunneling" options with the ssh command:

Forward TCP local port to hostport on the remote-host:

    ssh remote-host -L port:localhost:hostport command

Specifying ports lower than 1024 will require root access.

FTP opens various ports and thus is not a good candidate. Port 21 is only used to establish the connection.

Man pages:

ssh - secure shell client (remote login program)

sshd - secure shell daemon (server)

ssh-keygen - Used to create RSA keys (host keys and user authentication keys)

ssh-keyscan - gather ssh public keys

ssh-add - adds identities for the authentication agent. Used to register new keys with the agent.

scp - secure copy (remote file copy program)

slogin

sftp - secure file transfer program client

sftp-server - secure file transfer program server

ssh-agent - Authentication agent. This can be used to hold RSA keys for authentication.

telnet - user interface to the TELNET protocol

Documentation:

    /usr/share/doc/openssh-2.9p2/
    /usr/share/doc/openssh-askpass-2.9p2/
    /usr/share/doc/openssl-0.9.6/

Test:

The network sniffer Ethereal was used to sniff network transmissions between the client and server for both telnet and ssh, with the following results:

Test telnet clear text login: (port 23)

The text sent by the client is green text on a black background. The rest of the text was transmitted by the server. Note that both the login ("JoeUser") and password ("super-secret-password") were captured.

Test ssh encrypted login: (port 22)

Note that the entire login and password exchange was encrypted.

PortSentry:

This tool will monitor the network probes and attacks against your server. It can be configured to log and counter these probes and attacks. PortSentry can modify your /etc/hosts.deny (PAM module) file and issue IP firewall commands automatically to block hackers.

PortSentry can be loaded as an RPM, but this tutorial covers compiling PortSentry from source to configure more preferable system logging.

Note: Version 1.1 of portsentry can issue iptables, ipchains or route commands to thwart attacks. Linux kernel 2.2 (Red Hat 6.x and 7.0) uses ipchains. Linux kernel 2.4 (Red Hat 7.1) uses iptables but can also use ipchains, but NOT both. Route commands can be used by any Unix system.

Steps to install and configure portsentry:

1. Download and unzip source code

2. Edit include file and compile

3. Start PortSentry

4. Read logs

1. Download and unzip source code:

Download: PortSentry source code

(Note: Portsentry version 1.1 includes a bug fix required for Red Hat 7.1 kernel 2.4.)

Move to your source directory and unzip: tar -xzf portsentry-1.1.tar.gz

2. Edit include file and compile:

    cd portsentry-1.1/

Read the file README.install. It details the following:

Edit file: portsentry_config.h

Set options:

    CONFIG_FILE        - PortSentry run-time configuration file
    WRAPPER_HOSTS_DENY - The path and name of the TCP wrapper hosts.deny file

    #define CONFIG_FILE "/opt/portsentry/portsentry.conf"
    #define WRAPPER_HOSTS_DENY "/etc/hosts.deny"
    #define SYSLOG_FACILITY LOG_DAEMON
    #define SYSLOG_LEVEL LOG_NOTICE

(Note: I use /opt/portsentry/ because I like to locate custom files/software there. It allows for an easy backup by separating it from the OS. If you prefer, you can use /etc/portsentry/ for configuration files and follow the Linux/Unix file system logic.)

The above default, "LOG_DAEMON", will log messages to the /var/log/messages file.

To log to a separate file dedicated to PortSentry logging (this will eliminate logging clutter in the main system logging file):

Add logging directives to the syslogd configuration file /etc/syslog.conf.

Change the following line to reflect that portsentry messages are not going to be logged to the regular syslog output file /var/log/messages:

    *.info;mail.none;news.none;authpriv.none;local6.none	/var/log/messages

Add the following line to assign a portsentry log facility:

    local6.*	/var/log/portsentry.log

Note: Use tabs, not spaces, in the syslog configuration file.

Restart syslogd: /etc/rc.d/init.d/syslog restart

Set the portsentry_config.h entry to the new log facility:

    #define SYSLOG_FACILITY LOG_LOCAL6

Options for the SYSLOG_FACILITY are defined in /usr/include/sys/syslog.h. They include:

    SYSLOG_FACILITY   Facility Name   Description
    LOG_LOCAL0        local0          reserved for local use
    LOG_LOCAL1        local1          reserved for local use
    LOG_LOCAL2        local2          reserved for local use
    LOG_LOCAL3        local3          reserved for local use
    LOG_LOCAL4        local4          reserved for local use
    LOG_LOCAL5        local5          reserved for local use
    LOG_LOCAL6        local6          reserved for local use
    LOG_LOCAL7        local7          reserved for local use
    LOG_SYSLOG        syslog          messages generated internally by syslogd
    LOG_AUTHPRIV      authpriv        security/authorization messages (private)

Options for the SYSLOG_LEVEL include:

    SYSLOG_LEVEL   Priority   Description
    LOG_EMERG      0          system is unusable
    LOG_ALERT      1          action must be taken immediately
    LOG_CRIT       2          critical conditions
    LOG_ERR        3          error conditions
    LOG_WARNING    4          warning conditions
    LOG_NOTICE     5          normal but significant condition
    LOG_INFO       6          informational
    LOG_DEBUG      7          debug-level messages

Edit file: portsentry.conf to set paths for configuration files and ports to monitor.

Uncomment and modify if necessary the appropriate statements. The TCP_PORTS= and UDP_PORTS= lists are ignored for the stealth scan detection modes. I added UDP port 68 (BOOTP) and TCP 21 (ftp), 22 (ssh), 25 (smtp mail), 53 (dns bind), 80 (http web server), 119 (news) to the ADVANCED_EXCLUDE_UDP and ADVANCED_EXCLUDE_TCP statements respectively.

List of ports used by Remote Access trojans

    IGNORE_FILE="/opt/portsentry/portsentry.ignore"
    HISTORY_FILE="/opt/portsentry/portsentry.history"
    BLOCKED_FILE="/opt/portsentry/portsentry.blocked"

    # Generic Unix KILL_ROUTE (I prefer the iptables/ipchains options below)
    KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

    # server
    ADVANCED_EXCLUDE_TCP="21,22,25,53,80,110,113,119"
    ADVANCED_EXCLUDE_UDP="21,22,53,110,520,138,137,68,67"

OR

    # workstation
    ADVANCED_EXCLUDE_TCP="113,139"
    ADVANCED_EXCLUDE_UDP="520,138,137,68,67"

PAM options:

    KILL_HOSTS_DENY="ALL: $TARGET$"

For more on PAM see YoLinux Network Admin Tutorial

Route deny options: (Options: network "route" or firewall command "iptables/ipchains")

1. Simple method to drop network return routes if ipchains is not compiled into your kernel:

    KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

You can check the addresses dropped with the command: netstat -rn. They will be routed to interface "-".

2. For Linux 2.2.x kernels (version 2.102+) using ipchains: (Best option)

    KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

OR

    KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"

Note: The second option is without the "-l" or logging option so ipchains won't keep logging the portscan in /var/log/messages.

3. For those using iptables (RH 7.1+, Linux kernel 2.4+):

    KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

(Note: The default used in portsentry.conf uses the incorrect path for Red Hat. Change /usr/local/bin/iptables to /sbin/iptables.) Note on Red Hat 7.1: During installation/upgrade the firewall configuration tool /usr/bin/gnome-lokkit may be invoked. It will configure a firewall using ipchains and will add this to your boot process. To see if ipchains and the Lokkit configuration is invoked during system boot, use the command: chkconfig --list | grep ipchains. You can NOT use portsentry to issue iptables rules if ipchains rules have been issued previously.

More info on iptables and ipchains support/configuration in Red Hat 7.1 and kernel 2.4

Edit file: portsentry.ignore (contains IP addresses to ignore)

    127.0.0.1
    0.0.0.0
    Your IP address

The @Home network routinely scans for news servers on port 119 from a server named authorized-scan1.security.home.net. Adding the IP address of this server (24.0.0.203) greatly reduces the logging. I also added their BOOTP server (24.9.139.130).

I manually issued the iptables (RH 7.1 kernel 2.4) commands on my workstation to drop the hosts and deny their scans. @Home users may add the commands to the file /etc/rc.d/rc.local.

    /sbin/iptables -I INPUT -s 24.0.0.203 -j DROP
    /sbin/iptables -I INPUT -s 24.9.139.130 -j DROP

Edit file: Makefile

    INSTALLDIR = /opt

And remove the line under "uninstall": (dangerous line!!)

    # /bin/rmdir $(INSTALLDIR)

And remove the line under "install": (troublesome line!!)

    # chmod 700 $(INSTALLDIR)



Compile: make linux

Install (as root): make install

3. Run PortSentry for advanced UDP/TCP stealth scan detection:

    portsentry -atcp
    portsentry -audp

OR use the init script given below in the next section.

4. Check the logfile for hacker attacks. See /var/log/messages, or /var/log/portsentry.log if you are logging to a dedicated file.

Also check /etc/hosts.deny to see the list of IP addresses that PortSentry has deemed attackers.

Check the "HISTORY_FILE" /opt/portsentry/portsentry.history

Note: It is possible to have all logging sent to a logging daemon on a single server. This will allow the administrator to check the logs on only one server rather than individually on many.
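Reading the dedicated log from step 4 by hand gets tedious, so here is an added example (not from the tutorial or the PortSentry project) that summarises the alerts per source host, flags probes that never produced a block line (what a failed KILL_ROUTE or KILL_HOSTS_DENY command looks like in the log), and picks out scanners from a known domain such as the @Home example above as candidates for portsentry.ignore; it assumes the "attackalert: ... from host: NAME/IP to TCP port: N" line shape of PortSentry 1.x, and SAMPLE_LOG is constructed in that style.

```python
"""Summarise PortSentry alerts from /var/log/portsentry.log (step 4 above).

Added example, not from the tutorial or PortSentry. It assumes the syslog line
shape PortSentry 1.x writes: "attackalert: <kind> from host: NAME/IP to TCP
port: N" for probes and "attackalert: Host IP has been blocked via ..." for
the response. SAMPLE_LOG is constructed to look like that output."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun  5 02:14:07 www portsentry[812]: attackalert: TCP SYN/Normal scan from host: 203.0.113.9/203.0.113.9 to TCP port: 111
Jun  5 02:14:07 www portsentry[812]: attackalert: Host 203.0.113.9 has been blocked via wrappers with string: "ALL: 203.0.113.9"
Jun  5 02:14:07 www portsentry[812]: attackalert: Host 203.0.113.9 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 203.0.113.9 -j DROP"
Jun  5 02:14:08 www portsentry[812]: attackalert: TCP SYN/Normal scan from host: 203.0.113.9/203.0.113.9 to TCP port: 515
Jun  5 02:14:08 www portsentry[812]: attackalert: Host: 203.0.113.9 is already blocked Ignoring
Jun  5 03:40:51 www portsentry[812]: attackalert: UDP scan from host: 198.51.100.77/198.51.100.77 to UDP port: 161
Jun  5 03:40:51 www portsentry[812]: attackalert: Host 198.51.100.77 has been blocked via wrappers with string: "ALL: 198.51.100.77"
Jun  5 04:02:13 www portsentry[812]: attackalert: TCP SYN/Normal scan from host: authorized-scan1.security.home.net/24.0.0.203 to TCP port: 119
Jun  5 04:02:13 www portsentry[812]: attackalert: Host 24.0.0.203 has been blocked via wrappers with string: "ALL: 24.0.0.203"
Jun  5 05:11:30 www portsentry[812]: attackalert: TCP SYN/Normal scan from host: 192.0.2.44/192.0.2.44 to TCP port: 111
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PROBE_RE = re.compile(r"attackalert: (?P<kind>.+?) from host: (?P<name>\S+)/(?P<ip>" + IPV4 + r")"
                      r" to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCK_RE = re.compile(r"attackalert: Host (?P<ip>" + IPV4 + r") has been blocked via (?P<how>wrappers|dropped route)")


def summarise(log_text):
    """Return {ip: {"name", "ports": ["TCP/111", ...], "probes": n, "blocked_via": [...]}}."""
    hosts = defaultdict(lambda: {"name": None, "ports": set(), "probes": 0, "blocked_via": set()})
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:                                   # one probe alert per port hit
            h = hosts[m.group("ip")]
            h["name"] = m.group("name")
            h["ports"].add("%s/%s" % (m.group("proto"), m.group("port")))
            h["probes"] += 1
            continue
        m = BLOCK_RE.search(line)
        if m:                                   # the response PortSentry took
            hosts[m.group("ip")]["blocked_via"].add(m.group("how"))
    return {ip: {"name": h["name"], "ports": sorted(h["ports"]), "probes": h["probes"],
                 "blocked_via": sorted(h["blocked_via"])} for ip, h in hosts.items()}


def unblocked_probers(summary):
    """IPs that triggered a probe alert but never a block line: check the
    KILL_ROUTE/KILL_HOSTS_DENY configuration if this list is not empty."""
    return sorted(ip for ip, h in summary.items() if h["probes"] and not h["blocked_via"])


def ignore_candidates(summary, known_scanner_domains=("home.net",)):
    """Probers whose reverse name is in a known scanner domain (the @Home case
    above): candidates for portsentry.ignore rather than repeated blocking."""
    return sorted(ip for ip, h in summary.items()
                  if h["name"] and any(h["name"].endswith(d) for d in known_scanner_domains))


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ip in sorted(s):
        print(ip, s[ip]["name"], s[ip]["ports"], "blocked via:", s[ip]["blocked_via"] or "nothing")
    print("unblocked probers:", unblocked_probers(s))
    print("ignore candidates:", ignore_candidates(s))
```

Feed it the real file with summarise(open("/var/log/portsentry.log").read()) to get the same per-host view.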

Note on Red Hat 7.1: Red Hat Powertools 7.1 now includes portsentry 1.0. I recommend using version 1.1 configured as above.

Powertools RPM layout:

    /usr/sbin/portsentry                (chmod 700) executable
    /etc/portsentry/                    (chmod 700) directory used for configuration files
    /etc/portsentry/portsentry.conf     (chmod 600)
    /etc/portsentry/portsentry.ignore   (chmod 600)
    /var/portsentry/portsentry.history
    /var/portsentry/portsentry.blocked

Instead of using a firewall command (ipchains/iptables), a false route is used: /sbin/route add -host $TARGET$ gw 127.0.0.1

My init script calls the portsentry executable twice with the appropriate command line arguments to monitor tcp and udp ports. The Red Hat 7.1 init script uses the file /etc/portsentry/portsentry.modes and a for loop in the init script to call portsentry the appropriate number of times. Their init script also recreates the portsentry.ignore file each time portsentry is started, by including the IP addresses found with ifconfig and the addresses 0.0.0.0 and localhost. Persistent addresses must be placed above a line stating "Do NOT edit below this", otherwise they are not included in the creation of the new file. The Red Hat 7.1 Powertools portsentry version logs everything to /var/log/messages. My configuration avoids log clutter by logging to a separate file.

Notes on DOS (Denial of Service) possibility: If portsentry is configured to shut down an attack with firewall rules, an attacker may use this feature to slow down your machine over time by creating a huge set of firewall rules. It would require the hacker to use (or spoof) a new IP address each time. It is probably a good idea to monitor or even clear the firewall rules from time to time.

iptables:

List firewall rules: iptables -L

Clear firewall rules: iptables -F

ipchains:

List firewall rules: ipchains -L

Clear firewall rules: ipchains -F

Clean-up script: /etc/cron.monthly/reset-chainrules (-rwx------ 1 root root)

    #!/bin/bash
    # Purge and re-assign chain rules
    ipchains -F
    ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
    ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
    ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
    ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
    ipchains -A input -p tcp -s 0/0 -d 0/0 515 -y -j REJECT
    ipchains -A input -p udp -s 0/0 -d 0/0 515 -j REJECT
    ipchains -A input -p tcp -s 0/0 -d 0/0 111 -y -j REJECT
    ipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECT
    ipchains -A input -j REJECT -p all -s localhost -i eth0 -l

This script is run automatically once a week by cron. (The presence of this script in this directory for the Red Hat configuration makes it so.)

Also see:

Psionic Software Home Page - PortSentry, Logcheck and HostSentry home page

FAQ: Firewall Forensics - Robert Graham

Other tools to detect portscans and network based hacker attacks:

scanlogd - Attack detection

InterSect Alliance - Intrusion analysis. Identifies malicious or unauthorized access attempts.

snort - Instead of monitoring a single server with portsentry, snort monitors the network, performing real-time traffic analysis and packet logging on IP networks for the detection of an attack or probe.

Also see: YoLinux IDS and Snort links

Using an init script to start and stop the portsentry program

Init configuration: /etc/rc.d/init.d/portsentry

    #!/bin/bash
    #
    # Startup script for PortSentry
    #
    # chkconfig: 345 85 15
    # description: PortSentry monitors TCP and UDP ports for network attacks
    #
    # processname: portsentry
    # pidfile: /var/run/portsentry.pid
    # config: /opt/portsentry/portsentry.conf
    # config: /opt/portsentry/portsentry.ignore
    # config: /opt/portsentry/portsentry.history
    # config: /opt/portsentry/portsentry.blocked

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ ${NETWORKING} = "no" ] && exit 0

    # See how we were called.
    case "$1" in
      start)
            echo -n "Starting portsentry: "
            daemon /opt/portsentry/portsentry -atcp
            /opt/portsentry/portsentry -audp
            echo
            touch /var/lock/subsys/portsentry
            ;;
      stop)
            echo -n "Shutting down portsentry: "
            killproc portsentry
            echo
            rm -f /var/lock/subsys/portsentry
            rm -f /var/run/portsentry.pid
            ;;
      status)
            status portsentry
            ;;
      restart)
            $0 stop
            $0 start
            ;;
      reload)
            echo -n "Reloading portsentry: "
            killproc portsentry -HUP
            echo
            ;;
      *)
            echo "Usage: $0 {start|stop|restart|reload|status}"
            exit 1
    esac

    exit 0

The init script needs to be executable: chmod a+x /etc/rc.d/init.d/portsentry

After adding the above script, enter it into the init process with the command chkconfig --add portsentry or chkconfig --level 345 portsentry on. See the YoLinux Init Tutorial for more information.

Logrotate Configuration:

Create the following file to have your logs rotate.

File: /etc/logrotate.d/portsentry

    /var/log/portsentry.log {
        rotate 12
        monthly
        errors root@localhost
        missingok
        postrotate
            /usr/bin/killall -HUP portsentry 2> /dev/null || true
        endscript
    }

Also see the YoLinux Sys Admin tutorial covering logrotate.

Tests:

Portscan your workstation - Use your web browser to go to this site. Select "Probe my ports" and it will scan you. You can then look at the file /opt/portsentry/portsentry.blocked.atcp to see that portsentry dropped the scanning site:

Posted: 25/05/2014, 14:23
