20061108
Linux Class Notes
Networking Concepts, Tools & Security
How will we get rid of our friend that keeps trying to get in to our system?
We have done a lot. For example, we have configured ssh so that nobody can connect as root.
There is a configuration file in the directory /etc/ssh. The file is /etc/ssh/sshd_config, and it is used to configure sshd. Remember that we changed a line to say "PermitRootLogin no", and that is the reason we see 829 or more failed attempts to get into our server as root via ssh.
There is no tool that tells us whether we have applied all recommended policies to keep our system secure. It is good to research whether there are new developments in this field.
Ok, let's do something about this:
First, we have to understand what is happening:
- Our port 22 is open to everybody.
- Somebody comes in through that port and talks to the sshd program. We use PAM to authenticate users and decide whether or not to let them pass.
- Our PAM setup is stopping these illegal attempts during the ssh authentication process.
- We want to stop these attempts at some point before ssh (for example, before the ssh authentication step).
- We can decide to close our ports (22, 221, 443, etc.) for the IP address that is bothering us.
- There are a lot of tools to do this. We will talk about one called portsentry. This tool is able to update the firewall when it detects what the administrator considers "suspicious" (or illegal) activity. The problem with portsentry is that writing rules for it was very difficult.
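Before blocking anything it helps to know which address is actually responsible for the failed root logins. The following script is an added example (not part of the class notes): it counts "Failed password" lines from sshd per source address, in the /var/log/secure format of that era. The log lines are constructed samples and the addresses are placeholders from the documentation ranges.

```shell
#!/bin/sh
# Added example, not from the class notes: count failed ssh logins per
# source address so we can see who is hammering the server before we
# decide what to block. Log lines below are constructed samples.

# Usage: failed_logins_by_source LOGFILE
# Prints "count address" lines, busiest address first.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Usage: failed_root_logins LOGFILE -> number of failed attempts for root
failed_root_logins() {
    grep -c 'sshd\[[0-9]*\]: Failed password for root from' "$1"
}

# Usage: top_offender LOGFILE -> address with the most failures
top_offender() {
    failed_logins_by_source "$1" | head -n 1 | awk '{ print $2 }'
}

# --- constructed sample of /var/log/secure (not real traffic) ---
SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov  8 10:01:02 ws05 sshd[2101]: Failed password for root from 203.0.113.7 port 42001 ssh2
Nov  8 10:01:05 ws05 sshd[2103]: Failed password for root from 203.0.113.7 port 42002 ssh2
Nov  8 10:01:09 ws05 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 42003 ssh2
Nov  8 10:02:11 ws05 sshd[2110]: Failed password for root from 198.51.100.23 port 51000 ssh2
Nov  8 10:03:30 ws05 sshd[2120]: Accepted password for ggeller from 10.101.1.50 port 33022 ssh2
EOF

failed_logins_by_source "$SAMPLE_LOG"
# -> 3 203.0.113.7
#    1 198.51.100.23
echo "failed root logins: $(failed_root_logins "$SAMPLE_LOG")"   # -> 3
```

Run it against the real file with `failed_logins_by_source /var/log/secure` as root; the "Accepted password" line is deliberately included to show that successful logins are not counted.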
Working with tcp wrappers
TCP Wrappers can be used to GRANT or DENY access to various services on your machine to the outside network or to other machines on the same network. It does this by using simple access list rules which are kept in the two files /etc/hosts.allow and /etc/hosts.deny.
This is the way it works: we have an application running on our system, and if TCP Wrappers support has been implemented for that application, a request for the application goes first to TCP Wrappers, which then passes the request on to the application we are running.
Later in our course we will work with something called portmap, which works with TCP Wrappers and looks at those two configuration files. It gives us the impression that TCP Wrappers support is implemented by sshd.
What we will do is put the unwanted IP address in the /etc/hosts.deny file, and from then on our application will be protected.
The steps are this:
- Make sure you're logged on as root.
- Go to your default directory.
- Save the firewall rules as they are now (to restore them if you mess something up):
- iptables-save > firewall.currentdate (remember that if you want to restore the firewall you only have to use the iptables-restore command).
- Edit the drop-packet file.
- Add a command there: iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j REJECT --reject-with tcp-reset (this will append this line to the /etc/sysconfig/iptables file). Please make sure that the line goes before the "input j -RH ..." line, because if it goes after that line, it will not work!
- Instead of xxx.xxx.xxx.xxx, put the address you are interested in blocking. If you execute that command, that address will be blocked when you restart your firewall with:
- service iptables restart
(Note: Before editing /etc/sysconfig/iptables, Joe made a copy: "iptables.old" at ~)
The problem with this is that you will never again be able to use a more friendly tool to edit the iptables file.
George says that we can also edit the /etc/hosts.deny file and add this line:
ALL: not.desired.ip.address
And without restarting anything, that address will be rejected when a user tries to connect from it to our server. Awesome!!!
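The ordering warning above is the part that most often goes wrong, so here is an added example (not from the class notes) that does the edit on a copy of the rules file and then checks the result. It inserts the per-address REJECT rule before the first INPUT-chain line that hands everything to the catch-all, and appends the matching ALL: line to a hosts.deny file. The sample rules file is constructed; the chain name RH-Firewall-1-INPUT and its final REJECT line are assumptions about the distribution's default, since the notes only show the fragment "input j -RH ...". The functions take file paths, so you can rehearse on copies before touching /etc/sysconfig/iptables and /etc/hosts.deny as root.

```shell
#!/bin/sh
# Added example, not from the class notes: block one source address in an
# /etc/sysconfig/iptables-style file, keeping the rule ahead of the
# catch-all, and add the equivalent /etc/hosts.deny entry.

# Usage: valid_ipv4 ADDRESS -> exit 0 if ADDRESS is a dotted quad
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Usage: block_address RULES_FILE ADDRESS
# Inserts "-A INPUT -p tcp -s ADDRESS -j REJECT --reject-with tcp-reset"
# immediately before the first INPUT line that jumps to the catch-all
# (a "-j RH-..." or "-j REJECT" line), so the new rule is evaluated first.
# Refuses to add the same address twice.
block_address() {
    rules="$1"; addr="$2"
    valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    if grep -q -- "-s $addr " "$rules"; then
        echo "already blocked: $addr" >&2; return 0
    fi
    awk -v a="$addr" '
        !done && /^-A INPUT / && /-j (REJECT|RH-)/ {
            print "-A INPUT -p tcp -s " a " -j REJECT --reject-with tcp-reset"
            done = 1
        }
        { print }' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Usage: rule_before_catchall RULES_FILE ADDRESS -> exit 0 if the address
# rule sits above the catch-all line (the check the notes tell you to make)
rule_before_catchall() {
    rule_line=$(grep -n -- "-s $2 " "$1" | head -n 1 | cut -d: -f1)
    catch_line=$(grep -n -E -- '^-A INPUT .*-j (REJECT|RH-)' "$1" \
        | grep -v -- "-s " | head -n 1 | cut -d: -f1)
    [ -n "$rule_line" ] && [ -n "$catch_line" ] && [ "$rule_line" -lt "$catch_line" ]
}

# Usage: deny_host HOSTS_DENY_FILE ADDRESS -> appends "ALL: ADDRESS" once
deny_host() {
    valid_ipv4 "$2" || return 1
    grep -q "^ALL: $2\$" "$1" 2>/dev/null || echo "ALL: $2" >> "$1"
}

# --- constructed sample (assumed Fedora/RHEL-style default rules) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/iptables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
: > "$WORK/hosts.deny"

block_address "$WORK/iptables" 203.0.113.7
deny_host "$WORK/hosts.deny" 203.0.113.7
rule_before_catchall "$WORK/iptables" 203.0.113.7 && echo "rule is above the catch-all"
```

After editing the real file, `rule_before_catchall /etc/sysconfig/iptables <address>` is the quick sanity check to run before `service iptables restart`; the hosts.deny entry takes effect immediately for wrapped services, as the notes say.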
- Tips
- We can use "iptables-save -c" to see how many packets and bytes have matched certain rules. That will show us whether some of those "non-desired" guests have been trying to get into our system.
Joe suggests using the command "man hosts_access", so we can see examples of using these files to block and unblock access to our server.
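To turn the "iptables-save -c" tip into something you can glance at, here is an added example (not from the class notes) that reads that output and reports the packet and byte counters of every rule rejecting a specific source address. The saved rules below are constructed to look like iptables-save -c output; the counters and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the class notes: read "iptables-save -c" output
# and report how often each per-address REJECT/DROP rule has matched,
# which tells us whether a blocked host keeps knocking.

# Usage: iptables-save -c | blocked_source_hits
# Prints "address packets bytes" for each "-s" rule that ends in REJECT/DROP.
blocked_source_hits() {
    awk '
        /^\[[0-9]+:[0-9]+\] -A / && / -s / && /-j (REJECT|DROP)/ {
            # $1 looks like "[packets:bytes]"; strip the brackets and split
            split(substr($1, 2, length($1) - 2), c, ":")
            for (i = 2; i <= NF; i++) if ($i == "-s") addr = $(i + 1)
            sub(/\/32$/, "", addr)       # iptables may print 1.2.3.4/32
            print addr, c[1], c[2]
        }'
}

# Usage: hits_for ADDRESS < saved-rules -> packet count for ADDRESS (0 if none)
hits_for() {
    blocked_source_hits | awk -v a="$1" '$1 == a { n = $2 } END { print n + 0 }'
}

# --- constructed sample of "iptables-save -c" output ---
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
[57:3420] -A INPUT -p tcp -s 203.0.113.7/32 -j REJECT --reject-with tcp-reset
[0:0] -A INPUT -p tcp -s 198.51.100.23 -j REJECT --reject-with tcp-reset
[8812:912340] -A INPUT -j RH-Firewall-1-INPUT
[1200:96000] -A RH-Firewall-1-INPUT -i lo -j ACCEPT
[2:120] -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

blocked_source_hits < "$SAMPLE"
# -> 203.0.113.7 57 3420
#    198.51.100.23 0 0
```

On a live system run `iptables-save -c | blocked_source_hits` as root; counters reset when the firewall is restarted, so a non-zero count means the address has tried again since the last `service iptables restart`.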
Working with snort
Snort is a very interesting tool.
Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry. (http://www.snort.org/)
When you run snort, it is very heavy and will use a lot of system resources. Snort sniffs to a file, and the files get very big very quickly.
You can use snort as a sniffer, to see what the data traffic is about.
Set a host name on your virtual machine
One issue that has come up quite a bit is that many students are confused about which Linux machine they are logging into. If you see a prompt like this:
[ggeller@rop ~]$
then you are probably logged into the class server. The teacher is the only person who has the root password for the class server. The class server has an internal IP address of 10.101.1.200. The server name for this machine is given in /etc/sysconfig/network:
[ggeller@rop ~]$ cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=rop.ncc.sdccd.net
GATEWAY=10.101.1.1
As an aside, the external address for rop.ncc.sdccd.net is 209.129.16.200. This is the address you access if you ssh in from your home computer.
When you log onto your virtual linux system, the one that you are running under Microsoft Virtual PC, you probably see a prompt like this:
[ggeller@localhost ~]$
As above, the hostname is set by the entry in /etc/sysconfig/network. So, su - to become root, cd to /etc/sysconfig, back up the file and edit it:
[ggeller@localhost ~]$ su -
Password:
[root@localhost ~]$ cd /etc/sysconfig
[root@localhost sysconfig]$ cp -p network network.original
[root@localhost sysconfig]$ vi network
...
[root@localhost sysconfig]$ cat network
NETWORKING=yes
HOSTNAME=wsNN.rop.ncc.sdccd.net
Replace NN with the number on your hard disk drive, 01, 02, etc.
To make apache happy, you also need to change /etc/hosts so that it reads something like:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost ws05.rop.ncc.sdccd.net ws05
Then next time you login your prompt will look something like:
[ggeller@ws06 ~]$
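The hostname procedure above is a few manual edits that are easy to get slightly wrong (forgetting the backup, or leaving the loopback line in /etc/hosts unchanged). The script below is an added example, not from the class notes: it performs the same edits on copies of the two files held in a directory you choose, so it can be rehearsed before being run as root against /etc. The file contents are constructed to match those shown in the notes, and the domain rop.ncc.sdccd.net is the class domain from the notes.

```shell
#!/bin/sh
# Added example, not from the class notes: set the workstation hostname in
# copies of /etc/sysconfig/network and /etc/hosts, keeping a backup of each
# as the notes recommend.

# Usage: set_ws_hostname DIR NN   (NN = two-digit workstation number, e.g. 05)
# DIR must contain files named "network" and "hosts".
set_ws_hostname() {
    dir="$1"; nn="$2"
    case "$nn" in
        [0-9][0-9]) ;;
        *) echo "workstation number must be two digits, e.g. 05" >&2; return 1 ;;
    esac
    fqdn="ws$nn.rop.ncc.sdccd.net"
    cp -p "$dir/network" "$dir/network.original"
    cp -p "$dir/hosts" "$dir/hosts.original"
    sed "s/^HOSTNAME=.*/HOSTNAME=$fqdn/" "$dir/network.original" > "$dir/network"
    # Put the new name on the loopback line so apache can resolve itself.
    sed "s/^127\.0\.0\.1[[:space:]].*/127.0.0.1 localhost.localdomain localhost $fqdn ws$nn/" \
        "$dir/hosts.original" > "$dir/hosts"
}

# Usage: current_hostname DIR -> value of HOSTNAME= in DIR/network
current_hostname() {
    sed -n 's/^HOSTNAME=//p' "$1/network"
}

# --- constructed copies of the two files as shipped on the virtual machine ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/network" <<'EOF'
NETWORKING=yes
HOSTNAME=localhost.localdomain
EOF
cat > "$WORK/hosts" <<'EOF'
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
EOF

set_ws_hostname "$WORK" 05
current_hostname "$WORK"   # -> ws05.rop.ncc.sdccd.net
cat "$WORK/hosts"
```

To apply it for real, run `set_ws_hostname /etc/sysconfig NN` as root after placing a copy of /etc/hosts in that directory, or simply point the two sed lines at /etc/sysconfig/network and /etc/hosts; the new prompt appears at the next login, as the notes describe.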
Install snort, fwbuilder and webmin on your virtual machine
[root@ws06 Desktop]# yum -y install snort fwbuilder
The webmin rpm is available from sourceforge.net via http://www.webmin.com/download.html. After you download it, install it with:
[root@ws06 Desktop]# yum localinstall webmin-1.300-1.noarch.rpm
