Linux Basic Security Techniques
Before typing one single line about how to protect a Linux machine, there are some things we need to keep in mind that are commonly mistaken:
* Having Linux as your main operating system does not mean it’s already secure.
* If you can’t break it, it does not mean no one else can.
* This is not a guide to break into someone else’s computer.
* No info I can give you is unknown to hackers or crackers; believe me, they know, and even more. The aim of this article is to stop script kiddies and give hacker wannabes a hard time trying to break into your computer.
* I might not cover everything about security, which is a wide subject, but I’ll try to cover as much as possible from an end-user/medium-advanced perspective.
* If you are interested in security, you should accept that you have to be a bit (or maybe a hell of a lot!) paranoid, and there is no safe place to hide except a computer shut down, locked behind four walls with guards and dogs, and even then it might have a security flaw.
With this in mind we can proceed with the rest of the article. If anywhere in the article I use material or content that does not belong to me, I will reference its author and give proper credit for his work.
In the beginning there was nothing... but then the internet came, and for a time it was fine. As I mentioned before, nowhere is safe, and this is due to the fact that the protocols were not designed to be secure, just to work. As you might know, the internet as we know it today was originally meant to work as a network that would guarantee communication between two computers no matter whether they were of different brands or ran different operating systems, and so on; this was for military purposes.
Since it was not needed for that purpose in the end, it ended up in universities all over the United States, with one goal in mind: not having to call another university through the phone, but doing it through the net, which was a lot cheaper. As the internet evolved, it was released to the public as we know it today.
As you might already know, protocols like HTTP, TELNET and FTP do not encrypt anything we pass to them; any script kiddie could use a sniffer to gather usernames and passwords, commands written to the system or server, and even emails and conversations. That was the reason to create SSL (Secure Sockets Layer): to encrypt the data we are sending over those protocols.
From a server perspective, although a firewall is always helpful to tell which packets to accept, drop or reject (the basic chains in iptables), this won’t help much if you have misconfigured services or if your server is out of date; there are schools of thought that say they can have a more secure environment just by focusing on the services, with no firewall working in the background.
I will try to cover the most basic concepts of the firewall par excellence in Linux, iptables. I advise you to go to netfilter.org and review Rusty’s How-Tos so you have a better picture of how the firewall works and how to write more advanced rules.
Linux Services
Something that some Linux users don’t realize or pay attention to is the boot-up services, by which I mean services that start automatically at boot time. The advice here is: if you don’t need it, don’t start it, because every service you run leaves another port open for an attacker to try to break into your system.
There are several ways to know which ports are open on a certain workstation or server. One of them is the classic telnet to the port we want to test on the server; let’s say you want to test example.com and check if HTTP is up, you could do the following:
telnet example.com 80
If it gives us a blank screen, it means we successfully established a connection to example.com through port 80, which is the standard port for web servers. But doing this for all possible ports on a computer would be exhausting, and that’s where nmap comes in.
If you saw The Matrix Reloaded you might remember nmap from the scene where Trinity hacks into a server. And what does nmap do? Well, nmap returns the ports open on a host, and it tries to give you an accurate result about the current versions of the services you are running, the operating system and the kernel version.
You can download nmap from its home page at insecure.org. I will type a few nmap examples and try to explain what the different parameters mean; with no parameters nmap returns:
nmap example.com
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-01-16 20:36 PST
Interesting ports on www.example.com (192.0.34.166):
(The 1671 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
53/tcp closed domain
80/tcp open http
443/tcp closed https
Nmap finished: 1 IP address (1 host up) scanned in 24.720 seconds
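Reading scan output by eye works for three ports, but the useful defender’s habit is to compare what a scan reports with what you intended to expose. The following shell script is an added example, not part of the original article: it parses nmap’s normal output (a constructed copy of the scan above, with an extra open 22/tcp row added so the check has something to find) and reports any open port that is not on your allowlist. The port/proto allowlist format and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): compare the open ports an
# nmap run reports against the ports we intended to expose.
# Assumption: the scan is in nmap's normal (human-readable) output format,
# PORT / STATE / SERVICE columns, as shown in the article.

# Constructed sample: the article's scan output plus an open ssh port that
# the administrator did not expect to see.
SAMPLE_SCAN='Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-01-16 20:36 PST
Interesting ports on www.example.com (192.0.34.166):
(The 1670 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   closed domain
80/tcp   open   http
443/tcp  closed https
Nmap finished: 1 IP address (1 host up) scanned in 24.720 seconds'

# open_ports SCAN_TEXT
# Prints, on one line separated by spaces, every port/proto whose STATE
# column is "open". Lines that are not port rows (banner, header, summary)
# fail the first-column pattern and are skipped.
open_ports() {
    set -- $(printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }')
    echo "$*"
}

# unexpected_ports SCAN_TEXT ALLOWLIST
# ALLOWLIST is a space-separated list of port/proto entries we meant to
# expose (e.g. "80/tcp 443/tcp"). Prints the open ports that are not on
# it and returns 0 when there are none, 1 otherwise, so the function can
# drive a cron job or an alert.
unexpected_ports() {
    scan=$1
    allow=$2
    bad=""
    for port in $(open_ports "$scan"); do
        case " $allow " in
            *" $port "*) ;;                 # expected, nothing to report
            *) bad="$bad $port" ;;
        esac
    done
    echo "${bad# }"
    [ -z "$bad" ]
}

# Usage: a web server that should only answer on 80/tcp.
echo "open ports:       $(open_ports "$SAMPLE_SCAN")"
echo "unexpected ports: $(unexpected_ports "$SAMPLE_SCAN" "80/tcp")"
```

Fed with a real run (open_ports "$(nmap yourhost)") and an allowlist kept next to your firewall rules, the interesting output is not the ports you knew about but the line that appears after someone enables a service at boot.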
As you can see, it’s not saying much about the versions of the services we have installed, so we need to pass a few parameters to the nmap command in order to get more detailed info. Most of the scan types start with -s[X], where X selects the scan; here is a quick list:
-sS -> TCP Syn Scan
-sL -> List Scan
-sP -> Ping Scan
-sT -> TCP Connect Scan
-sU -> UDP scan
-sN -> TCP Null Scan
-sF -> FIN Scan
-sX -> Xmas Scan
-sA -> TCP ACK Scan
-sW -> TCP Window Scan
-sM -> Maimon Scan
-sI -> Idle Scan
-sO -> IP protocol Scan
-sV -> Version Detection
-sR -> RPC Scan
-O -> Enable OS detection
This is just to mention some of them; you can combine them however you wish. Here is a quick example:
nmap -sS -sU -O example.com
The full log of this run is attached as Nmap Log. As you can see if you download the attached file, there is a lot more info than just running it by itself with no parameters at all. And if you want to know the list of IP addresses behind a certain host, just use the list parameter like this:
nmap -sL example.com
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-01-16 21:25 PST
Host www.example.com (192.0.34.166) not scanned
Nmap finished: 1 IP address (0 hosts up) scanned in 0.007 seconds
Although it won’t secure your Linux server, it will give you a better picture of the info your Linux box is giving out to the rest of the world.
Something else some users forget is that the X server (XFree86) works as a server, and it is capable of accepting TCP connections. We want to make sure no one can make undesired connections to our X; if you are using startx to start X, then just do the following (the options after the double dash are passed to the X server itself):
startx -- -nolisten tcp
This will prevent attempts to send packets or connect to X through port 6000. In case you are using a graphical greeter (login manager) you can’t pass the -nolisten parameter on the command line, but you’ll have to add the following line to its configuration files; an example using XDM is below:
vi /etc/X11/xdm/Xservers
We have to add the line:
:0 local /usr/local/bin/X -auth /root/.Xauthority -nolisten tcp
Just remember: in Linux, things are what they say they are; if it says server, you can assume it’s a server.
Linux Firewall
Let’s talk about iptables, but before we rush into the details, let’s talk about its past.
If ipchains sounds familiar to you, then we could say you have heard about iptables’ father. Why is this? Well, iptables used to be ipchains, which worked on the 2.2.x kernels; after the 2.4 and 2.5 kernels were released, the firewall module became iptables instead of ipchains.
We could say that iptables is ipchains improved. If you are familiar with ipchains and you want to start using iptables, I suggest you go to netfilter.org and read Rusty’s How-To about the differences between ipchains and iptables; it will give you a better idea of how to migrate or reuse your policies.
I’m assuming you already know how IP addresses work on a network (or what an IP address is), along with basic knowledge of what NAT and DHCP are and what private and public IP addresses are.
As you might know, the net works with packets that are sent all over the network, and the firewall’s job is to determine whether to accept the packet, drop it and so on.
Every packet sent through the network, regardless of its kind or where it is being sent to, contains the following info:
* Source address
* Headers
* Body
* Destination address
And this is how the firewall knows how to treat the packet. iptables lives under /sbin, so you will only be able to interact with it from a privileged user account or the root account itself.
So let’s start with some iptables basics. Like its predecessor it works with chains, and by default it comes with 3 chains: INPUT, OUTPUT and FORWARD.
When something is sent to your host it goes to the INPUT chain; when it goes from your host to somewhere else it goes to the OUTPUT chain; and in a gateway scenario (a DHCP server for a LAN, for example), when someone on the network sends a packet somewhere and it has to go through the server first, it is automatically sent to the FORWARD chain without the end user or ourselves noticing anything.
Configuring iptables is easy; what’s hard is to build up the security policy for your host. These are the basic parameters for chain operations on the firewall:
-N -> Create new chain
-X -> Delete an empty chain
-L -> List the rules on all or just one chain
-P -> Change the policy for a chain
In a security-conscious environment or host, the policy for unknown packets, or anything unknown to the firewall, should always be DROP; we will talk about this later.
The basic parameters to manipulate rules inside a chain are the following:
-A -> Append new rule
-D -> Delete rule
The rest of them are just extensions of these two.
With this in mind, we can check our own policies:
iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
As you can see, we have ACCEPT as our policy; we can change that by doing the following:
iptables -P INPUT DROP
iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
Of course, if you don’t have any ACCEPT rule you will be disconnected from everywhere in the world. So if you are connected to your host directly through a service like SSH and you don’t have an ACCEPT rule under INPUT, you would be kicking yourself out of the server, and if you are not able to physically change it back you would have to ask someone else to do it or to reboot it (in both cases giving out the root password), or wait until you can do it yourself directly at the console. So if you are going to change the default policy, make sure you have at least enough ACCEPT rules not to kick yourself out; believe me, it happened to me once.
Anyway, let’s get our hands dirty. Before going any further: some of these examples were taken from Rusty’s How-To and some of them are ours; we just want to make sure to give Rusty proper credit for his work and efforts.
We will start with the basics, adding a simple rule to a chain.
As we know (or we should know), when we use the ping command on any host, what we are doing is sending an ICMP type 8 packet and waiting for the host to reply with an ICMP type 0 packet. This is how ping works: you speak and the host answers. In the following example we will block incoming pings to ourselves, and I’ll explain how this works:
ping 127.0.0.1 -c 4
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.082 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.090 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.089 ms
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.082/0.088/0.091/0.003 ms
So far this looks like the DOS ping; the only difference is that we have to specify how many packets we would like to send (-c 4).
iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
We are appending (-A) a new rule to the INPUT chain of the firewall, telling it to jump (-j) to DROP for anything that comes from (-s) 127.0.0.1 and is an ICMP packet (-p stands for protocol, not packet).
Now let’s ping ourselves again to see what happens:
ping 127.0.0.1 -c 4
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
Although this is not a practical example, it is valid, especially for showing the delete parameter (-D).
In order to delete a rule on any chain, in this case INPUT, there are 2 ways of doing it. The first one is using the rule number:
iptables -D INPUT 1
The other way is to type the exact same rule but use -D instead of -A, like this:
iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
Either one of them does the same thing: delete the only rule we have.
Let’s talk about source and destination. As we said when we started talking about iptables and the content of a packet, a packet carries a source and a destination address so the firewall knows how to deal with it or who it belongs to.
The firewall also knows which inbound and outbound network interfaces handle the packet; I’ll try to explain this.
As you can see the firewall by default comes with 3 basic chains INPUT, OUTPUT and FORWARD.
When a packet has our host as destination it goes to the INPUT chain, in the INPUT chain there is no outbound interface just inbound.
When we send a packet to any host it goes to the OUTPUT chain in the OUTPUT chain there is no inbound interface just outbound.
The FORWARD chain is the only chain that has both inbound and outbound interfaces, and this is due to routing scenarios where our host is the gateway/firewall: everything that goes out from any workstation behind it goes through the FORWARD chain of our host, is evaluated, and is finally forwarded to its destination if accepted.
IP address ranges can also be used; instead of having to write out every IP address of a network, you can simply use 192.168.0.0/24, which makes the rule valid for the whole class C network 192.168.0.0.
Also, for experienced or new developers who have just discovered the joy of using logical operators: you can use them in your firewall rules too, and we will show you one.
Why is this of any relevance? Well, easy: we can start building more advanced rules, so let’s start.
Let’s say we would like to DROP all the traffic that comes to our computer except for the traffic that comes from our network 192.168.0.0/24 to port 80.
I will show you how to do this in 2 different ways.
The first one: in this case we need to change the default policy of the INPUT chain to DROP; that way we make sure that anything that comes to our host is dropped unless there is a rule saying otherwise:
iptables -P INPUT DROP
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 80 -j ACCEPT
Basically, what we are doing is dropping everything except for traffic that comes from the network 192.168.0.0/24, is protocol TCP and is going to port 80.
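The lockout described earlier (a DROP policy applied before any ACCEPT rule exists) and the HTTP-only policy just shown are really one ordering problem. The following shell script is an added example, not part of the original article or of Rusty’s How-To: it builds the same INPUT policy, but installs the ACCEPT rules (loopback, established connections, the administrator’s SSH, HTTP from 192.168.0.0/24) before switching the policy to DROP, so the session you are running it from survives, and it refuses to apply anything if that order is ever broken. ADMIN_NET, the SSH port and the use of the state match (-m state --state ESTABLISHED,RELATED) are my assumptions; by default it only echoes the commands, and running it as root with IPT=iptables applies them.

```shell
#!/bin/sh
# Added example (not from the original article or Rusty's How-To): build the
# "DROP everything except HTTP from 192.168.0.0/24" INPUT policy in an order
# that cannot lock the administrator out of an SSH session.
# Assumptions (mine, not the article's): the admin reaches the host over SSH
# on port 22 from ADMIN_NET, and the kernel has the state match module.
# By default IPT only echoes the commands (dry run); run it as root with
# IPT=iptables to apply them for real.

IPT=${IPT:-"echo iptables"}
LAN_NET=${LAN_NET:-192.168.0.0/24}     # the network allowed to reach port 80
ADMIN_NET=${ADMIN_NET:-192.168.0.0/24} # assumption: where SSH admins come from

# build_input_chain [COMMAND]
# Emit (or apply) the INPUT chain using COMMAND (default: $IPT). ACCEPT
# rules go in first and the policy change goes last: switching the policy
# to DROP while the chain is still empty kills the very SSH session the
# commands are typed into.
build_input_chain() {
    ipt=${1:-$IPT}
    # Start from a clean chain but leave the policy at ACCEPT for now.
    $ipt -P INPUT ACCEPT
    $ipt -F INPUT
    # Loopback: many local services talk to 127.0.0.1.
    $ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (DNS answers, updates, ...).
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The administrator's SSH, so the policy change below cannot lock us out.
    $ipt -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
    # The service the article exposes: HTTP from the local network.
    $ipt -A INPUT -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT
    # Only now is it safe to drop everything else.
    $ipt -P INPUT DROP
}

# check_order
# Dry-run the builder and confirm the SSH ACCEPT rule is emitted before the
# DROP policy. Returns 0 when the order is safe, 1 otherwise.
check_order() {
    rules=$(build_input_chain "echo iptables")
    ssh_line=$(printf '%s\n' "$rules" | grep -nF -- '--dport 22' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -nF -- '-P INPUT DROP' | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

# Refuse to touch the firewall if the ordering check fails; otherwise emit
# (or, with IPT=iptables, apply) the rules in the order shown.
check_order || { echo "refusing: DROP policy would precede the SSH rule" >&2; exit 1; }
build_input_chain
```

Run it once as written to read the commands, compare them with iptables -L INPUT afterwards, and only then rerun with IPT=iptables; the policy line is deliberately the last thing emitted.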
Finally, I will list some of the most basic but powerful parameters for iptables.
-s Source (source from traffic)
-d Destination(destination for traffic)
-p Protocol (not case sensitive)
--sport Source port
--dport Destination port
-i Input interface
-o Output interface
-f Fragments
As you might notice there is an -f parameter that stands for fragments; you can drop all fragments of packets for a certain destination. I’ll use one of Rusty’s examples:
iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
This example would drop any fragment going to 192.168.1.1.
A fragment is nothing but a large packet chopped into little pieces so it can be sent through the network.
For more information on iptables read Rusty’s FAQs at netfilter.org, and try to read about flags.
System Audit
There are several ways to audit your system, but not many of them are as effective as the one we are about to talk about: Nessus.
How does Nessus work? Or, what is Nessus? Nessus is security audit software that will tell you about any recent or known vulnerability on your system. How does it work? Well, it gets automatically updated via the internet and has many plugins available for different tests; it can tell if one of your services is not working correctly, tell you why, and give you suggestions on the subject.
It currently works on Linux, Windows and Mac OS, and it can be ported to other Unix-like operating systems.
You can install Nessus on your Linux box with just one line:
lynx -source http://install.nessus.org | sh
This will download the script and execute it, or you could wget the source code from somewhere else and compile it yourself; the installation is pretty much up to you.
Once the installation has finished we have to start the Nessus server by typing:
nessusd &
Also, in order to connect to the Nessus server and run any sort of diagnosis on your box, you need to create a Nessus user. You can create a user by typing this:
nessus-adduser
Once you’re done with this we can start having fun with our brand new vulnerability scanner.
The GUI of the Nessus client is pretty intuitive: you connect to the Nessus server through port 1241, under host you should have localhost (which is your host), and as user, the user and password you just set up.
Once logged in you can jump to the scan tab; Nessus comes with a bunch of features like port range scan, services scan, plugins, etc., that will make your scan easier.
We are not discarding the network install tools such as apt or yum:
apt-get install nessus
or:
yum -y install nessus
This is much easier, but troublesome when you are not using a Debian- or Red Hat-based distro.
You can actually jump in on your own with this one. If you have any suggestions or you find errors in this document, feel free to email me at enrique.vidal at gmail dot com.