Red Hat ENTERPRISE LINUX 3 - SECURITY GUIDE Manual


Red Hat Enterprise Linux 3
Security Guide


Summary of Contents for Red Hat ENTERPRISE LINUX 3 - SECURITY GUIDE

  • Page 1 Red Hat Enterprise Linux 3 Security Guide...
  • Page 2 All other trademarks and copyrights referred to are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E...
  • Page 3: Table Of Contents

    Table of Contents
    Introduction ... i
      1. Document Conventions ... ii
      2. More to Come ... iv
        2.1. Send in Your Feedback ... iv
    I. A General Introduction to Security ... i
      1. Security Overview ... 1
        1.1. What is Computer Security? ... 1
        1.2. ...
  • Page 4
        7.6. Viruses and Spoofed IP Addresses ... 70
        7.7. IP6Tables ... 70
        7.8. Additional Resources ... 71
    III. Assessing Your Security ... 73
      8. Vulnerability Assessment ... 75
        8.1. Thinking Like the Enemy ... 75
        8.2. Defining Assessment and Testing ... 75
        8.3. ...
  • Page 5: Introduction

    • Red Hat Enterprise Linux Reference Guide provides detailed information suited for more experienced users to refer to when needed, as opposed to step-by-step instructions. HTML, PDF, and RPM versions of the manuals are available on the Red Hat Enterprise Linux Documentation CD and online at http://www.redhat.com/docs/.
  • Page 6: Document Conventions

    Linux Release Notes for information that may not have been available prior to our documentation being finalized. They can be found on the Red Hat Enterprise Linux CD #1 and online at http://www.redhat.com/docs/. 1. Document Conventions When you read this manual, certain words are represented in different fonts, typefaces, sizes, and weights.
  • Page 7 Introduction. text found on a GUI interface: A title, word, or phrase found on a GUI interface screen or window is shown in this style. Text shown in this style is being used to identify a particular GUI screen or an element on a GUI screen (such as text associated with a checkbox or field).
  • Page 8: More To Come

    Introduction The directory for the kernel source is /usr/src/version-number/, where version-number is the version of the kernel installed on this system. Additionally, we use several different strategies to draw your attention to certain pieces of information. In order of how critical the information is to your system, these items are marked as note, tip, important, caution, or a warning.
  • Page 9: Send In Your Feedback

    If you spot a typo in the Red Hat Enterprise Linux Security Guide, or if you have thought of a way to make this manual better, we would love to hear from you! Submit a report in Bugzilla (http://bugzilla.redhat.com/bugzilla/) against the component rhel-sg. Be sure to mention the manual’s identifier: rhel-sg(EN)-3-Print-RHI (2003-07-25T17:12). By mentioning the identifier, we know exactly which version of the guide you have.
  • Page 10 Introduction...
  • Page 11: A General Introduction To Security

    I. A General Introduction to Security This part defines information security, its history, and the industry that has developed to address it. It also discusses some of the risks that computer users or administrators face. Table of Contents 1. Security Overview ........................... 1 2.
  • Page 13: Security Overview

    Chapter 1. Security Overview Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to prop- erly audit systems and tailor solutions to fit the operating requirements of the organization.
  • Page 14 Chapter 1. Security Overview more information) that prompted organizations across all industries to rethink the way they handle information transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security. An ever-growing number of people are using their personal computers to gain access to the resources that the Internet has to offer.
  • Page 15 Chapter 1. Security Overview 1.1.2.3. The 1980s
    • IBM develops and markets PCs based on the Intel 8086 microprocessor, a relatively inexpensive architecture that brought computing from the office to the home. This serves to commodify the PC as a common and accessible tool that was fairly powerful and easy to use, aiding in the proliferation of such hardware in the homes and offices of malicious users.
  • Page 16 Chapter 1. Security Overview
    • Kevin Poulsen and an unknown accomplice rig radio station phone systems to win cars and cash prizes. He is convicted for computer and wire fraud and is sentenced to 5 years in prison.
    • The stories of cracking and phreaking become legend, and several prospective crackers convene at ...
  • Page 17: Security Controls

    Chapter 1. Security Overview This three-tiered model is a generally accepted component to assessing risks of sensitive information and establishing security policy. The following describes the CIA model in further detail:
    • Confidentiality — Sensitive information must be available only to a set of pre-defined individuals.
    • ...
  • Page 18: Conclusion

    Chapter 1. Security Overview
    • File integrity auditing software
    1.2.3. Administrative Controls Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:
    • Training and awareness
    • ...
  • Page 19: Attackers And Vulnerabilities

    Chapter 2. Attackers and Vulnerabilities To plan and implement a good security strategy, first be aware of some of the issues which determined, motivated attackers exploit to compromise systems. But before detailing these issues, the terminology used when identifying an attacker must be defined. 2.1.
  • Page 20: Threats To Server Security

    Chapter 2. Attackers and Vulnerabilities 2.2. Threats to Network Security Bad practices when configuring the following aspects of a network can increase the risk of attack. 2.2.1. Insecure Architectures A misconfigured network is a primary entry point for unauthorized users. Leaving a trust-based, open local network vulnerable to the highly-insecure Internet is much like leaving a door ajar in a crime-ridden neighborhood —...
  • Page 21 Chapter 2. Attackers and Vulnerabilities 2.3.2. Unpatched Services Most server applications that are included in a default installation are solid, thoroughly tested pieces of software. Having been in use in production environments for many years, their code has been thoroughly refined and many of the bugs have been found and fixed. However, there is no such thing as perfect software and there is always room for further refinement.
  • Page 22: Threats To Workstation And Home Pc Security

    Chapter 2. Attackers and Vulnerabilities between the remote service and the unsuspecting user capturing information. In this way a cracker can gather administrative passwords and raw data without the server or the user realizing it. Another category of insecure services include network file systems and information services such as NFS or NIS, which are developed explicitly for LAN usage but are, unfortunately, extended to include WANs (for remote users).
  • Page 23: Configuring Red Hat Enterprise Linux For Security

    II. Configuring Red Hat Enterprise Linux for Security This part informs and instructs administrators on proper techniques and tools to use when securing Red Hat Enterprise Linux workstations, Red Hat Enterprise Linux servers, and network resources. It also discusses how to make secure connections, lock down ports and services, and implement active filtering to prevent network intrusion.
  • Page 25: Security Updates

    To apply the update, use the Red Hat Update Agent or schedule the package to be updated through the website http://rhn.redhat.com. Red Hat Enterprise Linux includes the Red Hat Network Alert Notification Tool, a convenient panel icon that displays visible alerts when there is an update for a Red Hat Enterprise Linux system.
  • Page 26 When security errata reports are released, they are published on the Red Hat Errata website available at http://www.redhat.com/apps/support/errata/. From this page, select the product and version for your system, and then select security at the top of the page to display only Red Hat Enterprise Linux Security Advisories.
  • Page 27 Chapter 3. Security Updates After verifying the GPG key and downloading all the packages associated with the errata report, install the packages as root at a shell prompt. This can be done safely for most packages (except kernel packages) by issuing the following command:
        rpm -Uvh /tmp/updates/*.rpm
    Kernel packages are the exception because an upgrade (-U) removes the previous kernel; installing the new kernel alongside it keeps a known-good kernel available to boot if the new one fails. For kernel packages it is advised that the following command be used:...
  • Page 28 Chapter 3. Security Updates Applications User-space applications are any programs which can be initiated by a system user. Typically, such applications are used only when a user, script, or automated task utility launches them and do not persist for long periods of time. Once such a user-space application is updated, halt any instances of the application on the system and launch the program again to use the updated version.
  • Page 29 Chapter 3. Security Updates
        ps -aux | grep imap
    This command returns all active IMAP sessions (the pattern also matches the grep command itself, which shows up as one extra line). Individual sessions can then be terminated by issuing the following command:
        kill -9 PID
    In the previous example, replace PID with the process identification number for an IMAP session. Note that -9 (SIGKILL) gives the process no chance to clean up; sending a plain kill PID (SIGTERM) first and falling back to -9 only if the process does not exit is the gentler sequence.
  • Page 30 Chapter 3. Security Updates...
  • Page 31: Workstation Security

    Chapter 4. Workstation Security Securing a Linux environment begins with the workstation. Whether locking down a personal machine or securing an enterprise system, sound security policy begins with the individual computer. After all, a computer network is only as secure as the weakest node. 4.1.
  • Page 32 Chapter 4. Workstation Security 2. Preventing System Booting — Some BIOSes allow password protection of the boot process. When activated, an attacker is forced to enter a password before the BIOS launches the boot loader. Because the methods for setting a BIOS password vary between computer manufacturers, consult the computer’s manual for specific instructions.
  • Page 33 Chapter 4. Workstation Security Replace password-hash with the value returned by /sbin/grub-md5-crypt. The next time the system boots, the GRUB menu does not allow access to the editor or command interface without first pressing [p] followed by the GRUB password. Unfortunately, this solution does not prevent an attacker from booting into a non-secure operating system in a dual-boot environment.
  • Page 34: Password Security

    Chapter 4. Workstation Security Important: When editing /etc/lilo.conf, the command /sbin/lilo -v -v must be run for the changes to take effect. If a password has been configured and anyone other than root can read the file, LILO installs properly, but notifies the user that the permissions on the configuration file are incorrect. If a global password is not desirable, the password directive can be added to any stanza corresponding to any kernel or operating system.
  • Page 35 Chapter 4. Workstation Security cracking attacks. If an intruder can gain access to the machine as a regular user, he can copy the /etc/passwd file to his own machine and run any number of password cracking programs against it. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.
  • Page 36 Chapter 4. Workstation Security Some insecure examples include the following:
      • H4X0R
      • 1337
    • Do Not Use Personal Information — Steer clear of personal information. If the attacker knows your identity, the task of deducing your password becomes easier. The following is a list of the types of information to avoid when creating a password:
      • Your name...
  • Page 37 Chapter 4. Workstation Security With all these rules, it may seem difficult to create a password meeting all of the criteria for good passwords while avoiding the traits of a bad one. Fortunately, there are some steps one can take to generate a memorable, secure password.
  • Page 38 There are two primary programs used to specify password aging under Red Hat Enterprise Linux: the chage command or the graphical User Manager (redhat-config-users) application. The -M option of the chage command specifies the maximum number of days the password is valid. So, for instance, to set a user’s password to expire in 90 days, type the following command:...
  • Page 39: Administrative Controls

    Groups or type the command redhat-config-users at a shell prompt (for example, in an XTerm or a GNOME terminal). Click on the Users tab, select the user from the user list, and click Properties from the button menu (or choose File => Properties from the pull-down menu).
  • Page 40 Chapter 4. Workstation Security network devices are impossible without administrative access. As a result system administrators must decide how much administrative access the users on their network should receive. 4.4.1. Allowing Root Access If the users within an organization are a trusted, computer-savvy group, then allowing them root access may not be a bad thing.
  • Page 41 Chapter 4. Workstation Security
    Method                 Description                              Effects                              Does Not Affect
    Disabling root access  An empty /etc/securetty file prevents    Prevents access to the root          Programs that do not log in as
                           root login on any ...                    account via the console or the       root, but perform ...
                                                                    network.
  • Page 42 Chapter 4. Workstation Security 4.4.2.2. Disabling Root Logins To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface.
  • Page 43 Settings => Users & Groups or type the command redhat-config-users at a shell prompt. Select the Users tab, select the user from the user list, and click Properties from the button menu (or choose File => Properties from the pull-down menu).
  • Page 44 Chapter 4. Workstation Security Next, open the PAM configuration file for su (/etc/pam.d/su) in a text editor and remove the comment [#] from the following line:
        auth required /lib/security/pam_wheel.so use_uid
    Doing this permits only members of the administrative group wheel to use the su program. Note: The root user is part of the...
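    Both controls just described (the device list in /etc/securetty and the pam_wheel line in /etc/pam.d/su) are easy to check mechanically. The following is an added example, not code from the guide: it works on file contents passed in as strings, so it runs against the constructed samples embedded below or against the real files on a host. The /etc/pam.d/su sample mirrors the RHEL 3 layout with the pam_wheel line still commented out, which is the state the guide tells you to change; the securetty samples are illustrative.

```python
"""Check the two root-access controls this section describes: the list of
devices in /etc/securetty and the pam_wheel line in /etc/pam.d/su.

Added example, not from the guide. It works on file contents passed in as
strings so it can run against the constructed samples below or against the
real files on a system (read them with open(...).read()).
"""
from __future__ import annotations

import re

PAM_SU_DEFAULT = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so
"""

# Same file after the edit the guide asks for: the "required ... use_uid"
# line uncommented. The "trust" line stays commented (see below).
PAM_SU_HARDENED = "\n".join(
    line[1:] if "pam_wheel.so use_uid" in line and "trust" not in line else line
    for line in PAM_SU_DEFAULT.splitlines()
) + "\n"

SECURETTY_DEFAULT = "console\nvc/1\nvc/2\ntty1\ntty2\nttyS0\n"
SECURETTY_CONSOLE_ONLY = "console\ntty1\n"

WHEEL_RE = re.compile(r"^\s*auth\s+(required|requisite)\s+\S*pam_wheel\.so\b(.*)$")


def wheel_required_for_su(pam_su_text: str) -> bool:
    """True only if an uncommented 'auth required|requisite ... pam_wheel.so'
    line exists. The 'sufficient ... trust' variant is the opposite control
    (it lets wheel members su without a password) and does not count."""
    for line in pam_su_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = WHEEL_RE.match(line)
        if m and "trust" not in m.group(2).split():
            return True
    return False


def securetty_report(securetty_text: str | None) -> dict:
    """Summarise where root may log in. None means the file does not exist,
    which (as the guide notes) lets root log in on any device."""
    if securetty_text is None:
        return {"root_login_anywhere": True, "devices": [], "serial_devices": []}
    devices = [l.strip() for l in securetty_text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    return {
        "root_login_anywhere": False,
        "devices": devices,
        # serial lines are reachable by anyone with a cable to the port
        "serial_devices": [d for d in devices if d.startswith("ttyS")],
    }


def audit(pam_su_text: str, securetty_text: str | None) -> list[str]:
    problems = []
    if not wheel_required_for_su(pam_su_text):
        problems.append("/etc/pam.d/su: pam_wheel is not required; any user may attempt su")
    tty = securetty_report(securetty_text)
    if tty["root_login_anywhere"]:
        problems.append("/etc/securetty missing: root may log in on any device")
    for dev in tty["serial_devices"]:
        problems.append(f"/etc/securetty allows direct root login on serial line {dev}")
    return problems


if __name__ == "__main__":
    for p in audit(PAM_SU_DEFAULT, SECURETTY_DEFAULT):
        print(p)
```

    The check deliberately distinguishes the two pam_wheel lines in the stock file: only the required line restricts su to the wheel group, while the sufficient ... trust line does the opposite and would let wheel members become root without a password, so uncommenting the wrong one weakens the system.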
  • Page 45: Available Network Services

    Chapter 4. Workstation Security
        %users localhost=/sbin/shutdown -h now
    This example states that any member of the users group can issue the command /sbin/shutdown -h now on the host localhost. Note that the host field of a sudoers entry is matched against the machine’s hostname, not against the terminal the command is typed on, so this line does not by itself restrict the command to the physical console. The sudoers man page has a detailed listing of options for this file. 4.5.
  • Page 46 Red Hat Enterprise Linux ships with three programs designed to switch services on or off. They are the Services Configuration Tool (redhat-config-services), ntsysv, and chkconfig. For information on using these tools, refer to the chapter titled Controlling Access to Services in the Red Hat Enterprise Linux System Administration Guide.
  • Page 47: Personal Firewalls

    Chapter 4. Workstation Security Also, remote memory dump services, like netdump, pass the contents of memory over the network unencrypted. Memory dumps can contain passwords or, even worse, database entries and other sensitive information. Other services like finger and rwhod reveal information about users of the system. Examples of inherently insecure services include the following:...
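    Whether any of these services is actually switched on is answered by chkconfig --list, whose output covers both SysV-style services (per runlevel) and services started through xinetd. The following is an added example, not code from the guide, that parses that output and flags the services this section calls out; the sample output is constructed to look like a RHEL 3 host, and the INSECURE table is illustrative rather than an exhaustive policy.

```python
"""Flag insecure or unnecessary services that are switched on, using the
output format of 'chkconfig --list'.

Added example, not from the guide. The sample output is constructed to look
like a RHEL 3 host, and the INSECURE table follows the services this section
calls out (cleartext logins, rsh-style services, finger, rwhod, netdump)
rather than being an exhaustive policy; extend it for your own environment.
"""
from __future__ import annotations

import re

CHKCONFIG_SAMPLE = """\
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
telnet          0:off   1:off   2:off   3:on    4:on    5:on    6:off
rwhod           0:off   1:off   2:off   3:on    4:off   5:on    6:off
netdump         0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        finger: on
        rsh:    off
        rlogin: on
        swat:   off
"""

INSECURE = {
    "telnet":  "cleartext login; use OpenSSH (sshd) instead",
    "rsh":     "cleartext, host-trust based login",
    "rlogin":  "cleartext, host-trust based login",
    "rexec":   "cleartext remote execution",
    "finger":  "reveals information about users",
    "rwhod":   "broadcasts who is logged in",
    "netdump": "sends memory dumps over the network unencrypted",
    "ypbind":  "NIS client: unauthenticated, cleartext",
}

SYSV_RE = re.compile(r"^(\S+)\s+((?:\d:(?:on|off)\s*)+)$")
XINETD_RE = re.compile(r"^\s+(\S+):\s+(on|off)\s*$")


def parse_chkconfig(text: str) -> dict[str, set]:
    """Return {service: runlevels in which it is on}. Services managed by
    xinetd get the pseudo-runlevel 'xinetd' when enabled."""
    enabled: dict[str, set] = {}
    for line in text.splitlines():
        m = SYSV_RE.match(line)
        if m:
            enabled[m.group(1)] = {
                int(level) for level, state in re.findall(r"(\d):(on|off)", m.group(2))
                if state == "on"
            }
            continue
        m = XINETD_RE.match(line)
        if m:
            enabled[m.group(1)] = {"xinetd"} if m.group(2) == "on" else set()
    return enabled


def flag_insecure(text: str, runlevels=(3, 4, 5)) -> list[tuple[str, str]]:
    """Services from INSECURE that are on in a multi-user runlevel or via xinetd."""
    flagged = []
    for svc, levels in parse_chkconfig(text).items():
        if svc in INSECURE and (levels & set(runlevels) or "xinetd" in levels):
            flagged.append((svc, INSECURE[svc]))
    return flagged


if __name__ == "__main__":
    # On a real host: flag_insecure(subprocess.check_output(["chkconfig", "--list"], text=True))
    for svc, why in flag_insecure(CHKCONFIG_SAMPLE):
        print(f"{svc:10} {why}")
```

    A service that is off in runlevels 3 to 5 but on in runlevel 2 is not flagged by default because the machine never boots into it; pass runlevels=(2, 3, 4, 5) if your hosts do. xinetd services have no runlevels of their own, so they are reported whenever they are on.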
  • Page 48: Security Enhanced Communication Tools

    Chapter 4. Workstation Security (redhat-config-securitylevel). This tool creates broad rules for a general-purpose iptables firewall using a control panel interface. For more information about using this application and what options it offers, refer to the chapter titled Basic Firewall Configuration in the Red Hat Enterprise Linux System Administration Guide.
  • Page 49: Server Security

    Chapter 5. Server Security When a system is used as a server on a public network, it becomes a target for attacks. For this reason, hardening the system and locking down services is of paramount importance for the system administrator. Before delving into specific issues, review the following general tips for enhancing server security: Keep all services up to date to protect against the latest threats.
  • Page 50 Chapter 5. Server Security The contents of the file look like this:
        220-Hello, %c
        220-All activity on ftp.example.com is logged.
        220-Act up and you will be banned.
    The %c token supplies a variety of client information, such as the username and hostname, or the username and IP address to make the connection even more intimidating.
  • Page 51 Chapter 5. Server Security 5.1.2. Enhancing Security With xinetd The xinetd super server is another useful tool for controlling access to its subordinate services. This section focuses on how xinetd can be used to set a trap service and control the amount of resources any given service can use to thwart denial of service attacks.
  • Page 52: Securing Nis

    Chapter 5. Server Security
    • rlimit_cpu = number_of_seconds — Dictates the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or UNLIMITED.
    Using these directives can help prevent any one xinetd service from overwhelming the system, resulting in a denial of service.
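    Two complete /etc/xinetd.d stanzas, as an added example that is not configuration from the guide: the first applies the resource limits together on one real service, the second is the trap service mentioned at the start of this section. The service names and the limit values are illustrative starting points to tune, not Red Hat recommendations. With flags = SENSOR, xinetd does not start the listed server at all; it logs the connection and adds the client address to its global no_access list for deny_time minutes. xinetd's documentation notes that a sensor does not detect stealth scans, and it should only be put on a port nothing legitimate ever uses.

```conf
# /etc/xinetd.d/pop3 (hypothetical): a real service with per-service limits.
# Comments in xinetd files must sit on their own lines.
service pop3
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/ipop3d
        # at most 30 simultaneous instances of this service in total
        instances       = 30
        # ...and at most 5 from any single client address
        per_source      = 5
        # more than 10 new connections per second: stop accepting for 30 seconds
        cps             = 10 30
        # seconds of CPU time a single instance may consume
        rlimit_cpu      = 30
        # address space (virtual memory) a single instance may use
        rlimit_as       = 64M
        log_type        = SYSLOG authpriv
        log_on_failure += USERID
}

# /etc/xinetd.d/telnet (hypothetical): telnet is not offered at all. xinetd
# answers the port itself, logs the connection, and blocks the client
# address for deny_time minutes.
service telnet
{
        disable         = no
        flags           = SENSOR
        deny_time       = 30
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_success += HOST
}
```

    After editing, restart xinetd (service xinetd restart) and watch the authpriv log: a burst of per_source or cps refusals from a single address during normal operation usually means the limits are set too low for that client rather than that it is attacking.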
  • Page 53 Chapter 5. Server Security
    • /usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
    • /usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
    • ...
  • Page 54 Chapter 5. Server Security Below is a sample entry from a /var/yp/securenets file:
        255.255.255.0 192.168.0.0
    Warning: Never start an NIS server for the first time without creating the /var/yp/securenets file. This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services.
  • Page 55: Securing Nfs

    Chapter 5. Server Security 5.4. Securing NFS The Network File System or NFS is an RPC service used in conjunction with portmap and other related services to provide network accessible file systems for client machines. For more information on how NFS works, refer to the chapter titled Network File System (NFS) in the Red Hat Enterprise Linux Reference Guide.
  • Page 56: Securing The Apache Http Server

    Enterprise Linux Reference Guide, the chapter titled Apache HTTP Server Configuration in the Red Hat Enterprise Linux System Administration Guide, and the Stronghold manuals, available at http://www.redhat.com/docs/manuals/stronghold/. Below is a list of configuration options administrators should be careful using. 5.5.1.
  • Page 57: Securing Ftp

    Chapter 5. Server Security 5.6. Securing FTP The File Transport Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is consid- ered an insecure protocol and should be carefully configured. Red Hat Enterprise Linux provides three FTP servers.
  • Page 58 Chapter 5. Server Security 5.6.2. Anonymous Access The presence of the /var/ftp/ directory activates the anonymous account. The easiest way to create this directory is to install the vsftpd package. This package sets a directory tree up for anonymous users and configures the permissions on directories to read-only for anonymous users.
  • Page 59: Securing Sendmail

    Chapter 5. Server Security 5.6.3.1. Restricting User Accounts The easiest way to disable a specific group of accounts, such as the root user and those with sudo privileges, from accessing an FTP server is to use a PAM list file as described in Section 4.4.2.4 Disabling Root Using PAM.
  • Page 60: Verifying Which Ports Are Listening

    Chapter 5. Server Security Because NFS does not maintain control over user and group IDs, two or more users can have the same UID and therefore receive and read each other’s mail. 5.7.3. Mail-only Users To help prevent local user exploits on the Sendmail server, it is best for mail users to only access the Sendmail server using an email program.
  • Page 61 Chapter 5. Server Security
        netstat -anp | grep 834
    The command returns the following output:
        0 0.0.0.0:834 0.0.0.0:* LISTEN 653/ypbind
    The presence of the open port in netstat is reassuring because a cracker opening a port surreptitiously on a hacked system would likely not allow it to be revealed through this command. Also, the -p option reveals the process id (PID) of the service which opened the port. This is a weak signal on its own, since a replaced netstat binary or a kernel module can hide sockets; compare the output with a port scan of the host run from another machine.
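    Looking up one port at a time, as above, does not tell you whether the full set of listeners is what the host is supposed to offer. The following is an added example, not code from the guide: it parses the whole of netstat -anp, compares every listening socket against an expected list, and additionally flags a service meant for local use only that is bound to 0.0.0.0 (all interfaces). The sample output is constructed in the format netstat prints on RHEL 3, and the EXPECTED policy is illustrative for this host.

```python
"""Parse 'netstat -anp' output and compare the listening sockets with what
the host is supposed to offer.

Added example, not from the guide. The sample output is constructed in the
format netstat prints on RHEL 3, and EXPECTED is an illustrative policy for
this host. Two checks the guide's one-port lookup does not make: every
listener must be on the expected list, and a service meant for local use
only must not be bound to 0.0.0.0 (all interfaces).
"""
from __future__ import annotations

import re

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:834             0.0.0.0:*               LISTEN      653/ypbind
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      612/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      745/sendmail: accep
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.0.5:22          192.168.0.9:48210       ESTABLISHED 905/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           612/portmap
"""

# (proto, port) -> (program, where it may bind). Constructed policy.
EXPECTED = {
    ("tcp", 22):  ("sshd", "any"),
    ("tcp", 25):  ("sendmail", "localhost"),   # accepts local mail only
    ("tcp", 111): ("portmap", "any"),
    ("udp", 111): ("portmap", "any"),
    ("tcp", 834): ("ypbind", "any"),
}

LINE_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(LISTEN\s+)?(\S+)")


def parse_listeners(text: str) -> list[dict]:
    """Listening TCP sockets and bound UDP sockets, with PID/program when
    netstat was run as root (otherwise the column shows '-')."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state, pidprog = m.groups()
        if proto == "tcp" and not state:
            continue                      # ESTABLISHED, TIME_WAIT, ...
        pid, _, prog = pidprog.partition("/")
        out.append({"proto": proto, "addr": addr, "port": int(port),
                    "pid": None if pid == "-" else int(pid),
                    "prog": prog.rstrip(":")})
    return out


def audit_listeners(text: str, expected=EXPECTED) -> list[str]:
    findings = []
    for s in parse_listeners(text):
        key = (s["proto"], s["port"])
        if key not in expected:
            who = (f'{s["prog"]} (pid {s["pid"]})' if s["pid"]
                   else "unknown process (run netstat as root for the PID)")
            findings.append(f'unexpected {s["proto"]}/{s["port"]} listener: {who}')
            continue
        prog, bind = expected[key]
        if s["prog"] and s["prog"] != prog:
            findings.append(f'{s["proto"]}/{s["port"]} is served by {s["prog"]}, expected {prog}')
        if bind == "localhost" and s["addr"] not in ("127.0.0.1", "::1"):
            findings.append(f'{prog} on {s["proto"]}/{s["port"]} is bound to {s["addr"]}, expected 127.0.0.1')
    return findings


if __name__ == "__main__":
    # On a real host: audit_listeners(subprocess.check_output(["netstat", "-anp"], text=True))
    for f in audit_listeners(NETSTAT_SAMPLE):
        print(f)
```

    The program column is truncated by netstat (sendmail: accep in the sample), which is why the comparison is made on the part before the first space and trailing colon; UDP sockets carry no state column, so every bound UDP socket is treated as a listener.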
  • Page 62 Chapter 5. Server Security...
  • Page 63: Virtual Private Networks

    Chapter 6. Virtual Private Networks Organizations with several satellite offices often connect to each other with dedicated lines for effi- ciency and protection of sensitive data in transit. For example, many businesses use frame relay or Asynchronous Transfer Mode (ATM) lines as an end-to-end networking solution to link one office with others.
  • Page 64: Why Use Cipe

    Chapter 6. Virtual Private Networks 6.2. Crypto IP Encapsulation (CIPE) CIPE is a VPN implementation developed primarily for Linux. CIPE uses encrypted IP packets that are encapsulated, or wrapped, in datagram (UDP) packets. CIPE packets are given destination header information and are encrypted using the default CIPE encryption mechanism. The packets are then transferred over IP as UDP packets via the CIPE virtual network device (cipcbx) over a carrier net- work to an intended remote node.
  • Page 65: Cipe Installation

    Chapter 6. Virtual Private Networks
    • CIPE is actively developed to work in conjunction with iptables, ipchains and other rules-based firewalls. Peer acceptance of incoming CIPE UDP packets is all that is needed to coexist with existing firewall rules.
    • CIPE configuration is done through text files, allowing administrators to configure their CIPE ...
  • Page 66: Configuring Clients For Cipe

    Chapter 6. Virtual Private Networks
        ptpaddr         6.5.4.3
        # our CIPE device's IP address
        ipaddr          6.7.8.9
        # my UDP address. Note: if you set port 0 here, the system will pick
        # one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
        me              bigred.inka.de:6789
        # ...and the UDP address we connect to.
  • Page 67 Chapter 6. Virtual Private Networks /etc/sysconfig/network-scripts/ifcfg-cipcb0. This file contains parameters that determine whether the CIPE connection occurs at boot-time, what the name of the CIPE device is, and more. The following is the ifcfg-cipcb0 file for a remote client connecting to the CIPE server:
        DEVICE=cipcb0
        ONBOOT=yes...
  • Page 68: Customizing Cipe

    Chapter 6. Virtual Private Networks The ip-up script excerpt, laid out as shell. The opening test that the excerpt's else belongs to is reconstructed from context, and the empty-variable test is corrected: the original [ -n ${PEERROUTEDEV} ] is always true when the variable is unset (an unquoted empty variable leaves a one-argument test), so the fallback route lookup never ran; [ -z "${PEERROUTEDEV}" ] tests what the message says.
        if [ -f /etc/sysconfig/network-scripts/ifcfg-$1 ]; then
            . /etc/sysconfig/network-scripts/ifcfg-$1
        else
            cat <<EOT | logger
        Cannot find config file ifcfg-$1. Exiting.
        EOT
            exit 1
        fi

        if [ -z "${PEERROUTEDEV}" ]; then
            cat <<EOT | logger
        Cannot find a default route to send cipe packets through!
        Punting and hoping for the best.
        EOT
            # Use routing table to determine peer gateway
            export PEERROUTEDEV=`/sbin/route -n | grep ^0.0.0.0 | head -n 1 \
                | awk '{ print $NF }'`
        fi
  • Page 69: Cipe Key Management

    Chapter 6. Virtual Private Networks
    Parameter   Description
    ...         Passes arguments to the initialization script /etc/cipe/ip-up
    cttl        Sets the Carrier Time To Live (TTL) value; recommended value is 64
    debug       Boolean value to enable debugging
    device      Names the CIPE device
    ipaddr      Publicly-routable IP address of the CIPE machine
    ...         Choose an alternate script than the default...
  • Page 70: Ipsec

    Chapter 6. Virtual Private Networks 6.9. IPsec Red Hat Enterprise Linux supports a protocol for connecting remote hosts and networks to each other using a secure tunnel on a common carrier network such as the Internet. The protocol, called IPsec, can be implemented using a host-to-host (one computer workstation to another) or network-to-network (one LAN/WAN to another).
  • Page 71 Chapter 6. Virtual Private Networks
    • A unique name to identify the IPsec connection and distinguish it from other devices or connections (for example, ipsec0)
    • A fixed encryption key or one automatically generated by racoon
    • A pre-shared authentication key that is used to initiate the connection and exchange encryption keys
    • ...
  • Page 72: Ipsec Network-To-Network Configuration

    Chapter 6. Virtual Private Networks
            pfs_group 2;
            lifetime time 1 hour ;
            encryption_algorithm 3des, blowfish 448, rijndael ;
            authentication_algorithm hmac_sha1, hmac_md5 ;
            compression_algorithm deflate ;
        include "/etc/racoon/X.X.X.X.conf"
    The algorithm lists are proposals in order of preference; on a current system list rijndael (AES) first and drop hmac_md5, which is no longer an appropriate integrity algorithm. To start the connection, either reboot the workstation or execute the following command as root on each host:
        /sbin/ifup ipsec0
    To test the IPsec connection, run the...
  • Page 73 Chapter 6. Virtual Private Networks
    • A unique name to identify the IPsec connection and distinguish it from other devices or connections (for example, ipsec0)
    • A fixed encryption key or one automatically generated by racoon
    • A pre-shared authentication key that is used to initiate the connection and exchange encryption keys
    • ...
  • Page 74 Chapter 6. Virtual Private Networks To change the authentication key at any time, edit the keys-ipsecX file on both IPsec routers. Both keys must be identical for proper connectivity. The following is the /etc/racoon/racoon.conf configuration file for the IPsec connection. Note that the include line at the bottom of the file appears only if presently connected to the IPsec tunnel...
  • Page 75 Chapter 6. Virtual Private Networks To test the IPsec connection, run the tcpdump utility on the externally-routable device (eth0 in this example) to view the network packets being transferred between the hosts (or networks) and verify that they are encrypted via IPsec. For example, to check the IPsec connectivity of LAN A, type the following:
        tcpdump -n -i eth0 host lana.example.com
    The packet should include an AH header and should be shown as ESP packets.
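    Reading the tcpdump output by eye is fine for a quick look; for a longer capture the question is whether anything between the two endpoints was not ESP or AH. The following is an added example, not code from the guide: it classifies each tcpdump line and reports cleartext packets exchanged between two endpoints. The capture lines are constructed in the style of tcpdump -n -i eth0 on RHEL 3 with documentation-range addresses; nothing here comes from a real tunnel. IKE (isakmp on UDP 500) is expected to be visible, so it is counted separately rather than as a leak.

```python
"""Check from tcpdump output that traffic between two IPsec endpoints is
really protected.

Added example, not from the guide. The capture lines are constructed in the
style of 'tcpdump -n -i eth0' on RHEL 3 and the addresses are documentation
ranges; nothing here comes from a real tunnel. Any packet between the two
endpoints that is neither ESP/AH nor IKE (isakmp, the key exchange that is
expected to be visible on UDP 500) is reported, which is the failure mode to
look for when the tunnel is 'up' but traffic still leaves in the clear.
"""
from __future__ import annotations

import re

CAPTURE = """\
10:01:02.000001 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1)
10:01:02.000452 198.51.100.20 > 203.0.113.10: ESP(spi=0x9f8e7d6c,seq=0x1)
10:01:03.120000 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others ? inf[E]: [encrypted hash]
10:01:04.000300 203.0.113.10.22 > 198.51.100.20.41224: S 1234567890:1234567890(0) win 5840
10:01:05.000100 203.0.113.10 > 198.51.100.20: AH(spi=0x00001234,seq=0x2): ESP(spi=0x0a1b2c3d,seq=0x2)
10:01:06.000000 203.0.113.10 > 192.0.2.77: icmp: echo request
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?\s+>\s+(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:\s+(.*)$"
)


def classify(line: str) -> dict | None:
    """One tcpdump line -> timestamp, endpoints, ports and a kind:
    'ipsec' (ESP or AH), 'ike' (isakmp) or 'clear' (anything else)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, sport, dst, dport, payload = m.groups()
    if payload.startswith(("ESP(", "AH(")):
        kind = "ipsec"
    elif payload.startswith("isakmp"):
        kind = "ike"
    else:
        kind = "clear"
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "kind": kind, "summary": payload[:48]}


def leaks(capture: str, a: str, b: str) -> list[dict]:
    """Packets exchanged between endpoints a and b that are not ESP, AH or IKE."""
    found = []
    for line in capture.splitlines():
        p = classify(line)
        if p and {p["src"], p["dst"]} == {a, b} and p["kind"] == "clear":
            found.append(p)
    return found


if __name__ == "__main__":
    for p in leaks(CAPTURE, "203.0.113.10", "198.51.100.20"):
        print(f'{p["ts"]} CLEARTEXT {p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} {p["summary"]}')
```

    In the sample the fourth line is an SSH SYN travelling directly between the gateways outside the tunnel, which is exactly what a selector mismatch in the security policy looks like from the wire. Run the capture on the external interface, as the guide says; on the internal interface everything is expected to be in the clear.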
  • Page 76 Chapter 6. Virtual Private Networks...
  • Page 77: Firewalls

    Chapter 7. Firewalls Information security is commonly thought of as a process and not a product. However, standard secu- rity implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat En- terprise Linux includes several powerful tools to assist administrators and security engineers with network-level access control issues.
  • Page 78: Netfilter And Iptables

    Chapter 7. Firewalls
    Method   Description                                         Advantages                              Disadvantages
    Proxy    Proxy firewalls filter all requests of a certain    Gives administrators control over       Proxies are often application
             protocol or type from LAN clients to a proxy        what applications and protocols         specific (HTTP, telnet, etc.) or
             machine, which then makes those ...                 function outside of the LAN.            protocol restricted (most ...
  • Page 79 Chapter 7. Firewalls Warning: The IP6Tables service should be turned off to use the IPTables service, with the following commands:
        service ip6tables stop
        chkconfig ip6tables off
    To make IPTables start by default whenever the system is booted, you must change runlevel status on the service using chkconfig:
        chkconfig --level 345 iptables on...
  • Page 80: Iptables Filtering

    Chapter 7. Firewalls Note: There is a distinction between the REJECT and DROP target actions when dealing with appended rules. The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning to users.
  • Page 81: Forward

    Chapter 7. Firewalls CIPE connection requests from the outside can be accepted with the following commands (replacing x with your device number):
        iptables -A INPUT -p udp -i cipcbx -j ACCEPT
        iptables -A OUTPUT -p udp -o cipcbx -j ACCEPT
    Since CIPE uses its own virtual device which transmits datagram (UDP) packets, the rule allows the cipcb interface for incoming connections, instead of source or destination ports (though they can be...
  • Page 82: Dmzs And Iptables

    Chapter 7. Firewalls This allows LAN nodes to communicate with each other; however they are not allowed to communicate externally (for example, to the Internet). To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall’s external device (in this case, eth0):
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    For the masqueraded traffic to pass, the FORWARD chain must also accept it and IP forwarding must be enabled in the kernel (net.ipv4.ip_forward = 1). 7.5.
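    iptables evaluates a chain top to bottom and stops at the first matching rule, falling back to the chain policy when nothing matches, so the order in which rules are appended with -A decides the outcome, and REJECT and DROP differ in what the sender sees. The following is an added example, not code from the guide: a small first-match evaluator that models only the matches this chapter uses (-i/-o interface, -p protocol, --dport, -s source network) and the ACCEPT, DROP and REJECT targets, so that a ruleset can be reasoned about without loading it into a kernel. The NAT/MASQUERADE step is outside the model. The Rule and Chain classes, the packet dictionaries and the LAN network 192.168.1.0/24 are this example's own.

```python
"""A first-match evaluator for the kind of INPUT rules this chapter shows.

Added example, not from the guide. It models only the matches the chapter
uses (-i/-o interface, -p protocol, --dport, -s source network) and the
ACCEPT, DROP and REJECT targets, so the effect of rule order and of a
default-DROP policy can be checked without loading anything into a kernel.
The NAT/MASQUERADE step is outside this model. Packet dictionaries, the Rule
and Chain classes and the LAN network 192.168.1.0/24 are this example's own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    in_if: str | None = None         # -i
    out_if: str | None = None        # -o
    proto: str | None = None         # -p
    dport: int | None = None         # --dport
    src: str | None = None           # -s (CIDR)

    def matches(self, pkt: dict) -> bool:
        if self.in_if and pkt.get("in_if") != self.in_if:
            return False
        if self.out_if and pkt.get("out_if") != self.out_if:
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.src:
            s = pkt.get("src")
            if s is None or ipaddress.ip_address(s) not in ipaddress.ip_network(self.src):
                return False
        return True

    def as_command(self, chain: str) -> str:
        """Render as the iptables -A command that would install this rule."""
        parts = ["iptables", "-A", chain]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.out_if:
            parts += ["-o", self.out_if]
        if self.src:
            parts += ["-s", self.src]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


@dataclass
class Chain:
    policy: str                       # verdict when no rule matches (iptables -P)
    rules: list[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> "Chain":     # iptables -A: goes to the end
        self.rules.append(rule)
        return self

    def verdict(self, pkt: dict) -> tuple[str, str | None]:
        """(verdict, what the sender sees). REJECT answers with an ICMP
        port-unreachable by default; DROP answers with nothing at all."""
        for r in self.rules:
            if r.matches(pkt):
                return r.target, ("icmp-port-unreachable" if r.target == "REJECT" else None)
        return self.policy, None


def build_input_chain(lan_if: str = "eth1", vpn_if: str = "cipcb0",
                      lan_net: str = "192.168.1.0/24") -> Chain:
    """Default-deny INPUT chain in the chapter's pattern: accept loopback and
    the CIPE device, accept ssh from the LAN, REJECT (not DROP) the rest of
    the LAN so local users get an immediate error, and let the DROP policy
    silently discard everything arriving on the external interface."""
    return (Chain("DROP")
            .append(Rule("ACCEPT", in_if="lo"))
            .append(Rule("ACCEPT", in_if=vpn_if, proto="udp"))
            .append(Rule("ACCEPT", in_if=lan_if, proto="tcp", dport=22, src=lan_net))
            .append(Rule("REJECT", in_if=lan_if)))


if __name__ == "__main__":
    chain = build_input_chain()
    for r in chain.rules:
        print(r.as_command("INPUT"))
    print(chain.verdict({"in_if": "eth0", "proto": "udp", "src": "203.0.113.9", "dport": 6789}))
```

    The same CIPE packet is accepted on cipcb0 and dropped on eth0 because the rule matches the interface, not the port, which is the point made above. Appending the LAN-wide REJECT before the ssh rule would reject ssh too, since the first match wins; the test below checks that ordering mistake as well.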
  • Page 83: Additional Resources

    Chapter 7. Firewalls Red Hat Enterprise Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the IP6Tables command. The first step in using IP6Tables is to start the IP6Tables service. This can be done with the command:
        service ip6tables start
    Warning: The IPTables service must be turned off to use the IP6Tables service exclusively:
        service iptables stop...
  • Page 84 Chapter 7. Firewalls 7.8.3. Related Documentation
    • Linux Firewalls, by Robert Ziegler; New Riders Press — contains a wealth of information on building firewalls using both 2.2 kernel IPChains as well as Netfilter and IPTables. Additional security topics such as remote access issues and Intrusion Detection Systems are also covered.
  • Page 85: Assessing Your Security

    III. Assessing Your Security This part provides an overview of the theory and practice of security assessment. From network mon- itors to cracking tools, an administrator can learn more about securing a system and a network by cracking into it. Table of Contents 8.
  • Page 87: Vulnerability Assessment

    Chapter 8. Vulnerability Assessment Given the time, resources, and motivation, a cracker can break into nearly any system. At the end of the day, all the security procedures and technologies currently available cannot guarantee any systems are safe from intrusion. Routers can help to secure gateways to the Internet. Firewalls help secure the edge of the network.
  • Page 88: Defining Assessment And Testing

    Chapter 8. Vulnerability Assessment 8.2. Defining Assessment and Testing Vulnerability assessments may be broken down into one of two types: Outside looking in and inside looking around. When performing an outside looking in vulnerability assessment you are attempting to compromise your systems from the outside.
  • Page 89: Evaluating The Tools

    Chapter 8. Vulnerability Assessment 8.2.1. Establishing a Methodology To aid in the selection of tools for vulnerability assessment, it is helpful to establish a vulnerability assessment methodology. Unfortunately, there is no predefined or industry approved methodology at this time; however, common sense and best practices can act as a sufficient guide. What is the target? Are we looking at one server, or are we looking at our entire network and everything within the network? Are we external or internal to the company? The answers to these questions are important as they will help you determine not only which tools to select but also the manner in...
  • Page 90 Chapter 8. Vulnerability Assessment The results of the scan (which could take up to a few minutes, depending on where the host is located) should look similar to the following:
        Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
        Interesting ports on localhost.localdomain (127.0.0.1):
        (The 1591 ports scanned but not shown below are in state: closed)
        Port State...
  • Page 91 Chapter 8. Vulnerability Assessment Note Nikto is not included with Red Hat Enterprise Linux and is not supported. It has been included in this document as a reference to users who may be interested in using this popular application. More information about Nikto can be found at the following URL: http://www.cirt.net/code/nikto.shtml 8.3.4.
  • Page 92 Chapter 8. Vulnerability Assessment...
  • Page 93: Intrusions And Incident Response

    IV. Intrusions and Incident Response It is inevitable that a network falls to intrusion or malicious use of network resources. This part discusses some proactive measures an administrator can take to prevent security breaches, such as forming an emergency response team capable of quickly and effectively responding to security issues. This part also details the steps an administrator can take to collect and analyze evidence of a security breach after the fact.
  • Page 95: Intrusion Detection

    Chapter 9. Intrusion Detection Valuable property needs to be protected from the prospect of theft and destruction. Some homes are equipped with alarm systems that can deter burglars, notify authorities when a break-in has occurred, and even warn owners when their home is on fire. Such measures are necessary to ensure the integrity of homes and the safety of homeowners.
  • Page 96 Chapter 9. Intrusion Detection network and kernel event logs, can be quite verbose), analyzes them, re-tags the anomalous messages with its own system of severity rating, and collects them in its own specialized log for administrator analysis. Host-based IDSes can also verify the data integrity of important files and executables. The IDS checks a database of sensitive files (and any files added by the administrator) and creates a checksum of each file with a message-file digest utility such as (128-bit algorithm) or...
  • Page 97 Chapter 9. Intrusion Detection then the file has been modified in some way and you need to assess whether to keep the file (such as with modified configuration files in the /etc/ directory) or delete the file and reinstall the package that contains it. The following list defines the elements of the 8-character string in the above example that notifies of a verification failure.
  • Page 98: Network-Based Ids

    Chapter 9. Intrusion Detection Note These applications are not included with Red Hat Enterprise Linux and are not supported. They have been included in this document as a reference to users who may be interested in evaluating such applications.
    • SWATCH http://www.stanford.edu/~atkins/swatch/ — The Simple WATCHer (SWATCH) uses log...
  • Page 99 Chapter 9. Intrusion Detection
    RX bytes:2505498554 (2389.4 Mb) TX bytes:1521375170 (1450.8 Mb)
    Interrupt:9 Base address:0xec80

    Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:21621 errors:0 dropped:0 overruns:0 frame:0
    TX packets:21621 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:1070918 (1.0 Mb) TX bytes:1070918 (1.0 Mb)
    Using a tool such as...
  • Page 100 Chapter 9. Intrusion Detection Note Snort is not included with Red Hat Enterprise Linux and is not supported. It has been included in this document as a reference to users who may be interested in evaluating it. For more information about using Snort, refer to the official website at http://www.snort.org/.
  • Page 101: Incident Response

    Chapter 10. Incident Response In the event that the security of a system has been compromised, an incident response is necessary. It is the responsibility of the security team to respond to the problem quickly and effectively. 10.1. Defining Incident Response Incident response is an expedited reaction to a security issue or occurrence.
  • Page 102: Implementing The Incident Response Plan

    Chapter 10. Incident Response
    • Reporting the incident to the proper channels
    An incident response must be decisive and executed quickly. Because there is little room for error, it is critical that practice emergencies are staged and response times measured. This way it is possible to develop a methodology that fosters speed and accuracy, minimizing the impact of resource unavailability and potential damage in the event of an actual system compromise.
  • Page 103: Investigating The Incident

    Chapter 10. Incident Response 10.3. Implementing the Incident Response Plan Once a plan of action is created, it must be agreed upon and actively implemented. Any aspect of the plan that is questioned during active implementation can result in poor response time and downtime in the event of a breach.
  • Page 104 Chapter 10. Incident Response This command creates a single file named image1 using a 1k block size for speed. The conv=noerror,sync options force the command to continue reading and dumping data even if bad sectors are encountered on the suspect drive. It is now possible to study the resulting image file or even attempt to recover deleted files.
  • Page 105: Restoring And Recovering Resources

    Chapter 10. Incident Response
    Command: file
    Function: Determines the characteristics of files based on format, encoding, linked libraries (if any), and file type (binary, text, and more). It is useful for determining whether an executable such as /bin/ls has been modified using static libraries, which is a sure sign that the...
    Example: file /bin/ls
  • Page 106: Reporting The Incident

    Chapter 10. Incident Response System recovery can be a tedious process. In many instances there are two courses of action from which to choose. Administrators can perform a clean re-installation of the operating system on each affected system followed by restoration of all applications and data. Alternatively, administrators can patch the offending vulnerabilities and bring the affected system back into production.
  • Page 107: Appendixes

    V. Appendixes This part discusses some of the most common ways an intruder can breach computer systems or intercept data in transit. This part also details some of the most commonly used services and their associated port numbers, which can be useful to administrators looking to mitigate the risks of being cracked.
  • Page 109: Hardware And Network Protection

    Appendix A. Hardware and Network Protection The best practice before deploying a machine into a production environment or connecting your network to the Internet is to determine your organizational needs and how security can fit into the requirements as transparently as possible. Since the main goal of the Red Hat Enterprise Linux Security Guide is to explain how to secure Red Hat Enterprise Linux, a more detailed examination of hardware and physical network security is beyond the scope of this document.
  • Page 110 Appendix A. Hardware and Network Protection A.1.1.2. Linear Bus Topology The linear bus topology consists of nodes which connect to a terminated main linear cable (the backbone). The linear bus topology requires the least amount of cabling and networking equipment, making it the most cost-effective topology.
  • Page 111 Appendix A. Hardware and Network Protection the 5GHz spectrum). These specifications have been approved as standards by the IEEE, and several vendors market 802.11x products and services. Consumers have also embraced the standard for small-office/home-office (SOHO) networks. The popularity has also extended from LANs to MANs (Metropolitan Area Networks), especially in populated areas where a concentration of wireless access points (WAPs) is available.
  • Page 112: Hardware Security

    Appendix A. Hardware and Network Protection mented from the internal network. Firewalls and the hardening of hosts and applications are effective ways to deter casual intruders. However, determined crackers can find ways into the internal network if the services they have cracked reside on the same logical route as the rest of the network. The externally accessible services should reside on what the security industry regards as a demilitarized zone (DMZ), a logical network segment where inbound traffic from the Internet is only able to access those services and is not permitted to access the internal network.
  • Page 113: Common Exploits And Attacks

    Appendix B. Common Exploits and Attacks Table B-1 details some of the most common exploits and entry points used by intruders to access organizational network resources. Key to these common exploits are the explanations of how they are performed and how administrators can properly safeguard their network against such attacks. Exploit Description Notes...
  • Page 114 Appendix B. Common Exploits and Attacks
    Exploit: Eavesdropping
    Description: Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes.
    Notes: This type of attack works mostly with plain text transmission protocols such as Telnet, FTP, and...
  • Page 115 Appendix B. Common Exploits and Attacks
    Exploit: Application Vulnerabilities
    Description: Attackers find faults in desktop and workstation applications such as e-mail clients and execute arbitrary code, implant trojans for future...
    Notes: Workstations and desktops are more prone to exploitation as workers do not have the expertise or experience to prevent or detect a compromise;...
  • Page 116 Appendix B. Common Exploits and Attacks...
  • Page 117: Common Ports

    Appendix C. Common Ports The following tables list the most common communication ports used by services, daemons, and programs included in Red Hat Enterprise Linux. This listing can also be found in the /etc/services file. For the official list of Well Known, Registered, and Dynamic ports as designated by the Internet Assigned Numbers Authority (IANA), refer to the following URL: http://www.iana.org/assignments/port-numbers Note...
  • Page 118 Appendix C. Common Ports (columns: Port # / Layer, Name, Comment)
    re-mail-ck: Remote Mail Checking Protocol
    domain: domain name services (such as BIND)
    whois++: WHOIS++, extended WHOIS services
    bootps: Bootstrap Protocol (BOOTP) services; also used by Dynamic Host Configuration Protocol (DHCP) services
    bootpc: Bootstrap (BOOTP) client;...
  • Page 119 Appendix C. Common Ports (columns: Port # / Layer, Name, Comment)
    netbios-ssn: NETBIOS Session Services used in Red Hat Enterprise Linux by Samba
    imap: Internet Message Access Protocol (IMAP)
    snmp: Simple Network Management Protocol (SNMP)
    snmptrap: Traps for SNMP
    cmip-man: Common Management Information Protocol (CMIP)
    cmip-agent: Common Management Information Protocol (CMIP)
    mailq...
  • Page 120 Appendix C. Common Ports (columns: Port # / Layer, Name, Comment)
    microsoft-ds: Server Message Block (SMB) over TCP/IP
    kpasswd: Kerberos password and key changing services
    photuris: Photuris session key management protocol
    saft: Simple Asynchronous File Transfer (SAFT) protocol
    gss-http: Generic Security Services (GSS) for HTTP
    pim-rp-disc: Rendezvous Point Discovery (RP-DISC) for Protocol Independent Multicast (PIM) services...
  • Page 121 Appendix C. Common Ports (columns: Port # / Layer, Name, Comment)
    ircs: Internet Relay Chat over Secure Sockets Layer (IRCS)
    pop3s: Post Office Protocol version 3 over Secure Sockets Layer (POP3S)
    Table C-1. Well Known Ports
    The following ports are UNIX-specific and cover services ranging from email to authentication and more.
  • Page 122 Appendix C. Common Ports (columns: Port # / Layer, Name, Comment)
    remotefs [rfs_server, rfs]: Brunhoff’s Remote Filesystem (RFS)
    Table C-2. UNIX Specific Ports
    Table C-3 lists ports submitted by the network and software community to the IANA for formal registration in the port number list. (columns: Port # / Layer, Name, Comment)...
  • Page 123 Appendix C. Common Ports (columns: Port # / Layer, Name, Comment)
    1997 gdp-port: Cisco Gateway Discovery Protocol (GDP)
    2049 nfs [nfsd]: Network File System (NFS)
    2102 zephyr-srv: Zephyr notice transport and delivery server
    2103 zephyr-clt: Zephyr serv-hm connection
    2104 zephyr-hm: Zephyr host manager
    2401 cvspserver: Concurrent Versions System (CVS) client/server...
  • Page 124 Appendix C. Common Ports (columns: Port # / Layer, Name, Comment)
    6000 x11 [X]: X Window System services
    7000 afs3-fileserver: Andrew File System (AFS) file server
    7001 afs3-callback: AFS port for callbacks to cache manager
    7002 afs3-prserver: AFS user and group database
    7003 afs3-vlserver: AFS volume location database...
  • Page 125 Appendix C. Common Ports networks. (columns: Port # / Layer, Name, Comment)
    1/ddp rtmp: Routing Table Management Protocol
    2/ddp: Name Binding Protocol
    4/ddp echo: AppleTalk Echo Protocol
    6/ddp: Zone Information Protocol
    Table C-4. Datagram Delivery Protocol Ports
    Table C-5 is a listing of ports related to the Kerberos network authentication protocol. Where noted, v5 refers to Kerberos version 5 protocol.
  • Page 126 Appendix C. Common Ports (columns: Port # / Layer, Name, Comment)
    1127 sufiledbg: Software Upgrade Protocol (SUP) debugging
    1178/tcp skkserv: Simple Kana to Kanji (SKK) Japanese input server
    1313/tcp xtel: French Minitel text information system
    1529/tcp support [prmsd, gnatsd]: GNATS bug tracking system
    2003/tcp cfinger...
  • Page 127 Appendix C. Common Ports (columns: Port # / Layer, Name, Comment)
    22321/tcp wnn4_Tw: tWnn Chinese input system (Taiwan)
    24554 binkp: Binkley TCP/IP Fidonet mailer daemon
    27374: Address Search Protocol
    60177 tfido: Ifmail FidoNet compatible mailer service
    60179 fido: FidoNet electronic mail and news network
    Table C-6.
  • Page 128 Appendix C. Common Ports...
  • Page 129: Index

    Index table, 105 communication ports, 105 communication tools secure, 36 Symbols GPG, 36 802.11x, 98 OpenSSH, 36 and security, 98 computer emergency response team, 90 controls, 5 administrative, 6 physical, 5 technical, 5 Apache HTTP Server conventions cgi security, 44 document, ii directives, 44 cracker...
  • Page 130 anonymous access, 46 categories, using this manual, i anonymous upload, 46 other Red Hat Enterprise Linux manuals, i greeting banner, 45 topics, i introducing, 45 TCP wrappers and, 47 intrusion detection systems, 83 user accounts, 46 and log files, 83 vsftpd, 45 defining, 83 host-based, 83...
  • Page 131 password aging, 26 Nessus, 78 password security, 22 Netfilter, 66 aging, 26 additional resources, 71 and PAM, 25 Netfilter 6, 70 auditing tools, 26 netstat, 48 Crack, 26 network services, 33 John the Ripper, 26 Slurpie, 26 identifying and configuring, 33 enforcement, 25 risks, 33 in an organization, 25...
  • Page 132 and intrusion detection, 84 limiting DoS, 47 check GPG signature, 14 TCP wrappers, 37 attack warnings, 38 importing GPG key, 14 banners, 37 logging, 38 xinetd, 39 managing resources with, 39 security considerations preventing DoS with, 39 hardware, 97 SENSOR trap, 39 network transmission, 98 services, 48 physical networks, 97...
  • Page 133 assessment, 75 defining, 76 establishing a methodology, 77 testing, 76 white hat hacker (See hackers) Wi-Fi networks (See 802.11x) wireless security, 98 802.11x, 98 workstation security, 19 BIOS, 19 boot loaders passwords, 20 evaluating administrative control, 19 BIOS, 19 boot loaders, 19 communications, 19 passwords, 19 personal firewalls, 19...
  • Page 135: Colophon

    Colophon The manuals are written in DocBook SGML v4.1 format. The HTML and PDF formats are produced using custom DSSSL stylesheets and custom jade wrapper scripts. The DocBook SGML files are written in Emacs with the help of PSGML mode. Garrett LeSage created the admonition graphics (note, tip, important, caution, and warning).
