Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE Manual

Red Hat Enterprise Linux 4

Security Guide
For Red Hat Enterprise Linux 4

Summary of Contents for Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE

  • Page 1: Red Hat Enterprise Linux

    Red Hat Enterprise Linux 4 Security Guide For Red Hat Enterprise Linux 4...
  • Page 2: Security Guide. Red Hat Enterprise Linux 4 Security Guide, For Red Hat Enterprise Linux 4, Edition 2. Copyright © 2008 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA").
  • Page 3: Table Of Contents

    Introduction: 1. Document Conventions (viii); 1.1. Typographic Conventions (viii); 1.2. Pull-quote Conventions (ix); 1.3. Notes and Warnings (x); 2. More to Come (x); 2.1. Send in Your Feedback (xi). I. A General Introduction to Security: 1.
  • Page 4: Security Guide. 4.3.2. Creating User Passwords Within an Organization (26); 4.4. Administrative Controls (28); 4.4.1. Allowing Root Access (29); 4.4.2. Disallowing Root Access (29); 4.4.3. Limiting Root Access (32); 4.5. Available Network Services (33); 4.5.1.
  • Page 5: 7. Firewalls. 7.1. Netfilter and iptables (64); 7.1.1. iptables Overview (64); 7.2. Using iptables (64); 7.2.1. Basic Firewall Policies (65); 7.2.2. Saving and Restoring iptables Rules (66); 7.3. Common iptables Filtering (66); 7.4. FORWARD and NAT Rules (67); 7.4.1.
  • Page 6: Security Guide. 10.5.1. Reinstalling the System (94); 10.5.2. Patching the System (94); 10.6. Reporting the Incident (94). V. Appendixes: A. Hardware and Network Protection; A.1. Secure Network Topologies (97); A.1.1. Physical Topologies (97); A.1.2. Transmission Considerations (98); A.1.3.
  • Page 7: Introduction

    Introduction Welcome to the Security Guide! The Security Guide is designed to assist users of Red Hat Enterprise Linux in learning the processes and practices of securing workstations and servers against local and remote intrusion, exploitation, and malicious activity. The Security Guide details the planning and the tools involved in creating a secured computing environment for the data center, workplace, and home.
  • Page 8: Document Conventions

    Introduction 1. Document Conventions This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information. Liberation Fonts In PDF and paper editions, this manual uses typefaces drawn from the set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed.
  • Page 9: Pull-Quote Conventions

    Pull-quote Conventions To insert a special character into a gedit file, choose Applications > Accessories > Character Map from the main menu bar. Next, choose Search > Find… from the Character Map menu bar, type the name of the character in the Search field and click Next.
  • Page 10: Notes And Warnings

    Introduction. Source-code listings are also set in mono-spaced roman but add syntax highlighting as follows: package org.jboss.book.jca.ex1; import javax.naming.InitialContext; public class ExClient { public static void main(String args[]) throws Exception { InitialContext iniCtx = new InitialContext(); Object ref = iniCtx.lookup("EchoBean"); EchoHome home = (EchoHome) ref; Echo echo = home.create();...
  • Page 11: Send In Your Feedback

    If you spot a typo in the Security Guide, or if you have thought of a way to make this manual better, we would love to hear from you! Submit a report in Bugzilla (http://bugzilla.redhat.com/bugzilla/) against the component rhel-sg.
  • Page 13: A General Introduction To Security

    Part I. A General Introduction to Security This part defines information security, its history, and the industry that has developed to address it. It also discusses some of the risks that computer users or administrators face.
  • Page 15: Security Overview

    Chapter 1. Security Overview Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of the organization.
  • Page 16: Computer Security Timeline

    Chapter 1. Security Overview ... such as the Mitnick and the Vladimir Levin cases (refer to Section 1.1.2, “Computer Security Timeline” for more information) that prompted organizations across all industries to rethink the way they handle information transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.
  • Page 17 Computer Security Timeline 1.1.2.3. The 1980s • IBM develops and markets PCs based on the Intel 8086 microprocessor, a relatively inexpensive architecture that brought computing from the office to the home. This serves to commodify the PC as a common and accessible tool that was fairly powerful and easy to use, aiding in the proliferation of such hardware in the homes and offices of malicious users.
  • Page 18: Security Today

    Chapter 1. Security Overview • Possibly the most heralded of all crackers is Kevin Mitnick, who hacked into several corporate systems, stealing everything from personal information of celebrities to over 20,000 credit card numbers and source code for proprietary software. He is arrested and convicted of wire fraud charges and serves 5 years in prison.
  • Page 19: Standardizing Security

    Standardizing Security 1.1.4. Standardizing Security Enterprises in every industry rely on regulations and rules that are set by standards making bodies such as the American Medical Association (AMA) or the Institute of Electrical and Electronics Engineers (IEEE). The same ideals hold true for information security. Many security consultants and vendors agree upon the standard security model known as CIA, or Confidentiality, Integrity, and Availability.
  • Page 20: Technical Controls

    Chapter 1. Security Overview 1.2.2. Technical Controls Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as: •...
  • Page 21: Attackers And Vulnerabilities

    Chapter 2. Attackers and Vulnerabilities To plan and implement a good security strategy, first be aware of some of the issues which determined, motivated attackers exploit to compromise systems. But before detailing these issues, the terminology used when identifying an attacker must be defined. 2.1.
  • Page 22: Threats To Network Security

    Chapter 2. Attackers and Vulnerabilities 2.2. Threats to Network Security Bad practices when configuring the following aspects of a network can increase the risk of attack. 2.2.1. Insecure Architectures A misconfigured network is a primary entry point for unauthorized users. Leaving a trust-based, open local network vulnerable to the highly-insecure Internet is much like leaving a door ajar in a crime-ridden neighborhood —...
  • Page 23: Unpatched Services

    Unpatched Services 2.3.2. Unpatched Services Most server applications that are included in a default installation are solid, thoroughly tested pieces of software. Having been in use in production environments for many years, their code has been thoroughly refined and many of the bugs have been found and fixed. However, there is no such thing as perfect software and there is always room for further refinement.
  • Page 24: Threats To Workstation And Home Pc Security

    Chapter 2. Attackers and Vulnerabilities Inherently, such services can also more easily fall prey to what the security industry terms the man-in-the-middle attack. In this type of attack, a cracker redirects network traffic by tricking a cracked name server on the network to point to his machine instead of the intended server. Once someone opens a remote session to the server, the attacker's machine acts as an invisible conduit, sitting quietly between the remote service and the unsuspecting user capturing information.
  • Page 25: Configuring Red Hat Enterprise Linux For Security

    Part II. Configuring Red Hat Enterprise Linux for Security This part informs and instructs administrators on proper techniques and tools to use when securing Red Hat Enterprise Linux workstations, Red Hat Enterprise Linux servers, and network resources. It also discusses how to make secure connections, lock down ports and services, and implement active filtering to prevent network intrusion.
  • Page 27: Security Updates

    Chapter 3. Security Updates As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is part of a package within a Red Hat Enterprise Linux distribution that is currently supported, Red Hat, Inc. is committed to releasing updated packages that fix the vulnerability as soon as possible.
  • Page 28: Using The Red Hat Errata Website

    When security errata reports are released, they are published on the Red Hat Errata website available at http://www.redhat.com/security/. From this page, select the product and version for your system, and then select security at the top of the page to display only Red Hat Enterprise Linux Security Advisories.
  • Page 29: Installing Signed Packages

    Installing Signed Packages rpm --import /mnt/cdrom/RPM-GPG-KEY To display a list of all keys installed for RPM verification, execute the following command: rpm -qa gpg-pubkey* For the Red Hat key, the output includes the following: gpg-pubkey-db42a60e-37ea5438 To display details about a specific key, use the rpm -qi command followed by the output from the previous command, as in this example: rpm -qi gpg-pubkey-db42a60e-37ea5438 It is extremely important to verify the signature of the RPM files before installing them to ensure...
  • Page 30: Applying The Changes

    Chapter 3. Security Updates Replace <old-kernel-package> in the previous example with the name of the older kernel RPM. Note: It is not a requirement that the old kernel be removed. The default boot loader, GRUB, allows for multiple kernels to be installed, then chosen from a menu at boot time. Important: Before installing any security errata, be sure to read any special instructions contained in Section 3.1.5, “Applying the...
  • Page 31 Applying the Changes lsof /usr/lib/libwrap.so* This command returns a list of all the running programs which use TCP wrappers for host access control. Therefore, any program listed must be halted and relaunched if the tcp_wrappers package is updated. SysV Services SysV services are persistent server programs launched during the boot process.
  • Page 32 Chapter 3. Security Updates killall imapd Refer to the chapter titled TCP Wrappers and xinetd in the Reference Guide for general information regarding xinetd.
  • Page 33: Workstation Security

    Chapter 4. Workstation Security Securing a Linux environment begins with the workstation. Whether locking down a personal machine or securing an enterprise system, sound security policy begins with the individual computer. After all, a computer network is only as secure as its weakest node. 4.1.
  • Page 34: Boot Loader Passwords

    Chapter 4. Workstation Security 2. Preventing System Booting — Some BIOSes allow password protection of the boot process. When activated, an attacker is forced to enter a password before the BIOS launches the boot loader. Because the methods for setting a BIOS password vary between computer manufacturers, consult the computer's manual for specific instructions.
  • Page 35: Password Security

    Password Security password --md5 <password-hash> Replace <password-hash> with the value returned by /sbin/grub-md5-crypt. The next time the system boots, the GRUB menu does not allow access to the editor or command interface without first pressing p followed by the GRUB password. Unfortunately, this solution does not prevent an attacker from booting into a non-secure operating system in a dual-boot environment.
  • Page 36: Creating Strong Passwords

    Chapter 4. Workstation Security If shadow passwords are deselected during installation, all passwords are stored as a one-way hash in the world-readable /etc/passwd file, which makes the system vulnerable to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, he can copy the /etc/passwd file to his own machine and run any number of password cracking programs against it.
  • Page 37 Creating Strong Passwords • 1dumbKopf • Do Not Use Hacker Terminology — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak. Some insecure examples include the following: •...
  • Page 38: Creating User Passwords Within An Organization

    Chapter 4. Workstation Security • Mix Letters and Numbers — Adding numbers to passwords, especially when added to the middle (not just at the beginning or the end), can enhance password strength. • Include Non-Alphanumeric Characters — Special characters such as &, $, and > can greatly improve the strength of a password (this is not possible if using DES passwords).
  • Page 39: Password Aging

    Creating User Passwords Within an Organization 4.3.2.1. Forcing Strong Passwords To protect the network from intrusion it is a good idea for system administrators to verify that the passwords used within an organization are strong ones. When users are asked to create or change passwords, they can use the command line application passwd, which is Pluggable Authentication Manager (PAM) aware and therefore checks to see if the password is easy to crack or too short in length via the pam_cracklib.so PAM module.
  • Page 40: Administrative Controls

    Chapter 4. Workstation Security There are two primary programs used to specify password aging under Red Hat Enterprise Linux: the chage command or the graphical User Manager (system-config-users) application. The -M option of the chage command specifies the maximum number of days the password is valid. So, for instance, to set a user's password to expire in 90 days, type the following command: chage -M 90 <username>...
  • Page 41: Allowing Root Access

    Allowing Root Access 4.4.1. Allowing Root Access If the users within an organization are a trusted, computer-savvy group, then allowing them root access may not be an issue. Allowing root access by users means that minor activities, like adding devices or configuring network interfaces, can be handled by the individual users, leaving system administrators free to deal with network security and other important issues.
  • Page 42: Chapter 4. Workstation Security (table, columns: Method, Description, Effects, Does Not Affect; truncated). Does Not Affect entries: kdm, xdm, su, sudo, ssh, scp, sftp, other network services that open a tty. Disabling root SSH logins: Edit the /etc/ssh/sshd_config file and set... Prevents root access via... This only prevents root...
  • Page 43: Disallowing Root Access ... whether via the console or a raw network interface. This is dangerous, as a user can log into his machine as root via Telnet, which sends his password in plain text over the network. By default, Red Hat Enterprise Linux's /etc/securetty file only allows the root user to login at the console physically attached to the machine.
  • Page 44: Limiting Root Access

    Chapter 4. Workstation Security 4.4.3. Limiting Root Access Rather than completely deny access to the root user, the administrator may want to allow access only via setuid programs, such as su or sudo. 4.4.3.1. The su Command Upon typing the su command, the user is prompted for the root password and, after authentication, is given a root shell prompt.
  • Page 45: Available Network Services

    Available Network Services The basic format of the sudo command is as follows: sudo <command> In the above example, <command> would be replaced by a command normally reserved for the root user, such as mount. Important: Users of the sudo command should take extra care to log out before walking away from their machines, since sudoers can use the command again without being asked for a password within a five-minute period.
  • Page 46: Risks To Services

    New Security Enhancements in Red Hat Enterprise Linux v.3, Update 3, available at the following URL: http://www.redhat.com/solutions/info/whitepapers/ To limit exposure to attacks over the network, all services that are unused should be turned off. 4.5.2. Identifying and Configuring Services To enhance security, most network services installed with Red Hat Enterprise Linux are turned off by default.
  • Page 47: Insecure Services

    Insecure Services • lpd — An alternate print server. • xinetd — A super server that controls connections to a host of subordinate servers, such as vsftpd and telnet. • sendmail — The Sendmail mail transport agent is enabled by default, but only listens for connections from the localhost.
  • Page 48: Personal Firewalls

    Chapter 4. Workstation Security Examples of inherently insecure services include the following: • rlogin • rsh • telnet • vsftpd All remote login and shell programs (rlogin, rsh, and telnet) should be avoided in favor of SSH (refer to Section 4.7, “Security Enhanced Communication Tools” for more information about sshd). FTP is not as inherently dangerous to the security of the system as remote shells, but FTP servers...
  • Page 49: Security Enhanced Communication Tools

    Security Enhanced Communication Tools (system-config-securitylevel). This tool creates broad iptables rules for a general-purpose firewall using a control panel interface. For more information about using this application and the options it offers, refer to the chapter titled Basic Firewall Configuration in the System Administrators Guide. For advanced users and server administrators, manually configuring a firewall with iptables is likely the best option (refer to Chapter 7, Firewalls).
  • Page 51: Server Security

    Chapter 5. Server Security When a system is used as a server on a public network, it becomes a target for attacks. For this reason, hardening the system and locking down services is of paramount importance for the system administrator. Before delving into specific issues, review the following general tips for enhancing server security: •...
  • Page 52 Chapter 5. Server Security The contents of the file look like this: 220-Hello, %c 220-All activity on ftp.example.com is logged. 220-Act up and you will be banned. The %c token supplies a variety of client information, such as the username and hostname, or the username and IP address to make the connection even more intimidating.
  • Page 53: Enhancing Security With Xinetd

    Enhancing Security With xinetd 5.1.2. Enhancing Security With xinetd The xinetd super server is another useful tool for controlling access to its subordinate services. This section focuses on how xinetd can be used to set a trap service and control the amount of resources any given xinetd service can use to thwart denial of service attacks.
  • Page 54: Securing Portmap

    Chapter 5. Server Security • instances = <number_of_connections> — Dictates the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED. • per_source = <number_of_connections> — Dictates the connections allowed to a service by each host.
  • Page 55: Securing Nis

    Securing NIS iptables -A INPUT -p udp -s ! 192.168.0.0/24 --dport 111 -j DROP Note: Refer to Chapter 7, Firewalls for more information about implementing firewalls with iptables commands. 5.3. Securing NIS NIS stands for Network Information Service. It is an RPC service, called ypserv, which is used in conjunction with portmap and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.
  • Page 56: Edit The /Var/Yp/Securenets File

    Chapter 5. Server Security ypcat -d <NIS_domain> -h <DNS_hostname> passwd If this attacker is a root user, they can obtain the /etc/shadow file by typing the following command: ypcat -d <NIS_domain> -h <DNS_hostname> shadow Note If Kerberos is used, the /etc/shadow file is not stored within an NIS map. To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as o7hfawtgmhwg.domain.com.
  • Page 57: Use Kerberos Authentication

    Use Kerberos Authentication iptables -A INPUT -p ALL -s ! 192.168.0.0/24 --dport 834 -j DROP iptables -A INPUT -p ALL -s ! 192.168.0.0/24 --dport 835 -j DROP Note: Refer to Chapter 7, Firewalls for more information about implementing firewalls with iptables commands. 5.3.5.
  • Page 58: Do Not Use The No_Root_Squash Option

    Chapter 5. Server Security /tmp/nfs/ bob.example.com(rw) This line in the /etc/exports file, on the other hand, shares the same directory to the host bob.example.com with read-only permissions and shares it to the world with read/write permissions due to a single space character after the hostname. /tmp/nfs/ bob.example.com (rw) It is good practice to check any configured NFS shares by using the showmount command to verify what is being shared:...
  • Page 59: Do Not Remove The Includesnoexec Directive

    Do Not Remove the IncludesNoExec Directive UserDir enabled UserDir disabled root These directives activate user directory browsing for all user directories other than /root/. To add users to the list of disabled accounts, add a space delimited list of users on the UserDir disabled line.
  • Page 60: Anonymous Access

    Chapter 5. Server Security Replace <insert_greeting_here> in the above directive with the text of the greeting message. For multi-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called /etc/banners/. The banner file for FTP connections in this example is /etc/banners/ftp.msg.
  • Page 61: User Accounts

    User Accounts chmod 730 /var/ftp/pub/upload A long format listing of the directory should look like this: drwx-wx--- 2 root 4096 Feb 13 20:05 upload Warning Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software. Additionally, under vsftpd, add the following line to the /etc/vsftpd/vsftpd.conf file: anon_upload_enable=YES 5.6.3.
  • Page 62: Limiting A Denial Of Service Attack

    Chapter 5. Server Security For more information about how email works and an overview of common configuration settings, refer to the chapter titled Email in the Reference Guide. This section assumes a basic knowledge of how to generate a valid /etc/mail/sendmail.cf by editing the /etc/mail/sendmail.mc and running the m4 command as explained in the Reference Guide.
  • Page 63 Verifying Which Ports Are Listening A more reliable way to check which ports are listening on the network is to use a port scanner such as nmap. The following command issued from the console determines which ports are listening for TCP connections from the network: nmap -sT -O localhost The output of this command looks like the following:...
  • Page 64 Chapter 5. Server Security open port belongs to ypbind (NIS), which is an RPC service handled in conjunction with the portmap service. The lsof command reveals similar information since it is also capable of linking open ports to services: lsof -i | grep 834 Below is the relevant portion of the output for this command: ypbind IPv4...
  • Page 65: Virtual Private Networks

    Chapter 6. Virtual Private Networks Organizations with several satellite offices often connect to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or Asynchronous Transfer Mode (ATM) lines as an end-to-end networking solution to link one office with others.
  • Page 66: Ipsec Installation

    Chapter 6. Virtual Private Networks another). The IPsec implementation in Red Hat Enterprise Linux uses Internet Key Exchange (IKE), which is a protocol implemented by the Internet Engineering Task Force (IETF) to be used for mutual authentication and secure associations between connecting systems. An IPsec connection is split into two logical phases.
  • Page 67 IPsec Host-to-Host Configuration configuration of IPsec on each host. The hosts need only a dedicated connection to a carrier network (such as the Internet) and Red Hat Enterprise Linux to create the IPsec connection. The first step in creating a connection is to gather system and network information from each workstation.
  • Page 68 Chapter 6. Virtual Private Networks The next example shows the specific configuration for the phase 1 connection to the remote host. The file is named X.X.X.X.conf (X.X.X.X is replaced with the IP address of the remote IPsec router). Note that this file is automatically generated once the IPsec tunnel is activated and should not be edited directly.
  • Page 69 IPsec Host-to-Host Configuration statement is Workstation B's IP address. The opposite is true of Workstation B. The following shows a typical racoon.conf file when IPsec connection is activated. # Racoon IKE daemon configuration file. # See 'man racoon.conf' for a description of the format and entries. path include "/etc/racoon";...
  • Page 70: Ipsec Network-To-Network Configuration

    Chapter 6. Virtual Private Networks /sbin/ifup ipsec0 To test the IPsec connection, run the tcpdump utility to view the network packets being transferred between the hosts (or networks) and verify that they are encrypted via IPsec. The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example: 17:13:20.617872 pinky.example.com >...
  • Page 71: IPsec Network-to-Network Configuration The IPsec connection between each network uses a pre-shared key with the value of r3dh4tl1nux, and the administrators of A and B agree to let racoon automatically generate and share an authentication key between each IPsec router. The administrator of LAN A decides to name the IPsec connection ipsec0, while the administrator of LAN B names the IPsec connection ipsec1.
  • Page 72: Chapter 6. Virtual Private Networks
    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    sainfo anonymous
    {
            pfs_group 2;
            lifetime time 1 hour ;
            encryption_algorithm 3des, blowfish 448, rijndael ;
            authentication_algorithm hmac_sha1, hmac_md5 ;
            compression_algorithm deflate ;
    }
    include "/etc/racoon/X.X.X.X.conf"
    The following is the specific configuration for the connection to the remote network. The file is named X.X.X.X.conf (replace X.X.X.X with the IP address of the remote IPsec router).
  • Page 73 IPsec Network-to-Network configuration that they are encrypted via IPsec. For example, to check the IPsec connectivity of LAN A, type the following: tcpdump -n -i eth0 host lana.example.com The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted.
  • Page 75: Firewalls

    Chapter 7. Firewalls Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several powerful tools to assist administrators and security engineers with network-level access control issues.
  • Page 76: Netfilter And Iptables

    Chapter 7. Firewalls Method Description Advantages Disadvantages protocol or type from LAN applications and protocols Telnet, etc.) or protocol clients to a proxy machine, function outside of the LAN restricted (most proxies which then makes those · Some proxy servers work with TCP connected requests to the Internet on can cache frequently-...
  • Page 77: Basic Firewall Policies

    Basic Firewall Policies service ip6tables stop chkconfig ip6tables off To make iptables start by default whenever the system is booted, you must change runlevel status on the service using chkconfig. chkconfig --level 345 iptables on The syntax of iptables is separated into tiers. The main tier is the chain. A chain specifies the state at which a packet is manipulated.
  • Page 78: Saving And Restoring Iptables Rules

    Chapter 7. Firewalls 7.2.2. Saving and Restoring iptables Rules Firewall rules are only valid for the time the computer is on; so, if the system is rebooted, the rules are automatically flushed and reset. To save the rules so that they are loaded later, use the following command: /sbin/service iptables save The rules are stored in the file /etc/sysconfig/iptables and are applied whenever the service is...
  • Page 79: Forward And Nat Rules

    FORWARD and NAT Rules There may be times when you require remote access to the LAN from outside the LAN. Secure services such as SSH can be used for encrypted remote connection to LAN services. For administrators with PPP-based resources (such as modem banks or bulk ISP accounts), dial-up access can be used to circumvent firewall barriers securely, as modem connections are typically behind a firewall/gateway because they are direct connections.
  • Page 80 Chapter 7. Firewalls sysctl -w net.ipv4.ip_forward=1 If this command is run via shell prompt, then the setting is not remembered after a reboot. You can permanently set forwarding by editing the /etc/sysctl.conf file. Find and edit the following line, replacing 0 with 1: net.ipv4.ip_forward = 0 Execute the following command to enable the change to the sysctl.conf file: sysctl -p /etc/sysctl.conf...
  • Page 81: Dmzs And Iptables

    DMZs and iptables iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT This rule allows forwarding of incoming HTTP requests from the firewall to its intended destination of the Apache HTTP Server behind the firewall. 7.4.1.
  • Page 82: Iptables And Connection Tracking

    Chapter 7. Firewalls these targets. However, to avoid user confusion and attempts to continue connecting, the REJECT target is recommended. 7.6. iptables and Connection Tracking iptables includes a module that allows administrators to inspect and restrict connections to services available on an internal network using a method called connection tracking. Connection tracking stores connections in a table, which allows administrators to allow or deny access based on the following connection states: •...
  • Page 83: Additional Resources

    Additional Resources chkconfig --level 345 ip6tables on The syntax is identical to iptables in every aspect except that ip6tables supports 128-bit addresses. For example, SSH connections on an IPv6-aware network server can be enabled with the following rule: ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT For more information about IPv6 networking, refer to the IPv6 Information Page at http://www.ipv6.org/.
  • Page 85: Assessing Your Security

    Part III. Assessing Your Security This part provides an overview of the theory and practice of security assessment. From network monitors to cracking tools, an administrator can learn more about securing a system and a network by cracking into it.
  • Page 87: Vulnerability Assessment

    Chapter 8. Vulnerability Assessment Given time, resources, and motivation, a cracker can break into nearly any system. At the end of the day, all of the security procedures and technologies currently available cannot guarantee that any systems are safe from intrusion. Routers help secure gateways to the Internet. Firewalls help secure the edge of the network.
  • Page 88: Defining Assessment And Testing

    8.2. Defining Assessment and Testing
    Vulnerability assessments may be broken down into one of two types: outside looking in and inside looking around. When performing an outside looking in vulnerability assessment, you are attempting to compromise your systems from the outside.
  • Page 89: Establishing A Methodology

    Establishing a Methodology
    • Creates proactive focus on information security
    • Finds potential exploits before crackers find them
    • Results in systems being kept up to date and patched
    • Promotes growth and aids in developing staff expertise
    • Abates financial loss and negative publicity
    8.2.1.
  • Page 90: Nessus

    options and usage. Administrators can use Nmap on a network to find host systems and open ports on those systems. Nmap is a competent first step in vulnerability assessment. You can map out all the hosts within your network and even pass an option (-O) that makes Nmap attempt to identify the operating system running on a particular host.
  • Page 91: Nikto

    For more information about Nessus, refer to the official website at the following URL: http://www.nessus.org/
    8.3.3. Nikto
    Nikto is an excellent common gateway interface (CGI) script scanner. Nikto not only checks for CGI vulnerabilities but does so in an evasive manner, so as to elude intrusion detection systems. It comes with thorough documentation which should be carefully reviewed prior to running the program.
  • Page 93: Intrusions And Incident Response

    Part IV. Intrusions and Incident Response It is inevitable that a network will eventually suffer an intrusion or malicious use of its resources. This part discusses some proactive measures an administrator can take to prevent security breaches, such as forming an emergency response team capable of quickly and effectively responding to security issues. This part also details the steps an administrator can take to collect and analyze evidence of a security breach after the fact.
  • Page 95: Intrusion Detection

    Chapter 9. Intrusion Detection Valuable property needs to be protected from the prospect of theft and destruction. Some homes are equipped with alarm systems that can deter burglars, notify authorities when a break-in has occurred, and even warn owners when their home is on fire. Such measures are necessary to ensure the integrity of homes and the safety of homeowners.
  • Page 96: Host-Based Ids

    9.2. Host-based IDS
    A host-based IDS analyzes several areas to determine misuse (malicious or abusive activity inside the network) or intrusion (breaches from the outside). Host-based IDSes consult several types of log files (kernel, system, server, network, firewall, and more), and compare the logs against an internal database of common signatures for known attacks.
  • Page 97 RPM as an IDS
    rpm --import /usr/share/doc/rpm-<version>/RPM-GPG-KEY
    rpm -V package_name
    The -V option verifies the files of the installed package package_name against the sizes, checksums, permissions, owners and timestamps recorded in the RPM database when the package was installed. If it prints nothing and exits, none of those files have been modified in any way since then.
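    An added example, not code from the Security Guide, that turns a full rpm -Va run into a short list of files worth a look. The sample lines are constructed for illustration; the parsing assumes the eight status columns RHEL 4's rpm prints (S size, M mode, 5 MD5 checksum, D device, L link, U user, G group, T mtime), an optional attribute letter such as c for configuration files, then the path.

```shell
#!/bin/sh
# Added example, not from the Security Guide: triage rpm -Va output.
# Constructed sample of rpm -V lines (eight status columns S M 5 D L U G T,
# optional attribute letter, path). Not real output from any system.
sample_rpm_verify() {
  cat <<'EOF'
S.5....T   /bin/ps
.M......   /usr/bin/passwd
S.5....T c /etc/ssh/sshd_config
.M...UG. c /etc/sudoers
.......T c /etc/hosts.allow
missing    /usr/sbin/sshd
..5....T   /usr/bin/netstat
EOF
}

# Reads rpm -V lines on stdin and prints "path: reason[,reason]" for entries that
# deserve attention. A changed size or checksum on a configuration file (attribute c)
# is expected after normal administration and is ignored; a changed mode, owner or
# group on any file, a changed checksum on a non-config file, or a missing file is
# reported. Paths containing spaces are not handled (rpm prints them unquoted).
flag_rpm_verify() {
  awk '
    # A file recorded in the database but absent on disk is always worth reporting.
    $1 == "missing" { print $NF ": missing"; next }
    # Skip anything that is not a status line (rpm also prints dependency messages).
    length($1) < 8 || $1 !~ /^[SM5DLUGTP.?]+$/ { next }
    {
      status = $1
      attr = (NF >= 3) ? $2 : ""
      path = $NF
      reasons = ""
      content = (substr(status, 1, 1) == "S" || substr(status, 3, 1) == "5")
      if (content && attr != "c") reasons = reasons "content,"
      if (substr(status, 2, 1) == "M") reasons = reasons "mode,"
      if (substr(status, 6, 1) == "U" || substr(status, 7, 1) == "G") reasons = reasons "owner,"
      if (reasons != "") { sub(/,$/, "", reasons); print path ": " reasons }
    }'
}

# Real use, as root:   rpm -Va | flag_rpm_verify
# On the constructed sample:   sample_rpm_verify | flag_rpm_verify
```

    Two caveats before acting on the output. rpm -V trusts the local RPM database and the rpm binary itself; an intruder who has altered either makes a clean result meaningless, so on a suspected compromise verify from trusted media, for example with rpm -Vp against the original package file, or from a known-good boot environment. Second, RHEL 4 prelinks binaries after installation; rpm accounts for this, but if a checksum mismatch is the only finding on a prelinked binary, confirm it with prelink -y before treating it as tampering.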
  • Page 98: Other Host-Based Idses

    (MISSING KEYS: GPG#897da07a)
    This warning means the package is signed with a key that has not been imported into the RPM database, so the signature cannot be checked until that key is imported with rpm --import. Exercise caution when installing packages that are unsigned: they are not approved by Red Hat, Inc. and could contain malicious code. RPM can be a powerful tool, as evidenced by its many verification tools for installed packages and RPM package files.
  • Page 99 Network-based IDS
    • ARP cache poisoning
    • DNS name corruption
    • man-in-the-middle attacks
    Most network-based IDSes require that the host system's network device be set to promiscuous mode, which allows the device to capture every packet passed on the network. Promiscuous mode can be set through the ifconfig command, such as the following:
    ifconfig eth0 promisc
    Running ifconfig with no options reveals that eth0 is now in promiscuous (PROMISC) mode.
  • Page 100: Snort

    9.3.1. Snort
    While tcpdump is a useful auditing tool, it is not considered a true IDS because it does not analyze and flag packets for anomalies. Instead, tcpdump prints all packet information to the screen or to a log file without any analysis.
  • Page 101: Incident Response

    Chapter 10. Incident Response
    In the event that the security of a system has been compromised, an incident response is necessary. It is the responsibility of the security team to respond to the problem quickly and effectively.
    10.1. Defining Incident Response
    An incident response is an expedited reaction to a security issue or occurrence.
  • Page 102: The Computer Emergency Response Team (Cert)

    • Restoration of affected resources
    • Reporting the incident to the proper channels
    An incident response must be decisive and executed quickly. Because there is little room for error, it is critical that practice emergencies are staged and response times measured. This way it is possible to develop a methodology that fosters speed and accuracy, minimizing the impact of resource unavailability and potential damage in the event of an actual system compromise.
  • Page 103: Implementing The Incident Response Plan

    medical, or financial records; and the importance of restoring service in mission-critical environments such as hospitals and banks.
    10.3. Implementing the Incident Response Plan
    Once a plan of action is created, it must be agreed upon and actively implemented. Any aspect of the plan that is questioned during an active implementation can result in poor response time and downtime in the event of a breach.
  • Page 104: Collecting An Evidential Image

    10.4.1. Collecting an Evidential Image
    Creating a bit-for-bit image of the affected media is a sensible first step; for forensic work it is a requirement. It is recommended to make two copies: one for analysis and investigation, and a second to be stored along with the original for evidence in any legal proceedings.
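    An added example, not code from the Security Guide, of the two-copy imaging step described above: dd makes the analysis copy and the evidence copy, each copy is hashed and compared with the original, and the hashes together with dd's own record counts are written to a log that can travel with the evidence. In real use the source is a block device (an assumed name such as /dev/hda1) that is not mounted read-write; the test substitutes a scratch file.

```shell
#!/bin/sh
# Added example, not from the Security Guide: two bit-for-bit images plus hash
# verification. The source would normally be a block device that is not mounted
# read-write; a scratch file stands in for it when the functions are tried out.

# Hash a file or device; sha1sum ships with the RHEL 4 coreutils.
image_hash() { sha1sum "$1" | cut -d ' ' -f 1; }

# Copy src to dst. conv=noerror,sync keeps going past unreadable blocks and pads
# them with zeros so offsets in the image still match the original. bs must divide
# the source size exactly: on a disk or partition 512 always does, but with a plain
# file a short final block would be zero-padded and the hashes would not match.
take_image() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync
}

# image_and_verify SOURCE ANALYSIS_COPY EVIDENCE_COPY LOG
# Produce both copies, record dd's summaries and all three hashes in LOG, and
# return 0 only if every hash matches the source.
image_and_verify() {
  src=$1; analysis=$2; evidence=$3; log=$4
  echo "date: $(date -u '+%Y-%m-%dT%H:%M:%SZ')  source: $src" > "$log"
  # dd's records-in/records-out summary and any read errors go into the log.
  take_image "$src" "$analysis" 2>> "$log"
  take_image "$src" "$evidence" 2>> "$log"
  orig=$(image_hash "$src")
  h1=$(image_hash "$analysis")
  h2=$(image_hash "$evidence")
  printf 'sha1 source   %s\nsha1 analysis %s\nsha1 evidence %s\n' "$orig" "$h1" "$h2" >> "$log"
  [ "$orig" = "$h1" ] && [ "$orig" = "$h2" ]
}

# Typical use (as root, output to a separate, trusted disk):
#   image_and_verify /dev/hda1 /mnt/evidence/hda1-analysis.img \
#       /mnt/evidence/hda1-evidence.img /mnt/evidence/hda1-hashes.log
```

    Hash the source before and after imaging if the device stays attached for long: a source hash that changes between the two runs means something wrote to the media while it was supposed to be frozen, and the image can no longer be tied to the state of the system at seizure.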
  • Page 105 Gathering Post-Breach Information
    Command / Function / Example
    ...used mostly as a piped command for commands like ls, ps, or ifconfig.
    strings
      Function: Prints the strings of printable characters within a file. It is most useful for auditing executables for anomalies such as mail commands to unknown addresses or logging to a non-standard log file.
      Example: strings /bin/ps | grep 'mail'
  • Page 106: Restoring And Recovering Resources

    10.5. Restoring and Recovering Resources
    While an incident response is in progress, the CERT team should be investigating while working toward data and system recovery. Unfortunately, it is the nature of the breach which dictates the course of recovery.
  • Page 107: Appendixes

    Part V. Appendixes This part discusses some of the most common ways an intruder can breach computer systems or intercept data in transit. This part also details some of the most commonly used services and their associated port numbers, which can be useful to administrators looking to mitigate the risks of being cracked.
  • Page 109: Hardware And Network Protection

    Appendix A. Hardware and Network Protection The best practice before deploying a machine into a production environment or connecting your network to the Internet is to determine your organizational needs and how security can fit into the requirements as transparently as possible. Since the main goal of the Security Guide is to explain how to secure Red Hat Enterprise Linux, a more detailed examination of hardware and physical network security is beyond the scope of this document.
  • Page 110: Transmission Considerations

    A.1.1.2. Linear Bus Topology
    The linear bus topology consists of nodes which connect to a terminated main linear cable (the backbone). The linear bus topology requires the least amount of cabling and networking equipment, making it the most cost-effective topology.
  • Page 111 Wireless Networks
    industries. The currently approved IEEE standard is 802.11g for wireless networking, while 802.11a and 802.11b are legacy standards. The 802.11g standard is backwards-compatible with 802.11b, but is incompatible with 802.11a. The 802.11b and 802.11g specifications are actually a group of standards governing wireless communication and access control on the unlicensed 2.4GHz radio-frequency (RF) spectrum (802.11a uses the 5GHz spectrum).
  • Page 112: Network Segmentation And Dmzs

    crack the VPN or SSH encryption which, depending on the encryption method, can employ up to triple-strength 168-bit-key DES encryption (3DES, whose effective strength is about 112 bits), or proprietary algorithms of even greater strength. Administrators who apply these policies should restrict plain-text protocols such as Telnet or FTP, as passwords and data can be exposed using any of the aforementioned attacks.
  • Page 113 Hardware Security
    Employee workstations, for the most part, are not as likely to be targets for remote attacks, especially those behind a properly configured firewall. However, there are some safeguards that can be implemented to avert an internal or physical attack on individual workstation resources. Modern workstation and home PCs use a BIOS that controls system resources on the hardware level.
  • Page 115: Common Exploits And Attacks

    Appendix B. Common Exploits and Attacks Table B.1, “Common Exploits” details some of the most common exploits and entry points used by intruders to access organizational network resources. Key to these common exploits are the explanations of how they are performed and how administrators can properly safeguard their network against such attacks.
  • Page 116
    Exploit / Description / Notes
    Description: ...eavesdropping on the connection between the two nodes.
    Notes: Remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN.
  • Page 117
    Exploit / Description / Notes
    Description: ...administrative privileges on the rest of the network.
    Notes: ...install unauthorized software or open unsolicited email attachments. Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software via Red Hat Network or other system management services can alleviate the burdens of multi-seat...
  • Page 119: Common Ports

    Appendix C. Common Ports The following tables list the most common communication ports used by services, daemons, and programs included in Red Hat Enterprise Linux. This listing can also be found in the /etc/services file. For the official list of Well Known, Registered, and Dynamic ports as designated by the Internet Assigned Numbers Authority (IANA), refer to the following URL: http://www.iana.org/assignments/port-numbers Note...
  • Page 120
    Port # / Layer Name Comment
    bootps: Bootstrap Protocol (BOOTP) services; also used by Dynamic Host Configuration Protocol (DHCP) services
    bootpc: Bootstrap (BOOTP) client; also used by Dynamic Host Configuration Protocol (DHCP) clients
    tftp: Trivial File Transfer Protocol (TFTP)
    gopher: Gopher Internet document search and retrieval
    netrjs-1...
  • Page 121
    Port # / Layer Name Comment
    cmip-agent: Common Management Information Protocol (CMIP)
    mailq: MAILQ email transport queue
    xdmcp: X Display Manager Control Protocol (XDMCP)
    nextstep: NeXTStep window server
    Border Gateway Protocol
    prospero: Prospero distributed filesystem services
    Internet Relay Chat (IRC)
    smux: SNMP UNIX Multiplexer
    at-rtmp...
  • Page 122
    Port # / Layer Name Comment
    iiop: Internet Inter-Orb Protocol (IIOP)
    gdomap: GNUstep Distributed Objects Mapper (GDOMAP)
    dhcpv6-client: Dynamic Host Configuration Protocol (DHCP) version 6 client
    dhcpv6-server: Dynamic Host Configuration Protocol (DHCP) version 6 service
    rtsp: Real Time Stream Control Protocol (RTSP)
    nntps: Network News Transport Protocol over Secure Sockets...
  • Page 123
    Port # / Layer Name Comment
    513/tcp login: Remote Login (rlogin)
    513/udp who [whod]: whod user logging daemon
    514/tcp shell [cmd]: Remote shell (rshell) and remote copy (rcp) with no logging
    514/udp syslog: UNIX system logging service
    printer [spooler]: Line printer (lpr) spooler
    517/udp talk: Talk remote calling service and client...
  • Page 124
    Port # / Layer Name Comment
    1524 ingreslock: Ingres Database Management System (DBMS) lock services
    1525 prospero-np: Prospero non-privileged
    1645 datametrics [old-radius]: Datametrics / old radius entry
    1646 sa-msg-port [oldradacct]: sa-msg-port / old radacct entry
    1649 kermit: Kermit file transfer and management service...
  • Page 125
    Port # / Layer Name Comment
    2602 discp-server [ripd]: discp server; Routing Information Protocol daemon (ripd)
    2603 servicemeter [ripngd]: Service Meter; RIP daemon for IPv6
    2604 nsc-ccs [ospfd]: NSC CCS; Open Shortest Path First daemon (ospfd)
    2605 nsc-posa: NSC POSA; Border Gateway Protocol daemon (bgpd)
    2606 netmon [ospf6d]: Dell Netmon;...
  • Page 126
    Port # / Layer Name Comment
    13724 vnetd: Veritas network utility
    13782 bpcd: Veritas NetBackup
    13783 vopied: Veritas VOPIE authentication daemon
    22273 wnn6 [wnn4]: Kana/Kanji conversion system
    26000 quake: Quake (and related) multi-player game servers
    26208 wnn6-ds: Wnn6 Kana/Kanji server
    33434...
  • Page 127
    Port # / Layer Name Comment
    98/tcp linuxconf: Linuxconf Linux administration tool
    poppassd: Post Office Protocol password change daemon (POPPASSD)
    465/tcp smtps: Simple Mail Transfer Protocol over Secure Sockets Layer (SMTPS)
    616/tcp: Gated (routing daemon) Interactive Interface
    omirr [omirrd]: Online Mirror (Omirr) file mirroring services
    871/tcp supfileserv: Software Upgrade Protocol (SUP) server...
  • Page 128
    Port # / Layer Name Comment
    9359 mandelspawn [mandelbrot]: Parallel mandelbrot spawning program for the X Window System
    10081 kamanda: Amanda backup service over Kerberos
    10082/tcp amandaidx: Amanda index server
    10083/tcp amidxtape: Amanda tape server
    20011 isdnlog: Integrated Services Digital Network (ISDN) logging system
    20012...
  • Page 129: Revision History

    Appendix D. Revision History Revision 1.0 Wed Sep 17 2008 Don Domingo ddomingo@redhat.com migrated to new automated build system...
  • Page 131: Index

    Index
    Symbols
    802.11x, 98
    Apache HTTP Server
      cgi security, 47
      directives, 46
      introducing, 46
    attackers and risks, 9
    administrative, 8
    physical, 7
    technical, 8
    cracker
      black hat hacker, 9
      crackers and security, 98
      definition, 9
    cupsd, 34
    collecting evidence with, 92
    file auditing using, 92
    Demilitarized Zone, 69
    Denial of Service (DoS)
  • Page 132
    vsftpd, 47
    grep
      file auditing using, 92
    grey hat hacker (see hackers)
    hacker ethic, 9
    hackers
      black hat (see cracker)
    Snort, 88
    RPM Package Manager (RPM), 84
    Tripwire, 84
    types, 83
    ip6tables, 70
    IPsec, 53
      configuration, 58
        host-to-host, 54
      host-to-host, 54
      installing, 54
      network-to-network, 58
      phases, 54...
  • Page 133
    Netfilter, 64
      additional resources, 71
    Netfilter 6, 70
    netstat, 50
    Network Address Translation, 67
      with iptables, 67
    network services, 33
      buffer overflow
        ExecShield, 34
    password security, 23
      aging, 27
      and PAM, 27
      auditing tools, 27
        Crack, 27
        John the Ripper, 27
        Slurpie, 27
      enforcement, 27
      in an organization, 26...
  • Page 134
    and intrusion detection, 84
    importing GPG key, 16
    verifying signed packages, 16, 17
    security considerations
      hardware, 97
      network transmission, 98
      physical networks, 97
    monitoring, 50
    Sendmail, 49
      and NFS, 50
      limiting DoS, 50
    TCP wrappers, 39
      attack warnings, 40
      banners, 39
      logging, 40
    xinetd, 41
      managing resources with, 41...
  • Page 135
    assessing with VLAD the Scanner, 79
    assessment, 75
      defining, 76
      establishing a methodology, 77
      testing, 76
    white hat hacker (see hackers)
    Wi-Fi networks (see 802.11x)
    wireless security, 98
      802.11x, 98
    workstation security, 21
      BIOS, 21
      boot loaders
        passwords, 22
      evaluating
        administrative control, 21
        BIOS, 21
        boot loaders, 21...
