| Chapter 10. Basics of network security | ||
|---|---|---|
|
 |
|
| Chapter 10. Basics of network security | ||
|---|---|---|
|
|
|
|
Table of Contents
What I want to cover now is some basics of security and in covering this; we need to understand some terminology.
A firewall is a router-like device that exists between a trusted network and an untrusted network.
A typical example of an untrusted network is the Internet.
A typical example of a trusted network is your own internal network. Although this is not quite strictly true because most internal networks have been shown to be a source of a lot of security breaches, certainly more breaches than with the Internet.
A firewall is the mechanism that control access in and out of your network.
Almost every network that can be connected to the Internet is restricted through the use of a firewall and that generally blocks people from logging in and doesn't have to block people logging out.
So anybody logging in from the Internet to the Intranet will be blocked at the firewall, people trying to leave via the web browser to surf the net will generally be allowed through the firewall.
A firewall is a packet based device and what that means is that every packet is looked at, considered, weighed up and if meeting the required criteria may be passed through the network.
Many companies believe or have been lead to believe that having a firewall is the beginning and the end of their security set up. In fact, a firewall is only the tip of the iceberg although it is essential because it does block the gremlins from coming in from the outside in many cases.
Certain protocols like ICR for example, are blocked at the firewall whereas HTTP, SMTP (mail) and FTP might well be allowed through.
Protocols that would be blocked from coming in are things like pingsweep or just pings in general, because there's a whole wad of problems that can occur on the network if one allows a ping enter onto your network.
Firewalls offer a degree of protection from the Internet or from an untrusted network.
Often the internal network may have an illegal class address, for example 010.0.1.X, but of course the Internet can only cope with valid addresses, for example 196.7.14.X. As a result, the firewall does a process called NAT, Network Address Translation, where it will translate between the illegal internal address and the legal external address.
This is one of the ways that they've managed to overt the crisis of running out of version 4 (IPv4) IP addresses. Big companies have given back huge stocks of ip addresses for use on the Internet. They use NAT to translate their illegal IP addresses they use on their Intranet to those used in the Internet.
On a Linux machine, Linux can act as both a firewall and a NAT filter and it can also provide all sorts of services like http, sftp and ssh etcetera.
What services is your Linux box providing right now?
One of the ways to see this is to use the netstat command. If you run a "netstat -l"command it will show you what ports are currently listening on your Linux machine.
So you can do a netstat -l and pipe that through "less" and that will show you what ports are currently listening on the Linux machine.
root@debian:/etc# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:1011 *:* LISTEN
tcp 0 0 *:2049 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:webcache *:* LISTEN
tcp 0 0 *:3128 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:nntp *:* LISTEN
tcp 0 0 *:1025 *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 *:discard *:* LISTEN
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 localhost:953 *:* LISTEN
tcp 0 0 debian.zoo.org.za:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
udp 0 0 *:1008 *:*
udp 0 0 *:2049 *:*
udp 0 0 *:icpv2 *:*
udp 0 0 debian.zoo.o:netbios-dgm *:*
udp 0 0 debian.zoo.or:netbios-ns *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 *:ntalk *:*
udp 0 0 *:talk *:*
udp 0 0 *:discard *:*
udp 0 0 *:1026 *:*
udp 0 0 localhost:921 *:*
udp 0 0 *:1025 *:*
udp 0 0 *:791 *:*
udp 0 0 *:1024 *:*
udp 0 0 debian.zoo.org.za:domain *:*
udp 0 0 localhost:domain *:*
udp 0 0 *:sunrpc *:*
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 0 [ ACC ] STREAM LISTENING 184 /var/run/news/nntpin
unix 0 [ ACC ] STREAM LISTENING 327 /tmp/.gdm_socket
unix 0 [ ACC ] STREAM LISTENING 234 /tmp/.font-unix/fs7100
unix 0 [ ACC ] STREAM LISTENING 53122 /dev/printer
root@debian:/etc#
|
Looking at the above report, the following services are some of the services available or listening: the torque server, ntorque the network torque server, telnet, ftp, some rpc, netfile session and netfile's name server.
Now the problem with having so much available, is that people might be connecting to these services without us knowing - so a good rule of thumb is to shut down any services that are not being used.
Many of these services are started as inet services.
Now in Debian there's a file called /etc/inetd.conf which configures a lot of these services, it's a case of editing this file and commenting out using a #, those services that you don't want to be used.
I encourage you now to look through the netstat -l report to determine which of the services that you do not want to use (such as telnet), and to comment these entries out of your inetd.conf file.
root@debian:/etc# cat inetd.conf
# /etc/inetd.conf: see inetd(8) for further informations.
#
# Internet server configuration database
#
#
# Lines starting with "#:LABEL:" or \
"#<off>#" should not
# be changed unless you know what you are doing!
#
# If you want to disable an entry so it isn't touched during
# package updates just comment it out with a single \
'#' character.
#
# Packages should modify this file by using update-inetd(8)
#
# <service_name> <sock_type> <proto> \
<flags> <user> \
<server_path> <args>
#
#:INTERNAL: Internal services
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#time stream tcp nowait root internal
#time dgram udp wait root internal
#:STANDARD: These are standard services.
telnet stream tcp nowait telnetd.telnetd \
/usr/sbin/tcpd
/usr/sbin/in.telnetd
ftp stream tcp nowait root \
/usr/sbin/tcpd
/usr/sbin/in.ftpd
#:BSD: Shell, login, exec and talk are BSD protocols.
talk dgram udp wait nobody.tty
/usr/sbin/in.talkd in.talkd
ntalk dgram udp wait nobody.tty
/usr/sbin/in.ntalkd in.ntalkd
#:MAIL: Mail, news and uucp services.
smtp stream tcp nowait mail \
/usr/sbin/exim exim -bs
#pop-3 stream tcp nowait root \
/usr/sbin/tcpd
/usr/sbin/in.qpopper -f \
/etc/qpopper.conf
#imap2 stream tcp nowait root \
/usr/sbin/tcpd \
/usr/sbin/imapd
#imap3 stream tcp nowait root \
/usr/sbin/tcpd /usr/sbin/imapd
#:INFO: Info services
ident stream tcp wait identd \
/usr/sbin/identd identd
#finger stream tcp nowait nobody \
/usr/sbin/tcpd
/usr/sbin/in.fingerd
#:BOOT: Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers."
#:RPC: RPC based services
#:HAM-RADIO: amateur-radio services
#:OTHER: Other services
#<off># netbios-ns dgram udp wait root
/usr/sbin/tcpd /usr/sbin/nmbd -a
#<off># netbios-ssn stream tcp nowait root
/usr/sbin/tcpd /usr/sbin/smbd
#<off># swat stream tcp nowait.400 root
/usr/sbin/tcpd /usr/sbin/swat
391002/1-2 stream rpc/tcp wait root /usr/sbin/famd fam
root@debian:/etc#
|
In addition to commenting out lines in inetd.conf, you would need to restart your inetd server and the easiest way to do this is to use the "/etc/init.d/inetd restart "command, or to send a kill -SIGHUP to the inetd process.
root@debian:/home# /etc/init.d/inetd restart
Restarting Internet superserver: inetd
.
root@debian:/home#
|
Once you kill the inetd services that you're not using like telnet, time and finger, you then want to have a look at other services.
Look at my netstat - l report again, I see that there are other processes like SMTP and ftp that are currently running and I want to disable these so that people don't connect to me without me knowing.
So once you've shut down on the unnecessary services you can go into your /etc/init.d directory and you can see in the init.d directory there are a whole lot of files that would take the start-up or the shut-down services command.
This means that you could say for example, "/etc/init.d/ftp stop" and that would then stop the ftp server. Debian stops services permanently using the rcconfig.d
Inetd is the "old" way of doing things - the SysVR4 way. Now there is a newer superdaemon - xinetd. It has lots of additional security enhancements and is able to be configured in many different ways, but essentially it offers the same services that inetd did before. It is configured using two sets of files:
/etc/xinetd.conf - the configuration file for xinetd defaults and
/etc/xinetd.d/<service-config-name>
In xinetd, each service has an individual configuration file. Thus, POP3 will have a file containing configuration information for the pop3d daemon. Finger, telnet, rsync, Etc. all have configuration files here. Included below is a copy of the rsync configuration file:
# default: off
# description: The rsync server is a good addition to \
am ftp server, as it \
# allows crc checksumming Etc.
service rsync
{
disable = yes
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}
|
The configuration is fairly straightforward. Options such as disable=yes are specified in the {} for the service. Additionally, xinetd configuration files can include the hosts that are/aren't allowed to connect to this service, what times of the day/night clients may/may not connect, Etc. For more information on configuration of you superdaemon processes, consult the manpage for xinetd.conf (man 5 xinetd.conf).
|
|
 |
|
| Summary |  |
Chapter 11. Network, System and Service Security |