© Michael Hamm, Service Informatique, CRP Henri Tudor page 1 of 52
Linuxdays 2003: Linux Security Tutorial

10. Firewall

10.1 What is a Firewall
10.2 NAT Network Address Translation
10.3 Packet Filter
10.4 Stateful Packet Filter
10.6 Firewall Architectures
10.7 How iptables works
10.8 Using iptables
10.9 Exercise iptables
10.1 What is a Firewall

What is a Firewall?
- a network device for access control;
- it denies unauthorized access to an internal network;
- it works as a single point of access control;

What to protect?
- private data: confidentiality, integrity, availability;
- resources;
- reputation;

What to protect against?
- break-ins;
- Denial of Service;
- loss (theft) of information;
10.1 What is a Firewall

What can a Firewall do?
- it is a very important security measure for rolling out the security policy;
- log important internet activities;
- minimize the points of access available to an attacker;

What can a Firewall NOT do?
- protect against malicious internal users;
- protect other ways into your network;
- protect against entirely new dangers;
- set itself up and manage itself;

Problems with Firewalls:
- they disturb the usual way users access the internet, making users angry;
- internal problems are almost always more important than external problems;
10.2 NAT Network Address Translation

- static NAT (1:1);
- Hidden NAT / Masquerading (*:1);

[Figure: internal hosts 10.1.11.2, 10.1.11.3, 10.1.11.4 and the network 10.1.12.0/24 behind the NAT device; external addresses 172.23.20.2 to 172.23.20.5 towards the Internet.]
10.3 Packet Filter

[Figure: Alice and Bob each run the full TCP/IP stack (Physical Layer, Data Link Layer, Network Layer (IP), Transport Layer (TCP/UDP), Application Layer: web browser, e-mail client, ...); the packet-filtering router between them decides on the Network Layer (IP) and Transport Layer (TCP/UDP) headers of each packet.]
10.4 Stateful Packet Filter

Example: FTP (File Transfer Protocol) in active mode

[Figure: FTP client 10.1.11.100 (control port 10001, data port 10002) and FTP server 172.23.20.2 (control port 21, data port 20). On the control channel the client announces "Port 10002" and the server answers "OK"; the server then opens the data channel from its port 20 to the client's port 10002 (TCP SYN, ACK).]

The stateful filter reads the port announcement on the control channel and concludes: "Aha, I have to generate a rule dynamically: allow incoming from 172.23.20.2:20 to 10.1.11.100:10002".
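The dynamic rule of the slide, as an added example that is not part of the tutorial: a small stateful filter in Python whose FTP helper reads the PORT command on the control channel and then accepts the server's data connection from port 20 as RELATED. Addresses and ports are those of the figure; the packet sequence is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for a bare SYN, i.e. a connection attempt
    payload: bytes = b""


class StatefulFilter:
    """Default-deny filter: inbound connection attempts are dropped unless a
    static rule, an existing connection or a dynamically expected connection
    (the RELATED state) allows them."""

    def __init__(self, inside_prefix, static_rules=()):
        self.inside_prefix = inside_prefix      # e.g. "10.1.11."
        self.static_rules = set(static_rules)   # (dst_ip, dst_port) always allowed inbound
        self.conntrack = set()                  # keys of accepted connections
        self.expected = set()                   # keys announced on a control channel

    @staticmethod
    def key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def _ftp_helper(self, p):
        """On the control channel (port 21) a PORT command from the client
        announces the address and port the server will connect to from port 20."""
        if p.dport == 21 and p.payload.upper().startswith(b"PORT "):
            h1, h2, h3, h4, p1, p2 = (int(x) for x in p.payload[5:].strip().split(b","))
            client, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
            # the dynamically generated rule of the slide:
            # allow incoming from server:20 to client:port
            self.expected.add((p.dst, 20, client, port))

    def handle(self, p):
        """Return '<state>/<verdict>' for one packet and update the state table."""
        k = self.key(p)
        if k in self.conntrack or (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            self._ftp_helper(p)
            return "ESTABLISHED/ACCEPT"
        if k in self.expected:
            self.expected.discard(k)
            self.conntrack.add(k)
            return "RELATED/ACCEPT"
        inbound = p.dst.startswith(self.inside_prefix)
        if p.syn and (not inbound or (p.dst, p.dport) in self.static_rules):
            self.conntrack.add(k)
            return "NEW/ACCEPT"
        return "NEW/DROP"


def active_ftp_demo(with_helper=True):
    """Replay the slide's exchange: control channel, PORT 10002, data SYN from port 20."""
    fw = StatefulFilter("10.1.11.")
    client, server = "10.1.11.100", "172.23.20.2"
    port_cmd = b"PORT 10,1,11,100,39,18\r\n"       # 39*256 + 18 = 10002
    if not with_helper:
        port_cmd = b"NOOP\r\n"                      # constructed: nothing announced
    stream = [
        Packet(client, 10001, server, 21, syn=True),         # client opens control channel
        Packet(client, 10001, server, 21, payload=port_cmd),
        Packet(server, 20, client, 10002, syn=True),         # server opens data channel
    ]
    return [fw.handle(p) for p in stream]
```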
10.5 Application Layer Gateway

[Figure: as in 10.3, but the gateway between Alice and Bob also implements the Application Layer: it terminates the connection and speaks the application protocol itself.]
10.5 Application Layer Gateway

[Figure: client 10.1.11.101, proxy 10.1.11.1 with outer address 172.23.20.1, web server 172.23.20.2 on the Internet; the steps 1 to 5 below are numbered in the figure.]

1. The client wants to visit 172.23.20.2:80; the proxy is 10.1.11.1:3128.
2. The client opens a connection to 10.1.11.1:3128.
3. The proxy opens a connection to 172.23.20.2:80.
4. 172.23.20.2 sends the answer to 172.23.20.1.
5. The proxy sends the answer to 10.1.11.101.
10.6 Firewall Architectures

[Figure: a Packet Filter between the unsafe network and the safe network.]
10.6 Firewall Architectures

[Figure: an Application Gateway between the unsafe network and the safe network, once as a Dual-homed Application Gateway and once as a Single-homed Application Gateway.]
10.6 Firewall Architectures

[Figure: two arrangements of an Application Gateway combined with a Packet Filter between the unsafe network and the safe network.]
10.6 Firewall Architectures

Screened Subnet (DMZ), De-Militarised Zone:

[Figure: two Packet Filters between the unsafe network and the safe network (LAN); the network between the two filters is the DMZ.]
10.6 Firewall Architectures

DMZ with Single-Homed or Dual-Homed Application Gateway:

[Figure: two Packet Filters enclosing the DMZ; the Application Gateway sits in the DMZ, once single-homed and once dual-homed.]
10.6 Firewall Architectures

DMZ with Internet Server:

[Figure: two Packet Filters enclosing the DMZ with the Application Gateway; placement of the Internet server.]
10.6 Firewall Architectures

DMZ with Intranet Server:

[Figure: two Packet Filters enclosing the DMZ with the Application Gateway; placement of the Intranet server.]
10.6 Firewall Architectures

DMZ with a complex Mail and DNS concept:

[Figure: two Packet Filters enclosing the DMZ with the Application Gateway; an internal MAIL/DNS server and an external MAIL/DNS server.]
10.7 How iptables works

1. A packet enters the network interface;
2. the interface unpacks the Data Link Layer information;
3. the interface forwards the packet to the kernel;
4. the kernel investigates the packet and chooses to reject, drop or accept it.
10.8 Using iptables

To view all rules presently loaded into netfilter, we use this command:
  iptables --list

We can also specify a single chain to view, rather than viewing all chains at once:
  iptables --list INPUT

To see numbered rules (by default, they're listed without numbers), use the --line-numbers option:
  iptables --line-numbers --list INPUT

To remove all rules from all chains, we use:
  iptables --flush

The basic syntax for writing iptables rules is:
  iptables -I [nsert] chain_name rule_# rule_specific
           -D [elete]
           -R [eplace]
           -A [ppend]
10.8 Using iptables

Examples: to delete the third rule in the OUTPUT chain, we'd use the command:
  iptables -D OUTPUT 3

To append a rule to the bottom of the INPUT chain:
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m state --state NEW

Options:
  -s sourceIP
  -d destinationIP
  -p tcp | udp | icmp | all
  --dport destinationPort
  --sport sourcePort
  --tcp-flags mask comp          # flags: SYN,ACK,PSH,URG,FIN,RST,ALL,NONE
  --icmp-type type
  -m state --state statespec     # Load the state module, and match the packet if the packet's
                                 # state matches statespec. statespec is a comma-delimited list
                                 # containing some combination of NEW, ESTABLISHED, INVALID,
                                 # or RELATED.
  -j ACCEPT | DROP | LOG | REJECT | [chain_name]
10.9 Exercise iptables

touch my_iptables.sh
chmod 700 my_iptables.sh
vi my_iptables.sh

#!/bin/bash
# Flush old rules
iptables --flush
iptables --delete-chain

# set default deny policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
10.9 Exercise iptables

# Do some rudimentary anti-IP-spoofing drops
iptables -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 255.0.0.0/8 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.??? -j LOG --log-prefix "Spoofed localhost!"
iptables -A INPUT -s 192.168.0.??? -j DROP
10.9 Exercise iptables

# the INPUT chain
# Anti-stealth-scanning rule
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth Scan Attempt?"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Accept inbound packets that are part of previously-OK'ed sessions
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# Accept inbound packets which initiate SSH sessions
iptables -A INPUT -p tcp -j ACCEPT -s 192.168.0.0/8 --dport 22 -m state --state NEW

# Accept inbound packets which initiate FTP sessions
iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW

# Accept inbound packets which initiate HTTP sessions
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW

# Log anything not accepted above
iptables -A INPUT -j LOG --log-prefix "Dropped by default:"
10.9 Exercise iptables

# the OUTPUT chain:
# If it's part of an approved connection, let it out
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outbound ping (comment out when not needed!)
iptables -A OUTPUT -p icmp -j ACCEPT --icmp-type echo-request

# Allow outbound DNS queries, e.g. to resolve IPs in logs
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Log anything not accepted above - if nothing else, for troubleshooting
iptables -A OUTPUT -j LOG --log-prefix "Dropped by default:"
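To see what the LOG rules of this exercise produce, here is an added example that is not from the tutorial: it parses the kernel messages netfilter writes for those rules and classifies the logged sources. The log lines are constructed; the prefixes and the spoof networks are the script's.

```python
import ipaddress
import re
from collections import Counter

# Source networks the exercise script logs and drops as spoofed on the INPUT chain.
SPOOF_NETS = [ipaddress.ip_network(n) for n in (
    "255.0.0.0/8", "0.0.0.0/8", "127.0.0.0/8",
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

FLAG_TOKENS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")


def parse_log_line(line):
    """Split a netfilter LOG message into its --log-prefix text, its KEY=value
    fields and the bare flag tokens (DF, SYN, ACK, ...).  None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"PREFIX": m.group("prefix").strip(), "FLAGS": set()}
    for token in ("IN=" + m.group("rest")).split():
        if "=" in token:
            key, _, value = token.partition("=")
            rec[key] = value
        elif token in FLAG_TOKENS:
            rec["FLAGS"].add(token)
    return rec


def is_spoofed_source(rec):
    """Inbound packet (IN set) whose SRC lies in one of the spoof networks.
    Outbound packets are skipped: the anti-spoofing rules sit on INPUT only."""
    if not rec.get("IN") or "SRC" not in rec:
        return False
    src = ipaddress.ip_address(rec["SRC"])
    return any(src in net for net in SPOOF_NETS)


def is_stealth_scan(rec):
    """A logged TCP packet that carries no SYN is what the '! --syn --state NEW'
    rule is meant to catch (heuristic: the prefix is the authoritative signal)."""
    return rec.get("PROTO") == "TCP" and "SYN" not in rec["FLAGS"]


def analyse(lines):
    """Summarise a batch of kernel log lines the way a log review would."""
    records = [r for r in map(parse_log_line, lines) if r]
    return {
        "by_prefix": dict(Counter(r["PREFIX"] for r in records)),
        "spoofed": [r["SRC"] for r in records if is_spoofed_source(r)],
        "stealth": [(r["SRC"], r["DPT"]) for r in records if is_stealth_scan(r)],
    }


# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "Mar 22 22:25:26 fw kernel: Spoofed source IP!IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 "
    "SRC=10.0.0.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10528 DF PROTO=TCP SPT=1052 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 22 22:25:27 fw kernel: Stealth Scan Attempt?IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 "
    "SRC=203.0.113.7 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0",
    "Mar 22 22:25:28 fw kernel: Dropped by default:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 "
    "SRC=203.0.113.7 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar 22 22:25:29 fw kernel: Dropped by default:IN= OUT=eth0 "
    "SRC=192.168.0.10 DST=198.51.100.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=123 DPT=123 LEN=56",
]
```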
11. IDS – Intrusion Detection System

11.1 What is ID
11.2 Host Based IDS
11.3 Tripwire
11.4 Network Based IDS
11.5 Snort
11.1 What is ID

"the art of detecting inappropriate, incorrect, or anomalous activity"

- An IDS provides:
  -- monitoring and analysis of user and system activity;
  -- auditing of system configurations and vulnerabilities;
  -- assessing the integrity of critical system and data files;
  -- operating system audit;
- Classified by operation mode:
  -- Host Intrusion Detection Systems (HIDS);
  -- Network Intrusion Detection Systems (NIDS);
  -- Network Node Intrusion Detection Systems (NNIDS);
- Classified by how they work:
  -- Knowledge Based Intrusion Detection Systems;
  -- Behavior (Anomaly) Based Intrusion Detection Systems;
11.1 What is ID

An IDS CAN:
- add an additional layer of security to your infrastructure;
- trace user activity from point of entry to point of impact;
- recognize and report alterations of data;
- detect when your system is under attack;
- detect errors in your system configuration;

An IDS CAN NOT:
- be the answer to all security problems;
- compensate for weak identification and authentication mechanisms;
- compensate for a weak security policy;
- conduct investigations of attacks without human intervention;
- compensate for weaknesses in network protocols;
- compensate for problems in the quality or integrity of the information the system provides;
11.2 Host Based IDS

- log analyzers:
  -- Logsurfer
  -- Fwlogwatch
  -- Logwatch
  -- Logsentry (formerly Logcheck)
- file integrity:
  -- Tripwire
- rights management at kernel and process level:
  -- LIDS (Linux Intrusion Detection System)
  -- SNARE
11.3 Tripwire

Tripwire File Hierarchy
  /usr/sbin/tripwire                      Binaries
  /etc/tripwire/                          Configuration Files
  /var/lib/tripwire/$(HOSTNAME)           Database File
  /var/lib/tripwire/report/$(HOSTNAME)    Report Files

Installing
- RH9.0 CD-ROM 3
- use rpm
- cd /etc/tripwire
- ./twinstall.sh
11.3 Tripwire

Tripwire Configuration twcfg.txt --> tw.cfg

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =1
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =true
MAILPROGRAM            =/usr/lib/sendmail -oi -t
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##############################################
#                                            #
#        Global Variable Definitions         #
#                                            #
##############################################

@@section GLOBAL
TWDOCS="/usr/doc/tripwire";
TWBIN="/usr/sbin";
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
# HOSTNAME=dumpstar;
# HOSTNAME=arthur;
ADMIN1="root@localhost";
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen    -> $(SEC_BIN) ;
  $(TWBIN)/tripwire  -> $(SEC_BIN) ;
  $(TWBIN)/twadmin   -> $(SEC_BIN) ;
  $(TWBIN)/twprint   -> $(SEC_BIN) ;
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Tripwire Data Files
(
  rulename = "Tripwire Data Files",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  $(TWDB)                           -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                   -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                   -> $(SEC_BIN) -i ;
  # $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
  $(TWSKEY)/site.key                -> $(SEC_BIN) ;
  # don't scan the individual reports
  $(TWREPORT)                       -> $(SEC_CONFIG) (recurse=0) ;
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Commonly accessed directories that should remain static
# with regards to owner and group
(
  rulename = "Invariant Directories",
  emailto = $(ADMIN1),
  severity = $(SIG_MED)
)
{
  /               -> $(SEC_INVARIANT) (recurse = 0) ;
  /home           -> $(SEC_INVARIANT) (recurse = 0) ;
  /usr            -> $(SEC_INVARIANT) (recurse = 0) ;
  /usr/local      -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc            -> $(SEC_CONFIG) ;
  /etc/mtab       -> $(SEC_CONFIG) -i ;  # Inode number changes on any mount/unmount
  /etc/issue.net  -> $(SEC_CONFIG) -i ;  # Inode number changes
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# File System and Disk Administration Programs
# OS Utilities
# User Binaries
(
  rulename = "File System and OS Utilities",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  /sbin            -> $(SEC_CRIT) ;
  /bin             -> $(SEC_CRIT) ;
  /usr/sbin        -> $(SEC_CRIT) ;
  /usr/bin         -> $(SEC_CRIT) ;
  /usr/local/sbin  -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/bin   -> $(SEC_BIN) (recurse = 1) ;
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Temporary directories
(
  rulename = "Temporary directories",
  emailto = $(ADMIN1),
  recurse = false,
  severity = $(SIG_LOW)
)
{
  /var/tmp  -> $(SEC_INVARIANT) ;
  /tmp      -> $(SEC_INVARIANT) ;
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# ReadOnly
(
  rulename = "ReadOnly",
  emailto = $(ADMIN1),
  severity = $(SIG_MED)
)
{
  /lib        -> $(SEC_BIN) ;
  /var        -> $(SEC_LOG) ;
  /var/log    -> $(SEC_LOG) -il ;
  /var/spool  -> $(SEC_INVARIANT) ;
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Libraries
(
  rulename = "Libraries",
  emailto = $(ADMIN1),
  severity = $(SIG_MED)
)
{
  /var/lib        -> $(SEC_BIN) ;
  /usr/lib        -> $(SEC_BIN) ;
  /usr/local/lib  -> $(SEC_BIN) ;
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Critical System Boot Files
(
  rulename = "Critical system boot files",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  /boot  -> $(SEC_CRIT) ;
  # /sbin/lilo -> $(SEC_CRIT) ;
  !/boot/System.map ;
  !/boot/module-info ;
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# These files change every time the system boots
(
  rulename = "System boot changes",
  emailto = $(ADMIN1),
  severity = $(SIG_HI)
)
{
  !/var/run/ftp.pids-all ;          # Comes and goes on reboot.
  !/root/.enlightenment ;
  /dev/log      -> $(SEC_CONFIG) ;
  /dev/console  -> $(SEC_CONFIG) -u ;
  /dev/tty0     -> $(SEC_CONFIG) ;  # tty devices
  /dev/tty1     -> $(SEC_CONFIG) ;  # tty devices
  /dev/tty2     -> $(SEC_CONFIG) ;  # tty devices
  /dev/tty3     -> $(SEC_CONFIG) ;  # are extremely
  /dev/tty4     -> $(SEC_CONFIG) ;  # variable
  /dev/tty5     -> $(SEC_CONFIG) ;
  /dev/tty6     -> $(SEC_CONFIG) ;
  /dev/urandom  -> $(SEC_CONFIG) ;
  /dev/initctl  -> $(SEC_CONFIG) ;
  /var/run      -> $(SEC_CONFIG) ;  # daemon PIDs
  /var/lock     -> $(SEC_CONFIG) ;
  /lib/modules  -> $(SEC_CONFIG) ;
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# These files change the behavior of the root account
(
  rulename = "Root config files",
  emailto = $(ADMIN1),
  severity = 100
)
{
  /root                -> $(SEC_CRIT) -amc ;  # Catch all additions to /root
  /root/.bashrc        -> $(SEC_CONFIG) ;
  /root/.profile       -> $(SEC_CONFIG) ;
  /root/.bash_history  -> $(SEC_CONFIG) ;
}
11.3 Tripwire

Tripwire Configuration twpol.txt --> tw.pol

##########################
# Critical devices
(
  rulename = "Critical devices",
  emailto = $(ADMIN1),
  severity = $(SIG_HI),
  recurse = false
)
{
  /dev/kmem      -> $(Device) ;
  /dev/mem       -> $(Device) ;
  /dev/null      -> $(Device) ;
  /dev/zero      -> $(Device) ;
  /proc/devices  -> $(Device) ;
  /proc/ksyms    -> $(Device) ;
  /proc/loadavg  -> $(Device) ;
  /proc/uptime   -> $(Device) ;
  /proc/locks    -> $(Device) ;
  /proc/version  -> $(Device) ;
  /proc/meminfo  -> $(Device) ;
  /proc/cmdline  -> $(Device) ;
  /proc/misc     -> $(Device) ;
}
11.3 Tripwire

Running tripwire for the first time:

Create the signed tw.cfg from twcfg.txt:
  twadmin -m F -S site.key twcfg.txt

Create the signed tw.pol from twpol.txt:
  twadmin -m P -S site.key twpol.txt

Initialize the Tripwire database:
  tripwire --init

Running tripwire manually on a regular basis:
  tripwire -m c -I

Running tripwire from crontab and receiving the report by e-mail:
  tripwire -m c -M > /dev/null
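As an added example, not Tripwire's own code, this miniature integrity checker mirrors the policy idea of the twpol.txt fragments above: property masks in the spirit of $(ReadOnly), $(Growing) and +tpug, the severities SIG_LOW/SIG_MED/SIG_HI and a recurse flag, applied to a constructed temporary directory tree in which, after the baseline, a log grows, a binary is replaced and a new file appears.

```python
import hashlib
import os
import stat
import tempfile

# Property masks in the spirit of the SEC_* variables above: the attributes of an
# object that must not change.  Severities are the slide's SIG_* values.
READ_ONLY = frozenset({"mode", "uid", "gid", "size", "sha256"})  # SEC_BIN, $(ReadOnly)
GROWING = frozenset({"mode", "uid", "gid"})    # SEC_LOG, $(Growing): size may only grow
INVARIANT = frozenset({"mode", "uid", "gid"})  # SEC_INVARIANT, +tpug
SIG_LOW, SIG_MED, SIG_HI = 33, 66, 100


def snapshot(path):
    """One database entry.  Size and hash are kept for regular files only, so a
    directory that gains entries shows up as 'added' objects, not as a size change."""
    st = os.lstat(path)
    regular = stat.S_ISREG(st.st_mode)
    props = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
             "size": st.st_size if regular else None, "sha256": None}
    if regular:
        with open(path, "rb") as f:
            props["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return props


def covered(path, recurse):
    """Objects a rule covers: the path itself and, with recurse, everything below it."""
    if not os.path.lexists(path):
        return
    yield path
    if recurse and os.path.isdir(path):
        for dirpath, dirnames, filenames in os.walk(path):
            for name in dirnames + filenames:
                yield os.path.join(dirpath, name)


def build_database(policy):
    """tripwire --init.  policy maps a path to (mask, severity, recurse)."""
    return {p: snapshot(p) for path, (_, _, recurse) in policy.items()
            for p in covered(path, recurse)}


def check(policy, db):
    """tripwire --check: (severity, kind, path, changed attributes), highest severity first."""
    findings = []
    for path, (mask, severity, recurse) in policy.items():
        now = {p: snapshot(p) for p in covered(path, recurse)}
        old = {p: v for p, v in db.items()
               if p == path or (recurse and p.startswith(path + os.sep))}
        findings += [(severity, "added", p, None) for p in now.keys() - old.keys()]
        findings += [(severity, "removed", p, None) for p in old.keys() - now.keys()]
        for p in now.keys() & old.keys():
            changed = {k for k in mask if old[p][k] != now[p][k]}
            if mask is GROWING and (now[p]["size"] or 0) < (old[p]["size"] or 0):
                changed.add("size")           # a log may grow but never shrink
            if changed:
                findings.append((severity, "changed", p, sorted(changed)))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


def demo(root=None):
    """Constructed tree: a 'binaries' directory, a growing log and a scratch directory."""
    root = root or tempfile.mkdtemp(prefix="twdemo-")
    bindir, logfile, tmpdir = (os.path.join(root, n) for n in ("bin", "messages", "tmp"))
    for d in (bindir, tmpdir):
        os.makedirs(d, exist_ok=True)
    binary = os.path.join(bindir, "tripwire")
    with open(binary, "wb") as f:
        f.write(b"\x7fELF original")
    with open(logfile, "wb") as f:
        f.write(b"boot\n")
    policy = {bindir: (READ_ONLY, SIG_HI, True),     # cf. $(TWBIN)/... -> $(SEC_BIN)
              logfile: (GROWING, SIG_MED, False),    # cf. /var/log -> $(SEC_LOG)
              tmpdir: (INVARIANT, SIG_LOW, False)}   # cf. /tmp -> $(SEC_INVARIANT)
    db = build_database(policy)
    # After the baseline: legitimate log growth, a replaced binary, a new file, a temp file.
    with open(logfile, "ab") as f:
        f.write(b"login ok\n")
    with open(binary, "wb") as f:
        f.write(b"\x7fELF trojan")
    with open(os.path.join(bindir, "rootkit"), "wb") as f:
        f.write(b"x")
    open(os.path.join(tmpdir, "scratch"), "wb").close()   # not recursed, so no finding
    return check(policy, db)
```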
11.4 Network Based IDS

- A network-based ID system monitors the traffic on its network segment as a data source;
- it places the network interface card in promiscuous mode to capture all network traffic;
- it looks at the packets on the network as they pass by some sensor;
- a sensor can only see the packets that happen to be carried on the network segment it is attached to;
- packets are considered to be of interest if they match a signature;
- the three primary types of signatures are string signatures, port signatures, and header condition signatures;
11.4 Network Based IDS

String signatures look for a text string that indicates a possible attack.
- "cat "+ +" > /.rhosts" causes a UNIX system to become extremely vulnerable;

Port signatures simply watch for connection attempts to well-known, frequently attacked ports.
- telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143). If any of these ports aren't used by the site, then incoming packets to these ports are suspicious;
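As an added example, not part of the tutorial and not Snort, the three signature types applied to constructed packets: the string and the port list are the slide's, while the header condition signatures (TCP flag combinations no normal stack sends) are my assumed illustration, since the slide describing them did not survive.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"}
    payload: bytes = b""


# String signatures: a text string that indicates a possible attack (the slide's example).
STRING_SIGS = {b'cat "+ +" > /.rhosts': "rhosts trust-all"}

# Port signatures: well-known, frequently attacked ports the site does not use,
# so any connection attempt to them is suspicious (the slide's list).
UNUSED_PORTS = {("tcp", 23): "telnet", ("tcp", 21): "ftp", ("tcp", 20): "ftp-data",
                ("tcp", 111): "sunrpc", ("udp", 111): "sunrpc", ("tcp", 143): "imap"}

# Header condition signatures (assumed illustration): flag combinations no normal
# TCP stack sends, typical of scanners probing how a host answers.
HEADER_SIGS = [
    ("null scan", lambda f: not f),
    ("xmas scan", lambda f: {"FIN", "PSH", "URG"} <= f),
    ("syn+fin", lambda f: {"SYN", "FIN"} <= f),
]


def match(p):
    """Return the (signature type, name) pairs one packet triggers."""
    hits = []
    for pattern, name in STRING_SIGS.items():
        if pattern in p.payload:
            hits.append(("string", name))
    service = UNUSED_PORTS.get((p.proto, p.dport))
    attempt = p.proto == "udp" or p.flags == frozenset({"SYN"})   # a connection attempt
    if service and attempt:
        hits.append(("port", service))
    if p.proto == "tcp":
        hits += [("header", name) for name, cond in HEADER_SIGS if cond(p.flags)]
    return hits


def scan(packets):
    """Run all signatures over a packet list; return (index, type, name) alerts."""
    return [(i, kind, name) for i, p in enumerate(packets) for kind, name in match(p)]


SAMPLE = [  # constructed traffic; 203.0.113.0/24 is a documentation range
    Packet("203.0.113.9", "10.1.11.100", "tcp", 80, frozenset({"SYN"})),            # normal
    Packet("203.0.113.9", "10.1.11.100", "tcp", 23, frozenset({"SYN"})),            # telnet attempt
    Packet("203.0.113.9", "10.1.11.100", "tcp", 23, frozenset({"ACK", "PSH"}),
           b'cat "+ +" > /.rhosts\r\n'),                                            # inside a session
    Packet("203.0.113.9", "10.1.11.100", "tcp", 22, frozenset()),                   # null scan
    Packet("203.0.113.9", "10.1.11.100", "udp", 111),                                # sunrpc probe
    Packet("203.0.113.9", "10.1.11.100", "tcp", 80, frozenset({"FIN", "PSH", "URG"})),  # xmas
]
```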
11.5 Snort

Snort File Hierarchy
  /usr/sbin/       Binary Files
  /etc/snort       Config Files
  /var/log/snort   Log Files

Installation
- pre-install libpcap from CD-ROM 2
- use the tar.gz

After installation, check:
  cat /etc/passwd
  cat /etc/shadow
  cat /etc/group
  ls -ld /var/log/snort
  grep snort /etc/init.d/snortd
11.5 Snort

Invo­king snort as a sniffer

bash-# snort -dvi eth0

03/22-22:25:26.041707 192.168.100.20:1052 -> 10.10.117.13:80
TCP TTL:63 TOS:0x10 ID:10528 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8651A4AB  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1805707 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/22-22:25:26.046576 10.10.117.13:80 -> 192.168.100.20:1052
TCP TTL:64 TOS:0x0 ID:33016 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x6D4A1B04  Ack: 0x8651A4AC  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 63072524 1805707 NOP
TCP Options => WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11.5 Snort

Using Snort as a Packet Logger
  bash-# snort -d -l ./snort/ -h 10.10.20.0/24

  -d  decode packets
  -h  specify the home network

To "replay" the file (convert it to ASCII and display it) with Snort, use the -r flag:
  bash-# snort -dv -r /var/log/snort/snort-0324\@2146.log
11.5 Snort

Configuring and Using Snort as an IDS

snort.conf usually takes this form:
- Variable definitions
- Preprocessor plug-in statements
- Output (postprocessor) statements
- Rules (in practice, usually include statements referring to rule files)

Variable definitions:
  var HOME_NET 33.22.11.0/24,10.9.0.0/16,etc.
  var DNS_SERVERS 33.22.11.1 33.22.11.32 etc

Output (postprocessor) statements:
  output database: log, mysql, user=root dbname=snort host=localhost

Rules:
  include bad-traffic.rules
11.5 Snort

Starting snort in IDS mode

Invoke snort with the -T flag to test your configuration:
  bash-# snort -T -c /etc/snort/snort.conf

When you and Snort are both happy:
  bash-# snort -Dd -z est -c /etc/snort/snort.conf

Review your log files:
- Port-scan entries in /var/log/snort/alert
- Some packet headers logged to /var/log/snort/portscan.log