An Introduction to Internet security
Security means protecting a system from unexpected events. A backup is a measure against events such as fire, electrical damage and similar failures. This chapter covers Internet security, and therefore aims to prevent intrusions and to locate the weak points of a system, such as open ports.
If your Web server needs local or external users to reach the system via telnet, the telnet service has to run. Otherwise it is better to close it: telnet sends the user name and password in clear text, so anyone sniffing the network path can read them, and ssh should be preferred wherever possible.
From the Red Hat 7.x series telnet is started by xinetd; to enable or disable it, simply run "ntsysv" and select or deselect telnet.

The same applies to ftp and to other services such as ssh (the Secure Shell), which needs the sshd daemon (the Secure Shell daemon) to be running on the server:
[root@ftosx1 root]# ssh www
The authenticity of host 'www (192.168.1.63)' can't be established.
RSA key fingerprint is a5:f9:9c:c9:f6:21:e1:3b:99:66:4c:fc:00:5d:f6:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'www,192.168.1.63' (RSA) to the list of known hosts.
root@www's password:
Last login: Wed Nov 7 15:53:05 2001 from ftosx1.futuretg.com
[root@www /root]#
This shell offers an encrypted connection. The RSA fingerprint shown above is that of the server's host key (RSA stands for Rivest, Shamir and Adleman): ssh uses it to authenticate the server and to negotiate a session key, and the session itself is then encrypted with a symmetric cipher. Before answering "yes", compare the fingerprint with one obtained from the server's administrator through another channel; once accepted it is stored in ~/.ssh/known_hosts, and ssh warns loudly if the key of "www" ever changes, which can indicate a man-in-the-middle attack.
A firewall is a method to filter access. In Linux there are different ways to set up a firewall. For example anaconda, during the installation (or reconfiguration) phase, may ask for the level of protection and for the protection of a specific device.

In Linux the packet filter has been built into the kernel since the 2.2.x series, where it is driven by "ipchains". The 2.4.x kernels replace it with the netfilter framework and the "iptables" command; ipchains is kept only through a compatibility module.
This chapter describes the firewall setup with "ipchains", which on a freshly installed system is generally already running as a service.
To do that simply run setup.

Then choose "Firewall configuration" and the following screen appears.
Here it is possible to choose "High", "Medium" or simply "No Firewall".

Under "Advanced" it is possible to firewall basically each port.

After this choice you need to reboot the system, or simply start the firewall chains with "/etc/rc.d/init.d/ipchains start".
To set up a rule, choose "New". Rules may be modified at any moment.

If your kernel does not support "ipchains", it has to be reconfigured. Simply follow these instructions:
[root@www src]# pwd
/usr/src
[root@www src]# cd linux
[root@www linux]# make xconfig

Now open the "Networking options" screen; all you need to set is in it.
Choose "Network packet filtering (replaces ipchains)".
("Replaces" means that the new netfilter code takes the place of the ipchains code; the ipchains compatibility module built under the same menu lets you continue to use the "ipchains" command.) Then click "IP: Netfilter Configuration" and a screen like this appears:

You then run the standard commands to enable IP forwarding and masquerading on the forward chain:
[root@www /root]#
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A forward -j MASQ
[root@www /root]#
"ipchains" is the normal (now old) way to protect your server and network. Note that the rule above masquerades every forwarded packet: restrict it to your own network with "-s 192.168.1.0/24" (adapt the address), and add explicit input rules for the ports you want to deny, since masquerading by itself is address translation, not filtering.
The access to any local network will be not possible and also the possibility
Protecting Web directories with Apache htaccess
Apache offers a simple and flexible way to protect access to specific directories, using .htaccess files.
For example we can create a file called .htaccess similar to the following
[root@www modules]# more .htaccess
deny from all
[root@www modules]#
in a directory published on the Web, and no one can access the files in that directory through Apache. This works only if httpd.conf allows it for that directory tree (AllowOverride must include at least Limit; with AllowOverride None the .htaccess file is silently ignored), and it does not replace file system permissions for local users.
The purpose of these Apache files is, as the name says, to protect access to specific directories; in other words to grant and deny access according to passwords.
Creating them is very simple.
For example, suppose that you want to protect under password the access on the directory "/mnt/www/FTLinuxCourse.com/FTLC_Private"
Therefore, we need to create the .htaccess file in this directory.
So, we go to the directory.
[root@www root]# cd /mnt/www/FTLinuxCourse.com/FTLC_Private
and run the command:
[root@www FTLC_Private]# htpasswd -c /etc/httpd/LWC_users carl
The '-c' flag creates the file; use it only for the first user, because it overwrites an existing file. Any other user is added by running the command without '-c':
htpasswd /etc/httpd/LWC_users mary
Run the same command for each new user. Keep the password file outside the document root, as done here with /etc/httpd/LWC_users, so that it can never be downloaded through the Web server.
It is also possible to grant or deny access using CGI or PHP code that checks a MySQL database. This is a little more complex to implement, since your own code must then store the passwords safely and handle the sessions.
The .htaccess file is the normal solution. It may still be necessary to protect these pages in a more secure way, as described below for https.
Now, to protect a directory you need to put the .htaccess file in that directory.
[root@www FTLC_Private]# more .htaccess
AuthName "LinuxWebCampus Access Area"
AuthType Basic
AuthUserFile /etc/httpd/LWC_users
require valid-user
[root@www FTLC_Private]#
With this mechanism all the users listed in the password file can access the directory and every level below it: the .htaccess file applies to the directory where it sits and to all its subdirectories, unless a subdirectory has its own .htaccess that overrides it.
If you want the user john to access the directory while the user mary does not, update the file to:
[root@www FTLC_Private]# more .htaccess
AuthName "LinuxWebCampus Access Area"
AuthType Basic
AuthUserFile /etc/httpd/LWC_users
require user john
[root@www FTLC_Private]#
The user "mary" cannot access the directory because the .htaccess does not list her; only "john" can. The directive is "require user" followed by one or more user names ("require valid-user" accepts everyone in the password file).
It is also advisable to offer access over https (https://www.futuretg.com), so that no one can read the data in transit. With plain http, Basic authentication sends the user name and password base64-encoded, not encrypted, in every request, and anyone with a sniffer on the path can read them, together with the protected pages themselves. Over https the credentials and the pages travel encrypted.
The Internet is a great thing, but a disaster may happen at any moment; freedom and the misuse of know-how also produce bad people.
GPG is a remedy, available for free, to protect documents and Web sites. Its most common use is to encrypt documents so that unauthorized people cannot read them; a company may also use it to sign its RPM packages.
There are two major implementations of this public-key scheme: PGP and GPG. The first is the commercial product; the second, GnuPG, is the GNU implementation of the OpenPGP standard and runs on Linux systems.
We list here the commands to generate and preserve the keys, and how to apply them to protect documents.
The command to generate the keys is:
gpg --gen-key
As soon as the key is generated, protect it by creating a revocation certificate. Keep it in a safe place: you will need it if the secret key or its passphrase is ever lost or compromised, and anyone who obtains it can revoke your key.
gpg --output revoke.asc --gen-revoke gorlando
Now export the public key (the argument selects the key by a string contained in its user ID):
gpg --armor --export www.futuretg.com
To print the keys, or to generate the RPM-GPG-KEY file that users import to verify the signed packages, run:
gpg --list-keys > RPM-PGP-KEY
gpg --armor --export gorlando@futuretg.com >> RPM-PGP-KEY
For example, the public key for FTOSX, is the following:
------------------------
pub 1024D/191E2E06 2002-03-06 Future Technologies Inc
(The TOTAL Linux company) <thunder@futuretg.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
...
=BiSa
-----END PGP PUBLIC KEY BLOCK-----
It is then possible to encrypt and decrypt documents. For example, to encrypt a document so that only the holder of the recipient's secret key can read it:
[root@ftosx1 root]# gpg --output mydoc.gpg --encrypt --recipient gorlando@futuretg.com araguaney.doc
To decrypt it (gpg asks for the passphrase of the secret key):
[root@ftosx1 root]# gpg --output doc --decrypt mydoc.gpg
Not everyone respects the rules on which a society is built. There are people who, for some strange reason, want to get into your Web server; they are generally called "hackers".
If your "/var/log/messages" file includes lines like:
Apr 2 08:07:41 www kernel: eth0: Setting promiscuous mode.
Apr 2 08:07:41 www kernel: device eth0 entered promiscuous mode
... then a sniffer has been started on your system. Only root can put an interface into promiscuous mode, so unless an administrator was running a tool such as tcpdump at that time, someone already has root on the machine and is capturing the traffic, and any clear-text passwords, passing through eth0.
If the "hacker" completes the destruction, generally you cannot log in any more and it becomes "necessary" to reinstall the Web server. In some cases only a local login, or a "single" user session, is still possible. Generally they remove their tracks by deleting the "/var/log" directory, and with it the logs.
This intrusion opens a new chapter for the company. You and your company will understand that there is a danger: not only taxes, not only employee problems, but also hackers who may hijack your system without notice.
Protecting your system from unauthorized persons is a "mission", a job that is fundamental for the survival of the company.
The authorities, like the Police in any country, may help you to locate these persons and stop them. Of course, they are your "personal" and "company" enemy.
The real problem is that in the Internet age these problems are an everyday occurrence.
How do they get in?
They generally start with a port scanner, to check which ports are open, and with a "sniffer" program; network programmers can write one, and there are thousands of them on the Web. A sniffer placed on the network path captures clear-text sessions, telnet and ftp among them, and with them user names and passwords.
Once they have root, they put the "eth0" device into promiscuous mode and, sitting comfortably in your Web server, sniff the rest of your network from it.
They can enter using the "telnet" port.
Of course, if the "telnet" port is open, they may capture or guess the password with another program and log in.
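As an added example, not part of the original course, the following Python script applies the checks described above to a few constructed /var/log/messages lines: promiscuous-mode messages from the kernel, xinetd START records for telnet sessions and FAILED LOGIN records from the login program. The sample lines, the allowed address range (192.168.) and the exact message formats are assumptions made for the example; adapt the regular expressions to what your syslog actually produces.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines (assumed formats, not real logs).
SAMPLE_MESSAGES = """\
Apr  2 08:07:41 www kernel: eth0: Setting promiscuous mode.
Apr  2 08:07:41 www kernel: device eth0 entered promiscuous mode
Apr  2 08:09:12 www xinetd[5791]: START: telnet pid=6120 from=10.0.0.7
Apr  2 08:09:15 www login[6120]: FAILED LOGIN 1 FROM 10.0.0.7 FOR root, Authentication failure
Apr  2 08:09:20 www login[6120]: FAILED LOGIN 2 FROM 10.0.0.7 FOR root, Authentication failure
Apr  2 08:10:02 www kernel: device eth0 left promiscuous mode
Apr  2 09:00:00 www xinetd[5791]: START: ftp pid=6201 from=192.168.1.93
"""

# Kernel message when an interface is switched to promiscuous mode (a sniffer was started).
PROMISC_RE = re.compile(r"kernel: (?:device )?(\w+)[: ]+(?:Setting|entered) promiscuous mode")
# xinetd START record: service name and the client address.
XINETD_RE = re.compile(r"xinetd\[\d+\]: START: (\w+) pid=\d+ from=(\S+)")
# login(1) failure record: client address and the user name that was tried.
FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")


def triage(log_text):
    """Extract the three kinds of events from syslog text."""
    report = {"promiscuous": [], "telnet_from": [], "failed_logins": Counter()}
    for line in log_text.splitlines():
        m = PROMISC_RE.search(line)
        if m:
            report["promiscuous"].append(m.group(1))
            continue
        m = XINETD_RE.search(line)
        if m:
            if m.group(1) == "telnet":
                report["telnet_from"].append(m.group(2))
            continue
        m = FAILED_RE.search(line)
        if m:
            report["failed_logins"][(m.group(1), m.group(2))] += 1
    return report


def findings(report, allowed_prefixes=("192.168.",)):
    """Turn the raw events into findings that deserve an immediate look."""
    out = []
    if report["promiscuous"]:
        ifaces = ", ".join(sorted(set(report["promiscuous"])))
        out.append("sniffer started on " + ifaces + " (root already on this host?)")
    for host in report["telnet_from"]:
        # Telnet from outside the internal range (assumed to be 192.168.x.y).
        if not host.startswith(allowed_prefixes):
            out.append("telnet session from outside the allowed range: " + host)
    for (host, user), n in sorted(report["failed_logins"].items()):
        # Any failed root login, or a burst of failures, is a password guess.
        if user == "root" or n >= 3:
            out.append(f"{n} failed login(s) for {user} from {host}")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_MESSAGES)):
        print(line)
```

Run it against the real file with `triage(open("/var/log/messages").read())`; a promiscuous-mode finding on a server where nobody was running a sniffer is the point at which to stop trusting the host.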
Check if your telnet port is open by running the command:
[root@ftosx1 root]# telnet www.futuretg.com
Connected to www.futuretg.com (192.168.1.63).
Escape character is '^]'.
Red Hat Linux release 7.2 (Enigma)
Kernel 2.4.7-10 on an i686
login:
Using "xinetd" it is possible to accept telnet connections only from internal addresses, that is from 192.168.X.Y.
To close the "telnet" service you "disable" it: simply add the line "disable = yes" to the "telnet" service file in the xinetd.d directory (/etc/xinetd.d/telnet). With the older "inetd.conf" you comment out the telnet line instead.
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable         = yes
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        only_from       = 192.168.1.93
}
There is no need to reboot; restarting xinetd is enough:
[root@www xinetd.d]# /etc/rc.d/init.d/xinetd restart
Stopping xinetd:
[ OK ]
Starting xinetd:
[ OK ]
[root@www xinetd.d]#
After the restart the port is closed:
[root@ftosx1 root]# telnet www.futuretg.com
telnet: Unable to connect to remote host: Connection refused
[root@ftosx1 root]#
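The checks just described (disable = yes, and only_from for whatever stays enabled) can be run across the whole /etc/xinetd.d directory instead of one file at a time. The following Python script is an added example, not part of the course: it parses xinetd service stanzas and reports enabled clear-text services and services that have no only_from restriction. The two stanzas embedded in it are constructed samples (the telnet one mirrors the file shown above; the ftp one is assumed), and audit_dir reads the real files from the path you give it.

```python
import os
import re

# Constructed sample stanzas (the telnet one follows the file shown in the text).
TELNET_CONF = """\
# default: on
# description: The telnet server serves telnet sessions; it uses
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable         = yes
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        only_from       = 192.168.1.93
}
"""

FTP_CONF = """\
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
}
"""

# One "service name { ... }" block; re.S lets the body span lines.
STANZA_RE = re.compile(r"^\s*service\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
# One "key = value" or "key += value" attribute line.
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+?=)\s*(.*?)\s*$")

# Services that send credentials in clear text; ssh is the replacement for the first three.
CLEARTEXT = {"telnet", "ftp", "rsh", "rlogin", "rexec"}


def parse_xinetd(text):
    """Return {service name: {attribute: value}} for every stanza in text."""
    services = {}
    for name, body in STANZA_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]          # drop trailing comments
            m = ATTR_RE.match(line)
            if not m:
                continue
            key, op, value = m.groups()
            if op == "+=":                        # "+=" appends to an existing value
                attrs[key] = (attrs.get(key, "") + " " + value).strip()
            else:
                attrs[key] = value
        services[name] = attrs
    return services


def audit(services):
    """List the problems an administrator should fix, in stanza order."""
    issues = []
    for name, attrs in services.items():
        if attrs.get("disable", "no").lower() == "yes":
            continue                              # disabled: nothing listens
        if name in CLEARTEXT:
            issues.append(f"{name}: cleartext service enabled")
        if "only_from" not in attrs:
            issues.append(f"{name}: no only_from restriction, reachable from any host")
    return issues


def audit_dir(path="/etc/xinetd.d"):
    """Parse every file in an xinetd.d directory and audit the result."""
    text = ""
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full) as fh:
                text += fh.read() + "\n"
    return audit(parse_xinetd(text))


if __name__ == "__main__":
    for issue in audit(parse_xinetd(TELNET_CONF + FTP_CONF)):
        print(issue)
```

On the sample the disabled telnet stanza is silent and the ftp stanza produces two findings; a clean run over the real directory means every remaining service is either disabled or restricted with only_from, which is exactly the state the text asks for.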
However, this is not sufficient. It is also important that the file "/etc/securetty" is present: it lists the terminals from which root may log in (enforced by the login program through pam_securetty), so a remote telnet or rlogin session, which is not on one of those terminals, can never log in directly as root even with the correct password. It does not restrict ordinary users, and it does nothing against a sniffer that already runs on the host.
This file has the following format:
[root@www root]# more /etc/securetty
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
[root@www root]#
If present, it allows root to log in only from the listed console terminals; login and telnet go through it, while ftp has its own list, "/etc/ftpusers", described below. If the file is missing, root may log in from anywhere.
This simple file is one of the best protections you can have.
Generally "xinetd" is compiled with libwrap; check your "/var/log/messages":
Apr 6 09:16:13 www xinetd[5791]: xinetd Version 2.3.3 started with libwrap options compiled in.
In this case you can allow or deny connections from specific hosts using the "/etc/hosts.allow" and "/etc/hosts.deny" files. But on its own this solution is incomplete.
On a well-configured network the server console is used only for particular administrative tasks. Everything else, e-mail, ftp files and so on, travels as packets between the server and the clients.
It may of course be necessary to open the telnet port, but as soon as you have done your work close it again: disable the service and keep "/etc/securetty" in place in "/etc".
They can enter using the "ftp" port.
FTP, as described in the Networking course (the FTLinuxCourse course dedicated to networks), is a little universe of its own. Hackers may also move or upload "strange" files, for various reasons or to prepare a later intrusion.
The file that controls FTP access is "/etc/ftpusers".
Any user listed in it is denied ftp login:
[root@www root]# more /etc/ftpusers
# The ftpusers file is deprecated. Use deny-uid/deny-gid in ftpaccess.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
[root@www root]#
Therefore it is fundamental that "root" is present in this file; if for some reason "root" is missing, it should be only for a short time. The comment at the top of the file refers to the newer deny-uid/deny-gid directives of "/etc/ftpaccess"; make sure that at least one of the two mechanisms denies root.
How to protect?
For real protection the best way is to concentrate and think like a hacker, and then activate all the procedures needed to prevent problems. Any Linux service has vulnerable points and needs protection; this is valid for telnet, ftp and the others.
We have listed above the most fundamental measures. In some cases a hardware firewall may also prevent problems, but sound and efficient administration prevents them and saves money.
A constant check of "/var/log/messages" and "/etc/ftpusers", and of the presence of the file "/etc/securetty", is very worthwhile. It is better to check, update and test than to assume that the system "is fine".
Evaluating choices to protect your system.
Security is a subject in its own right. To understand this matter we include the "Know Your Enemy" papers of the Honeynet Project.
The SANS.ORG Web site offers an excellent introduction.
An important but obvious precaution is to keep search engine robots from indexing files. For example, you can disallow the whole site with a robots.txt in the document root:
#robots.txt
User-agent: *
Disallow: /
Remember that robots.txt is only a request that well-behaved crawlers honour; it protects nothing, and a hacker reads it to learn the names of the directories you want to hide. Never list a "secret" directory in it: protect it with .htaccess or keep it outside the document root.
The first step is to contact the Police in your country.
The second is to be sure that the system ports are closed: telnet, ftp and the others. Even with this done, it may still be possible to enter the system and create "hidden" files and directories.
Your kernel may have some flaws; in that case it may be necessary to patch it, or to upgrade it to a newer, more secure version.
Now that you know there is a problem, you need to solve it.
To do that you need to think about how this person works, and what changes he made in order to get in.
For example, you can start by collecting the size of every file on your system.
Check "ps" immediately: a trojaned ps hides the intruder's processes.
To do that you need to install a second system with the same distribution and compare the file sizes on both systems. ("rpm -V" verifies files against the RPM database of the same machine, but an intruder with root can alter that database too, so a comparison with a clean machine, or with the original packages, is safer.)
If, for example, the "ps" program has a different size, remove the old package and install the "original" package. Apply this strategy to each file that differs.
Take a look at one example:
[root@www bin]# ls -al /usr/bin/killall
-rwxr-xr-x    1 root     root        10532 Apr  5 19:07 /usr/bin/killall
[root@www bin]#
[root@ftosx1 bin]# ls -al killall
-rwxr-xr-x    1 root     root        12096 Jul 21  2001 killall
[root@ftosx1 bin]#
Yes, you could simply overwrite the files. However it is better to have a clean and secure system, and therefore to use the RPM system; superfluous files, once located, may be removed.
In the case of "killall", locate the package, remove it and reinstall the original package:
[root@www bin]# ls -al /usr/bin/killall
-rwxr-xr-x    1 root     root        10532 Apr  5 19:07 /usr/bin/killall
[root@www bin]#
[root@www bin]# rpm -qf /usr/bin/killall
psmisc-20.1-2
[root@www bin]#
[root@www xinetd.d]# rpm -ql psmisc
/sbin/fuser
/usr/bin/killall
/usr/bin/pstree
/usr/share/man/man1/fuser.1.gz
/usr/share/man/man1/killall.1.gz
/usr/share/man/man1/pstree.1.gz
[root@www xinetd.d]# cd
[root@www root]# cd Solving/
[root@www Solving]# rpm -e --nodeps psmisc
[root@www Solving]# rpm -i --nodeps psmisc-20.1-2.i386.rpm
[root@www Solving]# ls -al /usr/bin/killall
-rwxr-xr-x    1 root     root        12096 Jul 21  2001 /usr/bin/killall
[root@www Solving]#
Now the file size and date are the same as on the clean system.
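The comparison above is done by eye, file by file, on sizes and dates. As an added example (not part of the course), the Python script below walks two directory trees, a clean install and the suspect system, hashes every regular file with SHA-256 and reports files that are modified, added or missing; it also flags replacements that kept the original size, which a size comparison alone would miss. The demo() function builds two small constructed trees under a temporary directory as a stand-in for /usr/bin on the two machines; on real systems you would run hash_tree on the binary directories of the clean machine, save the result, and compare from a rescue boot, because a python, ls or find binary on the compromised host may itself have been replaced.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative path: (size, sha256 hex)} for every regular file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):              # hash the target only where it really lives
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            digests[rel] = (os.path.getsize(full), h.hexdigest())
    return digests


def compare_trees(clean, suspect):
    """Diff two hash_tree() results; 'same_size_different' is what a size check misses."""
    report = {"modified": [], "added": [], "missing": [], "same_size_different": []}
    for path, (size, digest) in suspect.items():
        if path not in clean:
            report["added"].append(path)          # e.g. a rootkit dropped next to the binaries
        elif clean[path][1] != digest:
            report["modified"].append(path)
            if clean[path][0] == size:
                report["same_size_different"].append(path)
    report["missing"] = list(set(clean) - set(suspect))
    for key in report:
        report[key].sort()
    return report


def demo():
    """Build two constructed trees (clean install vs. hacked server) and diff them."""
    files_clean = {
        "bin/killall": b"ELF-killall-original-" * 8,
        "bin/ps": b"ELF-ps-original",
        "bin/pstree": b"ELF-pstree",
    }
    files_suspect = {
        "bin/killall": b"ELF-killall-trojan",      # replaced, different size
        "bin/ps": b"ELF-ps-backdoor",              # replaced, same size as the original
        "bin/.rk": b"rootkit",                     # added hidden file
    }                                              # bin/pstree deleted by the intruder
    with tempfile.TemporaryDirectory() as clean_root, tempfile.TemporaryDirectory() as suspect_root:
        for root, files in ((clean_root, files_clean), (suspect_root, files_suspect)):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return compare_trees(hash_tree(clean_root), hash_tree(suspect_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The trojaned ps in the sample has exactly the size of the original and shows up only in the digest comparison; in the real procedure, every path reported as modified or added is a candidate for the rpm -qf / rpm -e / rpm -i cycle shown above.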
In the same sense a "hacker" is someone dedicated to destroying your system, or to showing you that it is vulnerable. You need, working professionally, to protect the system and bring it back to a secure state.
Also check for files that the intruder has locked with "chattr +i": the immutable attribute keeps even root from overwriting or deleting the file until it is cleared with "chattr -i", and "lsattr" shows which files carry it.
Once "/usr/bin", "/sbin" and all the binary directories have the same file sizes on the fresh system and on the "hacked" system, the hacked system has been restored to normal security. Bear in mind that a modified kernel module or a trojaned "ls" or "rpm" can lie about what you see, so the only fully trustworthy recovery is a reinstallation from trusted media.
It is clear that "stronger" security measures must then be taken so that no other hacker can attempt to enter your system.
Another important task is to lock (or remove) the unused user accounts, like:
news
nobody
gopher
games
operator
uucp
Lock them with "passwd -l" and give them "/sbin/nologin" as shell rather than editing "/etc/passwd" by hand; keep, but locked, the accounts that daemons run as ("nobody" is used by httpd and NFS, for instance). With these accounts locked, hackers will have bad days.
Close the ftp and telnet ports to avoid unauthorized system access.
Internet Resources for this Chapter.