CS197U: A Hands on Introduction to Unix

Transcription

1 CS197U: A Hands on Introduction to Unix Lecture 10: Security Issues and Traffic Monitoring Tian Guo University of Massachusetts Amherst CICS 1

2 Reminders Assignment 5 is due Thursday (Oct. 22) Part 1 (tracking webpage update): Hints cronbab -e for editing cron table, default editor is emacs make sure there is one new empty line at the bottom of cron table Crtl+X then S to save, Ctrl+X then C to quit In the script, save command output string to a variable update=`command` Check the inequality of two strings: $update and (no changes) You get full points when you and I (the $CC ) receive 10 s from edlab server at the exact time. Assignment 6 is posted. Due next Thursday (Oct. 29) You will need A LOT of piping and awk in a line (mostly the same format) <COMMAND> grep <KEYWORD> awk F : {print $n } prints out your target answer/string field separator is : (default is space) 2

3 Last time Your network configurations : your own machine ifconfig, iwconfig, iwlist, dhclient Can not connect to a remote site? ping, host The site seems to be alive, but the connection is slow traceroute

4 ARP: Address Resolution Protocol Question: how to determine MAC address of B from IP address? F7-2B LAN A-2F-BB AD D7-FA-20-B0 Each IP node (host, router) on LAN has ARP table ARP table: IP/MAC address mappings for some LAN nodes < IP address; MAC address; TTL> TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min) C-C4-11-6F-E3-98

5 Demo arp address resolution protocol Broadcast your own address when first joining the network/lan arp n : list the table of all IP addresses ß à hardware MAC mapping arp d <hostname> : delete a host s hardware address from ARP table arp s <hostname> <HW> : add an mapping of an IP/MAC Wireshark Sniffing all the packets passing through the shared media Ethernet LANs or wireless LANs Various of TCP and UDP connections Packet headers and the contents

6 Security Issues LAN is based on a broadcast system Know who your neighbors are Know their MAC/IP addresses mapping When a packet arrives your LAN Look at the destination IP address of the packet header If not your packets, dump them Otherwise, receive and respond to the packet Can I take a look at someone else s packet in my LAN? Their s, their passwords, and their conversations

7 Traffic Monitoring: ifstat ifstat: real-time throughput of each interface ifstat t : with timestamps with 1 second interval Example 1: Display every 5 second ifstat -t 5 Example 2: Display loopback device ifstat -i lo Example 3: Display eth0 every 10 seconds ifstat -t 5 -i eth0

8 Traffic Monitoring: iftop iftop: detailed bandwidth information Example 1: sudo iftop: 2, 10 and 40 second intervals; Example 2: sudo iftop -P: display by port number Example 3: sudo iftop -c configfile (or specify in ~/.iftoprc)

9 Bad guys can sniff packets packet sniffing : broadcast media (shared ethernet, wireless) promiscuous network interface reads/records all packets (e.g., including passwords!) passing by A C src:b dest:a payload B

10 Wireshark Packet Sniffer Capture packets being sent/received from/to your computer Install Wireshark on your Virtual Machine: sudo get-apt install wireshark

11 Running Wireshark with sudo sudo wireshark

12 Running Wireshark as non-root wirehark

13 Running wireshark securely Step 1: sudo dpkg-reconfigure wireshark-common Step 2: Select yes to enable non-superusers capture Step 3: Add candidate user to the wireshark group sudo usermod -a -G wireshark tian Step 4: Log out and log back in to run wireshark as non-root user

14 Wireshark

15 tshark: terminal based wireshark Install by: sudo apt-get install tshark After configuring wireshark to run as non-superuser, you should be able to do: tshark Benefit: Allows you to script the network analysis

16 tshark examples Capture traffic from host tshark -f src host capture traffic to host tshark -f dst host Capture traffic between host tshark -f "dst host and src host ??? tshark -f "dst host or src host AND tshark -f host

17 tshark examples Only capture HTTP traffic in verbose tshark -f tcp port 80 -V Ignore SSH traffics in traditional way tshark -f not port 22

18 Unsecure vs. Secure Network Connections ssh vs. telnet Secure Shell (SSH) for secure remote login vs. plain text interaction scp vs. ftp Secure CoPy based on SSH vs. File Transfer Protocol vs. Secure HyperText Transfer Protocol wget: a short for World wide web and Get Supports HTTP, FTP, and HTTPS

19 Summary Command Description arp Address resolution protocol (IP vs. MAC) ifstat Real time bandwidth monitoring on all interfaces iftop Monitoring details of specific interface ftp/scp (Un)secure file transport wireshark Packet sniffing