LINUX SECURITY COOKBOOK. DanieIJ. Barren, Richard E Silverman, and Robert G. Byrnes

Size: px

Start display at page:

Download "LINUX SECURITY COOKBOOK. DanieIJ. Barren, Richard E Silverman, and Robert G. Byrnes"

Joshua Kelly
8 years ago
Views:

1 LINUX SECURITY COOKBOOK DanieIJ. Barren, Richard E Silverman, and Robert G. Byrnes ORELLY Beijing " Cambridge " Farnham " Koln " Paris " Sebastopol " Taipei - Tokyo

2 Table of Contents Preface , A 1. System Snapshots with Tripwire Setting Up Tripwire Displaying the Policy and Configuration Modifying the Policy and Configuration Basic Integrity Checking Read-Only Integrity Checking Remote Integrity Checking Ultra-Paranoid Integrity Checking Expensive, Ultra-Paranoid Security Checking Automated Integrity Checking Printing the Latest Tripwire Report Updating the Database Adding Files to the Database Excluding Files from the Database Checking Windows VFAT Filesystems Verifying RPM-Installed Files Integrity Checking with rsync Integrity Checking Manually firewalls with iptahles and ipchains Enabling Source Address Verification Blocking Spoofed Addresses Blocking All Network Traffic Blocking Incoming Traffic Blocking Outgoing Traffic 30

7 Ultra-Paranoid Integrity Checking 11 1.8 Expensive, Ultra-Paranoid Security Checking 13 1.9 Automated Integrity Checking 13 1.10 Printing the Latest Tripwire Report 14 1.

3 2.6 Blocking Incoming Service Requests Blocking Access from a Remote Host Blocking Access to a Remote Host Blocking Outgoing Access to All Web Servers on a Network Blocking Remote Access, but Permitting Local Controlling Access by MAC Address Permitting SSH Access Only Prohibiting Outgoing Telnet Connections Protecting a Dedicated Server Preventing pings Listing Your Firewall Rules Deleting Firewall Rules Inserting Firewall Rules Saving a Firewall Configuration Loading a Firewall Configuration 43 2,21 Testing a Firewall Configuration Building Complex Rule Trees Logging Simplified Network Access Control Listing Your Network Interfaces Starting and Stopping the Network Interface Enabling/Disabling a Service (xinetd) Enabling/Disabling a Service (inetd) Adding a New Service (xinetd) Adding a New Service (inetd) Restricting Access by Remote Users Restricting Access by Remote Hosts (xinetd) Restrictin~Access by Remote Hosts (xinetd with libwrap) Restricting Access by Remote Hosts (xinetd with tcpd) Restricting Access by Remote Hosts (inetd) Restricting Access by Time of Day Restricting Access to an SSH Server by Host Restricting Access to an SSH Server by Account Restricting Services to Specific Filesystem Directories Preventing Denial of Service Attacks Redirecting to Another Socket Logging Access to Your Services Prohibiting root Logins on Terminal Devices 71 vi I Table of tontents

14 Protecting a Dedicated Server 38 2.15 Preventing pings 39 2.16 Listing Your Firewall Rules 39 2.17 Deleting Firewall Rules 41 2.1.8 Inserting Firewall Rules 42 2.

4 4. Authentication Techniques and Infrastructures Creating a PAM-Aware Application Enforcing Password Strength with PAM Creating Access Control Lists with PAM Validating an SSL Certificate Decoding an SSL Certificate Installing a New SSL Certificate Generating an SSL Certificate Signing Request (CSR) Creating a Self-Signed SSL Certificate Setting Up a Certifying Authority Converting SSL Certificates from DER to PEM Getting Started with Kerberos Adding Users to a Kerberos Realm Adding Hosts to a Kerberos Realm Using Kerberos with SSH Using Kerberos with Telnet Securing IMAP with Kerberos Using Kerberos with PAM for System-Wide Authentication Authorization Controls Running a root Login Shell Running X Programs as root Running Commands as Another User via sudo Bypassing Password Authentication in sudo Forcing Password Authentication in sudo Authorizing per Host in sudo Granting Privileges to a Group via sudo Running Any Program in a Directory via sudo Prohibiting Command Arguments with sudo Sharing Files Using Groups Permitting Read-Only Access to a Shared File via sudo Authorizing Password Changes via sudo Starting/Stopping Daemons via sudo Restricting root's Abilities via sudo Killing Processes via sudo Listing sudo Invocations Logging sudo Remotely Sharing root Privileges via SSH 11.8 Table of Contents ( v[l

7 Generating an SSL Certificate Signing Request (CSR) 81 4.8 Creating a Self-Signed SSL Certificate 83 4.9 Setting Up a Certifying Authority 84 4.10 Converting SSL Certificates from DER to PEM 87 4.

5 5.19 Running root Commands via SSH 120 5,20 Sharing root Privileges via Kerberos su Protecting Outgoing Network Connections Logging into a Remote Host 125 6,2 Invoking Remote Programs Copying Piles Remotely Authenticating by Public Key (OpenSSH) Authenticating by Public Key (OpenSSH Client, SSH2 Server, OpenSSH Key) Authenticating by Public Key (OpenSSH Client, SSH2 Server, SSH2 Key) Authenticating by Public Key (SSH2 Client, OpenSSH Server) Authenticating by Trusted Host Authenticating Without a Password (Interactively) Authenticating in cron jobs Terminating an SSH Agent on Logout Tailoring SSH per Host Changing SSH Client Defaults Tunneling Another TCP Session Through SSH Keeping Track o Passwords Protecting files Using File Permissions Securing a Shared Directory Prohibiting Directory Listings Encrypting Files with a Password Decrypting Files Setting Up GnuPG for Public-Key Encryption Listing Your Keyring Setting a Default Key Sharing Public Keys Adding Keys to Your Keyring Encrypting Files for Others Signing a Text File Signing and Encrypting Files, Creating a Detached Signature File Checking a Signature Printing Public Keys 162 vill I Table of{ontents

5 Authenticating by Public Key (OpenSSH Client, SSH2 Server, OpenSSH Key) 131 6.6 Authenticating by Public Key (OpenSSH Client, SSH2 Server, SSH2 Key) 133 6.

6 7.17 Backing Up a Private Key Encrypting Directories Adding Your Key to a Keyserver Uploading New Signatures to a Keyserver Obtaining Keys from a Keyserver Revoking a Key Maintaining Encrypted Files with Emacs Maintaining Encrypted Files with vim Encrypting Backups Using PGP Keys with GnuPG Protecting i;mail Encrypted Mail with Emacs Encrypted Mail with vim Encrypted Mail with Pine Encrypted Mail with Moxilla Encrypted Mail with Evolution Encrypted Mail with mutt Encrypted Mail with elm Encrypted Mail with MH Running a POPAMAP Mail Server with SSL Testing an SSL. Mail Connection Securing POP/IMAP with SSL and Pine Securing POP/IMAP with SSL and mutt Securing POP/IMAP with SSL and Evolution Securing POP/IMAP with stunnel and SSL Securing POPAMAP with SSH Securing POP/IMAP with SSH and Pine Receiving Mail Without a Visible Server Using an SMTP Server from Arbitrary Clients Testing and Monitoring Testing Login Passwords (John the Ripper) Testing Login Passwords (CrackLib) Finding Accounts with No Password Finding Superuser Accounts Checking for Suspicious Account Use Checking for Suspicious Account Use, Multiple Systems Testing Your Search Path 211 TableofContents J ix

................................................. 175 8.1 Encrypted Mail with Emacs 175 8.2 Encrypted Mail with vim 177 8.3 Encrypted Mail with Pine 178 8.4 Encrypted Mail with Moxilla 179 8.

7 9.8 Searching Filesystems Effectively Finding setgid (or setgid) Programs Securing Device Special Files Finding Writable Files Looking for Rootkits Testing for Open Ports Examining Local Network Activities Tracing Processes Observing Network Traffic Observing Network Traffic (GL3I) Searching for Strings in Network Traffic Detecting Insecure Network Protocols Getting Started with Snort Packet Sniffing with Snort Detecting Intrusions with Snort Decoding Snort Alert Messages Logging with Snort Partitioning Snort Logs Into Separate Files Upgrading and Tuning Snort's Ruleset Directing System Messages to Log Files (syslog) Testing a syslog Configuration Logging Remotely Rotating Log Files Sending Messages to the System Logger Writing Log Entries via Shell Scripts Writing Log Entries via Perl Writing Log Entries via C Combining Log Files Summarizing Your Logs with logwatch Defining a logwatch Filter Monitoring All Executed Commands Displaying All Executed Commands Parsing the Process Accounting Log Recovering from a Hack Filing an Incident Report 280 Index Table of Contents

18 Searching for Strings in Network Traffic 240 9.19 Detecting Insecure Network Protocols 243 9.20 Getting Started with Snort 247 9.21 Packet Sniffing with Snort 248 9.

NETWORK SECURITY HACKS *

NETWORK SECURITY HACKS * Andrew %pckhart Ji O'REILLY* Beijing Cambridge Farnham Koln Paris Sebastopol Taipei Tokyo Contents Credits Preface ix xi Chapter 1. Unix Host Security 1 1. Secure Mount Points