CS197U: A Hands-on Introduction to Unix
Lecture 10: Security Issues and Traffic Monitoring
Tian Guo, University of Massachusetts Amherst, CICS
Reminders
Assignment 5 is due Thursday (Oct. 22).
Part 1 (tracking webpage update) hints:
  crontab -e edits the cron table; the default editor is emacs.
  Make sure there is one new empty line at the bottom of the cron table.
  Ctrl+X then S to save, Ctrl+X then C to quit.
  In the script, save the command's output string in a variable: update=`command`
  Check the inequality of the two strings "$update" and "(no changes)".
  You get full points when you and I (the $CC email) receive 10 emails from the edlab server at the exact time.
Assignment 6 is posted. Due next Thursday (Oct. 29).
  You will need A LOT of piping and awk in one line (mostly the same format):
  <COMMAND> | grep <KEYWORD> | awk -F : '{print $n}'
  prints out your target answer/string; the field separator is : (the default is space).
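The two script patterns from the hints above, as an added example that is not part of the lecture material. It runs offline: the tracking command is replaced by a printf stand-in, and the lines fed to grep/awk are a constructed /etc/passwd-like sample. The function names check_update and field_of are my own.

```shell
#!/bin/sh
# Added example (not from the lecture): the two script patterns in the
# Assignment 5/6 hints, run over constructed input so it works offline.

# Pattern 1: capture a command's output in a variable and compare it with the
# sentinel string "(no changes)". printf stands in for the real tracking
# command, whose output is passed in as $1 here.
check_update() {
    update=$(printf '%s' "$1")        # in the real script: update=$(command)
    if [ "$update" != "(no changes)" ]; then
        echo "changed"
    else
        echo "unchanged"
    fi
}

# Pattern 2: <COMMAND> | grep <KEYWORD> | awk -F : '{print $n}'
# SAMPLE is constructed to look like /etc/passwd lines (":"-separated fields).
SAMPLE='root:x:0:0:root:/root:/bin/bash
tian:x:1000:1000:Tian Guo:/home/tian:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Print field number $2 of the line whose first field is $1, using ":" as
# the field separator.
field_of() {
    keyword=$1; n=$2
    printf '%s\n' "$SAMPLE" | grep "^$keyword:" | awk -F : -v n="$n" '{print $n}'
}

check_update "(no changes)"                        # prints: unchanged
check_update "Last-Modified: Mon, 19 Oct 2015"     # prints: changed
field_of tian 7                                    # prints: /bin/bash
```

Quoting "$update" matters: an unquoted empty variable would make the test `[ != "(no changes)" ]` and fail with a syntax error instead of reporting a change.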
Last time
Your network configuration (your own machine): ifconfig, iwconfig, iwlist, dhclient
Cannot connect to a remote site? ping, host
The site seems to be alive, but the connection is slow: traceroute
ARP: Address Resolution Protocol
Question: how to determine the MAC address of B from its IP address?
(figure: four nodes on one LAN)
  137.196.7.23  71-65-F7-2B-08-53
  137.196.7.78  1A-2F-BB-76-09-AD
  137.196.7.14  58-23-D7-FA-20-B0
  137.196.7.88  0C-C4-11-6F-E3-98
Each IP node (host, router) on the LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min)
Demo: arp (address resolution protocol)
  Broadcast your own address when first joining the network/LAN.
  arp -n : list the table of all IP address <-> hardware MAC mappings
  arp -d <hostname> : delete a host's hardware address from the ARP table
  arp -s <hostname> <HW> : add a mapping of an IP/MAC
Wireshark
  Sniffing all the packets passing through the shared media: Ethernet LANs or wireless LANs
  Various TCP and UDP connections
  Packet headers and their contents
Security Issues
A LAN is based on a broadcast system:
  Know who your neighbors are
  Know their MAC/IP address mappings
When a packet arrives at your LAN:
  Look at the destination IP address in the packet header
  If it is not your packet, discard it
  Otherwise, receive and respond to the packet
Can I take a look at someone else's packets in my LAN? Their emails, their passwords, and their conversations.
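A small consistency check on the ARP table described above, as an added example that is not from the lecture. It reads the output format of `arp -n` on Linux; ARP_SAMPLE is a constructed table built from the addresses on the ARP slide plus one extra constructed entry (137.196.7.99) that reuses a MAC, and the function names arp_mac_of and arp_shared_macs are my own. The ARP table is what your host trusts for the IP-to-MAC step, so knowing how to read it and spot odd entries is the defender's side of the "know your neighbors" point.

```shell
#!/bin/sh
# Added example (not from the lecture): read "arp -n" style output and check it.
# ARP_SAMPLE is constructed; in real use replace it with the live table, e.g.
#   ARP_SAMPLE=$(arp -n)
# Columns: Address HWtype HWaddress Flags Mask Iface (Linux net-tools layout).
ARP_SAMPLE='Address                  HWtype  HWaddress           Flags Mask            Iface
137.196.7.78             ether   1a:2f:bb:76:09:ad   C                     eth0
137.196.7.14             ether   58:23:d7:fa:20:b0   C                     eth0
137.196.7.88             ether   0c:c4:11:6f:e3:98   C                     eth0
137.196.7.99             ether   0c:c4:11:6f:e3:98   C                     eth0
137.196.7.23                     (incomplete)                              eth0'

# Print the MAC recorded for one IP; prints nothing for an unknown IP or an
# "(incomplete)" entry (a request that got no reply yet).
arp_mac_of() {
    printf '%s\n' "$ARP_SAMPLE" | awk -v ip="$1" '$1 == ip && $2 == "ether" {print $3}'
}

# List every MAC that the table maps to more than one IP, followed by those
# IPs. A shared MAC can be legitimate (one host with several addresses) but it
# is the first thing to look at when the table does not match your neighbors.
arp_shared_macs() {
    printf '%s\n' "$ARP_SAMPLE" | awk '
        $2 == "ether" {
            count[$3]++
            ips[$3] = (ips[$3] == "" ? $1 : ips[$3] " " $1)
        }
        END { for (m in count) if (count[m] > 1) print m " " ips[m] }' | sort
}

arp_mac_of 137.196.7.14   # prints: 58:23:d7:fa:20:b0
arp_shared_macs           # prints: 0c:c4:11:6f:e3:98 137.196.7.88 137.196.7.99
```

Entries with the C flag are complete, learned mappings; an entry you added with `arp -s` shows an M (permanent) flag as well and will not expire with the TTL.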
Traffic Monitoring: ifstat
ifstat: real-time throughput of each interface
ifstat -t : with timestamps, at a 1 second interval
Example 1: Display every 5 seconds:  ifstat -t 5
Example 2: Display the loopback device:  ifstat -i lo
Example 3: Display eth0 every 10 seconds:  ifstat -t 10 -i eth0
Traffic Monitoring: iftop
iftop: detailed bandwidth information
Example 1: sudo iftop : averages over 2, 10 and 40 second intervals
Example 2: sudo iftop -P : display by port number
Example 3: sudo iftop -c configfile (or specify the options in ~/.iftoprc)
Bad guys can sniff packets
Packet sniffing:
  broadcast media (shared Ethernet, wireless)
  a promiscuous network interface reads/records all packets (e.g., including passwords!) passing by
(figure: hosts A, B and C on one LAN; a packet "src:b dest:a payload" sent from B to A is also visible to C)
Wireshark Packet Sniffer
Capture packets being sent/received from/to your computer.
Install Wireshark on your Virtual Machine:  sudo apt-get install wireshark
Running Wireshark with sudo:  sudo wireshark
Running Wireshark as non-root:  wireshark
Running Wireshark securely
Step 1: sudo dpkg-reconfigure wireshark-common
Step 2: Select "yes" to enable non-superusers to capture
Step 3: Add the candidate user to the wireshark group:  sudo usermod -a -G wireshark tian
Step 4: Log out and log back in to run wireshark as a non-root user
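A way to verify the four steps above before launching Wireshark, as an added example that is not from the lecture. It assumes the Debian/Ubuntu packaging, where `dpkg-reconfigure wireshark-common` restricts the capture helper dumpcap to the wireshark group and gives it the capture capabilities, so Wireshark and tshark themselves never need root. The function names has_group and check_capture_setup are my own.

```shell
#!/bin/sh
# Added example (not from the lecture): verify the non-root capture setup.
# Group membership is read when you log in, which is why step 4 is needed:
# "id -nG" shows the groups of the current session, not the groups in /etc/group.

# Is group $2 present in a space-separated group list such as "$(id -nG)"?
has_group() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Report whether this login session is in the wireshark group and whether
# dumpcap (the capture helper used by both wireshark and tshark) is installed,
# group-restricted, and carries file capabilities instead of being setuid root.
check_capture_setup() {
    if has_group "$(id -nG)" wireshark; then
        echo "wireshark group: active in this session"
    else
        echo "wireshark group: not active (not a member yet, or log out and back in)"
    fi
    dumpcap=$(command -v dumpcap 2>/dev/null) || dumpcap=/usr/bin/dumpcap
    [ -e "$dumpcap" ] || { echo "dumpcap: not installed"; return 1; }
    ls -l "$dumpcap"                                   # expect group "wireshark", mode 750
    command -v getcap >/dev/null 2>&1 && getcap "$dumpcap"   # expect cap_net_admin,cap_net_raw
}

check_capture_setup || :
```

If the group shows as not active right after `usermod`, the session simply predates the change; a new login (or a new shell via `newgrp wireshark`) picks it up.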
tshark: terminal-based Wireshark
Install by:  sudo apt-get install tshark
After configuring Wireshark to run as a non-superuser, you should be able to run:  tshark
Benefit: allows you to script the network analysis
tshark examples
Capture traffic from host 1.2.3.4:  tshark -f "src host 1.2.3.4"
Capture traffic to host 1.2.3.4:  tshark -f "dst host 1.2.3.4"
Capture traffic to or from host 1.2.3.4:
  tshark -f "dst host 1.2.3.4 and src host 1.2.3.4" ? (no: this only matches packets whose source and destination are both 1.2.3.4)
  tshark -f "dst host 1.2.3.4 or src host 1.2.3.4"
  which is the same as:  tshark -f "host 1.2.3.4"
tshark examples
Only capture HTTP traffic, in verbose mode:  tshark -f "tcp port 80" -V
Ignore SSH traffic (on its traditional port 22):  tshark -f "not port 22"
Unsecure vs. Secure Network Connections
ssh vs. telnet: Secure Shell (SSH) for secure remote login vs. plain-text interaction
scp vs. ftp: Secure CoPy, based on SSH, vs. File Transfer Protocol
https:// vs. http://: Secure HyperText Transfer Protocol vs. plain HTTP
wget: short for World Wide Web and Get; supports HTTP, FTP, and HTTPS
Summary
Command     Description
arp         Address resolution protocol (IP vs. MAC)
ifstat      Real-time bandwidth monitoring on all interfaces
iftop       Monitoring details of a specific interface
ftp/scp     (Un)secure file transport
wireshark   Packet sniffing