F-Secure FREEDOME VPN 2.36 Activation Code Crack


Apple Watch $100 rebate program ‘designed not to pay out’ – Gurman

Mayo’s new laptop has arrived but he’s not quite ready to talk about it yet. Apple surprises everyone with the announcement of a new self-service repair program coming next year. Apple follows up on macro mode for iPhone 13 with much-welcomed refinements in iOS 15.2. And Twitter wants Services revenue, but also opens the floodgates for third-party clients to exist and — possibly — thrive.

Sponsored by Overland: So don’t wait another day to slip into something way more comfortable. Get the best, highest-quality sheepskin slippers on the market at Overland.com/HAPPYHOUR. You’ll get free shipping and free returns.

Sponsored by Headspace: You deserve to feel happier, and Headspace is meditation made simple. Go to Headspace.com/MAC for a one-month free trial.

Sponsored by BetterHelp: As a listener, you’ll get 10% off your first month by visiting our sponsor at BetterHelp.com/MacHappyHour.

Source: https://9to5mac.com/

F-Secure Freedome VPN Crack 2.42.736.0

F-Secure Freedome VPN keeps your actual IP address hidden from the services you visit. Not even your Internet service provider can see what you do on the net.

We do not log your traffic. F-Secure Freedome VPN Code blocks unwanted third-party tracking and malicious sites. This will also stop advertisers from making money at the expense of your privacy.

F-Secure Freedome VPN Key is a totally new application for web protection and any online privacy solution. It also offers the ability to change our virtual location to access services that have a regional block. Browsing the Internet over an open Wi-Fi network, we can be sure that our data is encrypted even when using unsecured access points.

F-Secure Freedome VPN Free Download is a VPN application from Helsinki. It is simple to use and is built on the security fundamentals of its maker, F-Secure. The key focus of its service is on personal privacy. It provides an affordable set of 27 locations in more than 20 countries, with mobile apps.

F-Secure Freedome VPN 2.42.736.0 Android

With F-Secure Freedome VPN Crack, your actual IP address is hidden from the services you visit. Not even your Internet service provider can see what you do online. We do not log your traffic. F-Secure Freedome VPN blocks unwanted third-party tracking and malicious sites. This will also stop advertisers from making money at the expense of your privacy. It makes a virtual private network (VPN) connection to the F-Secure Freedome VPN Full Free cloud, which guarantees that…

It makes a virtual private network (VPN) connection to the F-Secure Freedome VPN Full Free cloud, which guarantees that hackers and data thieves cannot take your personal data while you use an open Wi-Fi connection. It encrypts all network traffic between your device and the F-Secure cloud, so no one can eavesdrop on your connection. When you visit an online resource or use an application that is attempting to track you, F-Secure Freedome VPN completely hides your real IP address and blocks tracking cookies and adware, to make sure that the website or application cannot collect personal data.

F-Secure Freedome VPN Download With Key

It is a totally new application for web protection and any online privacy solution. It is associated with F-Secure cloud security and shields the user from data collection by organizations and advertisers. It also offers the ability to change our virtual location to access services that have a regional block. Browsing the Internet over an open Wi-Fi network, we can be sure that our data is encrypted even when using unsecured access points.

F-Secure Freedome VPN Full Version With Crack is an absolutely new application for web protection and any online safety solution. It further offers the ability to change our virtual location to access services that have a regional block. Browsing the Internet over an open Wi-Fi network, we can be sure that our data is encrypted even when using unsecured access points.

Features of F-Secure Freedome VPN 2.42.736.0 Crack

Complete security

  • With a VPN, your genuine IP address is hidden from the services you visit. Not even your Internet service provider can see what you do on the web. We don’t log your traffic.

Access blocked content

  • Change your virtual location and you won’t see the text “this video/service/site is unavailable in your country” again.

Wi-Fi security

  • Even on unsecured public Wi-Fi, your traffic is encrypted and difficult to intercept.

Surf safe and untracked

  • FREEDOME blocks unwanted third-party tracking and malicious sites. This will also stop advertisers from profiting at the expense of your privacy.

Repacking Features:

  1. Capacity to reset time confine
  2. Discretionary program pre-placing opportunity amid established order
  3. Discretionary capability to make an initial reset undertaking in Windows Scheduler
  4. Expelled module for sending trojan horse reports.

Virtual area;

  • Discretionary: Choose between pre-setting alternatives before establishment;
  • Discretionary: Ability to make a preliminary reset assignment in Windows Scheduler
F-Secure Freedome VPN Serial Key: DVEFHS-RUFYGB-RFGCVR-RUYGUW WIUWR-FBVRVR-RUVBNC-EUHFRBR ESFGCV-EADGSXC-SFHC-ASFHXB SFHX-WRYSFG-WRYFGVB-RETDHG F-Secure Freedome VPN License Key: DSBSDR-YRGBC-RUYGFNE-RYFUNC DBBBDR-RUHBET-UGYHNC-RFYRHU QEWRF-ESFG-QETRSG-RWYSHFXGBV WRYSFG-RWYSFH-WRSHFD-5WUTEDGH F-Secure Freedome VPN 2021 Key: HBEJGR-RYGFN-TYUVBE-YRGFHJ VBNEYE-YGNUTT-HGJRIV-RGHIRR WERYF-RSYFH-SRYHFV-SRHDVB ARSGFV-SRYFHV-SRYHF-SRYHFD

Key Features:

  • Private and secure: Hackers cannot steal your data and annoying advertisers cannot track you.
  • Wi-Fi protection: Connect to any hotspot, public or private, and browse freely without exposing your activity.
  • Remove geo-blocking: Access geo-restricted content by changing your virtual location.
  • Simple: Manage your online privacy and security with the press of a button.
  • Trackers, advertisers, or even your Internet service provider cannot see what you do online.
  • Change your virtual location and you will not see the text “this video/service/website is unavailable in your country” again.
  • Even on unprotected public Wi‑Fi, your traffic is encrypted and difficult to intercept.
  • Your own private VPN tunnel blocks hackers, harmful sites, and bad apps.
  • Secure all connected devices in your home.
  • IoT security for today and the future.
  • Security on the go for Windows, Mac, and Android devices.

System Requirements:

  • Operating System: Windows 7/8/8.1/10/XP/Vista.
  • RAM: 1.5 GB.
  • HDD: 800 MB.
  • CPU: 2 GHz.

What’s New?

  • Updated Version: F-Secure Freedome 2.36.6554.0
  • Added a new virtual location with IP address
  • Some minor issues fixed
  • More secure and safer
  • Good connection speed

How To Crack?

  1. Download F-Secure Freedome VPN Setup from a given button.
  2. Extract files with the help of WinRAR.
  3. Open the folder and copy and paste the patch files into the installation directory.
  4. Restart the system and Enjoy Full Version 2021.
  5. Official

Source: https://freecracke.com/f-secure-freedome-vpn/

F-Secure Freedome VPN 2.43.809.0 Crack is certainly one of the world’s greatest VPN service providers for home Windows/Mac PCs and smartphones. All of its functions make it more effective, and it is an award-winning VPN. F-Secure Freedome VPN Full Version is completely new software for web safety as well as any online privacy remedy. It is connected to the F-Secure cloud protection and protects the client from data collection by businesses. It is not just a worldwide web link protection provider; now it also offers protection to the PC to avoid hackable data. Its traffic goes through the cloud, which means you have no need to be concerned about their data services; we all understand that the cloud is advanced. Now let’s learn about its key functions. It offers the ability to change our virtual location to access services that have a regional block. We can be certain that our data is encrypted even when making use of unprotected access points.

F-Secure Freedome VPN Keygen & Crack

F-Secure FreeDome VPN 2.43.809.0 With Crack [Latest 2022]

The F-Secure Freedome key is an effective protection and online privacy remedy that keeps you online, safeguarded and untracked. With F-Secure Freedome PC VPN Pro keygen, your real Internet Protocol address is hidden from the companies you visit. Not in any case can your Internet service provider realize what you do online. We do not record your activity. Advantages for you: Safe and private: Hackers cannot steal your things and advertisers cannot monitor you. Wi-Fi Protection: Secure your connections with the VPN and connect safely to any open hotspot. Remove geo-blocking: Access geo-restricted material by altering your virtual location. At the press of a button, it is possible to remain private as well as secure online.

F-Secure Freedome VPN License key blocks unwanted third-party tracking and dangerous sites. This will also stop marketing and advertising experts from benefitting at the expense of your safety. On unsecured open Wi-Fi, your traffic is encrypted and hard to intercept. Security programs are attached to the media program as an additional measure of protection. To connect retailers in the event of an emergency, it is unnecessary to use a worldwide page connection. It is beneficial for all involved if there is steam up. The software protects the privacy of website hackers. Providing weblink protection across the globe, it is this company’s goal to protect PCs against malicious attacks as well. Hide your IP address from web services with this powerful application. Nobody knows what you do online, not even your ISP. No traffic records will be kept. Using it you can avoid unwanted tracking and malicious websites.

F-Secure FreeDome VPN 2.43.809.0 Crack + Activation Code

F-Secure Freedome VPN Free Download is a VPN application from Helsinki. It is simple to use and is built on the security fundamentals of its maker, F-Secure. The key focus of its service is on personal privacy. It provides an affordable set of 27 locations in more than 20 countries, with mobile apps. F-Secure Crack is a reliable and effective application for keeping your anonymity online, making it hard for anybody to keep track of you, or for websites to watch and track your location. This application never reveals to other people the actions you have carried out on it.

F-Secure Freedome VPN iPhone outstandingly assured its customers to comprehend their protection issues. Secure and protect your online privacy with this wonderful software. All online activities can be protected with this tool. In this way, you can both create and visit services through this tool. It utilizes the system and sets it up as your solution. The same holds true for the removal of content from the website. And it can provide all the websites and the steps to use to get the cost of money. The tool has wonderful features that make it useful to millions of people around the world. One of the easiest programs you can keep on your computer is a VPN. Despite the fact that public Wi-Fi networks are unsecured, your traffic cannot be intercepted.

F-Secure FreeDome VPN Activation Code Full Crack (2022)

Freedome VPN Crack For PC is completely new software for web safety as well as any online privacy remedy. It is connected to the F-Secure cloud protection and protects the customer from data collection by businesses and advertisers. F-Secure Freedome Activation Code 2022 blocks harmful sites and apps. Freedome will not store network traffic, contacts or user names. This comes from an extremely modern and easy-to-use program! It provides the ability to change our virtual location to access services that have a regional block. Browsing the Web over a Wi-Fi network, we can be certain that our data is encrypted even when making use of unprotected access points.

VPN is an option for whenever the client needs to connect to the Web with protected virtual network security, past all the usual safety tips, open Wi-Fi access, and safer. You can conceal your online identity, geographical area, and your Internet Protocol address this way. You will find our response right below. The VPN is definitely one of the most popular VPNs in the world. It is a powerful and decently honorable VPN, encompassing all of these features. It’s the only VPN service provider with an operating system for Windows, Mac, and smartphones. To have a good VPN is an honor since it allows all functions to be more effective. A comprehensive web security software program is the safest way to secure your online activity. Provides page security in a brand-new way. You also won’t get targeted by advertisers who want to take advantage of your privacy.

F-Secure Freedome VPN 2.43.809.0 Crack 2022

Applications like this are well known. The service allows you to hide your real IP address from the websites you visit. You cannot even be seen by your ISP. There is no record of your traffic in this program. A number of third-party tracking tools and dangerous websites can be blocked. This means that advertisers are also unable to make money as a result of your privacy. A cloud-based system provides protection to the customer against the misuse of data. This system can be accessed by advertisers and organizations. Our product line includes the most comprehensive VPN holding up, devices for houses, laptops, and smartphones. It does exactly what it was set up to do, and it is actually better than a useful VPN in terms of its usefulness.

F-Secure Freedome PC VPN 2.43.809.0 Features Key:

  • Private and secure: Hackers cannot steal your data and annoying advertisers cannot track you.
  • Wi-Fi protection: Connect to any hotspot, public or private, and browse freely without exposing your activity.
  • Remove geo-blocking: Access geo-restricted content by changing your virtual location.
  • Simple: Manage your online privacy and security with the press of a button.
  • Trackers, advertisers, or even your Internet service provider cannot see what you do online.
  • Change your virtual location and you will not see the text “this video/service/website is unavailable in your country” again.
  • Even on unprotected public Wi‑Fi, your traffic is encrypted and difficult to intercept.
  • Your own private VPN tunnel blocks hackers, harmful sites, and bad apps.
  • Secure all connected devices in your home.
  • IoT security for today and the future.
  • Security on the go for Windows, Mac, and Android devices.

System Requirements:

  • Operating System: Windows 7/8/8.1/10/XP/Vista
  • RAM: 1.5 GB
  • HDD: 800 MB
  • CPU: 2 GHz

F-Secure Freedome VPN 2022 Activation Code:

  • WEWG8-FJRT5-FWRG8-THYE4-EDGY4
  • 634YYU-5YYU5-6UHEY-56RYH-56U54
  • EG445-7JK64-KT779-65YT6-GHJR6

How To Crack:

  • Download F-Secure Freedome PC VPN 2.43.809.0 Full Crack files.
  • Open it as well as pushed to start this application
  • Set up it at a free of charge area
  • Right after that near this and operate keygen Exe
  • Right here you push to Triggered
  • Wait around for the procedure!
  • Lastly, all carried out!

Source: https://freeprosoftz.com/f-secure-freedome-vpn-keygen-crack/

F-Secure Freedome VPN 2.43.809.0 Crack + Activation Code Latest 2022

F-Secure Freedome VPN 2.43.809.0 Crack

F-Secure Freedome VPN 2.41.6817.0 Crack + Activation Code 2021

F-Secure Freedome VPN Crack is a super-simple security and online privacy solution. Protect yourself from hackers and harmful apps, stop trackers, connect safely to any Wi-Fi hotspot, and set your location virtually with F-Secure Freedome. Protect yourself from hackers, stop trackers, and set your location virtually with the F-Secure Freedome VPN Key.

F-Secure Freedome VPN 2.36.6555.0 Crack + Activation Code 2021

F-Secure Freedome VPN Activation Code

F-Secure Freedome Crack is one of the biggest VPN companies out there. They boast that no other company has aided more European cybercrime investigations. It was founded in 1998 (as Delta Fellows) in Helsinki, which proved to be a savvy move because Finland has some of the strictest privacy laws in the world. Today, they are a public cybersecurity and privacy company with over 1000 employees. Their team is spread out across 20 offices from Helsinki to Kuala Lumpur in Malaysia.

F-Secure Freedome VPN Keygen is a reliable and efficient software solution created to provide a user with the means of maintaining his anonymity online, being able to prevent ill-intended individuals from stealing user information or websites from tracking and determining the user’s location. F-Secure blocks unwanted third-party malicious sites and shields a user from phishing sites, malware, and ad trackers. It protects the user’s public and private Wi-Fi experience through the secure OpenVPN protocol, relies on state-of-the-art AES-256 encryption, and gives access to geo-blocked content. The OpenVPN tunneling protocol is the default on all Android, Windows, and macOS X products, while IKEv2 is offered for iOS. Both protocols are the best of the best and should be used whenever available. It secures users’ everyday online activities like doing taxes, online banking, streaming, and browsing.

F-Secure Freedome VPN Key

F-Secure Freedome VPN Key provides 29 global servers, which include nine in North America, three in Asia, 16 across Europe, and a single server in Australia. The application is flanked by stats showing how much of the user’s Web traffic has been protected, how many malicious sites have been blocked, and how many attempts to track the user’s online activity have been thwarted, which is on par with other apps like Spotflux Premium and Hotspot Shield.

F-Secure Freedome VPN 2.36.6555.0 Crack + Activation Code 2020

Crack Features Of F-Secure Freedome VPN:

Complete privacy

Trackers, advertisers or even your internet service provider can’t see what you do online.

Access blocked content

Change your virtual location and you won’t see the text “This video/​service/​website is unavailable in your country” again.

Wi‑fi security

Even on unsecured public wi‑fi, your traffic is encrypted and impossible to intercept.

Safe surfing

Your own private VPN tunnel blocks hackers, malicious sites, and bad apps.

F-Secure Freedome VPN 2.36.6554.0 Crack + Activation Code 2021

Operating System:

  • Microsoft Windows 10 (64-bit only), 8.1 (32-bit & 64-bit), or 7 SP1 (32-bit & 64-bit)
  • 1 GHz or faster processor
  • RAM, 32-bit: 2 GB, 64-bit: 4 GB
  • Disk space: 4.0 GB
  • 1360 x 768 display resolution with True Color

How To Install?

  • Download F-Secure Freedome VPN Crack from below.
  • Download Crack and Install It.
  • After installation Extract the files as well as Run them.
  • Click on the Crack then close it.
  • Copy the file from Crack Folder and Paste it into the installation folder.
  • Done. For more information visit this site.

Source: https://vlsoft.net/f-secure-freedome-vpn/
 Patrick T. Lane



138_linux_FC

6/20/01

9:56 AM

Page 1

1 YEAR UPGRADE BUYER PROTECTION PLAN



Your Guide to Open Source Security
• Step-by-Step Instructions for Deploying Open Source Security Tools
• Hundreds of Tools & Traps and Damage & Defense Sidebars, Security Alerts, and Exercises!
• Bonus Wallet CD with Configuration Examples, Packet Captures, and Programs

James Stanger, Ph.D.
Patrick T. Lane
Edgar Danielyan, Technical Editor

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

Hack Proofing Linux: A Guide to Open Source Security

The Only Way to Stop a Hacker Is to Think Like One

James Stanger
Patrick T. Lane

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY   SERIAL NUMBER
001   NFKA4UR934
002   DFTGEGHFG6
003   9456VMPDSP
004   MKC8EWR535
005   ZL94V343BB
006   AS56J89HGE
007   MJTY3D29H6
008   ADQW9UU6NN
009   5TGBXDQ7TN
010   KRF4W2F6P9

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Linux: A Guide to Open Source Security

Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-34-2

Technical Editors: Edgar Danielyan and Larry Karnis
Freelance Editorial Manager: Maribeth Corona-Evans
Co-Publisher: Richard Kristof
Cover Designer: Michael Kavish
Acquisitions Editor: Catherine B. Nolan
Page Layout and Art by: Shannon Tozier
Developmental Editor: Kate Glennon
Copy Editors: Beth A. Roberts and Darren Meiss
CD Production: Michael Donovan
Indexer: Jennifer Coker

Distributed by Publishers Group West in the United States.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible. Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities. Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Kent Anderson of Publishers Group West for sharing their incredible marketing experience and expertise. Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope. Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help. David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Charlotte Chan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Ethan Atkin at Cranbury International for his help in expanding the Syngress program. Joe Pisco, Helen Moyer, Paul Zanoli, Alan Steele, and the great folks at InterCity Press for all their help. Philip Allen at Brewer & Lord LLC for all his work and generosity.

Contributors

Patrick T. Lane (MCSE, MCP+I, MCT, Network+, i-Net+, CIW) is a Content Architect for ProsoftTraining.com, a leading Internet skills training and curriculum development company. He is the author of more than 20 technical courses and is the Director of the CIW Foundations and CIW Internetworking Professional series. While at ProsoftTraining.com, Patrick helped create the Certified Internet Webmaster (CIW) program and the i-Accelerate program for Intel, Novell, and Microsoft professionals. Patrick consults as a mail, news, FTP, and Web Administrator for several organizations, including jCert Initiative Inc. and ProsoftTraining.com. He is also a network security consultant and writer who specializes in TCP/IP internetworking, LAN/WAN solutions, network and operating system security, and the Linux and Windows NT/2000 platforms. He has consulted for the University of Phoenix/Apollo Group, Novell, Intel, NETg, WAVE technologies, KT Solutions, SmartForce, and Futurekids. Patrick is a member of the CompTIA Network+ Advisory Committee, and co-author of Syngress Publishing’s E-mail Virus Protection Handbook (ISBN: 1-928994-23-7). His work has been published in eight languages and he has been a featured speaker for the SmartForce Seminar Series on E-Business, the Internet World PING Series on Internet Protocol version 6, and the Information Technology Association of America (ITAA). He holds a master’s degree in education.

James Stanger (Ph.D., MCSE, MCT) directs the Linux, Security, and Server Administrator certification tracks for ProsoftTraining.com. Since receiving his Ph.D. in 1997, he has focused on auditing Internet servers and writing courseware, books, and articles about administering and securing Internet servers. James has consulted for IBM, Symantec, Evinci (www.evinci.org), Pomeroy (www.pomeroy.com), Securify (www.securify.com), Brigham Young University, and California State, San Bernardino. He specializes in troubleshooting firewalls, intrusion detection, DNS, e-mail, and Web server implementations. James was the Technical Editor of Syngress Publishing’s E-mail Virus Protection Handbook (ISBN: 1-928994-23-7) and has been an instructional designer of security and A+ courses for NetG, Thompson/WAVE learning, and ComputerPREP. Active in the Linux community, James sits on the Linux Professional Institute (www.lpi.org), SAIR (www.linuxcertification.org), and CompTIA Linux+ (www.comptia.org) advisory boards, each of which is dedicated to creating and maintaining industry-respected certifications. As the Vice Chair of the Linux Professional Institute (LPI) Advisory Council, he acts as liaison between the LPI and companies such as IBM, Compaq, and Intel.


Technical Editors

Edgar Danielyan (CCNA) is a self-employed developer specializing in GCC, X Window, Tcl/Tk, logic programming, Internet security, and TCP/IP, with experience on BSD, SVR4.2, FreeBSD, SCO, Solaris, and UnixWare. He has a diploma in company law from the British Institute of Legal Executives as well as a paralegal certificate from the University of Southern Colorado. He is currently working as the Network Administrator and Manager of a top-level Armenian domain. He has also worked for the United Nations, the Ministry of Defense of the Republic of Armenia, and Armenian national telephone companies and financial institutions. Edgar speaks four languages, and is a member of ACM, IEEE CS, USENIX, ISOC, and IPG.

Larry Karnis (RHCE, Master ACE, CITP) is a Senior Consultant for Application Enhancements, a Unix, Linux, and Internet consulting firm located in Toronto, Canada. His first exposure to Unix was over 20 years ago, when he used Unix Version 6 while completing a bachelor's degree in computer science and mathematics. Larry deploys and manages Linux-based solutions such as Web and file and print servers, and Linux firewalls.


About the CD

This book is accompanied by a CD containing files and open source programs used throughout the book. The files include configuration examples, packet captures, and additional resources. We have included the specific open source programs used in the book so you can follow the chapter demonstrations step-by-step on your own systems. Each file on the CD is discussed in detail and referenced throughout the book with the CD icon below. When a specific file or program is required, it directs you to the accompanying CD. The book also directs you to the Web site where you can download the most current version, and find additional resources relating to that program. For instance, you can download Free Secure Wide Area Network (FreeS/WAN) at www.freeswan.org, or use the version located on the CD. It is recommended that you use the version included on the CD because this will increase the chances that the book demonstrations will be successful, as some of the programs may have changed since this book was printed.

The book is written to Red Hat Linux 7.x. Therefore, most of the CD files are Red Hat Package Manager (.rpm) files. There are also many Tape Archive (.tar) files and GNU Zip (.gz) files. Instructions for unpacking and installing these files are included in their respective locations throughout the book. To mount the CD onto your Linux system, you would issue the following command (for Red Hat systems):

mount -t iso9660 /dev/cdrom /mnt/cdrom

And to unmount:

umount /mnt/cdrom

It is recommended that you copy the CD files to your hard drive before working with them. If you use other versions of Linux, you may need to modify the demonstrations, or download a portable version of the open source programs to work with your version of Linux.

Look for this CD icon when obtaining files used in the book demonstrations.

138_linux_ToC

6/20/01

9:27 AM

Page xi

Contents

Foreword xxvii

Using the GNU General Public License
The GNU General Public License (GPL) is the basis of the open source movement. This license is provided by the GNU (GNU's Not Unix) organization, which develops various software packages. The most important element of this license is that instead of protecting a particular person or company, it protects the software code that creates the application.

Chapter 1 Introduction to Open Source Security 1
  Introduction 2
  The Tools Used in This Book 3
  Using the GNU General Public License 3
  Fee-Based GPL Software 5
  Can I Use GPL Software in My Company? 5
  Soft Skills: Coping with Open Source Quirks 6
  General Lack of Installation and Configuration Support 6
  Infrequent or Irregular Update Schedules 6
  Command-Line Dominance 6
  Lack of Backward Compatibility and No Regular Distribution Body 7
  Inconvenient Upgrade Paths 7
  Conflicts in Supporting Libraries and Limited Platform Support 7
  Interface Changes 8
  Partially Developed Solutions 8
  Should I Use an RPM or Tarballs? 10
  Tarball 10
  Red Hat Package Manager 11
  Debian 11
  Obtaining Open Source Software 12
  SourceForge 12
  Freshmeat 13
  Packetstorm 14


  SecurityFocus 15
  Is That Download Safe? 16
  A Brief Encryption Review 16
  Symmetric Key Encryption 17
  Asymmetric Key Encryption 18
  Public Key and Trust Relationships 19
  One-Way Encryption 20
  GNU Privacy Guard 21
  Deploying GNU Privacy Guard 21
  Skipping Public Key Verification 29
  Using GPG to Verify Signatures on Tarball Packages 30
  Using Md5sum 30
  Auditing Procedures 31
  Locking Down Your Network Hosts 31
  Securing Data across the Network 32
  Protecting the Network Perimeter 33
  Summary 35
  Solutions Fast Track 35
  Frequently Asked Questions 38

Chapter 2 Hardening the Operating System 41
  Introduction 42
  Updating the Operating System 42
  Red Hat Linux Errata and Update Service Packages 42
  Handling Maintenance Issues 43
  Red Hat Linux Errata: Fixes and Advisories 44
  Bug Fix Case Study 46
  Manually Disabling Unnecessary Services and Ports 47
  Services to Disable 47
  The xinetd.conf File 48
  Locking Down Ports 50
  Well-Known and Registered Ports 50
  Determining Ports to Block 52


Determining Which Ports to Block
When determining which ports to block on your server, you must first determine which services you require. In most cases, block all ports that are not exclusively required by these services. This is tricky, because you can easily block yourself from services you need, especially services that use ephemeral ports. If your server is an exclusive e-mail server running SMTP and IMAP, you can block all TCP ports except ports 25 and 143, respectively. If your server is an exclusive HTTP server, you can block all ports except TCP port 80. Remember that the server's own outbound connections (DNS lookups, package updates) receive their replies on ephemeral ports, so a default-deny ruleset also needs a rule admitting traffic that belongs to connections the server itself initiated.
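The audit the sidebar describes, as an added example that is not from the book: compare the ports actually listening on a host against the ports its role requires, flag the rest for blocking or disabling, and emit a default-deny iptables ruleset for the role. The ROLE_PORTS table, the `netstat -tln` sample lines, the interface name and the function names are all assumptions made for this example; the rules use the iptables/state-module syntax of the 2.4 kernel the book targets.

```python
"""Audit listening TCP ports against the services a host is supposed to run.

Added example (not from the book): given the ports a role requires and the
output of a listener listing, report the listeners that should be blocked or
disabled, and emit a default-deny iptables ruleset for the role. The
netstat-style lines below are constructed sample input, not a real capture.
"""
import re

# Ports each server role must keep open (the two cases from the sidebar).
ROLE_PORTS = {
    "mail": {25, 143},   # SMTP, IMAP
    "web": {80},         # HTTP
}

# Constructed sample of `netstat -tln` output on a mail server that also has
# a few services listening that the role does not need.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
"""

LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def listening_ports(netstat_output):
    """Return {port: local_address} for every TCP listener in the output."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[int(m.group(2))] = m.group(1)
    return listeners


def unexpected_listeners(netstat_output, role):
    """Ports listening that the role does not require, sorted ascending.

    Loopback-only listeners are reported too: a packet filter on the external
    interface never sees them, so they must be disabled (xinetd or init
    scripts) rather than firewalled.
    """
    required = ROLE_PORTS[role]
    return sorted(p for p in listening_ports(netstat_output) if p not in required)


def iptables_rules(role, interface="eth0"):
    """Default-deny INPUT ruleset for the role (iptables, kernel 2.4 syntax).

    The ESTABLISHED,RELATED rule is what keeps the host from locking itself
    out of replies to its own outbound connections, which arrive on
    ephemeral ports.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(ROLE_PORTS[role]):
        rules.append(
            f"iptables -A INPUT -i {interface} -p tcp --dport {port} "
            f"-m state --state NEW -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    print("Unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT, "mail"))
    print("\n".join(iptables_rules("mail")))
```

Run it against real `netstat -tln` output before loading any rules, and keep a console session open while you test: with a DROP policy and no ESTABLISHED rule, the first rule load silently cuts off your own SSH session.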

  Blocking Ports 53
  Xinetd Services 53
  Stand-Alone Services 54
  Hardening the System with Bastille 55
  Bastille Functions 55
  Bastille Versions 63
  Implementing Bastille 64
  Undoing Bastille Changes 74
  Controlling and Auditing Root Access with Sudo 77
  System Requirements 79
  The Sudo Command 79
  Downloading Sudo 80
  Installing Sudo 82
  Configuring Sudo 86
  Running Sudo 90
  No Password 92
  Sudo Logging 93
  Managing Your Log Files 96
  Using Logging Enhancers 97
  SWATCH 97
  Scanlogd 100
  Syslogd-ng 101
  Summary 103
  Solutions Fast Track 104
  Frequently Asked Questions 107

Chapter 3 System Scanning and Probing 109
  Introduction 110
  Scanning for Viruses Using the AntiVir Antivirus Application 110
  Understanding Linux Viruses 110
  Using AntiVir 112
  Key Mode and Non-Key Mode 114
  Licensing AntiVir 114
  Exercise: Updating AntiVir 114
  Using TkAntivir 116
  Required Libraries and Settings 117


Learn How to Set Preferences For TkAntivir

  Scanning Systems for Boot Sector and E-Mail Viruses 117
  Additional Information 120
  Exercise: Using TkAntivir 120
  Scanning Systems for DDoS Attack Software Using a Zombie Zapper 123
  How Zombies Work and How to Stop Them 124
  When Should I Use a Zombie Zapper? 125
  What Zombie Zapper Should I Use? 125
  What Does Zombie Zapper Require to Compile? 127
  Exercise: Using Zombie Zapper 127
  Scanning System Ports Using the Gnome Service Scan Port Scanner 129
  Required Libraries 130
  Why Use a Port Scanner? 131
  Exercise: Using Gnome Service Scanner 131
  Using Nmap 133
  Isn't Nmap Just Another Port Scanner? 134
  Acquiring and Installing Nmap 136
  Common Nmap Options 136
  Applied Examples 137
  Scanning Entire Networks and Subnets 138
  Selective Scanning 139
  Adding More Stealth 139
  Saving to Text and Reading from Text 140
  Testing Firewalls and Intrusion Detection Systems 141
  Example: Spoofing the Source Address of a Scan 142
  Timing Your Scan Speeds 142
  Example: Conducting a Paranoid Scan 143
  Exercise: Using Nmap 143
  Using Nmap in Interactive Mode 144
  Exercise: Using Nmap in Interactive Mode 144


  Using NmapFE as a Graphical Front End 146
  Exercise: Using NmapFE 147
  Using Remote Nmap (Rnmap) as a Central Scanning Device 147
  Exercise: Scanning Systems with Rnmap 148
  Deploying Cheops to Monitor Your Network 151
  How Cheops Works 153
  Obtaining Cheops 154
  Required Libraries 154
  The Cheops Interface 155
  Mapping Relations between Computers 157
  Cheops Monitoring Methods 157
  Connectivity Features 159
  Exercise: Installing and Configuring Cheops 160
  Deploying Nessus to Test Daemon Security 165
  The Nessus Client/Server Relationship 167
  Windows Nessus Clients 169
  Required Libraries 169
  Order of Installation 170
  Configuring Plug-Ins 173
  Creating a New Nessus User 174
  The Rules Database 174
  Exercise: Installing Nessus and Conducting a Vulnerability Scan 175
  Updating Nessus 179
  Understanding Differential, Detached, and Continuous Scans 180
  Exercise: Conducting Detached and Differential Scans with Nessus 182
  Summary 185
  Solutions Fast Track 185
  Frequently Asked Questions 189


SECURITY ALERT! Although Tripwire has a “file integrity mode,” Tripwire is not really an integrity checker in the classic sense. It does not, for example, test the file’s stability or inode number or any other aspect in regards to file storage. Tripwire simply compares a file’s new signature with that taken when the database was created. Other tools may be used to check the integrity of a file’s permissions and ownership information.
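The database-then-compare cycle the alert describes, as an added example that is neither the book's code nor Tripwire's: baseline a directory tree, then report what changed. Alongside the content hash it records the storage metadata the alert says a signature-only comparison misses (inode, mode, owner, size), so a permission change or a replaced file shows up even when the hash is unchanged. The directory layout, file contents and the three tampering steps are constructed for the demonstration; everything happens in a temporary directory.

```python
"""Minimal file-integrity check in the style of Tripwire's database/compare cycle.

Added example (not from the book, not Tripwire's code): take a baseline of a
directory, then compare the current state against it. Besides the content
hash it records inode, mode, owner and size, so a chmod or a replaced file is
reported even when the bytes are unchanged. The files are created in a
temporary directory by demo().
"""
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Properties recorded per file: content hash plus storage metadata."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "inode": st.st_ino,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def baseline(root):
    """Database-initialization step: record every file below root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def compare(root, db):
    """Integrity-checking step: return {relpath: [changed property names]}.

    Files gone since the baseline report ["missing"]; new files report ["added"].
    """
    current = baseline(root)
    report = {}
    for rel, old in db.items():
        new = current.get(rel)
        if new is None:
            report[rel] = ["missing"]
            continue
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            report[rel] = changed
    for rel in current:
        if rel not in db:
            report[rel] = ["added"]
    return report


def demo():
    """Create a tree, baseline it, tamper with it three ways, return the report."""
    root = tempfile.mkdtemp()
    for name, data in (("bin/login", b"#!/bin/sh\nexec /bin/true\n"),
                       ("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o644)          # fixed mode so the result is umask-independent
    db = baseline(root)

    # 1. content change: a trojaned login binary (same inode, new bytes)
    with open(os.path.join(root, "bin/login"), "wb") as f:
        f.write(b"#!/bin/sh\nexec /tmp/backdoor\n")
    # 2. permission-only change: same bytes, now world-writable
    os.chmod(os.path.join(root, "etc/passwd"), 0o666)
    # 3. a file that did not exist at baseline time
    with open(os.path.join(root, "etc/ld.so.preload"), "wb") as f:
        f.write(b"/tmp/evil.so\n")
    return compare(root, db)


if __name__ == "__main__":
    for path, props in sorted(demo().items()):
        print(f"{path}: {', '.join(props)}")
```

The report is only as trustworthy as the baseline: an attacker who can rewrite the database can hide any change, which is why the book's exercise on securing the Tripwire database (read-only media or a signed copy kept off the host) matters as much as the comparison itself.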

Chapter 4 Implementing an Intrusion Detection System 191
  Introduction 192
  Understanding IDS Strategies and Types 194
  IDS Types 195
  Host-Based IDS Applications 196
  Network-Based IDS Applications 196
  IDS Applications and Fault Tolerance 197
  What Can an IDS Do for Me? 200
  Which IDS Strategy Is Best? 203
  Network-Based IDS Applications and Firewalls 203
  IDS Applications 204
  Installing Tripwire to Detect File Changes on Your Operating System 206
  Tripwire Dependencies 207
  Availability 208
  Deploying Tripwire 208
  Tripwire Files 208
  Tripwire Installation Steps 209
  Configuring the Tripwire Policy File 209
  Creating the Tripwire Policy File 212
  Database Initialization Mode 212
  Testing E-Mail Capability 214
  Integrity Checking Mode 214
  Specifying a Different Database 215
  Reading Reports 215
  Updating Tripwire to Account for Legitimate Changes in the OS 215
  Updating the Policy 216
  What Do I Do if I Find a Discrepancy? 217
  Configuring Tripwire to Inform You Concerning Changes 217
  Exercise: Installing Tripwire 217
  Exercise: Securing the Tripwire Database 219
  Exercise: Using Cron to Run Tripwire Automatically 220


  Deploying PortSentry to Act as a Host-Based IDS 220
  Important PortSentry Files 221
  Installing PortSentry 222
  Configuring PortSentry to Block Users 222
  Optimizing PortSentry to Sense Attack Types 223
  Exercise: Installing and Configuring PortSentry 224
  Exercise: Clearing Ipchains Rules 227
  Exercise: Running an External Command Using PortSentry 227
  Installing and Configuring Snort 229
  Availability 229
  Supporting Libraries 229
  Understanding Snort Rules 230
  Snort Variables 230
  Snort Files and Directories 231
  Snort Plug-Ins 232
  Starting Snort 233
  Logging Snort Entries 236
  Running Snort as a Network-Based IDS 236
  Ignoring Hosts 237
  Additional Logging Options: Text Files, Tcpdump, and Databases 237
  Configuring Snort to Log to a Database 238
  Controlling Logging and Alerts 239
  Getting Information 240
  Exercise: Installing Snort 240
  Exercise: Using Snort as an IDS Application 241
  Exercise: Configuring Snort to Log to a Database 243
  Exercise: Querying a Snort Database from a Remote Host 251
  Identifying Snort Add-Ons 251
  SnortSnarf 252


  Exercise: Using SnortSnarf to Read Snort Logs 252
  Analysis Console for Intrusion Databases 252
  Summary 254
  Solutions Fast Track 254
  Frequently Asked Questions 258

Learn the Flags Used in TCP Connections

Flag   Description
SYN    Synchronize sequence numbers. Used for connection establishment.
FIN    The sender is finished with the connection. Used for connection termination.
RST    Reset the connection.
PSH    Push the data.
ACK    Acknowledgment.
URG    Urgent.

Chapter 5 Troubleshooting the Network with Sniffers 261
  Introduction 262
  Understanding Packet Analysis and TCP Handshakes 264
  TCP Handshakes 265
  Establishing a TCP Connection 265
  Terminating a TCP Connection 266
  Creating Filters Using Tcpdump 268
  Tcpdump Options 268
  Tcpdump Expressions 271
  Boolean Operators 275
  Installing and Using Tcpdump 276
  Configuring Ethereal to Capture Network Packets 279
  Ethereal Options 281
  Ethereal Filters 283
  Configuring Ethereal and Capturing Packets 283
  Viewing Network Traffic between Hosts Using EtherApe 288
  Configuring EtherApe and Viewing Network Traffic 289
  Summary 293
  Solutions Fast Track 294
  Frequently Asked Questions 296

Chapter 6 Network Authentication and Encryption 299
  Introduction 300
  Understanding Network Authentication 300
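The flag table and the Chapter 5 handshake material in working form, as an added example that is not from the book: the code packs and parses raw 20-byte TCP headers, extracts the six flags from the table, and a small state machine labels each segment of a constructed client/server exchange as a step of the three-way handshake, data transfer, or the FIN-based close, checking acknowledgment numbers along the way. The port numbers, sequence numbers and the exchange itself are constructed, not captured; the header layout is the standard one a sniffer such as Tcpdump or Ethereal decodes.

```python
"""Decode TCP flag bits and follow a connection through setup and teardown.

Added example (not from the book): packs and parses raw 20-byte TCP headers
with struct, extracts the six flags, and a small tracker labels each segment
as a handshake or teardown step while checking the acknowledgment numbers.
The exchange below is constructed inline, not captured from a network.
"""
import struct

# Flag bits in the 16-bit data-offset/flags word (low 6 bits).
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def build_tcp_header(src, dst, seq, ack, flags):
    """Pack a 20-byte header: ports, seq, ack, offset/flags, window, checksum, urgent.
    Checksum is left at zero; this is for parsing demonstrations, not for sending."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, (5 << 12) | bits, 65535, 0, 0)


def parse_tcp_header(data):
    """Return the fields a sniffer shows: ports, seq, ack, header length, flag names."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    return {
        "src": src, "dst": dst, "seq": seq, "ack": ack,
        "hlen": (off_flags >> 12) * 4,
        "flags": {n for n, b in FLAG_BITS.items() if off_flags & b},
    }


class HandshakeTracker:
    """State machine for one connection, observed from the client's side."""

    def __init__(self):
        self.state = "CLOSED"
        self.client_isn = None
        self.server_isn = None

    def feed(self, hdr):
        f = hdr["flags"]
        if "RST" in f:
            self.state = "CLOSED"
            return "reset"
        if self.state == "CLOSED" and f == {"SYN"}:
            self.client_isn = hdr["seq"]
            self.state = "SYN_SENT"
            return "handshake-1 SYN"
        if self.state == "SYN_SENT" and f == {"SYN", "ACK"}:
            if hdr["ack"] != (self.client_isn + 1) & 0xFFFFFFFF:
                return "bad SYN/ACK (wrong ack number)"
            self.server_isn = hdr["seq"]
            self.state = "SYN_RECEIVED"
            return "handshake-2 SYN/ACK"
        if self.state == "SYN_RECEIVED" and "ACK" in f:
            if hdr["ack"] != (self.server_isn + 1) & 0xFFFFFFFF:
                return "bad ACK (wrong ack number)"
            self.state = "ESTABLISHED"
            return "handshake-3 ACK"
        if self.state == "ESTABLISHED" and "FIN" in f:
            self.state = "FIN_WAIT"
            return "teardown-1 FIN"
        if self.state == "FIN_WAIT" and "FIN" in f:
            self.state = "LAST_ACK"
            return "teardown-2 FIN/ACK"
        if self.state == "LAST_ACK" and "ACK" in f:
            self.state = "CLOSED"
            return "teardown-3 ACK"
        if self.state == "ESTABLISHED":
            return "data" + (" PSH" if "PSH" in f else "")
        return "unexpected in " + self.state


def sample_exchange():
    """Constructed client (port 40000) <-> server (port 80) conversation."""
    c, s = 40000, 80
    return [
        build_tcp_header(c, s, 1000, 0, ["SYN"]),
        build_tcp_header(s, c, 5000, 1001, ["SYN", "ACK"]),
        build_tcp_header(c, s, 1001, 5001, ["ACK"]),
        build_tcp_header(c, s, 1001, 5001, ["PSH", "ACK"]),   # request data
        build_tcp_header(c, s, 1040, 5001, ["FIN", "ACK"]),
        build_tcp_header(s, c, 5001, 1041, ["FIN", "ACK"]),
        build_tcp_header(c, s, 1041, 5002, ["ACK"]),
    ]


def label_exchange(segments):
    tracker = HandshakeTracker()
    return [tracker.feed(parse_tcp_header(seg)) for seg in segments]


if __name__ == "__main__":
    for seg, label in zip(sample_exchange(), label_exchange(sample_exchange())):
        h = parse_tcp_header(seg)
        print(f"{h['src']:>5} -> {h['dst']:<5} {'/'.join(sorted(h['flags'])):8} {label}")
```

The acknowledgment checks are the part a flag table alone cannot give you: a SYN/ACK whose ack number is not the client's sequence number plus one is not a valid reply, which is exactly the kind of forged segment the firewall-probing tools of Chapter 11 send.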


Answer Your Questions about Kerberos

Q: I wish to remove a principal from the keytab of one of my Kerberos clients. How do I do this?

A: Enter kadmin as an administrative user on the Kerberos client (not the KDC) and use the ktremove command, which operates on the local keytab. For example, if you wanted to remove the principal for the user named james, you would do the following:

terminal$ /usr/kerberos/sbin/kadmin
kadmin: ktremove james
kadmin: quit
terminal$

  Attacking Encrypted Protocols 301
  Creating Authentication and Encryption Solutions 303
  Implementing One-Time Passwords (OTP and OPIE) 305
  What Files Does OPIE Replace? 305
  How Does OPIE Work? 305
  OPIE Files and Applications 306
  opiepasswd 307
  Password Format 308
  Using opiekey 309
  Using opieinfo and opiekey to Generate a List 310
  Installing OPIE 310
  Configuration Options 310
  Installation Options 311
  Uninstalling OPIE 312
  Exercise: Installing OPIE 312
  Exercise: Installing the OPIE Client on a Remote Server 315
  Exercise: Using opie-tk and Allowing Windows Users to Deploy OPIE 316
  Exercise: Installing opieftpd 318
  Implementing Kerberos Version 5 319
  Why Is Kerberos Such a Big Deal? 320
  Kerberos Terms 321
  Kerberos Principals 322
  The Kerberos Authentication Process 323
  How Information Traverses the Network 324
  Creating the Kerberos Database 325
  Using kadmin.local 325
  Using kadmin 326
  Using kadmin on the Client 328
  Using kadmin and Creating Kerberos Client Passwords 329
  Setting Policies 330
  Using Kinit 330


  The kinit Command and Time Limits 332
  Managing Kerberos Client Credentials 333
  The kdestroy Command 333
  Exercise: Configuring a KDC 334
  Establishing Kerberos Client Trust Relationships with kadmin 337
  Additional Daemon Principal Names 339
  Logging On to a Kerberos Host Daemon 340
  Common Kerberos Client Troubleshooting Issues and Solutions 340
  Kerberos Client Applications 341
  Kerberos Authentication and klogin 342
  Exercise: Configuring a Kerberos Client 342
  Summary 345
  Solutions Fast Track 345
  Frequently Asked Questions 348

Secure E-Commerce Transactions
If hackers were alerted to an unsecured server, they could capture packets going in and out of the server to gain the data they sought. For example, if an e-commerce server does not use any type of network encryption for transactions, there is a great deal of data to be gained by a hacker. Unfortunately, many small companies or entrepreneurs set up their own Web servers, unaware of potential security problems, and set up simple scripts to process payment forms.

Chapter 7 Avoiding Sniffing Attacks through Encryption 353
  Introduction 354
  Understanding Network Encryption 354
  Capturing and Analyzing Unencrypted Network Traffic 355
  Using OpenSSH to Encrypt Network Traffic between Two Hosts 361
  The OpenSSH Suite 362
  Installing OpenSSH 364
  Configuring SSH 367
  How SSH Works 368
  Insecure r-command Authentication 368
  Secure SSH Authentication 371
  Implementing SSH to Secure Data Transmissions over an Insecure Network 373
  Distributing the Public Key 376
  Capturing and Analyzing Encrypted Network Traffic 381
  Summary 385


  Solutions Fast Track 386
  Frequently Asked Questions 388

Secure Tunneling with Virtual Private Networks (VPNs)
VPNs provide a private data network over public telecommunication infrastructures, such as the Internet, by providing authentication and encryption through a data "tunnel" between devices. All data transmitted between the devices through the tunnel is secure, regardless of what programs the devices are running.

Chapter 8 Creating Virtual Private Networks 391
  Introduction 392
  Secure Tunneling with VPNs 392
  Telecommuter VPN Solution 392
  Router-to-Router VPN Solution 394
  Host-to-Host VPN Solution 395
  Tunneling Protocols 395
  Explaining the IP Security Architecture 396
  Using IPSec with a VPN Tunneling Protocol 400
  Internet Key Exchange Protocol 401
  Creating a VPN by Using FreeS/WAN 402
  Downloading and Unpacking FreeS/WAN 404
  Compiling the Kernel to Run FreeS/WAN 407
  Recompiling FreeS/WAN into the New Kernel 417
  Configuring FreeS/WAN 420
  Testing IP Networking 420
  Configuring Public Key Encryption for Secure Authentication of VPN Endpoints 424
  Starting the Tunnel 434
  Capturing VPN Tunnel Traffic 436
  Closing the VPN Tunnel 438
  Summary 439
  Solutions Fast Track 440
  Frequently Asked Questions 441

Chapter 9 Implementing a Firewall with Ipchains and Iptables 445
  Introduction 446
  Understanding the Need for a Firewall 447
  Building a Personal Firewall 449
  Understanding Packet Filtering Terminology 450


Understand Essential Linux Firewall Functions
■ IP address conservation and traffic forwarding
■ Network differentiation
■ Protection against denial-of-service, scanning, and sniffing attacks
■ IP and port filtering
■ Content filtering
■ Packet redirection
■ Enhanced authentication and encryption
■ Supplemented logging


  Firewall Works in Progress 490
  Exercise: Using Firestarter to Create a Personal Firewall 490
  Exercise: Using Advanced Firestarter Features 498
  Summary 500
  Solutions Fast Track 500
  Frequently Asked Questions 505

Configure Squid with the /etc/squid/squid.conf file

Chapter 10 Deploying the Squid Web Proxy Cache Server 507
  Introduction 508
  Benefits of Proxy Server Implementation 508
  Proxy Caching 508
  Network Address Translation 510
  Differentiating between a Packet Filter and a Proxy Server 512
  Implementing the Squid Web Proxy Cache Server 513
  System Requirements Specific to Proxy Caching 516
  Installing Squid 517
  Configuring Squid 520
  The http_port Tag 522
  The Cache_dir Tag 523
  The acl Tag 525
  The http_access Tag 526
  Starting and Testing Squid 528
  Configuring Proxy Clients 529
  Configuring Netscape Navigator and Lynx 530
  Configuring Netscape Navigator 530
  Configuring Lynx 532
  Configuring Internet Explorer (Optional) 533
  Summary 535
  Solutions Fast Track 536
  Frequently Asked Questions 538


See How to Use the Firelogd Program
Firelogd (Firewall Log Daemon) is a relatively simple program that can either be run as an application or (you might have guessed) as a daemon. It does two things:
■ It reads the kernel log entries and passes them into a "first in, first out" (FIFO) pipe, which Firelogd can then process.
■ Once its buffer is full, it e-mails a report of suspicious traffic to an account of your choosing. You can have it mailed to a local account, or to a remote system of your choice.
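The two-step behaviour the sidebar describes (read kernel firewall entries into a FIFO, report once the buffer fills), as an added example that is not Firelogd's code and not from the book: it parses iptables LOG lines in the kernel's `KEY=value` format, buffers them, and when the buffer reaches its batch size renders a report grouped by source address and destination port, with a count of SYN-only probes as a crude port-scan indicator. Where Firelogd mails the report, this version hands it to a callback so it runs offline; the log lines, host name and batch size are constructed for the example.

```python
"""Batch firewall log entries and summarize them when the buffer fills.

Added example (not Firelogd's code, not from the book): parses constructed
iptables LOG lines as the kernel would write them, holds them in a FIFO
buffer, and once `batch_size` entries are buffered renders a report grouped
by source address and destination port. Delivery is a callback instead of
e-mail so the example runs offline.
"""
import re
from collections import Counter, deque

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

# Constructed iptables LOG lines (kernel 2.4 format); not a real capture.
SAMPLE_LOG = """\
Jun 20 09:25:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 20 09:25:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 20 09:25:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 20 09:25:07 gw kernel: IN=eth0 OUT= SRC=172.16.4.9 DST=192.168.1.1 LEN=44 TTL=51 ID=4 PROTO=UDP SPT=53 DPT=1029 LEN=24
Jun 20 09:25:09 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 20 09:25:10 gw kernel: something unrelated from the kernel
"""


def parse_log_line(line):
    """Return a dict of the LOG fields, or None if the line is not a firewall entry."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    # TCP flags appear as bare words after RES=; word boundaries keep URGP= out.
    fields["flags"] = [f for f in FLAGS if re.search(rf"\b{f}\b", line)]
    fields["time"] = " ".join(line.split()[:3])
    return fields


def render_report(entries):
    """Summarize one batch: who sent the blocked packets and where they aimed."""
    by_src = Counter(e["SRC"] for e in entries)
    by_port = Counter(f"{e['PROTO']}/{e['DPT']}" for e in entries)
    lines = [f"Firewall report: {len(entries)} blocked packets "
             f"({entries[0]['time']} .. {entries[-1]['time']})", "Top sources:"]
    lines += [f"  {src:15} {n}" for src, n in by_src.most_common()]
    lines.append("Destination ports:")
    lines += [f"  {port:10} {n}" for port, n in by_port.most_common()]
    syn_probes = [e for e in entries if e["flags"] == ["SYN"]]
    if syn_probes:
        lines.append(f"SYN-only probes (likely port scan): {len(syn_probes)}")
    return "\n".join(lines)


class FirewallLogBuffer:
    """FIFO of parsed entries; flushes a report through `deliver` when full."""

    def __init__(self, batch_size, deliver):
        self.batch_size = batch_size
        self.deliver = deliver          # callable taking the report text
        self.buffer = deque()

    def feed(self, line):
        """Queue one log line; returns False for lines that are not firewall entries."""
        entry = parse_log_line(line)
        if entry is None:
            return False
        self.buffer.append(entry)
        if len(self.buffer) >= self.batch_size:
            self.flush()
        return True

    def flush(self):
        if not self.buffer:
            return None
        report = render_report(list(self.buffer))
        self.buffer.clear()
        self.deliver(report)
        return report


def run_sample(batch_size=4):
    """Feed the sample log through a buffer; return (parsed, reports, left in buffer)."""
    sent = []
    buf = FirewallLogBuffer(batch_size, sent.append)
    parsed = sum(buf.feed(line) for line in SAMPLE_LOG.splitlines())
    return parsed, sent, len(buf.buffer)


if __name__ == "__main__":
    _, reports, _ = run_sample()
    print("\n\n".join(reports))
```

A buffer that only flushes when full is also a weakness: a low-rate attacker never fills it, so a real deployment flushes on a timer as well and, as the book's Chapter 11 exercises do with Fwlogwatch, pairs the report with an automatic response.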

Chapter 11 Maintaining Firewalls 543
  Introduction 544
  Testing Firewalls 544
  IP Spoofing 546
  Open Ports/Daemons 546
  Monitoring System Hard Drives, RAM, and Processors 547
  Suspicious Users, Logins, and Login Times 547
  Check the Rules Database 548
  Verify Connectivity with Company Management and End Users 548
  Remain Informed Concerning the Operating System 549
  Port Scans 549
  Using Telnet, Ipchains, Netcat, and SendIP to Probe Your Firewall 550
  Ipchains 551
  Telnet 551
  Using Multiple Terminals 552
  Netcat 552
  Sample Netcat Commands 554
  Additional Netcat Commands 555
  Exercise: Using Netcat 557
  SendIP: The Packet Forger 558
  SendIP Syntax 558
  Exercise: Using SendIP to Probe a Firewall 560
  Understanding Firewall Logging, Blocking, and Alert Options 563
  Firewall Log Daemon 563
  Obtaining Firelogd 563
  Syntax and Configuration Options 563
  Message Format 564
  Customizing Messages 566
  Reading Log Files Generated by Other Firewalls 568


  Exercise: Configuring and Compiling Firelogd 568
  Fwlogwatch 569
  Fwlogwatch Modes 570
  Fwlogwatch Options and Generating Reports 572
  Exercise: Generating an HTML-Based Firewall Log with Fwlogwatch 575
  Automating Fwlogwatch 575
  The Fwlogwatch Configuration File 576
  Notification Options 579
  Response Options 581
  Exercise: Configuring Fwlogwatch to Send Automatic Alerts and Block Users 583
  Using Fwlogwatch with CGI Scripts 584
  Obtaining More Information 586
  Viewing the Results 587
  Exercise: Using Cron and Fwlogwatch CGI Scripts to Generate an Automatic HTML Report 588
  Additional Fwlog Features 590
  Obtaining Additional Firewall Logging Tools 590
  Summary 593
  Solutions Fast Track 593
  Frequently Asked Questions 597

Appendix A Bastille Log 599

Appendix B Hack Proofing Linux Fast Track 605

Index 637


138_linux_pref

6/20/01

9:28 AM

Page xxvii

Preface

Hack Proofing Linux: A Guide to Open Source Security is designed to help you deploy a Linux system on the Internet in a variety of security roles. This book provides practical instructions and pointers concerning the open source security tools that we use every day. First, we show you how to obtain the software; and then, how to use the Bastille application to "harden" your Linux operating system so that it can function securely as it fulfills a specific role of your choice (e.g., as a Web server, as an E-mail server, and so forth). You will also learn how to use your Linux system as an auditing tool to scan systems for vulnerabilities as well as create an Intrusion Detection System (IDS), which enables your Linux system to log and respond to suspicious activity. From virus protection to encrypting transmissions using GNU Privacy Guard and FreeS/WAN, you will be able to configure your system to secure local data as well as data that will be passed along the network. After reading this book, you will be able to identify open source and "for-fee" tools that can help you further secure your Linux system. We have also included chapters concerning ways to sniff and troubleshoot network connections and how to implement strong authentication using One Time Passwords (OTP) and Kerberos. Tools such as the Squid proxy server and Ipchains/Iptables will help you use your Linux system so that it can act as a firewall. With the tools on the accompanying CD as well as the advice and instructions given in this book, you will be able to deploy your Linux system in various roles with confidence.

We decided to focus on profiling the most commonly used security tools found on the Linux platform. We also decided to emphasize the real-world implementation of these tools, as opposed to just providing conceptual overviews. Finally, we decided to describe the steps you should take when things go wrong. As a result, we have created a book that is a valuable resource that helps you use your Linux system as efficiently as possible.


One of the most exciting things about this book is that it provides hands-on instructions for implementing security applications. From GNU Privacy Guard (GPG) and Bastille to FreeS/WAN, Kerberos, and firewall troubleshooting utilities, this book shows you how to use your Linux skills to provide the most important security services such as encryption, authentication, access control, and logging. While writing the book, we had the following three-part structure in mind:
■ Locking Down the Network (Chapters 1 through 4)
■ Securing Data Passing Across the Network (Chapters 5 through 8)
■ Protecting the Network Perimeter with Firewalls (Chapters 9 through 11)

Each of these sections is designed to help you find the best solution for your particular situation. Although the book itself isn't explicitly divided into sections, as you are reading remember this rough division because it will help you to implement security measures in your own environment.

Chapter 1 discusses open source concepts, including the GNU General Public License, as presented by the www.gnu.org people (the Free Software Foundation), and then moves on to showing how you can use GPG and Pretty Good Privacy (PGP) to encrypt transmissions and also to check the signatures of files that you download from the Web. It also provides information concerning the steps to take when auditing a network. Chapter 2 shows you how to lock down your operating system so that it provides only those Internet services that you desire. Chapter 3 shows you how to use applications such as AntiVir, Gnome ServiceScan, Nmap, Rnmap, and Nessus to scan for vulnerabilities. In Chapter 4, you will learn about host and network-based IDS applications such as Snort, Tripwire, and PortSentry. Chapter 5 explains how to use network sniffers such as Tcpdump, Ethereal, and EtherApe to their full advantage. With this knowledge, auditing a network and truly understanding what is going on "beneath the hood" will make you a much more effective network security administrator. By the time you finish Chapter 6, you will know how to deploy One Time Passwords and Kerberos; in Chapter 7, you will understand how to avoid sniffing attacks; and in Chapter 8, you will enable IPSec by deploying FreeS/WAN. Chapter 9 empowers you to create personal firewalls as well as packet filtering firewalls using either Ipchains or Iptables. Chapter 10 shows you how to implement Squid so that you can more carefully monitor and process packets. Finally, Chapter 11 provides you with tools that test your firewall implementation.

www.syngress.com


The open source community has fulfilled the need for a powerful, free system that allows you to conduct audits, serve up Web pages, provide e-mail services, or any other Internet service you wish to provide. Once you are able to take advantage of the security software provided by the open source community, you will receive the benefit of having a huge pool of developers working for you. You will gain more freedom because you will be able to choose widely tested security tools provided by a variety of skilled developers. You can even choose (at your own risk) to use rather obscure tools that have been recently created. It is up to you. Open source operating systems and security tools are both a blessing and a curse: You are blessed with (usually) free software, but you are then cursed with having to spend time working with the software's idiosyncrasies. By reading this book and implementing the tools and practices we've described, you should be able to minimize the "curse." It is also our hope that as you read this book you will also become further involved in the open source software movement, which has begun to fulfill its promise of creating powerful, useful software.

—James Stanger, Ph.D., MCSE, MCT



138_linux_01

6/20/01

9:25 AM

Page 1

Chapter 1

Introduction to Open Source Security

Solutions in this chapter:
■ Using the GNU General Public License
■ Soft Skills: Coping with Open Source Quirks
■ Should I Use an RPM or Tarballs?
■ Obtaining Open Source Software
■ A Brief Encryption Review
■ Public Key and Trust Relationships
■ Auditing Procedures
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions


Chapter 1 • Introduction to Open Source Security

Introduction

In spite of the ups and downs of the dot-com industry, open source software has become a viable alternative to commercial companies such as Microsoft, Sun, and IBM. Although open source software has its quirks and its problems, the open source movement has made its niche in the networking market. As a networking professional, it is in your best interest to understand some of the more important security applications and services that are available.

This book is designed to provide experienced systems administrators with open source security tools. Although we have made every effort to include as many people and as many skill sets as possible, this book assumes a fundamental knowledge of Linux. This book focuses on open source Linux applications, daemons, and system fixes. In the book's first chapters, you will learn how to lock down your network. Chapter 2 discusses ways to secure and monitor the operating system, and ways to scan local and remote networks for weaknesses. You will receive detailed information on how to ensure that your system's services and the root account are as secure as possible. In Chapter 3, you will learn how to deploy antivirus and scanning programs for your local system. By using these scanning programs, you will be able to mitigate risk and learn more about the nature of services on your network. Scanners such as Nmap and Nessus will help you learn about the open ports on your network, and how these open ports might pose a threat to your system. Chapter 4 gives you detailed information about practical ways to implement intrusion detection on your local system and on your network. Using applications such as Tripwire, PortSentry, and Snort, you will be able to precisely identify system anomalies and detect inappropriate logins. Chapter 5 shows how you can use open source tools such as Tcpdump, Ethereal, EtherApe, and Ntop to inspect and gauge traffic on the network.

The second part of the book focuses on ways to enhance authentication using open source software. In Chapter 6, you will learn about One Time Passwords (OTP) and Kerberos as ways to ensure that malicious users won't be able to obtain your passwords as they cross the network. Chapter 7 discusses ways to use Secure Shell (SSH) and Secure Sockets Layer (SSL), which are ways to enable on-the-fly encryption to protect data. In Chapter 8, you will learn about how to enable IPSec on a Linux system so that you can implement a virtual private network (VPN). As you learn more about the primary VPN product called Free Secure Wide Area Network (FreeS/WAN), you will see how it is possible to protect network traffic as it passes through your own network, and over the Internet.


The final part of the book focuses on ways to create an effective network perimeter. Chapter 9 shows how to install and configure Ipchains and Iptables on a Linux system. The 2.2 kernel series uses Ipchains, whereas the 2.4 series (and the 2.3 development kernels that led to it) uses Iptables. Whichever you have, you will learn to filter traffic with these two packet filtering tools. In Chapter 10, you will learn how a proxy server can further enhance your control over your network perimeter. Specifically, you will use the Squid proxy server to control client access to the Internet. You will also learn how to configure Linux clients to access the proxy server. Finally, Chapter 11 shows how to troubleshoot and counteract problems with your network perimeter. You will learn how to maintain, test, and log the firewall so that you have a functional barrier between you and the outside world. It is our intention to create a book that gives you practical information and advice about the most common open source security tools.

The Tools Used in This Book

This book was written using version 7.0 of the Red Hat Linux operating system. Although it may not be the “best” Linux distribution (there are at least 100 versions in the world), it is the most popular. We have tried to ensure that the skills and tools you obtain in this book will be portable to other Linux versions, and even other open source operating systems such as FreeBSD (www.freebsd.org). However, each Linux flavor has its own quirks, and you may find it necessary to deviate from some of the instructions in this book.

Using the GNU General Public License

The GNU General Public License (GPL) is the basis of the open source movement. This license is provided by the Gnu is Not Unix (GNU) organization, which develops various software packages. Begun in 1984 by Richard Stallman, GNU has worked to create a license designed to ensure that the open source movement continues to thrive. You can learn more about GNU at the www.gnu.org Web site, shown in Figure 1.1. The most important element of this license is that instead of protecting a particular person or company, it protects the software code that creates the application. Traditionally, copyrights have enabled individuals to lay claim to a particular piece of software and then sell it for profit. In addition, the copyright enables that individual to then take action against anyone else who uses that code to create similar functionality. For better or for worse, Richard Stallman, Eric Raymond, and others helped found and popularize the concept of an open software license called the Gnu General Public License (often referred to as the GPL). You can read the GPL at www.gnu.org/copyleft/gpl.html.

Figure 1.1 The GNU Web Site

This license is part of the “copyleft” movement, which considers itself an alternative to traditional copyright laws. The GPL essentially allows anyone who develops code to ensure that the code remains open, meaning that GPL-licensed code can be taken and improved upon by anyone, as long as the improved code is given to the original writer and the software writing community. Consequently, a piece of code protected by the GPL will, by law, always remain accessible by anyone who wants to read or modify it. Without the GPL license, another person can take the code that you invent, and make it closed and proprietary. The GNU GPL is not the only free software license in existence. Figure 1.2 shows the GNU page dedicated to understanding additional licenses. If you wish, you can read about additional licenses that are similar to the GPL at www.gnu.org/philosophy/license-list.html. For more information about the open source movement, one of the more revealing books is Eric Raymond’s The Cathedral and the Bazaar (O’Reilly & Associates, 2001). Although somewhat overly enthusiastic, it is a very helpful book in understanding the mindset of many open source code writers.

Figure 1.2 Viewing GNU’s Licenses Comment Section

Fee-Based GPL Software

Contrary to what you might think, open source code protected by the GPL is not necessarily free. Under the terms of the GPL, any person or corporation can take GPL software, modify it, and then package it for sale. However, this person or corporation must make this software freely available for anyone to read or modify.

Can I Use GPL Software in My Company?

The GNU GPL does not ask companies to supply licensing agreements or otherwise register the programs. However, other licenses, which you can read at GNU’s comparative forum, may invoke restrictions that you may have to consider as you implement the software. The software covered in this book is, in one way or another, open software, which means it can be used by any organization.


Soft Skills: Coping with Open Source Quirks

You should consider, however, that open source software can present challenges. Consider them before you delve into the open source world. It is likely that using open source software will require you to use your “soft skills,” such as how to overcome objections and manage constant change. The more important challenges to your soft skills are discussed in the following sections.

General Lack of Installation and Configuration Support

Although many of the applications you will use are written by clever, knowledgeable coders, most of these people create this code on their own time. Thus, no formal support structure exists for the software you use. As a result, you will be forced to rely on knowledgeable individuals to implement and maintain your open source applications.

Infrequent or Irregular Update Schedules

Many closed-source companies update their software at regular periods. Usually, a for-profit company’s desire to keep sales high by requiring constant for-fee upgrades is tempered by its need to maintain the product’s reputation for stability, ease of use, and longevity. Thus, upgrades will happen at regular intervals. However, the open source community is not held in check by this desire. Generally, software is frequently upgraded. You may, therefore, find that you will have to spend considerable time upgrading the open source products you use. It is also quite unlikely that you will be notified of any problems that have been discovered in the specific version of your application. For example, many for-profit companies spend time publicizing problems and even contacting licensed users to notify them of a security problem. If you use an open source security application, the burden is placed on you: it is assumed that you will take the time to keep current about any developments concerning the application you are using.

Command-Line Dominance

Many open source applications use command-line interfaces. In the past several years, the trend has been to create a graphical user interface (GUI) for command-line applications. Generally, however, these GUI interfaces are not as portable between operating systems. In some cases, the GUI interface, unless superbly written, does not provide the same functionality (that is, you can’t do the same thing with the GUI that you can at the command line).

Lack of Backward Compatibility and No Regular Distribution Body

When you upgrade an operating system, it is possible that the applications you have been using no longer work, or behave differently. Although the open source community is remarkably well coordinated, you should consider this possibility. Furthermore, it is possible that the software you use may become unavailable, or may become fee based. While discovering that a Web site URL has changed is inconvenient, discovering that an upgrade for your favorite application will now cost you money can raise serious issues about your continued use of the product.

Inconvenient Upgrade Paths

Many open source applications change their coding rather radically. As a result, a previous version may not be upgradeable, and you may have to reinstall it. Even then, it is possible that a simple reinstallation is not possible. Some open source applications provide their own versions of a Windows-style configuration wizard, but when you upgrade, you may have to install the new files manually.

Conflicts in Supporting Libraries and Limited Platform Support

Even though you find a piece of software that you really find interesting, it is possible that you will have to take rather intricate steps to make your operating system ready for the application. Most of these steps involve updating system libraries, which are sets of routines and helper applications. Examples of libraries include the Tool Command Language/Tool Kit (tcl/tk) and the Gnome libraries (gnome-lib). Often, steps for upgrading these libraries are poorly documented and rather difficult to follow. Additionally, operating systems such as Linux are loosely integrated, which means that no central “brain,” such as a Windows 2000 registry, exists to coordinate library usage. So, even though you may be able to enable your system to accept your cool new application, you may end up causing incompatibilities that cause other applications to fail.

Another problem with software that isn’t quite “ready for prime time” is that it may be developed for only one Linux flavor, or even only one version of a specific Linux flavor. If you upgrade your system (or one of the libraries), it is possible that the application will stop working.

Interface Changes

Coders and end users rarely want radical changes in a GUI interface to occur. Changing an interface requires more coding work on the part of coders, and it could result in an application losing popularity. However, due to changes in the open source libraries and in coding practices, you may find that commands and interfaces are radically changed from one version to the next.

Partially Developed Solutions

Sometimes, the code you want to use promises to do things it just can’t deliver. Some expected or advertised features may be missing, or may not be implemented yet. Sometimes, this happens because the open source application’s development team has the best of intentions and is working to complete the project. Other times, the development team runs out of gas, and you end up wishing that the application had delivered on its potential. In such cases, your options are rather limited, unless you have the means at your disposal to deploy your own development team and take up the project where your predecessors left off.

Developing & Deploying… Open Source as Malware?

Thus far, you have learned about technical issues concerning open source software. However, there are business and security issues as well. If you are a manager, make sure you carefully consider the use of open source software. There may be times when open source software is not appropriate for a certain task. Consider the following questions:

■ Aren’t these hacker programs?
■ Do I have time to train my employees on this software?
■ Is the software stable enough to use?
■ Have I had the code reviewed to ensure it is safe?
■ How will I explain the use of open source software to my management?
■ How will I explain the use of open source software to customers and business partners?

The first question is significant. Many open source security applications have been written as proof of concept exploits. A proof of concept exploit is basically an application meant to prove that a theoretical or much-discussed weakness in an operating system really does exist. Other applications are provided to allow hackers to gain information about a network or network host. However, just because an application was created for malicious intent does not necessarily mean that it has to be used maliciously. In fact, many open source applications have been created with the best of intentions, only to have them used to cause problems. Therefore, as a manager, you should ensure that all parties involved in maintaining your network understand that simple use of a particular application does not necessarily mean that the user has become a hacker. As you choose the software, make sure that you actually take some time to educate your IT employees so that they use it properly. Have them consider how using the application can affect the network. If used at certain times, using a network probing application may cause too much network traffic and thus impact end-user communication. In addition, when you choose this application, consider that it may still be in beta development, and that certain features are bound to change. Because it is difficult to verify that this code is in fact safe, take the time to review it. If you cannot do it yourself, contact a reliable source to verify that the code does not contain an element, such as a Trojan horse, that can erode your network’s security. Finally, it is possible that you may have to explain why your company uses open source applications. Increasingly, business partners and insurance companies are interested in knowing exactly how you audit your systems. In some situations, you may find yourself having to explain why using open source applications is appropriate. In other cases, you may find that using open source software is wholly inappropriate.

Should I Use an RPM or Tarballs?

In regard to Linux, open source software generally comes in three flavors: source tarball, Red Hat Package Manager (RPM), and Debian. A source tarball is a group of files and directories that usually must be compiled. Generally, tarballs come with a special file called a makefile, which contains instructions that tell the source code where the supporting libraries are for the application you are installing. Many will argue passionately that one is better than the other (or, that one operating system—such as the Debian operating system—is better than all the rest). The best approach to take is to use the right tool for the right job. In some cases, tarballs will work best. In other cases, using RPMs is the best way, as long as the RPM was created by a person who really understands the operating system, and that you have chosen the correct RPM for your operating system version.

Tarball

When using source tarballs, the most portable and extensible format, the code usually comes in packages that are first run through the tar application, which creates archives of files and directories that can then be easily transported from one system to another. Sometimes, the tarball contents are precompiled binaries, which means that all you have to do is decompress and install the application. Other times, the code comes as C or (less often) C++ “source code,” which must then be compiled using, for example, the makefiles and the Gnu CC (gcc) or Gnu C++ (g++) compilers. These tarball packages are then compressed by using any number of applications. The most common (de)compression programs are GNU Zip (gzip, gunzip, gzcat) programs, which create compressed tarball archives with a tar.gz, .tgz, or tar.Z ending. The gzip command creates the tar.gz ending. The .tgz extension is also created in gzip by those who know that their files may be downloaded by Microsoft-oriented browsers, which often have difficulty downloading files with the tar.gz ending. The .Z extension is created by the Unix command called compress. Slackware systems often use the .tgz tarball ending. The bzip program has also become popular. Compressed bzip files have a .bz ending. Generally, you install a gzipped tarball by using the tar -zxvf command. The source code that comes in source code tarballs can be edited to conform to your own system. Perhaps more importantly, source tarballs allow you to specify compile options that can greatly extend the usefulness of the application or daemon you wish to install. You will be given explicit instructions whenever this is necessary. Also note that tarballs can contain pre-compiled binary applications and supporting files rather than source code.

Tarballs often require editing of a special file called a makefile. However, this is not necessarily all that difficult. It simply requires that you know where your supporting applications and libraries are. In addition, most open source software will contain instructions concerning how to edit the makefile. Most well-known operating systems, such as Red Hat Linux and Slackware, do not require makefile modification.
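The tar -zxvf command mentioned above writes each member of the archive wherever its stored name points, so an archive from an untrusted site deserves a look before it is unpacked. The following is an added example, not code from the book, written in Python with the standard tarfile module instead of the tar command: it lists every member name and link target and refuses to unpack the archive if any of them would land outside the destination directory. The two archives it builds, their member names, and their contents are constructed here for the demonstration.

```python
"""Inspect a gzipped tarball before unpacking it (added example, not the book's code)."""
import io
import os
import tarfile
import tempfile


def unsafe_members(tar_path):
    """Return the names of members that would be written outside the extraction directory.

    Flagged: absolute names, names with a '..' component, and symlinks or
    hardlinks whose target resolves to an absolute path or above the archive root.
    """
    bad = []
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                bad.append(member.name)
            elif member.issym() or member.islnk():
                # Resolve the link target relative to the member's own directory.
                target = os.path.normpath(
                    os.path.join(os.path.dirname(member.name), member.linkname))
                if target.startswith("/") or target == ".." or target.startswith("../"):
                    bad.append(member.name)
    return bad


def safe_extract(tar_path, dest):
    """Unpack tar_path into dest only if every member stays inside dest.

    Returns the list of member names written; raises ValueError otherwise.
    """
    bad = unsafe_members(tar_path)
    if bad:
        raise ValueError("refusing to unpack, unsafe members: " + ", ".join(bad))
    with tarfile.open(tar_path, "r:*") as tar:
        # Newer Python versions ship a built-in 'data' extraction filter; use it when present.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_tarball(path, members):
    """Write a gzipped tarball from (name, data) pairs; the names are stored verbatim."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Build one clean and one bad archive (constructed samples) and run the check on both."""
    with tempfile.TemporaryDirectory() as work:
        clean = os.path.join(work, "app-1.0.tar.gz")
        bad = os.path.join(work, "app-1.0-suspect.tar.gz")
        build_tarball(clean, [("app-1.0/README", b"sample readme\n"),
                              ("app-1.0/bin/app", b"#!/bin/sh\necho app\n")])
        build_tarball(bad, [("app-1.0/README", b"sample readme\n"),
                            ("../../outside.txt", b"this would land two levels up\n")])
        dest = os.path.join(work, "unpacked")
        results = {
            "clean_unsafe": unsafe_members(clean),
            "bad_unsafe": unsafe_members(bad),
            "extracted": safe_extract(clean, dest),
        }
        try:
            safe_extract(bad, dest)
            results["refused"] = False
        except ValueError:
            results["refused"] = True
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same check can be done by eye with tar -tzvf, which lists the archive without extracting it; the point of doing it in code is that the decision to unpack is made by the list, not by whoever is in a hurry.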

Red Hat Package Manager

Originally developed by Red Hat, Red Hat Package Manager (RPM) files have become more universal. TurboLinux, Mandrake, and Kondara, for example, all support this format. RPMs come in either precompiled binary format, or as source RPMs. Make sure that you obtain the correct RPM for your distribution and hardware. You can then install an RPM (barring library and resource conflicts) by using the rpm -ivh command. These packages usually contain precompiled binary files, but it is possible to install source RPMs (.srpm) that will deposit source code that you must then compile using make and the appropriate gcc and g++ compilers. RPMs are installed using the RPM utility. To install an RPM, you could enter the following command:

host# rpm -ivh packagename.versionnumber.i386.rpm

This command uses the -i option, which simply means install. The -vh options have the RPM utility go into verbose mode and report the installation progress using hash marks. You can learn more about the RPM facility by consulting the rpm man page. As you will see in later sections, tarball, RPM, and Debian packages can pose threats to your system—after all, they are designed to automatically place code onto your system. Many times, this code is precompiled and “ready to go.” It is possible for malicious users to place code into these packages. You must be extremely careful whenever installing any of these packages. Later in this chapter, you will see how you can at least partially protect yourself by using digital signatures.

Debian

Debian (.deb) Linux uses .deb packages in a similar way that Red Hat, for example, uses RPMs. Debian packages are installed by using the dpkg -i command. As with tarballs and RPM files, these packages can also contain source files, rather than precompiled binaries.


Obtaining Open Source Software

Now that you have considered some of the more pressing open source issues, it’s time to learn where to get open source security software. As you might suspect, there is no single source. Some of the best Web sites for open source security software include the following (many other sources exist):

■ SourceForge www.sourceforge.com
■ Freshmeat www.freshmeat.net
■ Packetstorm http://packetstorm.securify.com
■ RPMFind www.rpmfind.net
■ LinuxLinks www.linuxlinks.com
■ Tucows www.tucows.com
■ Startplaza www.startplaza.nu
■ SecurityFocus www.securityfocus.com
■ AtStake www.atstake.com

SourceForge

SourceForge, shown in Figure 1.3, is an especially rich source for security content. From here, you can download applications such as EtherApe, Ethereal, and many others. One of the primary benefits of obtaining software from SourceForge is that you can learn about the development history, learn about the developers of an application, and even send the developers e-mail (good luck getting answers!). You can also learn about what language the program was developed in, and what operating systems the application was specifically developed for. In many ways, this site does much of the research for you. Finally, SourceForge provides a login feature that allows you to:

■ Participate in open discussions concerning software.
■ Register an open source project.
■ Learn about top projects.
■ Obtain information about various topics, including the latest Linux kernel development updates.


Figure 1.3 The SourceForge Web Site

Freshmeat

The Freshmeat Web site, shown in Figure 1.4, derives its name from its primary function, which is to provide the latest and greatest software from the open source community. Like SourceForge, this site is not completely devoted to security. Nevertheless, you should spend time at this site to learn about the latest applications, most of which are created for Linux. By just typing security in the search field, you can learn about the latest applications meant to increase security, as well as those meant to defeat existing security measures. This site also provides a login feature. One of the benefits of logging in is the ability to catch up on the latest projects that have been registered on the site. In less than a week, several hundred new projects can be registered, many of them having to do with security. Another benefit is the ability to search for articles written about the applications in which you are interested. The search feature includes filtering mechanisms designed to help you drill down to the most relevant information.


Figure 1.4 The Freshmeat Web Site

Figure 1.5 The Packetstorm Web Site

Packetstorm

Packetstorm is specifically devoted to security, and has an extensive collection of files. At this site, shown in Figure 1.5, you can download both “white hat” and “black hat” applications; in other words, you can download applications that help detect and/or stop intrusions, or you can download applications specifically designed to break into systems. The developers of the site spend a great deal of time surfing the top Internet sites (including SourceForge and Freshmeat) for the “latest and greatest” files. One of the many convenient features of this site is its listing of the most recent tools, exploits, and warnings the site has obtained. Another is its Forums feature, which allows you to converse with others interested in security. The site also lists the most current advisories, so you can see if anyone has discovered a problem in any of the open source applications you are using.

SecurityFocus

The SecurityFocus site is a well-organized repository of security files. Its home page is shown in Figure 1.6. As well organized as it is, its collection of files, found in the Tools section, is not as extensive. Still, the site provides informative news about the latest security developments, and does a good job archiving the latest security files.

Figure 1.6 The SecurityFocus Web Site


Is That Download Safe?

Another problem with open source code is that you spend a great deal of time downloading files from untrusted sites. As a security professional, you have to consider the possibility that some of these files may have been tampered with. Many in the open source community have encountered files that contain Trojan horses, which are stealthy programs meant to thwart security. Trojan code hides legitimate code. Sometimes, the Trojan can wait to activate, or it can activate itself when you install what appears to be a perfectly legitimate program. Examples of Trojan horses include:

■ Illicit servers Hidden servers that open ports that allow a malicious user (usually) root access to the server.
■ Root kits Programs, such as ps, ls, or su, which will still work, but also thwart security by, for example, key logging the administrator’s password and then sending it to an anonymous FTP. The malicious user can then download the password and log in to the system.

So, how can you determine if this download is secure? One of the best ways is to obtain a digital signature for the software package. A digital signature is a small piece of code generated by an encryption algorithm. A signature allows you to determine two things. First, you can learn if the file has been tampered with in any way. Second, you can use the key to verify that the software was in fact authored by the person who claims authorship. Before you learn more about checking signatures, it is important that you first understand the basic encryption principles involved.

A Brief Encryption Review

One of the most important things you can understand in terms of open source security is how encryption operates on networks. Feel free to skip this section if you already understand these terms. If you don’t, then read on. They will be implied throughout this book. Why is encryption important? At one time, Microsoft’s old LANmanager product (a precursor to Windows NT and 2000) did not encrypt its passwords as it communicated with other hosts. As a result, this particular operating system fell out of favor, forcing Microsoft to improve its product. One of those improvements was the use of encrypted transmissions. Encryption is not a foolproof solution. It is possible to misconfigure your encryption tools, and even properly encrypted transmissions are not completely safe. Nevertheless, encryption does tend to raise the bar enough to make most hackers search for other systems to attack. Before we continue, it is important to understand the three types of encryption in general use:

■ Symmetric The use of one key to encrypt and decrypt information. This is a common type of encryption, but can be easily defeated if you misplace the key, or if a malicious user intercepts the key in transit. If a malicious user is able to intercept the key, he or she can then use it to decrypt your secret messages.
■ Asymmetric This type of encryption uses a mathematically related key pair to encrypt and decrypt information. It is commonly used on the Internet and on LANs, because it reduces the likelihood that the key can be learned by a malicious user, and aids in authentication.
■ One way The use of an algorithm to encrypt information so that it is, mathematically speaking, impossible to unencrypt it. One-way encryption is also used to read a file and then create a hash of that file. The resulting hash value is said to be mathematically unrecoverable.

You should understand that in regard to networking, the “information” discussed in this section can include a file, or a series of network packets emanating from a network host. Many encryption applications, such as GNU Privacy Guard (GPG) and Pretty Good Privacy (PGP) employ all three of these types of encryption, as you will see later.

Symmetric Key Encryption

Your car key is a crude, although helpful, example of symmetric encryption. Consider that most people use the same physical key to lock, unlock, and start their cars. If you lose your key, anyone who finds it can locate your car, insert your key in the door and the ignition, and then drive it away. Suppose, now, that you tried to pass this key to another person in a crowded room, and someone you do not trust was to intercept it. You would probably then have a problem: the only thing keeping this untrusted person out of your car is that person’s honesty and his or her knowledge of what your car looks like. If that person wanted to, he or she could find your car, open it, and drive away. The use of symmetric encryption across an untrusted network such as the Internet (or, really, your LAN or enterprise network) presents the same problem as the use of a single car key: anyone who intercepts your symmetric key with a packet sniffer can decrypt your messages. This type of attack is a sniffing attack. A sniffing attack is a type of man-in-the-middle attack, where a host that resides in the middle of a connection is able to obtain and then manipulate data. You will learn more about this type of attack in Chapter 7. The obvious response to this analogy and the threat of sniffing attacks would be, “Well, I guess I just won’t send my passwords across the Internet or my network.” However, it has traditionally been very difficult to get your job done without sending passwords across the Internet. The ability to communicate securely is the backbone of e-commerce and network communication. So, how will you get that password to a person? Even if you use a telephone (a very slow, awkward option), you are not guaranteed safety. After all, your friend who receives this password could write it down on a sticky note, exposing it to anyone passing by. Besides, what if you needed to get a password not to a person, but to a network host? Another problem with the use of symmetric encryption is that if someone sniffs your symmetrically encrypted message, it is possible for this person to use a password-cracking program to guess the password (the key) you used to encrypt the message. This type of application effectively reverse-engineers the password creation process by taking multiple guesses to try and find the answer. Such applications include L0phtCrack (www.atstake.com/research/redirect.html) and John the Ripper (available at various sites, including http://packetstorm.securify.com). Using such applications, a suitably powerful computer, and enough time, a person can guess the right password. This type of attack is called a brute-force attack.

Asymmetric Key Encryption

One of the answers to sniffing and brute-force attacks is the use of a pair of keys. Asymmetric encryption allows you to do two things:

■ Encrypt transmissions
■ Authenticate users and hosts

For example, suppose that the car key you had in the earlier example concerning symmetric encryption was only part of the key necessary to unlock and start the car. Suppose further that this physical key, which you can now publicly distribute, was related to another key locked in your car, and that this locked key then had a way to ask any holder of your public key to further authenticate himself before he gained access to use your car. This is basically how asymmetric key encryption works. The public key can be distributed to anyone. It can be placed on public key servers all over the Internet or to anyone you know (or don’t know, for that matter). However, the private key must be kept, as you might have already guessed, private. The easiest way to understand public key encryption is to understand the relationship between each key pair. Each pair is generated at the same time. The algorithm that creates the key pair ensures that this pair is so related that one half of this pair can decrypt the other half.

Public Key and Trust Relationships Let’s say that you have generated a key pair.The private key is (hopefully) stored safely on your hard drive, and you are ready to distribute your public key.Your friend has done the same: she has created her private key and is ready to give you her public key. Before both of you can use asymmetric key encryption, you must give each other your public keys. Giving your public key to another person (or host) is often called establishing a trust relationship. Once you have given each other your public keys, you both can then engage in asymmetric key encryption. How? You compose a message, and then you encrypt this message to your friend’s public key. Once this message is encrypted, no one but your friend can read this message. Even though you created the message, you cannot read it either, because you encrypted it to your friend’s public key. So, all you have to do now is find a way to get this message to your friend. Once you use e-mail or FTP to do this, your friend receives a bunch of garbled text that means nothing.This is the encrypted message.Your friend can then take this message and then decrypt it using her private key. Once this message is decrypted, your friend can read it.With any luck, your friend won’t still think that she received a bunch of garbled text that means nothing. Figure 1.7 illustrates this process. In Figure 1.7, User A on System A encrypts his message to User B’s public key. In order to encrypt the message to User B’s public key, User A must first enter a password to use his public key to sign the message.The encrypted and signed message is then sent across the Internet, where User B uses her private key to decrypt the message. How has this process solved the symmetric encryption problem? First, the only way that your message can be unencrypted is by using your friend’s private key. www.syngress.com

19

138_linux_01

20

6/20/01

9:25 AM

Page 20

Chapter 1 • Introduction to Open Source Security

Figure 1.7 Using Public Keys to Encrypt Transmissions (figure: System A holding User A’s private key and User B’s public key; the Internet; System B holding User A’s public key and User B’s private key)

As long as this key remains private, then chances are, so will your letter. Second, notice that you and your friend did not have to distribute the whole password in some way. You only distributed half of the password (the public key). And, usually, it is extremely difficult to guess the private key from the public key. It is, of course, mathematically possible to use the public key to guess the private key, but it would take many million-dollar-plus supercomputers several months to do this. Only state-run organizations such as Scotland Yard and the CIA are likely to devote such resources to your little old message. As far as authentication is concerned, asymmetric encryption accomplishes this by verifying the owner of the public key. You will learn more about this as you learn about IPSec and VPNs later in this book.

One-Way Encryption

You may ask yourself why anyone would want to irretrievably encrypt a piece of information. After all, doing this makes the information, well, irretrievable—it can’t be used anymore. One-way encryption is not useful for encrypting and unencrypting files. It is, however, useful for obtaining a file’s signature. A signature is obtained by running a one-way encryption algorithm on the file. The resulting value, called a hash, is closely related to the contents of the file. This value is so related that if even the slightest change is made to the file’s contents, the hash value will not match. Many applications use one-way encryption to ensure that information is not altered as it passes over the network.

GNU Privacy Guard

GNU Privacy Guard (GPG) is one of the primary open source tools in use today. You can download it from www.gnupg.org. You can download binaries and source code for all Unix versions. For Linux, g-zipped archives and RPM files are both available. Most distributions (TurboLinux, Red Hat, Caldera, Slackware, etc.) include GPG in their source files. Using GPG, you will be able to encrypt files and e-mail messages. You will also be able to import and export public keys in order to verify PGP- and GPG-generated keys from the tarballs and RPM files you download.

Deploying GNU Privacy Guard

Although many GUI interfaces are in the planning stage for GPG, the following steps focus on using GPG with the command line. The steps assume that you already have GPG installed on your system. Verify this by using the whereis command:

whereis gpg
gpg: /usr/bin/gpg

If you do not have GPG installed, you can download GPG from www.rpmfind.net, from www.gnupg.org/download.html, or from the CD that accompanies this book (gnupg-1.0.4-11.i386.rpm or the equivalent gnupg-1.0.5.tar.gz). Now that you know the program is installed, your first step is to secure how it allocates memory to nonroot users. GPG requires that most Linux systems run it as SUID root. Any application allocates pages of memory from the system, and GPG wants this memory to be secure. Otherwise, an illicit user could capture this memory and then gain access to the information you are going to encrypt. In order to secure these memory pages, GPG locks this memory before using it. It needs to run as root to lock the memory. As soon as this is done, GPG then runs under the permissions of the owner.


NOTE Running an application as SUID root means that the application is run as root, even though the owner who starts it is a nonroot user.

By default, however, GPG is not installed as SUID root. To make it setuid root, do the following:

1. Find the application (in Red Hat Linux, GPG is at /usr/bin/gpg).
2. If you are not already root, become root with the command su.
3. Issue the command chmod u+s /usr/bin/gpg.

If you cannot do this on your own system for some reason, or do not wish to, you can enter the following line into the ~/.gnupg/options file of any nonroot user:

/usr/bin/gpg --gen-key

This command will create the necessary directories and files for GPG to work. Once you create these directories, generate a key pair for the user you are logged in as. You do this by issuing the gpg --gen-key command again. GPG will then ask you to select a key type. You will have the option of choosing Digital Signature Algorithm (DSA) and ElGamal (the default), DSA, or ElGamal (sign and encrypt). Each of these options defines different types of signature and encryption algorithms. The first uses both the standard ElGamal key distribution method and the DSA, which is used to sign and encrypt data. DSA is a nonproprietary algorithm, unlike the RSA algorithm, which was previously used. If you only wish to sign and encrypt documents, you can just use DSA. Most people use the first option, which is to both sign and encrypt information. Traditionally, the first choice (the default) is the best. You are then given the choice of the keysize. The default keysize of 1024 bits is actually quite sufficient for most purposes. Selecting anything higher can significantly slow your application. So, select 1, and then press ENTER. Enter 1y to make your key expire one year from now, and then press ENTER. Press y to confirm this choice. Enter your name in the Real name: field.


WARNING You should write down the e-mail address that you use. You will use this address to refer to your public and private key often, when using GPG or PGP.

Next, enter your e-mail address. In the Comment: field, enter GPG signature, or any text you wish, and then press ENTER. You will then be asked to confirm your settings. If you are happy with what you entered, press O (that’s the letter O, not the digit 0), and then press ENTER. Enter a passphrase for your private key. This passphrase should be sufficiently long (at least six words), but should also be something you will remember. Press ENTER, confirm the passphrase, and press ENTER again. After doing this, GPG will generate a new key. Move your mouse and/or enter text into the keyboard so that the machine has enough entropy to generate a good private key. Once GPG is finished, you will receive a message that your key is created and signed. Now, verify that GPG correctly created and signed keys for your account with the following commands:

gpg --list-secret-key
gpg --list-public-key
gpg --list-sig

These commands list your secret key, your public key, and your signature, respectively. Once you do this, you should create a revocation certificate in case you need to publish the fact that your private key is no longer valid. You do this by following the sequence outlined here:

gpg --output revoke.asc --gen-revoke [email protected]

sec  1024D/3B386145 2000-07-01   jamesroot (root) <[email protected]>

Create a revocation certificate for this key? y
Please select the reason for the revocation:
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  0 = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> For my keats system root account
>
Reason for revocation: Key has been compromised
For my keats system root account
Is this okay? y

You need a passphrase to unlock the secret key for
user: "jamesroot (root) <[email protected]>"
1024-bit DSA key, ID 3B386145, created 2000-07-01

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system
of your machine might store the data and make it available to others!

After verifying that you have keys and a revocation certificate, you are now able to import and export keys. To export your key, use the following command:

gpg --export --armor > yourname.asc

This command will create a file that contains your public key. You can then distribute this key to anyone and establish a trust relationship. With this capability, you now can use the RPM command to check the signatures and public keys generated by others. For example, suppose you wish to update your version of Red Hat Linux due to a security alert. To help you verify that this package has not been tampered with, and that it has truly originated from Red Hat, you can obtain Red Hat’s signature. Go to www.redhat.com and obtain the public key for the site and the RPM-based download you want. Figure 1.8 shows Red Hat’s public key. As of this writing, the key is located at www.redhat.com/about/contact/redhat2.asc. Now that you have created your own key ring, which is where you will store the public keys of the people with whom you wish to communicate, you can now import the Red Hat public key into GPG using the following GPG command:

gpg --import redhat2.asc


Figure 1.8 The Red Hat Linux Public Key

It is possible that the public key you wish to import has a different extension. Now, sign this key. Failure to sign this key will cause it to return error messages when you try to use it. Make sure that you have made absolutely no changes to this key file. Once this key is imported, you need to sign it. Remember, you just downloaded it from a trusted source, and are reasonably sure that you can trust this key. You can sign it using the gpg --sign command, or you can use GPG’s interactive mode, shown in the following sequence:

gpg --edit-key [email protected]
gpg (GnuPG) 1.0.2; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

pub  1024D/DB42A60E  created: 1999-09-23 expires: never      trust: -/f
sub  2048g/961630A2  created: 1999-09-23 expires: never
(1)  Red Hat, Inc <[email protected]>

Command> sign
Are you really sure that you want to sign this key
with your key: "yourkey (key) "

Really sign? y

You need a passphrase to unlock the secret key for
user: "jamesroot (root) <[email protected]>"
1024-bit DSA key, ID 3B386145, created 2000-07-01

Command> q
Save changes y

Now, you can issue the following command to check an RPM file:

rpm -Kv your_rpm.i386.rpm

You will receive a message that both the MD5 signature and the PGP signature are acceptable:

rpm -Kv your_rpm.i386.rpm
your_rpm.i386.rpm: MD5 sum OK: fc28444c7c7dee7d59671ac5e27b2ad0
gpg: Signature made Wed 30 Aug 2000 03:16:54 PM PDT using DSA key ID DB42A60E
gpg: Good signature from "Red Hat, Inc <[email protected]>"

NOTE Two major ways exist to create and verify signatures. The open source alternative is GPG. The older, but now proprietary, method is through the use of Pretty Good Privacy (PGP). The latest versions of GPG are compatible with PGP versions 5.0 and later. However, if a signature was made using PGP 2.6 or earlier, GPG will not be able to read it. PGP version 2.6 and earlier used the IDEA algorithm, which is patented.

If you do not find a message similar to this, but instead find a message that reads public key not found, then you know that this public key is not valid for this RPM. You will either have to find the right public key, or find another RPM. You can, of course, use GPG to verify any public key you wish. You have now configured and used GPG to help ensure that the file you are installing is safe.


NOTE If, while working with GPG, you receive a message that reads gpg: waiting for lock, then a previous instance of GPG had a problem while working with either the public or the private key. As a result, the public and/or private key ring in the hidden ~/.gnupg directory is locked. Go to the ~/.gnupg directory and remove any file that ends in a .lock extension.

Installing PGP

Although GPG has become a standard, you can also use the PGP program, which behaves rather differently. You can download PGP from the Massachusetts Institute of Technology Web site at http://web.mit.edu/network/pgp-form.html. You will then have to repeat many of the earlier steps to create a public and private key, and then import the site’s key. Because PGP (and GPG, for that matter) enables powerful encryption, MIT will ask you questions concerning your intentions for PGP. Answer these according to your intentions. If you enter the right answers, you will be able to download PGP. Choose the correct file for your distribution.

1. MIT uses gzip to compress the RPM files. If you are using Red Hat Linux, the RPM package works best. Use tar to unzip and un-tar the RPM package: tar -zxvf pgprpmfile.tar.gz.
2. This process will deposit an RPM file. Run RPM to install it: rpm -ivh pgprpmfile.
3. Once you have installed PGP, issue the following command to create a key pair: pgp -kg.
4. Choose the DSS/DH option, which is the default.
5. Choose 1 to generate a new signing key.
6. You will be asked to choose the size of your key. Enter 1024, and then press ENTER.
7. Enter a user ID for your public key. Enter your name and e-mail address. This will become your PGP username. This is important, as you will see later when it comes time to edit the RPM configuration file.
8. Enter 0 to keep the key forever. Don’t worry, you can revoke it and generate a new key pair later.
9. Enter a passphrase. Make sure this is a solid passphrase (over eight characters, containing at least one capital letter and one nonstandard character), but also one that you can remember. Confirm your password by entering it again.
10. You will be asked if you need an encryption key. Press y, and then press ENTER.
11. The choice of key size is up to you. Just remember that the larger the key size, the slower information will be processed. Most people choose either 1024 or 2048.
12. Enter 0 as the “validity period.” As before, this value means that the key is valid forever.
13. PGP will ask you to press random keys on the keyboard so that it can generate enough entropy.
14. When PGP is finished, it will ask you if you want to make this key the default signing key. Press y to indicate yes.
15. Now, you need to enter the public key of the GNU GPG RPM. You do this with the following command: pgp --ka gnugpg.publickey.
16. You will see a list of keys. Indicate that you wish to add these keys to your key ring by pressing y.
17. You will see that several new keys and signatures have been added.
18. Now, you must edit the macros file for your version of RPM. In Red Hat 7.0, this file is in /usr/lib/rpm/macros. Find the following values and change the values according to your own information:

    %_pgp_name   your PGP user name
    %_pgp_path   The path to your public key. For example, /root/.pgp/

    Instead of taking this second step, you can set the PGPPATH variable in your bash_profile file.
19. You can now use RPM to verify your RPM:

    rpm -Kv your_rpm.i386.rpm
    your_rpm.i386.rpm: MD5 sum OK: fc28444c7c7dee7d59671ac5e27b2ad0
    gpg: Signature made Wed 30 Aug 2000 03:16:54 PM PDT using DSA key ID DB42A60E
    gpg: Good signature from "Red Hat, Inc <[email protected]>"

If you want to learn more about PGP, read the man pages, or issue the following commands:

pgp -h
pgp -k

This book focuses on using GPG.

NOTE Thus far, you have learned how to use GPG with the RPM package. Of course, GPG has many other uses. Once you have engaged in a trust relationship with the recipient, you can encrypt files to this person. The following command can encrypt a file named managerreport.txt: gpg --encrypt -r public_keyname_of_recipient managerreport.txt. You will have to enter the password of your private key. Hopefully, you can remember it; otherwise, you will have to generate a new private/public key pair. After you enter your passphrase, GPG will create a file named managerreport.txt.gpg. You can then send this file to the intended recipient, who can then decrypt it with the following command: gpg --decrypt managerreport.txt.gpg > managerreport.txt. The recipient will, of course, have to enter his or her passphrase to decrypt the message and read it. To create a signature file, you can create an empty file named yourname, and then enter the following command: host# gpg --clearsign yourname. You will then be asked to enter your password. After this sequence is completed, you will see a new file named yourname.asc, which has your signature in it.

Skipping Public Key Verification

If you want to check a signature to ensure that the contents haven’t been changed, and don’t really wish to verify the original author’s public key, enter the following command:

rpm -K --nopgp rpmfile.i386.rpm
rpmfile.i386.rpm: md5 gpg OK


Using GPG to Verify Signatures on Tarball Packages

Follow these steps to verify the signature of a gzipped tarball:

1. Add the public key of the person or organization that created the package.
2. Sign the public key using GPG. You can either use GPG’s --sign command, or you can enter GPG’s interactive mode.
3. Once you have added and signed the public key of the person who owns the package, enter the following command: gpg --verify signaturefile.tar.gz tarballpackage.gz. You will then receive a message either that the signature is good, or that the public key cannot be found. If the public key cannot be found, you must obtain another public key, or you will not be able to verify who owns the package.

Using Md5sum

Sometimes, a developer will use the md5sum command to generate a hash of the file. You can use this hash and the md5sum command to ensure that the file has not been altered. The easiest way to do this is to read the hash that the developer generated, download the binary in question, and then run md5sum against it. For example, suppose that you learn that the wu-ftpd daemon (the daemon responsible for providing FTP on many sites) has a security problem. You wish to install the latest secure version. After downloading it, you run md5sum against the file:

md5sum wu-ftpd-2.8.1-6.i386.rpm
t412cfhh5bf1376cia9da6c5dd86a463  wu-ftpd-2.6.1-6.i386.rpm

However, you notice that the developer’s md5sum value for the same program reads as follows:

y415cfgz5bf1356cib8da6c5dd8da0k5

You should then delete the file and find another source where you can verify the md5sum hash.
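The md5sum check just described, together with the property from the "One-Way Encryption" section that the slightest change to a file changes its hash, as an added example that is not code from the book: the package file and its "published" digests are constructed inline so the script runs offline, and sha256sum is shown beside md5sum because MD5 collisions can now be crafted.

```shell
#!/bin/sh
# Added example, not code from the book: check a downloaded file against the
# digest its developer published, as in the md5sum walkthrough above, and show
# the property the one-way encryption section describes: one extra byte in the
# input changes almost every hex digit of the digest. The package file and its
# "published" digests are constructed inline so the script runs offline; in real
# use the digest is read from the developer's site, and sha256sum is preferred
# where the developer publishes it, because MD5 collisions can now be crafted.
set -eu

# digest_of TOOL FILE : print only the hex digest (the tools print "digest  name").
digest_of() {
    "$1" "$2" | awk '{ print $1 }'
}

# verify_digest TOOL FILE EXPECTED : 0 when the digests match, 1 otherwise.
# Compared case-insensitively, since published digests come in either case.
verify_digest() {
    _actual=$(digest_of "$1" "$2" | tr 'A-F' 'a-f')
    _expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ "$_actual" = "$_expected" ]; then return 0; else return 1; fi
}

# differing_hex A B : number of positions at which two equal-length digests differ.
differing_hex() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = 0
        for (i = 1; i <= length(a); i++) if (substr(a, i, 1) != substr(b, i, 1)) n++
        print n
    }'
}

# run_demo : prints "match mismatch N", where N is the number of MD5 hex digits
# that changed after the file was altered.
run_demo() {
    _work=$(mktemp -d)
    _pkg="$_work/wu-ftpd-constructed.rpm"
    printf 'constructed package contents standing in for an RPM\n' > "$_pkg"
    # "Published" digests: in real use these are read from the developer's site.
    _pub_md5=$(digest_of md5sum "$_pkg")
    _pub_sha=$(digest_of sha256sum "$_pkg")

    # The untouched download matches what the developer published.
    _r1=mismatch; verify_digest md5sum "$_pkg" "$_pub_md5" && _r1=match

    # Append one byte, as a tampered or corrupted download would differ.
    printf 'X' >> "$_pkg"
    _r2=match; verify_digest sha256sum "$_pkg" "$_pub_sha" || _r2=mismatch
    _changed=$(differing_hex "$_pub_md5" "$(digest_of md5sum "$_pkg")")

    rm -rf "$_work"
    printf '%s %s %s\n' "$_r1" "$_r2" "$_changed"
}

run_demo
```

A matching digest shows only that the file is the one whose digest was published; it says nothing about who published it, which is what the GPG signature check above adds.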


Auditing Procedures

As you use the software discussed in this book, you will generally be deploying it assuming three major roles, which we discuss in the next sections:

■ Locking down your network
■ Securing data across the network
■ Protecting the network perimeter

Locking Down Your Network Hosts

As you lock down your network, you will have to focus on individual hosts. As shown in Figure 1.9, you will audit the daemons that this host runs. For example, you will use scanners to determine what ports are open, and if those daemons present a danger to your system. An auditor also seeks to enhance login security, to enhance logging, and to discover what, if any, virus protection measures are present.

Figure 1.9 System Aspects to Audit (figure: the audited system with its daemons (Web, FTP, and so forth), login security, enhanced logging, and virus protection and intrusion detection)

Another part of scanning local systems is enabling ways to detect unauthorized login. As you approach your systems using the open source tools in this book, you will find that many are geared to help you enhance the security in each of these areas.


Securing Data across the Network

Figure 1.10 shows how it is possible to create an auditing station on a network. This station can monitor the transmissions from other hosts. The auditing host has the following responsibilities:

■ Obtain relevant data concerning the network without affecting the performance of the network.
■ Provide remote administration capabilities.
■ Generate logs so that information can be carefully scanned.

Figure 1.10 Auditing Network Transmissions (figure: an auditing station attached to a network of four network hosts)

Intrusion detection systems can use this structure, although structures that are more complex exist. For example, it is possible to divide the tasks of the auditing host among multiple hosts. The chief benefit of dividing tasks is redundancy—if one element of the network goes down, the network can still be monitored and protected. The structure outlined previously can be responsible for passive monitoring or active monitoring. Passive monitoring is simply the ability to listen to network traffic and log it. Active monitoring involves the ability to either:

■ Monitor traffic and then send alerts concerning the traffic that is discovered.
■ Actually intercept and forbid this traffic.

You will learn more about intrusion detection in later chapters.

Protecting the Network Perimeter

As you configure your firewall to establish a network perimeter, you will have to take the following actions:

■ Logging
■ Firewall reconfiguration
■ Troubleshooting
■ Enabling and disabling traffic emanating from inside the network
■ Enabling and disabling traffic emanating from outside the network

Figure 1.11 shows two networks communicating over the Internet. Each uses a firewall to monitor, log, and forbid traffic. As you audit, you will have to perform the following tasks:

■ Use tools to send packets that traverse the firewall. These packets will help you determine just how well your firewall limits traffic.
■ Determine which internal services require access outside of the firewall.
■ Redirect packets from a proxy server to your firewall.
■ Scan logs to determine if any break-ins have occurred.


Figure 1.11 Auditing a Firewall (figure: two Ethernet networks of hosts, each behind its own firewall, communicating across the Internet)


Summary

This introduction provided practical knowledge of the open source community, and how it can help you with your security concerns. You learned about several key open source sites, how the open source movement protects software instead of individuals and corporations, and you reviewed your knowledge of encryption. You learned how to verify the integrity of the files you download from people you don’t know. Using GPG (and, if you wish, PGP), you can verify RPM and tarball packages. This book is designed to deploy open source tools in three key areas (host security, network security, and perimeter security). We hope that this book will be of practical importance to you. It is designed to give you advice concerning troubleshooting Linux using open source tools.

Solutions Fast Track

Using the GNU General Public License

■ The GPL protects the software code, not a corporation or an individual.
■ Protecting code rather than individuals is a radical change, because it allows code to be improved upon without being made completely proprietary.
■ Open source code does not necessarily have to be free. For example, companies such as Red Hat and Caldera sell their products, which are based on the open source Linux kernel.

Soft Skills: Coping with Open Source Quirks

■ As you use open source code, remember that this code may represent a work in progress.
■ Sometimes, open source code changes radically, forcing you to retrain users. You may find that updates happen irregularly, and that it is sometimes more challenging to update open source code. Furthermore, once you upgrade the code, you may be presented with an application that behaves very differently, or has a radically different interface.
■ Before installing open source software, make sure that your operating system contains all of the necessary supporting applications and libraries.

Should I Use an RPM or Tarballs?

■ RPMs sometimes offer convenience. However, precompiled RPMs often do not have all of the features necessary to implement a truly useful product.
■ Tarballs often require editing of a special file called a makefile. However, this is not necessarily all that difficult. It simply requires that you know where your supporting applications and libraries are. Also, most open source software will contain instructions concerning how to edit the makefile. Most well-known operating systems, such as Red Hat Linux and Slackware, do not require makefile modification.
■ RPMs often contain useful startup scripts that are not found elsewhere. Sometimes, it is useful to install the RPM, then the tarball version, and then combine elements from the two for a complete solution.

Obtaining Open Source Software

■ Sites such as SourceForge (www.sourceforge.com), RPMFind (www.rpmfind.net), and SecurityFocus (www.securityfocus.com) are valuable software sources.
■ Be especially careful when downloading any source code, regardless of format. Digital signatures can help you determine the author of a package, as well as whether a package has been altered.
■ The Gnu Privacy Guard (GPG) and Pretty Good Privacy (PGP) packages are available to help you verify signatures. They do not stop the execution of malicious code, however. They simply inform you about the nature of the code’s author, and of any changes that may have occurred to the code.


A Brief Encryption Review

■ Symmetric encryption is the use of one key to encrypt and decrypt information. If a malicious user is able to intercept the key, he or she can then use it to decrypt your secret messages.
■ Asymmetric encryption uses a mathematically related key pair to encrypt and decrypt information. This type of encryption is commonly used on the Internet and on LANs, because it reduces the likelihood that the key can be learned by a malicious user, and aids in authentication.
■ One-way encryption is the use of an algorithm to encrypt information so that it is, mathematically speaking, impossible to unencrypt. One-way encryption is also used to read a file and then create a hash of that file. The resulting hash value is said to be mathematically unrecoverable. Hash code is often used to compare one value to another during the login process: the person logging in enters a username and password, and the authentication mechanism creates a hash of these two values and compares it to the hash values generated from the /etc/passwd and /etc/shadow databases. If the values match, access is allowed.

Public Key and Trust Relationships

■ You must generate a key pair to begin using your public key to authenticate yourself or to encrypt network transmissions.
■ Establishing a trust relationship involves exchanging public keys. Sometimes, individual users must give public keys. At other times, public keys are exchanged between network hosts.
■ Never reveal your private key. If your private key is made available to a third party, this person will be able to read all of your encrypted files.

Auditing Procedures

■ As an auditor, your job is to lock down your network, which means that you must consider the security of each host using tools that allow you to determine changes in files and directories, and who has scanned and accessed your system. You must also monitor network transmission and configure your firewall to establish an effective network perimeter that separates your network from all others.
■ An Intrusion Detection System (IDS) acts as an auditing host or series of auditing hosts that allow you to monitor and secure data as it passes across the network.
■ Protecting the network perimeter involves proper firewall and proxy server configuration, logging, and monitoring.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: Copyright has been around a long time. I don’t understand all of the fuss people are making about the GPL. Can’t people just create code and not provide a license at all?

A: The GPL protects the source code of an application so that it always remains public. No one person can then patent this code and make it his or her own. If you were to create a piece of software and not license it, then very quickly, this code could become proprietary. The creators of the GPL hope that as more and more people view the same piece of code, it will improve, and everyone will benefit.

Q: When verifying a signature with GPG, I keep getting a message that the public key can’t be found, even though I know that I loaded the public key into GPG. What is wrong with RPM and/or PGP?

A: Nothing. There is something wrong with the package you downloaded. Either that, or you somehow made an inadvertent change to the public key before you imported it.

Q: The BSD version of Unix existed before Linux. Why has Linux become so popular?


A: One reason is because Linux follows the GNU GPL, which has allowed the open source community to embrace it and develop many, many applications and daemons for it. Also, the Regents of the University of California held the copyright for all of the BSD developed code. It was not always available in source. One of the reasons for that is that until BSD 4.4, there was still proprietary AT&T source code in the BSD distributions. One of the specific objectives of BSD 4.4 was to eliminate any AT&T property. Therefore, while BSD was still license encumbered, Linux was freely available (in source and binary).

Q: In your auditing discussion, you discuss the idea of passive and active auditing. Don’t intrusion detection applications also do signature-based and anomaly-based detection?

A: Yes, they do. You will learn more about these two intrusion detection methods in later chapters. Signature-based detection means that you predefine what an attack looks like, and then configure your network monitoring software to look for that signature. Anomaly-based detection requires the intrusion detection system to actually listen to the network and gather evidence about “normal” traffic. Then, if any traffic occurs that seems different, the intrusion detection system will respond by, for example, sending out an alert to the network administrator.


Chapter 2

Hardening the Operating System

Solutions in this chapter:

■ Updating the Operating System
■ Handling Maintenance Issues
■ Manually Disabling Unnecessary Services and Ports
■ Locking Down Ports
■ Hardening the System with Bastille
■ Controlling and Auditing Root Access with Sudo
■ Managing Your Log Files
■ Using Logging Enhancers
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions


Introduction

Linux is capable of high-end security; however, the out-of-the-box configuration must be altered to meet the security needs of most businesses with an Internet presence. This chapter shows you the steps for securing a Linux system, called hardening the server, using both manual methods and open source security solutions. The hardening process focuses on the operating system and is important regardless of the services offered by the server. The steps vary slightly between services, such as e-mail and Hypertext Transfer Protocol (HTTP), but they are essential for protecting any server that is connected to a network, especially the Internet. Hardening the operating system allows the server to operate efficiently and securely. This chapter includes the essential steps an administrator must follow to harden a Unix system, specifically a Red Hat Linux system. These steps include updating the system, disabling unnecessary services, locking down ports, logging, and maintenance. Open source programs allow administrators to automate these processes using Bastille, sudo, logging enhancers such as SWATCH, and antivirus software. Before you implement these programs, you should first understand how to harden a system manually.

Updating the Operating System

An operating system may contain many security vulnerabilities and software bugs when it is first released. Vendors, such as Red Hat, provide updates to the operating system to fix these vulnerabilities and bugs. In fact, many consulting firms recommend that companies do not purchase and implement new operating systems until the first update is available. In most cases, the first update will fix many of the problems encountered with the first release of the operating system. In this section, you will learn where to find the most current Red Hat Linux errata and updates.

Red Hat Linux Errata and Update Service Packages

The first step in hardening a Linux server is to apply the most current errata and Update Service Package to the operating system. The Update Service Package provides the latest fixes and additions to the operating system. It is a collection of fixes, corrections, and updates to the Red Hat products, such as bug fixes, security advisories, package enhancements, and add-on software. Updates can be downloaded individually as errata, but it is a good idea to start with the latest Update Service Package and then install errata as necessary. Note that you must pay to receive the Update Service Packages, whereas the errata are free. Many errata and Update Service Packages are not required upgrades; read the documentation to determine whether you need to install each one. The Update Service Packages bundle all of the errata in one package to keep your system up to date. After you pay for the service, you can order Update Service Packages on CD or download them directly from the Red Hat Web site. To find out more about the Update Service Packages, visit www.redhat.com/support/services/update.html (Figure 2.1). You will learn more about errata in the maintenance section of this chapter.

Figure 2.1 Red Hat Errata and Updates

Handling Maintenance Issues

You should apply the latest service pack and updates before the server goes live, and you must keep maintaining the server after it is deployed to make sure the most current required patches are installed. The longer an operating system has been available to the public, the more time malicious hackers have had to exploit discovered vulnerabilities. Vendors offer patches to fix these vulnerabilities as quickly as possible; in some cases, the fixes are available at the vendor's site the same day. Administrators must also regularly test their systems using security analyzer software. Security analyzer software scans systems to uncover security vulnerabilities and recommends fixes to close the security holes. (These tools are discussed in detail in Chapter 3.) This section discusses the maintenance required to ensure that your systems are safe from the daily threats of the Internet.

Red Hat Linux Errata: Fixes and Advisories

Once your Red Hat system is live, you must make sure that the most current required Red Hat errata are installed. These errata include bug fixes, corrections, and updates to Red Hat products. You should always check the Red Hat site at www.redhat.com/apps/support/updates.html for the latest errata news. The following list defines the different types of errata found at the Red Hat Updates and Errata site.

■ Bug fixes Address coding errors discovered after the release of the product, and may be critical to program functionality. These RPM packages can be downloaded for free. Bug fixes address specific issues, such as a certain error message that may occur when completing an operating system task, and should only be installed if your system experiences that specific problem. Another helpful resource is Bugzilla, the Red Hat bug-tracking system at http://bugzilla.redhat.com/bugzilla.

■ Security advisories Provide updates that eliminate security vulnerabilities on the system. Red Hat recommends that all administrators download and install the security upgrades to avoid the denial-of-service (DoS) and intrusion attacks that can result from these weaknesses. For example, a security update was issued for a vulnerability in which improper input validation in Netscape's Joint Photographic Experts Group (JPEG) decoding code allowed a buffer overflow.

■ Package enhancements Provide updates to the functions and features of the operating system or specific applications. Package enhancements are usually not critical to the system's integrity; they typically add functionality, such as an RPM that provides new features.

Here are the steps for accessing Linux bug fixes, security advisories, and package enhancements:


1. To download bug fixes, point your browser to www.redhat.com/apps/support/updates.html. Under the "Errata: Fixes and Advisories" section, click the Red Hat Linux Bug Fixes link. The latest bug fixes are available for download on this page. Click each bug to learn more and determine whether it affects your system. Some fixes do not include software downloads, such as RPMs; instead, they explain how to configure your system to fix the problem.

2. To download security advisories, point your browser to www.redhat.com/apps/support/updates.html. Under the "Errata: Fixes and Advisories" section, click the Red Hat Linux Security Advisories link. The available security fixes are listed as shown in Figure 2.2. For example, one download contains three security hole fixes, as well as additional support for Pentium 4 processors; this affects Red Hat 6.x and 7.0 users. It is imperative for Linux administrators to check this Web site on a regular basis, determine whether the changes are necessary, and implement the vulnerability fix.

Figure 2.2 Available Security Fixes for Red Hat Linux

3. To download package enhancements, point your browser to www.redhat.com/apps/support/updates.html. Under the "Errata: Fixes and Advisories" section, click the All Red Hat Linux Errata link, and then the Package Enhancements link. A Red Hat Linux Package Enhancements link may also exist on the main Errata page. The available package enhancements are listed. Check the list to see whether any enhancements affect your operating system or applications. If an enhancement exists, and installing it would benefit your system, download and install the corresponding package.

Bug Fix Case Study

In a production environment, a problem may exist if a system has an i810 chipset and is running Red Hat Linux 6.2: the correct amount of system RAM may not be visible to the kernel. Consequently, the system cannot make full use of its RAM and may refuse to run certain programs because it believes it does not have enough memory. A fix for this problem is available at the Red Hat Updates and Errata Web site. According to the bug fix, an administrator needs to tell the kernel the amount of RAM explicitly. To check whether the problem exists on a system, log on as root and enter:

cat /proc/meminfo

If the MemTotal value is not within a few MB of the RAM actually installed, you need to pass the correct amount to the kernel. To do so, as root, edit the /etc/lilo.conf file:

vi /etc/lilo.conf

Locate the stanza for the current kernel image and add a new line by pressing i (to enter vi's insert mode) and entering the following (the M suffix matters: without it the kernel reads the value as bytes):

append="mem=[total amount of RAM (in MB)]M"

Figure 2.3 displays an edited lilo.conf file for a system that has 256MB of RAM. One MB should be subtracted from the total because the final megabyte is not usable on some systems. Write and quit the lilo.conf file by pressing ESC (to exit vi's insert mode) and entering:

:wq

Then have LILO rewrite its boot map from the updated lilo.conf by entering:

/sbin/lilo

Figure 2.3 Editing the Lilo.conf File to Fix a Bug

Reboot the machine. Afterward, check the RAM allocation again by entering:

cat /proc/meminfo

If MemTotal is within a few MB of the actual RAM, the bug has been fixed. If not, repeat the steps above and confirm that the append line sits inside the stanza of the kernel image that LILO actually boots (the one named by the default= entry, or the first image if there is none) and that /sbin/lilo was run after the edit, because changes to lilo.conf take effect only when LILO rewrites the boot map.
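The check in this case study can be scripted so that it is repeatable after every reboot. The following is an added example, not code from the book: it reads a /proc/meminfo-style file, compares MemTotal with the RAM physically installed, and prints the append line to add to /etc/lilo.conf when the two disagree. The 8 MB tolerance, the function names, and the sample meminfo contents (constructed to look like a 2.2/2.4 kernel on a 256 MB box that only sees 62 MB) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the book): check MemTotal from /proc/meminfo against
# the RAM physically installed and, if they disagree by more than a few MB,
# print the LILO "append" line that the Red Hat 6.2 / i810 bug fix calls for.

# check_meminfo FILE ACTUAL_MB [TOLERANCE_MB]
#   Prints "ok <MemTotal MB>" and returns 0 when the kernel sees the RAM,
#   or prints "fix <MemTotal MB>" and returns 1 when a mem= override is needed.
#   Returns 2 if FILE has no MemTotal line at all.
check_meminfo() {
    file=$1; actual_mb=$2; tol=${3:-8}
    # 2.2/2.4 kernels report "MemTotal:   257556 kB"; take the kB figure.
    total_kb=$(awk '/^MemTotal:/ { print $2; exit }' "$file")
    [ -n "$total_kb" ] || { echo "no MemTotal line in $file" >&2; return 2; }
    total_mb=$((total_kb / 1024))
    diff=$((actual_mb - total_mb))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    if [ "$diff" -le "$tol" ]; then
        echo "ok $total_mb"
        return 0
    else
        echo "fix $total_mb"
        return 1
    fi
}

# lilo_append_line ACTUAL_MB
#   The book subtracts one MB because the last megabyte is not usable on some
#   boards; print the line to add under the kernel image stanza in /etc/lilo.conf.
#   The "M" suffix is required: a bare number is read by the kernel as bytes.
lilo_append_line() {
    echo "append=\"mem=$(( $1 - 1 ))M\""
}

# Constructed sample: a box with 256 MB installed whose kernel only sees ~62 MB.
sample=$(mktemp)
cat > "$sample" <<'EOF'
        total:    used:    free:  shared: buffers:  cached:
Mem:  65081344 60104704  4976640        0  6688768 27942912
Swap: 271392768        0 271392768
MemTotal:     63556 kB
MemFree:       4860 kB
EOF

if ! check_meminfo "$sample" 256; then
    echo "kernel undercounts RAM; add this to the kernel stanza in /etc/lilo.conf,"
    echo "then run /sbin/lilo and reboot:"
    lilo_append_line 256
fi
rm -f "$sample"
```

On a real machine, call check_meminfo /proc/meminfo with the installed RAM in MB; a non-zero return is the signal to apply the fix, and running it again after the reboot confirms that the override took.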

Manually Disabling Unnecessary Services and Ports

To harden a server, you must first disable any unnecessary services and ports. This process involves removing unnecessary services, such as the Linux rlogin service, and locking down unnecessary Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports. Once these services and ports are secured, you must then regularly maintain the system. This section shows you how to manually disable several vulnerable services. Later in this chapter, you learn how to disable unnecessary services and ports using the open source program Bastille.

Services to Disable

Linux, by nature, is more secure than most operating systems. Regardless, there are still uncertainties in every new Linux kernel that is released, and many security vulnerabilities that have not yet been discovered. Any given vulnerability affects only some services, but every service that is running and listening on the network is attack surface that you have to patch and watch. An administrator can therefore reduce risk simply by removing unnecessary services. Red Hat Linux installs many services by default, so it makes sense for an administrator to customize the system to suit the company's needs. Remember, you are removing risk when you remove unnecessary services.

The xinetd.conf File

The /etc/xinetd.conf file (previously the inetd.conf file) controls many Unix services, including File Transfer Protocol (FTP) and Telnet. It determines what services are available to the system. The xinetd (like inetd) service is a "super server" listening for incoming network activity for a range of services. It determines the actual nature of the service being requested and launches the appropriate server. The primary reason for the design is to avoid having to start and run a large number of low-volume servers. Additionally, xinetd's ability to launch services on demand means that only the needed number of servers is run. The /etc/xinetd.conf file includes the /etc/xinetd.d directory, and each xinetd service has its own configuration file there. A service whose block in that file is commented out, or whose disable attribute is set to yes, is unavailable. Because xinetd is so powerful, only root should be able to configure its services. The /etc/xinetd.d directory makes it simple to disable services that your system is not using. For example, you can disable the FTP and Telnet services by commenting out the FTP and Telnet entries in the respective files and restarting xinetd; a commented-out service will not start again. Red Hat's own service files carry a disable = yes/no attribute for exactly this purpose, and on Red Hat 7 the command chkconfig telnet off sets it for you. Whichever method you use, confirm afterward with netstat -tuln that the port is no longer listening. The next section demonstrates how to disable the Telnet, FTP, and rlogin services.

Telnet and FTP

Most administrators find it convenient to log in to their Unix machines over a network for administration purposes. This allows the administrator to work remotely while maintaining network services. However, in a high-security environment, only physical access may be permitted for administering a server. In this case, you should disable the Telnet interactive login utility. Telnet also sends passwords and entire sessions in cleartext, so even where remote administration is allowed, it should be replaced by SSH rather than left enabled. Once disabled, no one can access the machine via Telnet.

1. To disable Telnet, you must edit the /etc/xinetd.d/telnet file. Open the Telnet file, as shown in Figure 2.4, using vi or an editor of your choice.

2. Disable the service either by adding a number sign (#) before the service telnet line and before every line of its block through the closing brace, or by changing the block's disable attribute to disable = yes:

#service telnet

3. Write and quit the file.

Figure 2.4 Disabling Telnet Using the /etc/xinetd.d/telnet File

4. Next, you must restart xinetd by entering:

/etc/rc.d/init.d/xinetd restart
Stopping xinetd:    [ OK ]
Starting xinetd:    [ OK ]

5. Attempt to log on to the system using Telnet. You should fail. You can also confirm that nothing is listening on TCP port 23 with netstat -tln.

6. Note that many services can be disabled by commenting out the service block in the respective /etc/xinetd.d file.

7. Disable the FTP service using the same method (e.g., edit the /etc/xinetd.d/wu-ftpd file by disabling the service ftp block and restarting xinetd).

8. Attempt to access the system via FTP. You should be unable to log in to the server.

The Rlogin Service

The remote login (rlogin) service is enabled by default in the /etc/xinetd.d/rlogin file. Rlogin and its companions are insecure because their authentication is host-based: a ~/.rhosts or /etc/hosts.equiv entry lets a user from a "trusted" host log in without a password prompt, that trust rests on the client's IP address and hostname, which an attacker can spoof, and the session itself travels in cleartext. There are two services associated with rlogin: login and rsh (remote shell). To disable these services, open the /etc/xinetd.d/rlogin file and comment out (or set disable = yes for) the service login block. Then open the /etc/xinetd.d/rsh file and do the same for the service shell block. Restart xinetd to ensure that your system is no longer offering these services, and confirm with netstat -tln that TCP ports 513 (login) and 514 (shell) are no longer listening.


Locking Down Ports

TCP/IP networks assign a port to each service, such as HTTP, Simple Mail Transfer Protocol (SMTP), and Post Office Protocol version 3 (POP3). This port is given a number, called a port number, used to link incoming data to the correct service. For example, if a client browser requests a server's Web page, the request is directed to port 80 on the server. The Web service receives the request and sends the Web page to the client. Each service is assigned a port number, and each port number exists separately for TCP and for UDP. For example, port 53 is used for the Domain Name System (DNS) and has both a TCP port and a UDP port. UDP port 53 carries ordinary DNS queries, resolving domain names to IP addresses; TCP port 53 is used for zone transfers between DNS servers, and also for ordinary queries whose answers are too large to fit in a single UDP datagram, so a resolver that is cut off from TCP port 53 will fail on some lookups.

Well-Known and Registered Ports

There are two ranges of ports used for TCP/IP networks: well-known ports and registered ports. The well-known ports are those assigned to specific network services by the IANA (your local copy of the assignments is /etc/services). For example, SMTP is assigned port 25, and HTTP is assigned port 80. Servers listen on the network for requests at the well-known ports. The ports above the well-known range are the ones clients draw their temporary source ports from; these are called ephemeral ports because they last only for the life of one connection, after which the port is released and can be reused. RFC 1700 calls everything above 1023 a registered port; the IANA has since split that range into registered ports (1024 to 49151), which are also assigned to services, and dynamic or private ports (49152 to 65535). Linux itself hands out client ports from the range configured in /proc/sys/net/ipv4/ip_local_port_range, which is why the client ports in the capture in Figure 2.5 are 1025 and 1026. The port number ranges are classified as shown in Table 2.1, according to Request for Comments (RFC) 1700. To access RFC 1700, go to ftp://ftp.isi.edu/in-notes/rfc1700.txt.

Table 2.1 Port Number Ranges for Various Types

Type          Port Number Range
Well-known    0 to 1023
Registered    1024 to 65535

NOTE
On Unix, a process must be root to bind a port below 1024, so a remote peer assumes that anything answering on ports 1023 and below is running with root-level privileges. Conversely, untrusted services should never be configured with a port number below 1024, because that would require running them as root.


You will see how well-known ports work with registered ports shortly. Table 2.2 is a list of well-known TCP/UDP port numbers.

Table 2.2 Commonly Used Well-Known TCP/UDP Port Numbers

Protocol                                   Port Number
FTP (default data)                         20
FTP (connection dialog, control)           21
Telnet                                     23
SMTP                                       25
DNS                                        53
DHCP/BOOTP server                          67
DHCP/BOOTP client                          68
TFTP                                       69
Gopher                                     70
HTTP                                       80
POP3                                       110
NNTP                                       119
NetBIOS Session Service                    139
Internet Message Access Protocol (IMAP)    143

To explain how well-known ports work with registered (ephemeral) ports, let's look at a typical Web site connection from a Web browser to a Web server. The client sends the HTTP request from an ephemeral TCP port, such as port 1025. The request is routed across the network to the well-known TCP port 80 of the Web server. Once a session is established, the server continues to use port 80, and the client uses various ephemeral ports, such as TCP ports 1025 and 1026 (one per connection), to transfer the HTTP data. Figure 2.5 is a packet capture that displays the establishment of a TCP session between a client and server and the transmission of HTTP data between them. In frame 2 of the packet capture, the source address (24.130.10.35) is the client computer requesting the Web page. The destination address (192.0.34.65) is the Web server, which hosts the Internet Corporation for Assigned Names and Numbers (ICANN) Web site. In the Info field, 1025 > 80 indicates that the source TCP port is 1025 and the destination TCP port is 80. The first three frames display the TCP three-way handshake (SYN, SYN/ACK, ACK), which establishes a TCP connection between the client and server. In the frames that follow, the client requests HTTP data from the server. The request states the HTTP version that the client and server will use. The client then requests and downloads the contents of the Web page.

Figure 2.5 Port Usage in a Client/Server HTTP Session

Determining Ports to Block

When determining which ports to block on your server, you must first determine which services you require. In most cases, block all ports that are not exclusively required by these services. This is tricky, because you can easily block yourself from services you need, especially services that use ephemeral ports, as explained earlier. If your server is an exclusive e-mail server running SMTP and IMAP, you can block all inbound TCP ports except ports 25 and 143, respectively. If your server is an exclusive HTTP server, you can block all inbound ports except TCP port 80. In both cases, you can block all inbound UDP ports, since SMTP and IMAP use TCP exclusively. However, if you also want to use the server as an HTTP client (for example, to fetch operating system updates) or as an e-mail client to a remote mail server, such a filter will get in the way. Clients need DNS answers delivered to ephemeral UDP ports, and the TCP connections they open are answered on ephemeral TCP ports. If you open only TCP ports 25, 80, and 143, DNS requests are blocked: a DNS query goes out to UDP port 53 on the name server, and the answer comes back to whatever ephemeral UDP port the client sent it from (for example, the response stating that www.syngress.com = 205.181.158.215). Even if you open port 53, a different ephemeral port may be assigned for each query. With a stateless packet filter, trying to allow access to a randomly assigned ephemeral port is hopeless, and the same problem applies to TCP connections that require ephemeral ports. With a stateless filter, therefore, you must either open all TCP/UDP ephemeral ports (so you can use your server as a client) or block them (except for the services you require) and obtain resources such as operating system updates another way. Many administrators order the Red Hat Linux Update CDs, which are re-mastered every eight weeks and contain all current updates (www.redhat.com/products/software/linux/updatecd/). You can also simply download the updates from another computer. A stateful filter removes the dilemma: iptables on a 2.4 kernel can accept packets that belong to a connection the server itself initiated (the ESTABLISHED and RELATED states of its connection-tracking module) while still rejecting unsolicited packets to every ephemeral port, so the server can act as a client without opening those ports to the world. Bear in mind, too, that an e-mail server that delivers mail to other domains is itself a client of remote SMTP servers and of DNS, so even an "exclusive" e-mail server needs those outbound connections and their replies to get through.
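Before blocking or disabling anything, it helps to know what is actually listening. The following is an added example, not code from the book: it audits a netstat -tuln listing against the ports a given server role requires and reports every other listener, which the next section then handles either through xinetd or by stopping a stand-alone daemon. The function name, the "proto/port" allow-list format, and the embedded netstat output (constructed for an e-mail server that still has telnet, finger, portmap and a DHCP client running) are this example's own assumptions. Only listening sockets appear here; the ephemeral client ports discussed above are never listeners, which is exactly why a host packet filter needs connection tracking, not an open port range, to let their replies in.

```shell
#!/bin/sh
# Added example (not from the book): compare the ports a server is actually
# listening on with the short list its role requires, so that everything else
# can be shut off in xinetd or stopped as a stand-alone daemon. The input is
# the output of "netstat -tuln"; a constructed listing is embedded below so the
# script runs without inspecting the real machine.

# audit_listeners LISTING ALLOWED
#   LISTING  file holding netstat -tuln output
#   ALLOWED  space-separated "proto/port" entries the server's role needs
#   Prints each listener not in ALLOWED, one per line, and returns 1 if there
#   were any; prints nothing and returns 0 when the server listens only where
#   it should.
audit_listeners() {
    listing=$1; allowed=$2
    unexpected=$(
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State].
        # The local address ends in ":port"; UDP lines have no State column.
        awk '$1 == "tcp" || $1 == "udp" {
                 n = split($4, a, ":"); print $1 "/" a[n] }' "$listing" |
        sort -u |
        while read -r l; do
            case " $allowed " in
                *" $l "*) ;;            # required by this role
                *) echo "$l" ;;         # candidate for shutdown
            esac
        done
    )
    [ -z "$unexpected" ] && return 0
    echo "$unexpected"
    return 1
}

# Constructed sample: an "exclusive e-mail server" (SMTP + IMAP) that still
# has telnet, finger, portmap (TCP and UDP 111) and a DHCP client listening.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF

if out=$(audit_listeners "$sample" "tcp/25 tcp/143"); then
    echo "only the required ports are listening"
else
    echo "unexpected listeners (disable in xinetd or stop the daemon):"
    echo "$out"
fi
rm -f "$sample"
```

On a live system, feed it the real output (netstat -tuln > /tmp/listen.txt) and the role's allow list; each reported entry is then traced back to a process with netstat -tulnp or lsof -i and handled as the following sections describe.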

Blocking Ports

To block TCP/UDP services in Linux, you must disable the service that uses the specific port. The following section discusses disabling ports using xinetd, and disabling ports assigned to stand-alone services.

Xinetd Services

Many services are disabled through their respective files in the /etc/xinetd.d directory, by commenting out the service that uses the port. You learned how to comment out xinetd services earlier in this chapter. For example, to disable port 79 (used for the finger service, which gives out user data such as login names and last-login times that are useful to an attacker), you would comment out the service finger entry in the /etc/xinetd.d/finger file. Refer to Table 2.2 for other well-known ports you may wish to block. These ports are commonly blocked at firewalls, but they can also be closed at the server itself. Follow these steps to disable port 79:

1. To disable port 79, you must edit the /etc/xinetd.d/finger file. Open the finger file and locate the service finger line.

2. Comment out the finger service block (or set disable = yes inside it), and then write and quit the file.

3. Next, you must restart xinetd by entering:

/etc/rc.d/init.d/xinetd restart

4. If you have a finger program installed on your system, or access to a finger gateway, attempt a finger request to your system. You should fail. Note that you can use xinetd to disable many other ports.
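The Telnet, FTP, rlogin and finger procedures above all reduce to the same edit. The following is an added example, not code from the book, that performs it by setting the disable = yes attribute Red Hat's xinetd service files carry rather than by commenting out lines, and verifies the result before xinetd is restarted. It operates on constructed copies of the service files in a scratch directory; the XINETD_D variable, the helper names, and the sample file contents are this example's own assumptions. Point XINETD_D at /etc/xinetd.d to use it on a real system, then restart xinetd and confirm with netstat -tln.

```shell
#!/bin/sh
# Added example (not from the book): disable xinetd-managed services by
# setting "disable = yes" in each service's /etc/xinetd.d file, the attribute
# Red Hat's own service files carry, then verify the change before restarting
# xinetd. XINETD_D defaults to /etc/xinetd.d; this script points it at a
# scratch directory holding constructed service files so it runs harmlessly.

XINETD_D=${XINETD_D:-/etc/xinetd.d}

# xinetd_disable NAME
#   Set "disable = yes" in $XINETD_D/NAME. If the block already has a disable
#   attribute it is rewritten in place; otherwise one is inserted just before
#   the closing brace of the service block. Returns 2 if the file is missing.
xinetd_disable() {
    f="$XINETD_D/$1"
    [ -f "$f" ] || { echo "no service file: $f" >&2; return 2; }
    if grep -q '^[[:space:]]*disable[[:space:]]*=' "$f"; then
        sed 's/^\([[:space:]]*disable[[:space:]]*=\).*/\1 yes/' "$f" > "$f.tmp"
    else
        awk '/^}/ { print "\tdisable\t\t= yes" } { print }' "$f" > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# xinetd_is_disabled NAME
#   Return 0 when $XINETD_D/NAME carries "disable = yes", 1 otherwise.
xinetd_is_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$XINETD_D/$1"
}

# write_sample FILE SERVICE DAEMON [DISABLE_ATTR]
#   Write a constructed Red Hat 7-style service file into $XINETD_D
#   (sample content for this example, not copied from any real system).
write_sample() {
    {
        printf 'service %s\n{\n' "$2"
        printf '\tsocket_type\t= stream\n\twait\t\t= no\n\tuser\t\t= root\n'
        printf '\tserver\t\t= %s\n\tlog_on_failure\t+= USERID\n' "$3"
        [ -n "$4" ] && printf '\t%s\n' "$4"
        printf '}\n'
    } > "$XINETD_D/$1"
}

scratch=$(mktemp -d)
XINETD_D=$scratch
# telnet and wu-ftpd carry an explicit "disable = no"; the others have none.
write_sample telnet  telnet /usr/sbin/in.telnetd 'disable = no'
write_sample wu-ftpd ftp    /usr/sbin/in.ftpd    'disable = no'
write_sample rlogin  login  /usr/sbin/in.rlogind
write_sample rsh     shell  /usr/sbin/in.rshd
write_sample finger  finger /usr/sbin/in.fingerd

for svc in telnet wu-ftpd rlogin rsh finger; do
    xinetd_disable "$svc"
    if xinetd_is_disabled "$svc"; then
        echo "$svc: disable = yes"
    else
        echo "$svc: still enabled, check $XINETD_D/$svc" >&2
    fi
done
# On a real system, finish with:
#   /etc/rc.d/init.d/xinetd restart
#   netstat -tln      # TCP ports 21, 23, 79, 513 and 514 should be gone
rm -rf "$scratch"
```

The attribute approach leaves the rest of the stanza intact, so re-enabling a service later is a one-word change, and xinetd never sees a half-commented block.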


Stand-Alone Services

To disable ports whose corresponding services are not included in the /etc/xinetd.d directory, you must kill the service's process and make sure that the service does not automatically restart upon reboot. These services are called stand-alone services. For example, port 111 is assigned to the stand-alone portmapper service, which is not required for most e-mail servers. The portmapper service, which is technically part of the Sun Remote Procedure Call (RPC) service, runs on server machines and maps RPC program numbers to the ports on which RPC-based services such as NIS and NFS are listening. Because these RPC services are not used by most e-mail servers, port 111 is not necessary. To disable port 111, you must disable the portmapper service as follows:

1. To disable the portmapper service, identify the process identifier (PID) for portmap by entering:

ps aux

