Linux Security Techniques - Paiet/Tech-Journal-for-Everything GitHub Wiki

Monitoring and Auditing Security
1. syslog and rsyslog
2. journald
3. Auditing User Passwords
4. Auditing the Filesystem
5. Auditing SUID and SGID
6. Auditing Logins with fail2ban
Data Security
1. LUKS Disk Encryption
2. Data Encryption with GPG
3. MD5 and SHA hashes
4. Data Encryption with SSH

3. Securing Services

1. SELinux

3.1 Securing Services with SELinux

What is SELinux?

Security Enhanced Linux (SELinux)
- Adds fine grained mandatory access control to Linux
- Goes far beyond basic UNIX UGO file permissions
- Allows you to restrict what files and paths software is able to access

What does SELinux do when it detects inappropriate access?

SELinux Modes
- Enforcing - Access not conforming to ACLs is blocked
- Permissive - Access not conforming to ACLs is logged
- Disabled - ACLs are not applied

So how do we get started with configuring SELinux?

Working with SELinux
- Verify status of SELinux
  - sestatus
- Define status at time of boot
  - vi /etc/selinux/config
- Modify status temporarily
  - setenforce enforcing or setenforce 1
  - setenforce permissive or setenforce 0
  - getenforce to verify
- View SELinux log
  - tail /var/log/audit/audit.log
- View SELinux context for a process or file
  - ps auxZ | grep httpd
  - ls -laZ /var/www/html/index.html
  - ls -ldZ /website

Can you show us an example of configuring a service?

Create a non-standard folder for a service
- mkdir /website
- vi /website/test.html
- vi /etc/httpd/conf/httpd.conf
- Change DocumentRoot and Default Document Folder to /website
- systemctl restart httpd
Test access to the content
- http://127.0.0.1/test.html
- tail -f /var/log/audit/audit.log | grep httpd
Correct the security context and test again
- chcon -Rv --type=httpd_sys_content_t /website
- systemctl restart httpd
Reset the path to default context
- restorecon -Rv /website

Are these changes persistent?

chcon is persistent
- restorecon resets the values, erasing the changes
- Unfortunately, people use restorecon a lot
- Can accidentally erase context
SELinux policy
- The SELinux policy tracks the default contexts that restorecon uses
- Can be overridden
  - /etc/selinux/targeted/contexts/files/file_contexts.local
- To update the policy, use semanage fcontext...
  - Part of the policycoreutils-python package
- Example
  1. ls -dZ /website
  2. semanage fcontext -a -t httpd_sys_content_t /website
  3. restorecon -Rv /website
  4. ls -dZ /website
- Making it recursive
  1. semanage fcontext -a -t httpd_sys_content_t "/website(/.*)?"

What if I have a custom service? Can we create a context?

Set SELinux to permissive
- setenforce 0
Configure the software and run it to find out what was blocked
- grep httpd /var/log/audit/audit.log | audit2allow -m httpd -w
Generate a loadable policy module allowing the access
- grep httpd /var/log/audit/audit.log | audit2allow -M httpd
Install the module
- semodule -i httpd.pp
- semodule -l
Set SELinux to enforcing
- setenforce 1
- systemctl restart httpd
Verify access

Is there anything else SELinux is capable of?

semanage port -a -t http_port_t -p tcp 8080 semanage port -l 2. chroot jails 3. LXC Containers

4. Securing Networks

4.1 TCP Wrappers

What are TCP Wrappers?

TCP wrappers
- Network access control system to filter connections Applies to anything that depends on libwrap (like xinetd)
- Examples
  - sshd
  - xinetd
  - vsftpd
  - rpcbind

How do we know if a service supports TCP wrappers?

The daemon must include the libwrap library
To determine if a serviced supports libwrap
- which sshd
- ldd /usr/sbin/sshd | grep libwrap

How do we enable TCP wrappers for a service?

Configuring rules
- The wrappers are controlled by two files
  - /etc/hosts.allow
  - /etc/hosts.deny
- Rules are applied in order and first match wins
- Allow is applied first so it overrides deny
- If there are no matches in either file, then the connection is allowed
- Changes take effect immediately without restarting the services
  - Rules are not cached

I'll give ya an example of how you could use it!

Example 1: Restricting access to SSH
- Allow access to a service by source IP
  - vi /etc/hosts.allow
    - sshd : 192.168.0.1
- Allow access to a service by subnet + sshd : 192.168.0.0/255.255.255.0 + or + sshd : 192.168.0.0/24 + or + sshd : 192.168.0.
- Deny access to a service by hostname
  - vi /etc/hosts.deny
    - sshd : Nicks-laptop.lab.Champlain.edu
- Deny access to a service by domain name
  - vi /etc/hosts.deny
    - sshd : .lab.Champlain.edu
- Allow access from only one host
  - vi /etc/hosts.allow
    - sshd : 192.168.0.1
  - vi /etc/hosts.deny
    - ALL : ALL

You can also allow access to more than one service at a time!

Allow access to multiple services
- vi /etc/hosts.allow
  - sshd,vsftpd : 192.168.0.1

So, is allowing or denying access the only thing TCP wrappers can do?

Option Fields
- Allow more granular control
- Can specify one or more options to alter behavior
- Can allow us to use one file instead of two
Allowing and denying in the same file
- vi /etc/hosts.allow
  - sshd : 192.168.0.1 : allow
  - sshd : 192.168.0. : deny
Generating log messages - sshd : ALL : severity alert : allow
Can perform other actions
- spawn
  - Launches an executable in the background
  - sshd : ALL : spawn /bin/echo A connection from %c was detected by %d >> /var/log/vsftpd.log : allow
- Expansions
  - %a --- Client IP address
  - %h --- Client hostname or IP address
  - %u --- Client username
  - %c --- Client username and hostname
  - %d --- Daemon process name
- twist
  - Launches an executable in place of the service
  - vsftpd : ALL : twist /bin/echo "Your connection attempt has been logged."

Network Security with iptables

4.2 Network Security with iptables

What is iptables?

How do we know if we are running iptables?

systemctl status iptables systemctl enable --now iptables

Can we switch from firewalld to iptables?

yum install -y iptables-services
- Sometimes called iptables-persistent or just iptables
systemctl stop firewalld
systemctl mask firewalld
- Disabling is not enough as a dependant service could still start it
systemctl enable --now iptables
systemctl enable --now ip6tables

Where do we get started to configure the firewall?

List rules in a user-readable format
- iptables --list
- Use -n to skip name resolution
List Rules in file syntax format
- iptables --list-rules

How do the chains work together?

Three chains
- INPUT
  - Incoming traffic
  - Where most of our filtering is performed
- FORWARD
  - Routed traffic
  - Not used on most machines
  - Typically used for routers/firewalls
- OUTPUT
  - Outbound traffic
  - Not typically filtered for normal hosts

How do the rules work?

Three actions
- ALLOW - Permits the connection
- DROP - Discards any connection traffic without notifying the sender
- REJECT - Discards any connection traffic and notifies the sender

How do we manage incoming traffic?

Using the iptables command
- iptables -A INPUT -p tcp --dport ssh -j DROP
- iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
- iptables -A INPUT -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
- Save changes
  - iptables-save or iptables save
- Discard changes
  - iptables -F

Does everything have to be done with the iptables command?

Modifying the iptables configuration file
- /etc/sysconfig/iptables and ip6tables
- systemctl restart iptables
Bidirectional Control Example
- iptables -A OUTPUT -p tcp -d 172.16.0.1 --dport 3306 -m state --state NEW,ESTABLISHED
- iptables -A INPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Can we monitor what iptables is doing?

You can test connections manually
Tools like nmap can help as well
Log option
- You can create a duplicate rule with the log action
- iptables -A INPUT -p tcp --dport ssh -j DROP
- iptables -A INPUT -p tcp --dport ssh -j LOG
Statistics can be monitored with the watch command
- iptables -vnL --line
- watch -n 0.5 iptables -vnL

3. Network Security with firewalld

4.3 Network Security with firewalld

What is firewalld?

firewalld
- Replacement for iptables
- Provides a simplified CLI

How do we know if we are running firewalld?

Manage firewalld service
- systemctl start firewalld
- systemctl enable firewalld
Determine firewall status
- firewall-cmd --state

Where do we get started to configure the firewall?

Determine default zone
- firewall-cmd --get-zones
- firewall-cmd --get-default-zone
Change the default zone
- firewall-cmd --set-default-zone=block
View zone assignments
- firewall-cmd --get-active-zones
Create a custom zone
- firewall-cmd --permanent --new-zone=testlab
- firewall-cmd --reload
View configuration for a zone
- firewall-cmd --list-all for the default zone
- firewall-cmd --zone=work --list-all

How do we assign a network interface to a zone?

Assign an interface to a zone
- vi /etc/sysconfig/network-scripts/ifcfg-eno1
- ZONE=work
- systemctl restart network
- systemctl restart firewalld
- firewall-cmd --get-active-zones

How do we use the zone to manage traffic?

Allow a standard service through the firewall
- firewall-cmd --get-services for a list of supported services
  - Default services are stored in /usr/lib/firewalld/services/*.xml
- firewall-cmd --zone=dmz --permanent --add-service=http
- firewall-cmd --zone=dmz --permanent --list-services

What if I want to manage non-standard traffic?

Allow a non-standard service through the firewall
- firewall-cmd --get-services for a list of supported services
  - Custom services can be added in /etc/firewalld/services/*.xml
- firewall-cmd --zone=dmz --permanent --add-port=8080/tcp
- firewall-cmd --zone=dmz --permanent --list-ports
- Can also accept ranges like 10000-20000/udp

Security Testing
1. Verifying Firewall Configurations
2. Verifying Network Data Encryption