Security Administration - Paiet/Tech-Journal-for-Everything GitHub Wiki

  • Audit system for files with suid/sgid bit set
    • Set user ID bit allows a program to run as the owner of the file instead of the current user
    • passwd is an example as it is allowed to write to /etc/passwd whereas a user cannot
      • User:
        • find / -perm /4000 (older GNU find spelled this -perm +4000)
        • find / -perm -u+s
      • Group:
        • find / -perm /2000
        • find / -perm -g+s
      • Both (either bit set):
        • find / -perm /6000
  • Use nmap and netstat to discover open ports
    • View listening ports
      • netstat -tp
      • netstat -atp
    • Actively scan with nmap
      • yum install nmap
      • Basic scan: nmap <host>
      • Reserved port scan: nmap -v <host>
      • Stealth SYN scan with OS detection (needs root): nmap -sS -O 192.168.0.1/24
  • Setup limits on user logins, processes and memory usage
    • View limits
      • ulimit -a (ulimit can also set limits, but only for the current shell session)
    • To persistently set limits
      • /etc/security/limits.conf
  • Sudo configuration and usage
    • sudo
      • Executes command as root
      • Password cached for five minutes by default
      • User must be authorized to run sudo
        • In some distros (like Ubuntu) simply add 'sudo' group as a secondary group
        • In others (like RedHat) you must create your own group and add it to /etc/sudoers
      • Edit /etc/sudoers with visudo; entry format: <user or %group> <machine>=(<run-as user>) <commands>
      • dpezet ALL=(ALL) ALL
      • %techsupport localhost=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
  • Turn off network services not in use
    • Extended Internet Daemon (xinetd): /etc/xinetd.conf plus per-service files in /etc/xinetd.d/* (if present; yum install xinetd)
  • TCP wrappers
    • Network access control system that filters connections; applies to anything linked against libwrap (like xinetd)
      • Check whether a daemon uses it: ldd /usr/sbin/sshd | grep wrap
      • /etc/hosts.allow
      • /etc/hosts.deny
      • Rule format (daemon : client), e.g. sshd : 192.168.0.1
      • OR sshd : 192.168.0.0/255.255.255.0
      • ALL : ALL in hosts.deny blocks everything else; deny is checked first, then a match in hosts.allow overrides it
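For the SUID/SGID audit at the top of this section, here is an added example (not from the wiki) that turns the one-off find command into a baseline check: record the set-id files once, then diff a fresh listing against that record so any file that gains a setuid or setgid bit is reported. The directory tree and file names in the demo are constructed; on a real host the baseline is taken right after installation and kept somewhere the host cannot overwrite.

```shell
#!/bin/sh
# Added example, not from the wiki: list files with the setuid or setgid bit
# under a directory, save that as a baseline, and later diff a fresh listing
# against it so any file that gained a set-id bit stands out.
export LC_ALL=C   # fixed sort order so comm(1) sees identically sorted input

# Print every regular file under $1 (same filesystem only) that has the
# setuid (4000) or setgid (2000) bit, one path per line, sorted.
# "-perm -4000 -o -perm -2000" is the portable form of -perm /6000.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare the current listing for directory $1 with baseline file $2.
# Prints "+ path" for newly set-id files and "- path" for ones that lost the
# bit or vanished. Returns 0 when nothing changed, 1 otherwise.
audit_setid() {
    current=$(mktemp)
    list_setid "$1" > "$current"
    tab=$(printf '\t')
    # comm -3: lines only in the baseline have no prefix, lines only in the
    # current listing are prefixed with a tab.
    changes=$(comm -3 "$2" "$current" | sed -e "s/^${tab}/+ /" -e t -e 's/^/- /')
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demo on a constructed directory tree: one expected setuid file goes into
# the baseline, then two files gain set-id bits and the audit reports them.
demo_setid_audit() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    for f in cat ls passwd; do : > "$work/bin/$f"; done
    chmod 4755 "$work/bin/passwd"            # expected setuid file
    list_setid "$work" > "$work/baseline"    # record the known-good state
    : > "$work/bin/newtool"
    chmod 4755 "$work/bin/newtool"           # a new setuid file appears later
    chmod 2755 "$work/bin/ls"                # an existing file gains setgid
    audit_setid "$work" "$work/baseline"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo_setid_audit || echo "audit: set-id changes detected"
```

Run it against `/` with a baseline stored off-box; the same comm/sed pairing works for any other sorted inventory (world-writable files, files with capabilities) by swapping the find predicate.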

Securing Data with GPG

  • GPG Installation (Sender and Recipient)
    • GNU Privacy Guard is open source product similar to PGP (Pretty Good Privacy)
    • Usually pre-installed
    • yum install gpg
  • GPG configuration (Recipient)
    1. Create private key
      • gpg --gen-key
      • Creates keyring files
      • Starts a setup wizard
      • Run it from console if possible
    2. In another TTY run high activity command to generate entropy
      • md5sum /dev/sda
      • ls -laR /
      • dd if=/dev/sda of=/dev/zero
      • To see available entropy
        • cat /proc/sys/kernel/random/entropy_avail
        • Generally around 2000
        • VMs could be lower
        • Entropy normally comes from a hardware source (/dev/hwrng)
        • A TPM is the best source of entropy
        • VMs can substitute a pseudo-random number generator
      • OPTIONAL: Changing your Random Number Generator (RNG)
        1. yum install rng-tools
        2. vi /etc/sysconfig/rngd
        3. Insert: EXTRAOPTIONS="-r /dev/urandom"
        4. service rngd start
        5. chkconfig rngd on
    3. Exchange keys with sender
      • gpg --export --output <filename> <key_id_or_email>
      • Send public key file to sender
  • GPG Encryption (Sender)
    1. Import the recipient's public key
      • gpg --import <key_file>
      • gpg --list-key
    2. Encrypt the file
      • gpg --encrypt -r <dest_user> <filename>
      • Creates <filename>.gpg
    3. Send *.gpg file to the recipient
  • GPG Decryption (Recipient)
    • Decrypt the file
    • gpg <filename>
    • Enter the private key's passphrase
    • Output is unencrypted <filename>
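The configuration, encryption and decryption steps above, run end to end as an added example (not from the wiki): two throwaway keyrings stand in for the recipient's and the sender's machines, and --quick-generate-key stands in for the interactive gpg --gen-key wizard so nothing prompts. The user ID, e-mail address and message are constructed for the demo; it needs GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example, not from the wiki: recipient creates a key and exports the
# public half; sender imports it, checks the fingerprint, encrypts; recipient
# decrypts. Everything lives in temporary GNUPGHOME directories.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 0; }
    gpg --version | head -n1 | grep -q ' 2\.' || { echo "needs GnuPG 2.1+, skipping"; return 0; }
    work=$(mktemp -d)
    recipient="$work/recipient"; sender="$work/sender"
    mkdir -m 700 "$recipient" "$sender"
    # Helpers that pin each command to one keyring. The recipient's key gets an
    # empty passphrase purely so the demo needs no prompt.
    gpg_r() { GNUPGHOME="$recipient" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
    gpg_s() { GNUPGHOME="$sender" gpg --batch --quiet "$@"; }

    (
        set -e
        # Recipient: create the key pair, then export the public key to a file.
        gpg_r --quick-generate-key "Recipient <recipient@example.test>" default default never
        gpg_r --armor --export --output "$work/recipient.pub" recipient@example.test

        # Sender: import the received file and print its fingerprint, which is
        # what gets compared with the value the recipient read out separately.
        gpg_s --import "$work/recipient.pub"
        gpg_s --fingerprint recipient@example.test
        printf 'constructed secret message\n' > "$work/msg.txt"
        gpg_s --trust-model always --encrypt --recipient recipient@example.test \
              --output "$work/msg.txt.gpg" "$work/msg.txt"

        # Recipient: decrypt the .gpg file and compare with the original.
        gpg_r --decrypt --output "$work/msg.out" "$work/msg.txt.gpg"
        # The ciphertext must not contain the plaintext.
        if grep -q 'constructed secret' "$work/msg.txt.gpg"; then exit 1; fi
        cmp -s "$work/msg.txt" "$work/msg.out"
    )
    ok=$?

    # Stop the agents the two keyrings started, then discard everything.
    GNUPGHOME="$recipient" gpgconf --kill gpg-agent 2>/dev/null
    GNUPGHOME="$sender" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return $ok
}

gpg_roundtrip && echo "round trip OK"
```

--trust-model always is only there because the demo has no web of trust; in real use the sender signs the imported key (gpg --sign-key) after confirming the fingerprint, which is the step that stops a swapped public key from going unnoticed.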

Securing Data with SSH

  • OpenSSH client configuration and usage
    • ssh <username>@<hostname>
    • ssh -l <username> <hostname>
    • Configuration file is /etc/ssh/ssh_config
    • Options
      • -1 v1 Only
      • -2 v2 Only
      • -4 IPv4 Only
      • -6 IPv6 Only
      • -b <address> Specify the source address
      • -F <file> Overrides system wide configuration
      • The who command shows the session as a pseudo-terminal (pts/#)
      • Must accept public key on first connection
  • OpenSSH server host keys
    • Cached in ~/.ssh/known_hosts for individual users
    • Cached in /etc/ssh/ssh_known_hosts for the entire system
    • If you receive a key before hand you can pre-load it
      • ssh-keyscan <host>
      • ssh-keyscan 192.168.0.100 >> ~/.ssh/known_hosts
    • StrictHostKeyChecking yes in /etc/ssh/ssh_config refuses connections to hosts whose key is not already in known_hosts
    • Server keys are stored in /etc/ssh
  • Generating new keys
    1. Delete the 6 key files (rm -f /etc/ssh/*key*)
    2. ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key
    3. ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
    4. ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

Example

| File                 | Description            |
|----------------------|------------------------|
| ssh_host_key         | SSHv1 Private Key      |
| ssh_host_key.pub     | SSHv1 Public Key       |
| ssh_host_rsa_key     | SSHv2 RSA Private Key  |
| ssh_host_rsa_key.pub | SSHv2 RSA Public Key   |
| ssh_host_dsa_key     | SSHv2 DSA Private Key  |
| ssh_host_dsa_key.pub | SSHv2 DSA Public Key   |
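The host-key handling described above (server key files, pre-loading known_hosts, StrictHostKeyChecking) as an added example, not from the wiki: it uses only ssh-keygen so it runs offline, generates a stand-in for the server's ssh_host_rsa_key pair, builds the known_hosts entry in the same form ssh-keyscan prints, hashes the host names, and confirms the client-side lookup finds the pinned host and nothing else. The host name and key pair are constructed; on a real system the fingerprint printed must be checked against a value obtained out of band (for example read off the server's console) before the entry is trusted.

```shell
#!/bin/sh
# Added example, not from the wiki: pin a server host key in a known_hosts
# file and verify it is found the way the ssh client would find it.
pin_host_key() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed, skipping"; return 0; }
    work=$(mktemp -d)
    host="server.example.test"            # constructed host name
    knownhosts="$work/known_hosts"
    # Server side stand-in: same as ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$work/ssh_host_rsa_key" || { rm -rf "$work"; return 1; }
    # Fingerprint as the admin would read it on the server; the value to
    # compare against before trusting the entry below.
    ssh-keygen -lf "$work/ssh_host_rsa_key.pub"
    # A known_hosts line is "<host> <keytype> <base64 key>", the shape
    # ssh-keyscan prints; build it from the public key file.
    keytype=$(cut -d' ' -f1 "$work/ssh_host_rsa_key.pub")
    keydata=$(cut -d' ' -f2 "$work/ssh_host_rsa_key.pub")
    printf '%s %s %s\n' "$host" "$keytype" "$keydata" >> "$knownhosts"
    # Hash the host names so the file does not reveal which servers are used.
    ssh-keygen -q -H -f "$knownhosts" && rm -f "$knownhosts.old"
    # ssh-keygen -F does the same lookup the client does; its output is empty
    # for an unknown host, which StrictHostKeyChecking yes turns into a refusal.
    found=$(ssh-keygen -F "$host" -f "$knownhosts")
    unknown=$(ssh-keygen -F "other.example.test" -f "$knownhosts")
    rm -rf "$work"
    [ -n "$found" ] && [ -z "$unknown" ]
}

pin_host_key && echo "host key pinned and found"
```

For a fleet, the same entry goes into /etc/ssh/ssh_known_hosts so every user on the client inherits it, and the server's regenerated keys (the "Generating new keys" steps) mean every such entry must be replaced, or clients will correctly refuse to connect.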

  • SSH port tunnels
    • Send any port's traffic over an SSH tunnel
    • Useful for encrypting any traffic regardless of protocol
    • Telnet example setup
      1. yum install telnet-server
      2. vi /etc/xinetd.d/telnet and set disable = no
      3. service xinetd start
      4. chkconfig telnet on
      5. chkconfig xinetd on
      6. vi /etc/sysconfig/iptables
        • -A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
      7. service iptables restart
    • Telnet example lab
      1. Establish the SSH tunnel
        • ssh -f <username>@<hostname> -L <localport>:<hostname>:<remoteport> -N
        • The -N means do not execute any commands on the remote system
        • ssh -f [email protected] -L 65023:172.16.116.129:23 -N
      2. Telnet through the tunnel
        • telnet 127.0.0.1 65023