
Thread: Linux Network Security

  1. #1
    Join Date
    May 2008
    Posts
    432

    Linux Network Security

    Network security is becoming increasingly important because the time spent connected to the Internet keeps increasing. Compromising network security is often much easier than compromising physical or local security, and it is much more common. There are a number of good tools to assist with network security, and many new ones are included in Linux distributions. At present, system security plays a huge role for Internet users: the Internet, together with its ample opportunities, has brought new dangers, such as computer crime, identity theft, and malicious damage to systems, that did not previously exist. You need to clearly understand the nature of the potential threats to computer security, and it does not matter whether you are a system or network administrator for a large organization or an ordinary user.

    The main types of attacks are the following:
    • Unauthorized access: an attacker who is not allowed to use the services of your host is able to connect to them and work with them, using "bugs" in the network services that are vulnerable from the external network.
    • Denial of Service (DoS): such attacks lead to failure of the hardware and/or software of the host, so that the system becomes unavailable to users; in an attack on a service, the goal of the attacker is simply to knock the host off the network.
    • Hoax: the attacker simulates a credible connection to the host.
    • Capturing traffic: the attacker configures a network interface so as to obtain all the packets passing on the network, not just those for his own system, in order to extract user names and passwords.

    Reliable ways to combat such attacks are: improving the security of the kernel and IP stack; building a firewall; detecting scans, operating system type and version detection, and intrusions; logging at the maximum level of detail; protection from eavesdropping; and a complete shutdown of all unsafe services or their replacement with alternatives. In a series of articles, "Ensuring the network security of a Linux distribution, using Red Hat Linux 7.0 as an example", we will try to figure out ways of fighting the destructive actions of intruders.

    It is assumed that computer network security, with its threats coming mainly from hackers and viruses, has two aspects. Why are they so often able to hack it? The main reason is that many people, especially many network administrators, lack even basic knowledge of network security, and so adopt no effective security policy and security mechanisms for the network operating system against hackers. We know that the network operating system is used to manage the variety of hardware and software resources of a computer network, to share resources and to provide services to users across the network, ensuring the normal functioning of the network software system. Ensuring the security of the network operating system is where network security lies. Only a safe and reliable network operating system can guarantee the security of the entire network. Thus, through a detailed analysis of the security mechanisms in Linux, you can identify potential security issues and, taking them into account, the relevant security policies and protective measures that are needed.

    Basic Security

    The Linux network operating system provides user accounts, file system permissions, system log files and other basic security mechanisms; if these mechanisms are configured incorrectly, the system itself becomes a security threat. Thus, the network administrator must be careful in setting up these security mechanisms. Linux is an excellent stand-alone workstation, but usually every Linux machine is connected to a network and also provides network services. The system is obliged to secure the services it provides.

    Linux system user account

    On Linux, a user account is the user's identity, and consists of a user name and a password. On a Linux system, the user name is stored in the /etc/passwd file, and the password is stored in encrypted form in the /etc/shadow file. Under normal circumstances, these passwords and other information are protected by the operating system and can be accessed only by the privileged user (root) and by the operating system on behalf of some applications. However, if configured incorrectly, or, in some cases, due to an operating system error, such information may be obtained by ordinary users. In addition, attackers can use a class of tools called "password crackers" to recover the password before encryption.

    Linux file system permissions

    Linux file system security is achieved mainly through setting file permissions. Each file or directory in Linux has 3 sets of attributes, defining the permissions of the file or directory owner, of the user group and of others (read, write, execute, SUID allowed, SGID allowed, etc.). Pay particular attention to SUID and SGID: when an executable file with these permissions is started, the process is given the permissions of the file's owner; if hackers find such a file and use it against the system, the harm is considerable.

    Type of Attack on Linux

    DDoS

    In the so-called "denial of service" attack, the hacker blocks network resources so that the network is temporarily or permanently paralysed, making the Linux web server unavailable to ordinary users. For example, hackers may use fake source addresses and multiple computers in other areas under their control to simultaneously send a large, continuous stream of TCP/IP requests to the target computer, until the target server system is paralysed.

    Password Hack

    Passwords are the system's first line of defense in protecting its own security. "Password cracking" attacks aim at breaking the user's password, with which the attacker can obtain information resources that have been encrypted. For example, a hacker can use high-speed computers and a dictionary database to try different password combinations until a password is found that logs into the system and opens network shares.

    Trick Users

    Tricking users refers to the network hacker contacting the user under the guise of a company's or a network service provider's engineering and technical personnel, and asking the user in the prescribed manner to enter a password; this is the attack users find hardest to guard against. When a password has been compromised, the hacker can use the user's account in the system.

    Network Monitor

    Many network intrusions begin with scanning; by scanning, hackers can find a variety of loopholes in a host and use them to attack the system. Network monitoring is the general method of hacking: once successfully logged into a network host and having gained super-user control, an attacker can use network monitoring to collect confidential information or authentication information, in order to seize control over other hosts on the network in the future.

    Linux Network Security

    Throughout the history of networks, we see that an attack on the network may come from illegal users or from a legitimate user. Therefore, as Linux network administrators, we must always guard against attacks by hackers, as well as strengthening the internal management and education of network users, and in particular adopt the following security policy.

    Firewall Subnet

    If the internal network has access to the Internet, set up a firewall at the interface between the internal and external networks to ensure the security of the internal network's data. For the internal network itself, in order to facilitate management and the rational allocation of resources, the IP address space should be divided into several subnets; this will also help prevent or delay attackers from seizing the entire internal network.
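    The post above singles out SUID and SGID executables as files to watch, since whoever runs them inherits the owner's privileges. The following is an added example, written for this thread and not code from the original post: a small audit script that walks a directory tree and lists every regular file carrying the SUID or SGID bit, together with its mode and owner, so an administrator can compare the list against what is expected. The sample tree built by build_sample_tree() is constructed in a temporary directory purely to demonstrate the check; on a real host you would point find_setid_files() at / (or at specific filesystems).

```python
"""Audit a directory tree for set-user-ID and set-group-ID executables.

Added example for the forum post above, not the poster's own code. The
temporary tree created by build_sample_tree() is a constructed sample.
"""
import os
import stat
import tempfile


def find_setid_files(root):
    """Return sorted (path, permission_bits, uid, gid) tuples for SUID/SGID regular files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return sorted(hits)


def describe(hit):
    """Render one audit hit as a single report line, e.g. '/x/bin/tool: mode 4755 uid=0 gid=0 (SUID)'."""
    path, mode, uid, gid = hit
    flags = [name for bit, name in ((stat.S_ISUID, "SUID"), (stat.S_ISGID, "SGID")) if mode & bit]
    if mode & stat.S_IWOTH:
        flags.append("world-writable")  # a set-id file anyone can modify is the worst case
    return f"{path}: mode {mode:04o} uid={uid} gid={gid} ({', '.join(flags)})"


def build_sample_tree():
    """Constructed sample: one plain script, one SUID tool and one SGID tool in a temp dir."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    plain = os.path.join(root, "plain.sh")
    suid = os.path.join(root, "bin", "suid-tool")
    sgid = os.path.join(root, "bin", "sgid-tool")
    os.makedirs(os.path.dirname(suid))
    for p in (plain, suid, sgid):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
    os.chmod(plain, 0o755)  # rwxr-xr-x: not reported
    os.chmod(suid, 0o4755)  # rwsr-xr-x: SUID
    os.chmod(sgid, 0o2755)  # rwxr-sr-x: SGID
    return root


if __name__ == "__main__":
    for hit in find_setid_files(build_sample_tree()):
        print(describe(hit))
```

    The script deliberately uses lstat() and skips everything that is not a regular file, so a symlink planted by an unprivileged user cannot steer the audit elsewhere; comparing successive runs of its output is a cheap way to notice a newly appeared set-id binary.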

  2. #2
    Join Date
    May 2008
    Posts
    432

    Re: Linux Network Security

    Network Interfaces

    IP Address

    Imagine that the machines in a network are completely uniform buildings, and that they form a small town. To get from one building to another, the only way available to you is to know the exact address. In France, for example, we use a system of street names associated with a number, which, year after year, lets you find your destination more or less by chance. In the United States, by contrast, cities are generally organized in a grid pattern that identifies buildings with a combination of avenue and street numbers, which is a bit more practical. In our network, each machine has an IP address, which identifies it uniquely. This address is composed of 4 numbers from 0 to 255 separated by dots. The most important point about IP is that, in the same network, two machines must not have the same IP address, otherwise they could not communicate properly.

    A machine can have multiple IP addresses. To contact a machine on a network, it is imperative to know its IP address. But as it is not very convenient to remember these numbers, a system called DNS (Domain Name Server) associates a hostname that is a little easier to remember with an IP address. Of all the available IP addresses, there are 3 very specific classes of IP addresses. These are the private IP classes. In a private network, such as a business or an individual home, we can use these classes of IP addresses freely, without being accountable to anyone. The only condition is that machines with an IP address of a private class cannot directly connect to the Internet.

    Finally, any machine using the IP protocol has a default private IP address range, usable only by the machine itself. Thus, any machine can address itself using IP addresses between 127.0.0.1 and 127.255.255.255. These are what are called loopback addresses. Note that we are only talking about IPv4 addresses. A new version of the protocol (IPv6) is currently being rolled out, which should eventually replace IPv4. The operating principle of this new version is basically the same, but it adds many features that make it more interesting.

    Ports

    A machine operating on an IP network has 65535 ports (numbered 1 to 65535), equivalent to the shops and windows of our building. All these ports are interchangeable, meaning that each can be used to:
    • Transmit data.
    • Receive data.
    • Transmit and receive data in turn.

    When client software on a machine wants to access information from a server machine, this program will:
    • Open a port (as an inhabitant would open a window of his apartment building).
    • Send a request to the server machine on the port that hosts the information it wants.
    • Receive this information via the port it had previously opened (*).
    • Close its port.

    (*) With some specific protocols such as FTP, the requested information will arrive on a 2nd port opened on the client. Unfortunately, there is no way a port of one machine can be used by two different pieces of software. By analogy, we cannot have two people simultaneously using the same window to talk with their neighbors across the street. Ports whose number is less than 1024 are used to receive information. In fact, behind these ports is server-type software (later called simply a server) which waits for requests from other computers in order to provide certain information. Likewise, just because a port is active on a machine acting as a server does not mean that it necessarily serves a specific purpose. We can very well declare an HTTP server on a machine on port 21 instead of 80. Simply, the software that connects to this machine will have to know that if it wants HTTP, it should contact port 21, not port 80.

    A mistake that is commonly made about ports is to assume that client software must use a port symmetrical to that of the server it contacts. For example, one might think that a web browser (HTTP, therefore) should open its own port 80 to access the web server of a remote machine (always on port 80). As seen above, this is completely false! Indeed, to connect to port 80 of the server, the client can open a different port, e.g. 80. And it will receive the HTML page it asked for on this same port.

    In fact, this is very logical because:
    • The client software may well want to access server software on the same machine, and in this case port 80 cannot be used for both the server software and the client software.
    • On a single machine, several programs can access multiple servers simultaneously, using identical services. For example, you can very well do a search on Google while reading information on a Linux site and downloading the latest version of Debian.

    Subnet Mask

    Simply put, the machines of an IP network are grouped together in mini-networks. But how does one determine the size of the network, and whether or not a machine is part of the same network as us? The answer is simple: the subnet mask, also called the IP mask, or simply the mask. Like the IP address, the subnet mask consists of 4 numbers separated by dots. But unlike the numbers of an IP address, the numbers of the mask can only have certain values: 0, 128, 192, 224, 240, 248, 252, 254, 255. In most cases, we find only the values 0 and 255. For example: 255.0.0.0 or 255.255.255.0.

    As noted above, each machine connected to a network must have an IP address that is unique in the network. In addition, all machines on a subnet have an identical subnet mask. It is the pair IP address / subnet mask that allows each machine to identify itself, and to identify the machines on its own subnet. In fact, it is the IP mask that determines the maximum number of machines that may be in a subnet.

    IP Network

    Each machine has an IP address and a subnet mask, which define the limits of the network. This brings us naturally to the notation of an IP network. An IP network defines a contiguous set of IP addresses, exactly like the boundary of a city as described above. The IP network is written as 2 sets of 4 numbers separated by a /. The first set is the smallest IP address of the network, minus one. For example, for a network whose machines have IP addresses ranging from 192.168.0.1 to 192.168.0.254, this figure will be 192.168.0.0. The second set is just the subnet mask: in our example, this will be 255.255.255.0.

    Finally, there is a second notation for IP networks, used as often as the first, but more convenient because it is faster to write. It consists of replacing the subnet mask notation (in this example, 255.255.255.0) by the number of bits set to 1 in the numbers it comprises. So use binary notation to find that number. For those too lazy to calculate, or who do not have a calculator handy, here is the number of bits set to 0 and 1 for the different values of the numbers making up the subnet mask.

    Gateway

    Now that we have discussed the concepts of the IP mask and the IP network, the gateway is only a formality. Using our analogy of a small town surrounded by a fence, we will now consider that this barrier is impenetrable, and that it has only a single exit point, closed by a gatekeeper.

    When an inhabitant of a building wants to exchange information with one of another building, then:
    • Either the building in question is in the same area, and in this case the inhabitants will exchange information directly.
    • Or the inhabitant will give the information to the gatekeeper, who will have to scramble to find the destination building. The details of what happens after that are not too important. What matters is the gatekeeper's response to the inhabitant. Either he has succeeded in transmitting the information, and therefore he will report the response to the resident; or he has failed to convey this information within a reasonable time, in which case he will tell the user, who will take the necessary decisions.

    A gateway is nothing but a machine with a certain IP address. Usually it is the last available address in a network, but this is not an obligation. For example, for the network 192.168.0.0/255.255.255.0, the IP address of the gateway is usually 192.168.0.254.
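    The subnet mask, IP network and gateway sections above describe arithmetic that is easiest to understand by doing it. The block below is an added example written for this thread, not code from the original post: it parses dotted-quad addresses into 32-bit integers, checks that a mask is a valid run of 1 bits followed by 0 bits (which is why only the values 0, 128, 192, ..., 255 can appear in a mask octet), converts between mask and prefix notation (the table the post refers to), computes the network address, broadcast address and usable host count, tests whether two addresses share a subnet, and reports the conventional last-host gateway address. The addresses used are constructed from the post's own 192.168.0.0/255.255.255.0 example, and the code is IPv4 only and avoids the ipaddress module so that the bit operations stay visible.

```python
"""IPv4 subnet arithmetic for the notions explained in the post above.

Added example, not the poster's code. IPv4 only; uses plain integer
arithmetic instead of the ipaddress module so the bit operations show.
"""


def dotted_to_int(dotted):
    """'192.168.0.1' -> 32-bit integer; rejects anything that is not four octets in 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask):
    """A mask is valid only if it is a run of 1s followed by a run of 0s."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    return m == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF


def mask_to_prefix(mask):
    """Number of 1 bits in a contiguous mask, i.e. the /N of CIDR notation."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask {mask}")
    return bin(dotted_to_int(mask)).count("1")


def prefix_to_mask(prefix):
    """/24 -> '255.255.255.0'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def describe_network(address, mask):
    """Network, CIDR form, broadcast, first/last usable host and host count for address/mask."""
    a = dotted_to_int(address)
    m = dotted_to_int(mask)
    prefix = mask_to_prefix(mask)
    network = a & m                      # keep the bits covered by the mask
    broadcast = network | (~m & 0xFFFFFFFF)  # set every host bit
    hosts = max(broadcast - network - 1, 0)  # exclude network and broadcast addresses
    return {
        "network": int_to_dotted(network),
        "cidr": f"{int_to_dotted(network)}/{prefix}",
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(network + 1) if hosts else None,
        "last_host": int_to_dotted(broadcast - 1) if hosts else None,  # usual gateway address
        "usable_hosts": hosts,
    }


def same_subnet(addr_a, addr_b, mask):
    """True when both addresses keep the same bits under the mask, i.e. can talk without a gateway."""
    m = dotted_to_int(mask)
    return (dotted_to_int(addr_a) & m) == (dotted_to_int(addr_b) & m)


if __name__ == "__main__":
    for key, val in describe_network("192.168.0.17", "255.255.255.0").items():
        print(f"{key:13} {val}")
    print("loopback /8 mask:", prefix_to_mask(8))
    print("same subnet:", same_subnet("192.168.0.17", "192.168.1.5", "255.255.255.0"))
```

    Note that describe_network() deliberately handles the degenerate /31 and /32 cases by reporting zero usable hosts rather than a negative count, and that a value such as 255.0.255.0 is rejected up front, since a non-contiguous mask would silently produce nonsense network boundaries.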

  3. #3
    Join Date
    May 2008
    Posts
    432

    Re: Linux Network Security

    Physical Network

    The cable itself can be an optical fiber, a pair of copper wires, an RJ-45 cable or a coaxial cable. Well, it is just a piece of wire, so we will not talk about it more than that.

    The network adapter is much more interesting. It is actually an electronic element that can be:
    • A network card, plugged into the computer case.
    • An internal or external modem, of PSTN (Public Switched Telephone Network) or ISDN type, talking to the machine via a serial interface (COM1, 2, 3, 4, for example).
    • An internal or external ADSL modem, talking to the machine via the PCI bus or a USB interface.
    • A virtual interface.

    On Linux, since that is what interests us here, we talk to these network adapters through the following interfaces:

    For a network card, the interface is ethX, where X is a number. For example, eth0, eth1, eth2, ... In general, a machine has a single NIC, so we only find eth0.

    For a modem, regardless of type, the interface is pppX, where X is a number. For example, ppp0, ppp1, ppp2, ... Again, a machine usually has only one modem, so there is only ppp0.

    Finally, even if a machine uses IP but has no network card, it has a special network interface called the loopback. We already talked about it earlier, regarding the network 127.0.0.0/8. And yes, for such a network to exist, it must be based on a network interface, and that is the role of the loopback interface, called simply lo. Apart from a utility that may seem purely cosmetic, this network interface is paramount, and you probably use it sometimes without realizing it. If, for example, you have a machine whose IP address is 192.168.0.1 on the network interface eth0, and from this machine you ping 192.168.0.1, it is not your physical network interface eth0 that you will use, but the interface lo. Indeed, the system will use the local interface, but leave you thinking you have actually used "eth0". We will see later the importance of this self-connection.

    Measures to Fix Network Security

    Recompile the kernel

    By default, the kernel provides inadequate security. Include all the firewall kernel options:
    • CONFIG_FIREWALL=y
    • CONFIG_NET_ALIAS=y
    • CONFIG_INET=y
    • CONFIG_SYN_COOKIES=y
    • CONFIG_RST_COOKIES=y
    • CONFIG_IP_FIREWALL=y
    • CONFIG_IP_FIREWALL_VERBOSE=y
    • CONFIG_IP_ALWAYS_DEFRAG=y
    • CONFIG_IP_ACCT=y
    • CONFIG_IP_ALIAS=m

    Edit the sysctl.conf

    These settings increase the stability of the IP stack under Denial of Service attacks and reduce the TCP/IP connection time, so that more connections can be handled over the same interval. They will also reduce the time that Linux waits to close a connection and the time after which Linux drops a stale link. These settings will also disable some extensions to the TCP/IP protocol that we do not need.
    • net.ipv4.icmp_ignore_bogus_error_responses = 1
    • net.ipv4.conf.all.log_martians = 1
    • net.ipv4.conf.all.accept_source_route = 0
    • net.ipv4.tcp_syncookies = 1
    • net.ipv4.conf.all.send_redirects = 0
    • net.ipv4.conf.all.accept_redirects = 0
    • net.ipv4.tcp_fin_timeout = 30
    • net.ipv4.tcp_keepalive_time = 1800
    • net.ipv4.tcp_window_scaling = 0
    • net.ipv4.tcp_sack = 0
    • net.ipv4.tcp_timestamps = 0
    • net.ipv4.tcp_max_syn_backlog = 1280
    • net.ipv4.conf.all.forwarding = 0
    • net.ipv4.icmp_echo_ignore_broadcasts = 1

    IP Chains

    IP filtering is a mechanism that works at the network level, i.e. it knows nothing about the applications that use the network connections; it decides what to do with received or sent packets: handle them normally or ignore them. An IP filtering ruleset is made up of a combination of criteria that define the packets to be filtered: the protocol type (TCP, UDP, ICMP, etc.), the socket number, the type of packet (flags, data, echo-request) and the sender and receiver of the packet. Red Hat 7.0 includes the administration program ipchains for building and managing a firewall. It has a simplified command syntax compared with ipfwadm, flexibility, and a chaining mechanism that allows creating sets of rules and associations between them.

    Disabling Nonessential Services

    It is necessary to determine what the purpose of each host will be. By default, the Linux OS starts many services, such as sendmail, pop3, wu-ftpd, finger, nfs, rpc, the R services, telnet, SMB, and others. The Red Hat Linux distribution has a handy program, ntsysv, for controlling which services are loaded. The only downside: ntsysv will need to be run for each mode of operation. You must define the purpose of the host in order to evaluate the usefulness, benefits and risks of the services that are loaded.

    Daemon Servers

    Samba: Samba is a set of programs implementing the Session Message Block protocol on *nix. It allows you to share *nix filesystems and Windows FAT filesystems from *nix, as well as printers connected either to computers running *nix or to computers running WindowsX. It is better to take the latest version of the package, 2.2.1a, where security bugs are fixed, compatibility with Win2000 is improved and much more is different.

    Apache: Apache is a free web server, designed on the principles of the open source model. Currently, according to the surveys of various companies, Apache is the most popular web server on the Internet. By default, the Apache server is installed with optimal protection options. So, for example, to enable CGI and SSI you will have to register them in /usr/local/apache/conf/httpd.conf.

    wu-ftpd: FTP is the File Transfer Protocol, the standard method of transferring files from one system to another. Red Hat Linux uses the free server wu-ftpd.

    Secure Shell: SSH is a secure login system that comes to replace telnet, rlogin, rsh, and others. Authentication and session encryption run invisibly to the user, and initialization is almost as easy as with telnet. Installing the standard ssh distribution: tar, ./configure, make, make install. On the first start, the necessary keys are created automatically. Edit /etc/ssh/sshd_config. Early versions of ssh had significant security problems (a tendency to buffer overflows, etc.). The use of ssh versions up to and including SSH-1.5-OpenSSH-1.2.3 should be refused, because an attacker using packet analyzers and man-in-the-middle methods can intercept and decode your encrypted passwords. Always use the latest version of ssh.

    Install a New Kernel

    Is moving from 02/02/1916 to 2.4.8 necessary? You decide. Here is a short list (the full one can be found at www.kernel.org) of fixes, improvements and innovations: support for new hardware, optimization, improved security, bug fixes, improved SMP support, ports to other architectures, support for different file systems, iptables, etc.

    Use the encryption keys

    For many, this is a nuisance. When you log in and your machine makes requests to connect to a network (or an LDAP server, etc.), you will be prompted to enter the encryption key of your "keychain" (or keyring). There is a huge temptation to turn this feature off by giving a blank password and dismissing the warning that the information will be transmitted unencrypted (including your own passwords!). This is not a good idea. Although it is really a nuisance, this feature is there for a reason: to encrypt sensitive passwords when they are sent over our network.

    Force users to change their passwords

    In any multi-user environment (like Linux), you have to make sure your users change their passwords periodically. This uses the chage command. You can check the password expiration for a user with sudo chage -l USERNAME (where USERNAME is the username you want to check). To set it, you can run the command sudo chage -E EXPIRY_DATE -m MIN_AGE -M MAX_AGE -I INACTIVE_DAYS -W WARN_DAYS USERNAME (in which case all the options must be defined by the user). For more information about this command, see the manual page (type the command man chage).

    Do not disable SELinux

    Like the keychain (keyring), SELinux is there for a reason. SE stands for Security Enhanced, and it provides the mechanism that controls access to applications. I have read a series of "solutions" to various problems that recommend disabling SELinux. In fact, rather than a solution, this step ends up creating more problems. If a particular program is not working properly, you should consider modifying the SELinux policies to best suit your needs instead of disabling SELinux altogether. If it seems cumbersome to do through the command line, you might want to play with an interface called polgengui.

    Install the security updates quickly

    There is a huge difference between how Linux and Windows handle updates. While Windows normally performs a bulk update once in a while, Linux makes smaller, frequent updates. Ignoring these updates can be disastrous if the relevant security hole is left unpatched on your system. Never forget that some of those updates are security patches that must be applied immediately. For that reason, never ignore the icon indicating the availability of new updates. Stay up to date and, at the end of the day, you will have a safer system.
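    The sysctl.conf list in this post is only useful if the running kernel actually reflects it, and values drift as packages, tuning tools and other administrators touch them. The following is an added example written for this thread, not code from the original post: it takes the post's fourteen net.ipv4 settings as the expected table, parses "key = value" lines in the format printed by sysctl -a (the same syntax used by /etc/sysctl.conf), reports every key that is missing or differs, and renders the corrections back out in sysctl.conf syntax. SAMPLE_OUTPUT is a constructed capture, not taken from a real host; live_values() runs the real sysctl -a when it is available and falls back to the sample otherwise. The RECOMMENDED table simply mirrors the post's list and can be edited for your own baseline.

```python
"""Compare a host's sysctl values with the hardening list from the post above.

Added example, not the poster's code. SAMPLE_OUTPUT is constructed.
"""
import subprocess

# Expected values, copied from the sysctl.conf list in the post.
RECOMMENDED = {
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.tcp_fin_timeout": "30",
    "net.ipv4.tcp_keepalive_time": "1800",
    "net.ipv4.tcp_window_scaling": "0",
    "net.ipv4.tcp_sack": "0",
    "net.ipv4.tcp_timestamps": "0",
    "net.ipv4.tcp_max_syn_backlog": "1280",
    "net.ipv4.conf.all.forwarding": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
}

# Constructed sample of `sysctl -a` output: accept_redirects and tcp_fin_timeout
# drift from the list, and tcp_syncookies is absent altogether.
SAMPLE_OUTPUT = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 0
# net.ipv4.tcp_syncookies deliberately left out of this constructed sample
"""


def parse_sysctl(text):
    """Parse 'key = value' lines; blank lines, comments and lines without '=' are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def find_drift(current, recommended=RECOMMENDED):
    """Return {key: (current_value_or_None, expected_value)} for every mismatch."""
    drift = {}
    for key, expected in recommended.items():
        actual = current.get(key)
        if actual != expected:
            drift[key] = (actual, expected)
    return drift


def render_sysctl_conf(drift):
    """Lines in /etc/sysctl.conf syntax that would bring the drifting keys back in line."""
    return "\n".join(f"{key} = {expected}" for key, (_, expected) in sorted(drift.items()))


def live_values():
    """Read the real values with `sysctl -a` (Linux); returns {} if the command is unavailable."""
    try:
        result = subprocess.run(["sysctl", "-a"], capture_output=True, text=True, check=False)
    except OSError:
        return {}
    return parse_sysctl(result.stdout)


if __name__ == "__main__":
    # Prefer the live kernel; fall back to the constructed sample when sysctl is absent.
    current = live_values() or parse_sysctl(SAMPLE_OUTPUT)
    drift = find_drift(current)
    for key, (actual, expected) in sorted(drift.items()):
        print(f"{key}: current={actual!r} expected={expected}")
    if drift:
        print("\n# lines to append to /etc/sysctl.conf:\n" + render_sysctl_conf(drift))
```

    A missing key is reported as drift too (current value None), because on a host where the kernel was built without the feature the setting silently does nothing, which is exactly the case an administrator wants to hear about.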
