Ensurepass

33. Security
33.1 TCP Wrappers
1. Provides host based security.
2. Configuration files: /etc/hosts.allow and /etc/hosts.deny.
   o hosts.allow is checked first. If access isn't explicitly permitted there, hosts.deny is checked. If access isn't explicitly denied there either, access is granted.
   o Configuration file format (one rule per line):
        daemon_list : client_list [: options]
   o Special keywords:
      - ALL – Can be used to represent all clients and/or all services. For example, to deny access to every service from all clients, place the following in /etc/hosts.deny:
             ALL:ALL
      - EXCEPT – Can be used with ALL to provide exceptions. For example, to deny access to all services except sshd and vsftp from all clients, place the following in /etc/hosts.deny. The list after EXCEPT is comma- or space-separated; a second EXCEPT does not extend the exception list but nests, so "ALL EXCEPT sshd EXCEPT vsftp" parses as ALL EXCEPT (sshd EXCEPT vsftp) and still denies vsftp:
             ALL EXCEPT sshd, vsftp : ALL
      - LOCAL – Can be used to represent all hosts without a dot in their name.
      - UNKNOWN – All hosts or users that can't be looked up.
      - KNOWN – All hosts or users that can be resolved.
      - PARANOID – All hosts where the forward and reverse lookups do not match.
3. tcpd
   o The tcpd program checks permissions and launches the specified service if access is permitted.
   o tcpd is typically used with inetd type services.
4. libwrap
   o Programs compiled against libwrap can use the tcp wrappers configuration files to determine access without going through the tcpd program.
   o Many programs in Red Hat Linux are compiled against libwrap. These include:
      - sendmail
      - slapd
      - sshd
      - stunnel
      - tcpd
      - xinetd (this covers all services executed by xinetd)
      - gdm
      - gnome-session
      - ORBit
      - portmap
5. Options
   o Can be used to execute a command when a rule matches. For example, to e-mail root a warning message every time someone tries to telnet in from cracker.org, put the following (one rule, on one line) in /etc/hosts.deny:
        in.telnetd : .cracker.org : spawn echo "login attempt from %c to %s" | mail -s "Telnet login warning" root
   o Variable replacements:
      - %c – client information (user@host)
      - %s – service information (service@host)
      - %h – client's hostname, or IP address if the hostname is unavailable
      - %p – the server process id
   o See the hosts_options man page for more information.
6. Example Setup
   o /etc/hosts.allow:

        # Allow all clients in the 192.168.1.0/24 network and the client at 63.21.45.2 access
        # to sshd and imapd.
        sshd, imapd:192.168.1. 63.21.45.2

        # For a multi-homed host, you can specify the interface. This allows all hosts
        # in 192.168.1.0/24 to access in.ftpd, but only if it's through the 192.168.1.10 interface.
        in.ftpd@192.168.1.10:192.168.1.

        # Allow access to pop3d by all hosts in the somedomain.com domain.
        pop3d:.somedomain.com

        # Another way to specify a network: address/netmask.
        vsftp:192.168.1.0/255.255.255.0

        # Allow access to telnet from the 'research' network (defined in /etc/networks or NIS).
        in.telnetd:@research

   o /etc/hosts.deny:

        # Deny access to all services that aren't explicitly permitted in /etc/hosts.allow.
        ALL:ALL

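Added example, not from the page: a small Python model of the lookup order and client/daemon pattern forms described above, run over constructed hosts.allow and hosts.deny contents taken from the example setup. It also shows why a chained EXCEPT does not extend the exception list. The function names (hosts_access, match_list, match_token, file_matches) are the example's own.

```python
import ipaddress
# Constructed hosts.allow / hosts.deny texts following the page's example setup.
# Simplification: the client is one hostname or address string (real tcpd matches
# patterns against both), and the optional third (options) field is ignored.
HOSTS_ALLOW = """
sshd, imapd : 192.168.1. 63.21.45.2
pop3d : .somedomain.com
vsftp : 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL EXCEPT sshd, vsftp : ALL\n"
# Chained form: parses as ALL EXCEPT (sshd EXCEPT vsftp), i.e. ALL EXCEPT sshd.
HOSTS_DENY_CHAINED = "ALL EXCEPT sshd EXCEPT vsftp : ALL\n"

def match_token(pat, value):
    """One pattern (ALL, LOCAL, .domain, net., net/mask or exact) against one value."""
    if pat in ("ALL", "LOCAL"):
        return pat == "ALL" or "." not in value
    if pat.startswith("."):            # domain suffix
        return value.endswith(pat)
    if pat.endswith("."):              # network prefix
        return value.startswith(pat)
    if "/" in pat:                     # net/mask
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            return False
    return pat == value

def match_list(spec, value):
    """'a, b EXCEPT c EXCEPT d' nests as (a, b) EXCEPT (c EXCEPT d), per hosts_access(5)."""
    head, sep, tail = spec.partition(" EXCEPT ")
    hit = any(match_token(p, value) for p in head.replace(",", " ").split())
    return hit and not (sep and match_list(tail, value))

def file_matches(text, daemon, client):
    """True if any 'daemon_list : client_list [: options]' line matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if match_list(fields[0], daemon) and match_list(fields[1], client):
            return True
    return False

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Lookup order from the page: hosts.allow first, then hosts.deny, else grant."""
    if file_matches(allow, daemon, client):
        return True
    return not file_matches(deny, daemon, client)
```

Compare hosts_access("vsftp", "10.0.0.1") under HOSTS_DENY (granted) with the same call under HOSTS_DENY_CHAINED (denied) to see the nesting effect.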
33.2 xinetd based security
1. Overview
   o xinetd has its own host based access controls built in.
   o TCP Wrappers are checked first. If TCP Wrappers permits access, then xinetd's access controls are checked.
   o Provides some additional restrictions that TCP Wrappers doesn't: time of day, maximum number of instances, and number of instances allowed per source.
2. Access Controls (each is an attribute inside a service block, written as attribute = value)
   o only_from – Specifies which hosts are allowed to access this service.
        only_from = 192.168.1.0/24
   o no_access – Specifically deny a host or hosts.
        no_access = 192.168.1.20
     NOTE: If both only_from and no_access are specified, the more specific match wins. In this case no_access wins because it names a specific host within the 192.168.1.0/24 network.
   o access_times – Specifies a time period during which access is allowed.
        access_times = 07:30-17:30
   o instances – Specifies the maximum number of instances of this service that may be running at once.
        instances = 100
   o per_source – Specifies the maximum number of instances that can be started per source IP address.
        per_source = 3

33.3 IPCHAINS
1. Overview
   o ipchains is the packet filter provided in the 2.2 kernels.
   o Also supported by 2.4 kernels with the ipchains compatibility module.
   o Format:
        ipchains [action] [chain] [options] [target]
        ipchains -A input -i eth0 -p tcp -s 192.168.1.20 -d 0.0.0.0/0 -j ACCEPT

2. Capabilities
   o Actions
      - -A = Append rule to end of chain
      - -I = Insert rule at beginning of chain
      - -D = Delete existing rule in chain
      - -N = Create new chain
      - -X = Delete a chain (user defined only)
      - -P = Set default policy for chain (ACCEPT, DENY, or REJECT)
      - -F = Flush all rules in a chain
      - -L = List existing rules (can specify a specific chain)
   o Chains – 3 built-in chains. Names are in lower case.
      - input – All packets that come into an interface pass through this chain, even packets that are being routed on to another interface.
      - forward – All packets that come in one interface and leave on another pass through this chain.
      - output – All packets leaving an interface pass through this chain, even packets that are being routed from another interface.
   o Options
      - -i = Interface (eth0, eth1, lo)
      - -p = Protocol (udp, tcp, icmp, or the protocol number)
      - -s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.). Can also include the source port for tcp/udp (192.168.1.20 80).
      - -d = Same as -s, only for the destination address
      - -y = Matches a packet that has only the SYN flag set (first step in the TCP handshake)
      - -l = Log the packet
      - --source-port = Specify a source port without a source address
      - --destination-port = Specify a destination port without a destination address
   o Targets
      - DENY = Drop the packet without sending any sort of response to the source
      - REJECT = Drop the packet, but send the source an ICMP error message
      - ACCEPT = Accept the packet
      - <chain name> = Jump to a user defined chain for further processing

3. Examples

   # Set the default policies to DENY
   ipchains -P input DENY
   ipchains -P output DENY
   ipchains -P forward DENY

   # Allow all incoming tcp connections on interface eth0 to port 80 (www)
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 1024: --destination-port 80 -j ACCEPT

   # We must also allow packets back out in order for the connection to work
   ipchains -A output -i eth0 -p tcp --source-port 80 -d 0.0.0.0/0 1024: -j ACCEPT

   # Allow outgoing connections to other web servers
   ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 80 -j ACCEPT
   ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 81 -j ACCEPT
   ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 443 -j ACCEPT

   # We must now allow TCP packets back in on ports >= 1024 to complete the connection. However,
   # we don't want to allow any packet through with the SYN flag set since that would indicate
   # someone is trying to make a connection to us.
   ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 80 --destination-port 1024: -j ACCEPT
   ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 81 --destination-port 1024: -j ACCEPT
   ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 443 --destination-port 1024: -j ACCEPT

   # Allow external access to our DNS services.
   ipchains -A input -i eth0 -p udp --destination-port 53 -j ACCEPT
   ipchains -A output -i eth0 -p udp --source-port 53 -j ACCEPT

   # If you leave out a source (-s) or destination (-d) address it's like specifying
   # 0.0.0.0/0 (any address) for it.

   #
   # MASQUERADING
   #
   # In these examples, eth0 is the external interface on the firewall, and eth1 is the
   # internal interface.

   # Set masquerade timeouts:
   #   2 hours (7200 sec) for TCP sessions,
   #   15 seconds for TCP traffic after a FIN is received,
   #   3 minutes (180 sec) for UDP traffic.
   /sbin/ipchains -M -S 7200 15 180

   # Set up the masquerading. INTERNAL_LAN is a shell variable holding the internal network.
   # Remember that the default policy is set to DENY above. Otherwise we would set it here.
   /sbin/ipchains -A forward -i eth0 -s $INTERNAL_LAN -j MASQ
33.4 IPTABLES (Netfilter)
1. Overview
   o 2.4 kernels only.
   o Many benefits over ipchains:
      1. Connection tracking.
      2. Rate limiting.
      3. Support for true NAT.
      4. Many more filtering options: all TCP flags, MAC addresses, owning user, etc.
      5. Improved logging.
   o Format:
        iptables [-t table] [action] [chain] [options] [target]
        iptables -t filter -A INPUT -m state --state NEW -p tcp -s 192.168.1.0/24 -j ACCEPT

2. Capabilities
   o Table – Specifies which table the chain belongs to: filter, nat, or mangle. The filter table is used when -t is omitted.
   o Action – See the ipchains actions above.
   o Chains – 5 built-in chains. Names are capitalized, unlike ipchains.
      # Filter table:
      - INPUT – All packets entering an interface that are destined for a local process use this chain. Note that packets being routed from one interface to another do NOT go through this chain, as they would with ipchains.
      - FORWARD – Only packets routed from one interface to another pass through this chain.
      - OUTPUT – All packets leaving an interface that originated from a local process use this chain. Note that packets being routed from one interface to another do NOT go through this chain, as they would with ipchains.
      # Nat table:
      - PREROUTING – Rules in this chain are applied before it is determined whether the packet will use the INPUT or FORWARD chain. Destination NAT (DNAT) is configured in this chain.
      - POSTROUTING – Rules in this chain are applied after the OUTPUT and FORWARD chains. Source NAT (SNAT) is configured in this chain.
   o Options
      - -i = Input interface (eth0, eth1, lo)
      - -o = Output interface (eth0, eth1, lo)
      - -p = Protocol (udp, tcp, icmp, or the protocol number)
      - -s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
      - -d = Same as -s, only for the destination address
      - -m = Specify an extension module to load (e.g. -m state). It must appear before the options that module provides (e.g. --state); the page's own ICMP example below places it after -p and --icmp-type.
      - --sport = Source port
      - --dport = Destination port
   o Targets
      # 3 default targets
      - DROP = Drop the packet without returning any indication to the source that it was dropped
      - ACCEPT = Accept the packet
      - <chain name> = Jump to a user defined chain
      # Additional targets provided by modules:
      - LOG = Log the packet
      - REJECT = Reject the packet and send the source a user defined response (defaults to an ICMP error message)
   o Connection tracking
      1. Requires the state module (-m state).
      2. Packet states:
         - NEW = A new connection
         - ESTABLISHED = Packet is part of an existing connection
         - RELATED = Packet is related to an existing connection (e.g. ICMP error messages)
         - INVALID = Packet could not be associated with any known connection
      3. Tracking FTP connections: because of the nature of the FTP protocol, tracking FTP connections requires a special kernel module, ip_conntrack_ftp. If you wish to use NAT with FTP connection tracking, you must also load the ip_nat_ftp kernel module.
3. Examples

   # Set the default policies to DROP (iptables has no DENY target; DROP is its equivalent)
   iptables -P INPUT DROP
   iptables -P OUTPUT DROP
   iptables -P FORWARD DROP

   # Allow all incoming tcp connections on interface eth0 to port 80 (www)
   iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: --dport 80 -j ACCEPT

   # We must also allow packets back out in order for the connection to work since we aren't
   # using connection tracking for this service
   iptables -A OUTPUT -o eth0 -p tcp --sport 80 -d 0.0.0.0/0 --dport 1024: -j ACCEPT

   # Allow outgoing connections to all ports, and use connection tracking so
   # we don't have to create rules to allow us to receive the packets coming back.
   iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED \
       -o eth0 -p tcp --sport 1024: -j ACCEPT
   iptables -A INPUT -m state --state ESTABLISHED,RELATED \
       -i eth0 -p tcp --dport 1024: -j ACCEPT

   # Allow external access to our DNS services, and keep state on the connection.
   iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
       -i eth0 -p udp --dport 53 -j ACCEPT
   iptables -A OUTPUT -m state --state ESTABLISHED,RELATED \
       -o eth0 -p udp --sport 53 -j ACCEPT

   # Redirect all incoming traffic that hits port 8080 to port 80 on a web server
   # in our internal LAN. (With the FORWARD policy set to DROP above, matching FORWARD
   # rules are also needed before the redirected traffic will pass.)
   iptables -t nat -A PREROUTING \
       -p tcp -i eth0 --dport 8080 \
       -j DNAT --to-destination 192.168.1.10:80

   # Source NAT. EXTERNAL_IP_ADDRESS is a shell variable holding the address of eth0.
   iptables -t nat -A POSTROUTING \
       -o eth0 -s 192.168.1.0/24 \
       -j SNAT --to-source $EXTERNAL_IP_ADDRESS

   # Allow ICMP echo requests, but limit them to 1 per second. A burst of 3 lets
   # up to 3 ICMP packets through before the rate limiting kicks in.
   iptables -A INPUT -i eth0 -p icmp --icmp-type 8 \
       -m state --state NEW,ESTABLISHED \
       -m limit --limit 1/s --limit-burst 3 \
       -j ACCEPT

   iptables -A OUTPUT -o eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT
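Added example, not from the page: a constructed Python model comparing the two ways the notes admit return traffic for outbound web connections, the stateless ipchains rules (accept non-SYN packets from a web port to ports >= 1024) and the iptables -m state rules (accept only packets belonging to a tracked connection). No kernel, ipchains or iptables is involved; Packet, ipchains_input, StatefulFilter and compare are the example's own names, and the conntrack table is a deliberately minimal stand-in.

```python
from collections import namedtuple

# Constructed packet: syn means "only the SYN flag is set" (what ipchains -y matches).
Packet = namedtuple("Packet", "src sport dst dport syn")
WEB_PORTS = (80, 81, 443)

def ipchains_input(pkt):
    """ipchains -A input -p tcp ! -y -s 0.0.0.0/0 <web port> --destination-port 1024: -j ACCEPT"""
    if pkt.sport in WEB_PORTS and pkt.dport >= 1024 and not pkt.syn:
        return "ACCEPT"
    return "DENY"            # default input policy from the page's example

class StatefulFilter:
    """Stand-in for connection tracking plus the page's OUTPUT/INPUT -m state rules."""
    def __init__(self):
        self.conntrack = set()   # (src, sport, dst, dport) of accepted outbound connections

    def state(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "ESTABLISHED"
        return "NEW" if pkt.syn else "INVALID"   # model: only a SYN opens a connection

    def output(self, pkt):
        """iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 1024: -j ACCEPT"""
        if pkt.sport >= 1024 and self.state(pkt) in ("NEW", "ESTABLISHED"):
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        return "DROP"

    def input(self, pkt):
        """iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --dport 1024: -j ACCEPT"""
        if pkt.dport >= 1024 and self.state(pkt) == "ESTABLISHED":
            return "ACCEPT"
        return "DROP"

def compare(inbound, prior_outbound=()):
    """Verdicts (stateless, stateful) for one inbound packet after the given outbound ones."""
    sf = StatefulFilter()
    for pkt in prior_outbound:
        sf.output(pkt)
    return ipchains_input(inbound), sf.input(inbound)
```

A reply to a connection this host opened passes both filters; an unsolicited non-SYN packet from port 80 passes only the stateless rule, which is why the conntrack rules are the tighter choice.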

Download the Ensurepass Latest 2013 RHCE EX300 Practise Test PDF to pass RHCE EX300 exam.
