Archive for October, 2007

Chapter 6 Securing Linux, p. 209: To view a particular log file

Wednesday, October 31st, 2007

To view a particular log file, click the log name in the left column. If you are looking for a particular message or problem, type a keyword into the Filter For box, and click Filter. Only lines containing that keyword are displayed. Case matters, so searching for Mem won't find mem when you use the filter. Click Reset to display the whole file again.

Table 6-3 contains a listing of log files displayed in the System Logs window, along with other files in the /var/log directory that may interest you. Many of these files are included with most Linux systems.

Table 6-3: Log Files in the /var/log Directory (System Logs name, filename, description)

    Boot Log (boot.log): Contains messages indicating which system services have started and shut down successfully and which (if any) have failed to start or stop. The most recent bootup messages are listed near the end of the file.
    Cron Log (cron): Contains status messages from crond, a daemon that periodically runs scheduled jobs, such as backups and log file rotation.
    Kernel Startup Log (dmesg): A recording of messages printed by the kernel when the system boots.
    FTP Log (xferlog): Contains information about files transferred using the wu-ftpd FTP service.
    Apache Access Log (httpd/access_log): Logs requests for information from your Apache Web server.
    Apache Error Log (httpd/error_log): Logs errors encountered from clients trying to access data on your Apache Web server.
    Mail Log (maillog): Contains information about addresses to which and from which e-mail was sent. Useful for detecting spamming.
    MySQL Server Log (mysqld.log): Includes information related to activities of the MySQL database server (mysqld).
    News Log (spooler): Directory containing logs of messages from the Usenet News server if you are running one.
    RPM Packages (rpmpkgs): Contains a listing of RPM packages that are installed on your system.

Part II Running the Show, p. 208: to grant universal access to

Wednesday, October 31st, 2007

to grant universal access to a particular service may be easier than typing in a long list of subnets or domains, but better a few minutes spent on proper security measures than many hours recovering from a break-in.

You can further restrict access to services by using various options within the /etc/xinetd.conf file, even to the point of limiting access to certain services to specific times of the day. Read the manual page for xinetd (by typing man xinetd at a command prompt) to learn more about these options.

Detecting Intrusions from Log Files

If you make use of good firewalling practices as described in Chapter 17, you will be well prepared to mitigate and prevent most cracker attacks. If your firewall should fail to stop an intrusion, you must be able to recognize the attack when it is occurring. Understanding the various (and numerous) log files in which Linux records important events is critical to this goal. The log files for your Linux system can be found in the /var/log directory.

Most Linux systems make use of log-viewing tools, either provided with the desktop environment (such as GNOME) or as a command you can execute from a terminal window. Fedora Core and Red Hat Enterprise Linux come with a System Logs window (system-logviewer command) that you can use to view and search critical system log files from the GUI. To open the System Logs window in Fedora, from the main desktop menu, select System Tools, then System Logs. Figure 6-1 shows an example of the System Logs window.

Figure 6-1: Display system log files in the System Logs window.

Chapter 6 Securing Linux, p. 207: matches the address of nearly every

Tuesday, October 30th, 2007

matches the address of nearly every host on the Eindhoven University of Technology network (131.155.x.x).

- A string that begins with an at sign (@) is treated as an NIS (formerly YP) netgroup name. A host name is matched if it is a host member of the specified netgroup. Netgroup matches are not supported for daemon process names or for client user names.
- An expression of the form n.n.n.n/m.m.m.m is interpreted as a net/mask pair. A host address is matched if net is equal to the bitwise AND of the address and the mask. For example, the net/mask pattern 131.155.72.0/255.255.254.0 matches every address in the range 131.155.72.0 through 131.155.73.255.

The example hosts.allow contains the first two types of client specification. The entry 199.170.177. will match any IP address that begins with that string, such as 199.170.177.25. The client entry .linuxtoys.net will match host names such as jukebox.linuxtoys.net or picframe.linuxtoys.net.

Take a look at what happens when a host named jukebox.linuxtoys.net (with IP address 199.170.179.18) connects to your Linux system using the Telnet protocol:

1. Xinetd receives the connection request.
2. Xinetd begins comparing the address and name of jukebox.linuxtoys.net to the rules listed in /etc/hosts.allow. It starts at the top of the file and works its way down the file until finding a match. Both the daemon (the program handling the network service on your Linux box) and the connecting client's IP address or name must match the information in the hosts.allow file. In this case, the second rule that is encountered matches the request:

       in.telnetd: 199.170.177., .linuxtoys.net

3. The jukebox host is not in the 199.170.177 subnet, but it is in the linuxtoys.net domain. Xinetd stops searching the file as soon as it finds this match.

What if jukebox connects to your box using the IMAP protocol? Requests from jukebox for the IMAP service match none of the rules in hosts.allow; the only line that refers to the imapd daemon does not refer to the 199.170.179 subnet or to the linuxtoys.net domain. Xinetd continues on to the hosts.deny file. The entry ALL: ALL matches anything, so tcpd denies the connection.

The ALL wildcard was also used in the hosts.allow file, telling xinetd to permit absolutely any host to connect to the FTP service on the Linux box. This is appropriate for running an anonymous FTP server that anyone on the Internet can access. If you are not running an anonymous FTP site, you probably should not use the ALL flag.

A good rule of thumb is to make your hosts.allow and hosts.deny files as restrictive as possible and to explicitly enable only those services that you really need. Also, grant access only to those systems that really need access. Using the ALL flag

Part II Running the Show, p. 206: It is not necessary (or

Monday, October 29th, 2007

It is not necessary (or even possible) to list every single address that may connect to your computer. The hosts.allow and hosts.deny files enable you to specify entire subnets and groups of addresses. You can even use the keyword ALL to specify all possible addresses. You can also restrict specific entries in these files so they only apply to specific network services. Take a look at an example of a typical pair of hosts.allow and hosts.deny files. Here's the /etc/hosts.allow file:

    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the /usr/sbin/tcpd server.
    #
    cups-lpd: 199.170.177.
    in.telnetd: 199.170.177., .linuxtoys.net
    vsftpd: ALL

Here's the /etc/hosts.deny file:

    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as
    #               decided by the /usr/sbin/tcpd server.
    #
    ALL: ALL

This example is a rather restrictive configuration. It allows connections to the cups-lpd and telnet services from certain hosts, but then denies all other connections. It also allows connections to the FTP service (vsftpd) from all hosts. Let's examine the files in detail.

As usual, lines beginning with a # character are comments and are ignored by xinetd when it parses the file. Each noncomment line consists of a comma-separated list of daemons followed by a colon (:) character and then a comma-separated list of client addresses to check (for example, tftpd,fingerd: .linuxtoys.net, .fedoratrouble.com). In this context, a client is any computer that attempts to access a network service on your system.

A client entry can be a numeric IP address (such as 199.170.177.25) or a host name (such as jukebox.linuxtoys.net) but is more often a wildcard variation that specifies an entire range of addresses. A client entry can take four different forms. The online manual page for the hosts.allow file describes them as follows:

- A string that begins with a dot character (.). A host name is matched if the last components of its name match the specified pattern. For example, the pattern .tue.nl matches the host name wzv.win.tue.nl.
- A string that ends with a dot character (.). A host address is matched if its first numeric fields match the given string. For example, the pattern 131.155.

Chapter 6 Securing Linux, p. 205: The rsync service is a nice

Sunday, October 28th, 2007

The rsync service is a nice one to turn on if your machine is an FTP server. It enables people to use an rsync client (which includes a checksum-search algorithm) to download files from your server. With that feature, users can restart a disrupted download without having to start from the beginning.

Because most services are disabled by default, your computer is only as insecure as you make it. You can double-check that insecure services, such as rlogin and rsh (which are included in the rsh-server package), are also disabled by making sure that disable = yes is set in the /etc/xinetd.d/rlogin and rsh files.

You can make the remote login service active but disable the use of the /etc/hosts.equiv and .rhosts files, requiring rlogin to always prompt for a password. Rather than disabling the service, locate the server line in the rsh file (server = /usr/sbin/in.rshd) and add a space followed by -L at the end.

You now need to send a signal to the xinetd process to tell it to reload its configuration file. The quickest way to do that is to restart the service. As the root user, type the following from a shell:

    # service xinetd restart
    Stopping xinetd:                                           [  OK  ]
    Starting xinetd:                                           [  OK  ]

That's it; you have enabled the ipop3 service. Provided that you have properly configured your mail server, clients should now be able to get their mail from your computer.

Using TCP Wrappers

Completely disabling an unused service is fine, but what about the services that you really need? How can you selectively grant and deny access to these services?

With most current Linux distributions, TCP wrapper support has been integrated into the xinetd daemon. Xinetd will look at the /etc/hosts.allow and /etc/hosts.deny files to determine when a particular connection should be granted or refused for services such as rlogin, rsh, telnet, finger, and talk.

When a service that relies on TCP wrappers is requested, the hosts.allow and hosts.deny files are scanned and checked for an entry that matches the IP address of the connecting machine. The following checks are made when connection attempts occur:

- If the address is listed in the hosts.allow file, the connection is allowed, and hosts.deny is not checked.
- Otherwise, if the address is in hosts.deny, the connection is denied.
- Finally, if the address is in neither file, the connection is allowed.
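
The three-step check above, the example hosts.allow and hosts.deny files and the four client-entry forms in the two posts above (October 29 and October 30) can be exercised offline with the following Python script. It is an added example, not code from the book or from the tcp_wrappers or xinetd projects: the two files are embedded as constructed copies of the page's example, the NIS netgroup table is a constructed stand-in for a real NIS lookup, and the function names are my own.

```python
import ipaddress

# Constructed copies of the example /etc/hosts.allow and /etc/hosts.deny files
HOSTS_ALLOW = """\
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the /usr/sbin/tcpd server.
#
cups-lpd: 199.170.177.
in.telnetd: 199.170.177., .linuxtoys.net
vsftpd: ALL
"""

HOSTS_DENY = """\
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as
#               decided by the /usr/sbin/tcpd server.
#
ALL: ALL
"""

# Constructed stand-in for NIS netgroups; a real system would query NIS/YP
NETGROUPS = {"printers": {"picframe.linuxtoys.net"}}


def parse_rules(text):
    """Return a list of (daemons, clients) pairs; comments and blank lines are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",") if c.strip()]))
    return rules


def client_matches(pattern, addr, hostname):
    """Apply one client entry: ALL, .suffix, prefix., @netgroup, net/mask or a literal."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # leading dot: host-name suffix match
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # trailing dot: address prefix match
        return addr.startswith(pattern)
    if pattern.startswith("@"):            # NIS netgroup membership (constructed table)
        return hostname in NETGROUPS.get(pattern[1:], set())
    if "/" in pattern:                     # net/mask: (addr AND mask) must equal net
        net, mask = pattern.split("/", 1)
        net_i = int(ipaddress.IPv4Address(net))
        mask_i = int(ipaddress.IPv4Address(mask))
        return (int(ipaddress.IPv4Address(addr)) & mask_i) == net_i
    return pattern in (addr, hostname)     # literal address or host name


def rule_matches(rule, daemon, addr, hostname):
    """Both the daemon list and the client list must match, as the text requires."""
    daemons, clients = rule
    if not any(d in ("ALL", daemon) for d in daemons):
        return False
    return any(client_matches(c, addr, hostname) for c in clients)


def access_decision(daemon, addr, hostname, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """The three checks in order: hosts.allow, then hosts.deny, then default allow."""
    for rule in parse_rules(allow):        # first match wins, top to bottom
        if rule_matches(rule, daemon, addr, hostname):
            return "allow"
    for rule in parse_rules(deny):
        if rule_matches(rule, daemon, addr, hostname):
            return "deny"
    return "allow"


if __name__ == "__main__":
    # jukebox.linuxtoys.net (199.170.179.18) over telnet, IMAP and FTP
    for svc in ("in.telnetd", "imapd", "vsftpd"):
        print(svc, access_decision(svc, "199.170.179.18", "jukebox.linuxtoys.net"))
```

Running it reproduces the walk-through: telnet from jukebox is allowed by the .linuxtoys.net entry, IMAP falls through to ALL: ALL in hosts.deny, and FTP is allowed from anywhere because of vsftpd: ALL. Passing an empty deny file shows the third rule (neither file matches, so the connection is allowed), which is why a restrictive hosts.deny matters.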

Part II Running the Show, p. 204: Disabling Network Services

Sunday, October 28th, 2007

Disabling Network Services

Although there are hundreds of services potentially available and subject to attack on your Linux system, in reality only a few dozen services are installed, and only a handful of those are on by default. Most network services are started by either the xinetd process (named inetd on some Linux distributions) or by a startup script in the /etc/init.d directory.

Xinetd is a daemon that listens on a great number of network port numbers. When a connection is made to a particular port number, xinetd automatically starts the appropriate program for that service and hands the connection to it.

The configuration file /etc/xinetd.conf is used to provide default settings for the xinetd server. (If the daemon is called inetd, look for an /etc/inetd.conf file instead.) The directory /etc/xinetd.d contains files telling xinetd what ports to listen on and what programs to start. Each file contains configuration information for a single service, and the file is usually named after the service it configures. For example, to enable the rsync service, edit the rsync file in the /etc/xinetd.d directory and look for a section similar to the following:

    service rsync
    {
            disable         = yes
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/bin/rsync
            server_args     = --daemon
            log_on_failure  += USERID
    }

The first line of this example identifies the service as rsync, which exactly matches the service name listed in the /etc/services file, causing the service to listen on port 873 for TCP and UDP protocols. You can see that the service is off by default (disable = yes). To enable the rsync service, change the line to read disable = no:

    service rsync
    {
            disable         = no
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/bin/rsync
            server_args     = --daemon
            log_on_failure  += USERID
    }

Chapter 6 Securing Linux, p. 203: /etc/services: service-name port/protocol [aliases

Saturday, October 27th, 2007

    # /etc/services:
    # service-name port/protocol [aliases ...] [# comment]
    chargen         19/tcp          ttytst source
    chargen         19/udp          ttytst source
    ftp-data        20/tcp
    ftp-data        20/udp
    # 21 is registered to ftp, but also used by fsp
    ftp             21/tcp
    ftp             21/udp          fsp fspd
    ssh             22/tcp                          # SSH Remote Login Protocol
    ssh             22/udp                          # SSH Remote Login Protocol
    telnet          23/tcp
    telnet          23/udp
    # 24 - private mail system
    smtp            25/tcp          mail

There are three columns of information after comment lines. The left column contains the name of each service, the middle column defines the port number and protocol type used for that service, and the right column contains an optional alias or list of aliases for the service. The last entry in this example, for instance, describes the SMTP (Simple Mail Transfer Protocol) service, which is the service used for delivering e-mail over the Internet. The middle column tells you that the SMTP protocol uses port 25 and uses the Transmission Control Protocol (TCP) as its protocol type.

What exactly is a port number? It is a unique number that's been set aside for a particular network service. It allows network connections to be properly routed to the software that handles that service. For example, when an e-mail message is delivered from some other computer to your Linux box, the remote system must first establish a network connection with your system. Your computer receives the connection request, examines it, sees it labeled for port 25, and knows that the connection should be handed to the program that handles e-mail (which happens to be sendmail).

A program that runs quietly in the background handling service requests (such as sendmail) is called a daemon. Daemons are usually started automatically when your system boots up, and they keep running until your system is shut down. Daemons may also be started on an as-needed basis by xinetd, a special daemon that listens on a large number of port numbers, and then launches the service that is registered with that port number.

SMTP uses the TCP protocol; some other services use UDP, the User Datagram Protocol. For this security discussion, all you really need to know about TCP and UDP is that they provide different ways of packaging the information sent over a network connection. A TCP connection provides error detection and retransmission of lost data. UDP doesn't check to ensure that the data arrived complete and intact; it is meant as a fast way to send noncritical information.
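
The following Python script is an added example (not code from the book, from xinetd or from any distribution) that ties this post to the two before it: it parses files in the /etc/xinetd.d block format shown on page 204, reports which services are enabled so that the disable = yes check for rlogin and rsh on page 205 can be scripted, and resolves each enabled service name to its port through an /etc/services excerpt in the three-column format above. The two sample xinetd.d files, the /etc/services excerpt, the list of services treated as insecure (rlogin, rsh and telnet, as the page names them; their /etc/services names are login, shell and telnet) and all function names are constructed for the example.

```python
import re

# Constructed sample files in the /etc/xinetd.d layout shown on the page
XINETD_FILES = {
    "rsync": """\
service rsync
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
""",
    "rlogin": """\
# rlogin file: the service name inside the block is 'login', as in /etc/services
service login
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.rlogind
        log_on_failure  += USERID
}
""",
}

# Constructed /etc/services excerpt (same three-column format as on the page)
SERVICES = """\
# service-name port/protocol [aliases ...] [# comment]
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp          mail
login           513/tcp
shell           514/tcp         cmd             # no passwords used
rsync           873/tcp
rsync           873/udp
"""

# Services the page singles out as insecure (rlogin, rsh, telnet); assumed list
INSECURE = {"login", "shell", "telnet"}


def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for every service block in text."""
    services = {}
    for block in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = block.group(1), block.group(2)
        attrs = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            attrs[key.rstrip("+ ").strip()] = value.strip()   # also handles '+='
        services[name] = attrs
    return services


def parse_services(text):
    """Return {(name, protocol): port} from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/", 1)
        table[(fields[0], proto)] = int(port)
    return table


def set_disable(text, value):
    """Rewrite the first 'disable = ...' line of a service file to the given value."""
    return re.sub(r"(disable\s*=\s*)\w+", r"\g<1>" + value, text, count=1)


def enabled_services(files, services_text):
    """List (name, tcp_port, insecure) for every xinetd service not disabled."""
    ports = parse_services(services_text)
    report = []
    for text in files.values():
        for name, attrs in parse_xinetd(text).items():
            if attrs.get("disable", "no").lower() == "yes":
                continue                          # disabled: xinetd will not listen
            report.append((name, ports.get((name, "tcp")), name in INSECURE))
    return sorted(report)


if __name__ == "__main__":
    for name, port, risky in enabled_services(XINETD_FILES, SERVICES):
        print(f"{name:8} port {port}  {'INSECURE' if risky else ''}")
```

With the sample files only login (rlogin, port 513) is reported, and it is flagged; applying set_disable to the rsync file with "no" makes rsync appear on port 873, mirroring the edit described on page 204. On a real system you would read the files from /etc/xinetd.d and /etc/services instead of the embedded strings.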

Part II Running the Show, p. 202: Table 6-2 (continued)

Friday, October 26th, 2007

Table 6-2 (continued)

    State       Description
    LAST_ACK    The remote end has shut down, and the socket is closed, waiting for acknowledgment.
    LISTEN      Socket is waiting for an incoming connection.
    CLOSING     Both sides of the connection are shut down, but not all of your data has been sent.
    UNKNOWN     The state of the socket is unknown.

During a DoS attack, the foreign address is usually the same for each connection, in which case it's a simple matter of typing the foreign IP address into the search form at www.arin.net/whois/ so you can alert your ISP.

During a DDoS attack, the foreign address is likely to be different for each connection, which makes it impossible to track down all the offenders because there are probably thousands of them. The best way to defend yourself is to contact your ISP to see if it can filter the traffic at its border routers.

Protecting Against Intrusion Attacks

Crackers have a wide variety of tools and techniques to assist them in breaking into your computer. Intrusion attacks focus on exploiting weaknesses in your security, so crackers can take more control of your system (and potentially do more damage) than they could from the outside.

Fortunately, there are many tools and techniques for combating intrusion attacks. Let's explore some of the most common break-in methods and the tools available to protect your system.

Evaluating Access to Network Services

Linux systems provide many network services and therefore many avenues for cracker attacks. You should know these services and how to limit access to them.

What is a network service? Basically, it's any task that the computer performs that requires it to send and receive information over the network using some predefined set of rules. Routing e-mail is a network service. So is serving Web pages. Your Linux box has the potential to provide thousands of services. Many of them are listed in the /etc/services file. Look at a snippet of that file:

Chapter 6 Securing Linux, p. 201: The following is an example of

Friday, October 26th, 2007

The following is an example of what the output might look like:

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 65.213.7.96:22          13.29.132.19:12545      ESTABLISHED 32376/sshd
    tcp        0    224 65.213.7.96:22          13.29.210.13:29250      ESTABLISHED 13858/sshd
    tcp        0      0 65.213.7.96:6667        13.29.194.190:33452     ESTABLISHED 1870/ircd
    tcp        0      0 65.213.7.96:6667        216.39.144.152:42709    ESTABLISHED 1870/ircd
    tcp        0      0 65.213.7.96:42352       67.113.1.99:53          TIME_WAIT   -
    tcp        0      0 65.213.7.96:42354       83.152.6.9:113          TIME_WAIT   -
    tcp        0      0 65.213.7.96:42351       83.152.6.9:113          TIME_WAIT   -
    tcp        0      0 127.0.0.1:42355         127.0.0.1:783           TIME_WAIT   -
    tcp        0      0 127.0.0.1:783           127.0.0.1:42353         TIME_WAIT   -
    tcp        0      0 65.213.7.96:42348       19.15.11.1:25           TIME_WAIT   -

The output is organized into columns defined as follows:

- Proto: Protocol used by the socket.
- Recv-Q: The number of bytes not yet copied by the user program attached to this socket.
- Send-Q: The number of bytes not acknowledged by the host.
- Local Address: Address and port number of the local end of the socket.
- Foreign Address: Address and port number of the remote end of the socket.
- State: Current state of the socket. Table 6-2 provides a list of socket states.
- PID/Program name: Process ID and program name of the process that owns the socket.

Table 6-2: Socket States

    State        Description
    ESTABLISHED  Socket has an established connection.
    SYN_SENT     Socket actively trying to establish a connection.
    SYN_RECV     Connection request received from the network.
    FIN_WAIT1    Socket is closed and the connection is shutting down.
    FIN_WAIT2    Socket is waiting for remote end to shut down.
    TIME_WAIT    Socket is waiting after closing to handle packets still in the network.
    CLOSED       Socket is not being used.
    CLOSE_WAIT   The remote end has shut down, waiting for the socket to close.

Part II Running the Show, p. 200: The r flag denotes that the

Thursday, October 25th, 2007

The r flag denotes that the server machine will be the receiver. The s flag, in conjunction with the r flag, tells ttcp to ignore any received data.

Have someone outside your data link, with a network link close to the same speed as yours, set up a ttcp sending process:

    # ttcp -ts server.example.com
    ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp -> server.example.com
    ttcp-t: socket
    ttcp-t: connect

Let the process run for a few minutes and then press Ctrl+C on the transmitting side to stop the testing. The receiving side will then take a moment to calculate and present the results:

    # ttcp -rs
    ttcp-r: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp
    ttcp-r: socket
    ttcp-r: accept from 64.223.17.21
    ttcp-r: 2102496 bytes in 70.02 real seconds = 29.32 KB/sec +++
    ttcp-r: 1226 I/O calls, msec/call = 58.49, calls/sec = 17.51
    ttcp-r: 0.0user 0.0sys 1:10real 0% 0i+0d 0maxrss 0+2pf 0+0csw

In this example, the average bandwidth between the two hosts was 29.32 kilobytes per second. On a link suffering from a DDoS, this number would be a fraction of the actual bandwidth for which the data link is rated.

If the data link is indeed saturated, the next step is to determine where the connections are coming from. A very effective way of doing this is with the netstat command. Type the following to see connection information:

    # netstat -tupn

Table 6-1 describes each of the netstat parameters used here.

Table 6-1: netstat Parameters

    Parameter       Description
    -t, --tcp       Shows TCP socket connections.
    -u, --udp       Shows UDP socket connections.
    -p, --program   Shows the PID and name of the program to which each socket belongs.
    -n, --numeric   Shows numerical addresses instead of trying to determine symbolic host, port, or user names.
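
The following Python script is an added example (not code from the book or from net-tools) that parses netstat -tupn output in the layout shown in the October 26 posts above, counts sockets per foreign address, and lists sources holding many half-open connections, which is the "same foreign address for each connection" pattern the DoS discussion on page 202 describes. The sample output is constructed in that layout (the flooding source is the RFC 5737 documentation address 198.51.100.7, and a UDP line is included to show the missing State column); the threshold and the function names are assumptions for the example.

```python
from collections import Counter

# Constructed sample in the layout of the netstat -tupn output shown on the page;
# 198.51.100.7 is a documentation address standing in for a flooding source
NETSTAT_OUTPUT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 65.213.7.96:22          13.29.132.19:12545      ESTABLISHED 32376/sshd
tcp        0    224 65.213.7.96:22          13.29.210.13:29250      ESTABLISHED 13858/sshd
tcp        0      0 65.213.7.96:6667        13.29.194.190:33452     ESTABLISHED 1870/ircd
tcp        0      0 65.213.7.96:42352       67.113.1.99:53          TIME_WAIT   -
tcp        0      0 65.213.7.96:80          198.51.100.7:40001      SYN_RECV    -
tcp        0      0 65.213.7.96:80          198.51.100.7:40002      SYN_RECV    -
tcp        0      0 65.213.7.96:80          198.51.100.7:40003      SYN_RECV    -
tcp        0      0 127.0.0.1:42355         127.0.0.1:783           TIME_WAIT   -
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2001/ntpd
"""


def parse_netstat(text):
    """Turn the column layout into a list of dicts, one per socket line."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                              # banner and header lines
        proto, recvq, sendq, local, foreign = fields[:5]
        rest = fields[5:]
        if proto.startswith("tcp"):
            state = rest[0] if rest else ""
            program = rest[1] if len(rest) > 1 else "-"
        else:                                     # UDP sockets have no State column
            state = ""
            program = rest[0] if rest else "-"
        conns.append({"proto": proto, "recvq": int(recvq), "sendq": int(sendq),
                      "local": local, "foreign": foreign,
                      "state": state, "program": program})
    return conns


def foreign_hosts(conns, states=None):
    """Count sockets per foreign host (port stripped), optionally only in given states."""
    counts = Counter()
    for conn in conns:
        if states and conn["state"] not in states:
            continue
        counts[conn["foreign"].rsplit(":", 1)[0]] += 1   # rsplit keeps IPv6 intact
    return counts


def suspect_sources(conns, threshold=3):
    """Foreign hosts holding at least `threshold` half-open (SYN_RECV) connections."""
    half_open = foreign_hosts(conns, {"SYN_RECV"})
    return [host for host, n in half_open.most_common() if n >= threshold]


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_OUTPUT)
    for host, n in foreign_hosts(conns).most_common():
        print(f"{n:4}  {host}")
    print("suspect sources:", suspect_sources(conns))
```

On a live system, feed the script the real command output (for example by piping netstat -tupn into it) and read the top of the per-host count; the address that dominates is the one to look up at the ARIN whois form and report to your ISP, as the text recommends. The threshold of 3 is only sensible for the tiny sample; on a busy server it should be far higher.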