Archive for October, 2007

Chapter 6 Securing Linux: # ping www.example.com PING www.example.com (192.0.34.166) from

Wednesday, October 24th, 2007

    # ping www.example.com
    PING www.example.com (192.0.34.166) from 10.0.0.11: 56(84) bytes of data
    64 bytes from 192.0.34.166: icmp_seq=1 ttl=62 time=1252 ms
    64 bytes from 192.0.34.166: icmp_seq=2 ttl=62 time=1218 ms
    64 bytes from 192.0.34.166: icmp_seq=3 ttl=62 time=1290 ms
    64 bytes from 192.0.34.166: icmp_seq=4 ttl=62 time=1288 ms
    64 bytes from 192.0.34.166: icmp_seq=5 ttl=62 time=1241 ms

    --- www.example.com ping statistics ---
    6 packets transmitted, 5 received, 0% loss, time 5032ms
    rtt min/avg/max/mdev = 1218.059/1258.384/1290.861/28.000 ms

In this example, a ping packet took, on average, 1.3 seconds to make the round trip. From the first example to the second example, latency increased by a factor of 31! A data link that goes from working normally to slowing down by a factor of 31 is a clear sign that link utilization should be investigated.

For a more accurate measure of data throughput, a tool such as ttcp can be used. To test your connection with ttcp, you must have installed the ttcp package on machines inside and outside your network. If you are not sure if the package is installed, simply type ttcp at a command prompt. You should see something like the following:

    # ttcp
    Usage: ttcp -t [-options] host [ < in ]
           ttcp -r [-options > out]
    Common options:
        -l ##   length of bufs read from or written to network (default 8192)
        -u      use UDP instead of TCP
        -p ##   port number to send to or listen at (default 5001)
        -s      -t: source a pattern to network
                -r: sink (discard) all data from network
        -A      align the start of buffers to this modulus (default 16384)
        -O      start buffers at this offset from the modulus (default 0)
        -v      verbose: print more statistics
        -d      set SO_DEBUG socket option
        -b ##   set socket buffer size (if supported)
        -f X    format for rate: k,K = kilo{bit,byte}; m,M = mega; g,G = giga
    Options specific to -t:
        -n ##   number of source bufs written to network (default 2048)
        -D      don't buffer TCP writes (sets TCP_NODELAY socket option)
    Options specific to -r:
        -B      for -s, only output full blocks as specified by -l (for TAR)
        -T      "touch": access each byte as it's read

The first step is to start up a receiver process on the server machine:

    # ttcp -rs
    ttcp-r: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp
    ttcp-r: socket
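The comparison the chapter makes by eye (a healthy link at about 40 ms against a nearly saturated one at about 1.3 s, the normal transcript being the one in the October 24 "With the advent of DSL" post) can be automated. The following is an added example, not code from the book: it parses Linux ping output, recomputes the min/avg/max/mdev line, and flags a latency increase over a baseline. The two transcripts embedded in it are constructed copies of the chapter's samples, and the 5x warning threshold is an assumed value.

```python
import re
import statistics
from typing import Dict, List, Optional

# Constructed samples, modelled on the two ping transcripts in this chapter:
# the first from a healthy link, the second from a nearly saturated one.
NORMAL_PING = """\
PING www.example.com (192.0.34.166) from 10.0.0.11: 56(84) bytes of data
64 bytes from 192.0.34.166: icmp_seq=1 ttl=49 time=40.1 ms
64 bytes from 192.0.34.166: icmp_seq=2 ttl=49 time=42.5 ms
64 bytes from 192.0.34.166: icmp_seq=3 ttl=49 time=39.5 ms
64 bytes from 192.0.34.166: icmp_seq=4 ttl=49 time=38.4 ms
64 bytes from 192.0.34.166: icmp_seq=5 ttl=49 time=39.0 ms
"""

SATURATED_PING = """\
PING www.example.com (192.0.34.166) from 10.0.0.11: 56(84) bytes of data
64 bytes from 192.0.34.166: icmp_seq=1 ttl=62 time=1252 ms
64 bytes from 192.0.34.166: icmp_seq=2 ttl=62 time=1218 ms
64 bytes from 192.0.34.166: icmp_seq=3 ttl=62 time=1290 ms
64 bytes from 192.0.34.166: icmp_seq=4 ttl=62 time=1288 ms
64 bytes from 192.0.34.166: icmp_seq=5 ttl=62 time=1241 ms
"""

# One echo-reply line as printed by Linux ping.
REPLY_RE = re.compile(r"icmp_seq=(?P<seq>\d+) ttl=\d+ time=(?P<ms>[\d.]+) ms")


def parse_rtts(output: str) -> List[float]:
    """Round-trip time in milliseconds of every echo reply in a ping transcript."""
    return [float(m.group("ms")) for m in REPLY_RE.finditer(output)]


def summarize(output: str) -> Dict[str, float]:
    """min/avg/max/mdev the way ping's final line reports them
    (mdev is the population standard deviation of the samples)."""
    rtts = parse_rtts(output)
    if not rtts:
        raise ValueError("no echo replies found in ping output")
    return {
        "min": min(rtts),
        "avg": statistics.fmean(rtts),
        "max": max(rtts),
        "mdev": statistics.pstdev(rtts),
        "replies": float(len(rtts)),
    }


def latency_ratio(baseline: str, current: str) -> float:
    """How many times slower the current average round trip is than the baseline."""
    return summarize(current)["avg"] / summarize(baseline)["avg"]


def saturation_warning(baseline: str, current: str, factor: float = 5.0) -> Optional[str]:
    """Return a warning string when average latency grew by more than `factor`,
    else None. The 5x threshold is an assumed value; the chapter's example grew 31x."""
    ratio = latency_ratio(baseline, current)
    if ratio > factor:
        return "latency up %.1fx over baseline: investigate link utilization" % ratio
    return None


if __name__ == "__main__":
    print(summarize(NORMAL_PING))
    print(summarize(SATURATED_PING))
    print(saturation_warning(NORMAL_PING, SATURATED_PING))
```

Feed it a baseline captured during normal operation and a fresh transcript (for example, `ping -c 5 www.example.com` piped into a file) and the ratio gives the same "factor of 31" the chapter derives, without relying on anyone reading the rtt line. Note that the ttl also changed between the two transcripts (49 to 62), which a saturated link alone would not explain; a route change is worth checking alongside utilization.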

Part II Running the Show: With the advent of DSL

Wednesday, October 24th, 2007

With the advent of DSL and cable modems, millions of people are enjoying Internet access with virtually no speed restrictions. In their rush to get online, many of those people neglect even the most basic security. Because the vast majority of these people run Microsoft operating systems, they tend to get hit with worms and viruses rather quickly. Until very recently, it was common practice for Microsoft systems to have many services open to the network of which users were unaware and very little emphasis placed on using firewall features to block intruders.

After a machine has been infiltrated, quite often the worm or virus installs a program on the victim's machine that instructs it to quietly call home and announce that it is now ready to do the master's bidding. At the whim of the master, the infected machines can now be used to focus a concentrated stream of garbage data at a selected host. In concert with thousands of other infected machines, an attacker now has the power to take down nearly any site on the Internet.

Detecting a DDoS is similar to detecting a DoS attack. One or more of the following signs are likely to be present:

- Sustained saturated data link
- No reduction in link saturation during off-peak hours
- Hundreds or even thousands of simultaneous network connections
- Extremely slow system performance

Pinging an outside host can tell you a lot about your data link saturation: much higher than usual latency is a dead giveaway. Normal ping latency (that is, the time it takes for a ping response to come back from a remote host) looks like the following:

    # ping www.example.com
    PING www.example.com (192.0.34.166) from 10.0.0.11: 56(84) bytes of data
    64 bytes from 192.0.34.166: icmp_seq=1 ttl=49 time=40.1 ms
    64 bytes from 192.0.34.166: icmp_seq=2 ttl=49 time=42.5 ms
    64 bytes from 192.0.34.166: icmp_seq=3 ttl=49 time=39.5 ms
    64 bytes from 192.0.34.166: icmp_seq=4 ttl=49 time=38.4 ms
    64 bytes from 192.0.34.166: icmp_seq=5 ttl=49 time=39.0 ms

    --- www.example.com ping statistics ---
    5 packets transmitted, 5 received, 0% loss, time 4035ms
    rtt min/avg/max/mdev = 38.472/39.971/42.584/1.432 ms

In this example, the average time for a ping packet to make the round trip was about 39 thousandths of a second. A ping to a nearly saturated link will look like the following:

Chapter 6 Securing Linux: You can allow specific hosts or

Tuesday, October 23rd, 2007

You can allow specific hosts or domains to relay mail through your system by adding those senders to your /etc/mail/access file with keyword RELAY. By default, relaying is allowed only from the local host. Refer to the sendmail documentation for more information.

One package you might consider using to filter out spam on your mail server is spamassassin, which examines the text of incoming mail messages and attempts to filter out messages that it determines to be spam. Spamassassin is described in Chapter 24.

Smurf Amplification Attack

Smurfing refers to a particular type of Denial of Service attack aimed at flooding your Internet connection. It can be a difficult attack to defend against because it isn't easy to trace it back to the attacker.

The attack makes use of the ICMP protocol, a service intended for checking the speed and availability of network connections. Using the ping command, you can send a network packet from your computer to another computer on the Internet. The remote computer recognizes the packet as an ICMP request and echoes a reply packet to your computer, which can then print a message revealing that the remote system is up and telling you how long it took to reply to the ping.

A smurfing attack uses a malformed ICMP request to bury your computer in network traffic. The attacker bounces a ping request off an unwitting third party in such a way that the reply is duplicated dozens or even hundreds of times. An organization with a fast Internet connection and a large number of computers is used as the relay. The destination address of the ping is set to an entire subnet instead of a single host. The return address is forged to be your machine's address instead of the actual sender's. When the ICMP packet arrives at the unwitting relay's network, every host on that subnet replies to the ping! Furthermore, they reply to your computer instead of to the actual sender. If the relay's network has hundreds of computers, your Internet connection can be quickly flooded.

The best fix is to contact the organization being used as a relay, informing it of the abuse. That organization usually need only reconfigure its Internet router to stop any future attacks. If the organization is uncooperative, you can minimize the effect of the attack by blocking the ICMP protocol on your router, which at least keeps the traffic off your internal network. It helps even more if you can persuade your ISP to block ICMP packets aimed at your network.

Protecting Against Distributed DoS Attacks

A DDoS attack is much harder to initiate and nearly impossible to stop. It begins with the penetration of hundreds or even thousands of weakly secured machines. These machines are then directed to attack a single host based on the desire of the attacker.
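The smurf description above has a recognizable signature on the victim's side: echo replies arriving from many hosts of one subnet for echo requests the victim never sent. The following is an added example (not code from the book) that checks for that pattern in tcpdump-style ICMP lines. The capture lines are constructed, `10.0.0.11` stands in for the monitored host, and the threshold of ten distinct replying hosts per /24 is an assumed value.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed tcpdump-style lines (not a real capture). 10.0.0.11 is the
# monitored host: it sends one echo request and gets the matching reply,
# then receives a burst of replies from 198.51.100.0/24 that it never asked
# for, plus one stray reply from 203.0.113.9.
CAPTURE_LINES: List[str] = [
    "10:00:00.000100 IP 10.0.0.11 > 192.0.34.166: ICMP echo request, id 4210, seq 1, length 64",
    "10:00:00.040200 IP 192.0.34.166 > 10.0.0.11: ICMP echo reply, id 4210, seq 1, length 64",
    "10:00:02.500000 IP 203.0.113.9 > 10.0.0.11: ICMP echo reply, id 9, seq 3, length 64",
] + [
    "10:00:01.%06d IP 198.51.100.%d > 10.0.0.11: ICMP echo reply, id 777, seq 1, length 1024"
    % (i * 1000, i)
    for i in range(1, 13)
]

# tcpdump's summary line for an ICMP echo request/reply.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def subnet24(ip: str) -> str:
    """The /24 an IPv4 address belongs to, e.g. 198.51.100.7 -> 198.51.100.0/24."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_unsolicited_replies(lines: Iterable[str], our_ip: str) -> Dict[str, Set[str]]:
    """Map each /24 to the hosts in it that sent us echo replies we never
    requested. A reply is paired with a request by (peer, id, seq); a reply
    with no matching request is unsolicited."""
    requested: Set[Tuple[str, str, str]] = set()
    unsolicited: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ICMP echo line; ignore
        src, dst, kind, ident, seq = m.group("src", "dst", "kind", "id", "seq")
        if kind == "request" and src == our_ip:
            requested.add((dst, ident, seq))
        elif kind == "reply" and dst == our_ip and (src, ident, seq) not in requested:
            unsolicited[subnet24(src)].add(src)
    return dict(unsolicited)


def smurf_suspects(lines: Iterable[str], our_ip: str, min_hosts: int = 10) -> Dict[str, int]:
    """Subnets from which at least `min_hosts` distinct hosts answered pings we
    never sent: the pattern of a broadcast-amplified (smurf) reply flood.
    Returns {subnet: number of distinct replying hosts}. The threshold is assumed."""
    return {
        net: len(hosts)
        for net, hosts in find_unsolicited_replies(lines, our_ip).items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    print(smurf_suspects(CAPTURE_LINES, "10.0.0.11"))
```

The subnet it reports is the relay the chapter says to contact, not the attacker; the forged source of the original request is invisible from the victim's side. On the relay's own Linux hosts, the kernel setting `net.ipv4.icmp_echo_ignore_broadcasts=1` (the default on current kernels) stops them answering broadcast pings at all, which is the host-level counterpart of the router reconfiguration the chapter describes.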

Part II Running the Show: As with most Linux configuration

Monday, October 22nd, 2007

As with most Linux configuration files, lines that begin with a pound sign (#) are comments. The list of blocked spammers is at the end of this example file. Note that the address to block can be a complete e-mail address, a full host name, a domain only, an IP address, or a subnet.

To block a particular e-mail address or host from mailbombing you, log in to your system as root, edit the /etc/mail/access file, and add a line to DISCARD mail from the offending sender. After saving the file and exiting the editor, you must convert the access file into a hash-indexed database called access.db. The database is updated automatically the next time sendmail starts. Or you can convert the database immediately, as follows:

    # cd /etc/mail
    # make

Sendmail should now discard e-mail from the addresses you added.

Spam Relaying

Another way in which your e-mail services can be abused is by having your system used as a spam relay. Spam refers to the unsolicited junk e-mail that has become a common occurrence on the Internet. Spammers often deliver their annoying messages from a normal dial-up Internet account. They need some kind of high-capacity e-mail server to accept and buffer the payload of messages. They deliver the spam to the server all in one huge batch and then log off, letting the server do the work of delivering the e-mail to the many victims.

Naturally, no self-respecting Internet service provider (ISP) cooperates with this action, so spammers resort to hijacking servers at another ISP to do the dirty work. Having your mail server hijacked to act as a spam relay can have a devastating effect on your system and your reputation. There are even Internet blacklists that are used to ban communications with servers that allow open relay. If your system is used to forward mass mailing, you could find your mail server unable to deliver e-mail to some other e-mail servers because you have been blacklisted.

On many Linux installations, open mail relay is disabled by default. You can either upgrade to the latest build of sendmail, which does not allow open mail relay by default, or you can simply disable sendmail if you are not using it for host e-mail services. Open mail relaying is typically one security issue that you will not have to worry about with a recent distribution of Linux.

Abuse of open mail relays is not limited to small businesses and home users. One cable Internet provider in my area had several of its mail servers added to a blacklist. I contacted my ISP, and it was totally unaware that the abuses were going on, let alone that it had been blacklisted.

Chapter 6 Securing Linux: To enable Procmail for your user

Monday, October 22nd, 2007

To enable Procmail for your user account, create a .procmailrc file in your home directory. The file should be mode 0600 (readable by you but nobody else). Type the following, replacing evilmailer with the actual e-mail address that is mailbombing you.

    # Delete mail from evilmailer
    :0
    * ^From.*evilmailer
    /dev/null

The Procmail recipe looks for the From line at the start of each e-mail to see if it includes the string evilmailer. If it does, the message is sent to /dev/null (effectively throwing it away).

Blocking Mail with Sendmail

The Procmail e-mail tool works quite well when only one user is being mailbombed. If, however, the mailbombing affects many users, you should probably configure your sendmail daemon to block all e-mail from the mailbomber. Do this by adding the mailbomber's e-mail address or system name to the access file located in the /etc/mail directory.

Each line of the access file contains an e-mail address, host name, domain, or IP address followed by a tab and then a keyword specifying what action to take when that entity sends you a message. Valid keywords are OK, RELAY, REJECT, DISCARD, and ERROR. The REJECT keyword causes a sender's e-mail to be bounced back with an error message. The keyword DISCARD causes the message to be silently dropped without sending an error back. You can even return a custom error message by using the ERROR keyword. Here's an example /etc/mail/access file:

    # Check the /usr/share/doc/sendmail/README.cf file for a description
    # of the format of this file. (search for access_db in that file)
    # The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
    # package.
    #
    # by default we allow relaying from localhost...
    localhost.localdomain   RELAY
    localhost               RELAY
    127.0.0.1               RELAY
    #
    # Senders we want to Block
    #
    evilmailer@yahoo.com    REJECT
    stimpy.glaci.com        REJECT
    cyberpromo.com          DISCARD
    199.170.176.99          ERROR: 550 Die Spammer Scum!
    199.170.177             ERROR: 550 Email Refused
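The access file above, the DISCARD instructions in the October 22 "As with most Linux configuration" post, and the RELAY rule in the October 23 post all rely on the same lookup: an address, host, domain, IP address, or subnet is matched most-specific-first and the keyword decides what happens. The following is an added example (not sendmail's code) that models that lookup over the chapter's own access file so you can check what a given entry will actually catch before running makemap. The matching order (full address, then host, then each parent domain; for IP addresses, successively shorter dotted prefixes) is a simplification of what README.cf describes, and the untagged key format is the one the chapter uses.

```python
import re
from typing import Dict, List, Optional, Tuple

# The access file from the chapter (tabs or runs of spaces separate key and action).
ACCESS_FILE = """\
# by default we allow relaying from localhost...
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
#
# Senders we want to Block
#
evilmailer@yahoo.com    REJECT
stimpy.glaci.com        REJECT
cyberpromo.com          DISCARD
199.170.176.99          ERROR: 550 Die Spammer Scum!
199.170.177             ERROR: 550 Email Refused
"""

ACTIONS = ("OK", "RELAY", "REJECT", "DISCARD", "ERROR")


def parse_access(text: str) -> Dict[str, str]:
    """Key -> action, as makemap would load it into access.db. Keys are
    lower-cased; an ERROR action keeps its message text."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2 or parts[1].split(":")[0].upper() not in ACTIONS:
            raise ValueError("bad access line: %r" % raw)
        table[parts[0].lower()] = parts[1]
    return table


def _is_ip(host: str) -> bool:
    return all(part.isdigit() for part in host.split("."))


def candidate_keys(sender: str) -> List[str]:
    """Keys to try, most specific first: the full address, then the host, then
    each parent domain; for an IP address, successively shorter dotted prefixes
    (199.170.177.15 -> 199.170.177 -> 199.170 -> 199)."""
    sender = sender.lower().strip("<>")
    host = sender.rsplit("@", 1)[-1]
    parts = host.split(".")
    if _is_ip(host):
        tails = [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    else:
        tails = [".".join(parts[i:]) for i in range(len(parts))]
    keys: List[str] = []
    for k in [sender] + tails:
        if k not in keys:  # keep order, drop duplicates
            keys.append(k)
    return keys


def decide(table: Dict[str, str], sender: str) -> Tuple[str, Optional[str]]:
    """(action, error message) for a sender address, host name, or IP address.
    A sender with no matching entry gets the default OK: accepted for local
    delivery, but not relayed."""
    for key in candidate_keys(sender):
        action = table.get(key)
        if action is None:
            continue
        if action.upper().startswith("ERROR:"):
            return "ERROR", action[len("ERROR:"):].strip()
        return action.upper(), None
    return "OK", None


def relay_allowed(table: Dict[str, str], client: str) -> bool:
    """Only clients whose lookup yields RELAY may send mail bound for other domains."""
    return decide(table, client)[0] == "RELAY"


if __name__ == "__main__":
    table = parse_access(ACCESS_FILE)
    for who in ("evilmailer@yahoo.com", "bob@mail.cyberpromo.com", "199.170.177.15", "10.0.0.5"):
        print(who, decide(table, who), "relay:", relay_allowed(table, who))
```

Two things the model makes visible: the `cyberpromo.com` line discards mail from every host under that domain, not only the bare domain, and the `199.170.177` entry covers the whole /24, which is what the chapter means by blocking a subnet. Anything not listed falls through to the default, so a new mailbomber needs its own entry and a fresh run of `make` in /etc/mail.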

Part II Running the Show: Although DoS attacks are disruptive,

Sunday, October 21st, 2007

Although DoS attacks are disruptive, intrusion-type attacks are the most damaging. The reasons are varied, but the result is always the same: an uninvited guest takes up residence on your machine and uses it in a way over which you have no control.

To remotely use the resources of a target machine, an attacker must first look for an opening to exploit. In the absence of inside information such as passwords or encryption keys, he must scan the target machine to see what services are offered. Perhaps one of the services is weakly secured, and the attacker can use some known exploit to finagle his way in. A tool called nmap is generally considered the best way to scan a host for services.

Once the attacker has a list of the available services running on his target, he needs to find a way to trick one of those services into letting him have privileged access to the system. This is usually done with a program called an exploit, which uses known vulnerabilities in a service to ask the service to run an alternate program, change a configuration file, or give out information about the system.

Besides being used as an intrusion tool, nmap can be used by a computer's own system administrator to check the security of the machine. You can use nmap on your own machine to see what an attacker would see if he scanned your system, enabling you to fill potential security holes.

Protecting Against Denial of Service Attacks

As explained earlier, a Denial of Service attack attempts to crash your computer or at least degrade its performance to an unusable level. There are a variety of DoS exploits. Most try to overload some system resource, such as your available disk space or your Internet connection. Some common attacks and defenses are discussed in the following sections.

Mailbombing

Mailbombing is the practice of sending so much e-mail to a particular user or system that the computer's hard drive becomes full. There are a couple of ways to protect yourself from mailbombing: use the Procmail e-mail-filtering tool or configure your sendmail daemon.

Blocking Mail with Procmail

The Procmail e-mail-filtering tool is available in many Linux distributions and is tightly integrated with the sendmail e-mail daemon. This integration allows Procmail to selectively block or filter out specific types of e-mail. You can learn more about it at www.procmail.org.
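To see exactly which messages the `.procmailrc` recipe from the October 22 "To enable Procmail" post will throw away, the following added example (not procmail itself, and not from the book) evaluates a minimal recipe of that shape against a few constructed messages. It models the procmail rules that matter here: with no `H` or `B` flag a condition is tried against the header block only, matching is case-insensitive, `^` and `$` anchor to line boundaries, and a leading `!` negates a condition. The mailbox path used as the default destination is a placeholder.

```python
import re
from typing import List, Tuple

# The recipe from the chapter, with a placeholder address for the mailbomber.
RECIPE = """\
# Delete mail from evilmailer
:0
* ^From.*evilmailer
/dev/null
"""

# Constructed test messages: header block, blank line, body.
FROM_BOMBER = """\
From evilmailer@example.net Wed Oct 24 09:00:00 2007
From: evilmailer@example.net
To: chris@example.com
Subject: hello

junk
"""
FROM_FRIEND = """\
From friend@example.org Wed Oct 24 09:01:00 2007
From: friend@example.org
To: chris@example.com
Subject: lunch?

see you at noon
"""
BODY_ONLY = """\
From: abuse@isp.example
To: chris@example.com
Subject: report

the address evilmailer@example.net is bombing us
"""

DEFAULT_MAILBOX = "/var/spool/mail/chris"  # assumed default delivery location


def parse_recipe(text: str) -> Tuple[List[str], str]:
    """Split a minimal procmail recipe into its condition regexes and action:
    a ':0' line, zero or more '* regex' lines, then one action line."""
    lines = [ln.rstrip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines or not lines[0].startswith(":0"):
        raise ValueError("recipe must start with ':0'")
    conditions: List[str] = []
    for ln in lines[1:]:
        if ln.startswith("*"):
            conditions.append(ln[1:].strip())
        else:
            return conditions, ln.strip()
    raise ValueError("recipe has no action line")


def conditions_match(conditions: List[str], message: str) -> bool:
    """All conditions must hold. Without H/B flags procmail searches only the
    header block, case-insensitively, with ^/$ bound to line boundaries."""
    header = message.split("\n\n", 1)[0]
    for cond in conditions:
        negate = cond.startswith("!")
        pattern = cond[1:].strip() if negate else cond
        found = re.search(pattern, header, re.IGNORECASE | re.MULTILINE) is not None
        if found == negate:
            return False
    return True


def deliver(recipe_text: str, message: str, default: str = DEFAULT_MAILBOX) -> str:
    """Where a message ends up: the recipe's action if it matches, else the default."""
    conditions, action = parse_recipe(recipe_text)
    return action if conditions_match(conditions, message) else default


if __name__ == "__main__":
    for name, msg in (("bomber", FROM_BOMBER), ("friend", FROM_FRIEND), ("body-only", BODY_ONLY)):
        print(name, "->", deliver(RECIPE, msg))
```

Two consequences of the pattern are worth knowing before you install it. `^From.*evilmailer` matches any header line that begins with "From", so both the envelope `From ` line and the `From:` header count, and a legitimate message whose `From:` display name happens to mention the address would be discarded too. A body-only mention, as in the third message, is not matched, because the condition never sees the body.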

Chapter 6 Securing Linux: Get security updates regularly. All

Saturday, October 20th, 2007

- Get security updates regularly. All major Linux distributions offer tools and software repositories for getting fixes for security vulnerabilities to you as they are discovered and patched. Getting those critical patches is often as simple as running a single command that downloads and installs the patches. Several Web sites provide excellent vulnerability, outbreak, and mitigation information including www.isc.sans.org (general Internet attack information), www.sarc.com (virus outbreak information), www.cert.org (software security information), and www.securityfocus.com (general security Web site).
- Disable network services you do not need. Any service that isn't actively being used is just a liability. Shut it down and rest easier knowing that there's one less route of entry into your systems.

Understanding Attack Techniques

Attacks on computing systems take on different forms, depending on the goal and resources of the attacker. Some attackers want to be disruptive, while others want to infiltrate your machines and utilize your resources for their own nefarious purposes. Still others are targeting your data for financial gain or blackmail. Some common attacks that are described in this section include Denial of Service, Distributed Denial of Service, and intrusion attacks.

Denial of Service (DoS) attacks are the easiest to perpetrate. The primary purpose of these attacks is to disrupt the activities of a remote site by overloading it with irrelevant data. DoS attacks can be as simple as sending thousands of page requests per second to a Web site. These types of attacks are fairly easy to resolve: after you get a handle on where the attack is coming from, a simple phone call to the perpetrator's ISP gets the problem solved.

Advanced DoS attacks are called Distributed Denial of Service (DDoS) attacks. They are much harder to execute and nearly impossible to stop. The attacker takes control of hundreds or even thousands of weakly secured Internet-connected computers and then directs them in unison to send a stream of irrelevant data to a single Internet host. The result is that the power of one attacker is magnified thousands of times. Instead of an attack coming from one direction, as in the usual DoS, it comes from thousands of directions at once. The best defense against a DDoS attack is to contact your own ISP to see if it can filter traffic at its border routers.

Many people use the excuse "I have nothing on my machine anyone would want" to avoid considering security. The problem with this argument is that attackers have a lot of reasons to use your machine. The attacker can turn your machine into an agent for later use in a DDoS attack. More than once, authorities have shown up at the door of a dumbfounded computer user asking questions about threats originating from the user's computer. By ignoring security, owners have opened themselves up to a great deal of liability.

Part II Running the Show: Protecting Your Computer. Just as closing

Friday, October 19th, 2007

Protecting Your Computer

Just as closing and locking the doors and windows of your house helps keep burglars from wandering in off the street, so will some basic security precautions keep most intruders out of your computer system. There are also some simple techniques for monitoring your system (like watching system log files and checking for people scanning your ports) that enable you to take an active role in responding to intrusions.

If you think that nobody will break into your computer because there's nothing on it worth stealing, think again. Often, a system is broken into solely to gain use of it as a jumping-off point to launch further attacks on other systems. And crackers might try to hijack your computer to serve up copyrighted materials or pornography from your system.

Linux (and similar UNIX and BSD systems) were designed to give you the tools to protect your computers from intruders. Your job is to learn a bit about those tools and utilize them in ways to keep your computer safe. You can start by applying a few rules for your own personal computer use:

- Use strong passwords (discussed later in this chapter). Simple dictionary-word passwords (even those using number-to-letter substitution) are woefully easy to crack with freely available automated tools.
- Be skeptical of unsolicited e-mail. Don't open and run executable files that come to you in e-mail attachments that you don't know to be trustworthy. If an e-mail comes in telling you that you need a critical update (and tells you "click here to get it"), make sure that the message came from a valid source.
- Know the source of the software you allow on your computer. Download software only from valid mirror sites associated with the Linux distribution you use or from a reputable project site. Be sure to check the md5sum of ISO images you download to be sure the image isn't corrupted or hasn't been tampered with.

The following tips will help you as the network administrator (which you are if you connect your computer to the Internet) prevent the majority of malicious network activity from taking you out of order:

- Always place a firewall between your systems and public or unsecured networks such as the Internet. Ideally this should be a standalone device, but that is not essential. If your Linux system is directly connected to the Internet, the firewall features covered in detail in Chapter 17 will help you configure Linux to only allow requests for services you want to provide to the Internet and filter out other traffic trying to get into your system.
- Keep tabs on the kinds of activity to which your system is exposed. Regularly monitoring your log files helps make you better able to identify the beginnings of suspicious activity. You can even monitor network ports on your system to watch for attempts by intruders to scan those ports to find vulnerabilities. (Refer to the Syslog and Portsentry sections later in this chapter for information on tools for watching your system.)
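The third rule above, checking the md5sum of a downloaded ISO image, is what `md5sum -c` does; the following added example (not from the book) shows the same check done by hand so the pieces are visible: parsing the `<digest>  <filename>` lines that md5sum writes, hashing a large file in chunks, and comparing digests in constant time. It goes slightly beyond the text by also accepting sha256sum files, picking the algorithm from the digest length. The "ISO" it verifies is a constructed temporary file, and the deliberate one-byte corruption stands in for a damaged or altered download.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

# Digest length in hex characters -> hashlib algorithm name.
HASH_BY_HEX_LEN = {32: "md5", 64: "sha256"}


def parse_sums(text: str) -> Dict[str, str]:
    """Parse the format md5sum/sha256sum write and `-c` read:
    '<hexdigest>  <filename>' (or '<hexdigest> *<filename>' for binary mode)."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rest = line.partition(" ")
        if not sep or len(rest) < 2:
            raise ValueError("malformed checksum line: %r" % line)
        # rest is ' name' (text mode) or '*name' (binary mode); drop the marker
        sums[rest[1:]] = digest.lower()
    return sums


def digest_file(path: str, algo: str) -> str:
    """Hash a file in 1 MiB chunks so an ISO image need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path: str, expected_hex: str) -> bool:
    """True when the file's digest equals expected_hex. The algorithm is chosen
    from the digest length; the comparison does not short-circuit on mismatch."""
    algo = HASH_BY_HEX_LEN.get(len(expected_hex))
    if algo is None:
        raise ValueError("unsupported digest length %d" % len(expected_hex))
    return hmac.compare_digest(digest_file(path, algo), expected_hex.lower())


def demo() -> Tuple[bool, bool]:
    """Write a constructed 'ISO', verify it, corrupt one byte, verify again.
    Returns (result before corruption, result after)."""
    payload = b"constructed ISO image contents\n" * 4096
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")
        with open(iso, "wb") as f:
            f.write(payload)
        # The checksum file a mirror would publish next to the image.
        sums = parse_sums("%s  example.iso\n" % hashlib.md5(payload).hexdigest())
        before = verify(iso, sums["example.iso"])
        with open(iso, "r+b") as f:  # flip one byte in the middle of the image
            f.seek(len(payload) // 2)
            f.write(b"\xff")
        after = verify(iso, sums["example.iso"])
    return before, after


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

A checksum fetched from the same mirror as the image proves the download arrived intact; it proves nothing about tampering by whoever controls that mirror, and MD5 collisions have been practical since 2004. For the "tampered with" half of the rule, compare against a digest published out of band (the distribution's own site) or, better, a signature the distribution publishes for its checksum file.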

Securing Linux: Since the dawn of interconnected networks, some

Friday, October 19th, 2007

Securing Linux

Since the dawn of interconnected networks, some user has been trying to break into other users' systems. As the Internet has grown and broadband Internet access has spread, the problem has only become more severe. A home computer running an insecure configuration can be used as a powerful mail relay or as storage for pirated data, can allow the user's personal information to become compromised, or can suffer any number of other such horrors.

Once upon a time network attacks required some effort and skill on the part of the attacker. Today automated tools can get even the most novice user up and running trying to compromise network-attached systems in an alarmingly short time. Additionally, worms have the capability to turn large numbers of insecure Win32 systems into an army of zombies usable for massive coordinated Denial of Service attacks.

Why should you care about security? According to the Internet Storm Center (http://isc.sans.org), a computer connected to the Internet has 16 minutes before it falls under some form of attack.

Securing any computer system is not hugely difficult; it simply requires some common sense and careful application of good security practices. In many cases, good practices for setting and protecting passwords, monitoring log files, and creating good firewalls will keep out many would-be intruders. Sometimes, more proactive approaches are needed to respond to break-ins. Use this chapter to familiarize yourself, as a Linux administrator, with the security dangers that exist and the tools necessary to protect your system.

Chapter 6. In This Chapter:
- Protecting against Denial of Service (DoS) attacks
- Preventing network break-ins
- Using log files to detect intrusions
- Improving security with strong passwords
- Using encryption techniques
- Security auditing tools
- Guarding your computer with PortSentry

Part II Running the Show: Checking Your PPP Connection. The following

Thursday, October 18th, 2007

Checking Your PPP Connection

The following information will help you debug your PPP connection or simply better understand how it works. It is possible that your modem is not supported under Linux. If that is the case, your PPP connection might be failing because the modem was not detected at all. To scan your serial ports to see where your modem might be, type the following (as root user):

    $ wvdialconf /etc/wvdial.conf.new

The wvdialconf command is really to build a configuration file (the /etc/wvdial.conf file) that is used by the dialer command (wvdial). (You only need this file if you use wvdial to do your dial-up.) Its first action, however, is to scan the serial ports on your computer and report where it finds modems. If it tells you that no modem was detected, it's likely that either your modem isn't connected properly or no driver is available to support the modem.

If the modem wasn't detected, you should determine whether it is a modem supported in Linux. You can do this by finding out what type of chip set is used in the modem. This is even more important than finding out the manufacturer of the modem because the same manufacturer can use chips from different companies. (This applies primarily to internal modems because most external serial modems and many USB modems are supported in Linux.)

After you have determined the chip set being used, check the Linmodems.org Web site (www.linmodems.org), which contains information on so-called Winmodems that have only recently begun to be supported in Linux. Search for the chip set on your modem from this site. In many cases, the site tells you if there is a driver available for your modem.

Summary

Many different tools are available for configuring network connections in the various Linux distributions. Fedora and other Red Hat Linux systems use a graphical Network Configuration. SUSE Linux uses its YaST administrative interface to configure network equipment. For dial-up networks, the KDE desktop includes the KPPP GUI tool for configuring modems. If your network connection doesn't start up automatically (as it does in many cases), this chapter explains how to use some of these network configuration tools to configure it manually.

By adding your computer to a public network, such as the Internet, you open it to possible intruders. The next chapter describes ways in which you can secure your