The candidate should be able to install and configure Kerberos and perform basic security auditing of source code. This objective includes subscribing to security alerts from Bugtraq, CERT, CIAC or other sources, being able to test for open mail relays and anonymous FTP servers, and installing and configuring an intrusion detection system such as Snort or Tripwire. Candidates should also be able to update the IDS configuration as new vulnerabilities are discovered and to apply security patches and bugfixes.
Key files, terms and utilities include:
telnet
nmap
snort
fail2ban
nc
iptables
Snort is a lightweight network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket or WinPopup messages to Windows clients using Samba's smbclient.
Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging) or as a full-blown network intrusion detection system.
Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the “foreign” host.
You can get snort from The Snort Download Center. Since I am using Debian, I used the Debian way to install Snort:
# apt-get install snort
You will then be asked to specify the interface Snort should listen on. In my case, this is eth0.
Next you will be asked which address range Snort should regard as its home network. This is given in CIDR notation, i.e. 192.168.2.0/24 for a block of 256 IP addresses or 192.168.2.8/32 for just one. I have chosen to only listen to my own IP address, which is 192.168.2.8.
Next you will be asked who should receive the daily statistic mails. The default is root.
To run Snort in sniffer mode, i.e. have it print the decoded headers of every captured packet to the screen, type:
# snort -v
01/07-16:22:12.746540 192.168.2.8:1024 -> 192.168.2.1:53
UDP TTL:64 TOS:0x0 ID:13581 IpLen:20 DgmLen:60 DF
Len: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/07-16:22:12.750346 192.168.2.1:53 -> 192.168.2.8:1024
UDP TTL:64 TOS:0x0 ID:58826 IpLen:20 DgmLen:422
Len: 402
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/07-16:22:12.751291 192.168.2.8 -> 198.186.203.20
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:25604 Seq:0 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/07-16:22:12.940559 198.186.203.20 -> 192.168.2.8
ICMP TTL:235 TOS:0x0 ID:11684 IpLen:20 DgmLen:84
Type:0 Code:0 ID:25604 Seq:0 ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The output shown above is the result of the command ping www.debian.org. The first section shows the outgoing DNS lookup for www.debian.org. The second section shows the reply to the DNS lookup. The third section shows the outgoing ping (which is, in fact, an ICMP message of type ECHO). The fourth section shows the answer to the ping (which is, in fact, an ICMP message of type ECHO REPLY).
To run snort in the sniffer mode and show application data as well, type:
# snort -vd
01/07-16:21:17.979586 192.168.2.8:1024 -> 192.168.2.1:53
UDP TTL:64 TOS:0x0 ID:8105 IpLen:20 DgmLen:60 DF
Len: 40
57 35 01 00 00 01 00 00 00 00 00 00 03 77 77 77 W5...........www
06 64 65 62 69 61 6E 03 6F 72 67 00 00 01 00 01 .debian.org.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/07-16:21:17.983218 192.168.2.1:53 -> 192.168.2.8:1024
UDP TTL:64 TOS:0x0 ID:58825 IpLen:20 DgmLen:422
Len: 402
57 35 81 80 00 01 00 01 00 09 00 09 03 77 77 77 W5...........www
06 64 65 62 69 61 6E 03 6F 72 67 00 00 01 00 01 .debian.org.....
C0 0C 00 01 00 01 00 00 04 17 00 04 C6 BA CB 14 ................
C0 10 00 02 00 01 00 00 04 17 00 09 06 73 61 6D .............sam
6F 73 61 C0 10 C0 10 00 02 00 01 00 00 04 17 00 osa.............
08 05 73 61 65 6E 73 C0 10 C0 10 00 02 00 01 00 ..saens.........
00 04 17 00 0A 07 6B 6C 65 63 6B 65 72 C0 10 C0 ......klecker...
10 00 02 00 01 00 00 04 17 00 0A 07 70 61 6E 64 ............pand
6F 72 61 C0 10 C0 10 00 02 00 01 00 00 04 17 00 ora.............
09 06 6D 75 72 70 68 79 C0 10 C0 10 00 02 00 01 ..murphy........
00 00 04 17 00 08 05 61 75 72 69 63 C0 10 C0 10 .......auric....
00 02 00 01 00 00 04 17 00 10 03 6E 73 32 07 63 ...........ns2.c
69 73 74 72 6F 6E 02 6E 6C 00 C0 10 00 02 00 01 istron.nl.......
00 00 04 17 00 0E 02 6E 73 05 68 61 6E 64 73 03 .......ns.hands.
63 6F 6D 00 C0 10 00 02 00 01 00 00 04 17 00 0A com.............
03 6E 73 31 03 77 61 77 C0 DF C0 3C 00 01 00 01 .ns1.waw...<....
00 00 04 17 00 04 D1 F9 61 EA C0 51 00 01 00 01 ........a..Q....
00 02 3F A7 00 04 80 65 24 C0 C0 65 00 01 00 01 ..?....e$..e....
00 00 04 17 00 04 C6 BA CB 14 C0 7B 00 01 00 01 ...........{....
00 00 04 17 00 04 84 E5 89 F9 C0 91 00 01 00 01 ................
00 00 04 17 00 04 D8 EA E7 06 C0 A6 00 01 00 01 ................
00 00 04 17 00 04 CE F6 E2 2D C0 BA 00 01 00 01 .........-......
00 01 5E 34 00 04 C3 40 44 1C C0 D6 00 01 00 01 ..^4...@D.......
00 00 32 A0 00 04 C3 E0 35 27 C0 F0 00 01 00 01 ..2.....5'......
00 02 9D 5C 00 04 D5 29 79 FA ...\...)y.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/07-16:21:17.984191 192.168.2.8 -> 198.186.203.20
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:24836 Seq:0 ECHO
3C 39 BC ED 00 0F 04 6A 08 09 0A 0B 0C 0D 0E 0F <9.....j........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
30 31 32 33 34 35 36 37 01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/07-16:21:18.178454 198.186.203.20 -> 192.168.2.8
ICMP TTL:235 TOS:0x0 ID:665 IpLen:20 DgmLen:84
Type:0 Code:0 ID:24836 Seq:0 ECHO REPLY
3C 39 BC ED 00 0F 04 6A 08 09 0A 0B 0C 0D 0E 0F <9.....j........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
30 31 32 33 34 35 36 37 01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
This is the same ping www.debian.org exchange as before, now with the application data shown as a hex and ASCII dump. In the DNS query the name being looked up is visible in the clear (www.debian.org, encoded as length-prefixed labels: 03 www 06 debian 03 org), and in the reply the four bytes C6 BA CB 14 of the first answer record are the address 198.186.203.20, which is exactly where the ICMP ECHO in the third section is sent. The ICMP payload is a timestamp followed by the byte pattern 08 09 0A ... 37 that ping puts into its packets, and the ECHO REPLY returns it unchanged. It is this payload that Snort rules with a content option inspect.
To run snort in the packet-logger mode, creating directories based on the host, type:
# snort -dev -l ./snortlog
After starting Snort and running the commands ping www.debian.org and ping www.iaf.nl, the contents of the ./snortlog directory are as follows:
# ls -lR snortlog/
snortlog/:
total 4
drwx------ 2 root root 1024 Jan 8 09:56 192.168.2.8
drwx------ 2 root root 1024 Jan 8 09:56 198.186.203.20
drwx------ 2 root root 1024 Jan 8 09:56 80.89.228.10
-rw------- 1 root root 528 Jan 8 09:56 ARP
snortlog/192.168.2.8:
total 8
-rw------- 1 root root 3698 Jan 8 09:56 ICMP_ECHO
-rw------- 1 root root 3295 Jan 8 09:56 UDP:1024-53
snortlog/198.186.203.20:
total 2
-rw------- 1 root root 1609 Jan 8 09:56 ICMP_ECHO_REPLY
snortlog/80.89.228.10:
total 3
-rw------- 1 root root 2138 Jan 8 09:56 ICMP_ECHO_REPLY
To run Snort in network intrusion detection mode, type:
# snort -d -h 192.168.2.0/24 -l ./snortlog -c snort.conf
This runs Snort in the most basic network intrusion detection mode, applying the rules in snort.conf and logging the same way as the packet-logger mode. The -h option declares 192.168.2.0/24 as the home network, so that the log directories are named after the foreign host of each conversation rather than after the local one.
There are quite a few other possibilities, such as logging in a binary format which can later be read back by Snort. Please consult the Snort Users Manual for more information.
You can also create a configuration containing rules. To have Snort use these rules, use the “-c <configfile>” option.
Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information. The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
The text up to the first parenthesis is the rule header and the section enclosed in parentheses is the rule options. The words before the colons in the rule options section are called option keywords. Note that the rule options section is not required by any rule; it is used to make tighter definitions of the packets to collect or alert on (or drop, for that matter). All of the elements in a rule must be true for the indicated rule action to be taken, so taken together the elements form a logical AND. The various rules in a Snort rules file, on the other hand, form a large logical OR: every rule whose elements all match fires.
Again, there are a lot of possibilities which are explained in the Snort Users Manual. There is no point in learning the possibilities by heart but I advise you to look at the manual to get a global idea of what is possible.
The rule header states the action the rule takes and the basic criteria (protocol, addresses, ports and direction) a packet must satisfy; the rule options that follow the header add further criteria, such as payload content, and the message to log. A Snort rule is used to detect one or more types of intrusion attempt. The header has the following fixed field order:
| Action | Protocol | Source Address | Source Port | Direction | Destination Address | Destination Port |
In the mountd rule above these fields are alert, tcp, any, any, ->, 192.168.1.0/24 and 111 respectively.
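The following added example (not Snort's own code) makes the header/options split and the AND-within-a-rule, OR-across-rules semantics concrete: a toy matcher that parses rules in the format described above and evaluates constructed packets against them. It handles the subset of the rule language discussed here, i.e. the seven header fields (with any, CIDR blocks, ! negation, single ports and low:high ranges, and the -> and <> directions) plus the msg and content options, where content may contain |hex| sections. The rules and packets are constructed for the demonstration; the second packet reuses the first bytes of the DNS reply from the snort dump earlier on this page.

```python
"""Parse Snort rules and evaluate packets against them.

Added example, not Snort's own code: a toy matcher for the subset of the rule
language described on the page.  Rules and packets below are constructed for
the demonstration.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$")

def parse_content(text):
    """'ab|00 01|c' -> b'ab\\x00\\x01c': text outside |...| is literal, inside is hex."""
    parts = text.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(parts))

def parse_rule(line):
    """Split a rule into its header fields and a list of (keyword, value) options."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = m.groupdict()
    rule["options"] = []
    # Options are ';'-separated.  A literal ';' inside content is backslash-escaped
    # in real Snort; this toy parser does not handle that case.
    for opt in filter(None, (o.strip() for o in (rule.pop("opts") or "").split(";"))):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        rule["options"].append((key, parse_content(value) if key == "content" else value))
    return rule

def addr_matches(spec, ip):
    """'any', a CIDR block, or '!' followed by a CIDR block."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in network) != negate

def port_matches(spec, port):
    """'any', a single port, or a 'low:high' range (either bound may be omitted)."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if sep:
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def _one_way(rule, src, sport, dst, dport):
    return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

def header_matches(rule, pkt):
    """Protocol, addresses, ports and direction must all match (logical AND)."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if _one_way(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    # '<>' is bidirectional: the rule also matches with source and destination swapped.
    return rule["dir"] == "<>" and _one_way(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

def rule_matches(rule, pkt):
    """Header AND every content option must hold for the rule to fire."""
    return header_matches(rule, pkt) and all(
        value in pkt["payload"] for key, value in rule["options"] if key == "content")

def run_rules(rules, pkt):
    """Rules in a file are ORed: return (action, msg) for every rule that fires."""
    return [(r["action"], dict(r["options"]).get("msg", "")) for r in rules if rule_matches(r, pkt)]

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)',
    'log udp any any <> 192.168.2.0/24 53 (msg: "DNS traffic";)',
)]

# Constructed packets: a portmapper request whose payload carries the mountd
# program number 100005 (0x000186a5), and the start of the DNS reply from the
# snort -vd dump on this page, travelling from the resolver back to the client.
MOUNTD_PKT = {"proto": "tcp", "src": "10.0.0.5", "sport": 1023, "dst": "192.168.1.7",
              "dport": 111, "payload": b"\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01"}
DNS_REPLY_PKT = {"proto": "udp", "src": "192.168.2.1", "sport": 53, "dst": "192.168.2.8",
                 "dport": 1024, "payload": b"\x57\x35\x81\x80\x00\x01\x00\x01\x00\x09\x00\x09"}

if __name__ == "__main__":
    for pkt in (MOUNTD_PKT, DNS_REPLY_PKT):
        print(pkt["src"], "->", pkt["dst"], run_rules(RULES, pkt))
```

The DNS reply only matches because the second rule uses the bidirectional <> operator: with -> it would have to be written with the server as the source. Changing one byte of the mountd payload, or sending it to a host outside 192.168.1.0/24, defeats the first rule entirely, which is the AND semantics at work.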
Netcat (nc) is a very versatile network tool. Netcat is a utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool. Netcat's features are numerous; it can for instance be used as a proxy or port forwarder, it can use any local source port and it can use loose source routing. It is commonly referred to as the TCP/IP swiss army knife.
Some of the major features of netcat are:
Outbound or inbound connections, TCP or UDP, to or from any ports
Full DNS forward/reverse checking, with appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network source address
Built-in port-scanning capabilities, with randomizer
Built-in loose source-routing capability
Can read command line arguments from standard input
Slow-send mode, one line every N seconds
Hex dump of transmitted and received data
Optional ability to let another program service establish connections
Optional telnet-options responder
Because netcat makes no assumptions about the protocol spoken across the link (telnet, by contrast, negotiates telnet options and interprets some bytes itself), it is better suited than telnet for debugging raw connections.
nmap is a network exploration tool and security scanner. It can be used to scan a network, determine which hosts are up and what services they are offering.
nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol and Null scan.
If you have built a firewall and want to check that no ports are reachable that should not be, nmap is the tool to use.
Assuming we have a host fictitious.test and we want to see which TCP ports this host is listening on, this is done as follows:
# nmap -sT fictitious.test
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds
As you can see, this did not work. Since I am sure that the host is up (I can connect to it by means of ssh), I issue the command again with the -P0 option, which skips the ping probe:
# nmap -sT -P0 fictitious.test
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on fictitious.test (ip address):
(The 1545 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
Nmap run completed -- 1 IP address (1 host up) scanned in 304 seconds
With -sT, nmap tests each port only by attempting a full TCP connect(): a port that completes the handshake is reported open, a port that answers with a RST (connection refused) is closed, and a port that does not answer at all is filtered. Let's try the same command on the Microsoft web-site:
# nmap -sT www.microsoft.com
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on microsoft.com (207.46.197.102):
(The 1544 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
443/tcp open https
Nmap run completed -- 1 IP address (1 host up) scanned in 383 seconds
Note the difference: the machine fictitious.test is not running a webserver and Microsoft is (ports 80 and 443).
Have a look at nmap's manual page; there are a lot of command-line options.
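The connect() scan that nmap -sT (and nc -z) performs is simple enough to write out. The following added example, not nmap's own code, attempts a full TCP handshake to each port and classifies the result as open, closed or filtered using the same criteria nmap reports. So that it runs offline it scans 127.0.0.1 only, with a throwaway listener started in-process to produce an open port; the host and port choices are the example's own.

```python
"""A minimal TCP connect() scan, the technique behind 'nmap -sT'.

Added example, not nmap's code.  For each port a full TCP handshake is attempted
with connect() and the outcome is classified the way nmap reports it:
  open     - the handshake completed (SYN/ACK received)
  closed   - the host answered with RST (connection refused)
  filtered - nothing came back before the timeout, or the network dropped it
The demonstration scans 127.0.0.1 with an in-process listener so it runs offline.
"""
import socket
import threading

def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:            # RST came back
        return "closed"
    except (socket.timeout, OSError):         # no answer, or e.g. "no route to host"
        return "filtered"
    finally:
        s.close()

def connect_scan(host, ports, timeout=1.0):
    """Scan the given ports and return {port: state}, like the table nmap prints."""
    return {port: probe(host, port, timeout) for port in ports}

def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                   # listener closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def find_closed_port(host="127.0.0.1"):
    """Pick a port nothing listens on: bind to port 0 and release it again."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    print("Port      State")
    for port, state in sorted(connect_scan("127.0.0.1", [open_port, closed_port]).items()):
        print(f"{port}/tcp  {state}")
    srv.close()
```

Note the asymmetry that also explains the long run times in the nmap output above: closed ports answer immediately, while every filtered port costs a full timeout. A connect() scan also completes the handshake, so it shows up in the target's application logs, unlike the half-open -sS scan.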
Security alerts are warnings about vulnerabilities in particular pieces of software. Attackers are very good at misusing such vulnerabilities, which can degrade your service level or result in your system being compromised outright.
Most of the time there is already a solution for the problem or someone is already working on one, as will be described in the rest of this section.
BugTraq is a full disclosure moderated mailing-list for the detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them and how to fix them.
On the website SecurityFocus there is a link to mailing lists, one of which is Bugtraq. There also is a Bugtraq FAQ.
You can subscribe to the Bugtraq mailing-list by sending an e-mail message to bugtraq-subscribe@securityfocus.com. The content of the subject or message body do not matter. You will receive a confirmation request to which you will have to answer.
To unsubscribe, send an e-mail message to bugtraq-unsubscribe@securityfocus.com from the subscribed address. The content of the subject or message body does not matter. You will receive a confirmation request to which you will have to answer.
If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.
The CERT Coordination Center (CERT/CC) is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. They study Internet security vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems and develop information and training to help you improve security at your site.
CERT maintains a website called The CERT Coordination Center.
CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability. Established in 1989, shortly after the Internet Worm, CIAC provides various computer security services free of charge to employees and contractors of the DOE, such as: Incident Handling consulting, Computer Security Information, On-site Workshops, White-hat Audits.
There is a CIAC Website.
CIAC has several self-subscribing mailing lists for electronic publications:
CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information.
CIAC-NOTES for Notes, a collection of computer security articles.
SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability.
SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.
The mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of the mailing lists, send requests of the following form: subscribe list-name LastName, FirstName, PhoneNumber as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for “list-name” and valid information for “LastName” “FirstName” and “PhoneNumber.” Send to: ciac-listproc@llnl.gov.
You will receive an acknowledgment containing address and initial PIN, and information on how to change either of them, cancel your subscription or get help.
An open mail relay is a mail server that accepts mail from any sender for delivery to any destination, not only mail to or from its own domains. This means that anyone can connect to port 25 on that server and send mail to whomever they want, which makes it attractive to spammers. If you are unlucky, other system administrators (or the maintainers of a DNS blacklist) will add your server's IP address to their DENY/REJECT or equivalent list.
Testing if your mail daemon is an open mail relay is in fact quite easy. Telnet from a machine that should not be able to use your mail server as a relay to your mail server's port 25 and try to send an e-mail as shown below:
charon:~# telnet mail.home.nl 25
Trying 213.51.129.253...
Connected to mail.home.nl.
Escape character is '^]'.
220 mail2.home.nl ESMTP server (InterMail vM.4.01.03.00 201-229-121) ready Fri, 11 Jan 2002 17:19:14 +0100
HELO
250 mail2.home.nl
MAIL FROM: willem@test.bla.bla.bla
250 Sender <willem@test.bla.bla.bla> Ok
RCPT TO: willem@snow.nl
250 Recipient <willem@snow.nl> Ok
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
FROM: willem@test.bla.bla.bla
TO: willem@snow.nl
Hahaha, open mail relay test
.
250 Message received: 20020111162325.GOJI8897.mail2.home.nl@snow.castel.nl
QUIT
221 mail2.home.nl ESMTP server closing connection
Connection closed by foreign host.
This worked because this is my ISP and I _do_ belong to the right domain: the connection came from inside the network the server is supposed to relay for. I tried it from a wrong domain, and I got no response whatsoever. A real open-relay test must therefore be run from a host outside the networks the server serves, with both the sender and the recipient in foreign domains; a correctly configured server then refuses the recipient with a 5xx reply (typically "550 Relaying denied") instead of the 250 shown above. You could use IPCHAINS, IPTABLES or some other sort of firewall software to forward SMTP packets to your mail server only if they come from a certain range of IP addresses (for instance, the dynamic ones you have reserved for your PPP users), but that is only suitable for a server which does not also have to receive Internet mail for your own domains. The proper fix is in the mail server itself: most mail servers have configuration settings that restrict relaying to local networks or authenticated users, and nowadays refusing to relay is the default behaviour for most mail server implementations.
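The telnet session above, as a scripted check that can be run against any server, is given in the following added example (not code from the original page). It performs the same HELO, MAIL FROM and RCPT TO steps, reads the reply codes, and stops before DATA so that no mail is ever relayed; the verdict hinges on the RCPT TO reply. To keep the example offline it talks to an in-process fake SMTP server whose domain, banner and relay policy are invented here; point relay_test() at a real host and port 25, from a host outside your own network and with a foreign recipient, to test your own server. The sender and recipient addresses in the demonstration run are the ones used in the transcript above.

```python
"""Open-relay check as a scripted SMTP dialogue (HELO, MAIL FROM, RCPT TO, QUIT).

Added example, not from the original page.  The fake server below exists only so
that the example runs offline; its domain, banner and policy are invented.
"""
import socket
import threading

def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, text)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":       # '250-' continues, '250 ' ends the reply
            return int(line[:3]), "\n".join(lines)

def relay_test(host, port, sender, recipient, helo="relaytest.example"):
    """Return 'relay accepted', 'relay denied' or 'rejected earlier'.

    'relay accepted' for a recipient outside the server's own domains, from a
    host it should not serve, means the server is an open relay.
    """
    with socket.create_connection((host, port), timeout=10) as s:
        f = s.makefile("rb")

        def cmd(line):
            s.sendall((line + "\r\n").encode("ascii"))
            return _read_reply(f)

        _read_reply(f)                                 # 220 banner
        verdict = "rejected earlier"
        if cmd(f"HELO {helo}")[0] == 250 and cmd(f"MAIL FROM:<{sender}>")[0] == 250:
            code, _ = cmd(f"RCPT TO:<{recipient}>")
            verdict = "relay accepted" if code == 250 else "relay denied"
        cmd("QUIT")                                    # never DATA: nothing is actually sent
        return verdict

def fake_smtp_server(local_domains, open_relay):
    """Constructed fake: serve one SMTP session on loopback; returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def session():
        conn, _ = srv.accept()
        f = conn.makefile("rb")
        conn.sendall(b"220 mx.example.test ESMTP fake server ready\r\n")
        while True:
            line = f.readline().decode("ascii", "replace").strip()
            verb = line.split(":")[0].split()[0].upper() if line else "QUIT"
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 mx.example.test\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 Sender Ok\r\n")
            elif verb == "RCPT":
                domain = line.rsplit("@", 1)[-1].rstrip(">")
                if open_relay or domain in local_domains:   # a real MTA also checks the client
                    conn.sendall(b"250 Recipient Ok\r\n")
                else:
                    conn.sendall(b"550 5.7.1 Relaying denied\r\n")
            else:
                conn.sendall(b"221 mx.example.test closing connection\r\n")
                break
        conn.close()
        srv.close()

    threading.Thread(target=session, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    for policy in (True, False):
        host, port = fake_smtp_server({"example.test"}, open_relay=policy)
        verdict = relay_test(host, port, "willem@test.bla.bla.bla", "willem@snow.nl")
        print(f"open_relay={policy}: {verdict}")
```

Stopping after RCPT TO is deliberate: the server has already told you its relay policy at that point, and issuing DATA would turn a test into actual unsolicited mail. Remember that a server is allowed to answer 250 for recipients in its own domains and for clients on its own network; only the combination of an outside client, a foreign sender and a foreign recipient proves an open relay.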