Linux Network Security 101

Made up at 18:04pm Friday 2000-09-08

ie last night.

Blame can be laid squarely at the feet of

Matthew Wallis (mattw@trinity.unimelb.edu.au)



A more up-to-date version of this document might be found at: http://www.trinity.unimelb.edu.au/~mattw/.


This is just a quick rundown of things you should do when putting a Unix/Linux box onto a network, especially the Internet.


Any services or servers your computer is running can potentially be exploited, allowing undesirables to use your PC as a platform for attacking others, or simply to attack you.


Unix is an operating system more frequently used for providing services than as a desktop PC. Because of this, it usually comes with a lot of those services running by default, and a large proportion of them aren't necessary. What I hope to show you here is how to find out what is running, how to turn it off, and in some cases how to make it a little more secure.


Nothing I am doing here is permanent. At a later date, when you've come to understand Linux and what it does better, you can easily turn these services back on, and hopefully you'll be able to turn them back on in a secure manner.


Once you're up and running, you'll want to go looking for other security information and look into using tools such as SSH or SSL-Telnet, which allow secure connections between PCs. I'll put some recommended reading at the end of the document. This is more or less a Pre-Security-HOWTO, as that document is rather long and in depth.


This document does not address file or hardware security, nor does it pay too much attention to precise technical detail. It's for people who want to put their Linux box on the 'net while they read and learn, without being wide open to attack.


The Security-HOWTO can be found in /usr/doc/Linux-HOWTOs, /usr/share/doc/Linux-HOWTOs, /usr/doc/HOWTO or at http://mirror.aarnet.edu.au/pub/LDP/HOWTO/Security-HOWTO.html




First up, finding out what's running.

Netstat :


From the man page -


netstat - Print network connections, routing tables, interface statistics, masquerade connections, netlink messages, and multicast memberships.


This is the best tool I know of for finding out every service that's running on your Linux box.


nothus 18:18:49 ~ >netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:1595          localhost:smtp          TIME_WAIT
tcp        0      0 nothus.trinity.uni:1594 bill.trinity.unime:pop3 TIME_WAIT
tcp        0      0 nothus.trinity.uni:1582 va.debian.org:www       CLOSE_WAIT
tcp        1      0 nothus.trinity.uni:1581 www-su.google.com:www   CLOSE_WAIT
tcp        1      0 nothus.trinity.uni:1580 www-su.google.com:www   CLOSE_WAIT
tcp        1      0 nothus.trinity.uni:1579 www-su.google.com:www   CLOSE_WAIT
tcp        0      0 nothus.trinity.uni:1026 meade.chariot.net.:6667 ESTABLISHED
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7



From the output there we can see


tcp 0 0 localhost:1595 localhost:smtp TIME_WAIT


A pause in my mail being delivered to the mail server on my PC


tcp 0 0 nothus.trinity.uni:1594 bill.trinity.unime:pop3 TIME_WAIT


From the program Fetchmail, which just grabbed it from my work's mail server, Bill. (Hostnames have been truncated somewhat.)


tcp        0      0 nothus.trinity.uni:1582 va.debian.org:www       CLOSE_WAIT
tcp        1      0 nothus.trinity.uni:1581 www-su.google.com:www   CLOSE_WAIT
tcp        1      0 nothus.trinity.uni:1580 www-su.google.com:www   CLOSE_WAIT
tcp        1      0 nothus.trinity.uni:1579 www-su.google.com:www   CLOSE_WAIT


A few old connections to web servers.


tcp 0 0 nothus.trinity.uni:1026 meade.chariot.net.:6667 ESTABLISHED


That great time waster, IRC.


tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN


These are the ones we want to pay attention to: the sockets that are LISTENING for inbound connections from anywhere.

raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7


Some necessary ones, including ICMP, which is what ping works with.
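As an added example (not from the original document), here is a small shell script that pulls the LISTEN lines out of netstat -a output automatically, so the check above can be repeated after every change. The sample output embedded in it is constructed from the listing above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: pick the LISTEN sockets out of
# "netstat -a" output, since those are the lines the article says to look at.
# Source this file, then run:  netstat -a | listening_services
# The sample below is constructed from the article's listing, for stand-alone use.

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:1595 localhost:smtp TIME_WAIT
tcp 0 0 nothus.trinity.uni:1026 meade.chariot.net.:6667 ESTABLISHED
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
raw 0 0 *:icmp *:* 7'

# listening_services: netstat -a output on stdin -> "proto bind-addr port" for
# each listening TCP socket, sorted by port. The port is the text after the last
# colon of the local address, so IPv6 addresses such as ::1:22 split correctly.
listening_services() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        n = split($4, a, ":")
        port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        print $1, host, port
    }' | sort -k3
}

# count_listening: how many listening TCP sockets are in the output on stdin.
count_listening() {
    listening_services | wc -l | tr -d ' '
}

# flag_unwanted: print the listeners the article singles out as unnecessary on
# a home machine (telnet, ftp, netbios-ssn, printer); succeed if any are found.
flag_unwanted() {
    listening_services |
        awk '$3 ~ /^(telnet|ftp|netbios-ssn|printer)$/ { found = 1; print "unwanted:", $3 }
             END { if (found) exit 0; exit 1 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$NETSTAT_SAMPLE" | listening_services
printf '%s\n' "$NETSTAT_SAMPLE" | flag_unwanted
```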


Inetd :


From the man page -


inetd - internet ``super-server''

DESCRIPTION
       When running, inetd listens for connections on certain network sockets.
       When a connection is found on one of its sockets, it looks up what
       service the socket corresponds to, and invokes a program to service the
       request. After the program is finished, it will continue to listen on
       the socket, except in some special cases which will be described below.
       Essentially, inetd allows running one daemon to invoke several others,
       reducing load on the system.


Inetd is usually where ftp, telnet, finger, daytime, chargen, and a few other internet services are run from. Most of these, with the possible exception of ftp and telnet, do nothing of any practical use for the average home user, and should be turned off. If you do need ftp, telnet, or any of the other services in inetd, then some security is provided by hosts.allow and hosts.deny, which are part of the tcp-wrappers package.


Inetd is configured by inetd.conf, often found in /etc. It is a plain text file, and can be edited easily.



nothus 15:22:50 /etc >cat inetd.conf
# See "man 8 inetd" for more information.
#
# If you make changes to this file, either reboot your machine or send the
# inetd a HUP signal:
# Do a "ps x" as root and look up the pid of inetd. Then do a
# "kill -HUP <pid of inetd>".
# The inetd will re-read this file whenever it gets that signal.
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# The first 4 services are really only used for debugging purposes, so
# we comment them out since they can otherwise be used for some nasty
# denial-of-service attacks. If you need them, uncomment them.
# echo      stream  tcp     nowait  root    internal
# echo      dgram   udp     wait    root    internal
# discard   stream  tcp     nowait  root    internal
# discard   dgram   udp     wait    root    internal
# daytime   stream  tcp     nowait  root    internal
# daytime   dgram   udp     wait    root    internal
# chargen   stream  tcp     nowait  root    internal
# chargen   dgram   udp     wait    root    internal
#time       stream  tcp     nowait  root    internal
#time       dgram   udp     wait    root    internal
#
# These are standard services.
#
ftp         stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd -l -i -a
telnet      stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
#
# Use this one instead if you want to snoop on telnet users (try to use this
# for ethical purposes, ok folks?), and see 'man ttysnoop' and /etc/snooptab
# for further instructions:
# telnet    stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetsnoopd
#


As you can see, it's a reasonably well commented file. To activate a service, if it's already listed, remove the # from the start of the line. To deactivate the service, add a # to the start of the line.


Once you've finished editing the file, save it, and tell inetd to re-read it by finding its pid (Process ID) and sending it a HUP signal with the kill command.


nothus 15:22:35 ~ >ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:06 init [3]
    2 ?        SW     0:05 [kflushd]
    3 ?        SW     0:52 [kupdate]
    4 ?        SW     0:00 [kpiod]
    5 ?        SW     0:08 [kswapd]
   16 ?        SW     0:00 [kreiserfsd]
   17 ?        SW     0:07 [kreiserfsd]
   18 ?        SW     0:00 [kreiserfsd]
   19 ?        SW     0:17 [kreiserfsd]
   20 ?        SW     0:00 [kreiserfsd]
   21 ?        SW     0:00 [kreiserfsd]
   72 ?        SW     0:00 [rpc.portmap]
   76 ?        S      0:27 /usr/sbin/syslogd
   79 ?        D      0:00 /usr/sbin/klogd -c 3
   81 ?        SW     0:00 [inetd]

nothus 15:47:45 ~ >kill -HUP 81


Had I commented out the telnet and ftp lines in inetd.conf, I could then run netstat again and find that neither telnet nor ftp was listed.




Restricting access to Inetd services.


hosts.allow and hosts.deny


These files can be used to restrict access to services offered by inetd. In particular, they are referenced by tcpd, which is part of tcp_wrappers.

Simply adding a service to inetd does not put it under the control of hosts.allow and hosts.deny; the service has to be started through tcpd.

To find out if something is being handled by tcp_wrappers, check for /usr/sbin/tcpd in the line referring to that service in inetd.conf.



nothus 16:55:54 /etc >cat hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided by
#               the '/usr/sbin/tcpd' server.
#
# Version:      @(#)/etc/hosts.allow  1.00  05/28/93
#
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
#
ALL:192.168.168.
ALL:127.0.0.1
# End of hosts.allow.

nothus 16:57:44 /etc >cat hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Version:      @(#)/etc/hosts.deny   1.00  05/28/93
#
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
#
ALL:ALL
# End of hosts.deny.


These allow you to specify which computers/networks get access to which of the services provided.


Generally, upon receiving a connection, tcpd scans hosts.allow for a specific rule allowing that connection to go ahead; say an ftp connection from 192.168.168.23. Under my current setup this would be allowed, as I am allowing all connections from the 192.168.168 network.

If no such rule is found, say for a telnet connection from 192.168.1.40, then tcpd moves on to hosts.deny, which in my case will reject any other form of connection.


Allowing or denying specific services to specific hosts is mostly a matter of adding a line like:


23:192.168.168.100


to the appropriate file. This would block or allow telnet access from any computer connecting with the IP 192.168.168.100, as telnet operates on port 23.
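To see how the two files are consulted, here is an added shell emulation of tcpd's decision (example code, not part of the original document or of tcp_wrappers itself). It handles the pattern forms used above (ALL, an exact address, a trailing-dot network prefix); tcpd matches the first field of a rule against the daemon name given in inetd.conf (in.telnetd for telnet), so the rules it checks use those names. The file and function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: emulate the order in which tcpd
# consults hosts.allow and hosts.deny, so a rule can be checked before a service
# is exposed. Patterns: ALL, an exact address, a trailing-dot prefix (192.168.168.).

# match_pattern PATTERN VALUE: succeed if VALUE matches a tcp_wrappers pattern.
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# line_matches LINE DAEMON CLIENT: succeed if a "daemon_list : client_list"
# rule matches. Comments and blank lines never match; lists may use commas.
line_matches() {
    rule=${1%%#*}
    case "$rule" in *:*) ;; *) return 1 ;; esac
    dlist=$(printf '%s' "${rule%%:*}" | tr -d ' \t' | tr ',' ' ')
    clist=$(printf '%s' "${rule#*:}"  | tr -d ' \t' | tr ',' ' ')
    dok=1; cok=1
    for d in $dlist; do match_pattern "$d" "$2" && dok=0; done
    for c in $clist; do match_pattern "$c" "$3" && cok=0; done
    [ $dok -eq 0 ] && [ $cok -eq 0 ]
}

# file_matches FILE DAEMON CLIENT: succeed if any rule in FILE matches.
file_matches() {
    while IFS= read -r l || [ -n "$l" ]; do
        line_matches "$l" "$2" "$3" && return 0
    done < "$1"
    return 1
}

# tcpd_decision DAEMON CLIENT ALLOWFILE DENYFILE: print ALLOW or DENY in the
# order hosts_access(5) documents: a hosts.allow match grants, else a hosts.deny
# match refuses, else access is GRANTED. That default is why hosts.deny ends ALL:ALL.
tcpd_decision() {
    if   file_matches "$3" "$1" "$2"; then echo ALLOW
    elif file_matches "$4" "$1" "$2"; then echo DENY
    else echo ALLOW; fi
}

# Constructed copies of the article's two files, in a temporary directory.
TMP=$(mktemp -d)
printf 'ALL:192.168.168.\nALL:127.0.0.1\n' > "$TMP/hosts.allow"
printf 'ALL:ALL\n' > "$TMP/hosts.deny"
tcpd_decision in.ftpd    192.168.168.23 "$TMP/hosts.allow" "$TMP/hosts.deny"  # ALLOW
tcpd_decision in.telnetd 192.168.1.40   "$TMP/hosts.allow" "$TMP/hosts.deny"  # DENY
```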



Services not handled by Inetd.


As for the others: smtp is generally a mail server such as sendmail, printer is lpd, 6000 is X-Windows, and netbios-ssn is from the Samba server.


Sendmail, lpd and Samba are a little more difficult to remove. They are generally started by the rc scripts your Linux box runs on startup. Unfortunately these scripts are different for practically every Linux distribution.




lsof :


From the man page


NAME
       lsof - list open files

DESCRIPTION
       An open file may be a regular file, a directory, a block special
       file, a character special file, an executing text reference, a
       library, a stream or a network file (Internet socket, NFS file or
       UNIX domain socket.) A specific file or all the files in a file
       system may be selected by path.


Another way of finding out what programs are listening on what ports, is to use the program lsof.



From netstat we got


tcp 0 0 *:6000 *:* LISTEN


If we use lsof like so


nothus 13:47:50 ~ >lsof |grep :6000
X         4416 root    0u  IPv4  66724       TCP *:6000 (LISTEN)



We find that X is listening on 6000. X is usually relatively secure; by default it is normally set up to accept connections only from the local computer.



Redhat users can also check linux-conf or the control-panel for turning services on and off and checking run levels.


First up is to check /etc/inittab for the default runlevel :


nothus 16:58:17 /etc >cat inittab
#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Version:      @(#)inittab           2.04    17/05/93        MvS
#                                     2.10    02/10/95        PV
#                                     3.00    02/06/1999      PV
#
# Author:       Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
# Modified by:  Patrick J. Volkerding, <volkerdi@ftp.cdrom.com>
#
# Default runlevel. (Do not set to 0 or 6)
id:3:initdefault:


Then check the various rc scripts to find out what is started in that default runlevel.


Redhat will have something along the lines of /etc/rc.d/rc3.d, with symbolic links to various scripts in /etc/rc.d/init.d. Find the symbolic link for the service you want to stop from starting, and change the S at the start of its name to a K.


ie.


[Kyle@Gate rc3.d]$ ls
K10pulse     K25netfs     S05kudzu     S35smb       S55sshd          S99local
K11portmap   K45pcmcia    S10network   S40atd       S95auth2.init
K20rstatd    K50snmpd     S20random    S40crond     S95update.init
K20rusersd   K75keytable  S25squid     S45named     S96codasrv.init
K20rwhod     K80sendmail  S30syslog    S50inet      S99linuxconf


To stop smb or samba from starting, I would


[root@Gate rc3.d]$ mv S35smb K35smb
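As an added example (not from the original document), the following shell script reads the default runlevel from inittab and lists the S links in the matching rc.d directory, so you can confirm what will be started before and after renaming a link. It builds a constructed copy of part of the rc3.d listing above in a temporary directory; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: list what Redhat-style rc
# scripts will start in the default runlevel, by reading initdefault from
# inittab and the S* links in rc.d/rcN.d. The /etc directory is an argument so
# it runs against a constructed tree (below) as well as the real /etc.

# default_runlevel ETC: print N from the id:N:initdefault: line.
default_runlevel() {
    awk -F: '$3 == "initdefault" { print $2; exit }' "$1/inittab"
}

# started_services ETC: names of the services started in the default runlevel,
# i.e. the S links with the S and two-digit order number stripped, sorted.
started_services() {
    rl=$(default_runlevel "$1")
    for link in "$1"/rc.d/rc"$rl".d/S*; do
        [ -e "$link" ] || continue        # glob matched nothing
        name=${link##*/}
        echo "${name#S[0-9][0-9]}"
    done | sort
}

# is_started ETC SERVICE: succeed if SERVICE will be started at boot.
is_started() {
    started_services "$1" | grep -qx "$2"
}

# Constructed tree modelled on part of the article's rc3.d listing.
ETC=$(mktemp -d)
mkdir -p "$ETC/rc.d/rc3.d" "$ETC/rc.d/init.d"
printf 'id:3:initdefault:\n' > "$ETC/inittab"
for s in smb sendmail inet sshd syslog; do : > "$ETC/rc.d/init.d/$s"; done
ln -s ../init.d/smb      "$ETC/rc.d/rc3.d/S35smb"
ln -s ../init.d/sendmail "$ETC/rc.d/rc3.d/K80sendmail"
ln -s ../init.d/inet     "$ETC/rc.d/rc3.d/S50inet"
ln -s ../init.d/sshd     "$ETC/rc.d/rc3.d/S55sshd"
ln -s ../init.d/syslog   "$ETC/rc.d/rc3.d/S30syslog"

started_services "$ETC"            # inet sshd smb syslog
# The article's fix: rename S35smb to K35smb so init no longer starts it.
mv "$ETC/rc.d/rc3.d/S35smb" "$ETC/rc.d/rc3.d/K35smb"
started_services "$ETC"            # inet sshd syslog
```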


For Slackware, it's /etc/rc.d; find the file rc.samba and either make it non-executable (chmod a-x rc.samba) or comment out its contents with #'s, as we did in inetd.conf.


nothus 18:04:47 /etc/rc.d >cat rc.samba
#
# rc.samba:  Start the samba server
#
#if [ -x /usr/sbin/smbd -a -x /usr/sbin/nmbd ]; then
#  echo "Starting Samba..."
#  /usr/sbin/smbd -D
#  /usr/sbin/nmbd -D
#fi
nothus 18:07:10 /etc/rc.d >





Things to read :


Security-HOWTO


Maximum Security and Maximum Linux Security by Anonymous, published by SAMS


Practical Unix and Internet Security by Garfinkel and Spafford, published by O'Reilly.