Previous Next Contents

5. Network Security

Network security is becoming more and more important as people spend more and more time connected. Compromising network security is often much easier than physical or local, and is much more common.

There are a number of good tools to assist with network security, and more and more of them are shipping with linux distributions.

5.1 Packet Sniffers

One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on a already compromised host. This "sniffer" just listens on the Ethernet port for things like "Password" and "Login" and "su" in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Clear text passwords are very vulnerable to this attack.

EXAMPLE: host A has been compromised. Attacker installs a sniffer. Sniffer picks up admin logging into host B from Host C. It gets the admins personal password as they login to B. Then, the admin does a 'su' to fix a problem. They now have the root password for Host B. Later the admin lets someone telnet from his account to host Z on another site. Now the attacker has a password/login on host Z.

In this day and age, the attacker doesn't even need to compromise a system to do this, they could also bring a laptop or pc into a building and tap into your net.

Using ssh or other encrypted password methods thwarts this attack. Things like APOP for pop accounts also prevents this attack. (Normal pop logins are very vulnerable to this, as is anything that sends clear text passwords over the wire.)

5.2 System services and tcp_wrappers

As soon as you put your linux system on ANY network the first thing to look at is what services you need to offer. Services that you do not need to offer should be disabled so that you have one less thing to worry about and attackers have one less place to look for a hole.

There are a number of ways to disable services under linux. You can look at your /etc/inetd.conf file and see what services are being offered by your inetd. Disable any that you do not need by commenting them out (# at the beginning of the line), and then sending your inetd process a SIGHUP.

You can also remove (or comment out) services in your /etc/services file. This will mean that local clients will also be unable to find the service (ie, if you remove ftp, and try and ftp to a remote site from that machine it will fail with an unknown service message). It's usually not worth the trouble to remove services, since it provides no additional security. If a local person wanted to use ftp even tho you had commented it out, they would make their own client that use the common ftp port and would still work fine.

If you know you are not going to use some particular package, you can also delete it entirely. rpm -e under the redhat distribution will erase an entire package. Under debian dpkg likely does the same thing.

You should check your /etc/rc.d/rcN.d, where N is your systems run level and see if any of the servers started in that directory are not needed. Simply remove the unneeded script(s) and they will not be started on your next reboot. If you have BSD style rc files, you will want to check /etc/rc* for programs you don't need.

Most linux distributions ship with tcp_wrappers "wrapping" all your tcp services. A tcp_wrapper (tcpd) is invoked from inetd instead of the real server. tcpd then checks the host that is requesting the service and either launches the program or denies access from that host. tcpd allows you to restrict access to your tcp services. You should make a /etc/hosts.allow and add in only those hosts that need to have access to your machines services. If you are a home dialup user, I would suggest you deny ALL. tcpd also logs failed attempts to access services, so this can give you an idea that you are under attack. If you add new services, you should always tcp wrapper them if they are tcp based.

5.3 SATAN , ISS, and other network scanners

There are a number of different software packages out there that do port and service based scanning of machines or networks. SATAN and ISS are two of the more well known ones. This software connects to the target machine (or all the target machines on a network) on all the ports it can, and tries to determine what service is running there. Based on this information, you could find out the machine is vulnerable to a specific exploit on that server.

SATAN (Security Administrators Tool for Analyzing Networks) is a port scanner with a web interface. It can be configured to do light, medium, or strong checks on a machine or a network of machines. It's a good idea to get SATAN and scan your machine or network, and fix the problems it finds. Make sure you get the copy of SATAN from sun-site or a reputable FTP or web site. There was a Trojan copy of SATAN that was distributed out on the net.

ISS (Internet Security Scanner) is another port based scanner. It is faster than Satan, and thus might be better for large networks. However, SATAN tends to provide more information.

Detecting Port scans.

There are some tools designed to alert you to probes by Satan and ISS and other scanning software, However liberal use of tcp_wrappers and making sure to look over your log files regularly, you should be able to notice such probes. Even on the lowest setting, Satan still leaves traces in the logs on a stock Redhat system.

5.4 pgp and public key cryptography

pgp (pretty good privacy) is well supported on linux. versions 2.62 and 5.0 are known to work well. For a good primer on pgp and how to use it, take a look a the pgp FAQ.

5.5 ssh and stelnet

ssh (secure shell) and stelnet are programs that allow you to login to remote systems and have a encrypted connection.

Ssh will prevent host spoofing attacks (It expects a specific key back from a host it's connected to before), it does compression and X11 forwarding in addition to encrypting all your communications with the remote machines. This is very good to defeat packet sniffer attacks (The packet sniffer gets a bunch of encrypted packets). ssh is free for personal use, so I would recommend you install it and use it if you are at a personal site.

Stelnet is a secure telnet replacement that does encryption over a telnet connection.

5.6 sendmail, qmail and MTA's.

One of the most important services you can provide is a mail server. Unfortunately, it is also one of the most vulnerable to attack, simply due to the number of tasks it must perform and the privileges it typically needs.

If you are using sendmail it is very important to keep up on current versions. Sendmail has a long long history of security exploits. Always make sure you are running the most recent version.

If you are tired of upgrading your version of sendmail every week, you might consider switching over to qmail. qmail was designed with security in mind from the ground up. It's fast and stable and secure.

5.7 Denial of service attacks.

A Denial of service attack is one where the attacker tries to make some resource too busy to answer legitimate requests, or to deny legitimate users access to your machine.

Denial of service attacks have increased greatly in recent years. Some of the more popular and recent ones are listed below. Note that new ones show up all the time, so this is just a few examples. Read the linux security lists for more current information.

SYN flooding. SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created. The newer linux kernels (2.0.30 and up) have several configurable options to prevent SYN flood attacks from denying people access to your machine or services. CONFIG_SYN_COOKIES and CONFIG_RST_COOKIES. Rebuild your kernel with these options to reduce your susceptibility to SYN flood attacks.

Pentium "F00F" bug. It was recently discovered that a series of assembly codes send to a genuine Intel Pentium processor would lock the machine up totally. This affects every machine with a Pentium processor (not clones, not Pentium Pro or PII), no matter what operating system it's running. Linux kernel 2.0.32 and up contain a work around for this bug, preventing it from locking your machine. If you are running on a pentium, you should upgrade now!

Ping flooding. Ping flooding is a simple brute force denial of service attack. Your attacker send a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack "smurfing" sends ICMP packets to a host with _your_ machines return IP, allowing them to flood you less detectably. If you are under a ping flood attack, use a tool like tcpdump to determine where the packets are coming from (or appear to be coming from), then contact your provider with this information. Ping floods can most easily be stopped at the router level.

5.8 NFS (Network File System) security.

NFS is a very widely used file sharing protocol. It allows servers running nfsd and mountd to "export" entire filesystems to other machines with nfs filesystem support builtin to their kernels (or some other client support if they are non linux machines). Mountd keeps track of mounted filesystems in /etc/mtab, and can display them with 'showmount'.

Many sites use NFS to serve home directories to users, so that no matter what machine in the cluster they login to, they will have all their home files.

There is some small amount of "security" allowed in exporting filesystems. You can make your nfsd map the remote root user (uid=0) to the nobody user, denying them total access to the files exported. However, since individual users have access to their own (or at least the same uid) files, the remote superuser can login or su to their account and have total access to their files. This is only a small hindrance to an attacker that has access to mount your remote filesystems.

If you must use NFS, make sure you export to only those machines that you really need to export only. Never export your entire root directory, export only directories you need to export.

See the NFS HOWTO for more information on NFS: NFS HOWTO

5.9 NIS (Network Information service) (formerly YP).

Network Information service (formerly YP) is a means of distributing information to a group of machines. The NIS master holds the information tables and converts them into NIS map files. These maps are then served over the network, allowing NIS client machines to get login, password, home directory and shell information (all the information in a standard /etc/passwd file). This allows users to change their password once and have it take affect on all the machines in the NIS domain.

NIS is not at all secure. It was never meant to be. It was meant to be handy and usefull. Anyone that can guess the name of your NIS domain (anywhere on the net) can get a copy of your passwd file, and use crack and john the ripper against your users passwords. Also, it is possible to spoof NIS and do all sorts of nasty tricks. If you must use NIS, make sure you are aware of the dangers.

There is a much more secure replacement for NIS, called NIS+. Check out the NIS HOWTO for more information:

5.10 Firewalls

Firewalls are a means of restricting what information is allowed into and out of your local network. Typically the firewall host is connected to the Internet and your local lan, and the only access from your lan to the Internet is through the firewall. This way the firewall can control what passes back and forth from the Internet and your lan.

There are a number of types and methods of setting up firewalls. Linux machines make pretty good low cost firewalls. firewall code can be built right into 2.0 and higher kernels. The ipfwadm user space tool allows you to change what types of network traffic you allow on the fly. You can also log particular types of network traffic.

Firewalls are a very usefull and important technique in securing your network. It is important to realize that you should never think that because you have a firewall, you don't need to secure the machines behind it. This is a fatal mistake. Check out the very good Firewall-HOWTO at your latest sun-site archive for more information on firewalls and linux.

Previous Next Contents