Archive for the 'Security' Category

SBDavid

The TCP wrappers

TCP wrappers implement access control through two files, /etc/hosts.allow and /etc/hosts.deny.

Note that hosts.allow takes precedence over hosts.deny: hosts.allow is consulted first, and a match there grants access before hosts.deny is ever checked.

A recommended security strategy is to block all incoming requests by default and allow only specific hosts or networks to connect.

To deny everything by default, add the following line to /etc/hosts.deny:

ALL: ALL

To accept incoming SSH connections from e.g. nodes host1, host2 and host3, add the following line to /etc/hosts.allow:

sshd: host1 host2 host3

To accept incoming SSH connections from all servers from a specific network, add the name of the subnet to /etc/hosts.allow. For example:

sshd: host1 host2 host3 .subnet.host1.com

To accept incoming portmap connections from IP address 192.168.0.1 and subnet 192.168.5, add the following line to /etc/hosts.allow:

portmap: 192.168.0.1 192.168.5.
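As an added illustration (not part of the original post), the following Python script models the matching rules shown above: hosts.allow is searched first, then hosts.deny, and a client that matches neither file is allowed, which is why the ALL: ALL line in hosts.deny matters. The sample rule sets are constructed from this post's examples; real libwrap also handles EXCEPT lists, net/mask pairs, hostname lookups and shell options, which this model omits.

```python
# Added example: a simplified model of how libwrap evaluates hosts.allow / hosts.deny.
# Rule sets are constructed in memory; EXCEPT, net/mask forms and options are omitted.

def _match_token(pattern, client):
    """Match one client-list token against a client address or hostname."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # .subnet.host1.com matches db.subnet.host1.com
        return client.endswith(pattern)
    if pattern.endswith("."):            # 192.168.5. matches every host in 192.168.5.x
        return client.startswith(pattern)
    return client == pattern             # exact host name or IP address

def _rule_matches(rule, daemon, client):
    """A rule is 'daemons : clients [: options]'; lists are space-separated."""
    fields = rule.split(":")
    if len(fields) < 2:
        return False
    daemon_ok = any(_match_token(d, daemon) for d in fields[0].split())
    client_ok = any(_match_token(c, client) for c in fields[1].split())
    return daemon_ok and client_ok

def _parse(text):
    """Drop comments and blank lines from an access-control file."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def wrapper_decision(hosts_allow, hosts_deny, daemon, client):
    """Return True if access is granted, following the libwrap search order:
    hosts.allow first, then hosts.deny, then grant access by default."""
    for rule in _parse(hosts_allow):
        if _rule_matches(rule, daemon, client):
            return True
    for rule in _parse(hosts_deny):
        if _rule_matches(rule, daemon, client):
            return False
    return True

# Constructed sample files mirroring the post's examples.
HOSTS_ALLOW = """
sshd: host1 host2 host3 .subnet.host1.com
portmap: 192.168.0.1 192.168.5.
"""
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for daemon, client in [("sshd", "host2"), ("sshd", "db.subnet.host1.com"),
                           ("sshd", "host9"), ("portmap", "192.168.5.77"),
                           ("portmap", "192.168.50.1"), ("vsftpd", "host1")]:
        verdict = "allow" if wrapper_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, client) else "deny"
        print(f"{daemon:8s} {client:22s} {verdict}")
```

Running it with an empty hosts.deny shows the default-allow behaviour: without the ALL: ALL line, a daemon that has no hosts.allow entry accepts everyone.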

Using lsof to list all of the TCP and UDP listening sockets.

lsof - list open files

# lsof -i -n | egrep 'COMMAND|LISTEN|UDP|TCP'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
avahi-dae 3220 avahi 13u IPv4 7403 UDP *:mdns
avahi-dae 3220 avahi 14u IPv4 7408 UDP *:58607

SBDavid

Detecting Listening Network Ports

One of the most important tasks is to detect and close network ports that are not needed.

To get a list of listening network ports (TCP and UDP sockets), you can run the following command:

netstat -tulp

To run a port scan from another server (make sure that you have permission to probe the machine):

# nmap -sTU <target-host>

SBDavid

Linux Security Audit Tools

Chkrootkit - Scan system for trojans, worms and exploits.

Rootkit detection tools:

checkps - detects rootkits by spotting falsified output and similar anomalies. The ps check should work on anything with /proc. It also uses netstat.

Rootkit hunter - scans for rootkits, back doors and local exploits

Rkdet - rootkit detector daemon. Intended to catch someone installing a rootkit or running a packet sniffer.

fsaudit - Perl script to scan filesystems and search for suspicious-looking directories.

Find all SUID/SGID programs on your system and keep track of what they are, so that you are aware of any changes that could indicate an intruder. Use the following command to find all SUID/SGID programs on your system:

root# find / -type f \( -perm -04000 -o -perm -02000 \)

Example

# find / -type f \( -perm -04000 -o -perm -02000 \)

/usr/bin/wall
/usr/bin/newgrp
/usr/bin/chage
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/expiry
/usr/bin/gpasswd
/usr/bin/passwd
….
….
……..

You can remove the SUID or SGID permissions from a suspicious program with chmod, then restore them only if you are certain they are necessary.
