ITS 2330 - Linux III

Chapter 12: Setting Up System Security

Objectives:

This lesson takes place in week 13. Objectives important to this lesson:

  1. Server examination
  2. Routers
  3. SSH
  4. OpenVPN
  5. Resources
Concepts:

Chapter 12 begins with a discussion about checking your server for basic vulnerabilities.

  • port scanning - scan the server for open ports that an attacker could use to gain access; closing the ports you do not need and limiting the protocols allowed on the ones you keep reduces the attack surface
  • telnet - it is unlikely that your devices still run a telnet service: it sends user names, passwords and everything else in cleartext, so it is considered a security risk; the chapter describes some of the information a telnet connection request can provide to an attacker (a service banner is often enough to identify the software and version running on a port)
  • netstat - you should learn to use this utility to see what your own host is listening for and connected to (it reports the local socket table, not the rest of the network); the text lists two commands to illustrate useful options
    • netstat --tcp --listening
      This lists TCP ports that have a daemon listening on them. Add --numeric to skip name lookups and --program (needs root) to see which process owns each socket.
    • netstat --tcp
      This one lists ports that have open TCP connections. Without --listening, netstat shows only established connections and leaves listening sockets out, which is why the two outputs differ; --all shows both. netstat comes from the net-tools package, which is no longer installed by default on many distributions; ss --tcp --listening --numeric from iproute2 gives the same information.
  • nc - Netcat opens plain TCP or UDP connections, so it can copy material from a server to any network-connected device, and it also serves as a crude port scanner. The -z switch makes it connect and close without sending any data; given a port range it tries each port in turn and exits with status 0 if at least one of them is open (the OpenBSD netcat behaviour; other netcat variants differ). To see a verbose line for each port, add the -v switch.
    Example: nc -vz localhost 20-40
  • nmap - nmap takes a scan type (-sT performs a full TCP connect() scan, which needs no special privileges; -sS, the default when run as root, sends only SYN packets), a port specification (-p 1-65535 for every port; without -p it scans the most common ports only), optional extras such as -A (operating system and service version detection plus the default scripts), and the name or address of the host to scan.
    Example: nmap -sT -p 1-65535 localhost
    The text warns that nmap scans are noisy and are readily detected by intrusion detection systems. Scan only hosts you are authorized to test.
  • OpenVAS - Open Vulnerability Assessment System is an open source vulnerability scanner that is available from the standard Debian package repositories. It was forked from Nessus by some of Nessus's developers when the others made Nessus a closed-source, for-profit product in 2005. The chapter links to the home page for OpenVAS. Unlike a port scanner, it checks the services it finds against a database of known vulnerabilities.
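The scanners above all rely on the same probe: a TCP connect() to each port in a range. The following is an added example, written for these notes rather than taken from the textbook or from the nc or nmap projects, that implements that connect() scan in Python, reproduces the exit-status convention of `nc -z`, and scans a constructed target, a listener it opens itself on a loopback port chosen by the kernel, so it runs offline. The port range and timeout are this example's own choices.

```python
"""TCP connect() scan, the probe behind `nc -z` and `nmap -sT` (added example)."""
import socket
from contextlib import closing


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the sorted list of ports on `host` that accept a TCP connection.

    connect_ex() returns 0 once the three-way handshake completes and an errno
    (ECONNREFUSED for a closed port, or a timeout where a firewall drops the SYN)
    otherwise. No data is sent: this is exactly what `nc -z` does per port.
    """
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def nc_z_status(host, ports, timeout=0.5):
    """Exit-status convention of `nc -z host lo-hi` (OpenBSD netcat):
    0 if at least one port in the range is open, 1 if none is."""
    return 0 if tcp_connect_scan(host, ports, timeout) else 1


def start_listener():
    """Constructed scan target: a TCP listener on loopback, port chosen by the kernel.

    It never calls accept(); the kernel still completes handshakes into the
    backlog, so the port shows as open from the moment the daemon binds it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick any free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Scan a five-port range around the listener, then re-probe after closing it.

    Returns (port, open_ports_found, nc_status_while_open, nc_status_after_close).
    """
    srv, port = start_listener()
    span = range(port - 2, port + 3)
    try:
        found = tcp_connect_scan("127.0.0.1", span)
        status_open = nc_z_status("127.0.0.1", span)
    finally:
        srv.close()
    status_closed = nc_z_status("127.0.0.1", [port])
    return port, found, status_open, status_closed


if __name__ == "__main__":
    port, found, status_open, status_closed = demo()
    print(f"listener on {port}: open {found}, nc -z status {status_open}")
    print(f"after close: nc -z status {status_closed}")
```

Because every open port receives a complete connection, each probe appears in the target daemon's logs, which is the visibility the text warns about for nmap; a SYN scan (nmap -sS) avoids the final ACK but needs raw sockets and therefore root.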

Have we seen this video from Network Chuck? (We can see it again.)


The next topic in the chapter is Intrusion Detection Systems. Two are discussed:

  • fail2ban - This is a log monitor that also acts as an intrusion prevention tool. It reads log files (it is commonly configured to watch sshd's entries in the system log), counts failed login attempts per source address, and once an address reaches a configured number of failures within a time window it bans that address for a set period by inserting a firewall rule (iptables or nftables). Each watched service is a separate "jail", so it can also read the log files of individual applications.
  • Snort - The text tells us that Snort does not watch a server as much as it watches traffic being sent to a server: it is a network intrusion detection system that matches packets against a rule set. For that to work, the illustration on page 629 shows that the server running Snort needs to see all traffic passing into the network, like a firewall (in practice a mirror/SPAN port, a network tap, or an inline placement). The good thing about that is that one sensor can watch the entire network for traffic into it and out of it; the limitation is that it sees nothing that happens on the hosts themselves and cannot look inside encrypted traffic.
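To make the fail2ban behaviour above concrete, here is an added example written for these notes (not fail2ban's own code) that replays constructed sshd log lines through the same rule fail2ban applies: count failures per source address inside a sliding time window and ban the address once it reaches the retry limit. The limits used (5 failures within 10 minutes, 10-minute ban) are fail2ban's shipped defaults; the sample log, the assumed year for the syslog timestamps, and the `ban_rule` helper that shows the kind of iptables rule a ban action inserts are this example's own.

```python
"""fail2ban-style detection over sshd log lines (added example, not fail2ban code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's shipped defaults: 5 failures inside 10 minutes -> ban for 10 minutes.
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=10)

# Same idea as fail2ban's sshd filter: a failed password attempt, whether or not
# the user exists, and the source address that sent it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample, not a real log: one brute-force source (203.0.113.9) and
# one legitimate user who mistyped a password twice, 25 minutes apart.
SAMPLE_AUTH_LOG = """\
May  3 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
May  3 10:01:05 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
May  3 10:01:09 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
May  3 10:01:11 web1 sshd[2106]: Failed password for invalid user test from 203.0.113.9 port 51031 ssh2
May  3 10:01:15 web1 sshd[2108]: Failed password for root from 203.0.113.9 port 51040 ssh2
May  3 10:02:00 web1 sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
May  3 10:05:00 web1 sshd[2112]: Failed password for alice from 198.51.100.7 port 40010 ssh2
May  3 10:30:00 web1 sshd[2120]: Failed password for alice from 198.51.100.7 port 40020 ssh2
"""


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for every failed-login line.

    Syslog timestamps carry no year, so one is assumed for the date arithmetic.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            yield ts, m["ip"]


def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log; return {ip: ban_expiry} for each address that reached
    `maxretry` failures inside a sliding `findtime` window.

    Failures logged while an address is already banned are ignored, as the
    firewall rule would have dropped those connections on a real host.
    """
    recent = defaultdict(list)   # ip -> failure times still inside the window
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip]:
            continue
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            recent[ip] = []      # start counting afresh once the ban expires
    return bans


def ban_rule(ip):
    """The kind of firewall rule a fail2ban action inserts for a banned address
    (illustrative; the real action templates live under /etc/fail2ban/action.d)."""
    return f"iptables -I INPUT -s {ip} -j REJECT --reject-with icmp-port-unreachable"


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} until {until:%H:%M:%S}: {ban_rule(ip)}")
```

Only the brute-force source is banned: alice's two failures fall outside the window, which is what findtime is for. Lowering maxretry without also thinking about findtime is how legitimate users end up locked out.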

Let's hear from another hacking advisor:


The text mentions other techniques that can help security:

  • using private addressing and Network Address Translation, which almost everyone does (NAT hides internal addresses and, as a side effect, blocks unsolicited inbound connections, but it is not a substitute for a firewall)
  • using firewalls
  • using iptables, the command-line front end to the kernel's netfilter packet filter, which includes esoteric features on page 634; the text discusses this for several pages.

The chapter lists routing as one of the objectives, but it spends only half of page 639 on it. This amounts to another esoteric feature that you may want to browse for a book question.

The next topic is Secure Shell (SSH), which is used to connect to a server instead of telnet if you care about a secure connection. It can be implemented with any of several packages, but the text tells us that the most popular version of SSH is OpenSSH, which is a very Linuxy name (it actually comes from the OpenBSD project, but every major Linux distribution ships it). The text lists the files associated with the product:

  • sshd - OpenSSH server daemon
  • ssh - client software
  • sshd_config - server configuration file (normally /etc/ssh/sshd_config)
  • ssh_config - client configuration file (normally /etc/ssh/ssh_config, with per-user settings in ~/.ssh/config)
  • key pairs for encryption and authentication: host keys identify the server (the client records their fingerprints in ~/.ssh/known_hosts) and user keys can replace passwords; OpenSSH certificates are an optional layer on top of these

Page 641 lists eight options that can be configured in the server configuration file. That page also shows the syntax for making a secure connection to a server on a command line (the part before ssh is the local shell prompt):

userID@servername -$ ssh remote_device_IP_address

ssh logs in under your local user name unless you give another one, as in ssh admin@remote_device_IP_address.
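An added example, written for these notes rather than taken from the textbook or from OpenSSH, that checks an sshd_config against a small hardening baseline. The baseline keywords and the MaxAuthTries ceiling are this example's choices and are not necessarily the eight options the text lists; the two sample configurations are constructed. It demonstrates two parsing rules from sshd_config(5) that bite people who edit the file by hand: for each keyword the first value wins, and everything after a Match line applies only to matching connections.

```python
"""Check an sshd_config against a small hardening baseline (added example)."""

# Baseline chosen for this example: keyword -> acceptable values (lower-cased).
BASELINE = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}
MAX_AUTH_TRIES = 4          # this example's ceiling for MaxAuthTries

# What sshd uses when the file does not set the keyword (OpenSSH 7.0+ defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Constructed sample files, not copied from any system.
WEAK_CONFIG = """\
# Distribution file with a few careless edits
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# Added at the bottom "to fix it": sshd ignores this, the first value wins
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
# Exceptions belong in a Match block, which sshd applies per connection
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Mirrors the rules sshd_config(5) states: comments start with '#', keywords
    are case-insensitive, keyword and value are separated by whitespace or '=',
    the first occurrence of a keyword wins, and everything after the first
    'Match' line is conditional, so this global view stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line.split(None, 1)[0]:          # Keyword=value form
            key, value = line.split("=", 1)
        else:                                       # Keyword value form
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.strip().lower()
        value = value.strip().lstrip("=").strip().strip('"')
        if key == "match":
            break
        settings.setdefault(key, value)             # first value wins
    return settings


def audit(text):
    """Return (keyword, effective_value, acceptable) for every baseline miss.

    An empty list means the global configuration passes the baseline.
    """
    settings = parse_sshd_config(text)
    findings = []
    for key, acceptable in BASELINE.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if effective not in acceptable:
            findings.append((key, effective, sorted(acceptable)))
    tries = int(settings.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", str(tries), [f"<= {MAX_AUTH_TRIES}"]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'passes baseline'}")
```

On a real server, run `sshd -T` (extended test mode) to print the effective configuration after sshd has applied these rules and any Include files, and feed that output to `audit()` instead of the raw file.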


On page 643, the text discusses OpenVPN, an open source program for providing VPN access to a device across a public data channel (it builds an encrypted tunnel on top of TLS). Like OpenSSH, OpenVPN can be installed on RHEL- or Debian-based systems. The text discusses installing and using it.

This short video shows how to install an official version of the product.