Published on June 2016 | Categories: Types, Instruction manuals | Downloads: 91 | Comments: 0 | Views: 2162
RH253
Red Hat Network Services
and Security Administration
Welcome!
Objectives

Understanding and Managing NAT Firewall
  IP Routing (Router Configuration)
  NAT Firewall

Understanding and Managing TCP Wrappers
  Understanding hosts.allow and hosts.deny
  Applying Security using TCP Wrappers

Understanding and Managing xinetd daemon
  Understanding xinetd daemon
  Applying Security using xinetd daemon

Securing Computer using SSH communications
  Understanding SSH
  Sending and Receiving Public Keys
Enabling Routing

Step 1: Assign the following IP address information on each computer

  station1:           IP-ADDRESS = 10.1.1.2      SUBNET MASK = 255.0.0.0      DEFAULT GW = 10.1.1.1
  station2:           IP-ADDRESS = 192.168.0.2   SUBNET MASK = 255.255.255.0  DEFAULT GW = 192.168.0.1
  ROUTER (internal):  IP-ADDRESS = 10.1.1.1      SUBNET MASK = 255.0.0.0
  ROUTER (external):  IP-ADDRESS = 192.168.0.1   SUBNET MASK = 255.255.255.0

Step 2: Enable IP forwarding

  vi /etc/sysctl.conf

  change
    net.ipv4.ip_forward = 0
  to
    net.ipv4.ip_forward = 1

  sysctl -p
Understanding and Managing NAT Firewall

NAT Firewall

Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several.

Types of NAT Firewall

  POSTROUTING (SNAT)
  PREROUTING (DNAT)

POSTROUTING (SNAT)

Source NAT translates the source address of outbound packets, and the destination address of the return packets.

Example:

  iptables -t nat -A POSTROUTING -s 10.1.1.2 -p tcp --dport 80 -j SNAT --to-source 192.168.0.1

PREROUTING (DNAT)

Destination NAT translates the destination address of inbound packets, and the source address of the return packets.

Example:

  iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.2
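As an added example (not the slides' own commands), the router setup from the routing and NAT slides collected into one script. It assumes eth0 is the external interface and that it is run as root with the argument apply; it also adds the FORWARD rules the slides leave out, since SNAT and DNAT only rewrite addresses and the FORWARD chain still has to accept the translated packets.

```shell
#!/bin/bash
# Added example, not from the course slides: router-side NAT setup for the lab
# topology (10.x internal, 192.168.0.1 external). Beyond the two slide rules it
# enables forwarding and adds FORWARD filter rules, so the script still works
# when the FORWARD policy is DROP. The external interface name is an assumption.
INT_NET=10.0.0.0/8           # internal network (mask 255.0.0.0 on the slides)
EXT_IP=192.168.0.1           # router's external address, used as SNAT source
EXT_IF=${EXT_IF:-eth0}       # assumed name of the external interface
WEB_SERVER=10.1.1.2          # internal host published on port 80 via DNAT
IPT=${IPT:-iptables}         # set IPT=echo to print the rules without applying

# nat_rules: the slides' SNAT and DNAT rules, bound to the external interface so
# that traffic between internal hosts is never translated
nat_rules() {
  $IPT -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" \
       -j SNAT --to-source "$EXT_IP"
  $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
       -j DNAT --to-destination "$WEB_SERVER:80"
}

# forward_rules: NAT only rewrites addresses; the FORWARD chain still decides
# whether the translated packet may cross the router. Default-deny, then allow
# replies, outbound traffic from inside, and new inbound web connections only.
forward_rules() {
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -s "$INT_NET" -o "$EXT_IF" -j ACCEPT
  $IPT -A FORWARD -i "$EXT_IF" -d "$WEB_SERVER" -p tcp --dport 80 \
       -m state --state NEW -j ACCEPT
}

# enable_forwarding: persist net.ipv4.ip_forward = 1 (slide step 2) and apply it
enable_forwarding() {
  if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf 2>/dev/null; then
    sed -i 's/^net.ipv4.ip_forward *=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
  else
    echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
  fi
  sysctl -p
}

# rule_count: number of iptables commands the script would issue (dry run)
rule_count() { ( IPT=echo; nat_rules; forward_rules ) | wc -l | tr -d ' '; }

if [ "${1:-}" = apply ]; then   # run as root: ./nat-router.sh apply
  enable_forwarding; nat_rules; forward_rules
fi
```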
Understanding and Managing TCP Wrappers

What is TCP Wrappers?

TCP Wrappers are an important part of maintaining another level of security on a computer; with TCP Wrappers you can restrict access to your system by remote hosts, using the lists of hosts kept in the /etc/hosts.allow and /etc/hosts.deny files.

TCP Wrappers stand guard between an incoming request and the requested service.

Configuration Files

When a client connects to a "tcp wrapped" service, the access control lists /etc/hosts.allow and /etc/hosts.deny are examined. The server will then either choose to accept or drop the connection, depending on the control list configuration. Policies can be specified for individual services and are usually configured in terms of the client's IP address.

Both files have the same basic syntax to allow or deny clients:

  Service List : Client List
Configuration Files

Three stages of access checking:

  Is access explicitly permitted?
  Otherwise, is access explicitly denied?
  Otherwise, by default, permit access.

The search stops at the first matching line in each file.

Configuration stored in two files:

  Permissions in /etc/hosts.allow
  Denials in /etc/hosts.deny

Configuration Files

Examples:

  sshd: .example.com
  sshd: ALL EXCEPT .cracker.org
  sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
  ALL EXCEPT sshd: ALL
  ALL EXCEPT sshd: ALL EXCEPT .cracker.org
  ALL EXCEPT sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
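To make the three-stage check and the EXCEPT chains on the example lines concrete, here is an added example (not part of the course material and not a replacement for libwrap): a small evaluator that walks constructed hosts.allow and hosts.deny contents for a given daemon and client. It handles only the pattern forms the slides use and ignores the option field.

```shell
# Added example, not course material: a miniature evaluator of the slides'
# hosts.allow / hosts.deny order (allow, then deny, then permit by default; the
# first matching line in a file wins). Only the slides' pattern forms (ALL, host
# names, .domain suffixes, net. prefixes, EXCEPT chains) are handled; the option
# field (spawn, banners, severity) is ignored. CLIENT is a host name or address.
HOSTS_ALLOW='sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org'   # constructed
HOSTS_DENY='ALL: 206.182.68. : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
ALL EXCEPT vsftpd: ALL'
# match_pattern PATTERN CLIENT: true when one pattern matches the client
match_pattern() {
  case "$1" in
    ALL) return 0 ;;
    .*)  case "$2" in *"$1") return 0 ;; esac; return 1 ;;   # domain suffix
    *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;   # network prefix
    *)   [ "$1" = "$2" ] ;;                                  # exact name/address
  esac
}
# match_list "p1 p2 EXCEPT q EXCEPT r" CLIENT: matches when a pattern before the
# first EXCEPT matches and the remainder (checked the same way, so EXCEPT nests
# to the right) does not
match_list() {
  local head="${1%% EXCEPT *}" rest="" p
  [ "$head" != "$1" ] && rest=${1#* EXCEPT }
  for p in $head; do
    if match_pattern "$p" "$2"; then
      [ -z "$rest" ] && return 0
      match_list "$rest" "$2" && return 1     # matched, but excluded by EXCEPT
      return 0
    fi
  done
  return 1
}
# check_file CONTENT DAEMON CLIENT: true if any "daemons : clients" line matches
check_file() {
  local line d c
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac
    d=$(echo ${line%%:*}); c=${line#*:}; c=$(echo ${c%%:*})   # drop options
    match_list "$d" "$2" && match_list "$c" "$3" && return 0
  done <<EOF
$1
EOF
  return 1
}
# decide DAEMON CLIENT: prints allow or deny following the three stages
decide() {
  check_file "$HOSTS_ALLOW" "$1" "$2" && { echo allow; return 0; }
  check_file "$HOSTS_DENY"  "$1" "$2" && { echo deny;  return 0; }
  echo allow                        # no line matched: permitted by default
}
```

For instance, decide sshd trusted.cracker.org prints allow because the inner EXCEPT re-admits that host, while decide sshd evil.cracker.org falls through to the deny file.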
TCP Wrappers - Connection Banners

Displaying a suitable banner when users connect to a service is a good way to let potential attackers know that the system administrator is being vigilant.

Banner for vsftpd: create a banner file. It can be anywhere on the system, but it must have the same name as the daemon. Here /etc/banners/vsftpd contains the following lines:

  220-Hello, %c
  220-All activity on ftp.example.com is logged.
  220-Inappropriate use will result in your access privileges being removed.

The %c token supplies a variety of client information, such as the username and hostname, or the username and IP address.

For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:

  vsftpd : ALL : banners /etc/banners/

TCP Wrappers - Attack Warnings

If a particular host or network has been detected attacking the server, TCP Wrappers can be used to warn the administrator of subsequent attacks from that host or network using the spawn directive.

Suppose the 206.182.68.0/24 network has been detected attempting to attack the server. Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file:

  ALL : 206.182.68.0/255.255.255.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert

The %d token supplies the name of the service that the attacker was trying to access.

To allow the connection and log it, place the spawn directive in the /etc/hosts.allow file.

TCP Wrappers - Enhanced Logging

If certain types of connections are of more concern than others, the log level can be elevated for that service using the severity option.

Anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker. To denote this, place an emerg flag in the log files instead of the default flag, info, and deny the connection.

To do this, place the following line in /etc/hosts.deny:

  in.telnetd : ALL : severity emerg

This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.
Understanding and Managing xinetd daemon

What is xinetd daemon?

The xinetd program (which stands for Extended Internet Services Daemon) can start a number of server daemons simultaneously. The xinetd program listens for connection requests for all of the active servers with scripts in the /etc/xinetd.d directory. There's a generic configuration file for xinetd services, /etc/xinetd.conf. The scripts in the /etc/xinetd.d directory also function as service-specific configuration files.

Generic xinetd Configuration

Each file in the /etc/xinetd.d directory specifies a particular service you want to allow xinetd to manage. By default, scripts in this directory are disabled.

xinetd provides its own set of access control functions:

  hosts based
  time based

Sample configuration

  service telnet
  {
      disable         = yes
      flags           = REUSE
      socket_type     = stream
      wait            = no
      user            = root
      only_from       = 192.168.0.0/24
      no_access       = 192.168.0.1
      access_times    = 08:00-16:00
      server          = /usr/sbin/in.telnetd
      log_on_failure  += USERID
  }
Understanding and Managing SSH

What is SSH?

SSH (or Secure SHell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, making it difficult for intruders to collect unencrypted passwords from the connection.

Features of SSH

  After an initial connection, the client can verify that it is connecting to the same server it had connected to previously.

  The client transmits its authentication information to the server using strong, 128-bit encryption.

  All data sent and received during a session is transferred using 128-bit encryption, making intercepted transmissions extremely difficult to decrypt and read.

  The client can forward X11 applications from the server. This technique, called X11 forwarding, provides a secure means to use graphical applications over a network.

Why we should use SSH?

Network threats can be categorized as follows:

  Interception: the attacker can be somewhere on the network between the communicating parties, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient. This attack can be mounted through the use of a packet sniffer, a common network utility.

  Impersonation: the attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.

Procedure for SSH communication

SSH communication includes the following series of events to help protect the integrity of SSH communication between two hosts:

  A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.

  The transport layer of the connection between the client and remote host is encrypted using a symmetric cipher.

  The client authenticates itself to the server.

  The remote client interacts with the remote host over the encrypted connection.
Using SSH

Step 1: Create key pair

  ssh-keygen -t rsa      (or: ssh-keygen -t dsa)

Step 2: Send public key to client

  scp id_dsa.pub root@X.X.X.X:

Step 3: On the second computer, copy the key into ~/.ssh/authorized_keys

  # append rather than cp, so keys already in the file are kept
  cat id_dsa.pub >> ~/.ssh/authorized_keys
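Step 3 is where key logins most often break in practice, so here is an added example (not from the slides) that performs it safely: it appends the public key only once and sets the permissions sshd requires on ~/.ssh and authorized_keys. The function name install_pubkey, the helper key_count and the demo key line are all constructed for this example.

```shell
#!/bin/bash
# Added example, not from the slides: step 3 done safely. The slides' "cp" would
# replace any keys already in authorized_keys; this appends the new public key
# only if it is not there yet and fixes the permissions sshd insists on
# (~/.ssh 700, authorized_keys 600), without which key login silently fails.
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]; HOME_DIR defaults to $HOME.
install_pubkey() {
  local pub="$1" home="${2:-$HOME}" dir auth key
  dir=$home/.ssh; auth=$dir/authorized_keys
  key=$(head -n 1 "$pub")
  case "$key" in
    ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;   # OpenSSH public key line
    *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
  esac
  mkdir -p -m 700 "$dir"
  touch "$auth"; chmod 600 "$auth"; chmod 700 "$dir"   # mkdir -m skips existing dirs
  if grep -qxF "$key" "$auth"; then
    echo "already present"; return 0
  fi
  printf '%s\n' "$key" >> "$auth"
  echo "installed"
}

# key_count [HOME_DIR]: number of keys now authorised for that account
key_count() { grep -c -e '^ssh-' -e '^ecdsa-' "${1:-$HOME}/.ssh/authorized_keys"; }

# Demo on a throwaway home directory with a constructed (not real) DSA key line
demo_home=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAAC constructed-key user@station1\n' > "$demo_home/id_dsa.pub"
install_pubkey "$demo_home/id_dsa.pub" "$demo_home"    # installed
install_pubkey "$demo_home/id_dsa.pub" "$demo_home"    # already present
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```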
X11 Forwarding

Opening an X11 session over an SSH connection is as easy as connecting to the SSH server using the -X option and running an X program on the local machine:

  ssh -X user@example.com      (or: ssh -X user@X.X.X.X)

When an X program is run from the secure shell prompt, the SSH client and server create a new secure channel, and the X program data is sent over that channel to the client machine transparently.

X11 forwarding can be very useful. For example, X11 forwarding can be used to create a secure, interactive session of the Printer Configuration Tool. To do this, connect to the server using ssh and type:

  system-config-printer &

After supplying the root password for the server, the Printer Configuration Tool appears and allows the remote user to safely configure printing on the remote system.

Port Forwarding - SSH

SSH can secure insecure TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.

Port forwarding works by mapping a local port on the client to a remote port on the server. SSH can map any port from the server to any port on the client; port numbers do not need to match for this technique to work.

To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the following command:

  ssh -L local-port:remote-host:remote-port username@hostname

Port Forwarding - SSH

To check email on a server called mail.example.com using POP3 through an encrypted connection, use the following command:

  ssh -L 1100:mail.example.com:110 mail.example.com

Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port 1100 on the localhost to check for new mail. Any requests sent to port 1100 on the client system are directed securely to the mail.example.com server.

XDMCP - X Display Manager Control Protocol

Thank You !!!
