Section 42.7. System Security (Topic 2.212)

42.7.1. Review Questions

  1. Which file is considered first by TCP wrappers, hosts.allow or hosts.deny?

  2. Why is it a good idea to store the Tripwire database on a read-only medium, such as a CD-ROM disk?

  3. You have configured an internal network to use the 192.168.2.0/24 block of IP addresses. You have also configured a Linux system with two NICs and have enabled IP address forwarding. However, no users can access the Internet. You have decided not to use a proxy server. What else can you do to allow Internet access through your Linux router?

  4. Consider the following line in the /etc/ssh/ssh_config file. What does it instruct sshd to do?

     Protocol 2 

  5. You have been asked to use the iptables command to configure a system to automatically drop all connections from systems that attempt to access TCP ports 21 through 80 on your local system. Your supervisor wants this rule to be the first rule processed. Write in the command that will accomplish this.

  6. Why do many FTP servers contain their own copies of files such as ls, passwd, and chmod?

  7. You wish to use public-key authentication for an SSH session with a remote user. What must you first place into your ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 file?

42.7.2. Answers

  1. The hosts.allow file is considered first. Then TCP wrappers reads the contents of the hosts.deny file.

  2. Because storing the database on a read-only medium helps make you reasonably sure that the database has not been changed.

  3. Use iptables to enable Network Address Translation (NAT) using the MASQUERADE target.

  4. It instructs sshd to always use Version 2 of the SSH protocol, and never to use Version 1.

  5. The command is:

     # iptables -I INPUT -p tcp --dport 20:80 -j REJECT 

  6. Many FTP servers contain their own copies because many administrators choose to place FTP server daemon files inside of a chroot jail for added security.

  7. The public key generated by the remote user.

42.7.3. Exercises

  1. The SSH daemon is likely installed by default. If it is not, install it using your package manager or from the source files located at http://www.openssh.org. Familiarize yourself with the configuration files. Start sshd, then conduct a simple session. When you have done this, configure sshd to accept only clients that can use SSH Version 2, as it is by far the more secure protocol. Configure it also to forbid non-root logins, which is a way to keep the system secure during maintenance.

  2. Use SSH's port forwarding capabilities to protect an unencrypted protocol such as FTP, standard HTTP, or standard email traffic. To do this, you will need two systems that support SSH.

  3. Use tcpdump or Ethereal to sniff SSH default transactions. Note that, by default, all transactions are encrypted. However, by default, you must still provide your username and password. Even though authentication information is strongly encrypted by SSH in most cases, it is not a good idea to allow authentication information to exist on a network connection. Use the ssh-keygen command to generate a key pair for your user account. Configure the necessary identification files in your ~/.ssh directory, and exchange public keys with a remote user. Then experiment with conducting key-based authentication, as opposed to password-based authentication.

  4. Use the iptables command (or the ipchains command in older systems) to create and list rules. Consider enabling the following settings:

    • Block all traffic destined for local port 23 (Telnet).

    • Block all traffic destined for a remote system that you deem objectionable.

    • Log all traffic to port 80 to the /var/log/messages file.

  5. Now that you understand iptables, find a system with two NICs and enable both IP forwarding and masquerading. (iptables uses the term masquerading rather than Network Address Translation or NAT). To do this, simply use the nat table and enable masquerading for your public interface.

  6. The networking system in Linux systems is capable of thwarting various types of attacks. You have already seen how you can use the /proc/sys/net/ipv4/icmp_echo_ignore_all file or the /etc/sysctl.conf file to protect a system against ICMP packets. You can also protect your system against SYN floods by changing the value in the /proc/sys/net/ipv4/tcp_syncookies file from 0 to 1. You can also configure the /etc/sysctl.conf file to do this automatically. Experiment with these changes.
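The two settings in this exercise as a small sysctl.conf audit, written in Python as an added example (not from the book). It assumes the sysctl.conf(5) conventions: one "key = value" per line, lines starting with # or ; are comments, keys may be written with dots or slashes, and a later line overrides an earlier one; SAMPLE_CONF is a constructed file, not a real system's.

```python
# Expected values for the exercise's two controls, as dotted sysctl keys.
EXPECTED = {
    "net.ipv4.tcp_syncookies": "1",        # SYN cookies: keep accepting under a SYN flood
    "net.ipv4.icmp_echo_ignore_all": "1",  # do not answer ICMP echo requests
}

def proc_path(key):
    """Dotted sysctl key -> the /proc/sys file that holds the live value."""
    return "/proc/sys/" + key.replace(".", "/")

def parse_sysctl_conf(text):
    """Return {dotted_key: value}; comments skipped, later lines override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.replace("/", ".")] = value   # net/ipv4/x and net.ipv4.x are the same key
    return settings

def audit(text, expected=EXPECTED):
    """Map each control to 'ok', 'missing', or the wrong value the file sets."""
    found = parse_sysctl_conf(text)
    report = {}
    for key, want in expected.items():
        got = found.get(key)
        if got == want:
            report[key] = "ok"
        elif got is None:
            report[key] = "missing"
        else:
            report[key] = f"set to {got}"
    return report

# Constructed sample: SYN cookies end up enabled, ICMP echo is still answered.
SAMPLE_CONF = """\
# /etc/sysctl.conf (constructed for this example)
net.ipv4.ip_forward = 1
net/ipv4/tcp_syncookies = 0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_all = 0
"""
```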

  7. Install and configure an FTP daemon. Once it is working well, experiment with the ftpaccess file. Limit bandwidth and the number of connections. Also, experiment with creating settings for both anonymous users and those that supply actual usernames and passwords. Consider how using anonymous FTP is more secure than using standard FTP, which encrypts neither the initial authentication session nor the ensuing data transfer.

  8. Download and install the Snort intrusion detection application, which is available via the Snort home page (http://www.snort.org) or via your operating system's package management application. Configure the snort.conf file to reflect your network. You are also given a choice of several preprocessors. Some of these preprocessors will help detect port scans. Others help detect suspicious network traffic.

  9. Experiment with the preprocessors. Some will create false positives, in which legitimate traffic is mistaken for an attack. You will also find that actual attacks may be ignored, which in some cases can be seen as a false negative. Also, Snort ships with many signatures, which can help you identify and react to attacks. Your chances of receiving false positives increase with each signature you enable. It is up to you to determine the sensitivity level of your intrusion detection system.

  10. Remember that on a switch-based network Snort will not see traffic between other hosts. You can configure your switch to go into monitor mode.

  11. Download and install the open source version of Tripwire from the following URL: http://sourceforge.net/projects/tripwire. Once you have downloaded the package, install it, then configure Tripwire to protect only the most important sources. While it is best to install Tripwire on a brand-new system that has never been connected to a network, it is important to get practical experience configuring Tripwire and running reports before you take the LPI Exam.

  12. Experiment with the /etc/hosts.allow and /etc/hosts.deny files. As root, edit the /etc/hosts.allow file and enter the following:

     ALL: .testsystem.yourdnsdomain.com EXCEPT testsystem.yourdnsdomain.com 

    Then edit the /etc/hosts.deny file to contain the following entry:

     ALL: ALL 

    The result of this use of /etc/hosts.allow and /etc/hosts.deny is that all systems from your network will be able to connect to daemons controlled by TCP wrappers, except for the host named testsystem.yourdnsdomain.com.

    Remember that /etc/hosts.deny is considered after /etc/hosts.allow. So this configuration helps lock down all applications controlled by TCP wrappers. Some applications, such as Sendmail and Apache, may not use TCP wrappers. So don't let that confuse you.
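The access decision behind answer 1 and this exercise, in Python, as an added example (not from the book): hosts.allow is searched first, then hosts.deny, and a client that no rule matches is allowed. The file contents are constructed; a pattern with a leading dot matches every host name ending in that suffix, so the sample uses .yourdnsdomain.com to cover the whole domain. The daemon@host form, KNOWN/UNKNOWN/PARANOID and shell commands are left out.

```python
import ipaddress
import re
EXCEPT_RE = re.compile(r"\bEXCEPT\b", re.IGNORECASE)

def parse_rules(text):
    """Return (daemon_list, client_list) pairs; '#' comments and blank lines skipped."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(":")
        if len(fields) >= 2:
            rules.append((fields[0].strip(), fields[1].strip()))
    return rules

def match_client(pattern, host, addr):
    """One client pattern: ALL, .domain suffix, address prefix, net/mask or CIDR, exact."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):      # .example.com matches every host under it
        return host.endswith(pattern)
    if pattern.endswith("."):        # 192.168.2. matches addresses with that prefix
        return addr.startswith(pattern)
    if "/" in pattern:               # 192.168.2.0/255.255.255.0 or 192.168.2.0/24
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)

def match_list(text, matcher):
    """'list_1 EXCEPT list_2' matches list_1 but not list_2; EXCEPT binds to the right."""
    head, *rest = EXCEPT_RE.split(text, maxsplit=1)
    hit = any(matcher(tok) for tok in re.split(r"[\s,]+", head.strip()) if tok)
    if hit and rest:
        return not match_list(rest[0], matcher)
    return hit

def rules_match(rules, daemon, host, addr):
    return any(match_list(d, lambda p: p.upper() == "ALL" or p == daemon)
               and match_list(c, lambda p: match_client(p, host, addr))
               for d, c in rules)

def decide(hosts_allow, hosts_deny, daemon, host, addr):
    """A hosts.allow match grants access before hosts.deny is ever read."""
    if rules_match(parse_rules(hosts_allow), daemon, host, addr):
        return "allow"
    if rules_match(parse_rules(hosts_deny), daemon, host, addr):
        return "deny"
    return "allow"               # no rule in either file matches
# Constructed sample files: the domain-wide form of the exercise's policy.
HOSTS_ALLOW = "ALL: .yourdnsdomain.com EXCEPT testsystem.yourdnsdomain.com\n"
HOSTS_DENY = "ALL: ALL\n"
```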



LPI Linux Certification in a Nutshell (In a Nutshell (O'Reilly))
ISBN: 0596005288
Year: 2004
Pages: 257
