Man pages:

  • ssh – secure shell client (remote login program)
  • sshd – secure shell daemon (server)
  • ssh-keygen – Used to create RSA keys (host keys and user authentication keys)
  • ssh-keyscan – gather ssh public keys
  • ssh-add – adds identities to the authentication agent; used to register new keys with the agent.
  • scp – secure copy (remote file copy program)
  • slogin
  • sftp – secure file transfer program client.
  • sftp-server – secure file transfer program server.
  • ssh-agent – Authentication agent. This can be used to hold RSA keys for authentication.
  • telnet – user interface to the TELNET protocol

Documentation:

  • /usr/share/doc/openssh-XXX/
  • /usr/share/doc/openssh-askpass-XXX/
  • /usr/share/doc/openssl-0.XXX/

Test:

The network sniffer Ethereal (now Wireshark) was used to sniff network transmissions between the client and server for both telnet and ssh with the following results:

  • Test telnet clear text login (port 23): in the captured session, the text sent by the client is shown in green on a black background; the rest of the text was transmitted by the server. Note that both the login (“JoeUser”) and the password (“super-secret-password”) were captured in clear text.
  • Test ssh encrypted login (port 22): note that the entire login and password exchange was encrypted.


rssh: Restricted shell for use with OpenSSH sftp

FTP sends passwords and data to your server in clear text. This is fine only if all systems in the datacenter are secure and no one can sniff the network. Router and switch configurations make it almost impossible to sniff most networks these days, but a security compromise of another server at the datacenter can put your servers at risk if you allow the open, unencrypted passwords used by FTP.

VsFTPd also allows one to limit the user’s view of the filesystem to their own directories. This is good. OpenSSH “sftp” does not provide this capability until version 4.9 (RHEL/CentOS 5 use OpenSSH 4.3). The “sftp” file transfer does encrypt the passwords (good) but also requires shell access (bash, csh, …) for the account, which allows full access to the filesystem (bad). The rssh shell can be used with sftp, scp, cvs, rsync, and rdist; it can chroot users to their own directories and limit the account to sftp access only (denying full shell access).

For newer systems (RHEL6/CentOS6/Fedora 11) with OpenSSH 4.9+ see the preferred chrooted sftp configuration for OpenSSH 4.9+.

The solution is to use rssh as your shell with OpenSSH “sftp”:

  • rssh Home Page
  • rssh RPMs – Dag Wieers

Installation: rpm -ivh rssh-2.3.2-1.2.el5.rf.x86_64.rpm

This installs:

  • /usr/bin/rssh
  • /etc/rssh.conf
  • also support program /usr/libexec/rssh_chroot_helper and man pages

Check installed configuration: rssh -v

Configuration:

  1. OpenSSH configuration: /etc/ssh/sshd_config
       …
       PermitUserEnvironment no
       …
       Subsystem sftp /usr/libexec/openssh/sftp-server
       …
     Security note: also be aware of the setting AllowTcpForwarding, which controls port forwarding.
  2. Add the shell to the list of usable shells: /etc/shells
       /bin/sh
       /bin/bash
       /sbin/nologin
       /bin/tcsh
       /bin/csh
       /bin/ksh
       /bin/zsh
       /opt/bin/ftponly
       /usr/bin/rssh
     Ubuntu: you can use the command: add-shell /usr/bin/rssh
  3. Change the user’s shell to rssh (choose one method)
    • chsh -s /usr/bin/rssh user1
    • usermod -s /usr/bin/rssh user1
    • Assign shell when creating user: useradd -m -s /usr/bin/rssh user1
    • Edit /etc/passwd: user1:x:504:504::/home/user1:/usr/bin/rssh
  4. Allow the helper to run with root privileges (setuid), which it needs to call chroot(): chmod u+s /usr/libexec/rssh_chroot_helper
     This prevents the following error in /var/log/messages:
       Dec 20 00:23:44 nodex rssh_chroot_helper[27450]: chroot() failed, 2: Operation not permitted
  5. Set access for rssh: /etc/rssh.conf
       logfacility = LOG_USER
       allowsftp
       umask = 022
       #chrootpath = /users/chroot
       user="user1:022:00010:/home/user1"
     Global security options include: allowscp, allowcvs, allowrdist, allowrsync. Specify a global chroot (chrootpath) or omit it for none. The per-user “user=” entry has four colon-separated fields (specific user security):
     1. User login id
     2. First set of three numbers: the umask
     3. Second set of five numbers: the bitmask of allowed commands, one bit per command in this order:
          1     1     1   1    1
          rsync rdist cvs sftp scp
        (so 00010 allows sftp only)
     4. Chrooted directory for this user. If omitted, the user is not chrooted. A per-user value overrides the global chrootpath setting.

     Note: User configuration overrides the shared chroot settings. Omitted user settings do not default to the shared chroot settings.

  6. Configuring the chrooted directory: This applies to a global chroot as well as an individual user chroot. In this example the user is chrooted to their own home directory, /home/user1. When chrooted, the user does not have access to the rest of the filesystem and is therefore blind to all of its executables and libraries. It is therefore necessary to copy the required executables and libraries into the chroot for local use.

       Description                        User directory                       System equivalent
       System devices                     /home/user1/dev                      /dev
       Configuration files                /home/user1/etc                      /etc: /etc/ld.so.cache, /etc/ld.so.cache.d/*, /etc/ld.so.conf (dynamic linker configuration), /etc/nsswitch.conf, /etc/passwd, /etc/group, /etc/hosts, /etc/resolv.conf
       Shared libraries (32 and 64 bit)   /home/user1/lib, /home/user1/lib64   /lib, /lib64
       Executables and libraries          /home/user1/usr                      /usr: /usr/libexec/openssh/sftp-server, /usr/libexec/rssh_chroot_helper
       Executables                        /home/user1/bin                      /bin

     Use the following script to add the files required in the chroot: /opt/bin/userchroot

       #!/bin/bash
       # First and only argument ($1) is the user id
       if [ -d /home/$1 ]; then
           USERDIR=/home/$1
       else
           echo "Error: Directory /home/$1 does not exist"
           exit 1
       fi
       mkdir $USERDIR/etc
       mkdir $USERDIR/lib
       mkdir -p $USERDIR/usr/libexec/openssh
       mkdir -p $USERDIR/var/log
       mkdir $USERDIR/dev
       # /dev/null as a real character device (major 1, minor 3)
       mknod -m 666 $USERDIR/dev/null c 1 3
       cp -p /etc/ld.so.cache $USERDIR/etc
       # Copy the directory only if it exists
       if [ -d /etc/ld.so.cache.d ]; then
           cp -avRp /etc/ld.so.cache.d $USERDIR/etc
       fi
       # Only this user's entry goes into the chroot's passwd (anchored match, not a substring)
       grep "^$1:" /etc/passwd > $USERDIR/etc/passwd
       cp -p /etc/ld.so.conf $USERDIR/etc
       cp -p /etc/nsswitch.conf $USERDIR/etc
       cp -p /etc/group $USERDIR/etc
       cp -p /etc/hosts $USERDIR/etc
       cp -p /etc/resolv.conf $USERDIR/etc
       cp -ap /usr/libexec/openssh/sftp-server $USERDIR/usr/libexec/openssh/sftp-server
       cp -ap /usr/libexec/rssh_chroot_helper $USERDIR/usr/libexec/rssh_chroot_helper
       # Authentication libraries required for login (32 bit and 64 bit systems)
       if [ -d /lib64 ]; then
           mkdir $USERDIR/lib64
           cp -ap /lib64/libnss_files.so.? $USERDIR/lib64
           cp -ap /lib64/libnss_files-*.so $USERDIR/lib64
       else
           cp -p /lib/libnss_files.so.? $USERDIR/lib
           cp -p /lib/libnss_files-*.so $USERDIR/lib
       fi
       # Copy every shared library the sftp server depends on, keeping its path
       FILES=$(ldd /usr/libexec/openssh/sftp-server | perl -ne 's:^[^/]+::; s: \(.*\)$::; print;')
       for ii in $FILES
       do
           rtdir="$(dirname $ii)"
           [ ! -d $USERDIR$rtdir ] && mkdir -p $USERDIR$rtdir || :
           /bin/cp -p $ii $USERDIR$rtdir
       done
       # Same for the chroot helper
       FILES=$(ldd /usr/libexec/rssh_chroot_helper | perl -ne 's:^[^/]+::; s: \(.*\)$::; print;')
       for ii in $FILES
       do
           rtdir="$(dirname $ii)"
           [ ! -d $USERDIR$rtdir ] && mkdir -p $USERDIR$rtdir || :
           /bin/cp -p $ii $USERDIR$rtdir
       done

     Note:
    • Script use: /opt/bin/userchroot user1
    • The files and directories reflect the file and path names for Red Hat Enterprise Linux 5 and CentOS 5.
    • Instead of copying files, one can also use a hard link, e.g. ln /etc/ld.so.conf /home/user1/etc/ld.so.conf, if the files are on the same disk (filesystem). In that way, users receive updates to the system files. Symbolic links will not work; see symlinks and chroot for this discussion. If the user directory is on a separate drive, use the copy as defined in the script.
    • Reduce the chroot’s /etc/passwd to the single user (do not include root etc.):
        user1:x:504:504::/home/user1:/usr/bin/rssh
    • Once chroot() takes place, programs no longer have access to the regular syslog socket. Specify a chrooted syslog socket target that can be accessed from inside the jail. The number of such sockets is limited, so configuring a separate chroot per user is not a good idea for a large number of users. For many users, use the shared chrooted jail defined by the rssh directive chrootpath.
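As an added example (not from the tutorial or the rssh project), the following shell functions decode the fields of an rssh.conf “user=” entry from step 5 and audit a jail built as in step 6: the jail’s /etc/passwd must be reduced to the one user, /dev/null must be a real character device, and each program plus every shared library ldd reports for it must exist under the jail. It generalises the ldd loop of the userchroot script into a check that works for any list of programs. The jail path, user name and the hypothetical binary path in the usage comment are assumptions.

```shell
#!/bin/bash
# Added example, not part of the tutorial: decode an rssh.conf "user=" entry
# and audit the chroot jail built by the userchroot script.
# Assumed layout: jail under /home/<user>, passwd reduced to one line,
# sftp-server and rssh_chroot_helper copied in with their libraries.

# rssh_user_access LINE: print the user, umask, chroot path and the commands
# the five access bits allow (bit order from rssh.conf(5): rsync rdist cvs sftp scp).
rssh_user_access() {
    local entry="${1#user=}"                 # strip the "user=" keyword
    entry="${entry#\"}"; entry="${entry%\"}" # and the surrounding quotes
    local user mask bits chroot
    IFS=: read -r user mask bits chroot <<EOF
$entry
EOF
    local allowed="" i=1 name
    for name in rsync rdist cvs sftp scp; do
        # the i-th character of the five-character mask is that command's bit
        [ "$(printf '%s' "$bits" | cut -c"$i")" = "1" ] && allowed="${allowed:+$allowed }$name"
        i=$((i + 1))
    done
    printf '%s umask=%s chroot=%s allowed=%s\n' "$user" "$mask" "${chroot:-none}" "$allowed"
}

# needed_libs BIN: absolute paths of the shared objects ldd reports for BIN
needed_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\/.*\.so/) print $i }'
}

# jail_passwd_ok JAIL USER: the jail's /etc/passwd holds exactly one entry, for USER
jail_passwd_ok() {
    local f="$1/etc/passwd"
    [ -f "$f" ] && [ "$(wc -l < "$f" | tr -d ' ')" -eq 1 ] && grep -q "^$2:" "$f"
}

# jail_devnull_ok JAIL: /dev/null inside the jail must be a character device
jail_devnull_ok() { [ -c "$1/dev/null" ]; }

# check_jail JAIL USER BIN...: every BIN and every library it needs must exist
# under JAIL; prints what is missing and returns 1 if anything is.
check_jail() {
    local jail="$1" user="$2" rc=0 bin lib
    shift 2
    jail_passwd_ok "$jail" "$user" || { echo "$jail/etc/passwd is not reduced to $user"; rc=1; }
    for bin in "$@"; do
        [ -e "$jail$bin" ] || { echo "missing $jail$bin"; rc=1; }
        for lib in $(needed_libs "$bin"); do
            [ -e "$jail$lib" ] || { echo "missing $jail$lib"; rc=1; }
        done
    done
    return $rc
}

# Usage on a real system (as root), paths assumed from the tutorial:
#   rssh_user_access 'user="user1:022:00010:/home/user1"'
#   check_jail /home/user1 user1 /usr/libexec/openssh/sftp-server /usr/libexec/rssh_chroot_helper
#   jail_devnull_ok /home/user1 || echo "run: mknod -m 666 /home/user1/dev/null c 1 3"
```

check_jail deliberately compares against what ldd reports on the live system, so it also catches a jail that has gone stale after a glibc or OpenSSH update replaced a library the copy was made from.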

Blocking FTP: Setting up rssh does not turn off or block FTP access to your system. You must still turn off vsftpd: /etc/init.d/vsftpd stop. There is little point in setting up secure chrooted sftp access with rssh while also running an FTP service.

Debugging:

  • One can pull the full system directories into the jail by issuing bind mounts:
    • mount --bind /dev /home/user1/dev
    • mount --bind /lib /home/user1/lib
    • mount --bind /lib64 /home/user1/lib64
    • mount --bind /usr /home/user1/usr

    This technique can be used to narrow down the error and find which directory is missing files. It should not be used as a final solution, since it exposes the whole system directory inside the jail. Unmount when done: umount /home/user1/dev (and likewise for the other mounts).

  • If authenticating to LDAP, NIS, etc., pull in the appropriate NSS libraries. You can test with all of them: cp -p /lib/libnss_* /home/user1/lib This can be performed for /lib64 as well.
  • Check log files for errors: /var/log/messages

Man pages:

  • rssh man page
  • rssh.conf man page
  • sftp man page

Using gFTP as a Linux sftp client:

  • Start program through menu or command line: gftp&
  • Select “FTP” from toolbar
  • Select “Options”
  • Select “SSH” tab
  • Select “Apply” and “Ok”
  • On the upper right hand side of the gftp window, select “SSH” from the pull-down menu.

Using FileZilla as a Linux sftp client:

  • Select “File” + “Site Manager”
  • Select “New Site” (bottom left)
  • Enter “Host:”
  • Choose “Servertype:” “SFTP using SSH2”
  • Select “Logontype:” “Normal”
  • Enter “User:” and click on “Connect”.

Links:

  • Multi-platform GUI client FileZilla
  • MS/Windows client WinSCP (supports sftp)


SentryTools: PortSentry

This tool monitors network probes and attacks against your server. It can be configured to log and counter these probes and attacks. PortSentry can modify your /etc/hosts.deny (PAM module) file and issue IP firewall commands automatically to block hackers.

PortSentry can be loaded as an RPM, but this tutorial covers compiling PortSentry from source in order to configure more suitable system logging.

Note: Version 1.2 of portsentry can issue iptables, ipchains or route commands to thwart attacks. Iptables/Ipchains is a Linux firewall system built into the Linux kernel. Linux kernel 2.6/2.4 uses iptables, kernel 2.2 (old) uses ipchains. References to ipfwadm are for even older Linux kernels. Route commands can be used by any Unix system including those non-Linux systems which do not support Iptables/Ipchains.

Steps to install and configure portsentry:

  1. Download and unzip source code
  2. Edit include file and compile
  3. Start PortSentry
  4. Read logs
  1. Download and unzip source code:
    • Download: PortSentry source code
    • Move to your source directory and unzip: tar -xzf portsentry-1.2.tar.gz
  2. Edit include file and compile: cd portsentry_beta/ and read the file README.install. It details the following:
    • Edit file: portsentry_config.h
      Set file paths and configure a separate log file for PortSentry:

      Set options:

      • CONFIG_FILE – PortSentry run-time configuration file.
      • WRAPPER_HOSTS_DENY – The path and name of TCP wrapper hosts.deny file.

        #define CONFIG_FILE "/opt/portsentry/portsentry.conf"
        #define WRAPPER_HOSTS_DENY "/etc/hosts.deny"
        #define SYSLOG_FACILITY LOG_DAEMON      – Default. Change to LOG_LOCAL6
        #define SYSLOG_LEVEL LOG_NOTICE

      (Note: I use /opt/portsentry/ because I like to locate “optional” files/software there. It allows for an easy backup by separating it from the OS. If you prefer, you can use /etc/portsentry/ for configuration files and follow the Linux/Unix file system logic.)

      The above default, “LOG_DAEMON”, will log messages to the /var/log/messages file.

      To log to a separate file dedicated to PortSentry logging: (This will eliminate logging clutter in the main system logging file)

      • Add logging directives to the syslogd configuration file /etc/syslog.conf. Change the following line by adding an extra log facility for portsentry messages, which are then not logged to the regular syslog output file /var/log/messages. This lists what messages to filter out from /var/log/messages:

          *.info;mail.none;news.none;authpriv.none;cron.none;local6.none    /var/log/messages

        Add the following line to assign a portsentry log facility:

          local6.*    /var/log/portsentry.log

        Note: use tabs, not spaces, as the separator in the syslog configuration file.

        Restart syslogd: /etc/init.d/syslog restart

      • Set the portsentry_config.h entry to the new log facility. Change from the default setting:
          #define SYSLOG_FACILITY LOG_DAEMON
        to:
          #define SYSLOG_FACILITY LOG_LOCAL6

      FYI: Options for the SYSLOG_FACILITY are defined in /usr/include/sys/syslog.h. They include:

        SYSLOG_FACILITY   Facility name   Description
        LOG_LOCAL0        local0          reserved for local use
        LOG_LOCAL1        local1          reserved for local use
        LOG_LOCAL2        local2          reserved for local use
        LOG_LOCAL3        local3          reserved for local use
        LOG_LOCAL4        local4          reserved for local use
        LOG_LOCAL5        local5          reserved for local use
        LOG_LOCAL6        local6          reserved for local use
        LOG_LOCAL7        local7          reserved for local use
        LOG_USER          user            random user-level messages
        LOG_MAIL          mail            mail system
        LOG_DAEMON        daemon          system daemons
        LOG_SYSLOG        syslog          messages generated internally by syslogd
        LOG_LPR           lpr             line printer subsystem
        LOG_NEWS          news            network news subsystem
        LOG_UUCP          uucp            UUCP subsystem
        LOG_CRON          cron            clock daemon
        LOG_AUTHPRIV      authpriv        security/authorization messages (private)
        LOG_FTP           ftp             ftp daemon

      Options for the SYSLOG_LEVEL include:

        SYSLOG_LEVEL   Priority   Description
        LOG_EMERG      0          system is unusable
        LOG_ALERT      1          action must be taken immediately
        LOG_CRIT       2          critical conditions
        LOG_ERR        3          error conditions
        LOG_WARNING    4          warning conditions
        LOG_NOTICE     5          normal but significant condition
        LOG_INFO       6          informational
        LOG_DEBUG      7          debug-level messages

    • Edit file: portsentry.conf to set paths for configuration files and ports to monitor.

        TCP_PORTS="1,11,15,20,21,23,25,69,79, … "
        UDP_PORTS="1,7,9,69,161,162,513,635, … "
        …
        IGNORE_FILE="/opt/portsentry/portsentry.ignore"
        HISTORY_FILE="/opt/portsentry/portsentry.history"
        BLOCKED_FILE="/opt/portsentry/portsentry.blocked"
        #KILL_ROUTE="/sbin/route add -host $TARGET$ reject"    – Generic Unix KILL_ROUTE; I prefer the iptables/ipchains options below

      Uncomment and modify, if necessary, the appropriate statements. The TCP_PORTS= and UDP_PORTS= lists are ignored in the stealth scan detection modes. Add common but unused services, i.e. add port 25 if the system is not accepting email, as port 25 is included in most scans. I added UDP port 68 (BOOTP) and TCP 21 (ftp), 22 (ssh), 25 (smtp mail), 53 (dns bind), 80 (http web server), 119 (news) to the ADVANCED_EXCLUDE_UDP and ADVANCED_EXCLUDE_TCP statements respectively.

        ADVANCED_EXCLUDE_TCP="21,22,25,53,80,110,113,119"      – server
        ADVANCED_EXCLUDE_UDP="21,22,53,110,520,138,137,68,67"
      OR
        ADVANCED_EXCLUDE_TCP="113,139"                         – workstation
        ADVANCED_EXCLUDE_UDP="520,138,137,68,67"

      PAM options:
      • KILL_HOSTS_DENY="ALL: $TARGET$"

      For more on PAM see the YoLinux Network Admin Tutorial.

      Choose one option: (Options: network “route” or firewall command “iptables/ipchains”)

      1. For those using iptables (Linux kernel 2.6/2.4+):
           KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
         (Note: the default in portsentry.conf uses the incorrect path for Red Hat. Change /usr/local/bin/iptables to /sbin/iptables.)
      2. For Linux 2.2.x kernels (version 2.102+) using ipchains: (Best option)
           KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
         OR
           KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
         Note: the second option is without the “-l” (logging) option, so ipchains won’t keep logging the portscan in /var/log/messages.
      3. Simple method to drop network return routes if iptables or ipchains are not compiled into your kernel:
           KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
         You can check the addresses dropped with the command: netstat -rn. They will be routed to interface “-”.

      Note on Red Hat 7.1: During installation/upgrade the firewall configuration tool /usr/bin/gnome-lokkit may be invoked. It will configure a firewall using ipchains and will add this to your boot process. To see if ipchains and the Lokkit configuration are invoked during system boot, use the command: chkconfig --list | grep ipchains. You can NOT use portsentry to issue iptables rules if your kernel is configured to use ipchains rules. More info on iptables and ipchains support/configuration in Red Hat 7.1 and kernel 2.4.

    • Edit file: portsentry.ignore (contains IP addresses to ignore):
        127.0.0.1
        0.0.0.0
        Your IP address
      The @Home network routinely scans for news servers on port 119 from a server named authorized-scan1.security.home.net. Adding the IP address of this server (24.0.0.203) greatly reduces the logging. I also added their BOOTP server (24.9.139.130). I manually issued the iptables (kernel 2.6/2.4) commands on my workstation to drop the hosts and deny their scans. @Home users may add the commands to the file /etc/rc.d/rc.local:

        /sbin/iptables -I INPUT -s 24.0.0.203 -j DROP
        /sbin/iptables -I INPUT -s 24.9.139.130 -j DROP

    • Edit file: Makefile
        INSTALLDIR = /opt

      And remove the line under “uninstall”: (dangerous line!!)
        #               /bin/rmdir $(INSTALLDIR)

      And change the line under “install”: (troublesome line!!)
        #               chmod 700 $(INSTALLDIR)
      to:
        #               chmod 700 $(INSTALLDIR)/$(CHILDDIR)

    • Compile: make linux
      Fix the following compile errors in portsentry.c:
      • Change
          printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");
        to one line:
          printf ("Copyright 1997-2003 Craig H. Rowland\n");
      • Fix the warning “warning: passing argument 3 of ‘accept’ from incompatible pointer type”: separate and change the declaration of “length” to: unsigned int length;
    • Install (as root): make install
  3. Run PortSentry for advanced UDP/TCP stealth scan detection:
    • portsentry -atcp
    • portsentry -audp

    OR use init scripts below in next section.

  4. Check the logfile for hacker attacks. See /var/log/messages, or /var/log/portsentry.log if you are logging to a dedicated file. Also check /etc/hosts.deny to see the list of IP addresses that PortSentry has deemed attackers. Check the “HISTORY_FILE” /opt/portsentry/portsentry.history

Note: It is possible to have all logging sent to a logging daemon on a single server. This allows the administrator to check the logs on only one server rather than individually on many.

Note on Red Hat 7.1: Powertools RPM layout:

  • /usr/sbin/portsentry – (chmod 700) executable
  • /etc/portsentry/ – (chmod 700) Directory used for configuration files.
  • /etc/portsentry/portsentry.conf (chmod 600)
  • /etc/portsentry/portsentry.ignore (chmod 600)
  • /var/portsentry/portsentry.history
  • /var/portsentry/portsentry.blocked

In the Powertools package, instead of a firewall command (ipchains/iptables), a false route is used: /sbin/route add -host $TARGET$ gw 127.0.0.1. My init script calls the portsentry executable twice with the appropriate command line arguments to monitor TCP and UDP ports. The Red Hat 7.1 init script uses the file /etc/portsentry/portsentry.modes and a for loop in the init script to call portsentry the appropriate number of times. Their init script also recreates the portsentry.ignore file each time portsentry is started, including the IP addresses found with ifconfig and the addresses 0.0.0.0 and localhost. Persistent addresses must be placed above the line stating “Do NOT edit below this”; otherwise they are not included when the new file is created. The Red Hat 7.1 Powertools portsentry version logs everything to /var/log/messages. My configuration avoids log clutter by logging to a separate file.

Notes on DOS (Denial of Service) possibility: If portsentry is configured to shut down an attack with firewall rules, an attacker may use this feature to slow down your machine over time by creating a huge set of firewall rules. It would require the hacker to use (or spoof) a new IP address each time. It is probably a good idea to monitor or even clear the firewall rules from time to time.

  • iptables:
    • List firewall rules: iptables -L
    • Clear firewall rules: iptables -F
  • ipchains:
    • List firewall rules: ipchains -L
    • Clear firewall rules: ipchains -F
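Added example, not part of the tutorial: shell functions that summarise PortSentry’s attackalert lines (the log format shown in the Tests section below), list the hosts it blocked, and compare them with the DROP rules in saved “iptables -S INPUT” output, so that an operator can see how many rules the automatic blocking has accumulated (the DoS concern above) and which logged blocks no longer have a rule after a flush. The log lines, rule lines, hostnames and addresses are constructed sample data, and the 500-rule threshold is an arbitrary assumption.

```shell
#!/bin/bash
# Added example, not part of the tutorial: summarise PortSentry's attackalert
# log lines and compare the hosts it blocked against iptables DROP rules.
# Log format follows the tutorial's /var/log/portsentry.log sample; the rule
# format is "iptables -S INPUT" output. All sample data below is constructed.

# scan_sources LOG: "count ip" per scanning host, most active first
scan_sources() {
    sed -n 's|.*attackalert: .* scan from host: [^ ]*/\([0-9.]*\) to .*|\1|p' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# blocked_hosts LOG: hosts PortSentry reports as blocked via wrappers, one per line
blocked_hosts() {
    sed -n 's|.*attackalert: Host \([0-9.]*\) has been blocked via wrappers.*|\1|p' "$1" | sort -u
}

# drop_rule_hosts RULES: source addresses of "-A INPUT ... -s X -j DROP" rules
drop_rule_hosts() {
    awk '$1 == "-A" && $2 == "INPUT" {
             src = ""; drop = 0
             for (i = 3; i <= NF; i++) {
                 if ($i == "-s") src = $(i + 1)
                 if ($i == "-j" && $(i + 1) == "DROP") drop = 1
             }
             if (drop && src != "") { sub("/32$", "", src); print src }
         }' "$1" | sort -u
}

# unblocked LOG RULES: hosts logged as blocked that have no DROP rule any more
unblocked() {
    local rules
    rules=$(drop_rule_hosts "$2")
    blocked_hosts "$1" | while read -r ip; do
        printf '%s\n' "$rules" | grep -qxF "$ip" || echo "$ip"
    done
}

# drop_rules_within RULES LIMIT: fail when the number of DROP rules exceeds LIMIT
drop_rules_within() {
    [ "$(drop_rule_hosts "$1" | wc -l | tr -d ' ')" -le "$2" ]
}

# write_samples DIR: constructed log and rule files for a stand-alone run
write_samples() {
    cat > "$1/portsentry.log" <<'EOF'
Jan  5 02:11:09 nodex portsentry[589]: attackalert: SYN/Normal scan from host: scanner.example.net/198.51.100.7 to TCP port: 23
Jan  5 02:11:09 nodex portsentry[589]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7"
Jan  5 02:11:09 nodex portsentry[589]: attackalert: Host 198.51.100.7 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 198.51.100.7 -j DROP"
Jan  5 02:11:10 nodex portsentry[589]: attackalert: SYN/Normal scan from host: scanner.example.net/198.51.100.7 to TCP port: 111
Jan  5 02:11:11 nodex portsentry[589]: attackalert: SYN/Normal scan from host: scanner.example.net/198.51.100.7 to TCP port: 515
Jan  5 03:40:02 nodex portsentry[589]: attackalert: SYN/Normal scan from host: 203.0.113.9/203.0.113.9 to TCP port: 23
Jan  5 03:40:02 nodex portsentry[589]: attackalert: Host 203.0.113.9 has been blocked via wrappers with string: "ALL: 203.0.113.9"
Jan  4 23:15:44 nodex portsentry[589]: attackalert: SYN/Normal scan from host: 192.0.2.44/192.0.2.44 to TCP port: 1
Jan  4 23:15:44 nodex portsentry[589]: attackalert: Host 192.0.2.44 has been blocked via wrappers with string: "ALL: 192.0.2.44"
EOF
    cat > "$1/iptables.rules" <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -s 203.0.113.9/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Stand-alone run on the constructed samples (on a real host use
# /var/log/portsentry.log and "iptables -S INPUT > rules.txt" instead)
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
echo "scan sources (count ip):"; scan_sources "$SAMPLES/portsentry.log"
echo "logged as blocked but no DROP rule:"; unblocked "$SAMPLES/portsentry.log" "$SAMPLES/iptables.rules"
drop_rules_within "$SAMPLES/iptables.rules" 500 || echo "warning: more than 500 DROP rules, review and flush"
rm -rf "$SAMPLES"
```

On the sample data 198.51.100.7 is the busiest source (three probes), and 192.0.2.44 shows up as logged-but-unblocked because its rule is absent from the saved rule set, which is exactly what a periodic iptables -F (the clean-up approach described next) produces.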

Clean-up script: /etc/cron.monthly/reset-chainrules (-rwx------ 1 root root) This script is run automatically once a week by cron. (The presence of this script in this directory for the Red Hat configuration makes it so.)

  #!/bin/bash
  # Purge and re-assign chain rules
  ipchains -F
  ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
  ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
  ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
  ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
  ipchains -A input -p tcp -s 0/0 -d 0/0 515 -y -j REJECT
  ipchains -A input -p udp -s 0/0 -d 0/0 515 -j REJECT
  ipchains -A input -p tcp -s 0/0 -d 0/0 111 -y -j REJECT
  ipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECT
  ipchains -A input -j REJECT -p all -s localhost -i eth0 -l

Also see:

  • Sourceforge: Portsentry Home Page – PortSentry, Logcheck and HostSentry home page.
  • Portsentry description
  • FAQ: Firewall Forensics – Robert Graham

Other tools to detect portscans and network based hacker attacks:

  • scanlogd – Attack detection.
  • InterSect Alliance – Intrusion analysis. Identifies malicious or unauthorized access attempts.
  • snort – Instead of monitoring a single server with portsentry, snort monitors the network, performing real-time traffic analysis and packet logging on IP networks for the detection of an attack or probe. Also see: YoLinux IDS and Snort links

Using an init script to start and stop the portsentry program.

Init configuration: /etc/rc.d/init.d/portsentry The init script needs to be executable: chmod a+x /etc/rc.d/init.d/portsentry After adding the following script, enter it into the init process with the command: chkconfig --add portsentry or chkconfig --level 345 portsentry on See the YoLinux Init Tutorial for more information.

  #!/bin/bash
  #
  # Startup script for PortSentry
  #
  # chkconfig: 345 85 15
  # description: PortSentry monitors TCP and UDP ports for network attacks
  #
  # processname: portsentry
  # pidfile: /var/run/portsentry.pid
  # config: /opt/portsentry/portsentry.conf
  # config: /opt/portsentry/portsentry.ignore
  # config: /opt/portsentry/portsentry.history
  # config: /opt/portsentry/portsentry.blocked

  # Source function library.
  . /etc/rc.d/init.d/functions

  # Source networking configuration.
  . /etc/sysconfig/network

  # Check that networking is up.
  [ ${NETWORKING} = "no" ] && exit 0

  # See how we were called.
  case "$1" in
    start)
          echo -n "Starting portsentry: "
          # one instance for TCP, one for UDP stealth detection
          daemon /opt/portsentry/portsentry -atcp
          daemon /opt/portsentry/portsentry -audp
          echo
          touch /var/lock/subsys/portsentry
          ;;
    stop)
          echo -n "Shutting down portsentry: "
          killproc portsentry
          echo
          rm -f /var/lock/subsys/portsentry
          rm -f /var/run/portsentry.pid
          ;;
    status)
          status portsentry
          ;;
    restart)
          $0 stop
          $0 start
          ;;
    reload)
          echo -n "Reloading portsentry: "
          killproc portsentry -HUP
          echo
          ;;
    *)
          echo "Usage: $0 {start|stop|restart|reload|status}"
          exit 1
  esac

  exit 0

Logrotate Configuration:

Create the following file to have your logs rotate. File: /etc/logrotate.d/portsentry

  /var/log/portsentry.log {
      rotate 12
      monthly
      errors root@localhost
      missingok
      postrotate
          /usr/bin/killall -HUP portsentry 2> /dev/null || true
      endscript
  }

Also see the YoLinux Sys Admin tutorial covering logrotate.

Tests:

  • Portscan your workstation – Use your web browser to go to this site. Select “Probe my ports” and it will scan you. You can then look at the file /opt/portsentry/portsentry.blocked.atcp to see that portsentry dropped the scanning site:

      Host: shieldsup.grc.com/207.71.92.221 Port: 23 TCP Blocked

    The file /var/log/portsentry.log will show the action taken:

      portsentry[589]: attackalert: SYN/Normal scan from host: shieldsup.grc.com/207.71.92.221 to TCP port: 23
      portsentry[589]: attackalert: Host 207.71.92.221 has been blocked via wrappers with string: "ALL: 207.71.92.221"
      portsentry[589]: attackalert: Host 207.71.92.221 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 207.71.92.221 -j DENY -l"

  • nmap: portscanner – This is the hacker tool responsible for many of the portscans you may be receiving. Command arguments:

      Argument                    Description
      -sO                         IP scan. Find open ports.
      -sT                         TCP scan. Full connection made.
      -sS                         SYN scan (half open scan). This scan is typically not logged on the receiving system.
      -sP                         Ping ICMP scan.
      -sU                         UDP scan.
      -P0                         Don’t ping before scan.
      -PT                         Use ping to determine which hosts are available.
      -F                          Fast scan. Scan for ports listed in configuration.
      -T                          Set timing of scan to use values to avoid detection.
      -O                          Determines operating system.
      -p 1000-1999,5000-5999      Scan port ranges specified.

    Also see: nmap man page for a full listing of nmap command line arguments.

    Examples:

      nmap -sT -F IP-address               Scan
      nmap -sS -F IP-address               SYN scan
      nmap -sU -F IP-address               Scan UDP ports
      nmap -sF -F IP-address               FIN scan
      nmap -O -F IP-address                Determine OS
      nmap -p22 -F -O IP-address
      nmap -p 1-30,40-65535 IP-address     Scan given port ranges

    Add the option -v (verbose) or -vv (super verbose) for more info. The ports will be reported as open, filtered or firewalled.

    Sample output from command: nmap -sS -F -O IP-address

      Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
      .....
      (The 1067 ports scanned but not shown below are in state: closed)
      Port       State       Service
      21/tcp     open        ftp
      22/tcp     open        ssh
      25/tcp     open        smtp
      53/tcp     open        domain
      111/tcp    open        sunrpc         – Shut down the portmap (RPC) daemon: /etc/rc.d/init.d/portmap stop
      137/tcp    filtered    netbios-ns     – Turn off netbios services: /etc/rc.d/init.d/smb stop
      138/tcp    filtered    netbios-dgm
      139/tcp    filtered    netbios-ssn

      TCP Sequence Prediction: positive increments
                               Difficulty=2727445 (Good luck!)
      Remote operating system guess: Linux 2.1.122 - 2.2.16

      Nmap run completed -- 1 IP address (1 host up) scanned in 36 seconds

  • nmap/nmapfe: nmapfe = nmap front end – GUI front end to nmap. It’s an amazingly easy and useful tool which will help you make discoveries about your servers before the hackers do. Nmap and nmapfe are available with the distribution or on the Red Hat Powertools CD for older (7.1) releases:
    • nmap-XXX.i386.rpm
    • nmap-frontend-XXX.i386.rpm

Links:

  • nmap man page
  • The Art of Port Scanning – by Fyodor
  • ndiff – Compares two nmap scans and outputs the differences. Monitor network for changes.


Tripwire: (security monitoring)

Tripwire monitors your file system for changes. Tripwire is used to create an initial database of information on all the system files then runs periodically (cron) to compare the system to the database.

Use the command tripwire --version or rpm -q tripwire to determine the version.

Red Hat includes Tripwire as an optional package during install. The Ubuntu/Debian install is as easy as apt-get install tripwire. Upon installation it will proceed to scan your entire filesystem to create a default database of what your system looks like. (files and sizes etc) It took about ten minutes to run on my server!

Tripwire configuration files:

  • Tripwire 2.3.0-58: (Red Hat 7.1)
    • /etc/tripwire/twcfg.txt
    • /etc/tripwire/twpol.txt

    These files are first edited and then processed by the script /etc/tripwire/twinstall.sh, which configures Tripwire after the installation of the Tripwire RPM package.

    Edit and change file: /etc/tripwire/twcfg.txt

    Change:
      LOOSEDIRECTORYCHECKING =false
    to
      LOOSEDIRECTORYCHECKING =TRUE
    This was recommended in the comments of the file twpol.txt.

    Edit and change file: /etc/tripwire/twpol.txt

    Change:
      severity = $(SIG_XXX)
    to
      severity = $(SIG_XXX), emailto = root@localhost
    or
      severity = $(SIG_XXX), emailto = root@localhost;admin@isp.com

    where XXX is the severity level. This will cause Tripwire to email a report of discrepancies for the rule edited. Set the email address to one appropriate for you.

    I also added:

    • “User binaries” rule: directory /opt/bin
    • “Libraries” rule: directory /opt/lib

    I removed/commented out:

    • the rule “System boot changes” as it reports changes due to system boot.
    • Rule “Root config files”: Many of the non-existent files listed under /root were commented out to reduce the number of errors reported.
    • Rule “File System and Disk Administration Programs”: Many of the non-existent binaries listed under /sbin were commented out to reduce the number of errors reported.

    After configuration files have been edited run the script: /etc/tripwire/twinstall.sh The script will ask for a “passphrase” for the site and local system. This is a similar concept to a password – remember it!

    If at any point you want to make configuration/policy changes, edit these files and re-run the configuration script. The script will generate the true configuration files used by Tripwire:

    • /etc/tripwire/tw.cfg (View with command: twadmin --print-cfgfile)
    • /etc/tripwire/tw.pol (View with command: twadmin --print-polfile)
    • /etc/tripwire/site.key
    • /etc/tripwire/ServerName-a-local.key

    These files are binary and not human readable.

  • Tripwire 1.2-3 (Red Hat 6.2 Powertools): /etc/tw.config

Tripwire initialization:

If at any time you change the configuration file to monitor your system differently or install an upgrade (changes a whole lot of files which will “trip” tripwire into reporting all changes) you may want to generate a new database.

  • Tripwire 2.3.0-58: /usr/sbin/tripwire --init
    You will be prompted for your “local passphrase”. This will generate a tripwire database file: /var/lib/tripwire/ServerName-a.twd
  • Tripwire 1.2-3: /usr/sbin/tripwire -initialize
    This will generate a tripwire database file: ./databases/tw.db_ServerName. If you are in root’s home directory, this will create the file /root/databases/tw.db_ServerName. At this point copy it to a usable location:

      cp -p /root/databases/tw.db_ServerName /var/spool/tripwire/tw.db_ServerName

    Don’t change /etc/tw.config without first running tripwire -initialize; otherwise it will show differences due to settings in the tw.config file rather than true differences.

Cron and tripwire:

Cron runs tripwire:

  • Tripwire 2.3.0-58: File: /etc/cron.daily/tripwire-check

      #!/bin/sh
      HOST_NAME=$(uname -n)
      if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
          echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
          echo "**** Run \"/etc/tripwire/twinstall.sh\" and/or \"tripwire --init\". ****"
      else
          test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check
      fi

    You may move this cron script to the directory /etc/cron.weekly/ to reduce reporting from a daily to a weekly event. Tripwire reports will be written to: /var/lib/tripwire/report/HostName-Date.twr
  • Tripwire 1.2-3: File: /etc/cron.daily/tripwire.verify script which runs the command: /usr/sbin/tripwire -loosedir -q Note: You may want to move the script to /etc/cron.weekly/tripwire.verify to reduce email reporting to root.

Read tripwire report:

  • Tripwire 2.3.0-58: twprint --print-report -r /var/lib/tripwire/report/report-file.twr

Interactive mode:

  • Tripwire 1.2-3: Update the tripwire database – run: tripwire -interactive This will allow you to respond Y/N per file as to whether it should be permanently updated in the tripwire database. This will still run tripwire against the whole file system. I ran it from /root and it updated /root/databases/tw.db_ServerName. You must then cp -p it to /var/spool/tripwire/ to update the tripwire database.

Default configuration file:

  • Tripwire 2.3.0-58: /etc/twcfg.txt

      ROOT                   =/usr/sbin
      POLFILE                =/etc/tripwire/tw.pol
      DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
      REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
      SITEKEYFILE            =/etc/tripwire/site.key
      LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
      EDITOR                 =/bin/vi
      LATEPROMPTING          =false
      LOOSEDIRECTORYCHECKING =false
      MAILNOVIOLATIONS       =true
      EMAILREPORTLEVEL       =3
      REPORTLEVEL            =3
      MAILMETHOD             =SENDMAIL
      SYSLOGREPORTING        =false
      MAILPROGRAM            =/usr/sbin/sendmail -oi -t

  • Tripwire 1.2-3: /etc/tw.config

      # Log file
      @@define LOGFILEM E+pugn
      # Config file
      @@define CONFM E+pinugc
      # Binary
      @@define BINM E+pnugsci12
      # Directory
      @@define DIRM E+pnug
      # Data file (same as BIN_M currently)
      @@define DATAM E+pnugsci12
      # Device files
      @@define DEVM E+pnugsc

      # exclude all of /proc
      =/proc E
      #=/dev @@DIRM
      /dev @@DEVM
      #=/etc @@DIRM
      /etc @@CONFM
      # Binary directories
      #=/usr/sbin @@DIRM
      /usr/sbin @@BINM
      #=/usr/bin @@DIRM
      /usr/bin @@BINM
      #=/sbin @@DIRM
      /sbin @@BINM
      #=/bin @@DIRM
      /bin @@BINM
      #=/lib @@DIRM
      /lib @@BINM
      #=/usr/lib @@DIRM
      /usr/lib @@BINM
      =/usr/src E
      =/tmp @@DIRM

    Add:

      /var/named @@CONFM           – If you are running a Bind DNS slave
      /home/httpd/cgi-bin @@BINM

    Delete/comment out:

      #/dev @@DEVM

    This eliminated the reporting of too much junk due to a reboot of the system.
