Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
Virtually nothing can be done to stop an attacker with unlimited resources and unlimited time. From DoS attacks to rootkits to physical attacks, if someone wants your data badly enough, chances are that he can get to it, given no other constraints. That said, there is a great deal you can do to limit your exposure to most risks. Neither this chapter nor this book deals with physical attacks on any level. If an attacker is onsite and can simply walk off with the computer or the hard drive containing the data, no amount of firewalling will help. An attacker with physical access to the computer or device holding the data can copy the data directly or plant his own malicious software, such as a trojan. This section gives some general, field-tested suggestions for keeping systems secure. The suggestions are by no means all-encompassing; they are merely things I suggest to help ensure system integrity.

Secure Often
Securing the computing environment is a continual process rather than an endpoint. As you work to secure systems and networks, new vulnerabilities are being discovered and new software is being developed. There is simply no magic bullet that lets you declare a computing environment secured and be done with it. This book has been devoted to securing a network and its systems through the use of a firewall built on Linux. This chapter has introduced some of the other aspects of a defense-in-depth process. Using the tools available to you, such as those already introduced in this chapter, you can secure a computer and the network on which it resides. There are, of course, additional steps you can take to further enhance the security of the environment.

KERNEL ENHANCEMENTS
There are things you can do to the Linux kernel itself to enhance its security. Because the kernel is the lowest level of the operating system, hardening it benefits everything that runs above it. Two such kernel enhancements, SELinux and GrSecurity, are discussed in Chapter 13, "Kernel Enhancements."

BASTILLE LINUX
Bastille Linux is a program that automates system hardening and reports on the security of the system. It implements many of the best practices you would otherwise have to gather from volumes of material and countless websites, through a wizard-like interface (command-line or GUI) that explains not only what you're being asked but why it matters. Bastille goes so far as to recommend settings for certain features, and unlike many tools that offer recommendations, it gets this right by explaining the reasoning behind each proposed change and the implications it might have if you accept it. Finally, Bastille includes an undo process so that you can quickly revert any change that turns out to cause problems. Bastille is welcomed by experienced Linux administrators and newcomers to Linux alike. Some Linux distributions include Bastille as a package. More information on Bastille Linux can be found at http://www.bastille-linux.org/.

Update Often
Although it is by far the least effortful task in this book, keeping a computer system up-to-date is an often-overlooked aspect of system security. The surest way to get a computer broken into is to leave it running without updating it. One of the greatest strengths of Linux and open-source software is security. Some argue that this security is achieved only because open-source software is less popular; that argument ignores market-share statistics such as Netcraft's web server survey, which at the time of writing showed Apache holding nearly 70% of the web server market. Part of this strength comes from the open-source community's ability to provide fixes within hours of a security disclosure. It's quite common for fixes to be available the same day as the disclosure, even for security issues that weren't previously known. When a fix takes a little longer, the community has historically been excellent at providing workarounds that mitigate, and sometimes eliminate, the vulnerability. Both of these characteristics, quick fixes and quick workarounds, work to your advantage in maintaining system security. For either one to be of use, however, you need to keep track of their availability by monitoring mailing lists and security websites. Most major Linux vendors offer announce-only security mailing lists in which subscribers receive an email whenever a vulnerability is disclosed. In addition, there are other industry mailing lists that can keep you up-to-date on security issues. Appendix A, "Security Resources," lists some of the more popular sites and lists. I recommend updating as often as possible, while paying attention to what each update changes so that none of them breaks a live system.

Test Often
It's not enough to secure often and update often, though those two practices certainly go a long way toward ensuring a secure environment. Another basic element of defense in depth is to test often. Testing confirms that the security policies are being enforced and that their implementation is actually working. Penetration testing, or pen-testing, is a process in which the security of a system is tested by trying a number of attack vectors to get the system to behave in an unexpected way. The definition is purposely vague so that it is not limited to attacks of a particular class or type. Penetration testing can be informal or formal. Informal pen-tests are typically run by security administrators or even developers, using anything from manual attempts to break into an application to automated attacks with a number of tools. A formal pen-test is done by a third party, who will likely use a combination of manual and automated attacks to test the system. The type and frequency of pen-testing is a matter for your security policy. Whenever you do test, it's important to test from both perspectives: as an outside attacker and as an insider. Testing as an outside attacker means testing the application or system with no knowledge beyond what can be gleaned from outside it; if you're testing a web application, for example, view the source of the page to see what parameters its forms submit. Testing as an outside attacker also often means testing from a location external to the local network, which is especially important when testing a firewall ruleset, since rules that apply to traffic arriving on the external interface cannot be exercised from inside. This section examines some of the tools you can use to test a network and computer system. As with the other lists presented in this chapter, it is not meant to be all-encompassing or comprehensive. Rather, the tools examined here provide a good starting point on which you can build your knowledge of security and penetration-testing concepts and facilities.

NMAP
Nmap, the Network Mapper, is a program used to identify the hosts present on a network and the ports open on them. Intrusion analysts use it routinely to determine which ports are open and listening on a given host. In the context of a firewall, Nmap is run from an external location to test the ruleset and confirm that no ports beyond the ones you intend to expose are reachable. Nmap is available as a package on most popular Linux distributions. If it isn't available on yours, it can be downloaded from http://www.insecure.org/nmap/ (the project now lives at https://nmap.org/). Nmap includes many options for probing hosts and entire networks, too many to cover in depth here. In practice, I've found the following syntax to be the most useful for the port scan just described, in this case looking for TCP ports:

    nmap -sS -v <host>

For example, to scan the host 192.168.1.10 for open TCP ports:

    nmap -sS -v 192.168.1.10

The -v option enables extra verbosity. It is not required, but it is recommended, and you can repeat it (-vv) to increase the verbosity further. Nmap offers several types of TCP scan; I chose the SYN scan (-sS) because I've found it to be the most reliable for this kind of test. Two things to keep in mind: a SYN scan builds raw packets, so it must be run as root, and by default Nmap scans only its list of commonly used ports, so add -p- when you want every TCP port checked. When Nmap begins a scan, it first performs host discovery, which by default includes an ICMP Echo Request to the target. A host (or a firewall in front of it) that drops this probe causes Nmap to report the target as down and skip the port scan entirely. In that case, disable host discovery with the -P0 option (current Nmap releases spell this option -Pn). Typing simply nmap at the command line prints a relatively verbose set of usage instructions covering these and many other options.
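A firewall scan is only useful if its result is compared against what the ruleset is supposed to allow. The following script is an added example, not code from the book or from the Nmap project: it builds the SYN scan command line described above (with -Pn and -p- as optional extras), parses Nmap's grepable output (what `nmap -sS -v -oG - <host>` prints on stdout) and reports every port Nmap saw as open that is not on an allow list. The scan text embedded in it is constructed for illustration, not a real capture; the allow list of 22/tcp and 443/tcp is likewise an assumed policy.

```python
"""Verify a firewall's exposed ports against an allow list.

Added example (not code from the book or from the Nmap project).  It
parses Nmap's grepable output, which is what `nmap -sS -v -oG - <host>`
writes to stdout, and reports every port Nmap saw as open that the
ruleset was not supposed to expose.  Run it with a target as the first
argument to scan for real (-sS requires root), or with no argument to
check the constructed sample below.
"""
import re
import subprocess
import sys

# Constructed sample: a firewall that is meant to expose only SSH and
# HTTPS, but also has SMTP reachable.  Closed/filtered entries appear in
# the Ports field only because -v was given; they are not "open".
SAMPLE_SCAN = (
    "# Nmap scan initiated as: nmap -sS -v -oG - 192.168.1.10\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, "
    "80/closed/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# One entry of the Ports: field: port/state/protocol/owner/service/rpc/version/
# The state may be "open|filtered" (UDP scans), hence the | in the class.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/[^/]*/([^/]*)/")


def build_nmap_command(target, skip_ping=False, all_ports=False):
    """Command line for the SYN scan described in the text, in grepable form.

    skip_ping adds -Pn (the older spelling is -P0) for targets that drop
    the host-discovery probe; all_ports adds -p- so the whole TCP range
    is scanned rather than Nmap's default port list.
    """
    cmd = ["nmap", "-sS", "-v", "-oG", "-"]
    if skip_ping:
        cmd.append("-Pn")
    if all_ports:
        cmd.append("-p-")
    cmd.append(target)
    return cmd


def parse_grepable(text):
    """Return {host: {(port, proto): state}} from nmap -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        entry = results.setdefault(host, {})
        # Fields are tab-separated "Name: value" pairs; only Ports matters.
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for port, state, proto, _service in PORT_RE.findall(field):
                    entry[(int(port), proto)] = state
    return results


def unexpected_open(scan, allowed):
    """Ports reported open (or open|filtered) that are not in `allowed`.

    allowed is a set of (port, proto) tuples, e.g. {(22, "tcp"), (443, "tcp")}.
    Returns {host: sorted list of offending (port, proto)}; empty if clean.
    """
    findings = {}
    for host, ports in scan.items():
        extra = sorted(
            key for key, state in ports.items()
            if state.startswith("open") and key not in allowed
        )
        if extra:
            findings[host] = extra
    return findings


def main(argv):
    allowed = {(22, "tcp"), (443, "tcp")}  # assumed policy: what the ruleset should expose
    if len(argv) > 1:
        proc = subprocess.run(build_nmap_command(argv[1], skip_ping=True),
                              capture_output=True, text=True, check=True)
        output = proc.stdout
    else:
        output = SAMPLE_SCAN
    findings = unexpected_open(parse_grepable(output), allowed)
    for host, ports in findings.items():
        for port, proto in ports:
            print(f"{host}: {port}/{proto} is open but not in the allow list")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample the script flags 25/tcp and exits non-zero, which makes it usable as a scheduled check after every ruleset change: any exit status other than 0 means the firewall exposes something the policy does not list. Treating "open|filtered" as open is deliberate, since for UDP that state is the best evidence Nmap can give that a packet got through.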
HPING2

Hping2 is another network utility that can be used to test for open ports and to observe the behavior of network applications and devices. It lets you set nearly every attribute of a packet, a technique usually called packet crafting, so that you can send exactly the packet you want and watch how the application or device responds; a single SYN to a port the firewall is supposed to block, for instance, shows immediately whether the rule drops, rejects or passes it. Hping2 is used in Chapter 11 to show how some attacks look when viewed with TCPDump. Its successor, hping3, accepts the same basic options.
NIKTO

Nikto is a program that tests a web server for known vulnerabilities and misconfigurations and reports information about the server itself. Unlike Nmap, Nikto is not packaged by most Linux distributions, with the notable exception of Debian. Nikto can be downloaded from http://www.cirt.net/code/nikto.shtml. Because Nikto is web-server specific, its coverage here is limited; if you are running a web server, however, I highly recommend using Nikto to test it for a range of vulnerabilities.
NESSUS

Nessus is a vulnerability scanner that tests for a huge number of known vulnerabilities by probing hosts for them. Nessus works through plug-ins, one per check, and with hundreds of plug-ins available it is one of the best security scanners on the market. Using Nessus, the intrusion analyst can scan for vulnerable software on both local and remote hosts so that those holes can be patched. Nessus is included with some Linux distributions and can be downloaded from http://www.nessus.org/. Note that Nessus became a commercial product with version 3; OpenVAS is the open-source fork of the last open-source release.