Agenda: host-security-exercises.txt

File host-security-exercises.txt, 5.7 KB (added by kemp, 7 years ago)

Host Security Exercises - PacNOG 10

------------------------------------

I.  System Services

In this section we'll be using some of the commands that are used to
monitor a running system.  Unix Systems Administrators use these
commands every day.  Remember to use the manual pages if you need
to check the options and syntax of commands:

        % man ps
        % man netstat

(the manpages below will not be there until you install the utilities)

        % man lsof
        % man nmap
        % man last
        % man acct

You need to know how to stop and start services.

a) service

        1. Start a webserver on your system.  Verify that the
        service is running using: 1) ps 2) lsof 3) nmap

        % sudo apt-get install apache2

Did the webserver start up after install?
If you open a browser, can you connect to: http://pcXX.ws.nsrc.org

        2. Stop the service

        % sudo service apache2 stop

Try the browser test again.  Can you connect?

        3. Start the service again

        % sudo service apache2 start

Now, instead of using a browser, let's verify that the service
is running using all of our tools: ps, lsof, netstat, and nmap

* INSTALL THE nmap and lsof PACKAGES! *

        % sudo apt-get install nmap
        % sudo apt-get install lsof

Now let's see what is running on the system:

        % ps -af | grep apache2

        % netstat -apt

        % netstat -lpt                          # is the webserver running???

        % netstat -lnpt  ( what is different on this command )

        % nmap localhost                        # is the webserver running???

        % sudo lsof | grep apache2

        % sudo lsof | grep apache2 | grep TCP   # is the webserver running???

Now, stop the service again.

        4. Stop the service again

        % sudo service apache2 stop

        Now run your different commands for looking at the system again.

        % ps -af | grep apache2
        % netstat -lpt
        % nmap localhost
        % sudo lsof | grep apache2

        Did you see anything running?

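Added example, not part of the PacNOG exercise: reading the netstat -lnpt columns in a script rather than by eye. The netstat output is constructed sample data, and listeners_on_port / port_is_listening are names chosen here.

```shell
# Added example, not part of the exercise: answer "is the webserver
# running?" from "netstat -lnpt" output instead of eyeballing it.
# The output below is constructed sample data so this runs offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2310/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      2310/apache2'

# Print the PID/Program of every LISTEN socket on the given TCP port.
# Without -n netstat prints the service name (*:http) instead of the
# number, so the optional second argument accepts that form too.
# Usage: printf '%s\n' "$output" | listeners_on_port 80 http
listeners_on_port() {
    awk -v port="$1" -v svc="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")          # Local Address is host:port
            if (a[n] == port || (svc != "" && a[n] == svc)) print $7
        }'
}

# Succeed (exit 0) if some process is listening on the port.
port_is_listening() {
    [ -n "$(listeners_on_port "$1" "$2")" ]
}

# Demo on the sample: prints 2310/apache2
printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on_port 80 | sort -u
```

The same parse shows why the exercise asks what -n changes: with service names in the Local Address column a numeric port comparison silently finds nothing.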
b) update-rc.d

Now, let's make sure that we have all of the systems in place
so that if the machine is rebooted, we know whether or not the
apache2 service is going to be started.

1. see what is there now

        % ls /etc/init.d

        % ls /etc/rc3.d

        % ls /etc/rc5.d

Are the apache startup files in the system?
That is, do you see files named: /etc/rc3.d/SXXapache2
or named /etc/rc5.d/SXXapache2 ???

2. let's say we do *NOT* want apache2 to run at startup.
Let's disable the service using the "update-rc.d" command:

        % sudo service apache2 stop

        % sudo update-rc.d apache2 disable

Now let's look at those directories again.
Do we have any startup files in /etc/rc?.d/S*apache* ???

        % ls /etc/init.d
        % ls /etc/rc3.d
        % ls /etc/rc5.d

Take a look at rc3.d and rc5.d directories.
What other scripts run in rc3.d ???

c) initctl

List the running services.  What is the command option
you use with initctl to show all services?

        % man initctl

        % sudo initctl ???

------------------------------------

II. System Updates

Let's make sure the system is up-to-date.
Whenever we install a system, the first thing
we do is apply updates.

a) system updates

        % sudo apt-get update           # this updates the package cache

        % sudo apt-get upgrade          # this performs the upgrade

Now let's make sure that we get security updates automatically.
To do this we need the "unattended-upgrades" package.

b) security updates

Do you already have the package?

        % sudo ls /etc/apt/apt.conf.d

If not, install it:

        % sudo apt-get install unattended-upgrades

Now let's check again:

        % sudo ls /etc/apt/apt.conf.d

------------------------------------

III. Filesystem Integrity

In this section, we'll add the programs necessary for monitoring
filesystem integrity.  We'll do this at multiple levels, using the
debsums, fcheck, and incron packages.

a) debsums

debsums compares installed files against the checksums recorded by
their packages.  You must remember to update the checksums after
you make major changes to the system.

        % sudo apt-get install debsums

Initialize the debsums database:

        % sudo debsums_init

Now let's change something in the filesystem and see if
debsums can detect it:

        % sudo mv /sbin/ss /sbin/st

        % sudo debsums -c

Did debsums detect the change???

Now let's move the file back in place:

        % sudo mv /sbin/st /sbin/ss

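Added example, not from the exercise or from the debsums package itself: the check that debsums -c performs, reduced to one function. dpkg keeps an md5sum for every installed file in /var/lib/dpkg/info/<pkg>.md5sums; debsums re-hashes the files and reports the ones that are missing or changed. verify_manifest and demo_debsums are names chosen here, and the "package", its files and its manifest are constructed in a temporary directory.

```shell
# Added example, not the debsums implementation: re-hash every file listed
# in an md5sums manifest and report MISSING / CHANGED, the two outcomes the
# /sbin/ss -> /sbin/st rename above produces.
# Usage: verify_manifest <manifest> <root-dir>
verify_manifest() {
    manifest=$1; root=$2
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue            # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING $relpath"
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || echo "CHANGED $relpath"
    done < "$manifest"
}

# Build a constructed mini "package" in a temp dir, record its manifest the
# way dpkg does, then simulate the exercise: rename one file, edit another.
demo_debsums() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/etc"
    printf 'ss binary\n' > "$root/sbin/ss"
    printf 'hostname\n'  > "$root/etc/hostname"
    ( cd "$root" && md5sum sbin/ss etc/hostname ) > "$root/pkg.md5sums"
    mv "$root/sbin/ss" "$root/sbin/st"           # as in the exercise
    printf 'tampered\n' >> "$root/etc/hostname"  # a modified config file
    verify_manifest "$root/pkg.md5sums" "$root"  # prints MISSING then CHANGED
    rm -rf "$root"
}

demo_debsums
```

The manifest lives on the same disk as the files, so whoever can change a file can also change its recorded sum; debsums catches accidents and careless tampering, and an offline copy of the sums is what makes the check trustworthy.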
b) incrond

Inotify in the kernel can provide real-time notification of filesystem
changes.  Install the incron package and configure incrond to monitor important
filesystems.

        % sudo apt-get install incron

        % tail /var/log/syslog

        % cd /etc/incron.d

        % vi globals            # add the following line to the globals file:

/etc IN_MODIFY,IN_CLOSE_WRITE,IN_CREATE,IN_DELETE /usr/bin/logger -p news.warn "$% $@/$#"

(incron expands $% to the event name, $@ to the watched path and $# to the
file the event was for, so each event is logged as "EVENT /etc/file")

That's it.  The changes you make to incron are picked up automatically.
Because incron watches for changes, it even notices when you change
the configuration for incron, and it reloads.

Now add a file to the /etc directory:

        % sudo touch /etc/dog

Take a look at /var/log/syslog.  What does it say???

        % sudo tail /var/log/syslog

From now on, any changes you make in the /etc directory will
generate syslog messages.

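Added example, not part of the exercise: turning the syslog lines the incron rule above produces into something an admin can act on. The syslog lines are constructed (the tag and timestamps are made up), and incron_events, flag_sensitive and events_per_path are names chosen here.

```shell
# Added example, not part of the exercise: the incron line above makes every
# /etc event a syslog message whose text is "<EVENT> <dir>/<file>".  These
# constructed syslog lines stand in for /var/log/syslog on the lab host.
SAMPLE_SYSLOG='Jun 12 10:15:02 pc1 root: IN_CREATE /etc/dog
Jun 12 10:15:02 pc1 root: IN_CLOSE_WRITE /etc/dog
Jun 12 10:16:40 pc1 root: IN_MODIFY /etc/passwd
Jun 12 10:16:40 pc1 root: IN_CLOSE_WRITE /etc/passwd
Jun 12 10:17:05 pc1 root: IN_DELETE /etc/motd
Jun 12 10:18:11 pc1 root: IN_CREATE /etc/sudoers.d/tmp'

# Print "EVENT PATH" for each incron-generated line on stdin; other syslog
# traffic (no IN_* word followed by an absolute path) is ignored.
incron_events() {
    awk '$6 ~ /^IN_[A-Z_]+$/ && $7 ~ /^\// { print $6, $7 }'
}

# Keep only events on files whose change usually deserves a human look.
flag_sensitive() {
    incron_events | awk '
        $2 ~ /^\/etc\/(passwd|shadow|group|sudoers|ssh\/sshd_config|crontab)/'
}

# Count events per path, sorted by path; a burst on one file stands out.
events_per_path() {
    incron_events | awk '{ n[$2]++ } END { for (p in n) print n[p], p }' | sort -k2
}

# Demo: prints the three events that touch passwd and sudoers.d
printf '%s\n' "$SAMPLE_SYSLOG" | flag_sensitive
```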
------------------------------------

IV. Enable System Accounting

System accounting gives us logs of all the commands that
have run and terminated on the system.  Let's see if we
have the acct package:

        % which sa

Did "which" find the command?  If not, install the package:

        % sudo apt-get install acct

        % which sa

Let's run a command and see if acct records it.

        % whoami

        % sudo sa -u

Did "sa" show a record for the command?

Let's try the "lastcomm" command as well:

        % lastcomm sysadm

---

Now we have a system that is up-to-date, and it
gets security updates automatically.  We are monitoring
the system files with debsums, and we are logging changes
immediately as well with incron/inotify.  We have
disabled services that are not necessary.  And we have
accounting records to log commands.

This is basic host security that system administrators
will do on every host they deploy.

--- End