Host Security Exercises - PacNOG 10

------------------------------------

I. System Services

In this section we'll be using some of the commands that are used to monitor a running system. Unix Systems Administrators use these commands every day. Remember to use the manual pages if you need to check the options and syntax of commands:

% man ps
% man netstat

(the manpages below will not be there until you install the utilities)

% man lsof
% man nmap
% man last
% man acct

You need to know how to stop and start services.

a) service

1. Start a webserver on your system. Verify that it is running using:
   1) ps
   2) lsof
   3) nmap

% sudo apt-get install apache2

Did the webserver start up after install? If you open a browser, can you connect to:

http://pcXX.ws.nsrc.org

2. Stop the service

% sudo service apache2 stop

Try the browser test again. Can you connect?

3. Start the service again

% sudo service apache2 start

Now, instead of using a browser, let's verify that the service is running using all of our tools: ps, lsof, netstat, and nmap.

* INSTALL THE nmap and lsof PACKAGES! *

% sudo apt-get install nmap
% sudo apt-get install lsof

Now let's see what is running on the system:

% ps -af | grep apache2
% netstat -apt
% netstat -lpt                            # is the webserver running???
% netstat -lnpt                           ( what is different on this command? )
% nmap localhost                          # is the webserver running???
% sudo lsof | grep apache2
% sudo lsof | grep apache2 | grep TCP     # is the webserver running???

4. Stop the service again

% sudo service apache2 stop

Now run your different commands for looking at the system again.

% ps -af | grep apache2
% netstat -lpt
% nmap localhost
% sudo lsof | grep apache2

Did you see anything running?

b) update-rc.d

Now, let's make sure that we have all of the systems in place so that if the machine is rebooted, we know whether or not the apache2 service is going to be started.

1.
   See what is there now:

% ls /etc/init.d
% ls /etc/rc3.d
% ls /etc/rc5.d

Are the apache startup files in the system? That is, do you see files named /etc/rc3.d/SXXapache2 or /etc/rc5.d/SXXapache2 ???

2. Let's say we do *NOT* want apache2 to run at startup. Let's disable the service using the "update-rc.d" command:

% sudo service apache2 stop
% sudo update-rc.d apache2 disable

Now let's look at those directories again. Do we have any startup files in /etc/rc?.d/S*apache* ???

% ls /etc/init.d
% ls /etc/rc3.d
% ls /etc/rc5.d

Take a look at the rc3.d and rc5.d directories. What other scripts run in rc3.d ???

c) initctl

List the running services. What is the command option you use with initctl to show all services?

% man initctl
% sudo initctl ???

------------------------------------

II. System Updates

Let's make sure the system is up-to-date. Whenever we install a system, the first thing we do is apply updates.

a) system updates

% sudo apt-get update      # this updates the package cache
% sudo apt-get upgrade     # this performs the upgrade

Now let's make sure that we get security updates automatically. To do this we need the "unattended-upgrades" package.

b) security updates

Do you already have the package? Look for its configuration files:

% sudo ls /etc/apt/apt.conf.d

If not, install it:

% sudo apt-get install unattended-upgrades

Now let's check again:

% sudo ls /etc/apt/apt.conf.d

------------------------------------

III. Filesystem Integrity

In this section, we'll add the programs necessary for monitoring filesystem integrity. We'll do this at multiple levels, using the debsums, fcheck, and incron packages.

a) debsums

debsums compares the installed files against the checksums recorded for their packages, so you keep those checksums up to date: remember to update them after you make major changes to the system.

% sudo apt-get install debsums

Initialize the debsums database:

% sudo debsums_init

Now let's change something in the filesystem and see if debsums can detect it:

% sudo mv /sbin/ss /sbin/st
% sudo debsums -c

Did debsums detect the change???
Now let's move the file back in place:

% sudo mv /sbin/st /sbin/ss

b) incrond

Inotify in the kernel can provide real-time notification of filesystem changes. Install the incron package and configure incrond to monitor important filesystems.

% sudo apt-get install incron
% tail /var/log/syslog
% cd /etc/incron.d
% sudo vi globals

Add the following line to the globals file:

/etc IN_MODIFY,IN_CLOSE_WRITE,IN_CREATE,IN_DELETE /usr/bin/logger -p news.warn "$% $@/$#"

That's it. The changes you make to incron are picked up automatically: because incron watches for changes, it even notices when you change its own configuration, and reloads it.

Now add a file to the /etc directory:

% sudo touch /etc/dog

Take a look at /var/log/syslog. What does it say???

% sudo tail /var/log/syslog

From now on, any changes you make in the /etc directory will generate syslog messages.

------------------------------------

IV. Enable System Accounting

System accounting gives us logs of all the commands that have run and terminated on the system. Let's see if we have the acct package:

% which sa

Did "which" find the command? If not, install the package:

% sudo apt-get install acct
% which sa

Let's run a command and see if acct records it.

% whoami
% sudo sa -u

Did "sa" show a record for the command? Let's try the "lastcomm" command as well:

% lastcomm sysadm

---

Now we have a system that is up-to-date, and it gets security updates automatically. We are monitoring the system files with debsums, and we are logging changes immediately as well with incron/inotify. We have disabled services that are not necessary. And we have accounting records to log commands. This is basic host security that system administrators will do on every host they deploy.

--- End