Security Exercises: IP Services: SANOG IV

July 2004

1.) Turn off unnecessary services.

How are we going to do this?

How do we find what's running?

As root or using "sudo"

lsof -i
netstat -natup
cd /etc/rc.d/init.d/
chkconfig --list | more
What do you want to run and not to run? Choose and turn off the services you don't want. How are you going to do this?

A hint...

chkconfig...

A few more hints...

chkconfig --del "name"
chkconfig --list | grep name
man chkconfig

2.) Protect a service using tcpwrapper (xinetd)

We are going to start an insecure service and try to make it a bit more secure for our environment.

We'll start the telnet service using the tcpwrapper xinetd.

Open the file /etc/xinetd.d/telnet

Now, we want our telnet file to look like this:

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        only_from       = nnn.nnn.nnn.0
        no_access       = nnn.nnn.nnn.xx
        log_on_failure  += USERID
        disable         = no
}

In the "only_from" field enter the IP range for our local network. The "0" indicates that we are going to allow our entire subnet to connect to this machine. In the "no_access" field put the IP address of your neighbor's machine.

If you have questions about any of the fields in the file then read:

man xinetd.conf
Now let's start the Telnet service. How do we start telnet in this case?

A hint...

cd /etc/rc.d/init.d
And, if xinetd is already running:
./xinetd restart
Or, if it's not running to test just do:
./xinetd start
Now let's test to see if things are working:
telnet localhost
Now try to telnet to your neighbor's machine. The one that has your IP address in the "no_access" field in their /etc/xinetd.d/telnet file.

3.) Install LibSafe against Buffer Overflow attacks

LibSafe is a solution against buffer overflow attacks that intercepts calls to library functions that typically have buffer overflow security holes. These functions include:

              strcpy(char *dest, const char *src)
              stpcpy(char *dest, const char *src)
              wcscpy(wchar_t *dest, const wchar_t *src)
              wcpcpy(wchar_t *dest, const wchar_t *src)
                     May overflow the dest buffer.
 
              strcat(char *dest, const char *src)
              wcscat(wchar_t *dest, const wchar_t *src)
                     May overflow the dest buffer.
 
              getwd(char *buf)
                     May overflow the buf buffer.
 
              gets(char *s)
                     May overflow the s buffer.
 
              [vf]scanf(const char *format, ...)
                     May overflow its arguments.
 
              realpath(char *path, char resolved_path[])
                     May overflow the path buffer.

              [v]sprintf(char *str, const char *format, ...)
                     May overflow the str buffer.
                     May exploit "%n".

If you install LibSafe and someone attempts to break in to your system using a buffer overflow during a call to one of these functions, then LibSafe will protect you against this. This type of attack is one of the most common security exploits in the Linux world.

To get LibSafe connect to the workshop noc machine using FTP. You should be root when you do this:

ftp noc
anonymous
user@address
cd pub/software/libsafe
binary
lcd /usr/local/src
mget *
exit
Now we are going to verify that the LibSafe file matches the md5sum signature file that came with it. Note: in real life this file should exist in a separate location from the file you are trying to protect. Go to the /usr/local/src directory. Look for a file called "md5". This has the digital signature for the LibSafe file (libsafe-2.x-xx.tgz). You generate the signature for this file by doing "md5sum filename". The idea is that md5 will generate a unique signature for the file. So far, there have never been duplicate md5sum signatures found for two files.

Using this method, if the signature you generate matches the md5 signature you downloaded, then you can verify that no one has touched the original LibSafe file. If any change has been made to the file, then the signatures will not match, and they will be quite different - even if only one bit has changed.

Start by doing:

cd /usr/local/src
md5sum libsafe-2.x-xx.tgz > sig.txt
diff sig.txt md5
If you don't see any output on the screen, then the files are identical. Take a look inside sig.txt and md5 (cat sig.txt, cat md5).
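The "diff" above only works if the md5 file was written for exactly the same filename and with the same spacing. As an added example (not part of the workshop page), the function below does the same comparison the way md5sum's own "md5sum -c md5" does: it looks the filename up in the md5 file, recomputes the hash, and reports a mismatch. The demo builds a constructed stand-in for libsafe-2.x-xx.tgz in a temporary directory and shows that flipping a single bit makes the check fail.

```shell
#!/bin/sh
# Verify a file against an "md5" listing in md5sum format: "<hash>  <filename>".
# Returns 0 on a match, 1 on a mismatch, a missing file, or a missing entry.
verify_md5() {
    file="$1"
    sigfile="$2"
    [ -f "$file" ] || { echo "missing file: $file"; return 1; }
    # Pick the hash recorded for this filename (basename, as md5sum writes it).
    expected=$(awk -v f="$(basename "$file")" '$2 == f { print $1 }' "$sigfile")
    [ -n "$expected" ] || { echo "no entry for $file in $sigfile"; return 1; }
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "$file: OK"
        return 0
    fi
    echo "$file: FAILED (expected $expected, got $actual)"
    return 1
}

# Demo: a constructed tarball stand-in, its md5 file, and a one-bit change.
# Returns 0 only if the pristine file verifies and the altered one does not.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample content standing in for libsafe-2.x-xx.tgz.
    printf 'libsafe workshop sample\n' > "$tmp/libsafe-2.x-xx.tgz"
    # Constructed "md5" file, written the way md5sum itself writes it.
    ( cd "$tmp" && md5sum libsafe-2.x-xx.tgz > md5 ) || { rm -rf "$tmp"; return 1; }
    verify_md5 "$tmp/libsafe-2.x-xx.tgz" "$tmp/md5" || { rm -rf "$tmp"; return 1; }
    # Change the first byte from 'l' (0x6C) to 'L' (0x4C): exactly one bit differs.
    printf 'L' | dd of="$tmp/libsafe-2.x-xx.tgz" bs=1 seek=0 conv=notrunc 2>/dev/null
    if verify_md5 "$tmp/libsafe-2.x-xx.tgz" "$tmp/md5"; then
        rm -rf "$tmp"
        return 1   # a tampered file must not verify
    fi
    rm -rf "$tmp"
    return 0
}

demo
```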

Now we'll decompress and expand out the file libsafe-2.x-xx. Do you remember how to do this?

tar xvzf libsafe-2.x-xx.tgz
cd libsafe-2.x-xx
Now we have to decide what to do. Before you install new software, always read the documentation. In this case it's in the files INSTALL and README. Thus:
less README
less INSTALL
If you read both you will note that, when a buffer overflow attack is detected, LibSafe can send an email to root@localhost or to the users specified in the file /etc/libsafe.notify, if that file exists. In order for LibSafe to do this you have to change some compile options in the file src/Makefile. We are going to make this change:

Open the file src/Makefile with, "vi src/Makefile".

Go to line 77 (:77)

Change the line that reads:

CCFLAGS         = -O2 -Wall -fPIC -DLIBSAFE_VERSION=\"$(VERSION)\" $(LIBPRELUDE_CFLAGS)

So that it says:

CCFLAGS         = -O2 -Wall -fPIC -DNOTIFY_WITH_EMAIL -DLIBSAFE_VERSION=\"$(VERSION)\" $(LIBPRELUDE_CFLAGS)

And, now to install LibSafe:

make
make install
And, now read "man libsafe" - You must tell your system that you are going to use libsafe. You can do this temporarily or permanently. To do this permanently you need to add the new environment variable we'll discuss to /etc/profile. But, first do this temporarily in case there are problems!

To use LibSafe now change your shell (assuming bash) like this:

LD_PRELOAD=/lib/libsafe.so.2
export LD_PRELOAD

And, now you are using LibSafe.

To read more about LibSafe go to:

http://www.research.avayalabs.com/project/libsafe/


Hervey Allen
July 2004

Last modified: Wed Jul 21 22:55:31 NPT 2004