1.) Turn off unnecessary services.
How are we going to do this?
How do we find what's running?
As root or using "sudo"
lsof -i
netstat -natup
What do you want to run and not to run? Choose and turn off the services you don't want. How are you going to do this?
cd /etc/rc.d/init.d/
chkconfig --list | more
A hint...
chkconfig
A few more hints...
chkconfig --del "name"
chkconfig --list | grep name
man chkconfig
2.) Protect a service using tcpwrapper (xinetd)
We are going to start an insecure service and try to make it a bit more secure for our environment.
We'll start the telnet service using the tcpwrapper xinetd.
Open the file /etc/xinetd.d/telnet
Now, we want our telnet file to look like this:
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        only_from       = nnn.nnn.nnn.0
        no_access       = nnn.nnn.nnn.xx
        log_on_failure  += USERID
        disable         = no
}
In the "only_from" field enter the IP range of our local network. The trailing "0" indicates that we are going to allow our entire subnet to connect to this machine. In the "no_access" field put the IP address of your neighbor's machine.
If you have questions about any of the fields in the file then read:
man xinetd.conf
Now let's start the Telnet service. How do we start telnet in this case?
A hint...
cd /etc/rc.d/init.d
And, if xinetd is already running:
./xinetd restart
Or, if it's not running, to test just do:
./xinetd start
Now let's test to see if things are working:
telnet localhost
Now try to telnet to your neighbor's machine, the one that has your IP address in the "no_access" field of its /etc/xinetd.d/telnet file.
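The decision xinetd makes from the "only_from" and "no_access" lines above can be modelled in a few lines of shell. This is an added example, not part of the original exercise: the addresses are constructed, and the rule that equal specificity refuses the connection is an assumption of this model.

```shell
#!/bin/sh
# Added example (not from the handout): models xinetd's only_from / no_access
# decision. xinetd treats trailing 0 components of a numeric address as
# wildcards, so 192.168.1.0 means the whole 192.168.1.* network; when an
# address is in both lists, the more specific entry wins (ties: assumed refused).

# entry_specificity ENTRY IP: prints how many components ENTRY pins down
# (4 = single host, 3 = a.b.c.* network, ..., 0 = 0.0.0.0); nothing if no match.
entry_specificity() {
    entry=$1; ip=$2
    while [ "$entry" != 0 ] && [ "${entry##*.}" = 0 ]; do
        entry=${entry%.0}                  # drop wildcard components
    done
    case $entry in
        0)       echo 0 ;;                 # 0.0.0.0 matches every address
        *.*.*.*) [ "$ip" = "$entry" ] && echo 4 ;;
        *.*.*)   case $ip in "$entry".*) echo 3 ;; esac ;;
        *.*)     case $ip in "$entry".*) echo 2 ;; esac ;;
        *)       case $ip in "$entry".*) echo 1 ;; esac ;;
    esac
    return 0
}

# best_match "ENTRY ENTRY ..." IP: highest specificity among the matching
# entries of a space-separated list; prints nothing if none matches.
best_match() {
    best=
    for e in $1; do
        s=$(entry_specificity "$e" "$2")
        [ -n "$s" ] && { [ -z "$best" ] || [ "$s" -gt "$best" ]; } && best=$s
    done
    printf '%s\n' "$best"
}

# xinetd_allows ONLY_FROM NO_ACCESS IP: succeeds if xinetd would accept IP
xinetd_allows() {
    allow=$(best_match "$1" "$3")
    deny=$(best_match "$2" "$3")
    [ -n "$allow" ] || return 1            # not in only_from: refused
    [ -n "$deny" ]  || return 0            # allowed and not in no_access
    [ "$allow" -gt "$deny" ]               # in both: the more specific entry decides
}

ONLY_FROM="192.168.1.0"        # constructed: our local network (.0 is a wildcard)
NO_ACCESS="192.168.1.37"       # constructed: the neighbor's machine
for ip in 192.168.1.5 192.168.1.37 10.9.8.7; do
    if xinetd_allows "$ONLY_FROM" "$NO_ACCESS" "$ip"; then echo "$ip: accepted"
    else echo "$ip: refused (recorded via log_on_failure)"; fi
done
```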
3.) Install LibSafe against Buffer Overflow attacks
LibSafe is a solution against buffer overflow attacks that intercepts calls to library functions that typically have buffer overflow security holes. These functions include:
strcpy(char *dest, const char *src)
stpcpy(char *dest, const char *src)
wcscpy(wchar_t *dest, const wchar_t *src)
wcpcpy(wchar_t *dest, const wchar_t *src)
    May overflow the dest buffer.
strcat(char *dest, const char *src)
wcscat(wchar_t *dest, const wchar_t *src)
    May overflow the dest buffer.
getwd(char *buf)
    May overflow the buf buffer.
gets(char *s)
    May overflow the s buffer.
[vf]scanf(const char *format, ...)
    May overflow its arguments.
realpath(char *path, char resolved_path[])
    May overflow the path buffer.
[v]sprintf(char *str, const char *format, ...)
    May overflow the str buffer. May exploit "%n".
If you install LibSafe and someone attempts to break in to your system using a buffer overflow during a call to one of these functions, then LibSafe will protect you against this. This type of attack is one of the most common security exploits in the Linux world.
To get LibSafe connect to the workshop noc machine using FTP. You should be root when you do this:
ftp noc
anonymous
user@address
cd pub/software/libsafe
binary
lcd /usr/local/src
mget *
exit
Now we are going to verify that the LibSafe file matches the md5sum signature file that came with it. Note that in real life this signature file should be kept in a separate location from the file you are trying to protect. Go to the /usr/local/src directory. Look for a file called "md5". This has the digital signature for the LibSafe file (libsafe-2.x-xx.tgz). You generate the signature for this file by doing "md5sum filename". The idea is that md5 will generate a unique signature for the file. So far, there have never been duplicate md5sum signatures found for two files.
Using this method, if the signature you generate matches the md5 signature you downloaded, then you can verify that no one has touched the original LibSafe file. If any change has been made to the file then the signatures will not match, and they will be quite different, even if only one bit has changed:
Start by doing:
cd /usr/local/src
md5sum libsafe-2.x-xx.tgz > sig.txt
diff sig.txt md5
If you don't see any output on the screen, then the files are identical. Take a look inside sig.txt and md5 (cat sig.txt, cat md5).
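The check above can be scripted so that only the digest fields are compared ("diff sig.txt md5" also compares the file names, so a different path or name looks like a mismatch), and the one-bit claim can be seen directly. This is an added example, not part of the original exercise; the tarball and its md5 file are constructed stand-ins created in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the handout): verify a download against the md5 file
# shipped with it, then flip one bit of the file and watch the digest change.
# All files here are constructed; there is no real LibSafe tarball involved.

# verify_md5 FILE SIGFILE: succeeds when FILE's digest equals the first field of
# SIGFILE's first line (the format md5sum writes: "<digest>  <name>").
verify_md5() {
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# flip_first_bit FILE: rewrites FILE with the lowest bit of its first byte inverted
flip_first_bit() {
    first=$(head -c 1 "$1" | od -An -tu1 | tr -d ' ')
    { printf "\\$(printf '%03o' $((first ^ 1)))"; tail -c +2 "$1"; } > "$1.tmp"
    mv "$1.tmp" "$1"
}

work=$(mktemp -d)
printf 'constructed stand-in for libsafe-2.x-xx.tgz\n' > "$work/libsafe-2.x-xx.tgz"
( cd "$work" && md5sum libsafe-2.x-xx.tgz > md5 )   # what the publisher ships

if verify_md5 "$work/libsafe-2.x-xx.tgz" "$work/md5"; then
    echo "download matches the published md5"
fi
flip_first_bit "$work/libsafe-2.x-xx.tgz"
echo "published:              $(cat "$work/md5")"
echo "after one flipped bit:  $(md5sum "$work/libsafe-2.x-xx.tgz")"
verify_md5 "$work/libsafe-2.x-xx.tgz" "$work/md5" || echo "mismatch: do not install this file"
rm -rf "$work"
```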
Now we'll decompress and expand out the file libsafe-2.x-xx. Do you remember how to do this?
tar xvzf libsafe-2.x-xx.tgz
Now we have to decide what to do. Before you install new software you should always read the documentation. In this case it's in the files INSTALL and README. Thus:
cd libsafe-2.x-xx
less README
less INSTALL
If you read both you will note that, if there is a buffer overflow attack, there is a way to have an email sent to root@localhost, or to the users specified in the file /etc/libsafe.notify if it exists. In order for LibSafe to do this you have to change some compile options in the file src/Makefile. We are going to make this change:
Open the file src/Makefile with "vi src/Makefile".
Go to line 77 (:77)
Change the line that reads:
CCFLAGS = -O2 -Wall -fPIC -DLIBSAFE_VERSION=\"$(VERSION)\" $(LIBPRELUDE_CFLAGS)
So that it says:
CCFLAGS = -O2 -Wall -fPIC -DNOTIFY_WITH_EMAIL -DLIBSAFE_VERSION=\"$(VERSION)\" $(LIBPRELUDE_CFLAGS)
And, now to install LibSafe:
make
make install
And, now read "man libsafe". You must tell your system that you are going to use LibSafe. You can do this temporarily or permanently. To do this permanently you need to add the environment variable we'll discuss next to /etc/profile. But first do it temporarily, in case there are problems!
To use LibSafe now change your shell (assuming bash) like this:
LD_PRELOAD=/lib/libsafe.so.2
export LD_PRELOAD
And, now you are using LibSafe.
To read more about LibSafe go to:
http://www.research.avayalabs.com/project/libsafe/
Hervey Allen
Last modified: Wed Jul 21 22:55:31 NPT 2004