Security Exercises: ccTLD Bangkok, Thailand

October 2004

Exercises

  1. Turn off unnecessary services
  2. Install SSH and verify that root cannot log in
  3. Starting and stopping a process
  4. Install and make work cracklib (Advanced)

1.) Turn off unnecessary services

How are we going to do this?

How do we find what's running?

As root or using "sudo"

lsof -i
netstat -an -f inet
sockstat -4
cd /etc/rc.d
cd /usr/local/etc/rc.d
ps -aux | more
/etc/inetd.conf
/etc/rc.conf
/etc/defaults/rc.conf
What do you want to run and not to run? Choose and turn off the services you don't want. How are you going to do this?

A hint...

serviceName_enable="NO"   (in /etc/rc.conf)
chmod 444 /usr/local/etc/rc.d/sample.sh
"#" is the comment character for /etc/inetd.conf
If there are services running that you do not know what they do, then try finding help on them. For instance, "man serviceName" is probably a good start.
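As an added example (not part of the original exercise), the hints above put into a small script: it audits which services an rc.conf-style file switches on, forces a service to "NO", and comments a service out of an inetd.conf-style file. The file paths are parameters; on the lab box they would be /etc/rc.conf and /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not from the original exercise): audit and disable services
# in rc.conf- and inetd.conf-style files passed in as arguments.

# Print the names of services whose <name>_enable is YES (quoted or not),
# ignoring commented lines and trailing "# ..." comments.
enabled_rc_services() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]\{1,\}\)_enable="\{0,1\}[Yy][Ee][Ss]"\{0,1\}[[:space:]]*\(#.*\)\{0,1\}$/\1/p' "$1"
}

# Force <name>_enable="NO": rewrite every existing setting for the service
# (rc.conf is a shell script, so the last assignment wins) or append one.
disable_rc_service() {
    file=$1; svc=$2
    if grep -q "^[[:space:]]*${svc}_enable=" "$file"; then
        sed "s/^[[:space:]]*${svc}_enable=.*/${svc}_enable=\"NO\"/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s_enable="NO"\n' "$svc" >> "$file"
    fi
}

# Print the service names on active (uncommented) inetd.conf lines.
active_inetd_services() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_.-]\{1,\}\)[[:space:]].*/\1/p' "$1"
}

# Disable an inetd service by prefixing its line(s) with the "#" comment
# character.
disable_inetd_service() {
    file=$1; svc=$2
    sed "s/^[[:space:]]*\(${svc}[[:space:]]\)/#\1/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}
```

Run the audit functions again after each change and restart inetd (or reboot) for the edits to take effect.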

2.) Install SSH and verify that root cannot log in

Here are the basic steps for doing this. You could consider installing the Portable (and more up-to-date) version of OpenSSH instead. How would you do that? (Hint: look in pub/pkgs/All on our ftp server.)

pkg_add ftp://203.159.31.129/pub/pkgs/All/openssh-3.6.1_5.tbz

/etc/rc.d/sshd start

Now you should check to see that you cannot log in to your box remotely as root:
vi /etc/ssh/sshd_config
Look for the line that reads:

PermitRootLogin

Make sure that this is set to "no".

Now try logging in on your own machine using ssh, but not as root. If you don't have a non-root account use the "adduser" command to create one.

ssh yourUserName@localhost
What happens? How do you become root after you are logged in? Why might we do this (i.e. not allowing root logins)? What does the "host-key exchange dialogue" do, or mean, the first time you connect?
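Eyeballing sshd_config for PermitRootLogin is easy to get wrong: a commented-out line does nothing, and when the keyword appears twice sshd uses the first one. The added example below (not part of the original exercise) computes the value sshd will actually use; it assumes no Match blocks (none existed in OpenSSH 3.x) and takes the daemon's built-in default as a parameter, since that default is not in the file.

```shell
#!/bin/sh
# Added example (not from the original exercise): report the PermitRootLogin
# value sshd will really use. Rules applied: "#" lines are comments, keywords
# are case-insensitive, "=" may separate keyword and value, and the FIRST
# occurrence of a keyword wins. Assumes no Match blocks (every line global).

# Usage: effective_permit_root_login FILE [DEFAULT]
# DEFAULT is what the daemon uses when the keyword is absent or only present
# in a comment; OpenSSH releases of this era defaulted to "yes".
effective_permit_root_login() {
    file=$1; default=${2:-yes}
    value=$(sed -n 's/^[[:space:]]*[Pp][Ee][Rr][Mm][Ii][Tt][Rr][Oo][Oo][Tt][Ll][Oo][Gg][Ii][Nn][[:space:]=]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$file" \
            | head -n 1 | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "${value:-$default}"
}

# Exit 0 only if root is refused outright ("no"); any other value, including
# the commented-out default, still lets root in by some route.
root_login_disabled() {
    [ "$(effective_permit_root_login "$@")" = "no" ]
}
```

On the lab box: root_login_disabled /etc/ssh/sshd_config && echo OK, then restart sshd, since the running daemon only reads the file at startup or on HUP.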

3.) Starting and stopping a process

Part of the process of securing your box includes getting to know what processes are running, what they are, and controlling them. The critical commands for this are:

ps
kill
You should do:
man ps
man kill
to understand how these work. As an example let's try playing with the ssh daemon that should be running if you finished the previous exercise. To begin, let's use the ps command to see if the ssh server is running:
ps -aux | grep ssh
You should have seen something like this:

root   1348  0.0  0.7  3488 2704  ??  Is    9:02AM   0:00.32 /usr/sbin/sshd

Now that you know ssh is running you can stop it in a number of ways. The most important information you got back from the command "ps -aux | grep ssh" were the items in the second column (the PID or Process ID) and the last column, the actual command used to start the process.

To stop this process you can use the "kill" command. There are two typical ways to do this assuming that the Process ID in this case was "1348":

kill 1348
or
kill -9 1348
You should always try using just "kill" first. This tells the process to end immediately and to clean up (it sends the Quit signal). If the process does not respond and you need it to stop, then you can use the more forceful "kill -9" command, which sends the Kill signal. This is a "non-catchable" and "non-ignorable" signal. In general this just means stop the process no matter what. The problem with this is that the process will not have time to clean up after itself. It's possible that data or state could be lost. In addition, you could end up with a file that contains the old Process ID (a "pid" file) that confuses the service later on if you try to restart it. In most cases the scripts used to start a service, or the actual daemons themselves, are smart enough to deal with this situation.

This is somewhat of an artificial example of the use of kill. In reality you will probably want to deal with an item like ssh by using the startup script that is available for this process. You should look for scripts that appear to stop and start these services in:

/etc/rc.d

or

/usr/local/etc/rc.d

In this case if you go to the "/etc/rc.d" directory you will find a script file called "sshd". If you do the following:
cd /etc/rc.d

./sshd

you should see the options available to you for controlling the ssh daemon. In this case there are numerous options, but the two that we are interested in are "start" and "stop". For this type of service you can type:
./sshd stop
to stop the ssh daemon. And:
./sshd start
to start the daemon. What's going on with the use of "./" in front of the "sshd" script?

A final useful variation on the kill command is:

kill -HUP processID
"HUP" stands for the "Hang UP" signal (or signal "1"). In general this is a way to restart a process in place (the process ID will not change) and ask it to reread its configuration file. If you had, for instance, updated /etc/ssh/sshd_config you could issue:
kill -HUP 1348
(1348 is a sample process ID from above) to restart the ssh daemon and have it reread its configuration file, which is in this case /etc/ssh/sshd_config. In most cases users using this service will not notice any interruption and can continue on working. In some cases, however, this could cause the service to drop current connections; this is a service-by-service difference.
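The "kill first, kill -9 only if needed, and do not leave a stale pid file" advice from this exercise, written out as an added example (not part of the original page or of any rc script). A bare "kill" sends TERM (signal 15); "kill -0" sends nothing and only tests whether the process exists. The pid file path and timeout are parameters.

```shell
#!/bin/sh
# Added example (not from the original exercise): stop a daemon the way a
# careful rc script does. Read the pid file, send TERM so the process can
# clean up, wait a bounded time, and only then fall back to KILL (signal 9).
# A stale pid file, left by a process killed without cleaning up, is
# reported and removed so a later restart is not confused by it.

# Return 0 if the process exists. "kill -0" sends no signal, it only checks;
# on Linux a zombie (exited but not yet reaped) is treated as gone.
pid_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        state=$(sed 's/^.*) \(.\).*/\1/' "/proc/$1/stat")
        [ "$state" != "Z" ]
    fi
}

# Usage: stop_by_pidfile PIDFILE [TIMEOUT_SECONDS]
# Prints one line describing what happened; returns 1 if there is no pid file.
stop_by_pidfile() {
    pidfile=$1; timeout=${2:-5}
    [ -f "$pidfile" ] || { echo "no pid file $pidfile"; return 1; }
    pid=$(cat "$pidfile")
    if ! pid_alive "$pid"; then
        echo "stale pid file (pid $pid not running), removing"
        rm -f "$pidfile"
        return 0
    fi
    kill "$pid"                       # TERM: ask the process to exit cleanly
    i=0
    while pid_alive "$pid" && [ "$i" -lt "$timeout" ]; do
        sleep 1; i=$((i + 1))
    done
    if pid_alive "$pid"; then
        kill -9 "$pid"                # KILL: cannot be caught or ignored
        sleep 1
        echo "pid $pid ignored TERM, sent KILL"
    else
        echo "pid $pid exited on TERM"
    fi
    rm -f "$pidfile"                  # never leave a stale pid file behind
}
```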

4.) Install and make work cracklib (Advanced)

If you use the "passwd" command to change your user account password you'll note that no checking is done on the password you choose. You can even choose your own name as your password! This is not a good idea for a production server.

Try compiling the cracklib library from the ports collection and then configuring your Pluggable Authentication Module (PAM) script for passwd so that cracklib is used any time a user creates a new password.

In general you would do something along the lines of:

cd /usr/ports/security/cracklib
make
make install
cd /etc/pam.d
vi passwd
At this point you are in the /etc/pam.d/passwd PAM configuration file...

Before editing this file you may need to figure out where cracklib went on your system and/or try reading some man pages (maybe "man cracklib") to see what entry is required to get cracklib working correctly. Or, you can try searching at www.google.com for some help - maybe, "get cracklib to work with pam" or some such string.

Finally, you should note that when you edit /etc/pam.d/passwd that you can simply uncomment the line that reads:

password        requisite       pam_passwdqc.so         enforce=users

and this will enable the FreeBSD-provided password cracking routine instead.


Hervey Allen
October 2004

Last modified: Oct 09 09:25:34 TST 2004