Linux Security Hands-On Practice 1
This page is at:
http://joelandrebecca.martintribe.org/linuxconf/security/hands_on1.html
There is a lot to cover in this session. Go at your own pace, but try
to cover most of the sections at least briefly. If you don't have any
experience with the command line, try to work with somebody who does. Ask
as many questions as you need. Consult the manual pages for the
different commands. It's a steep learning curve, but the knowledge
will pay off. Keep working at it when you return home.
If you are looking at the web page, then the commands to be executed are
blue or red and left justified. You will also want to work with
a partner, or have a separate machine that you have access to.
- Ctrl-C -> Stop a long running program or get a fresh prompt
- Ctrl-D -> Log out from a shell prompt (or type "exit")
- Up, Down -> Cycle through previous commands
- Shift-PageUp, Shift-PageDown -> Work like a scroll bar in the
terminal even when the scroll bar isn't there
- Tab -> Completes the command line if the completion is unambiguous
- Tab-Tab -> Shows all possible ways to complete the current command
line. If run from a blank command prompt, shows all executable
programs.
Here is a list of commands you may want to experiment around
with during this session:
cat - print file contents to screen
chgrp - change file group ownership
chmod - change file permissions
chown - change file user ownership
cp - make a copy of a file
echo - print a text string to screen
grep - search a file (or input stream) for a text string
id - show your current user and group ids
ifconfig - show network configuration information
kill - terminate a process
less - page through a file (or input stream) one screen at a time
ls - directory listing
mkdir - create a directory
mount - attach a disk partition to filesystem
mv - rename or move file to another location
netstat - show network and port information
newgrp - change your active group id
passwd - change a user's login password
ping - send ping packets to another computer
ps - process list
pwd - show the present working directory
rm - remove a file
rmdir - remove an empty directory
rpm - package management command
sort - sort lines of a file (or input stream)
ssh - remote secure shell
su - switch user
touch - create a file or change modification time
umount - detach a disk partition from the filesystem
useradd - add a user to the system
userdel - remove a user from the system
yum - network aware rpm package management
wc - count the number of lines in a file (or stream)
wget - download a file or web page from the internet
- Log into the desktop environment as root (don't make a regular
habit of this; it is just for convenience right now)
- Open two shell terminals
- Arrange them side by side so that you can quickly switch between
them.
- In one shell, create a user named "jsmith"
useradd -m jsmith
- Set jsmith's passwd to something you won't forget
passwd jsmith
- Now in one shell, switch to jsmith
su - jsmith
- The implication of what you just did may not have sunk in yet.
root can do anything. root can even impersonate another user. That
is why root is called the super-user.
- You can tell the difference between the shell that is owned by
jsmith and the one that is owned by root. jsmith's shell prompt
ends in "$" whereas root's ends in "#". This is a normal convention,
but don't rely on it, because it can easily be changed.
- Use the official way to determine who you are in each shell.
id
id
- If you are viewing this page online then the commands for the root
shell are in red and the commands for the jsmith shell are in
blue.
- Situation: You have some files that you want to share between some
users but not with others.
- GUI alternate: Nautilus (double click Computer icon on the
desktop)
- In jsmith's shell, make sure you are in jsmith's home directory
cd
pwd
- Create a directory called scratch and enter it
mkdir scratch
cd scratch
- Create a file called testfile1
touch testfile1
- List the directory contents
ls
- Create a file called testfile2
touch testfile2
- List the directory contents
ls
- List directory contents in long format (extra info)
ls -l
- List directory contents including hidden files in long format
ls -al
- Edit testfile1 using the nano text editor, add some text
and exit the editor using Ctrl-X
nano testfile1
ls -l
- Set the group ownership of the file to the "users" group
chgrp users testfile1
ls -l
- Set the user ownership of the file to the apache user. jsmith cannot
do this because it would be a security issue. To change the user
ownership you will need to use the root user's shell.
- In root's shell, change to jsmith's home directory.
cd /home/jsmith
chown apache testfile1
ls -l
- Set the permissions on the file so that the apache user can
read, write, and execute the file
chmod u+rwx testfile1
ls -l
- Set the permissions on the file so that users in the "users"
group can read the file contents and execute the file, but
not modify or write to the file.
chmod g+rx testfile1
chmod g-w testfile1
ls -l
- Set the permission on the file so that all other users can
only execute the file, but cannot view the contents or
modify the file.
chmod o+x testfile1
ls -l
chmod o-rw testfile1
ls -l
- Go back to jsmith's home directory
cd
- Create a second scratch directory. Remove all permissions (including
execute) from that scratch directory and notice that you can no longer
change into that directory.
mkdir scratch2
ls -ld scratch2
chmod 000 scratch2
ls -ld scratch2
cd scratch2
- Now remove scratch2
rmdir scratch2
- Notice that you can still remove scratch2. This is because the
ability to delete is a property of the containing directory
(jsmith's home directory), not of the item itself.
- Situation: You have two new users that will be collaborating on
a project and need to share documents but don't want others to be
able to access them.
- GUI alternate: "System Settings->Users and Groups" and Nautilus
(Computer icon on desktop)
- In root's shell, display the current contents of the group file:
cat /etc/group
- Create a new group for the two users called class1.
groupadd class1
- Show the new contents of the group file:
cat /etc/group
- Add the new users to the system:
useradd -m -G class1 student1
useradd -m -G class1 student2
- Give the users passwords
passwd student1
passwd student2
- Show the contents of /etc/passwd. Your new users should be at the
end of the file.
cat /etc/passwd
- In root's terminal, log in as student1
ssh student1@localhost
id
- Allow others to cd into and view the contents of student1's home
directory (but not add or remove files). The "." means the current
directory (which is /home/student1).
chmod go+rx .
- Create a private file
echo "private file text" > testfile1
ls -l
- Set the file permissions to deny group and other permissions
chmod go-rwx testfile1
ls -l
- Now create a file to share with student2
echo "shared file text" > testfile2
- Change the file to have class1 group ownership
ls -l
chgrp class1 testfile2
- Make the file readable and writeable by the class1 group and deny
permissions to other users
chmod g+rw testfile2
chmod o-rwx testfile2
ls -l
- Now log out as student1
exit
- Verify that you are the root user again
id
- Now test the permissions as student2. In root's terminal, log in
as student2
ssh student2@localhost
id
- Change to student1's home directory and show the contents
cd /home/student1
ls -l
- Try to show the contents of testfile1 and testfile2. You should
get "permission denied" for testfile1 and see the contents of
testfile2.
cat testfile1
cat testfile2
- Use nano to modify the contents of testfile2.
- Log out as student2 and verify that you are root.
exit
id
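The scratch-directory exercise and the student1/student2 shared-file exercise above, replayed in a throw-away directory as an added example (this is not part of the original tutorial). It uses only POSIX tools, needs no root, and leaves out chgrp so that no group has to exist; the mode strings it reads back are the ones "ls -l" shows.

```shell
#!/bin/sh
# Added example, not from the original tutorial: replay the scratch and
# shared-file exercises in a throw-away directory and read back the mode
# strings exactly as "ls -l" shows them. POSIX tools only; no root needed.

# perm_string PATH -> the 10-character mode field of "ls -ld" (an SELinux
# or ACL marker after it is cut off)
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# setup_scratch BASE -> the jsmith exercise: testfile1 gets u=rwx, g=rx, o=x;
# scratch2 loses every permission bit (the tutorial's "000" step).
setup_scratch() {
    mkdir -p "$1/scratch"
    touch "$1/scratch/testfile1"
    chmod u+rwx,g+rx,g-w,o+x,o-rw "$1/scratch/testfile1"
    mkdir "$1/scratch2"
    chmod 000 "$1/scratch2"
}

# setup_shared BASE -> the student1 exercise: a private file (go-rwx) and a
# group-shared file (g+rw, o-rwx). chgrp is left out so the example runs
# without creating a group.
setup_shared() {
    mkdir -p "$1/home"
    echo "private file text" > "$1/home/testfile1"
    chmod go-rwx "$1/home/testfile1"
    echo "shared file text" > "$1/home/testfile2"
    chmod g+rw,o-rwx "$1/home/testfile2"
}

# can_enter DIR -> "yes" if the current user can cd into DIR. For a mode-000
# directory this is "no" for ordinary users; root bypasses these bits, so the
# tutorial's "cannot change into it" only holds when you are not root.
can_enter() {
    if (cd "$1" 2>/dev/null); then echo yes; else echo no; fi
}

# can_remove_empty_dir DIR -> "yes" if rmdir DIR works. The permission that
# matters is write+execute on the parent directory, not DIR's own mode.
can_remove_empty_dir() {
    if rmdir "$1" 2>/dev/null; then echo yes; else echo no; fi
}
```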
- Situation: There is a run-away process running on the system that
is bogging it down.
- GUI Alternate: "System Tools->System Monitor"
- In jsmith's shell, run the program "top", which continuously shows
the processes on the system in order of CPU usage.
top
- In root's shell, show all the processes that are running. The last
column is the name of the process. The first column is the user
who owns the process. The second column is the id of the process
(the pid).
ps aux
- Show all the processes that are running that are owned by jsmith.
You should see one named "top".
ps aux | grep jsmith
- Kill the top process (PROCESSNUM is pid of "top" from above)
kill PROCESSNUM
- If that doesn't work, kill with extreme prejudice
kill -KILL PROCESSNUM
- Notice that top exits in jsmith's terminal. Verify using ps.
ps aux | grep jsmith
- Notice that jsmith has a process named "-bash". This process is
jsmith's shell.
- Kill jsmith's bash shell process using the pid of the "-bash"
process. (the -KILL option is necessary to kill the bash shell).
kill -KILL PROCESSNUM
- Notice that jsmith's shell prompt was closed. In the terminal
window that was running jsmith's shell, log in again as jsmith.
su - jsmith
- Situation: You want to administer or monitor a system remotely.
- GUI Alternate: vnc server and client (more difficult to setup and
secure than ssh)
- Find a partner, have him/her add a user to their system
and vice versa. Add the user to the wheel group so that
the user can switch to the root user.
useradd -m -G wheel USERNAME
passwd USERNAME
- Find out your IP address, the "inet addr" of network interface
"eth0". Give your system's IP address to your partner.
ifconfig
- ssh to your partner's IP address using the user account
name that he created for you.
ssh USERNAME@IP_ADDR
- Switch from that user to the root account. Your partner will
have to provide his root password (or type it in for you).
su -
- Practice doing some of the earlier administrative tasks on
your partner's computer
- Situation: You caught a student looking over your shoulder while
you were logging into a system. You want to see if they have been
trying to log in to your account.
- GUI Alternate: "System Tools->System Logs"
- Change to the log directory
cd /var/log
- Print the security log file to the screen
cat secure
- Just print the end of the file (most recent entries)
tail secure
- Print lines that mention the user you created above
cat secure | grep USERNAME
- Try logging in as a nonexistent user three times.
ssh zzzz@localhost
- Notice a new "failed" entry at the end of the secure
log.
tail secure
- Follow the earlier instructions and add a user to the system.
- Set the password for that user.
- Now attempt to log in as that user but use an incorrect password.
ssh USERNAME@localhost
- Now list every mention of USERNAME in the secure log. You can look
through the time stamps on each log entry to verify that logins
are not happening for your account at odd times.
cat secure | grep USERNAME
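The "odd times" check described above, as an added example that is not part of the original tutorial: it pulls the "Failed password" entries for one account out of a secure log and lists when and from where they came. The log lines are a constructed sample in the sshd format, not real log data; on a live system you would feed the functions /var/log/secure instead.

```shell
#!/bin/sh
# Added example, not from the original tutorial: summarise sshd "Failed
# password" entries per account. SAMPLE_SECURE is a constructed sample in the
# sshd log format; on a real system use: failed_sources jsmith < /var/log/secure

SAMPLE_SECURE='Jun  1 07:35:12 host sshd[1234]: Failed password for invalid user zzzz from 127.0.0.1 port 51234 ssh2
Jun  1 07:35:20 host sshd[1235]: Failed password for jsmith from 127.0.0.1 port 51235 ssh2
Jun  1 07:36:01 host sshd[1236]: Accepted password for jsmith from 127.0.0.1 port 51236 ssh2
Jun  1 23:12:44 host sshd[1240]: Failed password for jsmith from 10.0.0.5 port 40000 ssh2
Jun  2 02:03:09 host sshd[1250]: Failed password for invalid user zzzz from 10.0.0.5 port 40001 ssh2'

# One awk program for both reports. On a "Failed password" line it extracts
# the account (n) and the peer address (src). Accounts that do not exist are
# logged as "invalid user NAME", so the name sits two words further on.
FAILED_AWK='/sshd\[[0-9]+\]: Failed password for / {
    for (i = 1; i <= NF; i++) {
        if ($i == "for") n = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
        if ($i == "from") src = $(i+1)
    }
    if (n != u) next
    c++
    if (mode == "list") print $1, $2, $3, src
}
END { if (mode == "count") print c + 0 }'

# failed_count USER (log on stdin) -> number of failed password attempts
failed_count()   { awk -v u="$1" -v mode=count "$FAILED_AWK"; }

# failed_sources USER (log on stdin) -> "Mon D HH:MM:SS ADDR" per failure
failed_sources() { awk -v u="$1" -v mode=list  "$FAILED_AWK"; }

# after_hours USER (log on stdin) -> only the failures between 20:00 and
# 06:59, the "odd times" worth a closer look
after_hours() {
    failed_sources "$1" |
        awk '{ h = substr($3, 1, 2) + 0; if (h >= 20 || h < 7) print }'
}
```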
- Situation: You realize that your mail server is running a web
server and doesn't need to be.
- GUI alternate: "System Settings->Server Settings->Services"
- In root's shell, show services that are installed on the system
ls /etc/init.d/
- Start the apache web server
/etc/init.d/httpd start
- Get the web server status
/etc/init.d/httpd status
- Point a browser at http://localhost/ to verify that
the server is serving web pages
- Stop the web server
/etc/init.d/httpd stop
- Point a browser at http://localhost/ to verify that
the server has in fact stopped
- Make the server start up on boot and verify that the server
is marked on for runlevel 5
chkconfig httpd on
chkconfig --list httpd
- Remove the server from the boot sequence and verify that
it is marked off for runlevel 5
chkconfig httpd off
chkconfig --list httpd
- Situation: You discover that your web server has a port open to
the Internet. You want to figure out whether it is serving
a required function, otherwise you want to close the port.
- GUI alternate: "System Tools->Network Tools"
- From root's terminal, look at the list of standard port to service
mappings. Use nano to look at the definition file. Use Ctrl-X to
exit nano when you are done.
nano /etc/services
- Start the cups service
/etc/init.d/cups start
- Use nmap to scan your system for open ports. Normally it is best
to run nmap from another machine for accurate information. A scan
of the local machine may show ports that are in fact not
accessible from outside because of firewall software. You should see
a line like this: "631/tcp open ipp".
nmap localhost
- Use nano to view /etc/services again and try and find port 631 in
the list.
nano /etc/services
- "Internet Printing Protocol" is the protocol name listed in
/etc/services. List the services that are installed on the system.
You will note that none refer to ipp or printing. So you will have
to take a different route.
ls /etc/init.d
- Use the netstat command to list all the processes that have open
ports. The text may wrap so you may want to widen your terminal
and then run the command. The fourth column has the IP address and
port number. The last column is the process id with the process
name. You can see from this that the process with port 631 open is
cupsd.
netstat -tnlp
- Shut down the cups service
/etc/init.d/cups stop
- Scan your ports again to make sure that the port is in fact
closed.
nmap localhost
- Now remove cups from the startup sequence.
chkconfig cups off
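The two lookups done by hand above, "netstat -tnlp" for who is listening and /etc/services for what a port number usually means, joined into one report as an added example (not part of the original tutorial). It also marks whether each listener is bound to a loopback address or to all interfaces, since only the latter is reachable from other hosts. Both inputs are constructed samples of the respective formats, not output from a real system.

```shell
#!/bin/sh
# Added example, not from the original tutorial. SAMPLE_SERVICES stands in
# for /etc/services and SAMPLE_NETSTAT for "netstat -tnlp" output; both are
# constructed. On a real system: service_name 631 tcp < /etc/services

SAMPLE_SERVICES='# service-name  port/protocol  [aliases]   # comment
ssh             22/tcp
smtp            25/tcp          mail
http            80/tcp          www www-http
ipp             631/tcp                         # Internet Printing Protocol'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      2112/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2050/sendmail
tcp6       0      0 :::22                   :::*                    LISTEN      1890/sshd'

# service_name PORT PROTO (services file on stdin) -> name, or "unknown"
service_name() {
    awk -v want="$1/$2" '!/^#/ && $2 == want { print $1; found = 1; exit }
                          END { if (!found) print "unknown" }'
}

# listening_summary (netstat -tnlp output on stdin)
#   -> one line per listener: "PORT/PROTO SERVICE PROGRAM BINDADDR REACH"
listening_summary() {
    # Column 4 is Local Address (addr:port); the last column is PID/Program.
    awk '$1 ~ /^(tcp|udp)6?$/ && $NF ~ /\// {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            split($NF, p, "/")
            print $1, port, p[2], addr
         }' |
    while read -r proto port prog addr; do
        svc=$(printf '%s\n' "$SAMPLE_SERVICES" | service_name "$port" "${proto%6}")
        case "$addr" in
            127.0.0.1|::1) reach=local-only ;;      # loopback: not reachable from the network
            *)             reach=all-interfaces ;;  # reachable unless a firewall blocks it
        esac
        echo "$port/$proto $svc $prog $addr $reach"
    done
}
```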
- Situation: There is a program on your system that requires root
access to run. However, you wish to let users that are in
a certain group run this program without giving them root access.
- GUI alternate: Nautilus
- In jsmith's terminal, run the date command to show the date and
time.
date
- Now try and use date to change the time. (to June 01, 07:35) You
will note that this fails.
date 06010735
- In root's terminal, make the date command setuid. This means that
date will run as the owner of the date command (root) instead of
as the user that is executing it.
chmod u+s /bin/date
- In jsmith's terminal, now try to set the date. It should succeed.
date 06010735
date
- Remove the setuid bit from the date command to put it back the way
it was.
chmod u-s /bin/date
- In root's terminal, set the correct date and time.
date DATETIME
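The check an administrator runs after an exercise like this one, as an added example that is not part of the original tutorial: audit a directory tree for files carrying the set-user-ID or set-group-ID bit, so that a stray "chmod u+s" is noticed and undone. The demo function builds its own scratch tree; to audit a real system you would point setuid_files at / instead.

```shell
#!/bin/sh
# Added example, not from the original tutorial: list set-user-ID and
# set-group-ID files under a directory tree and show that removing the bit
# (the tutorial's "chmod u-s" step) drops a file from the audit.

# setuid_files DIR -> paths under DIR with the set-user-ID bit, one per line
setuid_files() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# setgid_files DIR -> paths under DIR with the set-group-ID bit
setgid_files() {
    find "$1" -type f -perm -2000 -print 2>/dev/null | sort
}

# is_setuid FILE -> "yes" if the ls -l mode string has an "s" (or "S" when
# the owner has no execute bit) in the owner-execute position, column 4
is_setuid() {
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) echo yes ;;
        *)   echo no ;;
    esac
}

# demo_setuid_audit -> "BEFORE AFTER": number of setuid files found in a
# constructed scratch tree before and after the setuid bit is removed
demo_setuid_audit() {
    t=$(mktemp -d)
    touch "$t/plain" "$t/suid" "$t/sgid"
    chmod u+s "$t/suid"                  # the tutorial's "chmod u+s" step
    chmod g+s "$t/sgid"
    before=$(setuid_files "$t" | wc -l | tr -d ' ')
    chmod u-s "$t/suid"                  # the tutorial's "put it back" step
    after=$(setuid_files "$t" | wc -l | tr -d ' ')
    rm -rf "$t"
    echo "$before $after"
}
```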
If there is time, start looking at the manual pages for
the commands already mentioned and experimenting
with them more.
For further reference and study:
- Complete this online book and you will be on your way to being
a Linux command line expert.
http://www.icon.co.za/~psheer/book/index.html.gz
- Good Fedora sites:
http://fedora.redhat.com/
http://www.fedorafaq.org/
http://www.fedoranews.org/
http://www.fedoraforum.org/
Package Management:
- Search for Fedora RPMs:
http://www.fedoratracker.org/
- Yum tutorial:
http://www.fedorafaq.org/#installsoftware
- Excellent rpm search engine
http://rpm.pbone.net/