Linux Security Hands-On Practice 2

This page is at: http://joelandrebecca.martintribe.org/linuxconf/security/hands_on2.html

If you are looking at the web page, the commands to be executed in a terminal shell are shown in blue or red and left justified (in this text version they appear on their own lines). You will also want to work with a partner, or have a separate machine that you have access to.

Command line hints:
- Ctrl-C -> Stop a long running program or get a fresh prompt
- Ctrl-D -> Log out from a shell prompt (or type "exit")
- Up, Down -> Cycle through previous commands
- Shift-PageUp, Shift-PageDown -> Works like the scroll bar in the terminal even when the scroll bar isn't there
- Tab -> Completes the command line if the completion is unambiguous
- Tab-Tab -> Shows all possible ways to complete the current command line. If run from a blank command prompt, shows all executable programs.

Security Tools/Commands:
Here is a list of security tools and commands that you may want to install and experiment with. Only some of them are touched on in this hands-on.

Commands (usually included on most systems):
chgrp - change file group ownership
chmod - change file permissions
chown - change file user ownership
ifconfig - show network interface configuration
lsof - show the process(es) that have specific files open (with -i, the processes that have network sockets open)
kill - terminate a process (or send it another signal)
netstat - show network connections, listening ports and routing information
newgrp - change your active group id
passwd - change a user's login password
ping - send ICMP echo request packets to another computer
ps - process list
ssh - remote secure shell
su - switch user (to root if no user is given)
up2date - Red Hat's software update agent (graphical and command line)
yum - command line software update agent

Security architectures:
iptables - administers the packet filtering (netfilter) firewall built into the Linux kernel
pam - pluggable authentication modules: how programs authenticate users and enforce account and session rules
tcp_wrappers - host-based access control for network services, configured in /etc/hosts.allow and /etc/hosts.deny
selinux - Security Enhanced Linux: fine grained mandatory access controls layered on top of the normal file permissions
xinetd - master service that starts certain network services on demand and governs access to them

1. Get your hands-on environment ready

- yum is a network aware update program that automates common package management tasks (finding, downloading and installing packages together with the packages they depend on).
- We are going to configure yum to use several community supported package repositories.
- Log into your system as root. Then open a terminal window: System Tools->Terminal.
- Download a yum configuration file into the correct location, keeping a backup of the original:

cd /etc/
mv yum.conf yum.conf.bak
wget http://joelandrebecca.martintribe.org/linuxconf/yum.conf

- Before you use it, look through the downloaded file: it was fetched over plain http and it decides where root installs software from. Every repository section should have gpgcheck=1, and you should import each repository's signing key with rpm --import; otherwise yum will accept whatever packages the mirror serves.
- synaptic is similar to yum, but it provides a very nice interface for package management.
- Use yum to find, download and install the synaptic package manager, which provides a graphical front end to package management. When you execute this command yum will gather information from all the repositories that it is aware of, then ask you whether you wish to continue installing the package:

yum install synaptic

- If that completes successfully then you're done and ready to do this hands-on session.

2. Commands and security architectures

- The commands and security architectures you will need are the ones listed at the top of this page.
- If you're going to do Linux security you need to be familiar with reading man pages for commands. The man pages can be terse and technical, but generally the man page is the authoritative guide to a command line tool. The first place you will generally want to start is Google; that can give you a good idea of the purpose, common uses and common problems that people have with a command. However, you will be turning to the man pages frequently, so become accustomed to using and reading them and you will be well on your way to being a Linux guru :-)
- Begin to read the man pages for the commands and security architectures listed above. All the commands have man pages that are named the same as the command. The security architectures also have man pages with the same names, except for tcp_wrappers; you will find its man page under "hosts.allow". If you don't know which man page to read, "man -k keyword" (or "apropos keyword") searches the one-line descriptions of all installed man pages.

man lsof
man kill
man up2date
man selinux
man hosts.allow
...

3. Security Tools

ClamAV (www.clamav.net) - Very good open source virus scanner. A Windows version is also available, called ClamWin.
ethereal (www.ethereal.com) - THE premier network protocol analyzer (since renamed Wireshark). Linux and Windows versions.
firehol (firehol.sf.net) - simpler tool for configuring Linux firewalls.
firestarter (www.fs-security.com) - graphical tool for configuring a firewall on Linux.
iptraf (iptraf.seul.org) - command line network statistics utility.
John the Ripper (www.openwall.com/john) - password cracking/testing utility.
kismet (www.kismetwireless.net) - wireless network detector, sniffer, and intrusion detection utility.
nagios (www.nagios.org) - comprehensive and flexible host, service and network monitoring program.
nessus (www.nessus.org) - remote security and vulnerability scanner
nmap (www.insecure.org/nmap) - network port scanner and host discovery tool
putty (www.putty.nl) - Windows ssh client
rootkit hunter (www.rootkit.nl) - scans for rootkits and other suspicious files/data
snort (www.snort.org) - network intrusion detection system
spamassassin (spamassassin.apache.org) - spam detector
tcpdump (www.tcpdump.org) - command line network traffic viewer
tripwire (www.sourceforge.net/projects/tripwire) - file integrity checker: detects and notifies when system files are modified.

- Now that you have yum pointing at community repositories and have synaptic installed, you can use either yum or synaptic to install the tools above. The exceptions are Nessus and tripwire: they are not available in the repositories that synaptic points to by default, but they are available in the ones we configured yum to use.

4. Play Time

- Find a security tool from the list above that you would like to learn more about and install it. Most of these tools have man pages that you can view. Experiment with the tool.
- Note that not all packages will add an entry to the Applications menu automatically. You can almost always run a tool from the command line using its name.
- The following command lists the files that an installed package put on the system. This is useful for many reasons, one of which is that you may find additional documentation installed with the package (usually under /usr/share/doc; "rpm -qd PKGNAME" lists just the documentation files):

rpm -ql PKGNAME

- Rinse and repeat.

For further reference and study:

Security Guides:
- Red Hat Enterprise 3 Security Guide: very comprehensive security guide for securing Red Hat Linux or Fedora Core.
  https://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/
- Securing Fedora Presentation
  http://www.lboro.ac.uk/computing/security/securing-fedora-linux.html
- Securing Red Hat Linux HOWTO
  http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Security-Quickstart-Redhat-HOWTO.html

Keeping up to date:
- Fedora updates: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
- Download from RHN if using RHEL: http://www.redhat.com/security/updates/ (useful to follow even for Fedora)
- Fedora Announce list: https://www.redhat.com/mailman/listinfo/fedora-announce-list (security advisories have a Subject starting with [SECURITY])
- Archive of the Fedora Announce list: https://www.redhat.com/archives/fedora-announce-list/2005-June/msg00007.html
- BugTraq (SecurityFocus): http://www.securityfocus.com
- CERT (Computer Emergency Response Team): http://www.cert.org

Command Line:
- Complete this online book and you will be on your way to being a Linux command line expert: http://www.icon.co.za/~psheer/book/index.html.gz

Package Management:
- Search for Fedora RPMs: http://www.fedoratracker.org/
- Yum tutorial: http://www.fedorafaq.org/#installsoftware
- Excellent rpm search engine: http://rpm.pbone.net/

General Fedora sites:
http://fedora.redhat.com/
http://www.fedorafaq.org/
http://www.fedoranews.org/
http://www.fedoraforum.org/
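Worked example for step 1, added here and not part of the original hands-on page. It carries out the page's own procedure (back up /etc/yum.conf, fetch the workshop copy with wget) but refuses to put the new file in place until every repository it defines ends up with gpgcheck=1, so that a stale mirror or a file altered in transit cannot quietly turn off signature checking for everything root installs afterwards. The yum.conf URL and the /etc paths are the page's; the audit function, the --apply and --demo flags, and the constructed sample repository file inside demo are this example's own assumptions and not real repository definitions.

```shell
#!/bin/sh
# Added example (not code from the original hands-on page).
# Does the page's step 1 with one gate added: the downloaded yum.conf is
# only installed when every repository in it enforces gpgcheck=1.
set -eu

CONF_URL="http://joelandrebecca.martintribe.org/linuxconf/yum.conf"   # the page's URL
CONF="/etc/yum.conf"

# audit_yum_conf FILE
# Prints "repoid url" for every repository section that does not end up
# with gpgcheck=1. A gpgcheck=1 in [main] counts as the default for repos
# that do not set it themselves. Exit status 1 if any repo is flagged.
audit_yum_conf() {
    awk '
        function flush(   eff) {
            if (sect == "") return
            if (sect == "main") { main_gpg = (gpg == 1); return }
            eff = (gpg == -1) ? main_gpg : gpg
            if (!eff) { printf "%s %s\n", sect, url; bad = 1 }
        }
        /^\[/ {                                   # start of a new [section]
            flush()
            sect = $0; sub(/^\[/, "", sect); sub(/\].*$/, "", sect)
            gpg = -1; url = ""
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {                # gpgcheck=0|1 inside the section
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            gpg = (v == "1") ? 1 : 0
        }
        /^[ \t]*(baseurl|mirrorlist)[ \t]*=/ {    # remember where the repo points
            if (url == "") { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v); url = v }
        }
        END { flush(); exit (bad ? 1 : 0) }
    ' "$1"
}

# setup_yum: the page's step 1. The stock file is copied, not moved, so it
# stays in place until the downloaded one has passed the audit.
setup_yum() {
    cd /etc
    [ -f yum.conf.bak ] || cp -p yum.conf yum.conf.bak
    wget -O yum.conf.new "$CONF_URL"
    if ! audit_yum_conf yum.conf.new; then
        echo "refusing to install yum.conf: the repositories listed above lack gpgcheck=1" >&2
        return 1
    fi
    mv yum.conf.new yum.conf
    echo "installed $CONF; import each repository's key with rpm --import before: yum install synaptic"
}

# demo: audit a constructed sample file (assumption: not a real yum.conf)
# so the check can be seen without touching /etc.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[main]
gpgcheck=1

[base]
name=Fedora Core 3 base (constructed sample)
baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/

[extras]
name=community extras (constructed sample)
baseurl=http://mirror.example.invalid/extras/
gpgcheck=0
EOF
    audit_yum_conf "$tmp" && echo "all repositories enforce gpgcheck" || echo "the repositories above are unsigned"
    rm -f "$tmp"
}

# Usage (as root):  sh yum-setup.sh --apply      or, harmlessly:  sh yum-setup.sh --demo
case "${1:-}" in
    --apply) setup_yum ;;
    --demo)  demo ;;
esac
```

Without a flag the script only defines the functions, so it can be sourced and audit_yum_conf run by hand against any yum.conf. The audit deliberately treats a repository with no gpgcheck line and no gpgcheck=1 in [main] as unsigned, which is how yum behaves.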