SLIDE 1
Network Security Fundamentals
Security Training Course
- Dr. Charles J. Antonelli
Network Security Fundamentals Security Training Course Dr. Charles - - PowerPoint PPT Presentation
Network Security Fundamentals Security Training Course Dr. Charles - - PowerPoint PPT Presentation
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 9 Linux Security & Logging Linux Security Real-World Linux Security RHEL
SLIDE 2
SLIDE 3
Linux Security
- Real-World Linux Security
- RHEL Security Guides
- Logging
3 04/13 cja 13
SLIDE 4
Real-World Linux Security
SLIDE 5
Real-World Linux Security
The seven deadly sins
- Weak/default passwords
- Open network ports
- Old software versions
- Insecure programs
- Insufficient resources
- Stale/unnecessary accounts
- Procrastination
5 04/13 Bob Toxen, “Real World Linux Security: intrusion detection, prevention, and recovery,” 2nd Ed., Prentice-Hall 2003. cja 13
SLIDE 6
Turn off insecure passwords
- Use SHA-512 & passphrases
- Password hashes in /etc/shadow should
start with $6$
- Maximum password length is 256 characters
- Use /etc/shadow
- Both defined by default
6 04/13 cja 13
SLIDE 7
Prevent ARP Cache Poisoning
- Prevent ARP entries from being spoofed
by making them permanent
- add known ARP entries to /etc/ethers
- add following to /etc/rc.d/rc.local
arp -f /etc/ethers entries read from file are marked permanent
- Use network switch port configurations
7 04/13 cja 13
SLIDE 8
arp
- /sbin/arp command
- w/o args, displays contents of ARP cache
- -a
show all cache entries
- -d h
delete entry for host h
- -s h e set permanent entry for host h with layer 2
address e
- -s h e temp
set temporary entry for host h with layer 2 address e
- -f f
read (default permanent) entries from file f
- -n
don’t convert host addresses to names
8 04/13 cja 13
SLIDE 9
arping
- Similar to ping, but uses ARP requests
and replies for probing
- Doesn’t require sender to have a IP address
- Limited to local subnet, unless proxy ARP
04/13 9 cja 13
SLIDE 10
arping
- /sbin/arping destination
- w/o args, displays usage
- -I i
use interface i (required)
- -b
use only Layer 2 broadcasts
- -s s
use source address s
- -U
unsolicited ARP
- -D
detect duplicate IP addr (RFC 2131)
10 04/13 cja 13
SLIDE 11
arpwatch
- Monitors ARP traffic
- Detects Layer 2 / Layer 3 address pairing changes
- Records to syslog
- Emails to administrator
- Changes detected
- New station – new pairing using previously unseen layer 2 address
- New activity – new pairing using previously seen layer 2 address
- Flip flop – layer 2 address changed in existing pairing
- Changed ethernet address – layer 2 address changed on host
04/13 11 cja 13
SLIDE 12
arpwatch lab
- Look at man page
- man arpwatch
- Display syslog messages
- Start another terminal window
- sudo tail –f /var/log/messages
- Edit config file
- sudo vi /etc/sysconfig/arpwatch
- Insert “-i ethN” into OPTIONS if needed, adjust others as necessary
- (Optional) set arpwatch to start on boot
- chkconfig –list arpwatch
- chkconfig arpwatch on
- chkconfig --list arpwatch
- Start arpwatch
- sudo service arpwatch start
- You should see eth2 entering promiscuous mode in the syslog
- Generate some ARP traffic
- Empty, then list your ARP cache
- You should see something like the following in the log (and in an email message, if you’ve set that up)
Apr 21 16:10:58 localhost arpwatch: new station 172.16.234.2 0:50:56:e7:f7:34
- No output? Get arpwatch to forget:
- sudo service arpwatch stop
- sudo cp /dev/null /var/lib/arpwatch/arp.dat
- sudo service arpwatch start
12 04/13 cja 13
SLIDE 13
RHEL Security Guides
- Canonical step-by-step guide
- Security overview
- Attackers and Vulnerabilities
- Security Updates
- Workstation Security
- Server Security
- Virtual Private Networks
- Firewalls
- Vulnerablity Assessment
- Intrusion Detection
- Incident Response
13 04/13 cja 13
SLIDE 14
Security Guides
- Three guides:
- http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-
i731.pdf
- http://people.redhat.com/sgrubb/files/hardening-
rhel5.pdf
- http://docs.redhat.com/docs/en-US/
Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/ Red_Hat_Enterprise_Linux-6-Security_Guide-en- US.pdf
14 04/13 cja 13
SLIDE 15
Logging
SLIDE 16
Roadmap
- Motivation
- Challenges
- Syslog
- Centralized Logging
- Log reduction
- Swatch, logwatch
16 04/13 cja 13
SLIDE 17
Motivation
- Administration & debugging
- Detect & analyze security & performance
incidents
- Auditing
- Regulatory requirements
- HIPAA, SOX, PCI, GLBA, …
17 04/13 cja 13
SLIDE 18
Example
Jan 2 16:19:23 host.example.com snort [1260]: RPC Info Query: 10.2.3.4 -> host.example.com:111 Jan 2 16:19:31 host.example.com snort [1260]: spp_portscan: portscan status from 10.2.3.4: 2 connections across 1 hosts: TCP(2), UDP(0)
18 04/13 cja 13
SLIDE 19
Example
Jan 02 16:19:45 host.example.com rpc.statd[351]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8 0 4 9 7 1 0 9 0 9 0 9 0 9 0 6 8 7 4 6 5 6 7 6 2 7 4 7 3 6 f 6 d 6 1 6 e 7 9 7 2 6 5 2 0 6 5 2 0 7 2 6 f 7 2 2 0 7 2 6 f 6 6 b f f f f 7 1 8 bffff719 bffff71a b f f f f 7 1 b _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ! _ _ ! _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
19 04/13 cja 13
SLIDE 20
Example
- Jan 02 16:20:25 host.example.com
adduser[12152]: new user: name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/ bash
- Jan 02 16:22:02 host.example.com
PAM_pwdb[12154]: password for (cgi/0) changed by ((null)/0)
20 04/13 cja 13
SLIDE 21
Challenges
- Log generation & storage
- Log CIA
- Log analysis
21 04/13 cja 13
SLIDE 22
CEE - Coming soon?
Common Event Expression
- Standardizes the way computer events are described,
logged, and exchanged
- Create an event expression taxonomy for uniform and precise
log definitions that lead to a common event representation.
- Create logging syntax utilizing a single data dictionary to
provide consistent event specific details.
- Standardize flexible event transport mechanisms to support
multiple environments.
- Propose log recommendations for the events and attributes
devices generate.
- http://cee.mitre.org/language/1.0-beta1/overview.html
- (August, 2012)
22 04/13
cja 13
SLIDE 23
syslog
- UNIX/Linux logging daemon
- facility (origin) & priority (importance)
- log entry accepted by daemon
- logged according to config file
- Windows third-party tools
- Windows event log -> syslog
http://www.eventreporter.com/ http://www.winagents.com/
- syslog -> Windows
http://www.winsyslog.com/en/
23 04/13 cja 13
SLIDE 24
syslog
- LogAnalyzer (née phpLogCon)
- Front end for searching, reviewing and analyzing event data
- Data sources
syslog, rsyslog, WinSyslog log files MySQL databases
» Adiscon MonitorWare, php-syslog-ng schemas
Any LF-delimited file Multiple instances
- Data display
GUI controls: scroll, search, tooltip, …
- http://loganalyzer.adiscon.com/
24 04/13
cja 13
SLIDE 25
syslog
- Splunk
- Indexes log file data, also config files, arbitrary script output
- Data sources
syslog, rsyslog, WinSyslog log files Config files Arbitrary script outputs Multiple instances
- Indexes data
Free for indexing up to 500 MB/day
- Data display
GUI controls: scroll, search, tooltip, …
- http://www.splunk.com/
25 04/13
cja 13
SLIDE 26
rsyslog
- The reliable & extended Linux logging daemon
- Upward-compatible with syslogd
- Provides reliable remote logging
TCP – ubiquitous, uses reliable connection RELP- queues locally until loghost accessible
- man rsyslogd
- man 5 rsyslog.conf
- /etc/rsyslog.conf
26 04/13 cja 13
SLIDE 27
rsyslog basic lab
- Edit log destination
- sudo vi /etc/rsyslog.conf
- Add line under RULES section
*.debug,mark.debug /var/log/fulllog
- Tell syslog to re-read config file
- sudo service rsyslog restart
- Test the syslog
- logger ‘Hello, world!’
27 04/13
cja 13
SLIDE 28
centralized logging lab
- Your instructor will provide the identity of a
central logging host
- pst.merit.edu
- Edit local /etc/rsyslog.conf
- Add forwarding rule with remote host
*.* @pst.merit.edu
- Tell local syslog to re-read config file
- sudo service rsyslog restart
- Test with logger
28 04/13 cja 13
SLIDE 29
Relay Architecture
29 04/13 cja 13
SLIDE 30
Log Reduction
- Make three piles
- ignore - don’t want to see these, ever
- baseline - aren’t likely to contain time-critical
security information
- investigate - those that do
30 04/13 cja 13
SLIDE 31
Log Reduction
- A simple first step
- cut -f5- -d\ /var/log/fulllog | sed -e ‘s/[0-9]
[0-9]*/###/g’| sort | uniq -c | sort -nr
- Use script in /usr/local/lab/syslog/reduce
31 04/13 cja 13
SLIDE 32
Baselining I
- Construct a baseline
- Measure set of known data to compute range of
“normal” values
- Examples
Network traffic by protocol Logins/logouts Accesses of admin accounts DHCP address management DNS requests Amount of log data/day Number of processes running
32 04/13 cja 13
SLIDE 33
Baselining II
- Compare against baseline
- Anomaly detection
detecting things you haven’t seen before
- Thresholding
identifying data that exceed a given baseline
- Windowing
detecting events within a given time period
33 04/13 cja 13
SLIDE 34
Log parsing tools
- swatch
- logwatch
34 04/13 cja 13
SLIDE 35
swatch lab
- Examine man page
- man swatch
- Copy sample rule
- cp /usr/local/lab/swatch/sample.swatchrc ~lab/.swatchrc
- Examine sample rule
- Start swatch
- sudo swatch -c ~lab/.swatchrc
- Trigger swatch
- Start a new terminal window
- logger ‘Hello, World!’
- Experiment with different rules
35 04/13 cja 13
SLIDE 36
log parsing lab
- Examine man page
- man logwatch
- Examine config and service files
- System-wide
/usr/share/logwatch/default.conf/logwatch.conf /usr/share/logwatch/scripts/services
- Locally-configured
/etc/logwatch/conf/logwatch.conf /etc/logwatch/scripts/services
- Perform log parse
- /usr/sbin/logwatch --print [--service
sendmail] [--range all] [--archives]
36 04/13 cja 13
SLIDE 37
Maintaining log files
- Log files expand to fill available space
- Control by rotation
- switch over to a new log file periodically
- overwrite oldest log file
- logrotate
- needs logging facility’s cooperation
/sbin/killall -HUP facility copytruncate
- man logrotate
- /etc/logrotate.conf
- /etc/logrotate.d/
37 04/13 cja 13
SLIDE 38
log analysis lab
- Enable httpd
- sudo yum install php
- sudo service httpd start
- Install LogAnalyzer (1)
- wget
http://download.adiscon.com/loganalyzer/loganalyzer-3.0.4.tar.gz
- tar zxf loganalyzer-3.0.4.tar.gz
- cd loganalyzer-3.0.4
- less Install
38 04/13 cja 13
SLIDE 39
log analysis lab
- Install LogAnalyzer (2)
- sudo cp -r src/* /var/www/html
- sudo touch /var/www/html/config.php
- sudo chmod 666 /var/www/html/config.php
- sudo chcon -hR -t httpd_sys_script_rw_t /var/www/html
- Install LogAnalyzer (3)
- sudo setfacl -m u:apache:r /var/log/messages
- wget http://www-personal.umich.edu/~cja/LPS10/supp/lpspol_log.te
- checkmodule -M -m -o lpspol_log.mod lpspol_log.te
- semodule_package -o lpspol_log.pp -m lpspol_log.mod
- sudo semodule -i lpspol_log.pp
39 04/13 cja 13
SLIDE 40
log analysis lab
- Install LogAnalyzer (4)
- Browse to http://localhost/
- Click the word “here” in the Critical Error Notice
- Accept all defaults except:
Step 7 – Set Syslog file to /var/log/messages
- Install LogAnalyzer (5)
- sudo chmod 644 /var/www/html/config.php
- sudo restorecon -R /var/www/html
- Run LogAnalyzer!
- Browse to http://localhost/
- When done with lab:
- sudo setfacl -b /var/log/messages
40 04/13 cja 13
SLIDE 41
References
- “Real World Linux Security: intrusion detection, prevention, and recovery,” 2nd Ed., Bob Toxen, Prentice-Hall
2003.
- http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
- http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
- http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/
Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
- “Guide to the Secure Configuration of Red Hat Enterprise Linux 5,” Revision 3, National Security Agency,
October 21, 2009. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf (accessed April 2010)
- Abe Singer and Tina Bird, “Building a Logging Infrastructure,” USENIX Association, ISBN 1-931971-25-0,
2004.
- The SANS 2007 Log Management Market Report
http://www.sans.org/reading_room/analysts_program/LogMgt_June07.pdf (accessed April 2010)
- Common Event Expression (Anton Chuvakin, cee@mitre.org)
http://cee.mitre.org/docs/Common_Event_Expression_White_Paper_June_2008.pdf (accessed April 2010)
- Karen Kant and Murugiah Souppaya,
“Guide to Computer Security Log Management," NIST Publication 800-92, September 2006.
- LogAnalyzer Documentation, http://loganalyzer.adiscon.com/doc/manual.html (accessed April 2011).