System Administration CSE598K/CSE545 - Advanced Network Security - PowerPoint PPT Presentation

�������฀฀���฀฀�������� ��������������฀�������� � � �������฀���฀��������฀��������฀������ ����������฀��฀��������฀�������฀���฀����������� ������������฀�����฀�����������฀����������฀����฀฀�� System Administration CSE598K/CSE545 - Advanced Network Security Luke St.Clair - Spring 2008 CSE598K/CSE545 - Advanced Network Security - McDaniel Page 1

Why do we care? • This is probably the most important thing you can learn to secure systems? • The idea ‣ to learn a couple practical things ‣ learn some tools to learn more CSE598K/CSE545 - Advanced Network Security - McDaniel Page 2

How to get in... • ssh - secure shell • rhosts - it’s great! I want that. ‣ .rhosts - list of users that can log in ‣ ssh remotehost command - simply run a command on a remote host (useful for scripts) • server not installed on Ubuntu by default (no open ports!) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 3

Garage door opener • Open the door easier ‣ let’s just say who can access ‣ we’ll do it by what people have ‣ .ssh/authorized_keys • ssh-keygen -t dsa - we’ll make some keys CSE598K/CSE545 - Advanced Network Security - McDaniel Page 4

Giving out keys • We made keys, now each host just has to make a list of what keys are okay • Who needs to know this? ‣ scp your .ssh/id_dsa.pub (or similar) to your VM • scp .ssh/id_dsa.pub 130.203.83.20:~/coriakin-key.pub ‣ ssh 130.203.83.20 “cat ~/coriakin-key.pub >> ~/.ssh/ authorized_keys” CSE598K/CSE545 - Advanced Network Security - McDaniel Page 5

Shortcomings of SSH • pairwise keys - gets annoying ‣ it’s really too many for me to use everywhere • You have to trust where your host key is • You just forget things • MitM ‣ how do you check host key? ‣ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub CSE598K/CSE545 - Advanced Network Security - McDaniel Page 6

It can be a little easier CSE598K/CSE545 - Advanced Network Security - McDaniel Page 7

Being privileged • sudo - superuser do • there’s no root user! • sudo visudo - you can see what the policy is ‣ your policy says anyone in the group “admin” can do anything, if they put their password in • note that you had to sudo to change sudoers, the file that controls sudo policy CSE598K/CSE545 - Advanced Network Security - McDaniel Page 8

Let’s get some $\/\/33t w@r3z • What if there was a way to install things as long as you know what sort of thing you want? • What if you could update everything with a command? CSE598K/CSE545 - Advanced Network Security - McDaniel Page 9

WINDOWS UPDATE!!?!?!? • WINDOWS UPDATE!!!!!! Rulz! • roflcopter. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 10

Aptitude • Basic Principles ‣ aptitude update - refreshes the list of what exists - practically, do this before you do things ‣ aptitude search - look in the whole repository for matches to your search terms (even descriptions!) ‣ aptitude install <package name> - installs a package. You have to type the name right ‣ aptitude (safe|full)-upgrade - upgrade all your packages, safely, or fully CSE598K/CSE545 - Advanced Network Security - McDaniel Page 11

Let’s get a Desktop • Some packages are “meta” packages, which are just shorthand for listing tons of packages ‣ let’s aptitude install apache2 ‣ installs, basically configures, and starts apache2 ‣ then aptitude install xubuntu-desktop, which will install a full desktop system, and tightvncserver CSE598K/CSE545 - Advanced Network Security - McDaniel Page 12

Visit your website • Point your browserz at your ip address • You’ve been hax0r3d! Apache HTTP Server Test Page powered by CentOS http://mirror.centos.org/mirrorscripts/noindex_new.html Apache 2 Test Page powered by CentOS This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page it means that the Apache HTTP server installed at this site is working properly. If you are a member of the general If you are the website public: administrator: The fact that you are seeing this page You may now add content to the directory indicates that the website you just visited /var/www/html/ . Note that until you do is either experiencing problems or is so, people visiting your website will see undergoing routine maintenance. this page and not your content. To prevent this page from ever being used, If you would like to let the administrators of follow the instructions in the file this website know that you've seen this /etc/httpd/conf.d/welcome.conf . page instead of the page you expected, you should send them e-mail. In general, You are free to use the images below on mail sent to the name "webmaster" and Apache and CentOS Linux powered directed to the website's domain should HTTP servers. Thanks for using Apache reach the appropriate person. and CentOS! For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com". About CentOS: The Community ENTerprise Operating System (CentOS) is an Enterprise-class Linux Distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor. CentOS conforms fully with the upstream vendors redistribution policy and aims to be 100% binary compatible. (CentOS mainly changes packages to remove upstream vendor branding and artwork.) The CentOS Project is the organization that builds CentOS. For information on CentOS please visit the CentOS website. Note: CentOS is an Operating System and it is used to power this website; however, the webserver is owned by the domain owner and not the CentOS Project. If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. 1 of 2 1/30/08 3:54 PM CSE598K/CSE545 - Advanced Network Security - McDaniel Page 13

Alternately... CSE598K/CSE545 - Advanced Network Security - McDaniel Page 14

init.d • Nearly every service that would run in the background (apache, ssh, etc) has a script that controls it ‣ instead of trying to figure out which process (ps aux) does what, and how to start/stop the process correctly (not kill!), just ask ‣ they all start/stop/restart - restart is always a safe bet • you’d do this if you change the config of a running program ‣ let’s restart apache ‣ sudo /etc/init.d/apache restart (remember to tab complete!) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 15

VNC • this is all easier on the command line... • but some stuff isn’t (adding users w/ adduser, adding users to groups with usermod -G group user) • so we want a desktop, which runs on a remote system, but that we see on our local system CSE598K/CSE545 - Advanced Network Security - McDaniel Page 16

Tunneling • To get this, we have to tunnel our data ‣ Clever firewall admins don’t let VNC through • ssh -L 5900:firsthost:5901 -TN secondhost ‣ forwards local port 5900 to port 5901 on firsthost via secondhost - remember this description ‣ set up a tunnel from port 5900 on your machine, to 5901 on your VM, via your VM CSE598K/CSE545 - Advanced Network Security - McDaniel Page 17

All that’s left is to connect... • Have to start a server on the remote host ‣ this is per-user: vncserver :1 ‣ set a password • On your local host, point your VNC viewer at yourself (remember, 5900, the VNC port gets tunneled to a remote party via someone’s ssh service), password is your VNC password, NOT ssh password • You’ll be prompted for your VNC password if you didn’t put it in already CSE598K/CSE545 - Advanced Network Security - McDaniel Page 18

Ugly Desktop • See help.ubuntu.com/community/VNCOverSSH ‣ basically, just put something in your .vnc/xstartup ‣ wget http://www.lukestclair.com/tools/config/xstartup ‣ put it in your .vnc file in your home directory CSE598K/CSE545 - Advanced Network Security - McDaniel Page 19

Where to get more help • Ubuntuforums.org - by far the best source • IRC - lots of noise to signal ratio - irc.freenode.org, #ubuntu • wiki.ubuntu.org CSE598K/CSE545 - Advanced Network Security - McDaniel Page 20

Certificate creation • Let’s make a certificate ‣ Don’t try to remember this, just look it up ‣ Make a CA: • openssl genrsa -des3 -out cakey.key 4096 • openssl req -new -x509 -days 365 -key cakey.key -out cacert.crt ‣ Create server key, request, sign • openssl rsa -des3 -out server.key 4096 • openssl req -new -key server.key -out server.csr • openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -set_serial 01 server.crt ‣ this avoids reissuing the same certificate CSE598K/CSE545 - Advanced Network Security - McDaniel Page 21