[PPT] - System Administration CSE598K/CSE545 - Advanced Network Security PowerPoint Presentation

SLIDE 1

฀฀฀฀ ฀

฀฀฀฀

฀฀฀฀฀ ฀฀฀฀฀฀

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

System Administration

CSE598K/CSE545 - Advanced Network Security Luke St.Clair - Spring 2008

1

SLIDE 2

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Why do we care?

This is probably the most

important thing you can learn to secure systems?

The idea
to learn a couple practical things
learn some tools to learn more

2

SLIDE 3

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

How to get in...

ssh - secure shell
rhosts - it’s great! I

want that.

.rhosts - list of users that

can log in

ssh remotehost

command - simply run a command on a remote host (useful for scripts)

server not installed on

Ubuntu by default (no

pen ports!)

3

SLIDE 4

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Garage door opener

Open the door easier
let’s just say who can access
we’ll do it by what people have
.ssh/authorized_keys
ssh-keygen -t dsa - we’ll

make some keys

4

SLIDE 5

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Giving out keys

We made keys, now each host just has to make a list
f what keys are okay
Who needs to know this?
scp your .ssh/id_dsa.pub (or similar) to your

VM

scp .ssh/id_dsa.pub 130.203.83.20:~/coriakin-key.pub
ssh 130.203.83.20 “cat ~/coriakin-key.pub >> ~/.ssh/

authorized_keys”

5

SLIDE 6

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Shortcomings of SSH

pairwise keys - gets annoying
it’s really too many for me to use everywhere
You have to trust where your host key is
You just forget things
MitM
how do you check

host key?

ssh-keygen -l -f

/etc/ssh/ssh_host_dsa_key.pub

6

SLIDE 7

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

It can be a little easier

7

SLIDE 8

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Being privileged

sudo - superuser do
there’s no root user!
sudo visudo - you can see what the

policy is

your policy says anyone in the group “admin”

can do anything, if they put their password in

note that you had to sudo to change

sudoers, the file that controls sudo policy

8

SLIDE 9

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Let’s get some $\/\/33t w@r3z

What if there was a way to

install things as long as you know what sort of thing you want?

What if you could update

everything with a command?

9

SLIDE 10

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

WINDOWS UPDATE!!?!?!?

WINDOWS UPDATE!!!!!! Rulz!
roflcopter.

10

SLIDE 11

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Aptitude

Basic Principles
aptitude update - refreshes the list of what exists -

practically, do this before you do things

aptitude search - look in the whole repository for matches to

your search terms (even descriptions!)

aptitude install <package name> - installs a package.

You have to type the name right

aptitude (safe|full)-upgrade - upgrade all your packages, safely,
r fully

11

SLIDE 12

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Let’s get a Desktop

Some packages are “meta” packages, which are just

shorthand for listing tons of packages

let’s aptitude install apache2
installs, basically configures, and starts apache2
then aptitude install xubuntu-desktop, which will install a full

desktop system, and tightvncserver

12

SLIDE 13

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Visit your website

Point your browserz at your ip address
You’ve been hax0r3d!

13

Apache HTTP Server Test Page powered by CentOS http://mirror.centos.org/mirrorscripts/noindex_new.html 1 of 2 1/30/08 3:54 PM

Apache 2 Test Page

powered by CentOS This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page it means that the Apache HTTP server installed at this site is working properly. About CentOS: The Community ENTerprise Operating System (CentOS) is an Enterprise-class Linux Distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor. CentOS conforms fully with the upstream vendors redistribution policy and aims to be 100% binary compatible. (CentOS mainly changes packages to remove upstream vendor branding and artwork.) The CentOS Project is the

rganization that builds CentOS.

For information on CentOS please visit the CentOS website. Note: CentOS is an Operating System and it is used to power this website; however, the webserver is owned by the domain owner and not the CentOS Project. If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. If you are a member of the general public: The fact that you are seeing this page indicates that the website you just visited is either experiencing problems or is undergoing routine maintenance. If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person. For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com". If you are the website administrator: You may now add content to the directory /var/www/html/. Note that until you do so, people visiting your website will see this page and not your content. To prevent this page from ever being used, follow the instructions in the file /etc/httpd/conf.d/welcome.conf. You are free to use the images below on Apache and CentOS Linux powered HTTP servers. Thanks for using Apache and CentOS!

SLIDE 14

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Alternately...

14

SLIDE 15

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

init.d

Nearly every service that would run in the background

(apache, ssh, etc) has a script that controls it

instead of trying to figure out which process (ps aux) does

what, and how to start/stop the process correctly (not kill!), just ask

they all start/stop/restart - restart is always a safe bet
you’d do this if you change the config of a running program
let’s restart apache
sudo /etc/init.d/apache restart (remember to tab complete!)

15

SLIDE 16

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

VNC

this is all easier on the command line...
but some stuff isn’t (adding users w/ adduser, adding

users to groups with usermod -G group user)

so we want a

desktop, which runs on a remote system, but that we see on our local system

16

SLIDE 17

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Tunneling

To get this, we have to tunnel our data
Clever firewall admins don’t let VNC through
ssh -L 5900:firsthost:5901 -TN secondhost
forwards local port 5900 to

port 5901 on firsthost via secondhost - remember this description

set up a tunnel from port 5900
n your machine, to 5901 on

your VM, via your VM

17

SLIDE 18

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

All that’s left is to connect...

Have to start a server on the remote host
this is per-user: vncserver :1
set a password
On your local host, point your

VNC viewer at yourself (remember, 5900, the VNC port gets tunneled to a remote party via someone’s ssh service), password is your VNC password, NOT ssh password

You’ll be prompted for your

VNC password if you didn’t put it in already

18

SLIDE 19

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Ugly Desktop

See help.ubuntu.com/community/VNCOverSSH
basically, just put something in your .vnc/xstartup
wget http://www.lukestclair.com/tools/config/xstartup
put it in your .vnc file

in your home directory

19

SLIDE 20

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Where to get more help

Ubuntuforums.org - by far the best source
IRC - lots of noise to signal ratio - irc.freenode.org,

#ubuntu

wiki.ubuntu.org

20

SLIDE 21

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Certificate creation

Let’s make a certificate
Don’t try to remember this, just look it up
Make a CA:
openssl genrsa -des3 -out cakey.key 4096
openssl req -new -x509 -days 365 -key cakey.key -out cacert.crt
Create server key, request, sign
openssl rsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey

cakey.key -set_serial 01 server.crt

this avoids reissuing the same certificate

21

SLIDE 22

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Setting up Apache

sudo a2enmod ssl (enables the SSL module)
add to /etc/apache2/sites-available/default, right under

virtualhost:

SSLEngine on
SSLProtocol all
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
In /usr/share/doc/ directory, allow all
Order allow, deny
Allow all

22

SLIDE 23

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Firewalls

There are so many ways to do this

23

SLIDE 24

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

GUIs, or G-U-I’s

Let’s make a firewall, simple-style
You can do all of these things with iptables, and there

are many good tutorials

24

SLIDE 25

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Basic settings

Setup pokes some holes in the firewall
your ethernet device may be different - there should only be
ne to choose from anyway

25

SLIDE 26

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Policy

Play around with this. Firewall your website’s port 80,

to stop normal http connections (this is not really the best way to do this, but whatever)

Don’t forget

to “Apply” policy once you create it

Browse port

80 and check logs

26

SLIDE 27

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

IPsec

set up rules for when we want ipsec
first, add
#!/usr/sbin/setkey -f
flush; spdflush; to the top of the file - this gets rid of stuff

before

spdadd 130.203.32.21 130.203.32.20 any -P in ipsec esp/transport//

require;

packets from .21 to .20 incoming match this rule - require ipsec
spdadd 130.203.32.20 130.203.32.21 any -P out ipsec esp/

transport//require

packets from .20 to .21 outgoing match this rule
what does spdadd 130.203.32.20 130.203.32.21 any -P in ... do?

27

SLIDE 28

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Racoon

This is the program that listens for

connections

get racoon.conf from http://lukestclair.com/

tools/config/racoon

put it in /etc/racoon.conf
Let’s look through it...

28

SLIDE 29

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Racoon.conf

remote anonymous applies this to everything
alternative is to configure by ip addr, as in comments
proposal is what you propose - other side picks
here we only propose one

hash, one encryption, and we only auth by pre-shared key, not certs

dh_group defines

diffie-hellman group - don’t worry about this

29

SLIDE 30

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

SA in racoon.conf

Defines how long your connection is good for
Defines what encryption you support
That’s it!

30

SLIDE 31

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

What did we miss?

31

SLIDE 32

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

psk

Fill in /etc/racoon/psk.txt
mine is l33th@x0R
Try to ping my machine (130.203.83.20)
note the delay or failure
sudo setkey -F, sudo setkey -FP should show you

something, if you want to check errors or just see what’s happening

if this doesn’t work /etc/init.d/racoon stop, sudo

racoon -f /etc/racoon/racoon.conf, and we can see what happens

32