Network security is becoming more and more important as people spend more and
more time connected. Compromising network security is often much easier than
compromising physical or local security, and is much more common.
There are a number of good tools to assist with network security, and more and more
of them are shipping with Linux distributions.
Packet Sniffers
One of the most common ways intruders gain access to more systems on your network
is by employing a packet sniffer on an already compromised host. This "sniffer"
just listens on the Ethernet port for things like passwd, login and su in the
packet stream and then logs the traffic that follows. This way, attackers gain passwords
for systems they are not even attempting to break into. Clear-text passwords are very
vulnerable to this attack.
Example: Host A has been compromised. The attacker installs a sniffer. The sniffer picks up
the admin logging into Host B from Host C. It gets the admin's personal password as
they log in to B. Then, the admin does a su to fix a problem. The attacker now has the root
password for Host B. Later the admin lets someone telnet from his account to Host
Z on another site. Now the attacker has a password/login on Host Z.
In this day and age, the attacker doesn't even need to compromise a system to do
this: they could also bring a laptop or PC into a building and tap into your network.
Using ssh or other encrypted password methods thwarts this attack. Things like
APOP for POP accounts also prevent this attack. (Normal POP logins are very vulnerable
to this, as is anything that sends clear-text passwords over the network.)
System services and tcp_wrappers
Before you put your Linux system on ANY network the first thing to look at is what
services you need to offer. Services that you do not need to offer should be disabled
so that you have one less thing to worry about and attackers have one less place to
look for a hole.
There are a number of ways to disable services under Linux. You can look at your
/etc/inetd.conf file and see what services are being offered by your inetd. Disable
any that you do not need by commenting them out (# at the beginning of the line),
and then sending your inetd process a SIGHUP.
You can also remove (or comment out) services in your /etc/services file. This
will mean that local clients will also be unable to find the service (i.e., if you
remove ftp, and try to ftp to a remote site from that machine, it will fail with an "unknown
service" message). It's usually not worth the trouble to remove services from
/etc/services, since it provides no additional security. If a local person wanted to
use ftp even though you had commented it out, they could make their own client
that used the common FTP port, and it would still work fine.
Some of the services you might want to leave enabled are:
• ftp
• telnet (or ssh)
• mail, such as pop-3 or imap
• identd
If you know you are not going to use some particular package, you can also delete
it entirely. rpm -e packagename under the Red Hat distribution will erase an entire
package. Under Debian dpkg --remove does the same thing.
Additionally, you really want to disable the rsh/rlogin/rcp utilities, including login
(used by rlogin), shell (used by rcp), and exec (used by rsh) from being started in
/etc/inetd.conf. These protocols are extremely insecure and have been the cause
of exploits in the past.
You should check /etc/rc.d/rc[0-9].d (on Red Hat; /etc/rc[0-9].d on
Debian), and see if any of the servers started in those directories are not needed.
The files in those directories are actually symbolic links to files in the directory
/etc/rc.d/init.d (on Red Hat; /etc/init.d on Debian). Renaming the files in
the init.d directory disables all the symbolic links that point to that file. If you only
wish to disable a service for a particular run level, rename the appropriate symbolic
link by replacing the upper-case S with a lower-case s, like this:
root# cd /etc/rc6.d
root# mv S45dhcpd s45dhcpd
If you have BSD-style rc files, you will want to check /etc/rc* for programs you
don’t need.
Most Linux distributions ship with tcp_wrappers "wrapping" all your TCP services.
A tcp_wrapper (tcpd) is invoked from inetd instead of the real server. tcpd then
checks the host that is requesting the service, and either executes the real server, or
denies access from that host. tcpd allows you to restrict access to your TCP services.
You should make a /etc/hosts.allow and add in only those hosts that need to have
access to your machine’s services.
If you are a home dial-up user, we suggest you deny ALL. tcpd also logs failed attempts
to access services, so this can alert you if you are under attack. If you add new
services, you should be sure to configure them to use tcp_wrappers if they are TCP-based.
For example, a normal dial-up user can prevent outsiders from connecting to
his machine, yet still have the ability to retrieve mail, and make network connections
to the Internet. To do this, you might add the following to your /etc/hosts.allow:
ALL: 127.
And of course /etc/hosts.deny would contain:
ALL: ALL
which will prevent external connections to your machine, yet still allow you from the
inside to connect to servers on the Internet.
Keep in mind that tcp_wrappers only protects services executed from inetd, and a
select few others. There very well may be other services running on your machine.
You can use netstat -ta to find a list of all the services your machine is offering.
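Added example (not part of the original text): a small shell audit of the inetd.conf checks described above. It lists every service that is still enabled, flags the login, shell and exec entries, and shows which TCP services are not started through tcpd. The sample file contents and the function name audit_inetd are constructed for illustration.

```shell
#!/bin/sh
# Audit inetd.conf: which services are still enabled, and are they wrapped?
# inetd.conf fields: service socket-type protocol wait-flag user server args...

# Constructed sample data. On a real host run: audit_inetd < /etc/inetd.conf
SAMPLE='ftp     stream  tcp  nowait  root  /usr/sbin/tcpd       in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd       in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd       in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd       in.rlogind
exec    stream  tcp  nowait  root  /usr/sbin/in.rexecd  in.rexecd
pop-3   stream  tcp  nowait  root  /usr/sbin/ipop3d     ipop3d
time    dgram   udp  wait    root  internal'

# Reads an inetd.conf on stdin and prints one verdict per enabled service.
audit_inetd() {
    awk '
    /^[ \t]*#/ || NF < 6 { next }   # commented-out (disabled) or blank line
    {
        svc = $1; proto = $3; server = $6
        if (svc == "login" || svc == "shell" || svc == "exec")
            # rlogin, rcp and rsh entries: should be commented out
            print "DISABLE   " svc "  (rlogin/rcp/rsh service)"
        else if (proto ~ /^tcp/ && server !~ /\/tcpd$/)
            # TCP service whose server is run directly, bypassing tcpd
            print "UNWRAPPED " svc "  (" server " not started via tcpd)"
        else if (proto ~ /^tcp/)
            print "WRAPPED   " svc
        else
            print "NON-TCP   " svc "  (" proto ")"
    }'
}

printf '%s\n' "$SAMPLE" | audit_inetd
```

After commenting out the flagged entries, send inetd a SIGHUP as described above and re-run the audit to confirm they no longer appear.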
Network Security
Posted by Army | Saturday, March 20, 2010