3 Amazing facts about SElinux.

What is SELinux?

SELinux, Security-Enhanced linux , is an additional method to protect your system.Presuming we want to allow remote anonymous access to a web server,we must open the ports through firewall. However,that means that malicious people can try to crack into the system through a security exploit and, if they compromise the web server process, gain its permissions: the permissions to the apache user and the apache group. That user/group has read access to things like the document root (/var/www/html),as well as write access to /tmp,/var/tmp and any other files/directories that are world writable.

SELinux is a a set of security rules that determine which process can access which files, directories, ports, etc. Every file, process, directory and ports has a special security label called Selinux contexts. 

A context is simply a name that is used by the SELinux policy to determine whether or not a process can access a file, directory or post.

SELinux labels have several contexts, but we will discuss only one context with web server: The type context. Type context names usually end with_t.The type context for the web server is httpd_t. The type context for files and directories normally found in /var/www/html is httpd_sys_content_t. The type contexts for files and directories normally found in /tmp and /var/tmp is tmp_t.The t type context for web server ports is http_port_t.

There is a rule in the policy that permits Apache (the web server process running as httpd_t) to access files and directories with a context normally found in /var/www/html and other web server directories (httpd_sys_content_t). There is no allow rule in the policy for files normally found in /tmp and /var/tmp, so access is not permitted. With SELinux enabled a malicious user could not access the /tmp directory, let alone write files to it. SELinux even has rules for remote filesystems such as NFS and CIFS, although all files on these filesystems are labeled with the same context.

SELinux MODES

• Enforcing Mode
• Premissive Mode
• Disabled

Enforcing Mode:In enforcing mode, SELinux actively access to the web server attempting to read files with tmp_t type context. In enforcing mode , SELinux both logs and protects.

Permissive Mode:Permissive mode is often used to troubleshoot issues. In permissive mode, SELinux allows all interactions, even if there is an explicit rule mentioned and it logs all of the denied interactions. This mode can be used to determine if you are having an SELinux issue. NO reboot is required to go from enforcing to permissive or back again.

Disabled:A third mode,disabled, completely disables SELinux. You must reboot to disable SELinux entirely, or to get from disabled mode to enforcing or permissive.

Enable And Disable SELinux Mode

There are two ways of Enable and Disable SElinux on linux:

1. Make the changes in /etc/sysconfig/selinux file.

# This file controls the state for selinux on the system.

# selinux= can take one of these three values: 

# enforcing – SELinux security policy is enforced.

# permissive – SELinux prints warnings instead of enforcing.

# disabled – No SELinux policy is loaded. 

SELINUX=enforcing 

# SELINUXTYPE= can take one of these two values: 

# targeted – Targeted processes are protected, 

# mls – Multi Level Security protection. 

SELINUXTYPE=targeted

use /etc/sysconfig/selinux to change the default SELinux mode at boot time. In the example above, it is set to enforcing mode.

2. Changed the Mode at command line.

To make the SELinux mode change without restart you can use the two commands:-

• getenforce

• setenforce

To check the current status of SELinux on the system use getenforce 

[root@serverx ~]# getenforce 

Enforcing

It show's the current SELinux Status is Enforcing.

To change the current Status of SELinux on the system use Setenforce

[root@serverx ~]# setenforce

 usage: setenforce [enforcing | permissive | 1 | 0 ]

You can choose either enforcing or permissive mode but you can't disable it with setenforce.

 [root@serverx ~]# setenforce 0 

 [root@serverx ~]# getenforce 

 Permissive 

SElinux Status changed to Premissive

 [root@serverx ~]# setenforce 1 

 [root@serverx ~]# getenforce 

 Enforcing 

SElinux Status changed to Enforcing

[root@serverx ~]# setenforce permissive 

[root@serverx ~]# getenforce 

permissive 

SElinux Status changed to Premissive

[root@serverx ~]# setenforce enforcing

 [root@serverx ~]# getenforce 

Enforcing

SElinux Status changed to Enforcing

Above Example shows you the different usage of setenforce command to change the modes of SELinux.

By: Unknown On 10:39 PM

Continue Reading

Snort : Network Intrusion Detection System

snort really isn't hard to use,this article aims to make using snort easier for new users

snort can be configured to run in three modes:

• sniffer mode: which simply reads packets off the network

• packet logger mode: which logs the packets to disk 

• Network Intrusion Dectection system mode: The most complex and most configurable.

 This article will focus more on the installation and configuration of snort,if you are looking for detail description of snort,I would request you to please go thru the documentation.

Prerequisites 

•  Libpcap-1.2.1-dev 
•  daq-0.6.2
•  libdnet-1.12
•  libpcap-1.2.1
•  bison
•  flex 
•  PCRE 
•  libc6-dev
•  g++ 
•  gcc

 The first thing I like to do is grab all the dependant packages once your are done with the installation of all the dependencies we are ready for the next step.It's time to download tar package of snort and untar the packages.I would like to have all the tar packages at a single place,So I'm going to use edge's structure here:

  # cd /opt

  # mkdir snortpackage

  # cd /opt/snortpackage

Let's get snort. The latest version of snort at the time of writing is 2.9.2.1

Open a web browser and navigate to http://www.snort.org/; download the most recent release in /opt/snortpackages.It's time to untar the Snort package

 #tar -xzvf /opt/snortpackage/snort-2.9.2.1.tar.gz

 It's time to get snort rules.Change directories into the new snort-2.9.2.1 folder

# cd /opt/snortpackages/snort-2.9.2.1

Open a web browser and navigate to http://www.snort.org/snort-rules/#registered

Scroll down to the "Sourcefire VRT Certified Rules - The Official Snort Rule set (registered user release)" section and download the snort rules.

 Untar the Snort Rules

 # tar -xzvf /opt/snortpackages/snortrules-snapshot-2911.tar.gz

Now it's time start the installation of snort

# cd  /opt/snortpackages/snort-2.9.2.1

Here we will do the make/install

# ./configure -enable-dynamicplugin --with-mysql
# make
# make install

after the above commands are executed successfully.We need to create some folders in /etc for snort to function correctly and copy some files over to them

 # mkdir /etc/snort /etc/snort/rules /var/log/snort

 Let's move some files.

# cd /opt/snortpackages/snort-2.9.2.1/rules
# cp * /etc/snort/rules/

Let's get the /etc snort files also.

# cd /opt/snortpackages/snort-2.9.2.1/etc
# cp * /etc/snort/

We are done with the installation of snort and now we need to tweak some options to configure snort according to your requirement.

 We need to modify the snort.conf file to suite our needs.
Open /etc/snort/snort.conf with your favorite text editor.

# vim /etc/snort/snort.conf

Change "var HOME_NET any" to "var HOME_NET 192.168.1.0/24" (your home network may differ from 192.168.1.0)

Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external)

Change "var RULE_PATE ../rules" to "var RULE_PATH /etc/snort/rules"

Once you are done with changes in the config,you can test those changes with following command:
# snort -c /etc/snort/snort.conf

We are done. Congrats!!!

To start Snort in the terminal type:

 # snort -c /etc/snort/snort.conf -A fast -D

This starts snort  in a daemon mode.

To make sure it is running you can check with the following command:

# ps aux | grep snort

If it's running you will see an entry similar to snort -c /etc/snort/snort.conf -A fast -D

By: Unknown On 2:17 PM

Continue Reading

Enhance Security with Port Knocking

In the field of IT systems security, concept of” port knocking” is relatively new. However with the passage of time, it is getting popular day by day among system and security administrators.

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port (s).
The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan. Until the correct knock sequence is used, the protected ports will appear closed– so attackers won’t be able to conduct an attack on those ports.

More specifically, Port knocking works on the concept that users wishing to attach to a network service must initiate a predetermined sequence of port connections or send a unique string of bytes before the remote client can connect to the eventual service.
For example, suppose that a remote client wants to connect to an FTP server. The administrator configures the port-knocking requirements ahead of time, requiring that connecting remote clients first connect to ports 2000, 4000, and 7107 before connecting to the final destination port, 21 on FTP server.
The administrator tells all legitimate clients about the correct” combination” of knocks to port knocking daemon running on FTP server and hence when they want to connect to FTP service, they simply send these knocks to the server and then start using FTP service.
The question arises, what is the basic advantage of the additional step of sending knocks and then connecting to FTP service? The answer is simple: The FTP service is not always running on the server, it will be started only when the correct port knocks are sent to server, and it will shut down once it receives another predefined sequence of port knocks.
The potential backdoor to business-critical services is only to be opened for a short time, when it’s required. Once the service is no longer needed, it is closed again, mitigating the vulnerability to attack.
One of the primary advantages to using port knocking is that it is platform, service, and application agnostic. Any operating system with the correct client and server software can take advantage of port knocking. If you need help finding a tool, you can find a list of port knocking implementations here. The site lists clients and daemons for pretty much any platform you’d care to use.
I selected knockd, which is considered to be one of the most famous and robust implementation of port knocking mechanism for Linux and UNIX. In this article, I will cover setting up port knocking on a Red Hat Enterprise Linux (RHEL) server, using knockd, a popular open source port knocking tool. Most importantly, I will try to extend the idea of port knocking beyond simple firewall modifications to more complex system administration tasks.
Note that knockd is available for other systems as well, so if you’re using Debian, Ubuntu, Mac OS X, or even Windows, you should be able to follow along with most of the advice herein to secure your system with knockd.

Flaws with Port Knocking

Before we begin, I should note that port knocking has some detractors. Some IT security professionals say that a predefined and fixed sequence of knocks is, in and of itself, a security flaw. To overcome this, some port knocker daemons have been modified to generate a random sequence of knocks, which can be used by clients to issue requests.
It’s also important to remember that port knocking is just one component of a successful security strategy. You’ll need to deploy other security mechanisms so that if an attacker is successful in providing the correct sequence, they are still faced with authentication and other barricades before connecting to a service.

Port Knocking: A Basic Overview

To start, let’s take a look at the basic functionality of a port knock server. knockd is a daemon that runs on a server, passively listening to network traffic. You configure knockd with a sequence of ports, the length of time between connection attempts, the type of packet that will be sent, and the command to be run when the correct sequence is given.
Once knockd” sees” a port sequence it has been configured to recognize, it will run the command it’s been configured to run. Note that you can use TCP, UDP, or a combination of both. Usually the action will be an iptables command, but not always.
So, to implement port knocking, we start with the installation of knockd and run it in the background. (Or foreground, if you wish, but we will usually want to run it in the background.)

Securing A MySQL Database Remote Connections with Port Knocks

Now that we know what port knocking is, let’s put it to use. In this scenario, I have a business-critical MySQL-based application running on RHEL. On occasion, I need to allow remote connections from a DBA who is performing basic database maintenance activities.
However, for security reasons, we don’t want to allow remote database connections at all times or from every IP address. Because we wanted tighter control over remote connections, we decided to explore port knocking so that remote connections would be open for a limited time only and from a specific IP address.
Let’s start with the firewall rule, just in case you’re not already a firewall wizard. To append a rule to one of the” chains,” you’ll use the -A option. The -I parameter tells iptables to insert the rule into a specific position in the chain. This is important because you may want specific rules to be processed first. Make sure you give it a rule number.
Now, to secure MySQL connections to my database server (172.16.2.183), I blocked network traffic on server’s MySQL port (default 3306) coming from all addresses. For this purpose, I executed following command:

iptables -A INPUT -p tcp -s 0/0 -d 172.16.2.183 --dport 3306 -j REJECT

You don’t want to be reissuing the command every time you restart the machine, so you’ll want to save the rule permanently, using iptables-save.

Getting and configuring knockd

The next step is to install the knockd server on the system you want to use it on. You can get the RPM from the RHEL network.
After installing knockd it’s time to customize your configuration. The knockd config file is found at /etc/knockd.conf

[options]
  logfile=/var/log/knockd.log
[DB2clientopen]
        sequence    = 7050,8050,9050
        seq_timeout = 10
        tcpflags    = syn
        command     = /sbin/iptables -I INPUT 1 -p tcp -s 192.168.2.201 
       --sport 1024:65535 -d 172.16.2.183 --dport 3306 -m state 
 --state NEW,ESTABLISHED -j ACCEPT
[DB2clientclose]
        sequence    = 9050,8050,7000
        seq_timeout = 10
        tcpflags    = syn
        command     = /sbin/iptables -D INPUT 1

Let’s take a look at the format. The syntax is very simple, you give knockd option / value pairs, separated by =, and port numbers are separated by commas in the order you want the” knocks” to be received. Don’t forget to specify a logfile, you may need to review it later!
It should be obvious from the knockd.conf example that it has two types of actions that can be executed by the daemon, depending on the sequence it receives.
First, if it receives syn packets to port 7050, 8050, and 9050, knockd will insert the first iptables rule as rule number 1 in the INPUT chain. This will open the MySQL database port, so a remote connection can be made from 192.168.2.201– and only that IP address. It’s a good idea to specify the IP address whenever possible, so that if an attacker tries to connect while the port is open, they will still be denied.
On the other hand, if the server receives a knock sequence of 9050, 8050, and 7000, it will delete the rule so that all remote database connections will be closed down again.
I made sure that MySQL would know what address my DBA would be coming from, so I added my PC’s IP address to the server’s /etc/hosts file and created a test database called test1, and created a user called test1 as well with the appropriate grant privileges.
First, fire up the MySQL client with mysql-u root-p test1 and enter the following commands:

mysql> create user test;
mysql> grant all privileges on *.* to 'test@dbawin' 
identified by 'polanipass' with grant option;

Next, restart knockd as a daemon.

/usr/sbin/knockd -d

It should be noted that, by default, knockd will start listening on eth0. If you need it to run on a different interface, you can configure it to do so using the -i option. For instance, to start knockd as a daemon on wlan0 you’d use /usr/sbin/knockd-i wlan0. If you’re always going to run knockd on a different interface, you can add this to your knockd.conf:

[options]
 interface = wlan0

Knock, Knock, It’s Me!

Now, knockd isn’t very useful without a client, so let’s get a client to talk to knockd. I chose a Windows-based Cygwin client, but you can find a client for just about any client OS at the implementations page mentioned earlier.
To use the Windows client, you open a DOS prompt and run something similar to this command:

C:KNOCKKNOCKWINDOWS>knock.exe 172.16.2.183 9050 8050 7000

Of course, the IP address and ports will vary. Once the” knock” is issued, the knock daemon will execute the iptables command listed under the [DB2clientopen] section of knockd.conf and add the rule in INPUT chain to allow DB2 PC to connect to database running on server.
Now you can connect to your MySQL database with your favorite client and do whatever you need to do. Once you’re finished, it’s time to close the door.
If you send the close knock sequence, in this case a syn packet sent to ports 9050, 8050, and then 7000, the MySQL port will be closed and all connections will be terminated. If you try to reconnect to the server, your MySQL client will time out and you’ll eventually see an access error. This will be the case until you send the proper sequence to re-open the port.
So, now you see how you can use port knocking to increase security for remote MySQL connections. Of course, this is really database (and application) independent, so you can use port knocking to secure any database or application you want to connect to remotely.
If it’s too much hassle to open and close the connection each time you need to connect to the database, it might make more sense to set it up so that the port is open during specific hours. For example, if your database guru works 10 a.m. to 7 p.m., you could set up a script to open the port a bit before 10 a.m., and close the port a bit after 7 p.m.
This is not quite as secure, but it does mean that the port won’t be open 24/7, so it may block some automated and casual (i.e., not targeted) attacks. Also, if the port knocking is coupled with only allowing connections from specific IP addresses or IP address ranges, then you have an additional layer of security.
Performing Other System Administration Tasks with Knocks
But wait, that’s not all! Port knocking can be used to do more than set iptables rules. After configuring knockd to play doorkeeper, I decided to explore the feature and see if I could use it to make my life easier in other ways.
I decided I wanted to be able to restart my system remotely, just by” knocking” in the right sequence. I also configured knockd to kick off my backups to tape, so I don’t even need to log in to start the backup– just send a quick series of packets, and my data is safe another day.
Here’s my /etc/knockd.conf:

[options]
  logfile=/var/log/knockd.log
[systemreboot]
        sequence    = 7050,8050,9050
        seq_timeout = 10
        tcpflags    = syn
        command     = /usr/bin/reboot
[systembackup]
        sequence    = 9050,8050,7000
        seq_timeout = 10
        tcpflags    = syn
        command     =  /usr/bin/tar -cf  /dev/rmt0 /home/root/

You can take this a lot farther, and set it up so that other admins (say, the junior admin who’s reliable but still a bit green) can perform complex actions just by using a knock client, or even just by running a shell script that sends the packets.

Summary

Port knocking is a very useful tool for systems security. It is because of its usefulness and robustness that the number of implementations, and users, are growing rapidly. If you can open a door into a closed black box for to perform some system administration tasks, even without requiring a login to the system, it can be very ideal for many environments.
Finally, it is always a good idea to further secure your systems by changing the knock sequences frequently, or by using random seed generators to create random port knocks.

By: Unknown On 5:54 AM

Continue Reading

Five Steps to Secure Your Linux System

There’s no excuse to run insecure systems on your network. Your data’s integrity (and your job) depend on your ability to keep those systems running correctly and securely for your co-workers and customers. Shown here are five simple ways to make your systems less vulnerable to compromise.

• Account Locking

Account locking for multiple failed tries puts extra burden on the system administrators but it also puts some responsibility on the user to remember his passwords. Additionally, locking allows the administrator to track the accounts that have potential hack attempts against them and to notify those users to use very strong passwords.
Typically, a system will drop your connection after three unsuccessful attempts to login but you may reconnect and try again. By allowing an infinite number of failed attempts, you’re compromising your system’s security. Smart system administrators can take the following measure to stop this threat: Account lockout after a set number of attempts. My preference is to set that limit to three.
Add the following lines to your system’s /etc/pam.d/system-auth file.

auth    required   /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required   /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset

Your distribution might not include the system-auth file but instead uses the /etc/pam.d/login file for these entries.

• Cron Restriction

On multiuser systems, you should restrict cron and at to root only. If other users must have access to scheduling, add them individually to the /etc/cron.allow and /etc/at.allow files. If you choose to create these files and add user accounts into them, you also need to create /etc/cron.deny and /etc/at.deny files. You can leave them empty but they need to exist. Don’t create an empty /etc/cron.deny unless you add entries to the /etc/cron.allow because doing so allows global access to cron. Same goes for at.
To use the allow files, create them in the /etc directory and add one user per line to the file. The root user should have an entry in both allow files. Doing this restricts cron to the root user only.
As the system administrator, you can allow or deny cron and at usage based upon the user’s knowledge and responsibility levels.

• Deny, Deny, Deny

“Deny everything” sounds eerily Presidential doesn’t it? But for system security and certain political indiscretions, it’s the right answer. System security experts recommend denying all services for all hosts using an all encompassing deny rule in the /etc/hosts.deny file. The following simple entry (ALL: ALL) gives you the security blanket you need.

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

ALL: ALL

Edit the /etc/hosts.allow file and insert your network addresses (192.168.1., for example) where you and your users connect from before you logout or you’ll have to login via the console to correct the problem. Insert entries similar to the following to allow access for an entire network, single host or domain. You can add as many exceptions as you need. The /etc/hosts.allow file takes precedence over the /etc/hosts.deny to process your exceptions.

• Deny SSH by Root

Removing the root user’s ability to SSH provides indirect system security. Logging in as root to a system removes your ability to see who ran privileged commands on your systems. All users should SSH to a system using their standard user accounts and then issue su or sudo commands for proper tracking via system logs.
Open the /etc/ssh/sshd_config file with your favorite editor and change PermitRootLogin yes to PermitRootLogin no and restart the ssh service to accept the change.

• Change the Default Port

While changing the default SSH port (22) will have limited effectiveness in a full port sweep, it will thwart those who focus on specific or traditional service ports. Some sources suggest changing the default port to a number greater than 1024, for example: 2022, 9922 or something more random, such as 2345. If you’re going to use this method as one of your strategies, I suggest that you use a port that doesn’t include the number 22.
Edit your /etc/ssh/sshd_config and change the “Port” parameter to your preferred port number. Uncomment the Port line too. Restart the sshd service when you’re finished and inform your users of the change. Update any applicable firewall rules to reflect the change too.
System security is important and is a constant battle. You have to maintain patch levels, updates and constantly plug newly discovered security holes in system services. As long as there are black hat wearing malcontents lurking the Net looking for victims, you’ll have a job keeping those wannabe perpetrators at bay.

By: Unknown On 10:16 AM

Continue Reading