Linux Security Guide

looking for the missing data in partition

2008-12-07T03:12:00.000-08:00

# grep -a -B10 -A100 -i fibonacci /dev/hda2 > fabonacci.out
note:
a. searching string fibonacci in partition /dev/hda2, it was in a deleted file.
b. you need a few Mbytes free on the partition while running this command

-a treat device as a series of ASCII characters
-BN before N line
-AN after N line
-i not case-sensitive

use Sleuth kit to recover deleted files

2008-12-07T03:10:00.000-08:00

1. install Sleuth , just make will do
2. making sure /usr/local/sleuthkit/bin is in your path before running the following command
3. dd if=/dev/disk-or-partition bs=1024 of=nameofimagefile conv=noerror

Sleuth is great for recoving text files

a. use TSK's dls command to extract all of the unallocated space froom the disk image into a single file, which expedites the process of searching for the file that you've deleted.

# dls hd5_image_etc_files_deleted.img > dls_output.dls

b. use standard strings command to search for all text strings in the output file
# strings -t d dls_output.dls > dls_output.dls.str

c. use grep to search for a string that identifies the file you're looking for
grep ":0:0" dls_output.dls.str
131698688 root:x:0:0
.....

d. divide the above number by block size of file system (4096 for ext2/ext3 file system)
echo "131698688/4096" | bc
32153

e. dcalc -u 32153 hd5_image_etc_filess_deleted.img

f. dcat hd5_image_etc_files_deleted.img [> filename]
root:x:0.0...
bin:x:1:1
.....

....

g. another tools is Foremost (http://foremost.sf.net)

use Nikto for Web server security test

2008-10-29T00:00:00.000-07:00

http://www.cirt.net/nikto2

scp stalled through firewall, ssh no problem

2008-05-27T06:50:00.000-07:00

someone says:

I have seen similar effects by several reasons:
- disallow icmp and mtu mismatch between networks (e.g. different
networks with then ethernet).
- Split routes
- firewall timeouts
- auto negotiation
========
Stalled "scp" session

Symptom: When "scp" huge files (> 4GB) between hosts, it stalls forever at random instants. It even happens with ftp/rsync. Two reasons may attribute to this problem:
1. Since scp greedyly grabs as much bandwidth of the network as possible when it transfers files, any delay caused by the network switch or the SuSE firewall can easily make the TCP connection stalled.
For this reason, the solution is to limit the bandwidth quota for scp as below:

username@localhost> scp -l 2000 SOURCE DESTINATION # The option "-l 2000" limits the bandwidth up to 2000 Kbit/s which is safe and fast enough.

2. It is due to the Linux SACK implementation problem for
both 2.4 and 2.6 when the TCP window is > 20 MB. Linux
takes such long time to locate the SACKed packet that
a TCP timeout is easily reached and CWND goes back to
the first packet when there are too many packets in flight
and a SACK event is invoked.
Please refer to the following links for information about
SACK:
http://www.ietf.org/rfc/rfc2018.txt
http://www.ietf.org/rfc/rfc1072.txt
It might be working to restrict the TCP buffer size to about 12 MB. However,
the total throughput is limited. The better solution may be:

username@localhost> su # Enter the root password
append "net.ipv4.tcp_sack=0" to /etc/sysctl.conf
username@localhost> sysctl -p

username@localhost> su # Enter the root password
username@localhost> cat 0 > /proc/sys/net/ipv4/tcp_sack

username@localhost> su # Enter the root password
username@localhost> sysctl -w net.ipv4.tcp_sack=0

With this configuration, the SSH transfer of huge-sized file will stall occasionally with every short period of less than 1 second and then recover automatically. That means the simple cumulative acknowledgement scheme of TCP is robust enough.
FYI: There are many other suggestions through the internet as listed below (unfortunately, non of them worked on my machine):
1. Eliminating all the DROP rules for port 22 inside the iptables.
2. Turning off SuSEfirewall2.
3. Limiting the bandwidth by:

username@localhost> scp -l 2000

4. Changing the MTU of NIC by:

username@localhost> ifconfig eth0 mtu xxx

5. Increasing the queue for transmission by

username@localhost> ifconfig eth0 txqueuelen 2000

6. Tuning TCP performance by

net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.core.netdev_max_backlog=2500
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_timestamps=0

7. Turning off the buggy TCP segmentation offload by

username@localhost> ethtool -K eth0 tso off

8. Compressing the files being transfered by

username@localhost> scp -C

9. Using pipe and std io to avoid possible "scp" huge file
limitation by

username@localhost> cat localfile | ssh ravana cat ">" remotefile

username@localhost> tar cf - . | ssh ravana tar xvpf -

10. Clamping MSS by

username@localhost> iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"

====for my company, I used the following over 2M lease line link

scp -l 1500 VMware-server-1.0.5-80187.i386.rpm 1.2.3.4:/tmp

setup tcptraceroute under CentOS 5

2008-05-06T19:56:00.000-07:00

download tcptraceroute from http://michael.toren.net/code/tcptraceroute/
install libpcap package on CentOS 5 using yum

#yum install libpcap*
including libpcap-devel package so that libpcap.h can be used for 'make'

install libnet package

# yum install libnet (without *)

run 'ldconfig -v' before compiling tcproute

compile tcproute

# ./configure;make;make install

done

setup sudosh and swatch on Linux server

2008-04-10T00:29:00.000-07:00

purpose:

assuming root password is locked in safebox, normal user like 'jephe' can only use 'sudo sudosh' to become root, after that, everything will be recorded and can be replayed later.

install sudosh

download it from DAG website(search google for 'DAG sudosh') for using 'yum install sudosh' from CentOS 5 or run 'yum install sudosh' from RHEL 5 after registering with RHN using command 'rhnreg_ks --proxy=http://x.y.z.k:port --username=user1 --password=pass1

put the folllowing to /etc/sudoers

jephe ALL=/usr/bin/sudosh

initialize sudo folder by running 'sudosh -i', the permission should be like this:

[root@jephe ~]# ls -ld /var/log/sudosh
drwx-wx-wx 2 root root 4096 Apr 10 15:37 /var/log/sudosh

install swatch to realtime scan /var/log/secure to monitor 'su, sudo and console root login'

1. installing swatch rpm using the same method as sudosh
2. put the following to /etc/swatch.conf
[root@jephe ~]# more /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- server sudo alert! ---

watchfor /su:.*/
mail root,subject=--- server su alert! ---

watchfor /login: ROOT LOGIN.*/
mail root,subject=--- server console login alert! ---
3. set root alias in /etc/alias, then run 'newaliases', for those environment that doesn't have DNS server, using /etc/mail/service.switch
[root@jephe ~]# cd /etc/mail
[root@jephe mail]# more service.switch
hosts files
4. put the following to /etc/rc.local
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
5. put the following to /etc/logrotate.d/syslog
[root@jephe logrotate.d]# more syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true

##added by Jephe####
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 5
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
###end#####
endscript
}
6. put the following to /usr/local/sbin/restartsw (for restarting swatch)
[root@db7 logrotate.d]# more /usr/local/sbin/restartsw
#!/bin/sh
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 2
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon

configuring sendmail.mc to masquerade in non-dns environment

[root@db7 mail]# diff sendmail.mc.orig sendmail.mc
39a40
> define(`SMART_HOST',`mailrelay')dnl
103c104
<> dnl EXPOSED_USER(`root')dnl
160c161
<> MASQUERADE_AS(`newdomain.com')dnl
164c165
<> FEATURE(masquerade_envelope)dnl
168c169
<> FEATURE(masquerade_entire_domain)dnl
170,172c171,173
<> MASQUERADE_DOMAIN(localhost)dnl
> MASQUERADE_DOMAIN(localhost.localdomain)dnl
> MASQUERADE_DOMAIN(domain.com)dnl

note: assuming server hostname is jephe.domain.com, so swatch will send out email using root@jephe.domain.com normally, which is not-exist domain, but newdomain.com is valid, so we masquerade it to root@newdomain.com.

setup osiris for Windows

2008-04-10T00:12:00.000-07:00

purpose: for recording down system user/group changes and Windows directory and any other directories changes.
how it works: osiris on Windows is agent, the management tool and daemon are residing on Linux server. You need to configure it on Linux sever after installing software on Windows. Then it will generate a base database for comparing every 24 hours by default, then send out email alert for any changes
install it on Windows

if you are installing it through terminal service, it will install to wrong place.
Solution:
1. after installing , copy c:\document and settings\sysmgr\windows\osiris directory to c:\win2k03
2. copy c:\documents and setting\sysmgr\windows\osiris to c:\win2k03\system32
3. startup osiris service again

note: if you encounter error saying "error writing to file osimessage.dll", u can rename c:\windows\system32\osimessage.dll first

osiris on Linux

1. ./configure;make;make install
2. enable tcp port 2265 and 2266 for iptables host firewall
3. enable in-between firewall ports too for above 2 ports
4. on server, configure management console
# osiris
# login as username and password
# add-host
all the way to default, except for email alert part choose (y,y,n,y)

copy configuration file to the windows server name to be monitored
start-scan servername
list-db servername

setup Snare for Windows for centralized system log

2008-04-09T22:52:00.000-07:00

download snare for Windows
after install, access it using http://localhost:6161
go to 'network configuration' to give the remote Linux syslog-ng server ip at 'Destination Snare Server address', also give 'Destination Port which is 514 for syslog-ng'
go to 'remote control' to setup password
access it next time using username and password pair 'snare/password you gave'

setup Snort on CentOS 5

2008-03-06T19:34:00.000-08:00

follow the documentation on www.internetsecurityguru.com
certain things to take note as follow:

selinux

vi /etc/selinux/config, change to disabled, then reboot

yum -y update, and you might want to add 'export http_proxy=http://10.0.0.252:8080' to /etc/profile
oinkmaster

login to snort website as registered user, go to rules-download rules, from there you will know how to get the oinkmaster code for automatic download rules for registered user.

after setting up oinkmaster cronjob script, you might want to add root cronjob to restart snort itself also, in case the new rules are downloaded by oinkmaster, then it can be used snort

cronjob -l -u snort
30 5 * * * export http_proxy=http://1.2.3.4:8080; /usr/bin/oinkmaster.pl -C /etc/pinkmaster.conf -C /etc/autodisable.conf -b /etc/snort/backup > /tmp/snort.cron 2>&1 ;sync;sync;sync;sleep 15; (echo:snort@domain.com";echo "Subject: snort rules daily update";echo "";cat /tmp/snort.cron) | /usr/sbin/sendmail -f snort@domain.com jephe@domain.com

pear config-show

use pear config-set to set http_proxy as 1.2.3.4:8080 then run 'pear install xxxxx'

perl -MCPAN -e shell

install Net::RawIP or force install Net::RawIP

barnyard

download it from www.snort.org
./configure --enable-mysql;make;make install
use the following configuration for /etc/snort/barnyard.conf
config localtime
config hostname: localhost
config interface: eth1
output alert_fast
output log_dump
output log_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full

you only need to modify bylog.waldo once, after that, barnyard will update it automatically.

here is the init script for barnyard:
--------------------
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops Barnyard
#
# config: /etc/snort/barnyard.conf
# processname: barnyard

# Source function library
. /etc/rc.d/init.d/functions

# program name
BASE=barnyard

# program options
CONF="/etc/snort/barnyard.conf"
GEN_MAP="/etc/snort/gen-msg.map"
SID_MAP="/etc/snort/sid-msg.map"
LOG_DIR="/var/log/snort"
LOG_FILE="snort.log"
WALDO_FILE="/var/log/snort/bylog.waldo"
DAEMON="-D"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

RETVAL=0

# See how we were called.
case "$1" in
start)
if [ -n "`/sbin/pidof $BASE`" ]; then
echo -n $"$BASE: already running"
echo ""
exit $RETVAL
fi
echo -n "Starting Barnyard service: "
/usr/local/bin/$BASE -c $CONF -g $GEN_MAP -s $SID_MAP -d $LOG_DIR -f $LOG_FILE -w $WALDO_FILE $DAEMON
sleep 1
action "" /sbin/pidof $BASE
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/barnyard
;;
stop)
echo -n "Shutting down Barnyard service: "
killproc /usr/local/bin/$BASE
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/barnyard
;;
restart|reload)
$0 stop
$0 start
RETVAL=$?
;;
status)
status $BASE
RETVAL=$?
;;
*)
echo "Usage: snort {start|stop|restart|reload|status}"
exit 1
esac

exit $RETVAL
--------------------------

snort.conf

output alert_syslog: LOG_LOCAL1
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

change interface to eth1 in /etc/init.d/snort script

cronjob for snort:
50 5 * * * /sbin/service snort restart 2>&1 > /tmp/snortrestart.cron;sleep 5;(echo "From:sensor1@domain.com";echo "Subject:snort daily restart";echo "";cat /tmp/snortrestart.cron)| /usr/sbin/sendmail -f snort@domain.com jephe@domain.com

swatch

more /etc/swatch.conf:
watchfor /snort.*Priority.* -> .*/
mail jephe@domain.com:wu@domain.com,subject=--- Sensor1 Snort Alert! ---

syslog

add the following to /etc/logrotate.d/syslog
/var/log/snortalert {
daily
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 5
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/snortalert --daemon
endscript
}
grep snort /etc/syslog.conf
local1.* /var/log/snortalert

/etc/rc.local

/usr/bin/swatch -c /etc/swatch.conf -t /var/log/snortalert --daemon

sendmail

masqrade root@snort.domain.com to root@domain.com
a. change DS part to DS[1.2.3.5] which is smtp server
b. put the following to /etc/mail/sendmail.mc
masquerade_as('domain.com')
feature(masquerade_envelope)
feature(masquerade_entire_domain)
masquerade_domain(localhost)
masquerade_domain(localhost.domain)
then go to /etc/mail/sendmail.cf to commen out C{E} root

conclusion

use snort, oinkmaster update rules daily then require snort restart, swatch to watch /var/log/snortalert to send out email notification, but after syslog rotation, need to restart swatch. barnyard is doing mysql database recording for snort alert.

enable snmptrapd to work with selinux under Fedora Core 3

2008-01-11T01:53:00.001-08:00

Purpose: to make HP ILO to send out snmp trap to snmp trap server running snmptrapd, through which, to send out email using snmptraptoemail function.

enable snmptrapd to work with selinux first

download selinux-policy-targeted-sources-1.17.30-2.19.noarch.rpm then install it using rpm -ivh , after that, run the following commands

[root@mail policy]# pwd
/etc/selinux/targeted/src/policy
[root@mail policy]# dmesg |audit2allow
allow snmpd_t bin_t:dir { search };
allow snmpd_t device_t:sock_file { write };
allow snmpd_t snmpd_t:fifo_file { write };

then put the above lines to domains /etc/selinux/targeted/src/policy/domains/misc/local.te, after that, under policy folder, then 'make load'
finally, restart snmptrapd service before testing sending test snmp alert from ILO web interface.

2. how to setup snmptrap to email?
[root@mail snmp]# more /etc/snmp/snmptrapd.conf
traphandle default /usr/bin/perl /usr/bin/traptoemail -s localhost -f hpsnmptrap@yourdomain.com youremailaddress

You can put multiple lines for above snmptrapd.conf configuration

3. go to ILO - Administration - SNMP/ Insight Manager Setting to enable SNMP ILO Alert and put your snmp trap server IP address, send test alert out now.

set up webcam for home security under CentOS 4

2007-10-25T23:47:00.000-07:00

step:

1. yum install *sdl*
this will install DSL and devel-DSL and a lot of xorg-x11 rpm packages if you don't have X11 installed

2. modprobe video

3. install kernel devel rpm packages for compiling spca5xx

4. download spca5xx driver and spcaview package from docs.maxposs.com/docs/spca5xx
then do 'make; make install ' for them

5. modprobe spca5xx

6. ssh -X jephe.dyndns.org
xterm
spcaview (default device is /dev/video0)

7. install libjpeg-devel* using yum

8. download motion tar file from http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome
then compile it

9. cd /usr/local/share/doc/motion-3.2.8/examples
cp /usr/local/share/doc/motion-3.2.8/examples/motion.init-RH to /etc/init.d/motion
chkconfig motion on

cd /usr/local/etc/
cp /usr/local/etc/motion-dist.conf to /usr/local/etc/motion.conf
vi /usr/local/etc/motion.conf to change
webcam_quality 300
webcam_localhost off
control_localhost off

10. service motion restart

11. point your firefox to http://192.168.100.150:8081/

afick and chkrootkit

2007-10-23T18:58:00.000-07:00

1. define alias in configuration file which is linux.conf
2. running fick
#afick -c linux.conf -i
#afick -c linux.conf -k
#crontab -e
#afick -c linux.conf -u

0 1 * * * rot /path/to/afick.cron

3. http://www.chkrootkit.org/

lockdown an account

2007-09-17T17:09:00.000-07:00

# passwd -l webserv
# usermod -s /bin/false webserv

# grep webserv /etc/shadow
# grep webserv /etc/passwd
# login webserv

enable syn_cookies

2007-09-17T17:06:00.000-07:00

# echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# echo "net.ipv4.tcp_max_syn_backlog = 1" >> /etc/sysctl.conf
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo "net.ipv4.tcp_syncookies =1 " >> /etc/sysctl.conf

useful security tools

2007-09-12T21:25:00.000-07:00

http://www.net-square.com/httprint/ - web server fingherprint tool
logwatch - log file analysis daily
swatch - simple logfile watcher
portsentry
http://osiris.shmoo.com/ - host intergrity tool
ssldump
www.securityfocus.com

Forensic Analysis

Penguin Sleuth Kit(www.linux-forensics.com)
F.I.R.E (Forensic and Incident Response Environment) http://fire.dmzs.com
BSD fans, use Snarl Bootal Forensics CD http://snarl.eecue.com/

Permanently delete files or hard disk

shred -n 3 -vz filename (-u)

note: random data for 3 pass ( -n 3), be verbose (-v) and write a final pass of zeros over the file after completing the random overwrite passes (z),
if you don't specify -n 3, it will overwrite 25 times by default.
In most cases, when you shredding a file, you would also use -u option to tell shred to truncate the delete the file after overwriting it.

shred -n 3 -vz /dev/hda
Darik's Boot and Nuke http://dban.sf.net

How to setup Nessus 3 under CentOS 5

2007-09-10T01:46:00.000-07:00

download Nessus server and command line tool 'nessus', it should be binary rpm package. After you registered, it will provide a link to download.
For running a GUI client, you need to download NessusClient (a GUI client for Linux/Windows Nessusd), it's rpm package too
Automatic plug-in update

run the following command to check whether you registered or not

# /opt/nessus/bin/nessus-fetch --check
You should obtain the following output:
nessus-fetch is properly configured to receive a direct feed or
nessus-fetch is properly configured to receive a registered feed

2. after registeration, you should receive activation code for the Nessus plugin feed through email, follow the instruction in email to activate your installation, you can register online or offline

3. use the following command to auto update plugin
/opt/nessus/sbin/nessus-update-plugins -v
4. make sure option 'auto_update' is set to yes in /opt/nessus/etc/nessus/nessusd.conf (this is the default)

generate SSL certification

# cd /opt/nessus/sbin
# ./nessus-mkcert
answer questions to generate SSL keys
# ./nessus-adduser

start up NessesClient

# cd /opt/nessus/bin
# ./NessusClient
note: edit server to specify the username and password you typed in above 'nessus-adduser' command.

command line mode

# cd /opt/nessus/bin
# ./nessus -q -T html localhost 1241 nessus nessus /tmp/target /tmp/result.html

Snort related OSS tools

2007-09-06T01:57:00.000-07:00

snort - IDS
snort inline (google search it - IPS)
snortsam (IPS works with PF)
snortalog (command line log generator)
nessus (Linux and Windows, beat commercial ones)
nikto - web server scanner
acid/base (base is better)
aanval (commercial one, but has one sensor free version)
www.intertnetsecurityguru.com
apache/php/pcre/mysql/adodb
olinkmaster - autoupdate snort rules
loghog (google search)
swatch (google search)