LINUX-47 SECURITY & HARDENING (BASICS) - P2
LINUX (RHEL6 & RHEL7)
USER/LOGIN SECURITY
NETWORK SECURITY
FILE / OPERATING SYSTEM SECURITY
PHYSICAL SECURITY
LOG EVERYTHING
LOG FILE SECURITY
We already covered USER SECURITY; next is NETWORK SECURITY.
Once a system is connected to a network it is, in principle, reachable by the entire world. It should not be open to everyone: only trusted connections should be allowed, and only to the services we actually mean to offer.
1. Find which network services are running on the system
2. Finding unused ports
3. Finding open ports
4. Blocking ports via IPTABLES & FIREWALLD
5. Disable Telnet/FTP
6. Display a banner on SSH login
7. Disable IPv6 if not required
8. TCP wrappers
9. Disable source routing
10. Disable IP forwarding
11. Disable ICMP broadcast (echo) requests
12. Changing the SSH port
NETWORK SECURITY:
Let's start by finding the running network services with netstat, which lists active connections and sockets and tells us which ports on which interfaces are active.
1. Find which network services are running on the system
First things first, check which services are listening on our system:
[root@rhel6-server ~]# netstat -vat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:netbios-ssn         0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:37708               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:sunrpc              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:x11                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:ssh                 0.0.0.0:*                   LISTEN
tcp        0      0 localhost:ipp               0.0.0.0:*                   LISTEN
tcp        0      0 localhost:smtp              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:microsoft-ds        0.0.0.0:*                   LISTEN
tcp        0      0 localhost:smux              0.0.0.0:*                   LISTEN
tcp        0      0 192.168.13:microsoft-ds     192.168.135.1:swdtp         ESTABLISHED
tcp        0     64 www.test.com:ssh            192.168.135.1:9512          ESTABLISHED
tcp        0      0 www.test.c:microsoft-ds     192.168.135.1:10056         ESTABLISHED
tcp        0      0 192.168.135.133:ssh         192.168.135.1:9515          ESTABLISHED
tcp6       0      0 [::]:netbios-ssn            [::]:*                      LISTEN
tcp6       0      0 [::]:sunrpc                 [::]:*                      LISTEN
tcp6       0      0 [::]:http                   [::]:*                      LISTEN
tcp6       0      0 [::]:x11                    [::]:*                      LISTEN
tcp6       0      0 [::]:57300                  [::]:*                      LISTEN
tcp6       0      0 [::]:ssh                    [::]:*                      LISTEN
tcp6       0      0 localhost:ipp               [::]:*                      LISTEN
tcp6       0      0 localhost:smtp              [::]:*                      LISTEN
tcp6       0      0 [::]:microsoft-ds           [::]:*                      LISTEN
-v  verbose
-a  display all sockets
-t  TCP
The first field is the protocol (tcp, tcp6, udp, udp6), the fourth is the local address and port the socket is bound to (0.0.0.0 or [::] means every interface; localhost means loopback only), the fifth is the foreign address (anything other than 0.0.0.0:* means a remote peer is actively talking to it), and the last is the socket state.
Each line that says LISTEN is a service waiting for connections.
To know more about the ESTABLISHED connections, use lsof (here the whole listing is grepped for the remote port or service name):
[root@rhel7-server ~]# lsof |grep 10056
smbd    50456 root   35u  IPv4 1396307  0t0  TCP www.test.com:microsoft-ds->192.168.135.1:10056 (ESTABLISHED)
[root@rhel7-server ~]# lsof |grep 9512
sshd    49333 root    3u  IPv4 1348398  0t0  TCP www.test.com:ssh->192.168.135.1:9512 (ESTABLISHED)
[root@rhel7-server ~]# lsof |grep ipp
cupsd    2464 root   10u  IPv6   27644  0t0  TCP localhost:ipp (LISTEN)
cupsd    2464 root   11u  IPv4   27645  0t0  TCP localhost:ipp (LISTEN)
[root@rhel7-server ~]# lsof |grep swdtp
smbd    50529 root   35u  IPv4 1401150  0t0  TCP 192.168.135.133:microsoft-ds->192.168.135.1:swdtp (ESTABLISHED)
If anything here looks suspicious, we can close that connection and make the service unusable by stopping it; the PID column tells us which process to stop.
More commands to find active services and ports:
[root@rhel7-server ~]# netstat -np
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.135.133:445     192.168.135.1:10104     ESTABLISHED 50529/smbd
tcp        0     64 192.168.135.134:22      192.168.135.1:9512      ESTABLISHED 49333/sshd: root@pt
tcp        0      0 192.168.135.134:445     192.168.135.1:10056     ESTABLISHED 50456/smbd
tcp        0      0 192.168.135.133:22      192.168.135.1:9515      ESTABLISHED 49434/sshd: root@pt
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ]         DGRAM                    13861    1/systemd            /run/systemd/shutdownd
unix  5      [ ]         DGRAM                    1384     1/systemd            /run/systemd/journal/socket
unix  28     [ ]         DGRAM                    1386     1/systemd            /dev/log
unix  2      [ ]         DGRAM                    12400    1/systemd            @/org/freedesktop/systemd1/notify
unix  3      [ ]         STREAM     CONNECTED     22190    1243/gdm-simple-sla
unix  3      [ ]         STREAM     CONNECTED     27344    2386/master
unix  3      [ ]         STREAM     CONNECTED     17942    1039/bluetoothd
unix  3      [ ]         STREAM     CONNECTED     28017    2464/cupsd
unix  3      [ ]         STREAM     CONNECTED     24973    2009/upowerd
unix  3      [ ]         STREAM     CONNECTED     24410    1933/gnome-session
Which Linux networking program is running on, or opening, a TCP/IP network port:
[root@rhel7-server ~]# netstat -tulpan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2454/smbd
tcp        0      0 0.0.0.0:37708           0.0.0.0:*               LISTEN      2283/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2270/rpcbind
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1352/Xorg
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      48492/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2464/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2386/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2454/smbd
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN      32645/snmpd
tcp        0      0 192.168.135.133:445     192.168.135.1:10104     ESTABLISHED 50529/smbd
tcp        0     64 192.168.135.134:22      192.168.135.1:9512      ESTABLISHED 49333/sshd: root@pt
tcp        0      0 192.168.135.134:445     192.168.135.1:10056     ESTABLISHED 50456/smbd
tcp        0      0 192.168.135.133:22      192.168.135.1:9515      ESTABLISHED 49434/sshd: root@pt
tcp6       0      0 :::139                  :::*                    LISTEN      2454/smbd
tcp6       0      0 :::111                  :::*                    LISTEN      2270/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      50750/httpd
tcp6       0      0 :::6000                 :::*                    LISTEN      1352/Xorg
tcp6       0      0 :::57300                :::*                    LISTEN      2283/rpc.statd
tcp6       0      0 :::22                   :::*                    LISTEN      48492/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      2464/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2386/master
tcp6       0      0 :::445                  :::*                    LISTEN      2454/smbd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2270/rpcbind
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1084/chronyd
udp        0      0 192.168.135.255:137     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.135.133:137     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.135.255:137     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.135.134:137     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.199.255:137     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.199.131:137     0.0.0.0:*                           2436/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.135.255:138     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.135.133:138     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.135.255:138     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.135.134:138     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.199.255:138     0.0.0.0:*                           2436/nmbd
udp        0      0 192.168.199.131:138     0.0.0.0:*                           2436/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           2436/nmbd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           32645/snmpd
udp        0      0 0.0.0.0:177             0.0.0.0:*                           1213/gdm
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1046/avahi-daemon:
udp        0      0 127.0.0.1:323           0.0.0.0:*                           1084/chronyd
udp        0      0 0.0.0.0:54711           0.0.0.0:*                           2283/rpc.statd
udp        0      0 0.0.0.0:740             0.0.0.0:*                           2270/rpcbind
udp        0      0 127.0.0.1:766           0.0.0.0:*                           2283/rpc.statd
udp        0      0 0.0.0.0:47918           0.0.0.0:*                           1046/avahi-daemon:
udp6       0      0 :::111                  :::*                                2270/rpcbind
udp6       0      0 :::123                  :::*                                1084/chronyd
udp6       0      0 ::1:323                 :::*                                1084/chronyd
udp6       0      0 :::740                  :::*                                2270/rpcbind
udp6       0      0 :::58201                :::*                                2283/rpc.statd
-t  TCP
-u  UDP
-l  display listening server sockets
-p  display PID/Program name for sockets
-a  display all sockets
-n  numeric, don't resolve names
[root@rhel7-server ~]# netstat -tulpan | grep ':80'
tcp6       0      0 :::80                   :::*                    LISTEN      50750/httpd
[root@rhel7-server ~]# lsof -i:80
COMMAND   PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
httpd   50750   root    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd   50751 apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd   50752 apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd   50753 apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd   50754 apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd   50755 apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd   50765 apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
[root@rhel7-server ~]# lsof -i:161
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
snmpd   32645 root    6u  IPv4 782600      0t0  UDP *:snmp
[root@rhel7-server ~]# lsof -i:139
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
smbd    2454 root   32u  IPv6  27954      0t0  TCP *:netbios-ssn (LISTEN)
smbd    2454 root   34u  IPv4  27956      0t0  TCP *:netbios-ssn (LISTEN)
We need to read this output closely and decide what is required and what is not, then close the unwanted services. Read it from the network's point of view: anything bound to 0.0.0.0 or ::: is reachable through every interface, anything bound to 127.0.0.1 or ::1 only from the host itself.
Let's say, for example, that I consider Samba a threat to the system and don't want smbd to run.
[root@rhel7-server ~]# systemctl status smb |grep Active
   Active: active (running) since Sat 2018-08-18 18:06:41 IST; 1 months 12 days ago
[root@rhel7-server ~]# systemctl status nmb |grep Active
   Active: active (running) since Sat 2018-08-18 18:06:39 IST; 1 months 12 days ago
Now we need to stop them and also disable them, so they do not come back after a reboot:
[root@rhel7-server ~]# systemctl stop smb
[root@rhel7-server ~]# systemctl stop nmb
[root@rhel7-server ~]# systemctl disable smb
[root@rhel7-server ~]# systemctl disable nmb
[root@rhel7-server ~]# netstat -tulpan | grep ':139'
[root@rhel7-server ~]# lsof -i:139
Both checks now return nothing: the listener is gone. If the package is not needed at all, removing it altogether is the cleanest option, since a service that is not installed cannot be re-enabled by mistake.
TCP states for reference (as netstat prints them on Linux):
LISTEN       The socket is waiting for incoming connections; no remote host is attached yet.
SYN_SENT     We sent a SYN and are waiting for the peer's SYN-ACK (active open in progress).
SYN_RECV     A SYN was received and a SYN-ACK sent back; waiting for the client's final ACK (passive open in progress; many sockets stuck here suggest a SYN flood).
ESTABLISHED  The three-way handshake completed; data can flow in both directions.
FIN_WAIT1    We sent a FIN to close our side and are waiting for the peer to acknowledge it.
FIN_WAIT2    Our FIN was acknowledged; waiting for the peer's own FIN.
CLOSE_WAIT   The peer sent a FIN; the local application has not closed its end yet (a pile-up here is an application bug, not a network problem).
LAST_ACK     The peer's FIN was received and ours sent; waiting for its final ACK.
CLOSING      Both sides sent a FIN at the same time; waiting for the final ACK.
TIME_WAIT    The connection is closed; the socket lingers for a while so that delayed packets are not mistaken for a new connection.
CLOSED       No connection at all; the socket is not in use.
2. Finding unused ports
3. Finding open ports
These two go together: every port that is not open is unused.
Ports are 16-bit numbers, 0 to 65535 (port 0 is reserved), which IANA splits into three ranges:
0 - 1023: Well-Known (system) Ports; binding one needs root (or CAP_NET_BIND_SERVICE).
1024 - 49151: Registered Ports.
49152 - 65535: Dynamic (ephemeral, private) Ports, handed out to outgoing connections (Linux actually uses net.ipv4.ip_local_port_range for this, which starts at 32768 by default).
Well-known port names are defined in /etc/services, next to the service they belong to. It is only a lookup table, used by tools like netstat to print names instead of numbers: an entry there says nothing about whether the port is actually in use, and grepping it for a daemon name (smbd) turns up unrelated entries (smbdirect), because the file lists service names, not program names.
[root@rhel7-server ~]# cat /etc/services |tail -10
3gpp-cbsp       48049/tcp               # 3GPP Cell Broadcast Service Protocol
isnetserv       48128/tcp               # Image Systems Network Services
isnetserv       48128/udp               # Image Systems Network Services
blp5            48129/tcp               # Bloomberg locator
blp5            48129/udp               # Bloomberg locator
com-bardac-dw   48556/tcp               # com-bardac-dw
com-bardac-dw   48556/udp               # com-bardac-dw
iqobject        48619/tcp               # iqobject
iqobject        48619/udp               # iqobject
matahari        49000/tcp               # Matahari Broker
[root@rhel7-server ~]# cat /etc/services |grep rpcbind
sunrpc          111/tcp         portmapper rpcbind      # RPC 4.0 portmapper TCP
sunrpc          111/udp         portmapper rpcbind      # RPC 4.0 portmapper UDP
[root@rhel7-server ~]# cat /etc/services |grep smbd
smbdirect       5445/tcp                # Server Message Block over Remote Direct Memory Access
smbdirect       5445/sctp               # Server Message Block over Remote Direct Memory Access
[root@rhel7-server ~]# cat /etc/services |grep 139
netbios-ssn     139/tcp                 # NETBIOS session service
netbios-ssn     139/udp
[root@rhel7-server ~]# cat /etc/services |grep -i sockets
rndc            953/tcp                 # rndc control sockets (BIND 9)
rndc            953/udp                 # rndc control sockets (BIND 9)
ddm-ssl         448/tcp                 # DDM-Remote DB Access Using Secure Sockets
ddm-ssl         448/udp                 # DDM-Remote DB Access Using Secure Sockets
SOCKETS: a socket is the endpoint through which two processes, on the same machine or on different ones, talk to each other. A network socket is identified by protocol, local address and port, plus the remote address and port once it is connected.
Though we have done it already, let's check again. "netstat -lat" or "netstat -vat" gives the complete list of listening and established TCP sockets; adding the "u" flag ["netstat -laut" or "netstat -vaut"] includes UDP as well.
-l  display listening server sockets
-v  verbose
-a  display all sockets
-t  TCP
-u  UDP
A port that shows up in none of these states (listening or established) has no socket bound to it. From the network's point of view it is closed: the kernel answers a TCP SYN to it with a RST and a UDP datagram with an ICMP port-unreachable, unless a firewall drops the packet first. That is exactly what a port scanner reports as "closed".
[root@rhel7-server ~]# netstat -laut
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37708           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:x11             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
tcp        0      0 localhost:smux          0.0.0.0:*               LISTEN
tcp        0     64 www.test.com:ssh        192.168.135.1:9512      ESTABLISHED
tcp        0      0 192.168.135.133:ssh     192.168.135.1:9515      ESTABLISHED
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
tcp6       0      0 [::]:x11                [::]:*                  LISTEN
tcp6       0      0 [::]:57300              [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*
udp        0      0 0.0.0.0:ntp             0.0.0.0:*
udp        0      0 0.0.0.0:snmp            0.0.0.0:*
udp        0      0 0.0.0.0:xdmcp           0.0.0.0:*
udp        0      0 0.0.0.0:mdns            0.0.0.0:*
udp        0      0 localhost:323           0.0.0.0:*
udp        0      0 0.0.0.0:54711           0.0.0.0:*
udp        0      0 0.0.0.0:740             0.0.0.0:*
udp        0      0 localhost:766           0.0.0.0:*
udp        0      0 0.0.0.0:47918           0.0.0.0:*
udp6       0      0 [::]:sunrpc             [::]:*
udp6       0      0 [::]:ntp                [::]:*
udp6       0      0 localhost:323           [::]:*
udp6       0      0 [::]:740                [::]:*
udp6       0      0 [::]:58201              [::]:*
If you want port numbers instead of names, add the -n flag:
[root@rhel7-server ~]# netstat -lanut
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37708           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN
tcp        0     64 192.168.135.134:22      192.168.135.1:9512      ESTABLISHED
tcp        0      0 192.168.135.133:22      192.168.135.1:9515      ESTABLISHED
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::6000                 :::*                    LISTEN
tcp6       0      0 :::57300                :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:177             0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp        0      0 0.0.0.0:54711           0.0.0.0:*
udp        0      0 0.0.0.0:740             0.0.0.0:*
udp        0      0 127.0.0.1:766           0.0.0.0:*
udp        0      0 0.0.0.0:47918           0.0.0.0:*
udp6       0      0 :::111                  :::*
udp6       0      0 :::123                  :::*
udp6       0      0 ::1:323                 :::*
udp6       0      0 :::740                  :::*
udp6       0      0 :::58201                :::*
All other ports are unused.
To determine which ports are listening for connections from the network (established sessions filtered out, owning process shown):
# netstat -pan -A inet,inet6 | grep -v ESTABLISHED
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2349/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2288/rpcbind
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1341/Xorg
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2286/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2367/cupsd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2349/smbd
tcp        0      0 0.0.0.0:54432           0.0.0.0:*               LISTEN      2298/rpc.statd
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN      2284/snmpd
tcp6       0      0 :::139                  :::*                    LISTEN      2349/smbd
tcp6       0      0 :::32878                :::*                    LISTEN      2298/rpc.statd
tcp6       0      0 :::111                  :::*                    LISTEN      2288/rpcbind
tcp6       0      0 :::6000                 :::*                    LISTEN      1341/Xorg
tcp6       0      0 :::21                   :::*                    LISTEN      2294/vsftpd
tcp6       0      0 :::22                   :::*                    LISTEN      2286/sshd
tcp6       0      0 :::23                   :::*                    LISTEN      1/systemd
tcp6       0      0 :::445                  :::*                    LISTEN      2349/smbd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2288/rpcbind
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1074/chronyd
udp        0      0 192.168.135.255:137     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.135.133:137     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.135.255:137     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.135.134:137     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.199.255:137     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.199.131:137     0.0.0.0:*                           2338/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.135.255:138     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.135.133:138     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.135.255:138     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.135.134:138     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.199.255:138     0.0.0.0:*                           2338/nmbd
udp        0      0 192.168.199.131:138     0.0.0.0:*                           2338/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           2338/nmbd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           2284/snmpd
udp        0      0 0.0.0.0:177             0.0.0.0:*                           1316/gdm
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1047/avahi-daemon:
udp        0      0 127.0.0.1:323           0.0.0.0:*                           1074/chronyd
udp        0      0 0.0.0.0:45395           0.0.0.0:*                           1047/avahi-daemon:
udp        0      0 0.0.0.0:751             0.0.0.0:*                           2288/rpcbind
udp        0      0 127.0.0.1:778           0.0.0.0:*                           2298/rpc.statd
udp        0      0 0.0.0.0:57175           0.0.0.0:*                           2298/rpc.statd
udp6       0      0 :::111                  :::*                                2288/rpcbind
udp6       0      0 :::123                  :::*                                1074/chronyd
udp6       0      0 :::751                  :::*                                2288/rpcbind
udp6       0      0 :::59241                :::*                                2298/rpc.statd
Note in the listing above that port 23 (telnet) is held by PID 1, systemd: telnet.socket is socket-activated, so systemd owns the port and only spawns the telnet daemon when a client connects. The daemon not being in the process list does not mean the service is off; section 5 deals with it.
We can also use lsof to list open ports:
[root@rhel7-server ~]# lsof -i
COMMAND     PID    USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
avahi-dae  1046   avahi   12u  IPv4   21439      0t0  UDP *:mdns
avahi-dae  1046   avahi   13u  IPv4   21440      0t0  UDP *:47918
chronyd    1084  chrony    1u  IPv4   20197      0t0  UDP *:ntp
chronyd    1084  chrony    2u  IPv6   20198      0t0  UDP *:ntp
chronyd    1084  chrony    3u  IPv4   20199      0t0  UDP localhost:323
chronyd    1084  chrony    5u  IPv6   20200      0t0  UDP localhost:323
gdm        1213    root    9u  IPv4   22114      0t0  UDP *:xdmcp
Xorg       1352    root    1u  IPv6   22253      0t0  TCP *:x11 (LISTEN)
Xorg       1352    root    3u  IPv4   22254      0t0  TCP *:x11 (LISTEN)
rpcbind    2270     rpc    7u  IPv4   26242      0t0  UDP *:sunrpc
rpcbind    2270     rpc    8u  IPv4   26243      0t0  UDP *:740
rpcbind    2270     rpc    9u  IPv4   26244      0t0  TCP *:sunrpc (LISTEN)
rpcbind    2270     rpc   10u  IPv6   26245      0t0  UDP *:sunrpc
rpcbind    2270     rpc   11u  IPv6   26246      0t0  UDP *:740
rpcbind    2270     rpc   12u  IPv6   26247      0t0  TCP *:sunrpc (LISTEN)
rpc.statd  2283 rpcuser    7u  IPv4   27080      0t0  UDP *:54711
rpc.statd  2283 rpcuser    8u  IPv4   27083      0t0  TCP *:37708 (LISTEN)
rpc.statd  2283 rpcuser    9u  IPv4   27067      0t0  UDP localhost:766
rpc.statd  2283 rpcuser   10u  IPv6   27087      0t0  UDP *:58201
rpc.statd  2283 rpcuser   11u  IPv6   27090      0t0  TCP *:57300 (LISTEN)
master     2386    root   13u  IPv4   27313      0t0  TCP localhost:smtp (LISTEN)
master     2386    root   14u  IPv6   27314      0t0  TCP localhost:smtp (LISTEN)
cupsd      2464    root   10u  IPv6   27644      0t0  TCP localhost:ipp (LISTEN)
cupsd      2464    root   11u  IPv4   27645      0t0  TCP localhost:ipp (LISTEN)
snmpd     32645    root    6u  IPv4  782600      0t0  UDP *:snmp
snmpd     32645    root    8u  IPv4  782601      0t0  TCP localhost:smux (LISTEN)
sshd      48492    root    3u  IPv4 1306495      0t0  TCP *:ssh (LISTEN)
sshd      48492    root    4u  IPv6 1306497      0t0  TCP *:ssh (LISTEN)
sshd      49333    root    3u  IPv4 1348398      0t0  TCP www.test.com:ssh->192.168.135.1:9512 (ESTABLISHED)
sshd      49434    root    3u  IPv4 1349757      0t0  TCP 192.168.135.133:ssh->192.168.135.1:9515 (ESTABLISHED)
httpd     50750    root    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd     50751  apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd     50752  apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd     50753  apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd     50754  apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd     50755  apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
httpd     50765  apache    4u  IPv6 1408552      0t0  TCP *:http (LISTEN)
[root@rhel7-server ~]# lsof -n -P | grep LISTEN
Xorg       1352        root    1u  IPv6   22253      0t0  TCP *:6000 (LISTEN)
Xorg       1352        root    3u  IPv4   22254      0t0  TCP *:6000 (LISTEN)
Xorg       1352  1702  root    1u  IPv6   22253      0t0  TCP *:6000 (LISTEN)
Xorg       1352  1702  root    3u  IPv4   22254      0t0  TCP *:6000 (LISTEN)
Xorg       1352  1703  root    1u  IPv6   22253      0t0  TCP *:6000 (LISTEN)
Xorg       1352  1703  root    3u  IPv4   22254      0t0  TCP *:6000 (LISTEN)
rpcbind    2270         rpc    9u  IPv4   26244      0t0  TCP *:111 (LISTEN)
rpcbind    2270         rpc   12u  IPv6   26247      0t0  TCP *:111 (LISTEN)
rpc.statd  2283     rpcuser    8u  IPv4   27083      0t0  TCP *:37708 (LISTEN)
rpc.statd  2283     rpcuser   11u  IPv6   27090      0t0  TCP *:57300 (LISTEN)
master     2386        root   13u  IPv4   27313      0t0  TCP 127.0.0.1:25 (LISTEN)
master     2386        root   14u  IPv6   27314      0t0  TCP [::1]:25 (LISTEN)
cupsd      2464        root   10u  IPv6   27644      0t0  TCP [::1]:631 (LISTEN)
cupsd      2464        root   11u  IPv4   27645      0t0  TCP 127.0.0.1:631 (LISTEN)
snmpd     32645        root    8u  IPv4  782601      0t0  TCP 127.0.0.1:199 (LISTEN)
sshd      48492        root    3u  IPv4 1306495      0t0  TCP *:22 (LISTEN)
sshd      48492        root    4u  IPv6 1306497      0t0  TCP *:22 (LISTEN)
httpd     50750        root    4u  IPv6 1408552      0t0  TCP *:80 (LISTEN)
httpd     50751      apache    4u  IPv6 1408552      0t0  TCP *:80 (LISTEN)
httpd     50752      apache    4u  IPv6 1408552      0t0  TCP *:80 (LISTEN)
httpd     50753      apache    4u  IPv6 1408552      0t0  TCP *:80 (LISTEN)
httpd     50754      apache    4u  IPv6 1408552      0t0  TCP *:80 (LISTEN)
httpd     50755      apache    4u  IPv6 1408552      0t0  TCP *:80 (LISTEN)
httpd     50765      apache    4u  IPv6 1408552      0t0  TCP *:80 (LISTEN)
We can also use nmap to detect open ports on the system.
For TCP & UDP,
[root@rhel7-server ~]# nmap -sTU localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2018-09-30 17:48 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00097s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 1987 closed ports
PORT      STATE         SERVICE
22/tcp    open          ssh
25/tcp    open          smtp
80/tcp    open          http
111/tcp   open          rpcbind
199/tcp   open          smux
631/tcp   open          ipp
6000/tcp  open          X11
111/udp   open          rpcbind
123/udp   open|filtered ntp
161/udp   open          snmp
177/udp   open          xdmcp
5353/udp  open|filtered zeroconf
54711/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 3.68 seconds
For only TCP,
[root@rhel7-server ~]# nmap -sT localhost
For only UDP,
[root@rhel7-server ~]# nmap -sU localhost
Two things to keep in mind. A scan of localhost also lists services bound to 127.0.0.1 only (smtp, smux and ipp here), which nobody on the network can reach; to see what an attacker sees, run the same scan from another host against the server's real address. And open|filtered on a UDP port means nmap got no answer at all (neither a reply nor an ICMP port-unreachable), which is ambiguous, not proof that the port is open.
We can also use the ss utility to find open ports in listening state (ss is netstat's replacement on RHEL7 and reads the socket tables directly; -t TCP, -l listening, -w raw sockets, and -u, -n and -p add UDP, numeric ports and the owning process):
[root@rhel7-server ~]# ss -tlw
Netid  State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
tcp    LISTEN     0      50     *:netbios-ssn          *:*
tcp    LISTEN     0      128    *:sunrpc               *:*
tcp    LISTEN     0      128    *:x11                  *:*
tcp    LISTEN     0      128    *:ssh                  *:*
tcp    LISTEN     0      128    127.0.0.1:ipp          *:*
tcp    LISTEN     0      50     *:microsoft-ds         *:*
tcp    LISTEN     0      128    *:54432                *:*
tcp    LISTEN     0      128    127.0.0.1:smux         *:*
tcp    LISTEN     0      50     :::netbios-ssn         :::*
tcp    LISTEN     0      128    :::32878               :::*
tcp    LISTEN     0      128    :::sunrpc              :::*
tcp    LISTEN     0      128    :::x11                 :::*
tcp    LISTEN     0      32     :::ftp                 :::*
tcp    LISTEN     0      128    :::ssh                 :::*
tcp    LISTEN     0      128    :::telnet              :::*
tcp    LISTEN     0      50     :::microsoft-ds        :::*
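The listings above are easy to misread once there are dozens of sockets. As an added example (my own script, not code from the post), here is a small filter that reads `ss -tulnpH` output (-H drops the header on recent iproute2; use `tail -n +2` on older versions) and labels every listener by exposure: LOOPBACK (127.0.0.1 or ::1, reachable only from the host), ALL-INTERFACES (0.0.0.0 or ::, reachable from every network the box is on) or SPECIFIC (bound to one address). The sample input is constructed to mirror the services seen above; the function and variable names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: classify listening sockets by exposure.
# Input is `ss -tulnpH` output (no header), one socket per line, e.g.
#   tcp   LISTEN 0 128  0.0.0.0:22   0.0.0.0:*  users:(("sshd",pid=48492,fd=3))
# The sample below is CONSTRUCTED to mirror the services seen on this page.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0 128  0.0.0.0:22           0.0.0.0:*  users:(("sshd",pid=48492,fd=3))
tcp   LISTEN 0 128  127.0.0.1:631        0.0.0.0:*  users:(("cupsd",pid=2464,fd=11))
tcp   LISTEN 0 128  127.0.0.1:25         0.0.0.0:*  users:(("master",pid=2386,fd=13))
tcp   LISTEN 0 50   0.0.0.0:445          0.0.0.0:*  users:(("smbd",pid=2454,fd=35))
tcp   LISTEN 0 128  [::]:80              [::]:*     users:(("httpd",pid=50750,fd=4))
tcp   LISTEN 0 128  [::1]:631            [::]:*     users:(("cupsd",pid=2464,fd=10))
udp   UNCONN 0 0    0.0.0.0:161          0.0.0.0:*  users:(("snmpd",pid=32645,fd=6))
udp   UNCONN 0 0    192.168.135.133:137  0.0.0.0:*  users:(("nmbd",pid=2436,fd=16))'

# classify_listeners: stdin = ss -tulnpH lines; prints
#   <exposure> <proto> <bind address> <port> <program>
# where exposure is LOOPBACK, ALL-INTERFACES or SPECIFIC.
classify_listeners() {
    awk '
    {
        proto = $1; local = $5
        # split at the LAST colon: IPv6 addresses contain colons themselves
        n = match(local, /:[0-9]+$/)
        addr = substr(local, 1, n - 1); port = substr(local, n + 1)
        prog = "-"
        if (match($0, /users:\(\("[^"]+"/))          # users:(("name",pid=...
            prog = substr($0, RSTART + 9, RLENGTH - 10)
        if (addr == "127.0.0.1" || addr == "[::1]")
            exposure = "LOOPBACK"
        else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            exposure = "ALL-INTERFACES"
        else
            exposure = "SPECIFIC"
        printf "%-14s %-4s %-20s %-5s %s\n", exposure, proto, addr, port, prog
    }'
}

# exposed_count: how many listeners are reachable from the network at all
exposed_count() {
    classify_listeners | grep -vc '^LOOPBACK'
}

# Stand-alone run on the constructed sample. On a live host:
#   ss -tulnpH | classify_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | classify_listeners
printf 'network-reachable listeners: %s\n' "$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_count)"
```

Everything tagged ALL-INTERFACES or SPECIFIC is what a port scan from the LAN will find; each of those lines needs either a reason to exist or a stop/disable as in the smb example above.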
To terminate a connection or listener immediately, fuser -k sends SIGKILL to every process that holds the port:
[root@rhel7-server ~]# fuser -k 631/tcp
631/tcp:              2464
[root@rhel7-server ~]# lsof -i:37708
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpc.statd 2283 rpcuser    8u  IPv4  27083      0t0  TCP *:37708 (LISTEN)
[root@rhel7-server ~]# netstat -anp|grep 37708
tcp        0      0 0.0.0.0:37708           0.0.0.0:*               LISTEN      2283/rpc.statd
[root@rhel7-server ~]# kill -9 2283
OR,
[root@rhel7-server ~]# fuser -k 37708/tcp
37708/tcp:            2283
[root@rhel7-server ~]# lsof -i:37708
[root@rhel7-server ~]# netstat -anp|grep 37708
Killing the process is a stopgap, not a fix: the unit that started it is still enabled, so the listener is back after the next reboot (or sooner, if systemd restarts it). Stop and disable the owning service as in the smb example, and try a plain kill (SIGTERM) before -9 so the daemon gets a chance to shut down cleanly.
4. Blocking ports via IPTABLES & FIREWALLD
Ports that must stay open only to some hosts, or that belong to a service we cannot remove, are blocked with iptables (RHEL6) or firewalld (RHEL7).
I have already explained IPTABLES & FIREWALLD in great detail; please refer to the following posts.
IPTABLES,
FIREWALLD,
5. Disable Telnet/FTP
We will disable Telnet and FTP, but first the question: WHY?
Let's check.
I am connecting to 192.168.135.133 via FTP from 192.168.135.142.
[root@rhel6-server ~]# ftp 192.168.135.133
Connected to 192.168.135.133 (192.168.135.133).
220 (vsFTPd 3.0.2)
Name (192.168.135.133:root): anurag
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,135,133,170,69).
150 Here comes the directory listing.
drwxrwxr-x    2 1000     1000            6 May 01 13:04 test1
-rw-rw-r--    1 1000     1000            0 May 01 13:04 test2
-rw-rw-r--    1 1000     1000            0 May 12 13:20 typescript
226 Directory send OK.
ftp> bye
221 Goodbye.
That works fine. But there is another side to it.
I ran tcpdump on 192.168.135.133 while logging in (-A prints each packet's payload as ASCII, -n skips name resolution, -tttt gives full timestamps):
# tcpdump -An -tttt -vvv port ftp -i eth0 > test.out
Now look at the output. It is truncated here; only the relevant packets are shown.
2018-10-01 14:46:10.209237 IP (tos 0x10, ttl 64, id 899, offset 0, flags [DF], proto TCP (6), length 65)
    192.168.135.143.45199 > 192.168.135.133.ftp: Flags [P.], cksum 0x8ade (correct), seq 1:14, ack 21, win 229, options [nop,nop,TS val 194166637 ecr 220281395], length 13
E..A..@.@..................Y.z.............!:3USER anurag
2018-10-01 14:46:16.069681 IP (tos 0x10, ttl 64, id 901, offset 0, flags [DF], proto TCP (6), length 70)
    192.168.135.143.45199 > 192.168.135.133.ftp: Flags [P.], cksum 0xfed2 (correct), seq 14:32, ack 55, win 229, options [nop,nop,TS val 194172497 ecr 220284100], length 18
E..F..@.@..................f.z.............!D.PASS Redhat@123$
See the magic: the username and the password cross the wire in cleartext, readable by anyone who can see the traffic (a compromised host on the same LAN, a mirrored switch port, a rogue access point).
The same capture repeated against a telnet session, this time while changing the password for user anurag, gives the same result (output omitted).
That is why FTP and Telnet must be disabled; use SSH (with sftp/scp for file transfer) instead.
Better still, uninstall them, or stop them permanently.
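As an added example (my own script, not from the post), here is the defensive side of the capture above: a filter that pulls cleartext FTP logins out of `tcpdump -A` text, which is handy for proving that a "nobody uses FTP any more" server still receives logins before it is switched off. The sample capture is constructed to look like the one on this page (with -vvv the addresses sit on the line after the timestamp, and -A prints the payload, non-printables included, on the line after that); the function name is my own.

```sh
#!/bin/sh
# Added example, not from the original post: extract cleartext FTP credentials
# from a `tcpdump -A` text capture. The sample is CONSTRUCTED to resemble the
# capture shown on this page (header line, address line, then ASCII payload).
SAMPLE_CAPTURE='2018-10-01 14:46:10.209237 IP (tos 0x10, ttl 64, id 899, offset 0, flags [DF], proto TCP (6), length 65)
    192.168.135.143.45199 > 192.168.135.133.ftp: Flags [P.], seq 1:14, ack 21, win 229, length 13
E..A..@.@..................Y.z.............!:3USER anurag
2018-10-01 14:46:16.069681 IP (tos 0x10, ttl 64, id 901, offset 0, flags [DF], proto TCP (6), length 70)
    192.168.135.143.45199 > 192.168.135.133.ftp: Flags [P.], seq 14:32, ack 55, win 229, length 18
E..F..@.@..................f.z.............!D.PASS Redhat@123$
2018-10-01 14:46:16.070312 IP (tos 0x0, ttl 64, id 4410, offset 0, flags [DF], proto TCP (6), length 73)
    192.168.135.133.ftp > 192.168.135.143.45199: Flags [P.], seq 55:76, ack 32, win 227, length 21
E..I..@.@.........230 Login successful.'

# ftp_logins: stdin = tcpdump -A text; prints "client user password" for every
# USER/PASS pair sent towards an FTP control port. Packets going the other way
# (server -> client) never set the client variable, so they are ignored.
ftp_logins() {
    awk '
    # address line of a client -> server packet: remember who the client is
    match($0, /[0-9][0-9.]* > [0-9][0-9.]*\.(ftp|21): /) {
        split(substr($0, RSTART, RLENGTH), ends, " > ")
        client = ends[1]; sub(/\.[0-9]+$/, "", client)   # drop the source port
        next
    }
    # payload lines: the command may be preceded by raw header bytes, so match anywhere
    match($0, /USER [^ \r]+/) { user[client] = substr($0, RSTART + 5, RLENGTH - 5) }
    match($0, /PASS [^ \r]+/) {
        printf "%s %s %s\n", client, user[client], substr($0, RSTART + 5, RLENGTH - 5)
    }'
}

# Stand-alone run on the constructed sample. On a live capture:
#   tcpdump -A -n -tttt -vvv -i eth0 port ftp | ftp_logins
printf '%s\n' "$SAMPLE_CAPTURE" | ftp_logins
```

Anyone on the path can do the same, which is the whole argument for removing FTP and Telnet; an IDS rule matching the `PASS ` command on port 21 is the corresponding detection if the service has to stay for a while.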
RHEL-7: TELNET
[root@rhel7-server ~]# systemctl status telnet.socket |grep Active
   Active: active (listening) since Mon 2018-10-01 13:38:39 IST; 3h 6min ago
[root@rhel7-server ~]# systemctl stop telnet.socket
[root@rhel7-server ~]# systemctl disable telnet.socket
OR,
[root@rhel7-server ~]# yum erase telnet-server
(telnet.socket belongs to the telnet-server package; the telnet package is only the client, so erasing that would leave the server in place.)
RHEL-7: FTP
[root@rhel7-server ~]# systemctl status vsftpd |grep active
   Active: active (running) since Mon 2018-10-01 13:49:57 IST; 3h 1min ago
[root@rhel7-server ~]# systemctl stop vsftpd
[root@rhel7-server ~]# systemctl disable vsftpd
OR,
[root@rhel7-server ~]# yum erase vsftpd
RHEL6: TELNET
[root@rhel6-server ~]# vi /etc/xinetd.d/telnet
Change the disable value from no to yes:
[root@rhel6-server ~]# grep disable /etc/xinetd.d/telnet
        disable         = yes
[root@rhel6-server ~]# service xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
RHEL6: FTP
[root@rhel6-server ~]# service vsftpd status
vsftpd (pid 2624) is running...
[root@rhel6-server ~]# service vsftpd stop
Shutting down vsftpd:                                      [  OK  ]
[root@rhel6-server ~]# chkconfig vsftpd off
[root@rhel6-server ~]# chkconfig vsftpd --list
vsftpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
6. Display a banner on SSH login
[root@rhel7-server ~]# vi /etc/ssh/banner-ssh
#################################################################
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law.
#################################################################
[root@rhel7-server ~]# vi /etc/ssh/sshd_config
Find the commented default,
#Banner none
and point it at the file. It should look like this:
[root@rhel7-server ~]# grep Banner /etc/ssh/sshd_config
Banner /etc/ssh/banner-ssh
[root@rhel7-server ~]# systemctl restart sshd
Now the warning appears before the password prompt. sshd sends the banner before authentication, so every client that connects sees it, which is the point of a legal notice:
login as: root
#################################################################
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law.
#################################################################
7. Disable IPv6 if not required
[root@rhel7-server ~]# vi /etc/sysctl.conf
# add the lines below at the end
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[root@rhel7-server ~]# sysctl -p
kernel.pty.max = 5120
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
(kernel.pty.max was already in this sysctl.conf; sysctl -p re-applies the whole file.)
To disable it for one particular interface only, replace "all" with the interface name:
net.ipv6.conf.eth2.disable_ipv6 = 1
"Not required" means you have checked. Several of the listeners above (httpd, sshd, rpcbind) bind [::] as well, and software configured with an IPv6 address (::1 in a mail server's listener list, for instance) can fail once that address is gone; look at the logs of anything that listened on [::] after applying this.
8. TCP Wrappers
TCP wrappers provide host-based access control separate from, and in addition to, the firewall running on the server.
Internet -> Firewall -> TCP Wrappers -> Network Services
If something gets past the firewall it still has to pass the TCP wrapper, and with a well-defined wrapper policy it gets blocked there. Two caveats: the wrapper only sees connections to daemons that link libwrap (checked below), and it decides on the client address or name only, so it is no substitute for a firewall, which filters every packet before a daemon ever sees it. TCP wrappers are deprecated in RHEL7 and gone from RHEL8, so treat them as defence in depth, not as the primary control.
Two files hold the configuration:
/etc/hosts.allow: the wrapper for a service always reads /etc/hosts.allow first, top to bottom. If the daemon and client combination matches an entry in the file, access is allowed.
/etc/hosts.deny: if the wrapper finds no match in hosts.allow, it reads /etc/hosts.deny top to bottom. If the daemon and client combination matches an entry in the file, access is denied.
If neither file matches, access is allowed; that is why hosts.deny should end with ALL: ALL.
Because hosts.allow is read first, its rules take precedence over those in hosts.deny: if a rule in /etc/hosts.allow permits access to a service, any rule in /etc/hosts.deny that forbids access to the same service is ignored. The search stops at the first match in either file.
RULE FORMAT:
daemon_list : client_list [: option]     (options include a command to run, and "deny")
WILDCARDS,
ALL: matches everything. It can be used for both the daemon list and the client list.
LOCAL: matches any host whose name does not contain a period (.), such as localhost.
KNOWN: matches any host whose hostname and address are both known, or whose user is known.
UNKNOWN: matches any host whose hostname or address is unknown, or whose user is unknown.
PARANOID: matches any host whose hostname does not match its address (forward and reverse DNS disagree).
Not all network services support TCP wrappers. To check whether a given daemon does:
# ldd /path/to/binary | grep libwrap
[root@rhel7-server ~]# whereis sshd
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz
[root@rhel7-server ~]# ldd /usr/sbin/sshd | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f8c4dfec000)
[root@rhel7-server ~]# whereis vsftpd
vsftpd: /usr/sbin/vsftpd /etc/vsftpd /usr/share/man/man8/vsftpd.8.gz
[root@rhel7-server ~]# ldd /usr/sbin/vsftpd | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f6d92033000)
No output means the daemon ignores hosts.allow and hosts.deny entirely (httpd is one such daemon, so the httpd line below has no effect on it).
First deny everything in /etc/hosts.deny, then allow the trusted hosts one by one (hosts.deny is consulted only after hosts.allow, so the deny-all rule does not lock out anything listed there):
[root@rhel7-server ~]# vi /etc/hosts.deny
ALL: ALL
Now start allowing one by one,
[root@rhel7-server ~]# vi /etc/hosts.allow
sshd: 192.168.135.142 192.168.135.143     # ssh from these two hosts only
sshd: 192.168.135.                        # or: the whole subnet (a trailing dot is a prefix match)
sshd: 192.168.135.0/255.255.255.0         # or: the same subnet written as net/mask
vsftpd: 192.168.135.142                   # ftp from one host only
httpd: ALL                                # http from everywhere (no effect: httpd does not link libwrap)
ALL EXCEPT vsftpd: 192.168.0.             # everything except ftp from 192.168.0.x
sendmail: PARANOID : deny                 # refuse clients whose address does not match their resolved hostname
The last line uses PARANOID to catch clients whose IP address may be forged because it differs from the hostname it resolves to; every connection request to Sendmail from such a host is denied.
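As an added example (my own script, not from the post), here is a small emulation of the hosts.allow / hosts.deny decision, so a rule set can be reasoned about before it is dropped onto a server. On a RHEL box the authoritative check is `tcpdmatch sshd 192.168.135.142` from the tcp_wrappers package; this script only reproduces the order of evaluation for the rule forms used above (exact IPv4, dotted prefix, net/mask, ALL, ALL EXCEPT, the `: deny` option). The rule sets and function names are my own assumptions; name-based patterns (LOCAL, KNOWN, PARANOID) need DNS and are out of scope.

```sh
#!/bin/sh
# Added example, not part of the original post: emulate the tcp_wrappers decision
# (hosts.allow first, then hosts.deny, default allow) for address-based rules.

# Constructed rule sets (assumption: a policy like the one in the post).
ALLOW_RULES='sshd: 192.168.135.99 : deny          # one host explicitly refused...
sshd: 192.168.135.                                 # ...the rest of the subnet may ssh in
vsftpd: 192.168.135.0/255.255.255.0                # ftp from the local subnet only
ALL EXCEPT vsftpd: 192.168.0.                      # everything but ftp from 192.168.0.x'
DENY_RULES='ALL: ALL                               # refuse whatever hosts.allow did not permit'

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# ip_to_int: dotted quad -> integer, so net/mask rules can be compared bitwise
ip_to_int() { echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'; }

# client_matches PATTERN IP: exit 0 when IP matches one client-list token
client_matches() {
    pat=$1; ip=$2
    case "$pat" in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}
             [ $(( $(ip_to_int "$ip") & $(ip_to_int "$mask") )) -eq \
               $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;   # prefix match
        *)   [ "$ip" = "$pat" ] ;;
    esac
}

# daemon_matches DAEMON_LIST DAEMON: exit 0 when the daemon field covers DAEMON
daemon_matches() {
    list=$1; daemon=$2
    case "$list" in
        ALL)            return 0 ;;
        "ALL EXCEPT "*) [ "${list#ALL EXCEPT }" != "$daemon" ] ;;
        *) for d in $list; do [ "$d" = "$daemon" ] && return 0; done; return 1 ;;
    esac
}

# first_match DAEMON IP: reads "daemon_list : client_list [: option]" lines on
# stdin, top to bottom, and prints "match" (or "match:deny" when the matching
# line carries the deny option) for the first line whose daemon list and client
# list both match; prints nothing when no line matches. Like the wrapper, it
# stops at the first match.
first_match() {
    daemon=$1; ip=$2
    while IFS= read -r line; do
        line=${line%%#*}                                  # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        dlist=$(trim "${line%%:*}")
        rest=${line#*:}
        clist=$(trim "${rest%%:*}")
        opt=""
        case "$rest" in *:*) opt=$(trim "${rest#*:}") ;; esac
        daemon_matches "$dlist" "$daemon" || continue
        for c in $clist; do
            if client_matches "$c" "$ip"; then
                if [ "$opt" = deny ]; then echo "match:deny"; else echo "match"; fi
                return 0
            fi
        done
    done
    return 0
}

# wrap_decision DAEMON IP: prints ALLOW or DENY in the wrapper's order:
# hosts.allow first (a match grants unless the rule says ": deny"), then
# hosts.deny (a match refuses); access is granted when neither file matches.
wrap_decision() {
    case "$(printf '%s\n' "$ALLOW_RULES" | first_match "$1" "$2")" in
        match)      echo ALLOW; return 0 ;;
        match:deny) echo DENY;  return 0 ;;
    esac
    case "$(printf '%s\n' "$DENY_RULES" | first_match "$1" "$2")" in
        match*) echo DENY ;;
        *)      echo ALLOW ;;
    esac
}

for probe in "sshd 192.168.135.142" "sshd 192.168.135.99" "sshd 10.0.0.5" \
             "vsftpd 192.168.135.7" "vsftpd 192.168.0.7" "httpd 192.168.0.7"; do
    set -- $probe
    printf '%-7s from %-16s -> %s\n' "$1" "$2" "$(wrap_decision "$1" "$2")"
done
```

The probes show the two traps of this file pair: a `: deny` line in hosts.allow wins over a later, broader allow line (the search stops at the first match), and without the `ALL: ALL` in hosts.deny the unmatched sshd request from 10.0.0.5 would be allowed, not refused.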
9. Disable Source Routing
In computer networking, source routing (also called path addressing) allows the sender of a packet to partially or completely specify the route the packet takes through the network. With ordinary routing, each router along the way picks the next hop itself, based on the packet's destination.
The Internet Protocol has two rarely used header options for this: "strict source and record route" (SSRR) and "loose source and record route" (LSRR). Because of the security concerns, packets carrying LSRR are frequently dropped on the Internet. If they are not, LSRR lets an attacker spoof its source address and still receive the response packets, since the reply is sent back along the recorded route.
Reason for disabling: attackers can use source routing to probe the network by forcing packets into specific parts of it, collecting information about the topology or other details useful for an attack. During an attack, source routing can be used to steer packets around existing security restrictions, for example through a dual-homed host that was never meant to relay traffic.
First check whether source-routed packets are accepted:
# cat /proc/sys/net/ipv4/conf/all/accept_source_route
0
It is already disabled here. If the output is 1, disable it with
# /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_source_route = 0
# /sbin/sysctl -w net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route = 0
sysctl -w changes the running kernel only. Put the same lines (plus the matching net.ipv4.conf.default.accept_source_route and net.ipv6.conf.default.accept_source_route keys, so that interfaces created later inherit the setting) into /etc/sysctl.conf or a file under /etc/sysctl.d/ to keep them across reboots.
10. Disable IP Forwarding
What is IP forwarding (general explanation)
IP forwarding is the process of deciding which path a packet or datagram is sent along. It uses routing information to make that decision and exists to carry packets across multiple networks.
Generally, networks are separated from each other by routers. For packets to travel between networks, they must be "routed" from one network to another. Routers hold a routing table with specific instructions on how to reach a destination network (a route), a set of generic instructions on where to send packets that match no other route (the default route), or both. Routes are either hard-coded by the network administrator (static routes) or learned dynamically via a routing protocol. They tell the router how to use the physical network infrastructure in place to get packets to their destination, regardless of the number of hops needed.
IP forwarding on a Linux system
IP forwarding should be enabled only when we want the system to act as a router, passing IP packets from one network to another.
Consider a server with two physical Ethernet ports connected to two different networks (say, your internal network and the outside world). With both interfaces configured, the system can talk on either network on its own behalf; only if IP forwarding is enabled will it also pass packets between the two, which makes it a path into the internal network for anyone who can reach the outside interface.
If our system is not meant to work as a router, disable IP forwarding.
First check whether it is enabled:
IPV4,
# sysctl -a |grep -i net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 0
IPV6,
# sysctl -a |grep -i net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 0
If the output is 1, then
IPV4,
[root@rhel7-server ~]# sysctl -w net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.forwarding = 0
IPV6,
[root@rhel7-server ~]# sysctl -w net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.forwarding = 0
(net.ipv4.ip_forward is the same switch under its better-known name; setting either one sets the other. As with every sysctl -w, persist the value in /etc/sysctl.conf or /etc/sysctl.d/.)
Along with this, one might also try to disable multicast forwarding:
# sysctl -w net.ipv4.conf.all.mc_forwarding=0
sysctl: setting key "net.ipv4.conf.all.mc_forwarding"
# sysctl -w net.ipv6.conf.all.mc_forwarding=0
sysctl: setting key "net.ipv6.conf.all.mc_forwarding"
Both commands fail; the truncated "sysctl: setting key" lines are the error message. mc_forwarding is a read-only status flag that reports whether a multicast routing daemon (pimd, mrouted) has switched multicast forwarding on for the interface. Without such a daemon it reads 0 and there is nothing to set; if it reads 1, the fix is to stop that daemon.
11. Disable ICMP broadcast (echo) requests
ICMP echo messages are what the "ping" command uses. By ignoring ICMP echo requests sent to a broadcast address, the machine will not answer when someone pings the broadcast address (255.255.255.255, or 192.168.135.255 on a 192.168.135.0/24 subnet) to find every host on the network or subnet in one go.
[root@rhel6-server ~]# ping 192.168.135.0 -b
WARNING: pinging broadcast address
PING 192.168.135.0 (192.168.135.0) 56(84) bytes of data.
64 bytes from 192.168.135.2: icmp_seq=1 ttl=128 time=0.345 ms
64 bytes from 192.168.135.133: icmp_seq=1 ttl=64 time=0.348 ms (DUP!)
64 bytes from 192.168.135.134: icmp_seq=1 ttl=64 time=54.6 ms (DUP!)
64 bytes from 192.168.135.140: icmp_seq=1 ttl=64 time=94.3 ms (DUP!)
One packet enumerated every live host on the subnet, which is not something we want to hand out. The same behaviour is what smurf attacks abuse: an echo request with a spoofed source sent to the broadcast address makes every answering host flood the victim with replies, so a host that answers broadcast pings is also an amplifier for attacks on others.
Ignoring broadcast requests does not affect unicast packets; a normal ping to the host's own address keeps working.
# sysctl -a |grep net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 0
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_echo_ignore_broadcasts = 1
Again, put the line in /etc/sysctl.conf or /etc/sysctl.d/ so that it persists.
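Sections 7, 9, 10 and 11 all come down to kernel parameters that are set with `sysctl -w` and then silently lost at the next reboot unless they are also written to a file. As an added example (my own script, not from the post), here is the combined set as one sysctl drop-in plus an audit function that compares a `sysctl -a` style snapshot against it and reports every key that still has the insecure value or is missing. The file name 99-hardening.conf, the function names and the sample snapshot are my own assumptions; drop the two disable_ipv6 lines if IPv6 is in use.

```sh
#!/bin/sh
# Added example, not from the original post: one drop-in for the sysctl settings
# from sections 7, 9, 10 and 11, and an audit of a `sysctl -a` snapshot against it.

# Desired values, key=value. The disable_ipv6 lines are only for hosts that do not use IPv6.
HARDENING_SYSCTL='net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.forwarding=0
net.ipv6.conf.all.forwarding=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1'

# write_dropin DIR: emit the values in sysctl.conf syntax ("key = value") to
# DIR/99-hardening.conf. On a live host DIR is /etc/sysctl.d and the file is
# loaded with `sysctl --system` (RHEL 7) or `sysctl -p /etc/sysctl.d/99-hardening.conf` (RHEL 6).
write_dropin() {
    printf '%s\n' "$HARDENING_SYSCTL" | sed 's/=/ = /' > "$1/99-hardening.conf"
}

# audit_sysctl: stdin = "key = value" lines as printed by `sysctl -a`; prints one
# "DRIFT key current=... expected=..." line per key that differs or is absent.
audit_sysctl() {
    snapshot=$(cat)
    printf '%s\n' "$HARDENING_SYSCTL" | while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$snapshot" | awk -F' *= *' -v k="$key" '$1 == k { print $2 }')
        [ "$have" = "$want" ] || printf 'DRIFT %s current=%s expected=%s\n' \
            "$key" "${have:-<missing>}" "$want"
    done
}

# drift_count: number of DRIFT lines for the snapshot on stdin (0 means compliant)
drift_count() { audit_sysctl | grep -c '^DRIFT'; }

# CONSTRUCTED snapshot (assumption: a host where several knobs still have their
# default values and one IPv6 key is absent). On a live host run:
#   sysctl -a 2>/dev/null | audit_sysctl
SAMPLE_SNAPSHOT='kernel.pty.max = 5120
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv6.conf.all.disable_ipv6 = 1'

printf '%s\n' "$SAMPLE_SNAPSHOT" | audit_sysctl
```

Running the audit from cron, or from a configuration-management check, is what catches the case this page never mentions: a reboot, a kernel update or a colleague's `sysctl -w` quietly putting a value back.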
12. Changing the SSH port
Everyone knows that sshd listens on port 22, so scanners and brute-force bots hammer it first. Moving it to another port, known only to the trusted users, keeps the logs quieter and shakes off opportunistic scanners; it is not a security control by itself, since a port scan finds the new port in seconds, so key-based authentication and the rest of the SSH hardening stay in place.
[root@rhel7-server ~]# grep Port /etc/ssh/sshd_config
#Port 22
[root@rhel7-server ~]# vi /etc/ssh/sshd_config
Change the Port to 6789:
[root@rhel7-server ~]# grep Port /etc/ssh/sshd_config
#Port 22
Port 6789
Before restarting the ssh service, make sure the new port is allowed through IPTables/Firewalld and known to SELinux, and keep the current session open until a second login on the new port has succeeded.
RHEL7,
# firewall-cmd --zone=public --add-port=6789/tcp --permanent
(a permanent firewalld rule becomes active only after a firewalld reload)
RHEL6,
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 6789 -j ACCEPT
(save the iptables rule set afterwards, otherwise the rule is gone at the next restart)
If SELinux is enforcing, the following command is a must, because sshd is only allowed to bind ports labelled ssh_port_t:
[root@rhel7-server ~]# semanage port -a -t ssh_port_t -p tcp 6789
Now restart the ssh service,
[root@rhel7-server ~]# systemctl restart sshd
Connecting to port 22 now gives "Connection refused"; connect to the new port 6789 instead.