Configuring the Qpopper Software

The latest version of Qpopper at the writing of this book (3.1) does not automatically create an xinetd entry in order to spawn itself automatically. To make sure this happens, simply create the file /etc/xinetd.d/qpopper with the contents in Listing 6.6. Listing 6.6 Contents of the /etc/xinetd.d/qpopper file. The directives in Listing 6.6 ensure that your server listens to requests for the POP3 service (TCP port 110) with /usr/sbin/in.qpopper as the daemon. If you are using inetd instead of...

The Samba Server

Samba is a full-featured implementation of a Server Message Block (SMB) server, which can offer transparent file services to Windows (95, 98, NT, 2000) clients, as well as to OS/2 clients. The brainchild of LinuxCare's Andrew Tridgell back in 1992, Samba is now widely used and updated with help from programmers from all over the world. Samba allows network administrators to use a Linux server's ability to store and manage a large number of files, while still preserving the use of Windows-based...

The pam_pwdb Module

The pam_pwdb module provides a generic interface to the Password Database library (pwdb). The use of the pam_pwdb module varies according to the management group in question. Account: When used as an account function, the pam_pwdb module establishes the status of the user's account and password. In the case of the password, pam_pwdb may offer advice to the user on changing their password, and it may even delay giving service to the user until they have established a new password. Authentication...

SMTP over TLS

Sendmail version 8.11 introduces support for secure SMTP over TLS (STARTTLS) per RFC 2487. The term STARTTLS simply refers to the new SMTP command that is used to initiate the TLS-enabled mail transport session. This extension allows you to set up a secure bridge between two SMTP (Sendmail) servers that can communicate using TLS (also known as Secure Sockets Layer, or SSL). This ensures the privacy and integrity of the exchange and strongly authenticates the identity of the two communicating peers....

The pam_access Module

This module provides login access control based on a number of customizable parameters, including the user's login name, host or domain names, Internet addresses or network numbers, and even terminal line names for logins from directly connected terminals. The pam_access module controls which user can log in from which place. Both login successes and failures are logged through the syslog facility. The pam_access module is used for account management tasks. It accepts only one argument,...

The Legacy ipfwadm and ipchains

Starting with kernel version 1.2.1, Linux has offered a number of utilities to configure the rules used by the kernel to accept or discard IP packets. The first incarnation of this utility was Alan Cox and Jos Vos' ipfwadm utility, which was based on BSD's ipfw utility and worked with kernel versions 1.2 through 2.1. The last version of ipfwadm was released in July 1996. Starting with kernel version 2.1.102 and later, ipfwadm has been replaced by Paul "Rusty" Russell and Michael Neuling's...

The pam_group Module

The pam_group module assigns group membership based on the user's name and the terminal that they are attempting to access, and it takes into account the time of day at which the request is made. The pam_group module does not provide user authentication. Instead, it grants group memberships to the user during the credential phase of the authentication module. Group memberships are based on the service the user is applying for. The group memberships are listed in text form in the /etc/security...

Application Layer Firewalls

Chapter 10, Transport Layer Firewalls, discussed proxying at the transport layer, where a number of TCP and UDP services share a common transport layer port on the proxy device using the SOCKS protocol. This type of appliance is considered a circuit-level firewall, where several applications share a common proxying framework, defined by the SOCKS protocol. An alternate approach to transport layer firewalls is one where each application type on the internal network connects to a separate...

The Present Netfilter

Linux kernel 2.4 includes a number of features and stability enhancements that make it a very robust platform to use for your firewall. One of the most noticeable improvements of this kernel version is the packet-filtering subsystem, which is now named Netfilter. The development of Netfilter has been largely funded by Watchguard Technologies. This U.S.-based company develops and markets commercial firewall appliances based on Linux platforms, as well as security services based on their...

The NEC SOCKS5 Proxy Server

The NEC NSL SOCKS reference implementation was a pioneer in the field of application layer security, offering a full-featured proxy server application based on version 5 of the popular SOCKS protocol. This chapter walks you through the process of compiling, installing, and configuring the Linux version of NEC's SOCKS5 implementation. It also describes how to use SOCKSCap, which is a WinSock-based library that provides seamless SOCKS support for Microsoft Windows applications that are not...

Pluggable Authentication Modules (PAMs)

With the explosion of network-aware Linux applications, authentication has become an important issue. Traditionally, Linux application developers included their own authentication mechanisms in their programs, ranging anywhere from no authentication (e.g., TFTP) to strong Kerberos and S/Key authentication (e.g., telnet). Hard-coding authentication into each application has several drawbacks: The user is forced into a specific mode of authentication. Changing authentication mechanisms involves...

Inetd Configuration Examples

By default, Linux distributions are shipped with a generous set of daemons in the inetd.conf file. Consider, for instance, the standard /etc/inetd.conf file that is shipped with the SuSE 7.0 distribution, as shown in Listing 4.2. (The comment lines in this /etc/inetd.conf file have been removed for simplicity.)

Listing 4.2 A typical default /etc/inetd.conf file

    http-rman stream tcp nowait.10000 nobody /usr/sbin/tcpd /usr/sbin/http-rman
    swat      stream tcp nowait.400   root   /usr/sbin/swat swat

The system...

Ethereal

PortSentry is a useful tool for detecting port-scan attempts at the transport layer (TCP or UDP), but system administrators often find themselves in need of a tool that allows them to examine the content of network packets as they fly through the wire. Ethereal is the optimal tool for this kind of application. Offered under the GNU GPL, Ethereal is the product of a large collaborative effort by a group of developers who were unhappy with the high price of commercial packet analyzers. The result...

Network Based Auditing Tools

While there have always been attempts to build a comprehensive tool for exposing network vulnerabilities on a system, it wasn't accomplished until 1995, when Dan Farmer and Wietse Venema (who also created TCP Wrappers) released the first version of SATAN (Security Administrator's Tool for Analyzing Networks). This network-based auditing tool quickly became a household word among network and systems administrators. In their 1993 landmark paper, Improving the Security of Your Site by Breaking...

Configuring mod_ssl

There is a fundamental choice to be made before configuring mod_ssl, which has to do with the way you will use digital certificates and authentication. You need to do one of the following: Seek the services of a well-known CA (VeriSign, Thawte, Entrust, Xcert, etc.) whose root certificate comes preloaded with many of today's network applications (Web browsers, mail clients, etc.). Create your own CA using OpenSSL, create the Apache server's digital certificate, and sign it with the CA's private...

Managing Kerberos Credentials

The non-privileged user interacts with the Kerberos system to manage the Kerberos tickets that are used to request network services. There are four commands used for this purpose: klist The klist command displays a list of the Kerberos tickets that you are currently holding. The ticket information is kept in the file /tmp/krb5cc_XXX, where XXX is your UID on the Linux server. kinit The kinit command requests a ticket-granting ticket from the KDC and holds it in the /tmp/krb5cc_XXX file for...

FWTK The TIS Firewall Toolkit

The Firewall ToolKit (FWTK) is a complete application layer firewall package freely available on the Internet. FWTK can be compiled to run on a Linux server without any source code modifications. First released to the public back in 1993, FWTK was written by Trusted Information Systems (TIS), now part of Network Associates International, with funding from the U.S. government through the Advanced Research Projects Agency (ARPA). Marcus Ranum, who is now a legendary figure in Internet security,...

Starting and Stopping the SOCKS5 Server

The main SOCKS5 daemon application (located by default in /usr/local/bin/socks5) must be running at all times in order for your server to proxy incoming connections. The process listens on a pre-specified port (1080, by default), where internal clients can contact it to request proxy service. The SOCKS5 daemon can be started in one of four different modes: Stand-alone Stand-alone mode is the default for most Linux network servers. The system starts a single socks5 process from the usual startup...

Running PoPToP

Once you have configured the PPP layer and the PPTP daemon, make sure that the process starts with every system start. Note that the pptpd daemon automatically sends itself to the background if invoked from a terminal. Don't forget to set the Linux server to forward packets: echo 1 > /proc/sys/net/ipv4/ip_forward. PPTP uses destination port TCP 1723 on the Linux server and IP protocol ID 47 to exchange the data once the control connection has been established. If you are using IPtables to filter...

IP Authentication Header

As your traffic travels through the Internet, it is subject to a number of vulnerabilities, including one where an attacker modifies the content of your IP packets. This is easy to do in the current Internet model, a store-and-forward architecture where your packet is guaranteed to traverse a number of intermediary systems over which you have no control. One way to ensure that the content of your IP packets is not altered along the way is to affix a header with a one-way hash value of the state...

Sample Firewall Scenarios

The following example scenarios should capture the most popular network architectures in place today, from the simple dial-on-demand connection to a complex scenario featuring a dedicated router and a demilitarized zone where you can offer public services without compromising the security of your private network. Most small enterprises or branch offices have a single, non-dedicated connection to the Internet, and they don't want anyone coming back into their network or their firewall....

The SOCKS5 IPv4-to-IPv6 Translator

A little-known bonus that you get with the SOCKS5 reference implementation is the ability to bridge the gap between IPv4 and IPv6 hosts in your network. This is currently accomplished via a patch to the standard SOCKS5 server distribution, although NEC plans to eventually roll IPv6-to-IPv4 translation support in the standard SOCKS5 distribution. The translator, named Socks-Trans, functions by accepting both IPv4 and IPv6 requests, either on separate interfaces (as a multi-homed server) or on...

PortSentry

Part of Psionic Software's Abacus suite of security software, PortSentry is a real-time monitoring tool designed to detect a port scan directed at your system, and to respond to it appropriately. These responses are configurable and they vary in nature, from adding the offender's IP address to your TCP Wrappers' /etc/hosts.deny file, to modifying the local routing table to divert responses to that host. One of PortSentry's strongest suits is its Advanced Stealth Scan Detection Mode, which is the...

Debian

[Screenshot of the Debian security Web page: "Debian takes security very seriously. Most security problems brought to our attention are corrected within 48 hours. Experience has shown that 'security through obscurity' does not work. Public disclosure allows for more rapid and better solutions to security problems. In that vein, this page addresses Debian's status with respect to various known security holes, which could potentially affect Debian. Security bugs are only tracked..."]

The pam_cracklib Module

The pam_cracklib module provides strength checking of passwords before they are accepted. This module prompts the user for a password and checks its strength against a system dictionary and a set of rules for identifying potentially vulnerable password choices. By default, pam_cracklib prompts for a single password, checks its strength, and then, if it is considered strong, prompts for the password a second time to verify that it was typed correctly the first time. In addition to the checks to...

Configuring the Kerberos Domain Controller (KDC)

There are three distinct phases to configuring a Kerberos authentication environment:

1. First, you need to configure your Kerberos KDC, which listens for ticket requests from Kerberos clients.
2. Next, you have to populate the database on the KDC with the Kerberos principals for which you will be seeking authentication.
3. Finally, you have to configure your Kerberos-enabled servers to make use of Kerberos authentication for popular services such as Telnet and FTP.

All Kerberos systems need...

OpenSSH

While the original implementation of SSH was freely available, starting with v1.2.12, the licensing was made increasingly more restrictive until it eventually became a commercial product currently available from Data Fellows, Inc. The open-source community realized that the SSH concept was too valuable in the public domain and embarked on an organized effort to rewrite SSH into a free derivative. Starting in 1999, Björn Grönvall, and later the OpenBSD development team, took the original...

Spawning Internet Daemons with inetd

All Linux distributions (and all Berkeley-style Unix variants for that matter) include a central network service utility controlled by the inetd process. This super-server acts as the clearinghouse, or central point of administration, for all Internet services running on the server. You can verify that the master inetd process is running on your system by entering the following command:

    root 421 0.0 0.0 1232 60 ? S Sep24 0:00 inetd

The inetd daemon is started by Linux at system startup, and it...

The netstat Command

The netstat command is one of the most powerful utilities available to you in your quest for a secure network configuration. While the process table shows you which daemons have been started from the command line, and the /etc/inetd.conf file shows you the ones that are inetd-controlled, the netstat command is the ultimate authority on diagnosing which ports your Linux server is listening on. The netstat command is very broad in function, but it is the --inet and -a options that show you the...

Testing Your TCP Wrappers Configuration

Aside from man pages and documentation, the TCP Wrappers RPM file installs four executables as part of the TCP Wrappers package. You have already seen two of these: /usr/sbin/tcpd The tcpd file is the main daemon executable, which is invoked by the inetd daemon before dispatching the appropriate network server application. /usr/sbin/safe-finger The safe-finger file is the finger application often used to obtain information across the network from the client that is attempting to establish an...

Compiling the Latest SOCKS5 Release

The SOCKS5 Linux distribution can be downloaded in source format from NEC's Web site at (see Figure 10.2).

Figure 10.2 Downloading the SOCKS5 source distribution from the NEC Web site

All the software packages downloadable from this page...

Installing SOCKS5 with RPM

Use the rpm command with the -q (or --query) option to see if SOCKS5 is already installed on your system. If SOCKS5 is already installed, but you would like to upgrade the installed package to a more recent version, use the -U (or --upgrade) option with the new version of the package:

    ramon sudo rpm -U socks5-1.0r11-1.i386.rpm
    ramon rpm -q socks5

In addition to the base server package (SOCKS5), I recommend that you also install three additional RPM packages: The SOCKS5 Linux clients (socks5-clients) The...

Installing FreeSWAN

There are four fundamental pieces to the FreeS/WAN software distribution:

Kernel source patches and additions
The IKE daemon, which is called pluto
A set of scripts to manage the package
Man pages and configuration files

Start by installing the kernel patches. Go to the /usr/src/freeswan directory and enter the make xgo command. To install the FreeS/WAN software, you need a valid source tree because the make xgo command rebuilds the kernel. I recommend that you download the kernel source,...

Gateway Rules

In addition to the NetACL utility, the FWTK includes a number of specialized application layer proxies that are installed as separate executables in the /usr/local/etc directory. These include the following proxies: tn-gw, the Telnet proxy for handling interactive terminal connections; ftp-gw, the FTP proxy for handling File Transfer Protocol connections; http-gw, the HTTP proxy for handling HTTP connections to a Web server; plug-gw, a generic proxy that can be configured to handle any type of transport...

Authsrv

The authsrv daemon is an authentication facility for the use of any of the FWTK proxies. It maintains a database with a record for each known proxy user. The record consists of the following fields: Username: The username field is the unique user description that characterizes each proxy user. User Group: The user group field is the primary group to which the user belongs. Full Name: The full name field represents the name of the user in first, middle initial, last format (e.g., Ramon J. Hontanon)....

The runsocks Script

The SOCKS5 distribution comes with a compile option to build a dynamically linked library (/usr/local/lib/libsocks5_sh.so) that can be used by native Linux client applications in conjunction with a SOCKS5 server. The script /usr/local/bin/runsocks works by adding the location of the SOCKS5 dynamic library to the front of the standard Linux LD_LIBRARY_PATH, and effectively SOCKS-ifies any standard Linux network clients by replacing references to the commonly used Berkeley Sockets system calls...

Configuring Windows SOCKS5 Clients

While it's fairly trivial to modify the Linux environment for SOCKS5 clients, there is typically also a strong need for Windows-based clients to use the proxy server to connect to the public Internet. You clearly cannot modify each Windows application to use the SOCKS5 libraries, so you need a shim, a network driver that will insert itself in the WinSock TCP/IP stack and intercept all connection requests. The SOCKS5 developers augmented the capability of the Linux server with SOCKSCap, a...

SOCKS5 Shared Library Configuration

In order to control the execution of the SOCKS5 library and the operation of the SOCKS-ified clients, you must first create a configuration file, typically named /etc/libsocks5.conf. The contents of this file are analogous to the proxy-type directives in /etc/socks5.conf, discussed earlier in this chapter. The primary purpose of this file is to define which target hosts should be reached via the proxy and which target hosts should be addressed directly. Consider the following lines from a...

Configuring xinetd with /etc/xinetd.conf

The xinetd daemon is started by Linux at system startup, and its configuration is obtained from /etc/xinetd.conf, as well as from all the files in the /etc/xinetd.d directory. Each file in this directory contains the xinetd configuration for a particular service. Each file is the equivalent of a single line of /etc/inetd.conf. For example, the following directory listing of /etc/xinetd.d shows that this system has been configured to offer telnet, tftp, and imap services via xinetd. A typical file in...

IP Encapsulating Security Payload (ESP)

While the AH solves the problem of IP packet integrity and authentication, it does not address the issue of confidentiality. In many cases, you need to make sure that nobody is gaining unauthorized access to the payload of your IP packets as they travel over an untrusted network. The IP Encapsulating Security Payload (ESP) specification allows for a security gateway to completely encapsulate a private outgoing packet before it travels via the public Internet. This can be done in one of two ways...

The pam_unix Module

The pam_unix module is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as to perform authentication. Usually this information is obtained from the /etc/passwd file, and from the /etc/shadow file as well if shadow is enabled. The arguments available on the pam_unix module vary according to the management group in question. Account: The arguments for the account management group are as follows: debug This...

S/Key and OPIE

One of the major drawbacks of using conventional authentication is that if an attacker gains access to a password, they would be able to impersonate the user in question. But what if the password was different every time? The concept of one-time passwords is what inspired Bellcore engineers to design the S/Key system. By using a hash algorithm seeded by a small secret key (e.g., a password), the S/Key system allows you to use a predefined sequence of passwords to log onto a Linux server, using...

Installing the FWTK Firewall Toolkit

Due to the special terms and conditions in the licensing agreement, FWTK is only available for download via FTP from the TIS FTP site. You have to read the license, agree to it, and register your identity on their site before actually downloading the software. Start this process by reading the text file located at ftp://ftp.tislabs.com/pub/firewalls/toolkit/LICENSE. After you've reviewed this license agreement and found it acceptable, send an e-mail to the address fwtk-request@tislabs.com that...

System Monitoring and Auditing

Monitoring your system for abnormal behavior is an essential task in both system administration and information security. Most attackers leave their fingerprints in the system log files, and examining these logs is a fundamental step in the process of network forensics. More important, examining log files on a regular basis, looking for erratic or suspicious user behavior, can prevent attacks and enhance the overall security of your server. There are attackers who may be able to penetrate your...

Info

Information security has become a topic of increasing interest, not only in the Linux community but in all other areas of information technology. As potential threats materialize and become headline news, network and systems administrators are forced to wear other hats, as part-time police officers, as investigators, and, in a few unfortunate instances, even as forensics experts, so to speak. As the Internet continues to experience mind-boggling growth, fueled by, among other factors, the...