Chapter 10. Basics of network security

Table of Contents

Terminology
Firewall / Trusted and Untrusted Networks
Basic explanation - relating NAT to problems with IPv4
Checking on listening ports.
Service level security
TCP Wrappers

Terminology

What I want to cover now is some basics of security, and to do that we first need to understand some terminology.

Firewall / Trusted and Untrusted Networks

A firewall is a router-like device that exists between a trusted network and an untrusted network.

A typical example of an untrusted network is the Internet.

A typical example of a trusted network is your own internal network, although "trusted" should be taken with a pinch of salt: internal networks have repeatedly been shown to be the source of a great many security breaches, certainly more than arrive from the Internet.

A firewall is the mechanism that controls access into and out of your network.

Almost every network that can be connected to the Internet is restricted by a firewall, and that firewall generally blocks connections coming in while placing few or no restrictions on connections going out.

So anybody trying to log in from the Internet to the intranet will be blocked at the firewall, while people leaving via a web browser to surf the net will generally be allowed through.

A firewall is a packet-based device: every packet is looked at, weighed against the rule set and, if it meets the required criteria, passed through; otherwise it is dropped. Modern firewalls are also stateful, meaning they remember which connections were started from the inside so that only replies to those connections are let back in.

Many companies believe, or have been led to believe, that having a firewall is the beginning and end of their security set-up. In fact a firewall is only the tip of the iceberg, although it is essential because in many cases it does block the gremlins from coming in from outside.

Certain protocols, IRC for example, are blocked at the firewall, whereas HTTP, SMTP (mail) and FTP might well be allowed through.

Inbound ICMP echo requests (pings) are also commonly blocked, because a ping sweep is the usual first step in mapping which hosts on your network are alive. Blocking all of ICMP is a mistake, though: some ICMP messages, such as "fragmentation needed", are required for connections to work correctly, so block echo requests arriving from the outside rather than the whole protocol.

Firewalls offer a degree of protection from the Internet or from an untrusted network.

Basic explanation - relating NAT to problems with IPv4

Often the internal network uses a private address range, for example 10.0.1.x (the RFC 1918 ranges are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), which is not routable on the Internet; the Internet can only carry traffic to public addresses, for example 196.7.14.x. The firewall therefore performs NAT, Network Address Translation, rewriting the private internal address to its public external address on the way out and translating it back on the way in.

This is one of the ways the exhaustion of IPv4 addresses has been staved off. Large companies have handed back big blocks of public addresses for use on the Internet and use NAT to translate between the private addresses on their intranet and the few public ones they kept. A side effect worth noting: a host behind NAT has no public address, so nobody on the Internet can open a connection to it unless the firewall is explicitly configured to forward that traffic. That is why NAT is often treated as a firewall in itself, which it is not; it is the packet filter that decides what is allowed.
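The two ideas above, a packet filter that lets connections out but not in, and NAT for a private range, can be set up on a Linux box with iptables. The script below is an added example written for this chapter, not part of the original course: the interface names (eth0 outside, eth1 inside) and the 10.0.1.0/24 subnet are assumptions, and the preview mode (IPTABLES=echo) exists only so the rules can be read before they are applied. Current Debian releases use nftables underneath but still accept these commands through iptables-nft.

```shell
#!/bin/sh
# Added example (not from the course): minimal stateful firewall plus NAT
# gateway for a Linux box with one Internet-facing and one internal interface.
# Interface names and the internal subnet are assumptions for the demo.
#
# Set IPTABLES=echo to preview the rules without changing anything.
: "${IPTABLES:=iptables}"

# fw_setup EXT_IF INT_IF INT_NET
fw_setup() {
    ext_if=$1      # untrusted side, e.g. eth0 (assumption)
    int_if=$2      # trusted side,   e.g. eth1 (assumption)
    int_net=$3     # private range behind NAT, e.g. 10.0.1.0/24 (RFC 1918)

    # Start from a clean slate in the filter and nat tables.
    $IPTABLES -F
    $IPTABLES -t nat -F

    # Default-deny: nothing comes in or is forwarded unless a rule allows it.
    # Traffic originating from the firewall itself may go out.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback, and replies to connections this host started (stateful part).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Administer the firewall only from the trusted network: ssh from inside.
    $IPTABLES -A INPUT -i "$int_if" -s "$int_net" -p tcp --dport 22 -j ACCEPT

    # Drop pings arriving from the untrusted side (makes ping sweeps harder).
    # ICMP that belongs to an existing connection, e.g. "fragmentation
    # needed", is still accepted by the RELATED rule above.
    $IPTABLES -A INPUT -i "$ext_if" -p icmp --icmp-type echo-request -j DROP

    # Internal hosts may go out; only reply traffic for their connections
    # is forwarded back in. An unsolicited inbound packet matches nothing
    # and hits the DROP policy.
    $IPTABLES -A FORWARD -i "$int_if" -o "$ext_if" -s "$int_net" -j ACCEPT
    $IPTABLES -A FORWARD -i "$ext_if" -o "$int_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # NAT: rewrite the private source address to the public address of
    # the outside interface on the way out; conntrack reverses it on return.
    $IPTABLES -t nat -A POSTROUTING -o "$ext_if" -s "$int_net" -j MASQUERADE

    # Forwarding is off by default on Linux; the gateway needs it on.
    [ "$IPTABLES" = echo ] || sysctl -w net.ipv4.ip_forward=1
}

# Preview on a stand-alone run; drop IPTABLES=echo to apply for real (as root).
IPTABLES=echo fw_setup eth0 eth1 10.0.1.0/24
```

Run it as root without the echo prefix to apply the rules; they do not survive a reboot unless saved with iptables-save or placed in an init script. Note that the ssh rule is bound to the inside interface, so an attacker on the Internet never reaches the firewall's own ssh port even if the ssh daemon is listening on all addresses.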

Checking on listening ports.

A Linux machine can act as both a firewall and a NAT gateway, and it can also provide all sorts of services such as HTTP, SFTP and SSH.

What services is your Linux box providing right now?

netstat

One way to see this is the netstat command. Running "netstat -l" lists the sockets currently listening on your Linux machine; pipe it through "less" if the list is long. Useful additional flags are -n (show port numbers instead of the service names from /etc/services), -t and -u (TCP or UDP only) and -p (show the PID and program that owns each socket, which needs root). On current distributions netstat is deprecated in favour of "ss", which takes the same letters: "ss -ltnup".

root@debian:/etc# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:1011                  *:*                     LISTEN
tcp        0      0 *:2049                  *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:webcache              *:*                     LISTEN
tcp        0      0 *:3128                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 *:nntp                  *:*                     LISTEN
tcp        0      0 *:1025                  *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:daytime               *:*                     LISTEN
tcp        0      0 *:discard               *:*                     LISTEN
tcp        0      0 *:1024                  *:*                     LISTEN
tcp        0      0 localhost:953           *:*                     LISTEN
tcp        0      0 debian.zoo.org.za:domain *:*                    LISTEN
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
udp        0      0 *:1008                  *:*
udp        0      0 *:2049                  *:*
udp        0      0 *:icpv2                 *:*
udp        0      0 debian.zoo.o:netbios-dgm *:*
udp        0      0 debian.zoo.or:netbios-ns *:*
udp        0      0 *:netbios-dgm           *:*
udp        0      0 *:netbios-ns            *:*
udp        0      0 *:ntalk                 *:*
udp        0      0 *:talk                  *:*
udp        0      0 *:discard               *:*
udp        0      0 *:1026                  *:*
udp        0      0 localhost:921           *:*
udp        0      0 *:1025                  *:*
udp        0      0 *:791                   *:*
udp        0      0 *:1024                  *:*
udp        0      0 debian.zoo.org.za:domain *:*
udp        0      0 localhost:domain        *:*
udp        0      0 *:sunrpc                *:*
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     184    /var/run/news/nntpin
unix  0      [ ACC ]     STREAM     LISTENING     327    /tmp/.gdm_socket
unix  0      [ ACC ]     STREAM     LISTENING     234    /tmp/.font-unix/fs7100
unix  0      [ ACC ]     STREAM     LISTENING     53122  /dev/printer
root@debian:/etc#
                    

Looking at the report above, among the services available or listening are: talk and ntalk (the network talk server), telnet, ftp, sunrpc (the RPC portmapper) together with port 2049 (NFS), and the NetBIOS session and name services (netbios-ssn and netbios-ns, i.e. Samba). Note that telnet and ftp carry passwords in cleartext, so they are the first candidates for removal; the "*:" in the local address column means the socket is bound to every interface, not just localhost.

The problem with having so much available is that people may be connecting to these services without our knowing, so a good rule of thumb is to shut down any service that is not being used.
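Reading the netstat listing by eye works once; repeating it on every host does not. The script below is an added example, not part of the original course: it compares netstat -l output against a list of services the host is supposed to offer and prints the rest. The expected list and the shortened sample (a constructed copy of a few lines from the listing above) are assumptions for the demo; in practice the list comes from the host's build document and the input is live output.

```shell
#!/bin/sh
# Added example (not from the course): list listening sockets that are
# not on an expected-services allowlist.  Feed it "netstat -l" output;
# the sample below is constructed for the demo.
#
# Usage: netstat -l | audit_listeners "ssh www smtp"

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 localhost:953           *:*                     LISTEN
udp        0      0 *:ntalk                 *:*
udp        0      0 *:sunrpc                *:*
raw        0      0 *:icmp                  *:*                     7'

# audit_listeners "svc svc ..."  (reads netstat output on stdin)
# Prints one "proto service" pair per listener that is not expected.
# Sockets bound only to localhost are skipped: they are not reachable
# from the network.  Run netstat without -n so the service column holds
# names; with -n you would put port numbers in the allowlist instead.
audit_listeners() {
    expected=$1
    awk -v expected="$expected" '
        BEGIN {
            n = split(expected, e, " ")
            for (i = 1; i <= n; i++) ok[e[i]] = 1
        }
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            if (addr ~ /^localhost:/ || addr ~ /^127\./) next   # loopback only
            svc = addr
            sub(/.*:/, "", svc)                                  # text after the last ":"
            if (!(svc in ok)) print $1, svc
        }'
}

# Demo run on the constructed sample: everything but ssh and www is reported.
echo "$SAMPLE_NETSTAT" | audit_listeners "ssh www"
```

Anything the script prints is either a service to shut down or one that belongs on the allowlist; either way it has to be decided, which is the point of the exercise. Pair it with netstat -lp (or ss -ltnup) to find the process behind each unexpected port.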

Many of these services are not daemons of their own: they are started on demand by inetd, the Internet superserver.

In Debian the file /etc/inetd.conf configures these services, and disabling one is a matter of editing this file and commenting out, with a #, the entries you do not want. Debian also provides update-inetd, which does the same thing and keeps the change safe across package upgrades: "update-inetd --disable telnet".

I encourage you now to look through the netstat -l report, determine which of the services you do not want to use (such as telnet), and comment those entries out of your inetd.conf file.

root@debian:/etc# cat inetd.conf
# /etc/inetd.conf:  see inetd(8) for further informations.
#
# Internet server configuration database
#
#
# Lines starting with "#:LABEL:" or "#<off>#" should not
# be changed unless you know what you are doing!
#
# If you want to disable an entry so it isn't touched during
# package updates just comment it out with a single '#' character.
#
# Packages should modify this file by using update-inetd(8)
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
#:INTERNAL: Internal services
#echo           stream  tcp     nowait  root    internal
#echo           dgram   udp     wait    root    internal
#chargen        stream  tcp     nowait  root    internal
#chargen        dgram   udp     wait    root    internal
discard         stream  tcp     nowait  root    internal
discard         dgram   udp     wait    root    internal
daytime         stream  tcp     nowait  root    internal
#daytime        dgram   udp     wait    root    internal
#time           stream  tcp     nowait  root    internal
#time           dgram   udp     wait    root    internal

#:STANDARD: These are standard services.
telnet          stream  tcp     nowait  telnetd.telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp             stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd

#:BSD: Shell, login, exec and talk are BSD protocols.
talk            dgram   udp     wait    nobody.tty      /usr/sbin/in.talkd      in.talkd
ntalk           dgram   udp     wait    nobody.tty      /usr/sbin/in.ntalkd     in.ntalkd

#:MAIL: Mail, news and uucp services.
smtp            stream  tcp     nowait  mail    /usr/sbin/exim exim -bs
#pop-3          stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.qpopper -f /etc/qpopper.conf
#imap2          stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/imapd
#imap3          stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/imapd

#:INFO: Info services
ident           stream  tcp     wait    identd  /usr/sbin/identd        identd
#finger         stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd

#:BOOT: Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers."

#:RPC: RPC based services

#:HAM-RADIO: amateur-radio services

#:OTHER: Other services
#<off># netbios-ns      dgram   udp     wait    root    /usr/sbin/tcpd  /usr/sbin/nmbd -a
#<off># netbios-ssn     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/smbd
#<off># swat            stream  tcp     nowait.400      root    /usr/sbin/tcpd  /usr/sbin/swat
391002/1-2 stream rpc/tcp wait root /usr/sbin/famd fam

root@debian:/etc#
                    

Service level security

xinetd and inetd service restrictions

In addition to commenting out lines in inetd.conf, you need to restart inetd for the change to take effect. The easiest way is the "/etc/init.d/inetd restart" command, or send a SIGHUP to the inetd process (kill -HUP <pid>), which makes it re-read its configuration.

root@debian:/home# /etc/init.d/inetd restart
Restarting Internet superserver: inetd
.
root@debian:/home#
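The two steps above (comment the entry out, then reload inetd) are easy to script so the change is repeatable and reviewable. The script below is an added example, not from the original course: it works on whatever file it is given (assumed to be /etc/inetd.conf in real use) and the demo runs on a constructed copy of a few lines from the listing so nothing on the live system is touched.

```shell
#!/bin/sh
# Added example (not from the course): disable inetd services by commenting
# their entries out, as the text describes, then reload inetd.
# FILE is assumed to be /etc/inetd.conf on a real system.

# inetd_disable FILE SERVICE...
# Prepends "#" to every active line whose first field is one of SERVICE.
# Lines that are already comments (including the "#<off>#" package
# markers) do not match "^service" and are left alone.  The service
# name is used inside a regex, and names such as "391002/1-2" contain
# "/", hence "|" as the sed delimiter.
inetd_disable() {
    file=$1; shift
    for svc in "$@"; do
        sed -e "s|^\($svc[[:space:]]\)|#\1|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    done
}

# inetd_active FILE
# Prints the first field of every uncommented entry: what inetd still starts.
inetd_active() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Reload inetd so the change takes effect (run as root on a real system).
inetd_reload() {
    if [ -x /etc/init.d/inetd ]; then
        /etc/init.d/inetd restart
    else
        kill -HUP "$(pidof inetd)"     # inetd re-reads inetd.conf on SIGHUP
    fi
}

# Demo on a constructed copy of a few entries from the listing above.
demo_inetd_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#:STANDARD: These are standard services.
telnet          stream  tcp     nowait  telnetd.telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp             stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#:MAIL: Mail, news and uucp services.
smtp            stream  tcp     nowait  mail    /usr/sbin/exim exim -bs
#<off># netbios-ssn     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/smbd
EOF
    inetd_disable "$tmp" telnet ftp
    inetd_active "$tmp"           # only smtp is still active
    rm -f "$tmp"
}

demo_inetd_conf
```

On a real host the sequence is "inetd_disable /etc/inetd.conf telnet ftp && inetd_reload", followed by netstat -l again to confirm the ports are gone. Keep a copy of the original file first; update-inetd keeps its own bookkeeping and is the safer choice when packages will be upgraded later.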
                    

Once you have removed the inetd services you are not using, such as telnet, talk and ntalk, you then want to look at the other services.

Looking at the netstat -l report again, there are other listeners, such as the web server (www), the proxy ports (webcache, 3128), NFS (2049) and sunrpc, which are not started by inetd but run as daemons of their own. These too should be disabled if nobody needs them, so that people do not connect without our knowing.

Those are stopped through the scripts in /etc/init.d: each file in that directory accepts a start or stop argument, so "/etc/init.d/<service> stop" stops the daemon right now. To keep it from starting again at boot, Debian manages the /etc/rc?.d symlinks with update-rc.d (for example "update-rc.d <service> disable"); on a systemd-based Debian the equivalent is "systemctl disable --now <service>".

Inetd is the "old" way of doing things. There is a newer superserver, xinetd, which has many additional security features and can be configured in many different ways, but essentially it offers the same services that inetd did before. It is configured using two sets of files:

  • /etc/xinetd.conf - the configuration file for xinetd defaults and

  • /etc/xinetd.d/<service-config-name>

In xinetd, each service has an individual configuration file. Thus, POP3 will have a file containing configuration information for the pop3d daemon. Finger, telnet, rsync, Etc. all have configuration files here. Included below is a copy of the rsync configuration file:

# default: off
# description: The rsync server is a good addition to an ftp server, as it
#       allows crc checksumming etc.
service rsync
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
                    

The configuration is fairly straightforward: options such as disable = yes are given inside the {} for the service. xinetd configuration can also restrict which hosts may connect to a service (only_from, no_access), at what times of day clients may connect (access_times), and how many simultaneous connections are allowed (instances, per_source). For more information on configuring your superserver, consult the manpage for xinetd.conf (man 5 xinetd.conf).
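For comparison with the stock file above, here is the same service switched on but restricted, as an added example that is not part of the original course. The 10.0.1.0/24 network, the excluded host 10.0.1.99 and the working hours are assumptions; substitute your own.

```conf
# default: off
# description: rsync in daemon mode, reachable only from the trusted network.
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        # Access control: only the internal network may connect.  The
        # more specific no_access entry wins, so 10.0.1.99 is refused
        # even though it lies inside the only_from range.
        only_from       = 10.0.1.0/24
        no_access       = 10.0.1.99
        # Time-of-day window, 24-hour clock.
        access_times    = 07:00-19:00
        # Resource limits so a single client cannot exhaust the service.
        instances       = 10
        per_source      = 2
        # Log successful connections too, not only refused ones.
        log_on_success  += HOST PID DURATION
        log_on_failure  += HOST USERID
}
```

After editing a file under /etc/xinetd.d, reload xinetd (kill -HUP on its PID, or the init script's reload) and test from a host outside only_from to confirm the refusal shows up in the log.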

TCP Wrappers

TCP wrappers are an important part of securing your hosts. Thus, they are a complete chapter on their own.