System Administration

Transcription

1 System Administration CSE598K/CSE545 - Advanced Network Security Luke St.Clair - Spring

2 Why do we care? This is probably the most important thing you can learn to secure systems? The idea to learn a couple practical things learn some tools to learn more 2

3 How to get in... ssh - secure shell rhosts - it s great! I want that..rhosts - list of users that can log in ssh remotehost command - simply run a command on a remote host (useful for scripts) server not installed on Ubuntu by default (no open ports!) 3

4 Garage door opener Open the door easier let s just say who can access we ll do it by what people have.ssh/authorized_keys ssh-keygen -t dsa - we ll make some keys 4

5 Giving out keys We made keys, now each host just has to make a list of what keys are okay Who needs to know this? scp your.ssh/id_dsa.pub (or similar) to your VM scp.ssh/id_dsa.pub :~/coriakin-key.pub ssh cat ~/coriakin-key.pub >> ~/.ssh/ authorized_keys 5

6 Shortcomings of SSH pairwise keys - gets annoying it s really too many for me to use everywhere You have to trust where your host key is You just forget things MitM how do you check host key? ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub 6

7 It can be a little easier 7

8 Being privileged sudo - superuser do there s no root user! sudo visudo - you can see what the policy is your policy says anyone in the group admin can do anything, if they put their password in note that you had to sudo to change sudoers, the file that controls sudo policy 8

9 Let s get some $\/\/33t w@r3z What if there was a way to install things as long as you know what sort of thing you want? What if you could update everything with a command? 9

10 WINDOWS UPDATE!!?!?!? WINDOWS UPDATE!!!!!! Rulz! roflcopter. 10

11 Aptitude Basic Principles aptitude update - refreshes the list of what exists - practically, do this before you do things aptitude search - look in the whole repository for matches to your search terms (even descriptions!) aptitude install <package name> - installs a package. You have to type the name right aptitude (safe full)-upgrade - upgrade all your packages, safely, or fully 11

12 Let s get a Desktop Some packages are meta packages, which are just shorthand for listing tons of packages let s aptitude install apache2 installs, basically configures, and starts apache2 then aptitude install xubuntu-desktop, which will install a full desktop system, and tightvncserver 12

13 Visit your website Point your browserz at your ip address You ve been hax0r3d! Apache HTTP Server Test powered by CentOS Apache 2 Test powered by CentOS This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page it means that the Apache HTTP server installed at this site is working properly. If you are a member of the general public: The fact that you are seeing this page indicates that the website you just visited is either experiencing problems or is undergoing routine maintenance. If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them . In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person. If you are the website administrator: You may now add content to the directory /var/www/html/. Note that until you do so, people visiting your website will see this page and not your content. To prevent this page from ever being used, follow the instructions in the file /etc/httpd/conf.d/welcome.conf. You are free to use the images below on Apache and CentOS Linux powered HTTP servers. Thanks for using Apache and CentOS! For example, if you experienced problems while visiting you should send to "webmaster@example.com". About CentOS: The Community ENTerprise Operating System (CentOS) is an Enterprise-class Linux Distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor. CentOS conforms fully with the upstream vendors redistribution policy and aims to be 100% binary compatible. (CentOS mainly changes packages to remove upstream vendor branding and artwork.) The CentOS Project is the organization that builds CentOS. For information on CentOS please visit the CentOS website. Note: CentOS is an Operating System and it is used to power this website; however, the webserver is owned by the domain owner and not the CentOS Project. If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. 1 of 2 1/30/08 3:54 PM 13

14 Alternately... 14

15 init.d Nearly every service that would run in the background (apache, ssh, etc) has a script that controls it instead of trying to figure out which process (ps aux) does what, and how to start/stop the process correctly (not kill!), just ask they all start/stop/restart - restart is always a safe bet you d do this if you change the config of a running program let s restart apache sudo /etc/init.d/apache restart (remember to tab complete!) 15

16 VNC this is all easier on the command line... but some stuff isn t (adding users w/ adduser, adding users to groups with usermod -G group user) so we want a desktop, which runs on a remote system, but that we see on our local system 16

17 Tunneling To get this, we have to tunnel our data Clever firewall admins don t let VNC through ssh -L 5900:firsthost:5901 -TN secondhost forwards local port 5900 to port 5901 on firsthost via secondhost - remember this description set up a tunnel from port 5900 on your machine, to 5901 on your VM, via your VM 17

18 All that s left is to connect... Have to start a server on the remote host this is per-user: vncserver :1 set a password On your local host, point your VNC viewer at yourself (remember, 5900, the VNC port gets tunneled to a remote party via someone s ssh service), password is your VNC password, NOT ssh password You ll be prompted for your VNC password if you didn t put it in already 18

19 Ugly Desktop See help.ubuntu.com/community/vncoverssh basically, just put something in your.vnc/xstartup wget put it in your.vnc file in your home directory 19

20 Where to get more help Ubuntuforums.org - by far the best source IRC - lots of noise to signal ratio - irc.freenode.org, #ubuntu wiki.ubuntu.org 20

21 Certificate creation Let s make a certificate Don t try to remember this, just look it up Make a CA: openssl genrsa -des3 -out cakey.key 4096 openssl req -new -x509 -days 365 -key cakey.key -out cacert.crt Create server key, request, sign openssl rsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -set_serial 01 server.crt this avoids reissuing the same certificate 21

22 Setting up Apache sudo a2enmod ssl (enables the SSL module) add to /etc/apache2/sites-available/default, right under virtualhost: SSLEngine on SSLProtocol all SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key In /usr/share/doc/ directory, allow all Order allow, deny Allow all 22

23 Firewalls There are so many ways to do this 23

24 GUIs, or G-U-I s Let s make a firewall, simple-style You can do all of these things with iptables, and there are many good tutorials 24

25 Basic settings Setup pokes some holes in the firewall your ethernet device may be different - there should only be one to choose from anyway 25

26 Policy Play around with this. Firewall your website s port 80, to stop normal http connections (this is not really the best way to do this, but whatever) Don t forget to Apply policy once you create it Browse port 80 and check logs 26

27 IPsec set up rules for when we want ipsec first, add #!/usr/sbin/setkey -f flush; spdflush; to the top of the file - this gets rid of stuff before spdadd any -P in ipsec esp/transport// require; packets from.21 to.20 incoming match this rule - require ipsec spdadd any -P out ipsec esp/ transport//require packets from.20 to.21 outgoing match this rule what does spdadd any -P in... do? 27

28 Racoon This is the program that listens for connections get racoon.conf from tools/config/racoon put it in /etc/racoon.conf Let s look through it... 28

29 Racoon.conf remote anonymous applies this to everything alternative is to configure by ip addr, as in comments proposal is what you propose - other side picks here we only propose one hash, one encryption, and we only auth by pre-shared key, not certs dh_group defines diffie-hellman group - don t worry about this 29

30 SA in racoon.conf Defines how long your connection is good for Defines what encryption you support That s it! 30

31 What did we miss? 31

32 psk Fill in /etc/racoon/psk.txt mine is Try to ping my machine ( ) note the delay or failure sudo setkey -F, sudo setkey -FP should show you something, if you want to check errors or just see what s happening if this doesn t work /etc/init.d/racoon stop, sudo racoon -f /etc/racoon/racoon.conf, and we can see what happens 32