LinuxHardening
LINUX+ LAB SERIES (LX0-102)
Lab 10b: Host Security
Document Version: 2015-09-24
This work by the National Information Security and Geospatial Technologies Consortium (NISGTC), and except where otherwise noted, is licensed under the Creative Commons Attribution 3.0 Unported License.
Development was funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48; The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah.
This workforce solution was funded by a grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties or assurances of any kind, express or implied, with respect to such information, including any information on linked sites, and including, but not limited to accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership.
Linux+ Lab Series (LX0-102) Lab 10b: Host Security
Contents
Introduction 2
Objective 2
Linux+ LX0-102 Exam Objectives 3
Lab Topology 4
Lab Settings 5
1 Login Accounts 6
2 TCP Wrappers 17
3 Managing Network Services 22
Introduction
This lab provides guidance on performing Lab 10b: Host Security of the Linux+ LX0-102 course, using a NETLAB+ system. By performing this lab, students will learn how to establish host security.
Objective
The following task will be performed: Establish host security to alleviate vulnerability of network services.
Linux+ LX0-102 Exam Objectives
This lab will cover the topics for the following LX0-102 objectives:
110.2 Setup host security
1. Awareness of shadow passwords and how they work.
2. Turn off network services not in use.
3. Understand the role of TCP wrappers.
The following is a partial list of the used files, terms, and utilities:
a. /etc/nologin
b. /etc/passwd
c. /etc/shadow
d. /etc/xinetd.d/*
e. /etc/xinetd.conf
f. /etc/inetd.d/*
g. /etc/inetd.conf
h. /etc/inittab
i. /etc/init.d/*
j. /etc/hosts.allow
k. /etc/hosts.deny
Lab Topology
Lab Settings
The information in the table below will be used to complete the lab. Additional details will be provided within the task sections as required.
System Username/Password
CentOS Server sysadmin/netlab123
Ubuntu Server sysadmin/netlab123
Fedora Workstation sysadmin/netlab123
Ubuntu Workstation sysadmin/netlab123
All Machines root/netlab123
1 Login Accounts
In this task, in order to secure your host, you should be aware which accounts have login capabilities and how that can be affected by the existence of the /etc/nologin file.
1. Click on the Fedora Workstation icon in the pod topology to launch the virtual machine.
2. The virtual machine will display a login screen. Make sure sysadmin is in the user field. Enter the password netlab123 and press Enter.
3. Once you have logged in, a terminal window may appear. If it does not, click on the Kickoff Application Launcher, the “f”, in the lower-left corner of the desktop. In the search bar, type konsole and click on Konsole, which will launch a terminal window:
4. In order to log in to a host, an account name must be used along with a password. Account names are stored in the /etc/passwd file. On most Linux distributions, user accounts are assigned the /bin/bash shell. Accounts used to run services are normally assigned the /sbin/nologin shell. Display all accounts that are not assigned the 'nologin' shell by running the following command:
grep -v nologin /etc/passwd
Your output should be similar to the following:
5. The /etc/shadow file stores encrypted passwords and information about "aging" of those passwords (expiration date, etc.), but ordinary users do not have permission to view this file. Try the following cat command, which should fail since you are not logged in as the root user:
cat /etc/shadow
Your output should be similar to the following:
6. Switch to the root user to perform the following tasks:
su -
netlab123
7. View the /etc/shadow file with the cat command:
cat /etc/shadow
8. By using the following grep command, you can display the lines that do not contain either the exclamation point or asterisk characters in the password field of the /etc/shadow file. The "!" and "*" characters mean that these accounts don't have a valid password and, therefore, can't be directly logged into. The output of the following command will display the accounts that have a valid password:
grep -Ev '!|\*' /etc/shadow
Your output should be similar to the following:
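The checks in steps 4 and 8 look at /etc/passwd and /etc/shadow separately; the following script (an added example, not part of the NISGTC lab) joins them into one report of the accounts that have both an interactive shell and a usable password field. The passwd and shadow contents are constructed samples with placeholder hashes so it runs without root.

```shell
#!/bin/sh
# Added example (not part of the NISGTC lab): combine the /etc/passwd check
# from step 4 with the /etc/shadow check from step 8 into one report of the
# accounts that can actually log in interactively. Constructed sample files
# stand in for the real ones so this runs without root; on a real host, run
# it as root against /etc/passwd and /etc/shadow.

# Arguments: $1 = passwd-format file, $2 = shadow-format file.
# Prints "user:shell:status" for every account whose shell is interactive
# (not nologin or false) and whose shadow password field is usable: either a
# hash, or empty (no password at all, which is worse than a locked account).
login_capable_accounts() {
    awk -F: '
        FILENAME == ARGV[1] {            # shadow file: classify the hash field
            if ($2 == "")            state[$1] = "EMPTY-PASSWORD"
            else if ($2 !~ /^[!*]/)  state[$1] = "hashed"
            next                         # "!" or "*" prefix = locked, not stored
        }
        $7 !~ /(nologin|false)$/ && ($1 in state) {
            print $1 ":" $7 ":" state[$1]
        }
    ' "$2" "$1"
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
PASSWD_SAMPLE=$(mktemp); SHADOW_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sysadmin:x:1000:1000:Sysadmin:/home/sysadmin:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
svcacct:x:1002:1002:Service:/home/svcacct:/bin/bash
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$constructedsalt$constructedhash:16700:0:99999:7:::
bin:*:16700:0:99999:7:::
postfix:!!:16700:0:99999:7:::
sysadmin:$6$constructedsalt$constructedhash:16700:0:99999:7:::
guest::16700:0:99999:7:::
svcacct:!$6$constructedsalt$constructedhash:16700:0:99999:7:::
EOF

login_capable_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

On the sample data only root, sysadmin and guest are reported; svcacct is excluded because its hash is prefixed with "!" (locked with passwd -l), and the nologin accounts are excluded regardless of their password field.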
9. If the system administrator wants to prevent other users from being able to log in to the host, then this can be accomplished by creating a /etc/nologin file. When this file exists, only the root user can log in. All other users will not be able to log in and will instead be presented with the contents of the /etc/nologin file.
To see a demonstration of this, first use a text editor to create the /etc/nologin file. Place the following text in this file:
System is unavailable due to required maintenance
Then, verify the contents match the following by using the cat command:
cat /etc/nologin
10. Close the terminal window.
11. Click on the "F" in the lower-left, then click on Leave in the lower-right, then click on Log Out at the top. Click Logout on the following windows as well.
12. The virtual machine will display a login screen. Make sure sysadmin is in the user field. Enter the password netlab123 and press Enter.
This attempt should fail and the text inside of the /etc/nologin file should show on the screen. Click on OK:
14. Log in as root with the password netlab123:
15. Once you have logged in, a terminal window may appear. If it does not, click on the Kickoff Application Launcher, the “f”, in the lower-left corner of the desktop. In the search bar, type konsole, and click on Konsole, which will launch a terminal window:
16. Remove the /etc/nologin file, so other users are allowed to log in again:
rm /etc/nologin
rm: remove regular file '/etc/nologin'? y
17. Close the terminal, log out, and close the Fedora Workstation remote PC viewer.
2 TCP Wrappers
In this task you will learn how to secure certain services that may be accessed over the network, using the files /etc/hosts.allow and /etc/hosts.deny.
1. Click on the CentOS Server icon in the pod topology to launch the virtual machine.
2. The virtual machine will display a login screen. Click on sysadmin and enter the password netlab123.
3. Once you have logged in, open a terminal by clicking on Applications, then System Tools, and finally selecting Terminal:
4. Switch to the root user in the terminal window that opens:
su -
netlab123
5. If the executable that starts a service is linked with the libwrap.so library (in other words, it uses the library), then that service can be secured using TCP wrappers. The following commands show that /usr/sbin/sshd is linked with the /lib/libwrap.so file, but that the /usr/sbin/postfix file is not:
ldd /usr/sbin/sshd | grep libwrap
ldd /usr/sbin/postfix | grep libwrap
6. Since executables can also have TCP Wrapper support compiled in directly (without linking), a second check is necessary on files that do not appear to be linked with libwrap. Using the following strings command confirms that /usr/sbin/postfix does not have TCP wrapper support as the string hosts_access is not present in the file:
strings /usr/sbin/postfix | grep hosts_access
7. Use a text editor to add a line to the /etc/hosts.deny file that blocks all services from all clients: ALL: ALL. This prevents anything from "slipping" past the TCP wrapper rules that we will be making in the /etc/hosts.allow file. Use the cat command to display /etc/hosts.deny and confirm that it matches what is shown below:
cat /etc/hosts.deny
Your output should be similar to the following:
8. Using the text editor of your choice, add an entry to the /etc/hosts.allow file that will limit ssh access to hosts on the 127.0.0.0/8 network. Use the cat command to display /etc/hosts.allow to confirm that it is the same as what is shown below:
cat /etc/hosts.allow
Your output should be similar to the following:
9. Test whether our ssh client can connect on the 192.168.1.0/24 and 127.0.0.0/8 networks to our host machine. The first command should fail as the system is only allowing connections from the 127.0.0.0/8 network. The second command should succeed:
ssh 192.168.1.2
ssh 127.0.0.1
Are you sure you want to continue connecting (yes/no) no
Your output should be similar to the following:
You don't need to actually connect, which is why you answered "no" to the prompt.
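To reason about what the two files from steps 7 and 8 will do before testing against a live sshd, the following script (an added example, not part of the NISGTC lab, and not the tcpd/libwrap code itself) reproduces the TCP Wrappers decision order for a daemon and client address. It assumes the hosts.allow entry from step 8 was written in the net/mask form sshd: 127.0.0.0/255.0.0.0, and also understands the trailing-dot prefix form, which goes beyond the single rule the lab uses.

```shell
#!/bin/sh
# Added example (not part of the NISGTC lab): a small evaluator of the
# hosts.allow / hosts.deny logic behind steps 7-9. TCP Wrappers order: a
# hosts.allow match grants, then a hosts.deny match refuses, and anything
# unmatched is allowed. Client patterns supported: ALL, an exact IPv4
# address, a trailing-dot prefix like "127.", and net/mask in dotted form
# like 127.0.0.0/255.0.0.0 (the form assumed for the step 8 entry).

ip2int() {   # dotted IPv4 address -> integer, for mask comparisons
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

client_matches() {   # does client pattern $1 match client IP $2?
    case $1 in
        ALL) return 0 ;;
        */*) mask=$(ip2int "${1#*/}")
             [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "${1%/*}") & mask )) ] ;;
        *.)  case $2 in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

rules_match() {   # does any rule in file $1 match daemon $2 and client IP $3?
    sed 's/#.*//' "$1" | {
        while IFS=: read -r daemons clients rest; do
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $(printf '%s' "$clients" | tr ',' ' '); do
                    client_matches "$c" "$3" && exit 0   # leaves the subshell
                done
            done
        done
        exit 1
    }
}

wrapper_decision() {   # $1 daemon, $2 client IP, $3 hosts.allow, $4 hosts.deny
    if rules_match "$3" "$1" "$2"; then echo allow
    elif rules_match "$4" "$1" "$2"; then echo deny
    else echo allow; fi
}
# Constructed copies of the two files the lab has you write in steps 7 and 8.
ALLOW_SAMPLE=$(mktemp); DENY_SAMPLE=$(mktemp)
printf 'sshd: 127.0.0.0/255.0.0.0\n' > "$ALLOW_SAMPLE"
printf 'ALL: ALL\n' > "$DENY_SAMPLE"
for client in 127.0.0.1 192.168.1.2; do
    echo "sshd from $client: $(wrapper_decision sshd "$client" "$ALLOW_SAMPLE" "$DENY_SAMPLE")"
done
```

Note that the evaluator, like libwrap itself, only governs daemons that actually consult the wrapper library (step 5 and 6), so a "deny" here says nothing about a service such as postfix that never calls hosts_access.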
3 Managing Network Services
By learning how to disable unused network services, you will be able to enhance the security of a host by eliminating unnecessary vulnerabilities.
1. To view which services are enabled to start, use the chkconfig command to list the services. Note that not every service listed is a network service. Note that the service names are highlighted below:
chkconfig --list | grep ':on'
Your output should be similar to the following:
2. To disable a service in a Red Hat-derived distribution like Fedora or CentOS, use the chkconfig servicename off command, where "servicename" is the name of a service like avahi-daemon. This will prevent the service from starting automatically. The names of available services can also be found by listing the contents of the /etc/init.d and /etc/xinetd.d directories:
chkconfig avahi-daemon off
3. Note that the chkconfig command only prevents services from being started during a reboot; the service is still running right now. To stop a service immediately, use the service servicename stop command:
service avahi-daemon stop
Your output should be similar to the following:
Important note: Before stopping any service, consult the documentation to learn what the service does. A good place to start looking for this information is man pages.
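Because chkconfig --list reports SysV services and xinetd-managed services in two different layouts, the following script (an added example, not part of the NISGTC lab) parses a constructed copy of that output and lists what will start in a given runlevel, which is the list to review before deciding what to turn off in steps 2 and 3.

```shell
#!/bin/sh
# Added example (not part of the NISGTC lab): parse the output format of
# "chkconfig --list" from step 1 and report which services will start in a
# given runlevel. SysV services show per-runlevel on/off fields; xinetd
# services appear under "xinetd based services:" and start whenever xinetd
# itself is running. A constructed sample of the output is used so the script
# runs on systems without chkconfig.

# Arguments: $1 = file holding chkconfig --list output, $2 = runlevel (0-6).
# Prints one service name per line; xinetd services are tagged "(xinetd)".
services_on_in_runlevel() {
    awk -v rl="$2" '
        # SysV line: "name  0:off 1:off 2:on 3:on 4:on 5:on 6:off"
        $0 ~ ("[ \t]" rl ":on([ \t]|$)") { print $1; next }
        # xinetd line: "  name:  on" (only these have a colon-terminated $1)
        $1 ~ /:$/ && $2 == "on" { sub(/:$/, "", $1); print $1 " (xinetd)" }
    ' "$1"
}

# Constructed sample of chkconfig --list output (not captured from the lab VM).
CHKCONFIG_SAMPLE=$(mktemp)
cat > "$CHKCONFIG_SAMPLE" <<'EOF'
abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
        tftp:           on
EOF

echo "Services starting in runlevel 3:"
services_on_in_runlevel "$CHKCONFIG_SAMPLE" 3
```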
4. Click the X in the upper-right corner to close the terminal window.
5. Close the CentOS Server remote PC window.
6. Click the I'm Done button to end the reservation.