9/04/2011

IPTables 1

IPTables

IPTables is a front-end used to control and manage netfilter.
Netfilter (the firewall) is a framework integrated into the Linux kernel.
IPTables consists of 3 tables (Filter, NAT, Mangle).
We will focus on layer 3 (Network), controlling source and destination IP addresses, and layer 4 (Transport), TCP and UDP.
The Filter table is used to control IP packet filtering, and it consists of 3 chains (INPUT, FORWARD, OUTPUT).


  • How to use IPTables:

An iptables command consists of several parts, starting with iptables. We now discuss the fields of the iptables command:
1- iptables
2- action (append, replace, insert, delete ...) followed by the name of the chain, such as (INPUT, FORWARD, OUTPUT) for the Filter table.
3- name of the table with the -t option (-t mangle); if not specified, the Filter table is used by default.
4- specify the source IP (-s), the destination IP (-d), or both.
5- specify the protocol and ports: protocols such as (tcp, udp, icmp) with (-p), and the source port and destination port, such as (ssh, telnet ...), with (--sport) and (--dport) respectively.
6- select the target with the (-j) option followed by the type of target (ACCEPT, DROP, DENY, LOG, REJECT)

Hint 1: skip step 3 if you work on the Filter table; otherwise you must specify the name of the table.
Hint 2: you don't have to use all the steps; use what is required to make the rule correct and safe.

Examples:
1- block IP address 192.168.0.20 from connecting to my ssh
iptables -A INPUT -s 192.168.0.20 -p tcp --dport ssh -j DROP
-A appends the rule
INPUT specifies the name of the chain; the INPUT chain is concerned with incoming communication
-s specifies the source IP address
-p specifies the protocol name
--dport specifies the destination port (the destination port because we are handling INPUT communication)
-j selects the target name to refuse this communication
To make sure that the rule is appended, run iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  192.168.0.20         anywhere            tcp dpt:ssh 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now we have blocked 192.168.0.20 from connecting to the local ssh.
2- block 192.168.0.20 from connecting to the local system at all
iptables -A INPUT -s 192.168.0.20 -j DROP
Hint 3: to start iptables: /sbin/service iptables start
Hint 4: to make iptables start at system boot: /sbin/chkconfig iptables on
Hint 5: use /sbin/ip6tables to configure your firewall for IPv6.
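Added here as an example (not code from the post): a small first-match simulator for one Filter-table chain. It shows the two things the rules above depend on but do not say out loud: rules are evaluated top to bottom and the first match wins (so -A versus -I matters), and a packet no rule matches is decided by the chain policy shown in iptables -L. The rules file format is constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the post): a first-match simulator for one Filter-table
# chain, showing why rule ORDER and the chain POLICY decide what happens.
# Rules live in a constructed text file, one per line, mirroring iptables fields:
#   chain  source|any  proto|any  dport|any  target
# -A appends at the END of the chain, -I inserts at the TOP, as in iptables.

# Like "iptables -A CHAIN -s SRC -p PROTO --dport PORT -j TARGET"
add_rule() {   # add_rule <rules-file> <chain> <src> <proto> <dport> <target>
    printf '%s %s %s %s %s\n' "$2" "$3" "$4" "$5" "$6" >> "$1"
}

# Like "iptables -I CHAIN 1 ..." (the new rule becomes the first one evaluated)
insert_rule() {   # insert_rule <rules-file> <chain> <src> <proto> <dport> <target>
    { printf '%s %s %s %s %s\n' "$2" "$3" "$4" "$5" "$6"; cat "$1"; } > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Walk the chain top to bottom; the first rule that matches decides the fate of
# the packet. If no rule matches, the chain policy applies (the "policy ACCEPT"
# that "iptables -L" prints next to every chain name).
evaluate() {   # evaluate <rules-file> <chain> <policy> <src> <proto> <dport>
    while read -r r_chain r_src r_proto r_dport r_target; do
        [ "$r_chain" = "$2" ] || continue
        [ "$r_src"   = any ] || [ "$r_src"   = "$4" ] || continue
        [ "$r_proto" = any ] || [ "$r_proto" = "$5" ] || continue
        [ "$r_dport" = any ] || [ "$r_dport" = "$6" ] || continue
        echo "$r_target"
        return 0
    done < "$1"
    echo "$3"   # nothing matched: the policy decides
}

RULES=$(mktemp)
# The post's first rule: block ssh (tcp/22) from 192.168.0.20, appended to INPUT.
add_rule "$RULES" INPUT 192.168.0.20 tcp 22 DROP
evaluate "$RULES" INPUT ACCEPT 192.168.0.20 tcp 22   # DROP
evaluate "$RULES" INPUT ACCEPT 192.168.0.21 tcp 22   # ACCEPT, only because the policy is ACCEPT
evaluate "$RULES" INPUT DROP   192.168.0.21 tcp 22   # DROP: a default-deny policy catches it

# Ordering pitfall: an earlier "accept everything from this host" rule shadows a
# DROP appended later with -A; inserting the DROP with -I puts it in front.
add_rule "$RULES" INPUT 192.168.0.30 any any ACCEPT
add_rule "$RULES" INPUT 192.168.0.30 tcp 22 DROP     # never reached
evaluate "$RULES" INPUT ACCEPT 192.168.0.30 tcp 22   # ACCEPT
insert_rule "$RULES" INPUT 192.168.0.30 tcp 22 DROP
evaluate "$RULES" INPUT ACCEPT 192.168.0.30 tcp 22   # DROP
rm -f "$RULES"
```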

8/08/2011

File Integrity Check

File Integrity Check

We will use a program that checks integrity to ensure that all my system files are the right files, to ensure that I don't have back-doors (rootkits), and to check for changes in permissions, access time, inode modification time, etc.

AIDE (Advanced Intrusion Detection Environment)
This program is used to check the integrity of system files. It creates a database containing file information, and I can reuse this database later to verify the integrity of these files.

  • Installation:

1- install mhash (the latest version is mhash-0.9.9.9)

tar -zxvf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure
make
make install

2- install aide (the latest version is aide-0.15.1)

tar -zxvf aide-0.15.1.tar.gz
cd aide-0.15.1
./configure
make
make install

  • Configuration:

You will find aide.conf in aide-0.15.1/doc/
1- uncomment this line
database=file:/home/example/aide.db.new
This line specifies the location of the database.
2- add the files whose details you want to save and whose integrity you want to check;
for example, if I want to check the /etc directory,
add /etc R  in aide.conf
Save your changes and copy the configuration file to your home directory.

  • Create the database:
by the command aide -c aide.conf --init (on the /etc directory)
AIDE, version 0.15.1

### AIDE database at aide.db.new initialized.

Now it creates a file in my home directory, aide.db.new.
Now you can save three files on a CD (the aide binary, aide.conf, aide.db.new).
 

Now let's test.
I will change a configuration file located in /etc, such as hosts:
nano /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               example localhost.localdomain localhost
::1   

I will add this line:
# 127.0.0.1 localhost

Now let's check integrity on the /etc directory:

aide -c aide.conf --check

AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2011-08-08 08:51:40

Summary:
  Total number of files:        2486
  Added files:                  0
  Removed files:                0
  Changed files:                2


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/hosts
changed: /etc/sysconfig/networking/profiles/default/hosts

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/hosts
 Size     : 194                              , 216
 Mtime    : 2011-08-07 01:27:39              , 2011-08-08 08:42:27
 Ctime    : 2011-08-07 01:27:39              , 2011-08-08 08:42:27
 MD5      : 02FfBTSv7TnxZkxsS9VL3g==         , 5p1GYAT86+ChpPhP3T5Rzg==

File: /etc/sysconfig/networking/profiles/default/hosts
 Size     : 194                              , 216
 Mtime    : 2011-08-07 01:27:39              , 2011-08-08 08:42:27
 Ctime    : 2011-08-07 01:27:39              , 2011-08-08 08:42:27
 MD5      : 02FfBTSv7TnxZkxsS9VL3g==         , 5p1GYAT86+ChpPhP3T5Rz

It works right.

If I want this change to /etc/hosts to be added to the aide database:
aide -c aide.conf --update

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

### New AIDE database written to aide.db.new

If I recheck integrity with aide -c aide.conf --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!
Finally, I recommend using this program frequently and checking the integrity of these directories (/bin /boot /etc /lib /usr /sbin).
Add to aide.conf:
/bin   R
/boot  R
/etc   R
/lib   R
/usr   R
/sbin  R

Hint 1: if you want to create a database for the whole (/) filesystem, add / R
Hint 2: if you want to make a compressed database, uncomment
# gzip_dbout=no, change its value to yes, and create a new database (a compressed database will be created).
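As an added example (not the post's commands and not AIDE itself), the same init / check / update cycle written with plain POSIX tools, so the three states the post walks through (fresh database, changed file, accepted update) can be reproduced without installing anything. It records checksum, size and permission bits per file; the directory and sample file are constructed, and file names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not the post's commands and not AIDE itself): a minimal
# init / check / update cycle in the spirit of "aide --init", "--check" and
# "--update", built on cksum (CRC and size) and ls (permission bits) so it runs
# with plain POSIX tools. Database record format, one regular file per line:
#   <path> <crc> <size> <mode>
# File names are assumed to contain no spaces.

# Build one record per regular file below <dir>, sorted by path.
snapshot() {   # snapshot <dir>
    find "$1" -type f | sort | while read -r f; do
        set -- $(cksum "$f")                    # -> crc size path
        printf '%s %s %s %s\n' "$f" "$1" "$2" "$(ls -ld "$f" | cut -d' ' -f1)"
    done
}

integrity_init()   { snapshot "$1" > "$2"; }    # integrity_init <dir> <db>
integrity_update() { snapshot "$1" > "$2"; }    # accept the current state as the new baseline

# Compare the live tree with the database. Prints added/removed/changed lines
# (like AIDE's summary) and returns 1 if anything differs, 0 if all files match.
integrity_check() {   # integrity_check <dir> <db>
    dir=$1 db=$2 rc=0
    new=$(mktemp) oldp=$(mktemp) newp=$(mktemp)
    snapshot "$dir" > "$new"
    cut -d' ' -f1 "$db"  | sort > "$oldp"
    cut -d' ' -f1 "$new" | sort > "$newp"
    for p in $(comm -13 "$oldp" "$newp"); do echo "added: $p";   rc=1; done
    for p in $(comm -23 "$oldp" "$newp"); do echo "removed: $p"; rc=1; done
    # Same path in both: any difference in crc, size or mode counts as changed.
    for p in $(comm -12 "$oldp" "$newp"); do
        o=$(awk -v p="$p" '$1 == p { print $2, $3, $4 }' "$db")
        n=$(awk -v p="$p" '$1 == p { print $2, $3, $4 }' "$new")
        [ "$o" = "$n" ] || { echo "changed: $p (was: $o, now: $n)"; rc=1; }
    done
    rm -f "$new" "$oldp" "$newp"
    return $rc
}

WORK=$(mktemp -d)
mkdir -p "$WORK/etc"
printf '127.0.0.1 localhost\n' > "$WORK/etc/hosts"       # constructed sample file
DB="$WORK/aide.db.new"
integrity_init "$WORK/etc" "$DB"
integrity_check "$WORK/etc" "$DB" && echo "All files match"     # right after init
echo '# 127.0.0.1 localhost' >> "$WORK/etc/hosts"               # the post's test edit
integrity_check "$WORK/etc" "$DB" || echo "found differences between database and filesystem"
integrity_update "$WORK/etc" "$DB"                              # accept the edit
chmod 600 "$WORK/etc/hosts"                                     # a permission-only change is caught too
integrity_check "$WORK/etc" "$DB" || echo "found differences again"
rm -rf "$WORK"
```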

7/20/2011

GPG 2

GNU Privacy Guard 2

  • Encryption and Decryption
We now try to encrypt messages or a text file by using GPG. For example, I have a file (example.txt) containing:

Testing GPG encryption 
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17 18 19 20

I will encrypt it with my public key. Let's list our keys with the command gpg --list-key

pub   2048R/55728FBB 2010-11-20
uid                  example <example@example.com>
sub   2048R/5A5F62F0 2010-11-20

We will encrypt example.txt with my public key (so only I can decrypt this file, because I have the private key that matches this public key).
The standard command is gpg -option -r (ID of recipient) (file to be encrypted)
55728FBB --> ID of my public key
Let's encrypt: gpg --encrypt -r 55728FBB example.txt
It will generate a new file (example.txt.gpg).
To decrypt .gpg files:
gpg --decrypt example.txt.gpg

user: "example <example@example.com>"
2048-bit RSA key, ID B7512E52, created 2011-07-20 (main key ID
55728FBB)
 
gpg: encrypted with 2048-bit RSA key, ID 5A5F62F0, created 2011-07-20
      "example <example@example.com>"
Testing GPG encryption
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17 18 19 20

  • Armor option (Encryption and Decryption)
Let's improve encryption by using the armor option to generate an ASCII-armored file:

gpg -ea -r 55728FBB example.txt
This will generate the file example.txt.asc.
Let's see the contents of this file:
cat example.txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.14 (GNU/Linux)

-----END PGP MESSAGE-----

It's the encrypted file.
To decrypt it:
gpg -d example.txt.asc
or you can save the output in a file by using the -o option:
gpg -o example2.txt -d example.txt.asc
  • Import and Export
Now, how to export my public key (in armor form) to allow others to add my public key and send me encrypted files: gpg --export -a -o (output file)
For example: gpg --export -a -o hamza.pub-key
cat hamza.pub-key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)
-----END PGP PUBLIC KEY BLOCK-----

Now I can send this file to anyone who wants to send me an encrypted message.
To import anyone's public key, to send them an encrypted message or to verify their signature:
gpg --import (public key file name)
gpg --import hamza.pub-key

  • Signing and Encryption
Signing is different from encryption. It is used to prove authenticity: the signature is created with the private key of the sender (signer) and verified by using the sender's public key.
We use signing to verify that what we receive comes from a trusted person.
To make signing work well, the sender and receiver should each raise the level of trust of the other's public key.
For example:
I want to send an encrypted and signed file to a Debian server. To make the signing work well, I should raise the level of trust of Debian's public key, and Debian should do the same for my public key.
So, how do we raise the level of trust?
If I import a public key from another computer on my network
and list my keys with gpg --list-key:
pub   2048R/55728FBB 2010-11-20
uid                  example <example@example.com>
sub   2048R/5A5F62F0 2010-11-20


pub   2048R/AC5A8F7A 2011-03-20
uid                  example2 <example2@example.com>
sub   2048R/A85BBC19 2011-03-20

To raise the level of trust of example2 on my computer, run
gpg --edit-key AC5A8F7A
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  2048R/AC5A8F7A  created: 2011-03-20  expires: never       usage: SC 
                     trust: undefined     validity: unknown
sub  2048R/A85BBC19  created: 2011-03-20  expires: never       usage: E  
[ unknown] (1). example2 <example2@example.com>

Command>

Type trust (if you want more options, enter help)
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 
Now I chose 5 (I trust ultimately), then entered quit. Now you trust this public key. To make sure:
gpg --edit-key AC5A8F7A
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  2048R/AC5A8F7A  created: 2011-03-20  expires: never       usage: SC 
                     trust: ultimate      validity: ultimate
sub  2048R/A85BBC19  created: 2011-03-20  expires: never       usage: E  
[ultimate] (1). example2 <example2@example.com>

The remote machine should do the same for my public key.
Now on the remote machine: how to encrypt and sign a file (example2.txt) for me:
gpg -sea -r 55728FBB example2.txt   (will generate example2.txt.asc)
Then he sends it to me. When I decrypt this file, GPG will tell me whether it is a good signature or not.
gpg -o example2.output.txt -d example2.txt.asc
user: "example <example@example.com>"
2048-bit RSA key, ID B7512E52, created 2011-03-20 (main key ID AC5A8F7A)

gpg: encrypted with 2048-bit RSA key, ID A85BBC19, created 2011-03-20
gpg: Signature made Thu 21 March 2011 01:30:39 AM EET using RSA key ID 55728FBB
gpg: Good signature from "example2 <example2@example.com>"

We notice here: Good signature.
  • Detached Signature
We use it to make sure that an encrypted file matches the sender's public key.
To generate a verification file for our file (example.txt.asc) received from example2:
gpg -b example.txt.asc   (will generate example.txt.asc.sig)
To verify the encrypted file:
gpg --verify example.txt.asc.sig example.txt.asc
gpg: Signature made Thu 21 Jul 2011 02:04:46 AM EET using RSA key ID AC5A8F7A
gpg: Good signature from "example2 <example2@example.com>"

We notice again: Good signature.
Hint 1: to encrypt in armor form directly, use the command
gpg -ea -r (ID of public key of receiver) (file to encrypt)
Hint 2: to encrypt in armor form with signing:
gpg -sea -r (ID of public key of receiver) (file to encrypt)
Hint 3: to verify a downloaded file:
1- import the public key
2- download the file
3- download the signature file (.sig)
4- raise the level of trust: gpg --edit-key (ID of public key to increase trust)
5- check the verification: gpg --verify (file.sig) (downloaded file)

7/18/2011

GPG 1

GNU Privacy Guard

GNU Privacy Guard (GPG/PGP) is used for encrypting messages by using PKI, i.e. asymmetric keys.

The asymmetric key mechanism uses a public and a private key:


  • sender side:
the public key is used to encrypt the message before sending it.

  • receiver side:
the private key is used to decrypt the encrypted message.

  • The owner of the keys can exchange the public key with others, and then they send encrypted messages back to the owner (the message is encrypted with the public key and decrypted with the private key); as usual, the private key must be well secured.
  • GPG is a CLI program (command line interface), and there are GUI programs such as Seahorse.
  • GPG is used for encrypting messages and ASCII files, and for verification.

  • Using GPG
Generate the public and private key:
by the command gpg --gen-key
result:

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. 

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Now hit enter to select the default.
result:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Hit enter again to select the default.
result:

Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n year

You can specify an expiry date; hit enter to choose that the key does not expire.
result:

Key does not expire at all
Is this correct? (y/N)

Hit y.
result:

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name:

Now enter your real name and hit enter, and then:
Email address:
Now enter your e-mail address,
and then hit enter for the comment.
result:

You selected this USER-ID:
    "example <example@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 

Enter o to continue or (N, C, E) to change your data.

You need a Passphrase to protect your secret key.
Enter passphrase:

If you want to use a password for your keys, just enter the password and hit enter; if you don't, just hit enter.

Repeat passphrase:

Repeat the password or hit enter again.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

And GPG starts to generate the keys (hit random keys and move the mouse to help generate the public and private key).

Let's navigate the GPG files:
cd ~/.gnupg/
There are two important files:
secring.gpg ---> private key
pubring.gpg ---> public key

And now you can exchange your public key (pubring.gpg) with others so they can send you encrypted messages...

To see your keys, use the command gpg --list-keys
result:

pub   2048R/55728FBB 2010-11-20
uid                  example <example@example.com>
sub   2048R/5A5F62F0 2010-11-20

55728FBB is the ID of the public key. The ID is unique and is used to specify the recipient, or the owner of the private key that matches the public key.
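The key generation described here and the encrypt / sign / verify cycle from GPG 2, as one added example that is not part of either post: it runs GnuPG unattended in a throwaway keyring and reads the outcome from gpg's --status-fd records (GOODSIG, DECRYPTION_OKAY, BADSIG) rather than from the human-readable "Good signature" line, which is how a script should decide. It assumes GnuPG 2.1 or newer; the two user IDs and the message are constructed, and the demo keys deliberately have no passphrase.

```shell
#!/bin/sh
# Added example (not the posts' own commands): the GPG 1 key generation and the
# GPG 2 encrypt / sign / decrypt / verify cycle, run unattended in a throwaway
# keyring, with the result read from gpg's machine-readable --status-fd records
# instead of eyeballing "Good signature". Needs GnuPG 2.1 or newer. The two
# user IDs and the message are constructed; nothing touches your real ~/.gnupg.

# gpg with the options every step here needs (empty passphrase: demo keys only)
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Prints ok, skipped (no gpg installed) or fail; the exit status follows the word.
gpg_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    home=$(mktemp -d)
    result=$(
        (
            set -e
            GNUPGHOME=$home; export GNUPGHOME; chmod 700 "$home"; cd "$home"
            # Unattended stand-in for the "gpg --gen-key" dialogue in GPG 1:
            # RSA 2048, default usage, never expires. One key per party.
            g --quick-generate-key 'example <example@example.com>'   rsa2048 default 0
            g --quick-generate-key 'example2 <example2@example.com>' rsa2048 default 0
            printf 'Testing GPG encryption\n1 2 3 4 5\n' > msg.txt
            # example2 signs and encrypts for example: the post's "gpg -sea -r ...".
            g -u '<example2@example.com>' -r '<example@example.com>' -sea -o msg.asc msg.txt
            # example decrypts. Every line on fd 1 that starts with "[GNUPG:]" is a
            # status record; GOODSIG and DECRYPTION_OKAY are the ones to require.
            st=$(g --status-fd 1 -o out.txt -d msg.asc)
            echo "$st" | grep -q '^\[GNUPG:\] GOODSIG '
            echo "$st" | grep -q '^\[GNUPG:\] DECRYPTION_OKAY'
            cmp -s msg.txt out.txt
            # Detached signature ("gpg -b") and its verification ("gpg --verify").
            g -u '<example2@example.com>' -b -o msg.txt.sig msg.txt
            g --status-fd 1 --verify msg.txt.sig msg.txt | grep -q '^\[GNUPG:\] GOODSIG '
            # One appended byte must turn GOODSIG into BADSIG.
            printf 'X' >> msg.txt
            g --status-fd 1 --verify msg.txt.sig msg.txt | grep -q '^\[GNUPG:\] BADSIG '
            echo ok
        ) 2>/dev/null || echo fail
    )
    GNUPGHOME=$home gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$home"
    echo "$result"
    [ "$result" = ok ]
}

gpg_demo
```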

7/11/2011

SSH 3

SSH 3 (Port Forwarding)

SSH Port Forwarding, or SSH tunneling, allows you to establish an SSH session (a secured connection) and then make a TCP connection (an unsecured connection) inside the tunnel, or through it.
It is used for securing unsecured connections.




  • Local Port Forwarding :

To understand port forwarding, let's look at examples.
When I want to access my mail via POP (Post Office Protocol), port 110, then to secure this connection I should first establish an SSH session and then make a normal TCP connection through this channel.
1- establish the SSH session
ssh -L 10000:localhost:110 user@mailserver.com
After authentication with any method (password or public key) we have established the SSH session.
Let's describe this command:
-L : local forwarding
10000 : the local port, or local socket, from which the connection will go out to the server; here SSH binds 10000 on the loopback address (127.0.0.1)
110 : the remote port
mailserver.com : the server that ssh connects to

2- making the TCP connection through the SSH channel
In a separate shell window, run
telnet localhost 10000

We made the SSH session and bound port 10000 to the loopback address; now we make a connection through the SSH channel with the command telnet localhost 10000. It is a normal, unsecured connection, but it runs inside a secure channel.
The client sends a message through port 10000 inside the SSH channel, and the server delivers it to port 110.


Another example:

I have a telnet service on my server, and to improve telnet security I disabled receiving connections from any computer (just loopback)
by editing /etc/xinetd.d/telnet and adding bind = 127.0.0.1
When I try to connect to telnet from a remote computer with telnet 192.168.0.200 23
result:
telnet: connect to address 192.168.0.200: Connection refused
telnet: Unable to connect to remote host: Connection refused

We can still access telnet via an SSH tunnel from the client:
ssh -L 9999:127.0.0.1:23 192.168.0.20

and from the client again, in a separate shell window:
telnet localhost 9999

It will connect; now I have a secure connection between client and server (telnet), although telnet is not a secure connection.
It can also be applied to any unsecured connection, such as FTP:

the FTP connection will be secured inside the SSH channel.


  • Remote Port Forwarding:

In Local Port Forwarding I started the session from the client to the server, but Remote Port Forwarding is the opposite: the session starts from the server and then goes to the client.

Example:
I want to connect to an (internal) SSH server with IP 192.168.0.20, but the server is behind a firewall, so the (external) client can't reach it.

To get access we make a reverse tunnel, or Remote Port Forwarding:
1- Establish the SSH session from the server by the command
ssh -R 9999:localhost:22 192.168.0.20

2- Make the SSH connection through the SSH tunnel
ssh -p 9999 localhost

Here we make the SSH session from the server to the client (reverse), and the client accesses SSH via the tunnel, because the client can't make the SSH session itself because of the firewall.

Hint 1: to see SSH Port Forwarding debug output, use the -v option, for example:
ssh -v -L 9999:127.0.0.1:23 192.168.0.20
Hint 2: when the destination host is not localhost, this means the connection is not fully encrypted.
For example:
ssh -L 9999:192.168.0.25:23 192.168.0.20
This means the connection between the client and 192.168.0.20 is encrypted, but between 192.168.0.20 and 192.168.0.25 it will not be encrypted.

The client connects to 192.168.0.20 via the SSH connection (encrypted), and 192.168.0.20 delivers the messages from the client to 192.168.0.25 through port 25 via telnet (not encrypted). Here we have another use of SSH Port Forwarding: you can connect to a server that provides a service via the SSH server.

7/10/2011

SSH 2

SSH 2


Configuring SSH:

  • generate keys by the command ssh-keygen -t rsa
    and then follow the default configuration

Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa):
Created directory '/home/example/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/example/.ssh/id_rsa.
Your public key has been saved in /home/example/.ssh/id_rsa.pub.
The key fingerprint is:
5e:3f:6f:57:42:d0:b2:f5:aa:98:53:0f:20:5d:b0:2a example@example

It generates 2 files in ~/.ssh (id_rsa and id_rsa.pub):

id_rsa : the private key; it should be protected.
id_rsa.pub : the public key.


  • installing the public key
You can use the command ssh-copy-id to copy the public key to another computer, or you can also use scp to copy the public key.

  • server trusts client
If the server trusts the client, the client can access the SSH server without a password (password-less log-in).

1- the server copies the client's public key to ~/.ssh/ (ssh-copy-id or scp).
2- rename the public key to authorized_keys.
3- change its permissions to 600 (chmod 600 authorized_keys).

  • X11 session forwarding
To allow running some X window programs, such as Firefox, on a remote computer.



edit sshd_config: nano /etc/ssh/sshd_config
and check these options:
X11Forwarding yes 
X11DisplayOffset 10 
X11UseLocalhost yes 

Then connect to the remote computer by the command:
ssh -X username@server



Securing SSH:
  • don't allow root log-in
edit sshd_config: nano /etc/ssh/sshd_config; you will find #PermitRootLogin yes
remove the # and change the value to no: PermitRootLogin no
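The "server trusts client" steps and the sshd_config edit above, as one added example (not the post's own steps). The key install appends rather than overwrites, skips a key already present, and sets the .ssh directory to 700 as well as authorized_keys to 600; the config helper turns "#PermitRootLogin yes" into "PermitRootLogin no" whether the directive is commented out, set to another value or missing. It runs on a constructed home directory and a constructed sshd_config excerpt, never on /etc/ssh/sshd_config, and assumes the directive is in the global section rather than inside a Match block.

```shell
#!/bin/sh
# Added example (not the post's own steps): the "server trusts client" install
# done safely (key appended once, .ssh 700, authorized_keys 600) plus a helper
# that sets an sshd_config directive whether it is commented out, set to another
# value, or missing. It runs on a constructed home directory and a constructed
# sshd_config excerpt, never on the real /etc/ssh/sshd_config. The directive is
# assumed to live in the global section, not inside a Match block.

# install_authorized_key <home-dir> <pubkey-file>  -> prints installed | already present
install_authorized_key() {
    home=$1 pub=$2
    auth="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$auth" && chmod 600 "$auth"
    key=$(cat "$pub")
    # A key line is "type base64 [comment]"; compare the first two fields so that
    # re-running with a different comment does not add a second copy.
    kid=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$auth" | grep -qxF -- "$kid"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "installed"
    fi
}

# set_sshd_option <config-file> <Directive> <value>
# The first matching line ("Directive ...", "#Directive ..." or "# Directive ...")
# is replaced by "Directive value"; later duplicates are dropped, because sshd
# honours only the first occurrence and a leftover copy can silently win.
set_sshd_option() {
    awk -v k="$2" -v v="$3" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
        line ~ ("^" k "([ \t]|$)") { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_sshd_option <config-file> <Directive>  -> the active (uncommented) value
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

W=$(mktemp -d)
# Constructed key line (not a real key) and a constructed sshd_config excerpt.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY example@example\n' > "$W/id_rsa.pub"
install_authorized_key "$W/home" "$W/id_rsa.pub"    # installed
install_authorized_key "$W/home" "$W/id_rsa.pub"    # already present
ls -ld "$W/home/.ssh" "$W/home/.ssh/authorized_keys"

printf '#PermitRootLogin yes\nX11Forwarding no\n# PasswordAuthentication yes\n' > "$W/sshd_config"
set_sshd_option "$W/sshd_config" PermitRootLogin no         # the post's hardening step
set_sshd_option "$W/sshd_config" X11Forwarding yes          # needed for ssh -X
set_sshd_option "$W/sshd_config" PasswordAuthentication no  # key-only logins once authorized_keys works
cat "$W/sshd_config"
rm -rf "$W"
```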


  • By TCP Wrapper
Add SSHD to TCP Wrapper to allow and deny hosts connecting to SSHD
by editing /etc/hosts.allow or /etc/hosts.deny.
For example,
to deny host 192.168.0.132 from connecting to the SSH server:

nano /etc/hosts.deny

sshd : 192.168.0.132

7/06/2011

SSH 1

SSH 1

SSH (secure shell): used for making an encrypted connection between 2 computers, using a secure channel between these computers for remote access, copying files, etc.

SSH is based on the client-server model:
  • server (SSHD)
  • clients (scp, sftp, ssh)

Why SSH:
SSH with its sub-systems (scp, sftp) is a replacement for (telnet, ftp, rcp); the protocols these programs use are unsecured.
Telnet, for example, uses an unsecured channel to connect to another computer, so a man-in-the-middle attack can intercept telnet messages and get sensitive information such as the user name and password.
You can try it: use telnet to connect to another computer in your network, then use a sniffer program such as Wireshark or tcpdump, and you will see every message between the computers.
So, we use ssh to secure connections, and we can copy files and send commands between networks securely.
SSH uses the asymmetric key mechanism to authenticate and secure the connection.
Asymmetric key, or public-key cryptography, mechanism:
It consists of a pair of keys, a public key and a private key.

  • sender side:
the public key is used to encrypt the message before sending it.

  • receiver side:
the private key is used to decrypt the encrypted message.

This mechanism is used in SSH.

  • SSH generates the public and private keys
by running the command ssh-keygen
  • the keys are located in ~/.ssh/
id_rsa ---> private key (must be kept secure).
id_rsa.pub ---> public key; it can be copied to another computer to connect to the SSH server (SSHD).

  • the public key can be copied to another computer by using the command ssh-copy-id
known_hosts ---> file containing the public keys of the SSH servers (SSHD) this computer connects to; it is not this computer's own public key.

SSH also contains sub-systems (scp, sftp):
  • scp is used to copy a file over a secure channel (secured by ssh).
  • sftp is used instead of ftp to transfer files between 2 computers securely.

7/01/2011

TCP Wrapper

TCP Wrapper

inetd: a daemon that listens on specific ports, such as (telnet 23, ftp 21); when it receives a packet, it launches the appropriate program to handle the connection.

Xinetd: does the same work, but with more security features, such as TCP Wrapper.

TCP Wrapper: supports TCP/IP security by using an Access Control List; it works with Xinetd to provide security for some connections, such as telnet or ftp, and even SSH.

When you want to connect to telnet (in.telnetd), Xinetd consults TCP Wrapper to decide whether this connection is allowed or not.

TCP Wrapper consists of:

1- the hosts.allow and hosts.deny files.
2- tcpdmatch: a program that explains how TCP Wrapper would handle a specific request.
3- tcpdchk: the TCP Wrapper configuration checker program.

How it works:

When I want to connect to the telnet server (in.telnetd):
1- parse hosts.allow to apply the rules for the telnet service; if a match is found, the connection is allowed, else move to step 2.
2- parse hosts.deny to apply the rules for the telnet service; if a match is found, the connection is denied.
3- if there is no match in hosts.allow or hosts.deny, access is granted.

Securing TCP:

  • To allow hosts to access, add a rule in hosts.allow; for example, to allow 192.168.0.150 to access my telnet server,
edit my hosts.allow:

nano /etc/hosts.allow

and add a rule to allow 192.168.0.150 to access my telnet server:

in.telnetd : 192.168.0.150

  • To deny hosts access to my telnet server, add a rule in hosts.deny; for example, if I want to deny 192.168.0.160 access to my telnet server,

edit my hosts.deny:

nano /etc/hosts.deny

and add a rule to deny 192.168.0.160 access to my telnet server:

in.telnetd : 192.168.0.160

hint 1: to add more than one address, just separate the addresses with spaces.

in.telnetd : 192.168.0.160 192.168.0.161 192.168.0.162

hint 2: there is no need to restart or reload any daemons after editing hosts.allow or hosts.deny.

hint 3: to allow the whole network to access:

in.telnetd : 192.168.0.

or

in.telnetd : 192.168.0.0/255.255.255.0
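The hosts.allow / hosts.deny evaluation order described above, and the sshd entry from the SSH 2 post, as one added example that is not part of either post: a small simulator that applies the same three-step decision to constructed files, so a rule set can be reasoned about before it goes on a live box. It understands the client forms the posts use (one address, a space-separated list, the "192.168.0." prefix and "192.168.0.0/255.255.255.0") plus the ALL wildcard; EXCEPT and host names are not handled, and tcpdmatch remains the tool for checking a real configuration.

```shell
#!/bin/sh
# Added example (not the post's files): a simulator for the hosts.allow ->
# hosts.deny -> default-allow decision described above, so a rule set can be
# reasoned about before touching a live telnet or sshd. It understands the client
# forms the post uses (single address, space-separated list, the "192.168.0."
# prefix and "192.168.0.0/255.255.255.0") plus the ALL wildcard; EXCEPT and host
# names are not handled. Files are constructed here; use tcpdmatch on a real box.

# Apply a dotted-quad netmask to an address, octet by octet.
masked() {   # masked <ip> <mask>
    ip=$1 mask=$2 oldifs=$IFS
    IFS=.; set -- $ip;   i1=$1 i2=$2 i3=$3 i4=$4
           set -- $mask; m1=$1 m2=$2 m3=$3 m4=$4
    IFS=$oldifs
    echo "$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).$((i4 & m4))"
}

# Does one client pattern from a rule match <client-ip>?
host_matches() {   # host_matches <pattern> <client-ip>
    pat=$1 ip=$2
    case $pat in
        ALL) return 0 ;;
        */*) [ "$(masked "$ip" "${pat#*/}")" = "$(masked "${pat%/*}" "${pat#*/}")" ] ;;
        *.)  case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

# Does any "daemon_list : client_list" line in <file> match <daemon> and <client-ip>?
# Text after # is a comment; a missing file matches nothing.
file_matches() {   # file_matches <file> <daemon> <client-ip>
    [ -f "$1" ] || return 1
    sed 's/#.*//' "$1" | grep ':' | (
        while IFS= read -r line; do
            daemons=${line%%:*} clients=${line#*:}
            for d in $daemons; do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $clients; do
                    host_matches "$c" "$3" && exit 0
                done
            done
        done
        exit 1
    )
}

# The order tcpd applies: hosts.allow first, then hosts.deny, otherwise allow.
tcpd_decision() {   # tcpd_decision <hosts.allow> <hosts.deny> <daemon> <client-ip>
    if   file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

W=$(mktemp -d)
cat > "$W/hosts.allow" <<'EOF'
# constructed sample, mirroring the post
in.telnetd : 192.168.0.150
sshd       : 192.168.0.
EOF
cat > "$W/hosts.deny" <<'EOF'
in.telnetd : 192.168.0.160 192.168.0.161 192.168.0.162
sshd       : 192.168.0.132
ALL        : ALL     # default deny: whatever hosts.allow does not list is refused
EOF
for q in "in.telnetd 192.168.0.150" "in.telnetd 192.168.0.161" \
         "sshd 192.168.0.132" "in.telnetd 10.0.0.5"; do
    set -- $q
    printf '%-12s %-16s -> %s\n' "$1" "$2" "$(tcpd_decision "$W/hosts.allow" "$W/hosts.deny" "$1" "$2")"
done
# sshd from 192.168.0.132 is ALLOWED despite the hosts.deny entry: the broad
# "192.168.0." line in hosts.allow matches first, and hosts.allow always wins.
rm -rf "$W"
```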

6/27/2011

NMAP 2

NMAP 2

Let's try using nmap to scan, and see how to use it to lock down and stop unused services (an attacker may use these services to attack by exploiting them).



By using the command nmap -sS localhost to scan my computer,
result:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

We see here 4 ports, so 4 services on my computer.
We want to get more information about these services:
1- SMTP uses port 25; if it is not used on your computer, shut it down by stopping its daemon (exim4 or postfix) with the command /etc/init.d/postfix stop

Let's start scanning again: nmap -sS localhost
result :

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
631/tcp  open  ipp
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds



SMTP is gone.


2- rpcbind
Let's see what that is:

cat /etc/services | grep 111
result :

sunrpc        111/tcp        portmapper    # RPC 4.0 portmapper
sunrpc        111/udp        portmapper 

and try another: netstat -ntlp | grep 111
result :

tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2419/portmap

"LISTEN": it's active and waiting, so let's stop the portmap daemon:
/etc/init.d/portmap stop

Scanning again: nmap -sS localhost
result :
 
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
631/tcp  open  ipp
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds  

portmap is gone too.

3- ipp

cat /etc/services | grep 631
result :

ipp        631/tcp                # Internet Printing Protocol
ipp        631/udp
 
and try another: netstat -ntlp | grep 631
result :

tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1197/cupsd   

"LISTEN": it's active, so let's shut it down:
/etc/init.d/cups stop


Scanning again: nmap -sS localhost
result:


Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds   

It's better now (if you want to shut down HTTP, just shut down its daemon, "apache").

hint:
I used /etc/init.d/ here to stop and start daemons; other Linux distros may be different, such as Red Hat or CentOS (/sbin/service httpd start) to start the Apache server (http).

6/25/2011

NMAP 1

NMAP 1

nmap, or Network Mapper, is a security scanner used to scan ports, fingerprint the OS, grab banners and more, on a range of networks or a specific machine.
It was written by Fyodor.
Now we want to use this program to scan our system to know what banners will be shown to an attacker, and which open ports are not useful to my system, so that I can close them or shut down the services that run on these ports.
1- installation:
you can download it from nmap

2- some explanation:

When I type the command nmap, it will show a lot of options or (techniques);

I will explain the most commonly used techniques.

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-sU: UDP Scan

-sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags <flags>: Customize TCP scan flags

-sI <zombie host[:probeport]>: Idle scan

-sY/sZ: SCTP INIT/COOKIE-ECHO scans

-sO: IP protocol scan

-b <FTP relay host>: FTP bounce scan

-------------
-sS

It's the TCP SYN scan, the default scanning operation; it's fast and can scan a large range of ports in seconds.

It scans TCP ports by making half-open connections (when pc1 wants to connect to pc2 on a TCP port, the three-way handshake occurs in this sequence: 1- pc1 sends a SYN packet, 2- pc2 sends a SYN/ACK packet, 3- pc1 sends an ACK packet; this is called the three-way handshake), so in a half-open connection there is no ACK packet.

It's safer and stealthier.

-sT

It's the TCP connect() scan; it also scans TCP ports, but with a complete three-way handshake. It establishes a connection between client and server; it's not stealthy and the scan operation may be logged (because it establishes a connection).

-sU

used to scan UDP ports.

-sY

SCTP (Stream Control Transmission Protocol) combines most characteristics of the TCP and UDP protocols;

this scan is equivalent to TCP SYN scanning (it makes a half-open connection).





3- usage:
simply by the command nmap -technique (ip address or host name)

for example: nmap -sS localhost
let's apply this command: nmap -sS localhost
result:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-26 02:25 EEST
Interesting ports on example (127.0.0.1):
Not shown: 997 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
631/tcp  open  ipp

Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds

 
This means I have just two ports open (111 and 631) with services (rpcbind and ipp).

And by applying nmap -sU localhost
result:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-26 02:43 EEST
Interesting ports on example (127.0.0.1):
Not shown: 997 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
631/udp  open|filtered ipp
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds



Now I have three UDP ports open but filtered (by a firewall).
Closing unused ports and services will be discussed later.

Now we have additional features:
  • OS detection: used to detect the OS
         by using the command nmap -O (ip address or host name)
  • Service and Version Detection: used to detect the service names and the versions of the daemons that run on these services

    by using the command nmap -sV (ip address or host name)

  • detect both the OS and Service and Version:

    by using the command nmap -A (ip address or host name)
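The scan-then-netstat routine of NMAP 2, and the TCP / UDP scan results of this post, as one added example that is not part of either post: it joins the two outputs into a single review table, so each open port is tied to the process to stop and to the address it listens on. The point it makes that the posts only hint at: a localhost scan also shows services bound to 127.0.0.1 (cupsd above), which are not reachable from the network, while a 0.0.0.0 bind (portmap) is. Both captures are constructed to match the results shown in the posts.

```shell
#!/bin/sh
# Added example (not from the posts): join the output of "nmap -sS/-sU" with
# "netstat -ntulp" into one review table, so every open port is tied to the
# process to stop and to the address it listens on. A 127.0.0.1 bind (cupsd above)
# is unreachable from the network even though a localhost scan shows it open;
# 0.0.0.0 (portmap) is exposed. Both captures are constructed to match the posts.

NMAP_OUT='Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE         SERVICE
25/tcp   open          smtp
111/tcp  open          rpcbind
631/tcp  open          ipp
80/tcp   open          http
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds'

NETSTAT_OUT='tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2419/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1197/cupsd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1500/apache2
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1320/master
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           900/avahi-daemon'

# nmap_ports <nmap-output>  -> "port proto state service" per port line
nmap_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ { split($1, a, "/"); print a[1], a[2], $2, $3 }'
}

# listener_for <netstat-output> <proto> <port>  -> "bind-address pid/program" or "- -"
listener_for() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 == proto {
            n = split($4, a, ":"); addr = $4; sub(/:[0-9]+$/, "", addr)
            if (a[n] == port) { print addr, $NF; found = 1; exit }
        }
        END { if (!found) print "- -" }'
}

# review <nmap-output> <netstat-output>  -> one line per open port:
#   port/proto state service bind-address pid/program exposure
review() {
    nm=$1 ns=$2
    nmap_ports "$nm" | while read -r port proto state service; do
        set -- $(listener_for "$ns" "$proto" "$port")
        case $1 in
            127.*|::1) exposure=local-only ;;
            -)         exposure=no-listener ;;      # nothing bound (e.g. a stale open|filtered)
            *)         exposure=NETWORK-EXPOSED ;;
        esac
        printf '%s/%s %s %s %s %s %s\n' "$port" "$proto" "$state" "$service" "$1" "$2" "$exposure"
    done
}

# exposed <nmap-output> <netstat-output>  -> only the ports a remote host can reach
exposed() { review "$1" "$2" | awk '$NF == "NETWORK-EXPOSED" { print $1 }'; }

review "$NMAP_OUT" "$NETSTAT_OUT"
echo "--- reachable from the network, review or stop these first:"
exposed "$NMAP_OUT" "$NETSTAT_OUT"
```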