6/27/2011

NMAP 2

Let's use nmap to scan the machine and then use the results to lock it down by stopping unused services (an attacker may exploit such services to attack the system).



By running the command nmap -sS localhost to scan my computer, I get this
result :

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
80/tcp   open  http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Here we see 4 open ports, which means 4 services running on my computer.
Let's get more information about these services.
 1- SMTP on port 25: if you don't use it on your computer, shut it down by stopping its daemon (exim4 or postfix) with the command /etc/init.d/postfix stop

Let's scan again with nmap -sS localhost
result :

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
631/tcp  open  ipp
80/tcp   open  http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds



SMTP is gone.


2- rpcbind
Let's see what that is.

cat /etc/services | grep 111
result :

sunrpc        111/tcp        portmapper    # RPC 4.0 portmapper
sunrpc        111/udp        portmapper 

and try another command, netstat -ntlp | grep 111
result :

tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2419/portmap

"LISTEN" means it is active and waiting for connections, so let's stop the portmap daemon:
/etc/init.d/portmap stop

Scanning again with nmap -sS localhost
result :
 
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
631/tcp  open  ipp
80/tcp   open  http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds  

portmap is gone too.

3- ipp

cat /etc/services | grep 631
result :

ipp        631/tcp                # Internet Printing Protocol
ipp        631/udp
 
and try another command, netstat -ntlp | grep 631
result :

tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1197/cupsd

"LISTEN" means it is active; let's shut it down:
/etc/init.d/cups stop


Scanning again with nmap -sS localhost
result:


Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds   

It's better now (if you want to shut down HTTP too, just stop its daemon, "apache").

hint:
I used /etc/init.d/ here to stop and start daemons; other Linux distributions such as Red Hat or CentOS may differ, e.g. /sbin/service httpd start to start the Apache (http) server.
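The procedure above (scan, find who owns each open port, stop the daemon, rescan) can be scripted so that every open port is listed next to the process holding it. The following shell script is an added example, not code from the original post: it parses a constructed copy of the first nmap output above and a constructed netstat -ntlp listing (the PIDs and program names are assumed), and reports each open TCP port with its listener. On a real host you would replace the two embedded samples with the live output of nmap -sS localhost and netstat -ntlp.

```shell
#!/bin/sh
# Added example (not from the original post): map nmap's open TCP ports to the
# process that owns them, using constructed copies of the outputs shown above.

# Constructed sample: the first "nmap -sS localhost" result from the post.
NMAP_OUT='Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
80/tcp   open  http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds'

# Constructed sample: what "netstat -ntlp" might print on the same host
# (PIDs and program names are assumed, not taken from the post).
NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1503/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2419/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1197/cupsd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1822/apache2'

# Print the port numbers nmap reports as open TCP ports, one per line,
# in the order nmap listed them.
nmap_open_ports() {
    printf '%s\n' "$NMAP_OUT" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp/, "", $1); print $1 }'
}

# Print "PID/program" of the listener on the given TCP port, or "unknown"
# when nothing in the netstat listing is bound to it.
owner_of_port() {
    port="$1"
    printf '%s\n' "$NETSTAT_OUT" | awk -v p="$port" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":")          # local address is addr:port
            if (a[n] == p) { print $NF; found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# Report every open port with its owning process, so each one can be
# judged (needed, or stop its daemon) before rescanning.
audit_open_ports() {
    for p in $(nmap_open_ports); do
        printf '%s %s\n' "$p" "$(owner_of_port "$p")"
    done
}

audit_open_ports
```

Each output line pairs a port with the PID/program name from netstat, which is the name to look up under /etc/init.d/ (or the service manager of your distribution) when deciding what to stop.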

6/25/2011

NMAP 1

nmap, or Network Mapper, is a security scanner used for port scanning, OS fingerprinting, banner grabbing and more, against a range of a network or a specific machine.
It was written by Fyodor.
Now we want to use this program to scan our own system to learn what banners would be shown to an attacker, and which open ports are not useful to my system so that I can close them or shut down the services that run on those ports.
1- installation:
you can download it from the nmap site (http://nmap.org)

2- some explanation:

When I run the command nmap with no arguments it shows a lot of options (scan techniques);

I will explain the most commonly used ones.

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-sU: UDP Scan

-sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags <flags>: Customize TCP scan flags

-sI <zombie host[:probeport]>: Idle scan

-sY/sZ: SCTP INIT/COOKIE-ECHO scans

-sO: IP protocol scan

-b <FTP relay host>: FTP bounce scan

-------------
-sS

This is the TCP SYN scan, the default scan type; it is fast and can scan a large range of ports in seconds.

It scans TCP ports by making a half-open connection. When pc1 wants to connect to pc2 on a TCP port, a three-way handshake occurs in sequence: 1- pc1 sends a SYN packet, 2- pc2 replies with a SYN/ACK packet, 3- pc1 sends an ACK packet. In a half-open connection the final ACK packet is never sent.

It is safer and stealthier than a full connection.

-sT

This is the TCP connect() scan. It also scans TCP ports, but completes the three-way handshake and establishes a real connection between client and server; it is not stealthy, and the scan may be logged by the target (because a connection is established).

-sU

Used to scan UDP ports.

-sY

SCTP INIT scan. SCTP (Stream Control Transmission Protocol) combines most characteristics of the TCP and UDP protocols.

This scan is the SCTP equivalent of TCP SYN scanning (it makes a half-open connection).
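The difference between -sS and -sT above is about what the target application sees: a connect() scan leaves an established connection in the service's own logs, while a half-open SYN scan never completes the handshake. A packet-level firewall log still records each SYN, so a scan shows up there as one source hitting many distinct ports in a short time. The shell script below is an added example, not code from the original post: it runs that check over constructed log lines written in the style of iptables LOG output (the addresses, interface name and log prefix are assumed) and flags any source that sent SYNs to more than a threshold of distinct ports.

```shell
#!/bin/sh
# Added example (not from the original post): count distinct destination ports
# per source in firewall log lines to spot a port scan. The log lines below
# are constructed in the style of iptables "LOG" target output; addresses,
# interface name and the "FW-IN:" prefix are assumed.

FW_LOG='Jun 26 02:25:10 example kernel: [ 1201.1] FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.5 PROTO=TCP SPT=40001 DPT=22 SYN
Jun 26 02:25:10 example kernel: [ 1201.2] FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.5 PROTO=TCP SPT=40002 DPT=25 SYN
Jun 26 02:25:10 example kernel: [ 1201.3] FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.5 PROTO=TCP SPT=40003 DPT=80 SYN
Jun 26 02:25:10 example kernel: [ 1201.4] FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.5 PROTO=TCP SPT=40004 DPT=111 SYN
Jun 26 02:25:10 example kernel: [ 1201.5] FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.5 PROTO=TCP SPT=40005 DPT=631 SYN
Jun 26 02:25:11 example kernel: [ 1201.6] FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.5 PROTO=TCP SPT=40006 DPT=443 SYN
Jun 26 02:25:30 example kernel: [ 1221.0] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=80 SYN
Jun 26 02:25:31 example kernel: [ 1222.0] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51001 DPT=80 SYN
Jun 26 02:25:32 example kernel: [ 1223.0] FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=UDP SPT=51002 DPT=5353'

# Print "SRC distinct_ports" for every source that sent a TCP SYN.
# Only the first SYN to each (source, port) pair is counted, so a client
# retrying one service is not confused with a scan.
syn_ports_per_source() {
    printf '%s\n' "$FW_LOG" | awk '
        /PROTO=TCP/ && / SYN( |$)/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && !seen[src, dpt]++) count[src]++
        }
        END { for (s in count) print s, count[s] }' | sort
}

# Print the sources that probed more than N distinct ports (default 5):
# the pattern a port scan leaves even when each probe is a single
# half-open SYN that the service itself never logs.
flag_scanners() {
    threshold="${1:-5}"
    syn_ports_per_source | awk -v t="$threshold" '$2 > t { print $1 }'
}

flag_scanners
```

In the sample, 192.0.2.10 touches six different ports and is flagged, while 198.51.100.7 retries port 80 twice and sends one UDP datagram, so it is not. Feeding real kernel log lines (for example from /var/log/kern.log) into FW_LOG is the only change needed to run it on a host whose firewall logs incoming SYNs.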





3- usage:
simply run nmap -<technique> <ip address or host name>

for example: nmap -sS localhost
Let's apply this command, nmap -sS localhost
result:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-26 02:25 EEST
Interesting ports on example (127.0.0.1):
Not shown: 997 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
631/tcp  open  ipp

Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds

 
This means I have just two open ports (111 and 631), running the services rpcbind and ipp.
 
and by running nmap -sU localhost
result:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-26 02:43 EEST
Interesting ports on example (127.0.0.1):
Not shown: 997 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
631/udp  open|filtered ipp
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds



Now I have three UDP ports shown as open|filtered: nmap got no reply, so it cannot tell whether each port is open or filtered by a firewall.
Closing unused ports and services will be discussed later.

Now we have additional features:
  • OS detection: used to detect the OS
         by using the command nmap -O <ip address or host name>
  • Service and version detection: used to detect the service names and the versions of the daemons that run on these ports

    by using the command nmap -sV <ip address or host name>

  • detect both the OS and the service and version:

    by using the command nmap -A <ip address or host name>


6/21/2011

Step 1


We will start to navigate Linux security from zero:
how to protect your system from unauthorized users, and how to monitor your Linux system (daemons, ports, processes and services installed on your machine).

First
Read log files
When I log in to my system I have to read two important files (boot.log and dmesg.log).

These files show me the boot sequence and the hardware detected at boot, such as the hard disk and network adapter, and whether there was any problem during the boot.

Log files are located in /var/log

Read the dmesg file with the command

cat /var/log/dmesg

So what should we check in this file?

  • check the kernel version and compare it with your running kernel version

When you look at the dmesg file you will see something like (Linux version 2.6.32-5-686 Debian 2.6.32-31)

and compare it with your kernel version from the command uname -a, whose output will be (Linux rsht 2.6.32-5-686 )

so it's the same version of the kernel.

  • check the memory and CPU reported in the dmesg file and compare them with your actual resources

Common Linux log file names and usage

/var/log/messages: General messages and system related stuff

/var/log/auth.log: Authentication logs

/var/log/kern.log: Kernel logs

/var/log/cron.log: Crond logs (cron jobs)

/var/log/maillog: Mail server logs

/var/log/qmail/ : Qmail log directory (more files inside this directory)

/var/log/httpd/: Apache access and error logs directory

/var/log/lighttpd: Lighttpd access and error logs directory

/var/log/boot.log : System boot log

/var/log/mysqld.log: MySQL database server log file

/var/log/secure: Authentication log

/var/log/utmp or /var/log/wtmp : Login records file

/var/log/yum.log : Yum log files

Second
check your mounted drives by using the command
df -h

Now
Let's start securing.
Booting Linux passes through several levels or stages:

BIOS ----> GRUB boot loader ----> kernel (initializes hardware) ----> init

init is the first program run after the kernel; it does the following:

1- Start up system run level

2- Specify processes to be executed during system boot

3- Specify processes to be run when the specified run-level is entered

4- Specify processes to be run on certain run-levels with actions like respawn so the process is restarted any time it terminates

5- Specify certain actions or processes to be run if certain signals or user actions are indicated

This program reads and applies its configuration from /etc/inittab

for more information (http://linux.die.net/man/8/init or by command man 8 init)

When we look at its configuration file (/etc/inittab), it looks like this:

# Author:       Miquel van Smoorenburg, 
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes

id:3:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Things to run in every runlevel. 
ud::once:/sbin/update

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, schedule a shutdown for 2 minutes from now.
pf::powerfail:/sbin/shutdown -f -h+2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Canceled"

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon 
 

Now we have to do the following:
1- reduce the number of TTYs, since each one takes resources (put # before every TTY line you don't need); leave only the one you may need in an emergency:
1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
2- set the default run-level to 3 rather than 5 (text mode uses fewer resources than the graphical X windows of run-level 5)
3- disable Ctrl+Alt+Delete (by putting # before the ca:12345:ctrlaltdel:/sbin/shutdown -t1-a -r now line):
# What to do when CTRL-ALT-DEL is pressed.
#ca:12345:ctrlaltdel:/sbin/shutdown -t1-a -r now
 

There are more options to protect the boot process:
1- use a strong password on the BIOS
2- protect your GRUB configuration with a password generated by the command grub-md5-crypt; for more information see man grub-md5-crypt
3- use a very strong password for root
4- don't log in to the system as root or another privileged user
 
Now we have to change some files to hide information about my OS; this is called banner implementation.

The command cat /etc/issue prints information about your OS, such as (Debian GNU/Linux 6.0 \n \l)

and cat /etc/motd also prints important information about your OS, so we have to change these files to hide that information, by editing them to say whatever you want.

The difference between issue and motd is that issue is printed before you log in and motd after you log in.



We must disable root access via SSH by editing its configuration file (/etc/ssh/sshd_config) and setting PermitRootLogin to no.
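The inittab changes above (fewer gettys, the default run-level, Ctrl-Alt-Del disabled) and the sshd PermitRootLogin setting can be checked mechanically rather than by eye. The shell script below is an added example, not code from the original post: it reads a constructed inittab (a trimmed copy of the sample above, with only part of the hardening applied) and a constructed sshd_config excerpt, ignores commented-out lines so that a "#"-disabled entry does not count as active, and reports the effective values. To audit a live system, replace the two embedded samples with the contents of /etc/inittab and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): audit the inittab hardening
# steps and the sshd root-login setting against configuration text.
# Both samples below are constructed; the inittab one is trimmed from the
# post's sample and deliberately leaves Ctrl-Alt-Del and a second getty active.

INITTAB='id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
4:2345:respawn:/sbin/getty 38400 tty4'

SSHD_CONFIG='# constructed excerpt of /etc/ssh/sshd_config
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes'

# Drop comment lines and blank lines, so "#"-disabled entries are ignored.
active_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Default run-level: field 2 of the "id:N:initdefault:" entry.
inittab_default_runlevel() {
    active_lines "$INITTAB" | awk -F: '$3 == "initdefault" { print $2; exit }'
}

# Number of getty/mingetty entries that are still active (not commented out).
inittab_active_gettys() {
    active_lines "$INITTAB" | awk -F: '$3 == "respawn" && $4 ~ /getty/ { n++ } END { print n + 0 }'
}

# "yes" if an active ctrlaltdel entry remains, "no" once it is commented out.
inittab_ctrlaltdel_enabled() {
    if active_lines "$INITTAB" | awk -F: '$3 == "ctrlaltdel" { found = 1 } END { exit !found }'; then
        echo yes
    else
        echo no
    fi
}

# Effective PermitRootLogin: sshd honours the first active occurrence of a
# directive, so later duplicates are ignored; "unset" means the compiled-in
# default applies.
sshd_permit_root_login() {
    v=$(active_lines "$SSHD_CONFIG" | awk '$1 == "PermitRootLogin" { print $2; exit }')
    printf '%s\n' "${v:-unset}"
}

audit() {
    echo "default run-level:    $(inittab_default_runlevel)"
    echo "active gettys:        $(inittab_active_gettys)"
    echo "ctrl-alt-del enabled: $(inittab_ctrlaltdel_enabled)"
    echo "PermitRootLogin:      $(sshd_permit_root_login)"
}

audit
```

With the constructed samples the report shows run-level 3, two gettys still active, Ctrl-Alt-Del still enabled (a finding to fix by commenting the ca: line) and PermitRootLogin no. Because only uncommented lines are considered, the "#PermitRootLogin yes" line in the sample does not mask the active "no" below it.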