SELinux
NSA Security-Enhanced Linux
Traditional Linux security, called Discretionary Access Control (DAC):
In a DAC model, file and resource decisions are based solely on user identity and ownership of the objects. Each user and program run by that user has complete discretion over the user's objects. Malicious or flawed software can do anything with the files and resources it controls through the user that started the process. If the user is the super-user or the application is setuid or setgid to root, the process can have root level control over the entire file system.
The following is an example of permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions and output in these examples may differ from your system. Use the ls -l command to view file permissions:
$ ls -l file1
-rw-rw-r--. 1 user1 group1 0 May 11 10:46 file1
SELinux (Security Enhanced Linux) implements Mandatory Access Control (MAC). A MAC system does not suffer from these problems. First, you can administratively define a security policy over all processes and objects. Second, you control all processes and objects, in the case of SELinux through the kernel. Third, decisions are based on all the security relevant information available, and not just authenticated user identity.
The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the ls -Z command:
$ ls -Z file1
-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1
In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. It is important to remember that SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
SELinux provides a combination of Role-Based Access Control (RBAC), Type Enforcement® (TE), and, optionally, Multi-Level Security (MLS).
SELinux can be in one of three states (modes):
Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.
Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Warnings are issued instead.
Disabled: SELinux is disabled. Only DAC rules are used.
SELinux implements one or more of the following policies:
Targeted—Applies to specific objects
MLS—Multilevel Security
Strict—Applies
SELinux Contexts for Processes
$ ps -eZ
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
There is always a tradeoff between security and usability.
More Information from the Fedora Project
http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/
Two ways to disable SELinux: You can modify the /etc/selinux/config file so that it includes the line SELINUX=disabled and reboot the system, or you can use system-config-selinux (as explained on the next page).
Files on FC
system-config-selinux (a GUI tool)
/etc/selinux/config
SELINUX= (disabled, permissive, or enforcing)
SELINUXTYPE= (targeted or strict)
/etc/selinux/targeted/
/usr/sbin/getenforce
/usr/sbin/setenforce
/usr/sbin/sestatus
/usr/sbin/semanage
The getenforce and setenforce utilities report on and temporarily set the SELinux mode. The sestatus utility displays a summary of the state of SELinux (sample output below).
Security Contexts
All Objects (files, interprocess communication channels, sockets, network hosts, etc.)
and Subjects (processes)
have a single security context associated with them
user:role:type (our primary focus is the type portion)
run id in a terminal
run ls -Z
run ps -Z
ps -auxZ
Type enforcement Access Control
rule format: allow <source type(s)> <target type(s)> : <object class(es)> { <permission(s)> };
Source Type(s)
Target Type(s)
Object Class(es)
Permission(s)
allow user_t bin_t : file {read execute getattr};
allow user_t passwd_exec_t : file {getattr execute};
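To tie the two points above together (DAC is checked before SELinux, and a TE allow rule is the only thing that grants a type access), here is an added illustration that is not part of these notes or of the SELinux code base: a small parser for allow rules in the format shown, plus a decision function that runs the DAC bits first and only then the TE lookup. The file modes, uids and process types are constructed sample values.

```python
import re

# Constructed sample of Type Enforcement allow rules in the page's format:
#   allow <source type> <target type> : <object class> { <permissions> };
TE_RULES = """
allow user_t bin_t : file {read execute getattr};
allow user_t passwd_exec_t : file {getattr execute};
"""

RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;\s*$")


def parse_te_rules(text):
    """Return a list of (source_type, target_type, object_class, {permissions})."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable allow rule: %r" % line)
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, set(perms.split())))
    return rules


def te_allows(rules, src, tgt, cls, perm):
    """Type Enforcement: allowed only if some allow rule grants this permission."""
    return any(s == src and t == tgt and c == cls and perm in p
               for s, t, c, p in rules)


def dac_allows(mode, owner, group, uid, gid, perm):
    """Classic DAC check: perm is 'r', 'w' or 'x' against the owner/group/other bits."""
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    if uid == 0:          # root bypasses DAC for read/write; execute still needs some x bit
        return perm != "x" or bool(mode & 0o111)
    shift = 6 if uid == owner else 3 if gid == group else 0
    return bool((mode >> shift) & bit)


def access_allowed(rules, file_info, proc, dac_perm, te_perm):
    """DAC rules are checked first; SELinux TE is consulted only if DAC allowed the access."""
    mode, owner, group, file_type = file_info   # (ls -l mode bits, uid, gid, SELinux type)
    uid, gid, src_type = proc                    # (uid, gid, SELinux type of the process)
    if not dac_allows(mode, owner, group, uid, gid, dac_perm):
        return False, "denied by DAC"
    if not te_allows(rules, src_type, file_type, "file", te_perm):
        return False, "denied by SELinux TE (logged as an AVC denial)"
    return True, "allowed"
```

With the two rules above, an unprivileged user_t process may execute a passwd_exec_t binary but not read it, while a mode 600 root-owned file is refused by DAC before SELinux is ever asked.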
sestatus results on my FC14
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
config file on my FC14
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Blockhosts (http://www.aczoom.com/cms/blockhosts)
--> After install -- rpm -ql BlockHosts
/etc/blockhosts.cfg
/etc/logrotate.d/blockhosts
/etc/logwatch/conf/services/blockhosts.conf
/etc/logwatch/scripts/services/blockhosts
/usr/bin/bhrss.py
/usr/bin/blockhosts.py
/usr/share/doc/BlockHosts-2.4.0
/usr/share/doc/BlockHosts-2.4.0/CHANGES
/usr/share/doc/BlockHosts-2.4.0/INSTALL
/usr/share/doc/BlockHosts-2.4.0/LICENSE
/usr/share/doc/BlockHosts-2.4.0/README
/usr/share/doc/BlockHosts-2.4.0/bhrss.html
/usr/share/doc/BlockHosts-2.4.0/blockhosts.html
--- /etc/blockhosts.cfg
HOSTS_BLOCKFILE = "/etc/hosts.allow"
COUNT_THRESHOLD = 7 -- number of invalid attempts
AGE_THRESHOLD = 12 -- number of hours to block
WHITELIST -- list of IPs to always allow
BLACKLIST -- list of IPs to always block
LOGFILES -- default list of logs to process (/var/log/secure)
--- /etc/hosts.allow
/etc/hosts.allow (or /etc/hosts.deny but only one not both files) - the hosts block file
Add following sections, in this order:
-- your permanent whitelist and blacklist of IP addresses (if needed)
-- blockhosts marker lines - two lines
-- execute command to kick off blockhosts.py on connects to services
Example below
# ----
# permanent whitelist addresses - these should always be ALLOWED access – edit as needed
ALL: 127.0.0.1 : allow
ALL: 192.168.0. : allow
# permanent blacklist addresses - these should always be DENIED access – edit as needed
ALL: 10. : deny
ALL: 192. : deny
ALL: 172. : deny
# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)
#---- BlockHosts Additions
#---- BlockHosts Additions
# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services, for example, for
# sshd, proftpd, etc - if using pure-ftpd, etc, be sure to use those
# words instead - this is spread over multiple lines, so has \ at end of
# line to signal continuation:
sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py \
--echo "%c-%s" --ipblock=iptables \
--whitelist="10\..*,127.0.0.1" --blacklist="192.168.1.1,192.168.1.2"
#---
the version on zeus
sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py \
--verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
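The cycle blockhosts.py runs on every spawn, as an added illustration that is not BlockHosts' own code: count failed logins per source address in /var/log/secure, apply COUNT_THRESHOLD and the whitelist, and rewrite only the region between the two marker lines of the block file. The log lines, the hosts.allow contents and the whitelist prefixes are constructed for the example.

```python
import re

# Constructed /var/log/secure lines (not a real capture): seven failures from one address
SECURE_LOG = """\
May 11 10:46:01 zeus sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 11 10:46:03 zeus sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 11 10:46:05 zeus sshd[2214]: Failed password for root from 203.0.113.7 port 40130 ssh2
May 11 10:46:06 zeus sshd[2214]: Failed password for root from 203.0.113.7 port 40130 ssh2
May 11 10:46:08 zeus sshd[2217]: Failed password for root from 203.0.113.7 port 40140 ssh2
May 11 10:46:09 zeus sshd[2217]: Failed password for root from 203.0.113.7 port 40140 ssh2
May 11 10:46:11 zeus sshd[2220]: Failed password for root from 203.0.113.7 port 40151 ssh2
May 11 10:47:30 zeus sshd[2230]: Failed password for user1 from 192.168.0.15 port 51002 ssh2
May 11 10:48:00 zeus sshd[2240]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2
"""

# Constructed hosts.allow with the two marker lines and a stale entry between them
HOSTS_ALLOW = """\
ALL: 127.0.0.1 : allow
#---- BlockHosts Additions
ALL: 192.0.2.44 : deny
#---- BlockHosts Additions
"""

COUNT_THRESHOLD = 7                      # blockhosts.cfg: invalid attempts before blocking
WHITELIST = ("127.0.0.1", "192.168.0.")  # address prefixes that are never blocked
MARKER = "#---- BlockHosts Additions"
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

def count_failures(log_text):
    """Count failed sshd logins per source address."""
    counts = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def offenders(counts):
    """Addresses at or above COUNT_THRESHOLD that are not whitelisted."""
    return sorted(ip for ip, n in counts.items()
                  if n >= COUNT_THRESHOLD and not ip.startswith(WHITELIST))

def update_block_file(hosts_allow_text, ips):
    """Rewrite only the region between the two marker lines as 'ALL: <ip> : deny' rules."""
    lines = hosts_allow_text.splitlines()
    marks = [i for i, line in enumerate(lines) if line.strip() == MARKER]
    if len(marks) != 2:
        raise ValueError("hosts.allow must contain exactly two marker lines")
    first, last = marks
    block = ["ALL: %s : deny" % ip for ip in ips]
    return "\n".join(lines[:first + 1] + block + lines[last:]) + "\n"
```

Everything outside the marker pair (your permanent whitelist, blacklist and the spawn line) is left untouched, which is why the markers must exist exactly twice.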
Other Advanced Security Features
SELinux
Central Logging
Tripwire
RPM database
chkrootkit
Apache 2.2.6-1 Notes and 2.2.17-1
Basics
Find the server rpms: rpm -qa | grep httpd (apache to httpd)
Show files rpm -ql httpd
service httpd start or /etc/init.d/httpd restart
/sbin/chkconfig httpd on
Important files / folders in httpd-2.2.6-1.fc7 and httpd-2.2.17-1.fc14.x86_64
/etc/httpd/conf/httpd.conf main apache server config file
for 'global environment', 'main or default server', & 'virtual hosts'
/etc/httpd/logs link to /var/log/httpd
/etc/httpd/modules link to /usr/lib64/httpd/modules
/etc/httpd/run link to /var/run
/etc/logrotate.d/httpd how often to rotate logs
/etc/rc.d/init.d/httpd startup script
/etc/sysconfig/httpd basic service config file for httpd startup script
/usr/bin/ab benchmarking tool
/usr/bin/htdigest manage user files for digest authentication
/usr/bin/htpasswd manage user files for basic authentication
/usr/bin/logresolve resolve IP addresses to host names in log files
/usr/lib64/httpd/modules apache modules for added functionality
/usr/sbin/apachectl server control interface
/usr/sbin/httpd main server binary
/usr/sbin/rotatelogs
/usr/sbin/suexec switch user before executing, allows apache user not root
/var/www/error where error files are
/var/www/html main server html root
/var/www/icons server icons
A limited graphical configuration utility
system-config-httpd-1.4.3-1.fc7 and system-config-httpd-1.5.2-2.fc14.noarch
/usr/bin/system-config-httpd
/etc/httpd/conf/httpd.conf Notes
### Section 1: Global Environment
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
#Listen 12.34.56.78:80
Listen 80
# LoadModule foo_module modules/mod_foo.so DSO support
Include conf.d/*.conf
User apache
Group apache
### Section 2: 'Main' server configuration
ServerAdmin root@localhost
#ServerName www.example.com:80
UseCanonicalName Off
DocumentRoot "/var/www/html"
Options FollowSymLinks
AllowOverride None
# Note that from this point forward you must specifically allow
Options Indexes FollowSymLinks
# controls what directives may be placed in .htaccess files
AllowOverride None
Order allow,deny
Allow from all
DirectoryIndex index.html index.html.var
AccessFileName .htaccess
ErrorLog logs/error_log
# The following directives define some format nicknames for use with a CustomLog directive
# http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzaie/rzaielogformat.htm
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b %f %{host}i" debug
CustomLog logs/access_log debug
CustomLog logs/access_log combined
ServerSignature On
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
Alias /image /ftp/pub/image
A request for http://example.com/image/foo.gif would cause the server to return the file /ftp/pub/image/foo.gif
User directories
~public/public_html
user directory (/home/durrett) must be chmod 711, but not all of its subdirectories
public_html & all of its subdirectories must be 755
UserDir enable test (you must list the users to enable)
Doing this makes it possible to find users on the system
An alternative to the above is:
create a new /var/www/html directory (mkdir DrJohn)
change ownership to the user:apache (chown durrett:apache /var/www/html/DrJohn)
add the user link to the directory (ln -s /var/www/html/DrJohn /home/durrett/DrJohn_site)
# UserDir disable
chmod 711 /home/drjohn
mkdir /home/drjohn/public_html
chmod 755 /home/drjohn/public_html
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>
#
# Use name-based virtual hosting.
#
NameVirtualHost *:53148
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>
#
# The two name-based hosts below; the VirtualHost container tags are assumed
# and use the NameVirtualHost address given above
<VirtualHost *:53148>
    # ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/gandalf
    ServerName gandalf
    ErrorLog logs/gandalf-error_log
    # CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost *:53148>
    # ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/mediawiki
    ServerName wiki
    ErrorLog logs/wiki-error_log
    # CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
Fedora firewalls / iptables notes
(partially from Negus' Fedora Linux toolbox)
Negus – Ch 10: Configuring the built in firewall
-- based on the iptables facility (www.netfilter.org)
-- lots of GUIs: sudo /usr/bin/system-config-firewall, firestarter, shorewall, fwbuilder
/etc/sysconfig/iptables -- config file (remember to BACK it UP before changing)
iptables -L -- display current iptables filter table
iptables-save -- send current iptables filter table to stdout ( > somefile to save it)
-------------------------------------------------------------------------
Other notes:
The basic structure of iptables (which tables act on a packet along each path):

               (1) mangle, nat                            (3) mangle & filter  mangle, nat
 network ---> PREROUTING ---> Routing Decision ---------> FORWARD ---------> POSTROUTING ---> network
                                    |                                                  ^
                                    | (2) mangle & filter                              |
                                    v                                                  | (4) mangle, nat & filter
                                  INPUT ---> local process ---> Routing Decision ---> OUTPUT
when packet enters from network kernel looks at destination
if destined for this machine packet goes to INPUT chain
if not destined for this machine, the rules in the FORWARD chain are applied and the packet is sent as they specify; if there are no FORWARD rules (or none matches), the chain's default policy is applied
packets sent from local process are routed, then put on the OUTPUT chain
----------------------------------------------------------
iptables basic concepts
different sets of rules for different chains within different tables
initial tables are: NAT, FILTER, MANGLE
initial chains are: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
targets to jump to are: ACCEPT, DROP, REJECT, LOG, SNAT, MASQUERADE
iptables operations to manage whole chains:
Create a new chain (-N).
Delete an empty chain (-X).
Change the policy for a built-in chain. (-P).
List the rules in a chain (-L).
Flush the rules out of a chain (-F).
iptables operations on the rules inside a chain:
Append a new rule to a chain (-A).
Insert a new rule at some position in a chain (-I).
Replace a rule at some position in a chain (-R).
Delete a rule at some position in a chain, or the first that matches (-D).
individual rules:
Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a `target')
EX: wipe out (flush) all previous rules
iptables -F
EX: set default policies for INPUT chain
iptables -P INPUT DROP
EX: create a new chain in the filter table
iptables -N okay
EX: drop all ICMP packets coming from the IP address 127.0.0.1.
iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
EX: accept everything coming from the loopback address
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
EX: accept packets for the local web server coming from the Internet (eth0)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --dport 80 -j ACCEPT
EX: forward all packets addressed to a web server to gandalf
iptables -t nat -A PREROUTING -i $EXT_NIC -p tcp --dport 80 \
-j DNAT --to-destination $WEB_SVR
Fedora rpm iptables files:
/sbin/iptables
/sbin/iptables-save
/etc/sysconfig/iptables-config
/etc/sysconfig/iptables -- test hint “how do I find this out?”
/etc/init.d/iptables
------------------------------------------------------
steps to play with iptables:
cd ~
vi rc.firewall
WEB_SVR="gandalf"
EXT_NIC="eth0"
/sbin/iptables -F
/sbin/iptables -P INPUT DROP # you are not going to get much now
...
:wq
sudo sh rc.firewall
sudo /sbin/iptables -L
then play
An example:
#!/bin/sh
# Simple masq firewall
# Assumes all modules are either loaded or compiled into kernel
# Setup network for forwarding, dynamic IPs
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
ANY="0.0.0.0/0" # Match any IP address
CLASS_A="10.0.0.0/8" # Class-A Private (RFC-1918) Networks
CLASS_B="172.16.0.0/12" # Class-B Private (RFC-1918) Networks
CLASS_C="192.168.0.0/16" # Class-C Private (RFC-1918) Networks
EXTIF="eth0" # Internet-facing interface
INTIF="eth1" # LAN interface
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
# Default policies: accept local traffic, drop forwarded traffic no rule allows
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Flush existing rules in the filter and nat tables
$IPTABLES -F FORWARD
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F -t nat
echo "FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Anything reaching here is about to hit the FORWARD DROP policy; log it first
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Deny TCP and UDP packets to privileged ports
#$IPTABLES -A INPUT -i $EXTIF -d $ANY -p tcp --dport 0:1023 -j DROP
#$IPTABLES -A INPUT -i $EXTIF -d $ANY -p udp --dport 0:1023 -j DROP
# Deny TCP connection attempts
#$IPTABLES -A INPUT -i $EXTIF -p tcp --syn -j DROP
# Accept packets for the local web server coming from the Internet (eth0)
$IPTABLES -A INPUT -p TCP -i $EXTIF -s 0/0 --dport 80 -j ACCEPT
# Deny ICMP echo-requests
$IPTABLES -A INPUT -i $EXTIF -s $ANY -p icmp --icmp-type echo-request -j DROP
FireHOL, the iptables stateful packet filtering firewall builder.
http://firehol.sourceforge.net/
Identify your network interfaces
sudo ip link show
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:1f:c6:51:13:11 brd ff:ff:ff:ff:ff:ff
3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1f:c6:51:13:12 brd ff:ff:ff:ff:ff:ff
Think about what each interface should do
Ignore lo, in the case above eth0 is not used and eth1 is everything
Also think about what services (i.e. servers) you want.
Create the FireHOL configuration structure
In my Fedora 10 system the configuration file is /etc/firehol/firehol.conf
and by default it says
version 5
# Accept all client traffic on any interface
interface any world
client all accept
You should probably rename the interface if you are going to build a “real” firewall
version 5
interface eth1 world
client all accept
Now add servers and clients you wish to accept
version 5
interface any world
client all accept
interface eth1 home
server dns accept
server ssh accept
server http accept
If you have special ports or have moved services you may define your own servers
server custom myservice proto/sports cports accept
If you want to move the ssh port to 41265 the above file becomes:
version 5
interface any world
client all accept
interface eth1 home
server dns accept
server custom myssh tcp/41265 default accept
server http accept
Checking
Run sudo /etc/rc.d/init.d/firehol debug
And it will show you the iptables results or problems
Pretty much done.
You can do much more, routing tables, masquerade, NAT but this gets you started