Network Security Fundamentals Security Training Course Dr. Charles - PowerPoint PPT Presentation

  1. Network Security Fundamentals
     Security Training Course
     Dr. Charles J. Antonelli
     The University of Michigan
     2013

  2. Network Security Fundamentals
     Module 9: Linux Security & Logging

  3. Linux Security
     • Real-World Linux Security
     • RHEL Security Guides
     • Logging
     04/13 cja 13 3

  4. Real-World Linux Security

  5. Real-World Linux Security
     The seven deadly sins:
        - Weak/default passwords
        - Open network ports
        - Old software versions
        - Insecure programs
        - Insufficient resources
        - Stale/unnecessary accounts
        - Procrastination
     Bob Toxen, “Real World Linux Security: intrusion detection, prevention, and recovery,” 2nd Ed., Prentice-Hall 2003.

  6. Turn off insecure passwords
     • Use SHA-512 & passphrases
        - Password hashes in /etc/shadow should start with $6$
        - Maximum password length is 256 characters
     • Use /etc/shadow
     • Both defined by default
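The check the slide implies, written out as an added example (it is not from the course materials): read shadow-format lines and report every account whose hash field does not carry the `$6$` SHA-512 prefix, while skipping locked accounts (`*`, `!`) and flagging an empty field, which means no password at all. The sample shadow lines and their hashes are constructed dummies.

```sh
#!/bin/sh
# Added example, not from the course slides: audit which accounts in a
# shadow-format file use something other than SHA-512 ($6$) hashes.
# Field 2 of /etc/shadow is the hash: "$6$" = SHA-512, "$5$" = SHA-256,
# "$1$" = MD5, "$2?$" = bcrypt; no "$" prefix means legacy DES or unknown.

# Constructed sample in /etc/shadow format; the hashes are dummies, not real.
SAMPLE_SHADOW='root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz:15000:0:99999:7:::
alice:$1$oldsalt$deadbeefdeadbeefdeadbe:15000:0:99999:7:::
bob:$5$shasalt$0123456789abcdefghijklmnopqrstuvw:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
sshd:!!:15000:0:99999:7:::
guest::15000:0:99999:7:::'

# Reads shadow-format lines on stdin and prints "user:reason" for every
# account that is not locked and does not use a SHA-512 hash.
non_sha512_accounts() {
    awk -F: '
        $2 == ""             { print $1 ":EMPTY-PASSWORD"; next }  # no password at all
        $2 ~ /^[*!]/         { next }                              # locked / no login
        $2 ~ /^\$6\$/        { next }                              # SHA-512: fine
        $2 ~ /^\$5\$/        { print $1 ":SHA-256"; next }
        $2 ~ /^\$1\$/        { print $1 ":MD5"; next }
        $2 ~ /^\$2[abxy]?\$/ { print $1 ":bcrypt"; next }
                             { print $1 ":DES-or-unknown" }
    '
}

# Run against the real file as root: audit_shadow /etc/shadow
audit_shadow() {
    non_sha512_accounts < "$1"
}

# Demo on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_SHADOW" | non_sha512_accounts
```

On the sample this prints `alice:MD5`, `bob:SHA-256` and `guest:EMPTY-PASSWORD`; `root` is silent because it already uses `$6$`, and the locked `daemon` and `sshd` entries are not hashes at all.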

  7. Prevent ARP Cache Poisoning
     • Prevent ARP entries from being spoofed by making them permanent
        - add known ARP entries to /etc/ethers
        - add the following to /etc/rc.d/rc.local:
          arp -f /etc/ethers
        - entries read from the file are marked permanent
     • Use network switch port configurations

  8. arp
     • /sbin/arp command
        - w/o args, displays contents of ARP cache
        - -a           show all cache entries
        - -d h         delete entry for host h
        - -s h e       set permanent entry for host h with layer 2 address e
        - -s h e temp  set temporary entry for host h with layer 2 address e
        - -f f         read (default permanent) entries from file f
        - -n           don’t convert host addresses to names

  9. arping
     • Similar to ping, but uses ARP requests and replies for probing
        - Doesn’t require the sender to have an IP address
        - Limited to the local subnet, unless proxy ARP is in use

  10. arping
     • /sbin/arping destination
        - w/o args, displays usage
        - -I i   use interface i (required)
        - -b     use only Layer 2 broadcasts
        - -s s   use source address s
        - -U     unsolicited ARP
        - -D     detect duplicate IP addr (RFC 2131)

  11. arpwatch
     • Monitors ARP traffic
     • Detects Layer 2 / Layer 3 address pairing changes
        - Records to syslog
        - Emails the administrator
     • Changes detected
        - New station – new pairing using a previously unseen layer 2 address
        - New activity – new pairing using a previously seen layer 2 address
        - Flip flop – layer 2 address changed in an existing pairing
        - Changed ethernet address – layer 2 address changed on a host

  12. arpwatch lab
     • Look at the man page
        - man arpwatch
     • Display syslog messages
        - Start another terminal window
        - sudo tail -f /var/log/messages
     • Edit config file
        - sudo vi /etc/sysconfig/arpwatch
        - Insert “-i ethN” into OPTIONS if needed, adjust others as necessary
     • (Optional) set arpwatch to start on boot
        - chkconfig --list arpwatch
        - chkconfig arpwatch on
        - chkconfig --list arpwatch
     • Start arpwatch
        - sudo service arpwatch start
        - You should see eth2 entering promiscuous mode in the syslog
     • Generate some ARP traffic
        - Empty, then list your ARP cache
        - You should see something like the following in the log (and in an email message, if you’ve set that up):
          Apr 21 16:10:58 localhost arpwatch: new station 172.16.234.2 0:50:56:e7:f7:34
     • No output? Get arpwatch to forget:
        - sudo service arpwatch stop
        - sudo cp /dev/null /var/lib/arpwatch/arp.dat
        - sudo service arpwatch start
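Once arpwatch is writing to syslog, the four event types from the previous slide are what you actually triage; the two that change an existing pairing (flip flop, changed ethernet address) are the ones worth an alert, while new station/new activity are mostly inventory. The following is an added example, not part of the course lab, that reads syslog lines and prints one classified line per arpwatch event. The sample log lines follow the message format shown in the lab (`new station 172.16.234.2 0:50:56:e7:f7:34`); the other three message formats, the old address in parentheses, and all addresses are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not part of the course lab): turn arpwatch syslog lines into a
# short alert list so "flip flop" and "changed ethernet address" events stand
# out from new-station noise.

# Constructed sample syslog lines; the hosts and addresses are made up, and the
# three message formats other than "new station" are assumed for the example.
SAMPLE_LOG='Apr 21 16:10:58 localhost arpwatch: new station 172.16.234.2 0:50:56:e7:f7:34
Apr 21 16:11:03 localhost arpwatch: new activity 172.16.234.9 0:50:56:aa:bb:cc
Apr 21 16:12:10 localhost arpwatch: flip flop 172.16.234.1 0:50:56:11:22:33 (0:50:56:44:55:66)
Apr 21 16:13:44 localhost arpwatch: changed ethernet address 172.16.234.7 0:50:56:77:88:99 (0:50:56:aa:aa:aa)
Apr 21 16:14:00 localhost sshd[2210]: Accepted publickey for alice from 172.16.234.5 port 51000 ssh2'

# Reads syslog lines on stdin; prints "SEVERITY event ip mac [old_mac]" for
# each arpwatch event and ignores every other program's lines.
arpwatch_alerts() {
    awk '
        / arpwatch: / {
            msg = $0
            sub(/.* arpwatch: /, "", msg)       # keep only the arpwatch message text
            split(msg, w, " ")
            if (msg ~ /^new station /) {
                print "INFO", "new_station", w[3], w[4]
            } else if (msg ~ /^new activity /) {
                print "INFO", "new_activity", w[3], w[4]
            } else if (msg ~ /^flip flop /) {
                print "ALERT", "flip_flop", w[3], w[4], w[5]
            } else if (msg ~ /^changed ethernet address /) {
                print "ALERT", "changed_ethernet_address", w[4], w[5], w[6]
            }
        }
    '
}

# Number of ALERT-severity events on stdin; non-zero means look at the segment.
arpwatch_alert_count() {
    arpwatch_alerts | grep -c '^ALERT '
}

# Demo on the constructed sample; on a real box: arpwatch_alerts < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | arpwatch_alerts
```

The sshd line is dropped, the two pairing changes come out as `ALERT` with the previous MAC appended, and `arpwatch_alert_count` gives the number a cron job or swatch rule would key on.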

  13. RHEL Security Guides
     • Canonical step-by-step guide
        - Security overview
        - Attackers and Vulnerabilities
        - Security Updates
        - Workstation Security
        - Server Security
        - Virtual Private Networks
        - Firewalls
        - Vulnerability Assessment
        - Intrusion Detection
        - Incident Response

  14. Security Guides
     • Three guides:
        - http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
        - http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
        - http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf

  15. Logging

  16. Roadmap
     • Motivation
     • Challenges
     • Syslog
     • Centralized Logging
     • Log reduction
     • Swatch, logwatch

  17. Motivation
     • Administration & debugging
     • Detect & analyze security & performance incidents
     • Auditing
     • Regulatory requirements
        - HIPAA, SOX, PCI, GLBA, …

  18. Example
     Jan 2 16:19:23 host.example.com snort [1260]: RPC Info Query: 10.2.3.4 -> host.example.com:111
     Jan 2 16:19:31 host.example.com snort [1260]: spp_portscan: portscan status from 10.2.3.4: 2 connections across 1 hosts: TCP(2), UDP(0)

  19. Example
     Jan 02 16:19:45 host.example.com rpc.statd[351]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8 0 4 9 7 1 0 9 0 9 0 9 0 9 0 6 8 7 4 6 5 6 7 6 2 7 4 7 3 6 f 6 d 6 1 6 e 7 9 7 2 6 5 2 0 6 5 2 0 7 2 6 f 7 2 2 0 7 2 6 f 6 6 b f f f f 7 1 8 bffff719 bffff71a b f f f f 7 1 b _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ! _ _ ! _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

  20. Example
     • Jan 02 16:20:25 host.example.com adduser[12152]: new user: name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/bash
     • Jan 02 16:22:02 host.example.com PAM_pwdb[12154]: password for (cgi/0) changed by ((null)/0)

  21. Challenges
     • Log generation & storage
     • Log CIA
     • Log analysis

  22. CEE - Coming soon?
     Common Event Expression
     • Standardizes the way computer events are described, logged, and exchanged
        - Create an event expression taxonomy for uniform and precise log definitions that lead to a common event representation.
        - Create logging syntax utilizing a single data dictionary to provide consistent event-specific details.
        - Standardize flexible event transport mechanisms to support multiple environments.
        - Propose log recommendations for the events and attributes devices generate.
     • http://cee.mitre.org/language/1.0-beta1/overview.html
     • (August, 2012)

  23. syslog
     • UNIX/Linux logging daemon
        - facility (origin) & priority (importance)
        - log entry accepted by daemon
        - logged according to config file
     • Windows third-party tools
        - Windows event log -> syslog
          http://www.eventreporter.com/
          http://www.winagents.com/
        - syslog -> Windows
          http://www.winsyslog.com/en/

  24. syslog
     • LogAnalyzer (née phpLogCon)
        - Front end for searching, reviewing and analyzing event data
        - Data sources
          » syslog, rsyslog, WinSyslog log files
          » MySQL databases (Adiscon MonitorWare, php-syslog-ng schemas)
          » Any LF-delimited file
          » Multiple instances
        - Data display
          » GUI controls: scroll, search, tooltip, …
        - http://loganalyzer.adiscon.com/

  25. syslog
     • Splunk
        - Indexes log file data, also config files, arbitrary script output
        - Data sources
          » syslog, rsyslog, WinSyslog log files
          » Config files
          » Arbitrary script outputs
          » Multiple instances
        - Indexes data
          » Free for indexing up to 500 MB/day
        - Data display
          » GUI controls: scroll, search, tooltip, …
        - http://www.splunk.com/

  26. rsyslog
     • The reliable & extended Linux logging daemon
     • Upward-compatible with syslogd
        - Provides reliable remote logging
        - TCP – ubiquitous, uses reliable connection
        - RELP – queues locally until loghost accessible
     • man rsyslogd
     • man 5 rsyslog.conf
     • /etc/rsyslog.conf

  27. rsyslog basic lab
     • Edit log destination
        - sudo vi /etc/rsyslog.conf
        - Add this line under the RULES section:
          *.debug,mark.debug /var/log/fulllog
     • Tell syslog to re-read config file
        - sudo service rsyslog restart
     • Test the syslog
        - logger 'Hello, world!'

  28. centralized logging lab
     • Your instructor will provide the identity of a central logging host
        - pst.merit.edu
     • Edit local /etc/rsyslog.conf
        - Add a forwarding rule with the remote host:
          *.* @pst.merit.edu
     • Tell local syslog to re-read config file
        - sudo service rsyslog restart
     • Test with logger
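The rules in the two labs (`*.debug`, `*.*`) are selectors built from the facility and priority model introduced on the syslog slide: a message carries PRI = facility × 8 + severity, and a selector `facility.priority` matches messages of that facility at that priority or anything more severe. The following is an added example, not from the course, that encodes and decodes PRI values and evaluates the classic `fac.pri` selector syntax (with `;`-joined selectors and `fac.none` exclusions) against a message. The facility and severity names are the RFC 3164/5424 ones; the names for facilities 12-15 are placeholders, and the `=`/`!` modifiers and the `fac1,fac2.pri` form are deliberately not modelled.

```sh
#!/bin/sh
# Added example (not from the course slides): syslog PRI arithmetic and the
# selector semantics that rsyslog.conf rules such as "*.debug" rely on.
# PRI = facility * 8 + severity; lower severity numbers are more severe.
SYSLOG_FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp facility12 facility13 facility14 facility15 local0 local1 local2 local3 local4 local5 local6 local7"
SYSLOG_SEVERITIES="emerg alert crit err warning notice info debug"

# nth_word N word... : print the zero-based Nth word.
nth_word() { n=$1; shift; shift "$n"; printf '%s\n' "$1"; }

# word_index NAME word... : print the zero-based index of NAME, fail if absent.
word_index() {
    needle=$1; shift; i=0
    for w in "$@"; do
        [ "$w" = "$needle" ] && { printf '%s\n' "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# syslog_pri_decode PRI : 34 -> "auth.crit"
syslog_pri_decode() {
    [ "$1" -ge 0 ] && [ "$1" -le 191 ] || return 1
    printf '%s.%s\n' "$(nth_word $(($1 / 8)) $SYSLOG_FACILITIES)" \
                     "$(nth_word $(($1 % 8)) $SYSLOG_SEVERITIES)"
}

# syslog_pri_encode FACILITY SEVERITY : "local0 info" -> 134
syslog_pri_encode() {
    f=$(word_index "$1" $SYSLOG_FACILITIES) || return 1
    s=$(word_index "$2" $SYSLOG_SEVERITIES) || return 1
    echo $((f * 8 + s))
}

# rule_matches SELECTOR FACILITY SEVERITY : succeed if a selector such as
# "*.debug", "auth.warning" or "*.info;mail.none" selects the message.
rule_matches() {
    rule=$1; fac=$2; sev=$3; result=1
    msev=$(word_index "$sev" $SYSLOG_SEVERITIES) || return 2
    # split on ';' without letting the shell glob-expand "*.info"
    old_ifs=$IFS; IFS=';'; set -f; set -- $rule; set +f; IFS=$old_ifs
    for sel in "$@"; do
        sel_fac=${sel%%.*}; sel_pri=${sel#*.}
        [ "$sel_fac" = '*' ] || [ "$sel_fac" = "$fac" ] || continue
        if [ "$sel_pri" = none ]; then
            result=1                          # "fac.none" excludes the facility again
        elif [ "$sel_pri" = '*' ]; then
            result=0
        else
            spri=$(word_index "$sel_pri" $SYSLOG_SEVERITIES) || return 2
            [ "$msev" -le "$spri" ] && result=0   # this priority or more severe
        fi
    done
    return $result
}

# Demo when run directly.
syslog_pri_decode 34
syslog_pri_encode local0 info
rule_matches '*.info;mail.none' mail info && echo selected || echo not-selected
```

Two things worth checking against this when you edit the lab rules: `*.debug` selects everything because debug is the least severe level, and in rsyslog a single `@host` in the forwarding rule sends over UDP, while `@@host` uses the TCP transport the rsyslog slide recommends.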

  29. Relay Architecture

  30. Log Reduction
     • Make three piles
        - ignore – don’t want to see these, ever
        - baseline – aren’t likely to contain time-critical security information
        - investigate – those that do

  31. Log Reduction
     • A simple first step
        - cut -f5- -d' ' /var/log/fulllog | sed -e 's/[0-9][0-9]*/###/g' | sort | uniq -c | sort -nr
     • Use the script in /usr/local/lab/syslog/reduce
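The reduction pipeline and the three piles from the previous slide, run over the kind of lines shown on the three Example slides (the snort portscan, the rpc.statd lookup error with non-hostname bytes, the uid-0 `cgi` account and its password change by `(null)`). This is an added example, not the course's `reduce` script: the timestamp/host prefix is stripped with awk instead of `cut` so that the double space syslog writes before single-digit days (`Jan  2`) does not shift the field numbers, and the sample log lines, hosts and addresses are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the course slides): the slide's log-reduction
# pipeline, then sorting raw lines into the ignore/baseline/investigate piles.

# Constructed sample modelled on the course's Example slides plus routine
# MARK and cron entries; hosts and addresses are made up.
SAMPLE_LOG='Jan  2 16:19:23 host.example.com snort[1260]: RPC Info Query: 10.2.3.4 -> host.example.com:111
Jan  2 16:19:31 host.example.com snort[1260]: spp_portscan: portscan status from 10.2.3.4: 2 connections across 1 hosts: TCP(2), UDP(0)
Jan  2 16:19:45 host.example.com rpc.statd[351]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿bffff750
Jan  2 16:20:25 host.example.com adduser[12152]: new user: name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/bash
Jan  2 16:22:02 host.example.com PAM_pwdb[12154]: password for (cgi/0) changed by ((null)/0)
Jan  2 16:25:00 host.example.com -- MARK --
Jan  2 16:30:01 host.example.com CROND[12200]: (root) CMD (run-parts /etc/cron.hourly)
Jan  2 16:45:00 host.example.com -- MARK --
Jan  2 17:30:01 host.example.com CROND[12300]: (root) CMD (run-parts /etc/cron.hourly)'

# Strip "Mon DD HH:MM:SS host", mask every run of digits, count unique templates.
reduce_log() {
    awk '{ $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }' \
    | sed -e 's/[0-9][0-9]*/###/g' | sort | uniq -c | sort -nr
}

# Sort raw lines into the three piles. "Investigate" patterns: a new uid-0
# account, a password changed by no user (PAM's "(null)"), a portscan, an
# interface going promiscuous, and an rpc.statd lookup whose "hostname"
# contains bytes no hostname can contain (the marker on the Example slide).
make_piles() {
    awk '
        { msg = $0; sub(/^[A-Za-z]+ +[0-9]+ [0-9:]+ [^ ]+ /, "", msg) }
        msg ~ /-- MARK --|last message repeated/ { ig++; next }
        msg ~ /new user: .*uid=0|changed by \(\(null\)|spp_portscan|entering promiscuous mode|gethostbyname error for [^A-Za-z0-9._ -]/ {
            inv++; print "INVESTIGATE " msg; next
        }
        { base++ }
        END { printf "ignore=%d baseline=%d investigate=%d\n", ig, base, inv }
    '
}

# Demo on the constructed sample; on a real box: reduce_log < /var/log/fulllog
printf '%s\n' "$SAMPLE_LOG" | reduce_log
printf '%s\n' "$SAMPLE_LOG" | make_piles
```

On the sample, `reduce_log` collapses the nine lines into seven templates with the two repeated ones (MARK and the hourly cron run) at the top, which is exactly the material that goes into the ignore and baseline piles; `make_piles` reports `ignore=2 baseline=3 investigate=4`, and the four investigate lines are the intrusion sequence from the Example slides.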

  32. Baselining I
     • Construct a baseline
        - Measure a set of known data to compute the range of “normal” values
        - Examples
          » Network traffic by protocol
          » Logins/logouts
          » Accesses of admin accounts
          » DHCP address management
          » DNS requests
          » Amount of log data/day
          » Number of processes running
