Security tasks (212.4)

Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.

Key Knowledge Areas:

Tools and utilities to scan and test ports on a server

Locations and organizations that report security alerts as Bugtraq, CERT, or other sources

Tools and utilities to implement an intrusion detection system (IDS)

Awareness of OpenVAS and Snort

Terms and utilities:

  • telnet

  • nmap

  • fail2ban

  • nc

  • OpenVAS

  • Snort IDS

nc (netcat)

Description

Netcat (nc) is a very versatile network tool: a utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool. Netcat's features are numerous; it can, for instance, be used as a proxy or port forwarder. It can use any local source port, or use loose source-routing. It is commonly referred to as the TCP/IP Swiss army knife. Be aware that several implementations exist (the original "Hobbit" netcat, GNU netcat, the OpenBSD rewrite and ncat from the Nmap project) and that their options and output differ in details; the examples below use the OpenBSD variant, which is what most current Linux distributions install as nc.

Some of the major features of netcat are:

  • Outbound or inbound connections, TCP or UDP, to or from any ports

  • Full DNS forward/reverse checking, with appropriate warnings

  • Ability to use any local source port

  • Ability to use any locally-configured network source address

  • Built-in port-scanning capabilities, with randomizer

  • Built-in loose source-routing capability

  • Can read command line arguments from standard input

  • Slow-send mode, one line every N seconds

  • Hex dump of transmitted and received data

  • Optional ability to let another program service establish connections

  • Optional telnet-options responder

Because netcat does not make any assumptions about the protocol used across the link, it is better suited to debug connections than telnet: the telnet client interprets telnet option negotiation bytes and is not 8-bit clean, whereas netcat passes all bytes through untouched.

Example: using netcat to perform a port scan

With the -z option netcat sends no data but only reports whether it could connect to the ports given on the command line. By default netcat produces no output. When scanning a single port the exit status indicates the result of the scan, but with multiple ports the exit status will always be "0" as soon as one of the ports is listening. For this reason the "verbose" option (-v) is needed to see the actual results. Note that netcat writes these messages to standard error, so a script that wants to process them has to redirect it (2>&1). "Connection refused" means the port is closed; a timeout instead of a refusal usually means a firewall is dropping the packets:

	# nc -vz localhost 75-85
	nc: connect to localhost port 75 (tcp) failed: Connection refused
	nc: connect to localhost port 76 (tcp) failed: Connection refused
	nc: connect to localhost port 77 (tcp) failed: Connection refused
	nc: connect to localhost port 78 (tcp) failed: Connection refused
	Connection to localhost 79 port [tcp/finger] succeeded!
	Connection to localhost 80 port [tcp/http] succeeded!
	nc: connect to localhost port 81 (tcp) failed: Connection refused
	nc: connect to localhost port 82 (tcp) failed: Connection refused
	nc: connect to localhost port 83 (tcp) failed: Connection refused
	nc: connect to localhost port 84 (tcp) failed: Connection refused
	nc: connect to localhost port 85 (tcp) failed: Connection refused

The man page of netcat shows some more examples on how to use netcat.

Netcat can easily be used in scripts for a lot of tests you want to run automated.
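As an added example (not from the original page and not part of netcat), the following POSIX shell script wraps nc for scripted tests: a single-port check that relies on the exit status, and a range scan that parses the verbose output because the exit status says nothing useful for a range. It assumes the OpenBSD variant of netcat, whose messages look like those above and are written to standard error; the lines fed to the parser in its self-test are constructed, and the -w timeout of 3 seconds is a chosen value, not a requirement.

```shell
#!/bin/sh
# Added example: scripting nc port checks. Assumes OpenBSD-style nc output
# ("Connection to HOST PORT port [tcp/svc] succeeded!" and
#  "nc: connect to HOST port PORT (tcp) failed: REASON"), written to stderr.

# Single port: the exit status of nc -z is meaningful here (0 = listening).
port_open() {            # usage: port_open HOST PORT
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Convert nc -vz output (one line per port) into "PORT STATE" lines.
# "Connection refused" means the port is closed; any other failure
# (typically a timeout) is reported as filtered, which is what a firewall
# dropping packets looks like.
summarize_nc() {
    awk '
        /succeeded!/ {
            for (i = 2; i <= NF; i++)
                if ($i == "port") { print $(i - 1), "open"; next }
        }
        /failed:/ {
            state = ($0 ~ /refused/) ? "closed" : "filtered"
            for (i = 1; i < NF; i++)
                if ($i == "port") { print $(i + 1), state; next }
        }
    '
}

# Range scan: nc exits 0 as soon as one port listens, so parse the -v output
# instead of trusting the exit status. stderr is merged because that is
# where nc reports.
scan_range() {           # usage: scan_range HOST FIRST LAST
    nc -vz -w 3 "$1" "$2-$3" 2>&1 | summarize_nc
}

# Only the open port numbers, one per line, for use in further scripting.
list_open() {
    summarize_nc | awk '$2 == "open" { print $1 }'
}

# Live run when called as: ./ncscan.sh HOST FIRST LAST
if [ "$#" -eq 3 ]; then
    scan_range "$1" "$2" "$3"
fi
```

The single-port function is the one to use in a monitoring check ("is 25/tcp still listening?"); the range functions are for the audit case, where you want the full list rather than a yes/no.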

The fail2ban command

Description

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP addresses that cause too many rejected password attempts. It does this by adding firewall rules (by default iptables or nftables rules) that block the offending addresses.

Fail2ban's main function is to block IP addresses that belong to hosts that may be trying to breach the system's security. It determines these by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc.) with regular expressions ("filters") and bans any host IP that makes too many login attempts, or performs any other unwanted action, within a time frame set by the administrator (in fail2ban's terms: more than maxretry matches within findtime seconds). Fail2ban is typically configured to unban a blocked host after a certain period (bantime), so as not to "lock out" any genuine connections. An unban time of several minutes is usually sufficient to prevent a network connection from being flooded by malicious attempts, as well as to reduce the likelihood of a successful dictionary attack. Keep in mind that fail2ban only slows down brute-force attempts: an attacker spreading the attempts over many source addresses is not stopped by it, and legitimate users behind the same NAT address as an attacker are locked out along with the attacker.
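To make the mechanism concrete, here is an added example (not part of fail2ban and not from the original page) that reproduces the core of a fail2ban jail in POSIX shell and awk: count the sshd "Failed password" lines per source address inside a sliding window of findtime seconds and report an address the first time it reaches maxretry hits. The log lines are constructed for the example, and for simplicity all timestamps are assumed to fall on the same day.

```shell
#!/bin/sh
# Added example: the counting logic behind a fail2ban jail, in awk.
# Assumption: syslog-style sshd lines, all from the same day.

# Constructed sample of /var/log/auth.log (not real data).
SAMPLE_AUTHLOG='Jul  4 06:33:01 lnx1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul  4 06:33:04 lnx1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul  4 06:33:07 lnx1 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul  4 06:33:09 lnx1 sshd[2105]: Accepted password for bob from 192.0.2.10 port 40022 ssh2
Jul  4 06:33:11 lnx1 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul  4 06:33:15 lnx1 sshd[2107]: Failed password for bob from 192.0.2.10 port 40030 ssh2
Jul  4 06:33:18 lnx1 sshd[2109]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jul  4 06:50:00 lnx1 sshd[2201]: Failed password for root from 198.51.100.7 port 33001 ssh2
Jul  4 06:50:05 lnx1 sshd[2201]: Failed password for root from 198.51.100.7 port 33001 ssh2
Jul  4 07:30:00 lnx1 sshd[2301]: Failed password for root from 198.51.100.7 port 33010 ssh2
Jul  4 07:30:10 lnx1 sshd[2301]: Failed password for root from 198.51.100.7 port 33010 ssh2
Jul  4 07:30:20 lnx1 sshd[2301]: Failed password for root from 198.51.100.7 port 33010 ssh2'

# ban_candidates MAXRETRY FINDTIME < logfile
# Prints each source address the first time it reaches MAXRETRY failed
# logins within FINDTIME seconds. This is what a fail2ban filter plus jail
# decides before handing the address to the ban action (a firewall rule).
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]        # seconds since midnight

            # keep only the earlier hits that are still inside the window
            n = split(hits[ip], h, " ")
            kept = ""; cnt = 0
            for (j = 1; j <= n; j++)
                if (h[j] > now - findtime) { kept = kept " " h[j]; cnt++ }
            hits[ip] = kept " " now
            cnt++

            if (cnt >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip
            }
        }
    '
}

# Two runs with different jail parameters over the same log: the wider
# window catches the slow attacker (198.51.100.7), the narrow one does not.
demo() {
    echo "maxretry=5 findtime=600:"
    printf '%s\n' "$SAMPLE_AUTHLOG" | ban_candidates 5 600
    echo "maxretry=5 findtime=3600:"
    printf '%s\n' "$SAMPLE_AUTHLOG" | ban_candidates 5 3600
}

demo
```

In a real deployment the same three knobs are set as maxretry, findtime and bantime in the [sshd] section of /etc/fail2ban/jail.local, and fail2ban-regex can be used to check that a filter's regular expression actually matches the lines in a given log file before the jail is enabled.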

The nmap command

Description

nmap is a network exploration tool and security scanner. It can be used to scan a network, determine which hosts are up and what services they are offering.

nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol and Null scan.

If you have built a firewall, and you wish to check that no ports are open that you do not want open, nmap is the tool to use.

Using the nmap command

If a machine gets infected by a rootkit, system utilities like top, ps and netstat are usually replaced by the attacker. The modified versions of these commands aid the attacker by not showing all running processes and listening ports. By performing port scans against the host, preferably from another, trusted machine (a kernel rootkit can hide sockets from local tools as well), we can find out which ports are really open and compare this with the list of services that are supposed to be running. As an example, here is a TCP connect scan against localhost:

	$ nmap -sT localhost

	Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-04 06:33 CDT
	Nmap scan report for localhost (127.0.0.1)
	Host is up (0.0011s latency).
	Other addresses for localhost (not scanned): 127.0.0.1
	Not shown: 993 closed ports
	PORT     STATE SERVICE
	22/tcp   open  ssh
	25/tcp   open  smtp
	53/tcp   open  domain
	80/tcp   open  http
	111/tcp  open  rpcbind
	389/tcp  open  ldap
	3000/tcp open  ppp

	Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

Note

By default, nmap will only scan the 1000 most common ports. Use the -p 1-65535 or -p - switch to scan all available ports.
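The comparison with a list of known services can be automated. The following script is an added example, not from the original page or from the nmap project: it uses nmap's grepable output format (-oG) and compares the open ports with an allow-list maintained by the administrator, reporting anything unexpected. The sample -oG output is constructed to match the scan above, and the allow-list is an assumed example baseline.

```shell
#!/bin/sh
# Added example: compare an nmap port scan against a known-good list.
# "nmap -oG -" writes grepable output; its Ports: field holds entries of the
# form PORT/STATE/PROTO/OWNER/SERVICE/RPCINFO/VERSION/ separated by ", ".

# Ports this host is supposed to expose (assumed example baseline).
BASELINE="22/tcp 25/tcp 53/tcp 80/tcp"

# Constructed -oG output matching the TCP scan shown above (tab-separated fields).
SAMPLE_GREPABLE=$(printf '%s\t%s\n%s\t%s\t%s\n' \
    'Host: 127.0.0.1 (localhost)' 'Status: Up' \
    'Host: 127.0.0.1 (localhost)' \
    'Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 53/open/tcp//domain///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 389/open/tcp//ldap///, 3000/open/tcp//ppp///' \
    'Ignored State: closed (993)')

# Read grepable output on stdin, print "PORT/PROTO" for every open port,
# sorted numerically. open|filtered counts as open: it deserves a look too.
open_ports_from_grepable() {
    awk -F '\t' '
        {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] ~ /^open/) print f[1] "/" f[3]
                }
            }
        }
    ' | sort -t/ -k1,1n
}

# Read "PORT/PROTO" lines on stdin, print the ones missing from the baseline.
unexpected_ports() {     # usage: unexpected_ports "22/tcp 80/tcp"
    awk -v base="$1" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) allowed[b[i]] = 1 }
        !($0 in allowed)
    '
}

# Live run: scan the host and report deviations from the baseline.
# Run it from a trusted machine; tools on a rootkitted host can lie.
audit_host() {           # usage: audit_host HOST
    nmap -sT -oG - "$1" | open_ports_from_grepable | unexpected_ports "$BASELINE"
}

if [ "$#" -eq 1 ]; then
    audit_host "$1"
fi
```

Against the sample output the script reports 111/tcp, 389/tcp and 3000/tcp, which is exactly the list an administrator would have to explain. Add -p - to the nmap command when the baseline covers ports outside nmap's default top 1000.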

Let's perform the same scan, using the UDP protocol:

	$ nmap -sU localhost
	You requested a scan type which requires root privileges.
	QUITTING!

Nmap is a very powerful network scanner, but some scan types require root privileges because they need raw sockets. If you run the command nmap localhost both as root and as an ordinary user, nmap will use a SYN scan (-sS) as root and fall back to a connect scan (-sT) when run with normal user privileges.

Now, let's run the UDP scan again using root privileges through sudo:

	$ sudo nmap -sU localhost
	[sudo] password for bob: ********

	Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-04 06:51 CDT
	Nmap scan report for localhost (127.0.0.1)
	Host is up (0.000040s latency).
	Other addresses for localhost (not scanned): 127.0.0.1
	Not shown: 995 closed ports
	PORT     STATE         SERVICE
	53/udp   open          domain
	68/udp   open|filtered dhcpc
	111/udp  open          rpcbind
	1900/udp open|filtered upnp
	5353/udp open|filtered zeroconf

	Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds

Nmap is a very versatile and powerful tool, and offers a variety of options regarding its capabilities. Nmap can, for example, be used for active TCP/IP stack fingerprinting to determine the remote OS (-O). The -A option used below combines OS detection with version detection (-sV), default script scanning (-sC) and traceroute. You need root privileges for this:

	[root@lnx1 ~]# nmap -A 192.168.1.183

	Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-30 16:03 CET
	Nmap scan report for 192.168.1.183
	Host is up (0.0012s latency).
	Not shown: 999 closed ports
	PORT   STATE SERVICE VERSION
	22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
	| ssh-hostkey: 1024 65:44:cf:c2:b8:e9:6a:a5:21:18:9f:55:70:1d:d9:57 (DSA)
	|_2048 87:15:36:b4:28:09:3c:84:fa:ea:9f:b3:9d:33:39:f9 (RSA)
	MAC Address: 00:0F:60:02:BA:0D (Lifetron Co.)
	No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
	TCP/IP fingerprint:
	OS:SCAN(V=5.51%D=10/30%OT=22%CT=1%CU=34692%PV=Y%DS=1%DC=D%G=Y%M=000F60%TM=5
	OS:63386C7%P=x86_64-redhat-linux-gnu)SEQ(SP=109%GCD=1%ISR=103%TI=Z%CI=I%II=
	OS:I%TS=7)SEQ(SP=107%GCD=1%ISR=104%TI=Z%CI=I%II=I%TS=7)OPS(O1=M5B4ST11NW6%O
	OS:2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)
	OS:OPS(O1=M5B4ST11NW6%O2=NNT11%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11NW
	OS:6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=
	OS:Y%DF=Y%T=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
	OS:D=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%
	OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
	OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=4
	OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

	Network Distance: 1 hop
	Service Info: OS: Linux

	TRACEROUTE
	HOP RTT     ADDRESS
	1   1.16 ms 192.168.1.183

As you can tell from the output, the tested machine was a Debian Linux host. Note where that information came from: the OS fingerprint itself produced no exact match, but version detection read the OpenSSH banner, which carries the Debian package version. Service banners are often the quickest source of OS information, though not the most reliable one, since an administrator can change them.

Please consult the manpage of nmap(1) to learn more about its features.

OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is an open source framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 30,000 in total (as of April 2013).

Detailed information about OpenVAS can be found at the OpenVAS (Open Vulnerability Assessment System) community site.

The Snort IDS (Intrusion Detection System)

Snort is an open source network intrusion detection system (NIDS) capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet-sniffer like tcpdump, a packet-logger (useful for network traffic debugging, etc), or as a full blown network-intrusion detection system. Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the foreign host.

Basic structure of Snort rules

All Snort rules have two logical parts: rule header and rule options.

The rule header contains information about what action a rule takes. It also contains criteria for matching a rule against data packets. The options part usually contains an alert message and information about which part of the packet should be used to generate the alert message. The options part contains additional criteria for matching a rule against data packets. A rule may detect one type or multiple types of intrusion activity. Intelligent rules should be able to apply to multiple intrusion signatures.

Structure of Snort rule headers

The action part of the rule determines what is done when all criteria are met and a rule matches a data packet. Typical actions are generating an alert (alert), logging the packet (log) or deliberately ignoring it (pass).

The protocol part is used to apply the rule to packets of a particular protocol only. This is the first criterion mentioned in the rule. The protocols that can be used are ip, icmp, tcp and udp.

The address parts define source and destination addresses. Addresses may be a single host, multiple hosts or network addresses in CIDR notation (e.g. 192.168.2.0/24). The negation operator (!) can be used to exclude addresses from a complete network. Note that there are two address fields in the rule. Which one is the source and which one the destination is determined by the direction field. As an example, if the direction field is "->", the address on the left side is the source and the address on the right side is the destination.

In the case of TCP or UDP, the port parts determine the source and destination ports of a packet on which the rule is applied; a single port, a range (1024:2048) or a negation (!53) can be given, as in the examples below. In the case of network layer protocols like IP and ICMP, port numbers have no significance and are written as any.

The direction part of the rule (-> or <>) determines which address and port number are used as source and which as destination; <> makes the rule apply to traffic in both directions.

Just some examples:

	alert icmp any any -> any any (msg: "Ping with TTL=100";  ttl: 100;)
	alert udp any 1024:2048 -> any any (msg: "UDP ports";)
	alert tcp 192.168.2.0/24 23 <> any any (content: "confidential"; msg: "Detected confidential";)
	log udp any !53 -> any any
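As an added example (not part of Snort and not from the original page), the following script checks the header of each rule in a rules file against the structure described above: seven blank-separated fields before the optional parenthesised options, a known action and protocol, a valid direction operator, and a warning when ports other than any are given for a protocol (ip, icmp) for which they have no meaning. The accepted action keywords are those of the Snort 2 rule language (including the inline actions); the sample rules file is constructed from the examples above plus two deliberately bad rules.

```shell
#!/bin/sh
# Added example: a sanity check for Snort rule headers (not Snort's own parser).
# Reads rules on stdin; prints the seven header fields for well-formed rules,
# ERROR lines for malformed headers and WARNING lines for questionable ones.

check_snort_headers() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            sub(/[ \t]*\(.*$/, "", line)        # drop the "(options ...)" part
            n = split(line, f, " ")             # default splitting on blanks
            if (n != 7) {
                print "ERROR: header needs 7 fields, got " n ": " $0
                next
            }
            action = f[1]; proto = f[2]; src = f[3]; sport = f[4]
            dir = f[5]; dst = f[6]; dport = f[7]

            if (action !~ /^(alert|log|pass|activate|dynamic|drop|reject|sdrop)$/) {
                print "ERROR: unknown action \"" action "\": " $0; next
            }
            if (proto !~ /^(tcp|udp|icmp|ip)$/) {
                print "ERROR: unknown protocol \"" proto "\": " $0; next
            }
            if (dir != "->" && dir != "<>") {
                print "ERROR: direction must be -> or <>: " $0; next
            }
            # port fields only carry meaning for tcp and udp
            if ((proto == "ip" || proto == "icmp") && (sport != "any" || dport != "any"))
                print "WARNING: port fields are meaningless for " proto ": " $0
            print action, proto, src, sport, dir, dst, dport
        }
    '
}

# Constructed rules file: the four examples above plus two deliberately bad ones.
SAMPLE_RULES='alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)
alert udp any 1024:2048 -> any any (msg: "UDP ports";)
alert tcp 192.168.2.0/24 23 <> any any (content: "confidential"; msg: "Detected confidential";)
log udp any !53 -> any any
alert icmp any 53 -> any any (msg: "port on icmp";)
alert tcp any any => any 80 (msg: "bad direction";)'

printf '%s\n' "$SAMPLE_RULES" | check_snort_headers
```

A check like this catches the header mistakes before Snort is restarted with the new rules; the options part is not validated here, Snort itself reports errors in it at start-up (snort -T -c snort.conf tests a configuration without starting detection).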

Detailed information about Snort can be found at the Snort IDS website.

Intrusion Detection and Prevention Systems

When talking about Intrusion Detection Systems (IDS), we can make a distinction between Host Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS). A HIDS alerts when a host is suffering from suspicious activities. A NIDS usually inspects network traffic, preferably at a low level and alerts if suspicious traffic is detected.

Some IDS systems can be configured in a way that they do not only send out an alert, but also prevent access to a certain resource. This resource can either be a TCP or UDP port, a physical port on a network device or complete access to a certain host or network segment through a router or firewall. Since these systems not only detect, but also prevent, they are called Intrusion Prevention Systems (IPS). As with IDS systems, we can distinguish HIPS from NIPS systems. Note that the same false positive that is merely annoying on an IDS becomes a self-inflicted denial of service on an IPS, so the prevention side needs even more careful tuning.

Both intrusion detection and intrusion prevention systems use a set of definitions (signatures) for detection. These definitions describe certain characteristics that, when met, trigger an alert or countermeasure. If a detection takes place and is correct, we call this a true positive. If a detection takes place but is inaccurate, this is called a false positive. When nothing malicious happens and the system reports nothing, this is called a true negative. When there actually is an event which is not detected by the system, this is called a false negative.

Often, the detection capabilities of an IDS are expanded by anomaly-based (heuristic) detection methods. In order for these to be both effective and accurate, the system needs to be trained on normal traffic. During this period, a lot of false positives may be produced, which in itself is not a bad thing. But the system needs to be tuned so that the number of false positives is reduced to a minimum, otherwise real alerts drown in the noise. A false negative is equal to having no IDS in place, and is the most undesirable behaviour for an IDS.

Keeping track of security alerts

Security alerts

Security alerts are warnings about vulnerabilities in certain pieces of software. Those vulnerabilities can result in a decrease of your service level because attackers are very good at exploiting them. This can result in your system being compromised or taken down altogether.

Most of the time there is already a solution for the problem or someone is already working on one, as will be described in the rest of this section.

Bugtraq

Description

BugTraq is a full disclosure moderated mailing-list at securityfocus.com for detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them and how to fix them.

Bugtraq website

The SecurityFocus website brings together many different resources related to security. One of them is the Bugtraq mailing list. There also is a Bugtraq FAQ.

How to subscribe to Bugtraq

Use the webform at http://www.securityfocus.com/ to subscribe to any of the SecurityFocus mailing lists.

CERT

Description

The CERT Coordination Center (CERT/CC) is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. They study Internet security vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems and develop information and training to help you improve security at your site.

Website

CERT maintains a website called The CERT Coordination Center.

How to subscribe to the CERT Advisory mailing list

See the us-cert.gov lists and feeds page to sign up for the CERT Advisory mailing list or for the RSS feeds issued for the various NCAS publications.

CIAC

Description

CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability. Established in 1989, shortly after the Internet Worm, CIAC provides various computer security services free of charge to employees and contractors of the DOE, such as: Incident Handling consulting, Computer Security Information, On-site Workshops, White-hat Audits.

Website

There is a CIAC Website.

Subscribing to the mailing list

CIAC has several self-subscribing mailing lists for electronic publications:

CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information.

CIAC-NOTES for Notes, a collection of computer security articles.

SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability.

SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.

The mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of the mailing lists, send requests of the following form: subscribe list-name LastName, FirstName, PhoneNumber as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName FirstName and PhoneNumber. Send to: ciac-listproc@llnl.gov.

You will receive an acknowledgment containing address and initial PIN, and information on how to change either of them, cancel your subscription or get help.

Unsubscribing from the mailing list

To be removed from a CIAC mailing list, send the following request via E-mail to ciac-listproc@llnl.gov: unsubscribe list-name.

Testing for open mail relays with telnet

Description

An open mail relay is a mail server that accepts mail from anyone and forwards it to any domain, including domains it is not responsible for. This means that everyone can connect to port 25 on that mail server and send mail to whomever they want, which makes the server very attractive to spammers. As a result your server's IP address may end up on anti-spam blacklists, and legitimate mail from it will then be rejected as well.

Testing for open mail relaying

Testing a mail relay is done by offering an email for a recipient in a domain the server is not supposed to relay for, from a source address the server does not trust. If the server accepts AND delivers the email it is an open relay.

In the following example we use telnet to connect to an SMTP server running on port 25 and type the SMTP commands by hand:

	$ telnet localhost 25
	Trying ::1...
	Connected to localhost.
	Escape character is '^]'.
	220 linux.mailserver ESMTP Exim 4.80 Wed, 03 Jul 2013 08:08:06 -0500
	MAIL FROM: bob@example.com
	250 OK
	RCPT TO: root@localhost
	250 Accepted
	DATA
	354 Enter message, ending with "." on a line by itself
	Open Mail Relay test message
	.
	250 OK id=1UuMnI-0001SM-Pe
	QUIT
	221 linux.mailserver closing connection
	Connection closed by foreign host.

The message is accepted because the mail server is configured to accept connections that originate from the local host, and because root@localhost is a valid local email address according to the SMTP server. This particular session therefore proves nothing about relaying: a real test has to be done from an untrusted network and with a recipient in a foreign domain, and the verdict is given by the reply to RCPT TO (a 250 means the server would relay; a 5xx reply such as "relay not permitted" means it will not).
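A relay test that actually answers the question has to come from an outside address and use a recipient in a domain the server does not handle. The script below is an added example, not from the original page: it sends the SMTP dialogue with nc instead of typing it into telnet, and classifies the server from its reply to RCPT TO. The two transcripts used to exercise the classifier are constructed; the probe addresses, the hostname given in EHLO and the timeouts are assumed values.

```shell
#!/bin/sh
# Added example: scripted open-relay probe. Assumed test addresses: sender in
# one foreign domain, recipient in another, neither local to the target
# server, so a 250 to RCPT TO means the server would relay the message.
PROBE_FROM='relaytest@example.com'
PROBE_TO='relaytest@example.net'

# Send the dialogue one command at a time: SMTP wants CRLF line endings, and
# some servers reject commands sent before they have answered the previous one.
smtp_dialogue() {        # usage: smtp_dialogue HOST PORT
    {
        sleep 2
        printf 'EHLO probe.example.com\r\n'; sleep 2
        printf 'MAIL FROM:<%s>\r\n' "$PROBE_FROM"; sleep 2
        printf 'RCPT TO:<%s>\r\n' "$PROBE_TO"; sleep 2
        printf 'QUIT\r\n'
    } | nc -w 10 "$1" "$2"
}

# Classify a server from its replies. Final reply lines are "NNN text";
# "NNN-text" lines are continuations of a multi-line reply and are skipped.
# In order: greeting, EHLO, MAIL FROM, RCPT TO, QUIT, so the 3rd final reply
# answers MAIL FROM and the 4th answers RCPT TO. Prints "open relay",
# "relay refused" or "inconclusive" (e.g. the sender itself was rejected).
judge_relay() {
    tr -d '\r' | awk '
        /^[0-9][0-9][0-9]( |$)/ {
            n++
            if (n == 3) mailcode = substr($1, 1, 1)
            if (n == 4) rcptcode = substr($1, 1, 1)
        }
        END {
            if (n < 4 || mailcode != "2") print "inconclusive"
            else if (rcptcode == "2")     print "open relay"
            else                          print "relay refused"
        }
    '
}

relay_test() {           # usage: relay_test HOST [PORT]
    smtp_dialogue "$1" "${2:-25}" | judge_relay
}

# Constructed transcripts (not from real servers) for trying the classifier.
OPEN_RELAY_TRANSCRIPT='220 mail.example.org ESMTP ready
250 mail.example.org Hello probe.example.com [192.0.2.10]
250 OK
250 Accepted
221 mail.example.org closing connection'

CLOSED_RELAY_TRANSCRIPT='220 mail.example.org ESMTP ready
250-mail.example.org Hello probe.example.com [192.0.2.10]
250-SIZE 52428800
250 HELP
250 OK
550 relay not permitted
221 mail.example.org closing connection'

if [ "$#" -ge 1 ]; then
    relay_test "$@"
fi
```

Because the probe sends QUIT instead of DATA, no message is ever queued on a server that does relay; the 250 to RCPT TO is already the evidence. Run the probe from a host outside the server's trusted networks, since, as the telnet session above shows, a connection from localhost or from a trusted network is accepted regardless of the relay policy.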

Telnet is not considered suitable as a remote login protocol because all data, including passwords, is transmitted in clear text across the network. But the telnet command is very useful for checking open ports and for talking to text-based protocols such as SMTP or HTTP by hand. The target port can be given as an argument, as can be seen in the example above.

Copyright Snow B.V. The Netherlands