Questions and answers

1. System Security

1.1.

List the private network address ranges defined by IANA

  • 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)

  • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)

  • 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Private Network Addresses

1.2.

What does the acronym NAT stand for?

Network Address Translation.

Network Addresses Translation

1.3.

How can a server with a private IP address connect to a server on the internet?

By connecting through a router (or server with router functionality) that performs Network Address Translation.

Network Addresses Translation implementation

1.4.

Which tool is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel?

iptables

iptables

1.5.

Name the netfilter CHAINS

PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

iptables chains

1.6.

Name the netfilter TABLES.

Filter, Nat, Mangle

iptables tables

1.7.

What module is needed to perform stateful firewalling on FTP traffic?

ip_conntrack_ftp

iptables ip_conntrack_ftp

1.8.

What is needed for FTP to work through a firewall ("incoming")?

  • Module ip_conntrack_ftp has to be loaded

  • Incoming NEW connections to port 21 have to be ACCEPTED

  • Incoming traffic for RELATED and ESTABLISHED connections has to be ACCEPTED

  • Outgoing traffic has to be ACCEPTED (at a minimum, traffic from port 21 and traffic for ESTABLISHED and RELATED connections).

FTP through the firewall

1.9.

Name the connection states a packet can be in when arriving at a stateful firewall.

NEW, ESTABLISHED, RELATED, INVALID

iptables connection states

1.10.

What are the minimal iptables rules to enable responding to a ping originating from any server on the network?

Assuming that the network is attached to eth0 (note that the state match requires a --state argument; without it iptables rejects the rule):

iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables allow ICMP

1.11.

What's the difference between FTP in active and passive mode?

In active mode, the client sends the server the IP address and port number on which the client will listen, and the server initiates the TCP connection.

In passive mode the client sends a PASV command to the server and receives an IP address and port number in return. The client uses these to open the data connection to the server.

FTP passive active

1.12.

What protocol is implemented by the routed daemon?

The RIP routing protocol.

routed implements RIP

1.13.

Which 4 targets does iptables know by default?

ACCEPT, DROP, QUEUE, RETURN

iptables default targets

1.14.

Name at least three extended iptables targets

LOG, MARK, REJECT, TOS, MIRROR, SNAT, DNAT, MASQUERADE, REDIRECT

iptables extended targets

1.15.

Which modules are included in iptables by default? (name 4)

tcp, udp, icmp, mac, limit, multiport, mark, owner, state, unclean, tos

iptables modules

1.16.

Describe "DoS with IP address spoofing"

System A sends packets to system B. These packets have the forged source address of system C. As a result system B will send responses to system C.

DoS with IP address spoofing

1.17.

How can DoS attacks be prevented?

DoS attacks cannot be prevented, but their impact can be reduced by applying filtering and rate limiting rules on the firewall.

Preventing DoS

1.18.

What is SSH?

SSH is a secure replacement for rlogin and rsh.

SSH usage

1.19.

Name the possible values for the sshd configuration option PermitRootLogin

yes, no, without-password, forced-commands-only

SSH PermitRootLogin

1.20.

What is the preferred way to display X content from within an ssh session?

Enable X11 forwarding to forward X data to the local display over the SSH connection.

SSH enable X forward

1.21.

Name a security implication of using passphraseless ssh keys and at least one way to reduce the impact.

Anyone with access to the passphraseless key can use it, because no passphrase is needed to unlock it. Set a forced command for the key and preferably limit its use to one (or a few) client host(s).

Passphraseless keys risk

1.22.

How can you make sure you don't have to type in your passphrase for each new connection (using the same key)?

Use ssh-agent to load the key(s) and enable agent forwarding.

ssh-agent

1.23.

What is SNORT?

Snort is a network Intrusion Detection System.

The Snort IDS (Intrusion Detection System)

1.24.

How can services on an internal server with a private IP address be made available for access from the internet?

Configure port forwarding for incoming connections on the firewall.

iptables port forwarding

1.25.

What has to be done to enable passwordless logon?

Create a public/private key pair and add the contents of the public key to the authorized_keys file of the remote user.

SSH authorized_keys

1.26.

What is the most important reason not to perform SOURCE NAT on incoming connections from the internet?

It hampers auditing of these connections on the receiving server because all traffic will seem to originate from the same client (the firewall).

iptables Source Nat consideration

1.27.

How is running pure-ftpd different from running any other FTP server?

Unlike many daemons, Pure-FTPd doesn't read any configuration file (except for LDAP and SQL when used). Instead, it uses command-line options.

Pure-FTPD configuration

1.28.

Do you need to run xhost to allow connections to the local X server if you want to display X output generated in an SSH session with X11 forwarding enabled?

No. Because the X output appears to be generated locally, no xhost settings have to be changed to display the content.

SSH X11 forwarding without xhost

1.29.

How does port forwarding with SSH work?

SSH binds a local port and tunnels all traffic sent to that port through the open SSH connection to a port on a server on the other side of that connection.

SSH port mapping

1.30.

What's the use of nmap?

Nmap can be used to scan a network to determine which hosts are up and what services they are offering.

nmap

1.31.

Describe openVAS.

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management

openvas

1.32.

Name a few sources for security alerts.

  • Bugtraq

  • CERT

  • CIAC

Security alerts

Copyright Snow B.V. The Netherlands