Security tasks (212.4)
Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.
Key Knowledge Areas:
Tools and utilities to scan and test ports on a server
Locations and organizations that report security alerts as Bugtraq, CERT, or other sources
Tools and utilities to implement an intrusion detection system (IDS)
Awareness of OpenVAS and Snort
Terms and utilities:
Netcat (nc) is a very versatile network tool. Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable \"back-end\" device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool. Netcat's features are numerous; Netcat can, for instance, be used as a proxy or portforwarder. It can use any local source port, or use loose source-routing. It is commonly referred to as the TCP/IP Swiss army knife.
Some of the major features of netcat are:
Outbound or inbound connections, TCP or UDP, to or from any ports
Full DNS forward/reverse checking, with appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network source address
Built-in port-scanning capabilities, with randomizer
Built-in loose source-routing capability
Can read command line arguments from standard input
Slow-send mode, one line every N seconds
Hex dump of transmitted and received data
Optional ability to let another program service establish connections
Optional telnet-options responder
telnet Because netcat does not make any assumptions about the protocol
used across the link, it is better suited to debug connections than
Example netcat. Using netcat to perform a port scan
With the -z option netcat will perform a portscan on the ports given on the command line. By default netcat will produce no output. When scanning only one port the exit status indicates the result of the scan, but with multiple ports the exit status will allways be \"0\" if one of the ports is listening. For this reason using the \"verbose\" option will be useful to see the actual results:
# nc -vz localhost 75-85 nc: connect to localhost port 75 (tcp) failed: Connection refused nc: connect to localhost port 76 (tcp) failed: Connection refused nc: connect to localhost port 77 (tcp) failed: Connection refused nc: connect to localhost port 78 (tcp) failed: Connection refused Connection to localhost 79 port [tcp/finger] succeeded! Connection to localhost 80 port [tcp/http] succeeded! nc: connect to localhost port 81 (tcp) failed: Connection refused nc: connect to localhost port 82 (tcp) failed: Connection refused nc: connect to localhost port 83 (tcp) failed: Connection refused nc: connect to localhost port 84 (tcp) failed: Connection refused nc: connect to localhost port 85 (tcp) failed: Connection refused
The man page of netcat shows some more examples on how to use netcat.
Netcat can easily be used in scripts for a lot of tests you want to run automated.
Fail2ban scans log files like
/var/log/apache/error_log, and bans IP addresses that cause too many
rejected password attempts. It updates firewall rules to block the IP
Fail2ban's main function is to block IP addresses that belong to hosts
that may be trying to breach the system's security. It determines these
by monitoring log files (e.g.
etc.) and bans any host IP that does too many login attempts or performs
any other unwanted action within a time frame set by the administrator.
Fail2ban is typically configured to unban a blocked host after a certain
period, so as to not \"lock out\" any genuine connections. An unban time
of several minutes is usually sufficient to prevent a network connection
from being flooded by malicious attempts, as well as to reduce the
likelihood of a successful dictionary attack.
nmap is a network exploration tool and nmap security scanner. It
can be used to scan a network, determine which hosts are up and what
services they are offering.
nmap supports a large number of scanning techniques network scanning
nmapnetwork scanning such as: UDP, TCP connect(), TCP SYN (half open),
ftp proxy (bounce TCP SYN bounce attack reverse-ident ping sweep ACK
sweep Xmas Tree SYN sweep NULL Scan nmapTCP SYN nmapbounce attack
nmapreverse-ident nmapping sweep nmapACK sweep nmapXmas Tree nmapSYN
sweep nmapNULL Scan attack), Reverse-ident, ICMP (ping sweep), FIN, ACK
sweep, Xmas Tree, SYN sweep, IP Protocol and Null scan.
If you have built a firewall, and you wish to check that no ports are
open nmaptesting a firewall that you do not want open,
nmap is the
tool to use.
If a machine gets infected by a rootkit, some system utilities like
netstat will usually be replaced by the attacker. The
modified versions of these commands aide the attacker by not showing all
available processes and listening ports. By performing portscans against
our host we can explore which ports are open, and compare this with a
list of known services. As an example, here's an example of a TCP
portscan against our localhost:
$ nmap -sT localhost Starting Nmap 6.25 ( http://nmap.org ) at 2020-05-08 11:51 CEST Nmap scan report for localhost (127.0.0.1) Host is up (0.0011s latency). Other addresses for localhost (not scanned): 127.0.0.1 Not shown: 993 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 443/tcp open http 389/tcp open ldap Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
nmap will only scan the 1000 most common ports. Use the
-p 1-65535 or
-p - switch to scan all available ports.
Let's perform the same scan, using the UDP protocol:
$ nmap -sU localhost You requested a scan type which requires root privileges. QUITTING!
Nmap is a very powerful network scanner, but some options require root
privileges. If you would perform the command
localhost both as root and using your own privileges,
nmap would use the
-sS option as root and the
-sT when run with
normal user privileges.
Now, let's run the UDP scan again using root privileges trough sudo:
$ sudo nmap -sU localhost Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-08 12:42 CEST Nmap scan report for localhost (127.0.0.1) Host is up (0.0000090s latency). Other addresses for localhost (not scanned): ::1 Not shown: 998 closed ports PORT STATE SERVICE 111/udp open rpcbind 2049/udp open nfs Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
Nmap is a very versatile and powerful tool, and offers a variety of options regarding its capabilities. Nmap can, for example, be used for active TCP/IP stack fingerprinting to determine the remote OS. You need administrator rights to do this:
jos@xml:~$ nmap -A lpic2.unix.nl Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-08 12:46 CEST Nmap scan report for lpic2.unix.nl (18.104.22.168) Host is up (0.011s latency). Other addresses for lpic2.unix.nl (not scanned): 2a01:7c8:aab3:101::8080 rDNS record for 22.214.171.124: 149-210-155-120.colo.transip.net Not shown: 995 filtered ports PORT STATE SERVICE VERSION 25/tcp closed smtp 80/tcp closed http 443/tcp open ssl/ssl Apache httpd (SSL-only mode) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.43 (FreeBSD) OpenSSL/1.1.1d-freebsd |_http-title: Maintenance | ssl-cert: Subject: commonName=lpic2.unix.nl | Subject Alternative Name: DNS:lpic2.unix.nl | Not valid before: 2020-05-06T08:18:57 |_Not valid after: 2020-08-04T08:18:57 |_ssl-date: TLS randomness does not represent time 2222/tcp open ssh OpenSSH 7.8 (FreeBSD 20180909; protocol 2.0) | ssh-hostkey: | 2048 98:60:f4:d9:52:42:79:9c:81:bc:04:09:1b:97:3d:d3 (RSA) | 256 04:d7:19:2d:c9:81:b4:26:c6:22:46:b0:f8:98:10:c8 (ECDSA) |_ 256 48:a7:4f:e9:c1:89:d0:67:8e:44:ab:29:a9:70:1c:b7 (EdDSA) 8080/tcp closed http-proxy Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 18.04 seconds
As you can tell from the output, the tested machine was the machine which host this website.
Please consult the manpage of
nmap(1) to learn more about its
OpenVAS The Open Vulnerability Assessment System (OpenVAS) is an open source framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total (as of May 2020).
Detailed information about OpenVAS can be found at: Openvas - Open vulnerability assessment system community site.
The Snort IDS (Intrusion Detection System)
Snort Snort is an open source network intrusion detection system (NIDS) capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet-sniffer like tcpdump, a packet-logger (useful for network traffic debugging, etc), or as a full blown network-intrusion detection system. Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the foreign host.
Basic structure of Snort rules
All Snort rules have two logical parts: rule header and rule options.
The rule header contains information about what action a rule takes. It also contains criteria for matching a rule against data packets. The options part usually contains an alert message and information about which part of the packet should be used to generate the alert message. The options part contains additional criteria for matching a rule against data packets. A rule may detect one type or multiple types of intrusion activity. Intelligent rules should be able to apply to multiple intrusion signatures.
Structure of Snort rule headers
The action part of the rule determines the type of action taken when criteria are met and a rule is exactly matched against a data packet. Typical actions are generating an alert or log message or invoking another rule. You will learn more about actions later in this chapter.
The protocol part is used to apply the rule on packets for a particular protocol only. This is the first criterion mentioned in the rule. Some examples of protocols used are IP, ICMP, UDP etc.
The address parts define source and destination addresses. Addresses may be a single host, multiple hosts or network addresses. You can also use these parts to exclude some addresses from a complete network. More about addresses will be discussed later. Note that there are two address fields in the rule. Source and destination addresses are determined based on direction field. As an example, if the direction field is "->", the Address on the left side is source and the Address on the right side is destination.
In case of TCP or UDP protocol, the port parts determine the source and destination ports of a packet on which the rule is applied. In case of network layer protocols like IP and ICMP, port numbers have no significance.
The direction part of the rule actually determines which address and port number is used as source and which as destination.
Just some examples:
alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;) alert udp any 1024:2048 -> any any (msg: "UDP ports";) alert tcp 192.168.2.0/24 23 <> any any (content: "confidential"; msg: "Detected confidential";) log udp any !53 -> any any log udp
Detailed information about Snort can be found at: Snort IDS.
Intrusion Detection and Prevention Systems
When talking about Intrusion Detection Systems (IDS), we can make a distinction between Host Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS). A HIDS alerts when a host is suffering from suspicious activities. A NIDS usually inspects network traffic, preferably at a low level and alerts if suspicious traffic is detected.
Some IDS systems can be configured in a way that they do not only send out an alert, but also prevent access to a certain resource. This resource can either be a TCP/IP or UDP port, a physical port on a network device or complete access to a certain host or network segment trough a router or firewall. Since these systems not only detect, but also prevent they are called Intrusion Prevention Systems (IPS). As well as with IDS systems, we can distinguish HIPS from NIPS systems.
Both intrusion detection and intrusion prevention systems use a system of definitions for detection. These definitions describe certain characteristics that when met, trigger off an alert or countermeasure. If a detection takes place and is correct, we call this a true positive. If a detection takes place but is inaccurate, this is called a false positive.. When the system does not detect something that does not occur, this is called a true negative. When there actually is an event which is not detected by the system, this is called a false negative.
Often, the detection capabilities of the IDS are expanded by using heuristic detection methods. In order for these to be both effective and accurate, the system needs to be trained. During this period, a lot of false positives may be detected which isn't a bad thing. But the system needs to be tweaked so the amount of false positives will be reduced to a minimum. A false negative is equal to having no IDS in place, and is the most undesirable behavior for an IDS.
Keeping track of security alerts
Security alerts are warnings about vulnerabilities in certain pieces security alerts of software. Those vulnerabilities can result in a decrease of your vulnerability service level because certain individuals are very good at misusing those vulnerabilities. This can result in your system being hacked or blown out of the water.
Most of the time there is already a solution for the problem or someone is already working on one, as will be described in the rest of this section.
BugTraq is a full disclosure moderated mailing-list at securityfocus.com for detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them and how to fix security vulnerabilities them.
The SecurityFocus website brings together many different resources related to security. One of them is the securityfocus Bugtraq mailing list. There also is a Bugtraq FAQ.
How to subscribe to Bugtraq
Use the webform at http://www.securityfocus.com/ to subscribe to any of the SecurityFocus mailing lists.
The CERT Coordination Center (CERT/CC) is a center of Internet CERT security expertise, at the Software Engineering Institute, a SEI federally funded research and development center operated by Carnegie Mellon University. They study Internet security Carnegie Mellon vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems and develop information and training to help you improve security at your site.
CERT maintains a website called CERThttp://www.cert.org The CERT Coordination Center CERThttp://www.cert.org
How to subscribe to the CERT Advisory mailing list
See the us-cert.gov lists and feed page to sign up for the CERT Advisory mailing list or the RSS feeds issued on diverse NCAS publications.
CIAC is the U.S. Department of Energy's Computer Incident Advisory CIAC Capability. Established in 1989, shortly after the Internet Worm, CIAC provides various computer security services free of charge to employees and contractors of the DOE, such as: Incident Handling consulting, Computer Security Information, On-site Workshops, White-hat Audits.
There is a CIAC Website.
Subscribing to the mailing list
CIAC has several self-subscribing mailing lists for electronic CIACsubscribing publications:
CIAC-BULLETIN for Advisories, highest priority - time critical CIACBULLETIN information, and Bulletins, important computer security information.
CIAC-NOTES for Notes, a collection of computer security articles. CIACNOTES
SPI-ANNOUNCE for official news about Security Profile Inspector CIACSPI-ANNOUNCE (SPI) software updates, new features, distribution and availability.
SPI-NOTES, for discussion of problems and solutions regarding the CIACSPI-NOTES use of SPI products.
The mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of the mailing lists, send requests of the following form: subscribe list-name LastName, FirstName, PhoneNumber as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc\@llnl.gov. CIAC ciac-listproc\@llnl.gov
You will receive an acknowledgment containing address and initial PIN, and information on how to change either of them, cancel your subscription or get help.
Unsubscribing from the mailing list
To be removed from a CIAC mailing list, send the following request via CIAC unsubscribe E-mail to ciac-listproc\@llnl.gov: unsubscribe list-name.
Testing for open mail relays with telnet
An open mail relay is a mail server that accepts SMTP connections open relay from anywhere and will forward emails to any domain. This means that everyone can connect to port 25 on that mail server and send mail to whomever they want. As a result your server's IP might end up on anti-spam blacklists. blacklisting
Testing for open mail relaying
open relay how to testTesting a mail relay can be done by delivering an email for a recipient to a server that's not supposed to do any relaying for the recipients domain. If the server accepts AND delivers the email it is an open relay.
In the following example we use
telnet to connect to a SMTP server
running on port 25:
$ telnet localhost 25 Trying ::1... Connected to localhost. Escape character is '^]'. 220 linux.mailserver ESMTP Exim 4.80 Wed, 03 Jul 2019 08:08:06 -0500 MAIL FROM: firstname.lastname@example.org 250 OK RCPT TO: root@localhost 250 Accepted DATA 354 Enter message, ending with "." on a line by itself Open Mail Relay test message . 250 OK id=1UuMnI-0001SM-Pe QUIT 221 linux.mailserver closing connection Connection closed by foreign host.
The message is accepted because the mailserver is configured to accept
connections that origin from the local host, and because
root@localhost is a valid email address according to the SMTP server.
Telnet is not considered very suitable as a remote login protocol
because all data is being transmitted in clear text across the network.
telnet command is very useful for checking open ports. The
target port can be given as an argument, as can be seen in the example