Chapter 18

Network Security and Performance Tuning

SAIGONLAB 69-3 Nguyen Thi Nho, P9, Q.TBinh, Tp. HCM LPI 102
Objectives

Define your role in security
Explain physical and software security
Methods of security
Outline security for NFS, client and server
Data integrity
Network security
Explain and implement iptables
Workstation security

Your role in security

As an administrator, you are ultimately responsible for the security of the system, so you should develop a security plan for it:
Risk assessment: look at each area of your system and understand the potential threats in each area.
Measures: put countermeasures in place to protect your system: physical, software, electronic, ...
Auditing: use monitoring tools, log files, ... to detect intruders.
Response: if security is compromised, what will you do to put the system back the way it was? Use backups/restores, ...

About security

Security is a deep topic. When developing security policies, keep three things in mind:
Eliminate: remove, or do not install, programs and services that you don't need.
Restrict: restrict who has access to the network, file systems, ... by IP address and by user.
Limit risk: limit who has access to programs or utilities reserved for root.

Physical Security

If someone has physical access to a machine, there is very little you can do to stop them from getting into it (booting from other media, resetting the root password, taking the disk away), so physical protection of servers comes before any software control.

Software Security

You can secure your system through OS features and software:
Disable or delete inactive accounts.
Shadow passwords: user password hashes are moved out of the world-readable /etc/passwd into /etc/shadow, which is readable only by root.
Check the permissions of important files and programs: /etc/shadow must be 600 (or 640 with group shadow), never 666; setuid-root programs that change /etc/passwd or /etc/shadow (passwd, chsh, chfn, ...) must be kept to the minimum and kept patched.
Firewall
Proxy server

Software Security (continued)

PAM (Pluggable Authentication Modules): a suite of libraries, configured in /etc/pam.d, that lets the system administrator choose how applications authenticate users.
TCP_WRAPPERS: uses /etc/hosts.allow and /etc/hosts.deny to decide which hosts may connect, provided the service is linked with libwrap or started through the tcpd wrapper.
Big Brother: consists of simple shell scripts that periodically monitor the systems on the network.

Exploit

Exploits: programs, often circulated as C source code, that trigger a flaw in a program (a buffer overflow, ...) to gain access or crash the service. Attackers use them against unpatched systems; knowing which exploits exist for the software you run tells you what to patch first.

Security Tools

Nessus: free, powerful, up-to-date, easy-to-use remote security scanner that automatically audits hosts and flags weaknesses and known exploits.
AIDE (Advanced Intrusion Detection Environment): verifies the integrity of files against a stored baseline, so modified binaries and configuration files are detected.
SNORT: open source IDS performing real-time traffic analysis and packet logging on IP networks; used to detect a variety of attacks and probes: buffer overflows, stealth port scans, CGI attacks, OS fingerprinting attempts, SMB probes. http://www.snort.org

Security Tools

TAMU suite: extremely powerful, includes easy-to-use programs for securing an individual host.
COPS (Computer Oracle and Password System): a collection of security tools designed especially to aid system administrators, programmers, operators, ...
Bastille Linux: enhances the security of a Linux box by configuring daemons, system settings and firewalls. http://www.bastille-linux.org

Network Security

Security is the enforcement of a policy. A security policy requires careful planning and risk analysis.
The elements that security protects:
Availability of services and resources
Integrity of data: application data, configuration data, ...
Confidentiality: resources can only be accessed by authorised people
Some things to consider when planning the policy and its security measures:
Cost
Constraints
Requirements

The Shadow Password Suite (SPS)

Many of the simple commands used to manage users and groups are part of SPS.
User and group password hashes are stored in the /etc/shadow and /etc/gshadow files.
Four key commands in this suite:
pwconv: move the password hashes from /etc/passwd into /etc/shadow
pwunconv: move them back into /etc/passwd
grpconv: the same for /etc/group and /etc/gshadow
grpunconv: the reverse of grpconv

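The checks that the Software Security and Shadow Password Suite slides ask for (the mode of /etc/shadow, hashes that belong in /etc/shadow rather than /etc/passwd, accounts with no password, extra UID 0 accounts) as a script. This is an added example, not part of the course material; the function names, warning texts and the sample accounts alice, bob and toor are constructed for it. It assumes GNU stat (Linux) and runs against whatever passwd/shadow pair it is given, so try it on the constructed copies before pointing it at /etc.

```shell
#!/bin/sh
# Added example, not from the course slides: audit a passwd/shadow pair for
# the problems the slides describe. Assumes GNU stat (stat -c %a).

# mode_ok <file> <max-octal-mode>: succeed if no permission bit outside <max> is set
mode_ok() {
    m=$(stat -c %a "$1") || return 2
    [ $(( 0$m & ~0$2 )) -eq 0 ]
}

# not_shadowed <passwd>: accounts whose second field is not "x", i.e. the hash
# (or an empty password) still sits in the world-readable passwd file
not_shadowed() { awk -F: '$2 != "x" { print $1 }' "$1"; }

# empty_password <shadow>: accounts that log in with no password at all;
# "!" and "*" are locked accounts and are fine
empty_password() { awk -F: '$2 == "" { print $1 }' "$1"; }

# uid0_accounts <passwd>: every account with UID 0, not only root
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# audit_passwd <passwd> <shadow>: print one WARN line per finding, exit 1 if any
audit_passwd() {
    pw=$1; sh=$2; rc=0
    if ! mode_ok "$sh" 640; then
        echo "WARN: $sh mode $(stat -c %a "$sh"), expected 600 or 640 (root:shadow)"; rc=1
    fi
    for u in $(not_shadowed "$pw"); do
        echo "WARN: $u has its password field in $pw instead of $sh (run pwconv)"; rc=1
    done
    for u in $(empty_password "$sh"); do
        echo "WARN: $u has an empty password"; rc=1
    done
    for u in $(uid0_accounts "$pw"); do
        [ "$u" = root ] || { echo "WARN: $u has UID 0 (a second root account)"; rc=1; }
    done
    return $rc
}

# write_sample_files <dir>: constructed passwd/shadow pair with one example of each
# problem (bob not shadowed, alice passwordless, toor a second UID 0, shadow mode 666)
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:$1$abcd$hashhashhashhash:1001:1001:Bob:/home/bob:/bin/sh
toor:x:0:0:backdoor:/root:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$hashhashhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:!:19000:0:99999:7:::
toor:*:19000:0:99999:7:::
EOF
    chmod 666 "$1/shadow"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_sample_files "$d"; audit_passwd "$d/passwd" "$d/shadow"; rm -r "$d"
fi
```

Run it as `sh audit.sh demo` to see the four warnings on the constructed files, or call `audit_passwd /etc/passwd /etc/shadow` as root; the non-zero exit status makes it usable from cron as part of the Auditing step of the security plan.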
Two Main Types of Network Attacks

These are unauthorised access and service attacks.
Unauthorised access: when an unauthorised person gains access to a computer or network, all data on it could be in jeopardy.
Service attack: an attack that uses up all of a server's resources. As a result, legitimate users are affected by the lack of available services. The common form of this attack is the Denial of Service (DoS) attack.

DoS (Denial of Service) Attacks

A DoS attack is characterised by an explicit attempt by attackers to prevent legitimate users of a service from using that service, including:
Flooding a network to inhibit legitimate network traffic
Disrupting the connection between two or more machines to prevent the use of a service
Disrupting a particular service to a specific user or system
...

Types of DoS attack

Buffer overflow attack: oversized input crashes the service (or runs attacker-supplied code)
SYN attack: half-open TCP connections fill the listen backlog so new clients cannot connect
Teardrop attack: overlapping IP fragments crash the reassembly code of vulnerable kernels
Smurf attack: ICMP echo requests sent to a broadcast address with the victim's spoofed source address, so every host on that network floods the victim with replies

Basic NFS security

Security and NFS: the basic problem with NFS is that the client always trusts the server and vice versa.
Client security: forbid setuid programs on NFS-mounted file systems with the nosuid mount option (and nodev, so device files on the export cannot be used either).
Server security:
Use the root_squash option in /etc/exports (the default): the client's root account is mapped to an unprivileged user on the server and cannot read or change files that only the server's root can.
Limit access to the server by client IP address or host name in /etc/exports; never export to every host (*).

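A check of an /etc/exports file for the server-side mistakes the slide warns about: exports open to every host, exports that switch root squashing off, exports with no client list at all. This is an added example, not part of the course material; the function names, the warning texts and the sample exports are constructed for it. It takes the exports file as a parameter, so the constructed sample can be checked first and the real /etc/exports afterwards.

```shell
#!/bin/sh
# Added example, not from the course slides: audit an exports(5) file.
# Line format handled: "/path client(options) client(options) ...".

# audit_exports <exports-file>: one WARN line per finding, exit 1 if any
audit_exports() {
    file=$1; rc=0
    set -f                      # a bare "*" in the file must not glob the cwd
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line            # $1 = exported path, the rest = client specs
        path=$1; shift
        if [ $# -eq 0 ]; then
            echo "WARN: $path has no client list, so every host can mount it"; rc=1
            continue
        fi
        for spec in "$@"; do
            client=${spec%%\(*}                          # text before "("
            opts=${spec#"$client"}; opts=${opts#\(}; opts=${opts%\)}
            case "$client" in
                ''|'*') echo "WARN: $path is exported to every host ($spec)"; rc=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "WARN: $path to $client: no_root_squash lets the client's root act as root on the server"; rc=1 ;;
            esac
            case ",$opts," in
                *,insecure,*)
                    echo "WARN: $path to $client: insecure accepts requests from unprivileged ports, so any user on the client can forge them"; rc=1 ;;
            esac
        done
    done < "$file"
    set +f
    return $rc
}

# write_sample_exports <file>: constructed file, one good entry and three bad ones
write_sample_exports() {
    cat > "$1" <<'EOF'
# exported file systems, see exports(5)
/home         172.16.0.0/255.255.0.0(rw,sync,root_squash)
/srv/pub      *(ro)
/var/backup   backup.my.domain(rw,no_root_squash)
/export/all
EOF
}

if [ "${1:-}" = demo ]; then
    f=$(mktemp); write_sample_exports "$f"; audit_exports "$f"; rm -f "$f"
fi
```

Only the /home line passes: it names a network, keeps root_squash and stays on privileged ports. The check is deliberately strict about `*`, because an export readable by every host is readable by every host that can route to the server, not just the LAN.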
X Window Security

There are many scanners today that can locate a machine running an X server on TCP port 6000 and then probe certain features to determine whether the host is unprotected.
Over a TCP-based network, an intruder who is allowed to connect can open the X display, log and store every keystroke, launch programs, ...
So restrict access with xhost/xauth rather than opening the display with "xhost +", and start the X server with -nolisten tcp unless remote clients are really needed.

Keep Up On Security Updates

http://www.cert.org
http://www.securityfocus.com
http://www.freshmeat.net
http://www.insecure.org
http://www.redhat.com/solutions/security
...

TCP Wrappers

A security layer "wrapped" around network services (smtp, www, ssh, ...) that verifies each request before the service sees it.
The wrapper program, tcpd, sits between inetd and the actual service (ftpd, telnetd, ...) and invokes the service only after it has checked the request. Three main functions:
Responds to and verifies network requests
Logs requests for Internet services (via the authpriv syslog facility for connection requests)
Provides access control via /etc/hosts.allow and /etc/hosts.deny

tcpd Access Control Files

They are /etc/hosts.allow and /etc/hosts.deny.
tcpd searches hosts.allow first and stops at the first matching entry (access granted); then it searches hosts.deny (access denied on a match); a request that matches neither file is allowed. Entry format:
<services>: <clients> [: shell command]
Examples:
in.tftpd: LOCAL, .my.domain
in.tftpd: ALL: spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail -s %d-%h root) &
ALL EXCEPT imapd, ipop3d : ALL
Placed in hosts.deny, the last entry refuses every wrapped service except IMAP and POP3 to any client that hosts.allow did not admit; the spawn entry runs a command (here a finger of the client, mailed to root) when it matches, which is how a booby-trapped tftp entry reports who probed it.

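The hosts.allow / hosts.deny decision procedure from the two tcpd slides, implemented in shell so the evaluation order (allow file first, then deny file, then default allow) can be tried on the slide's own entries. This is an added example, not the tcpd source and not part of the course material. It handles the pattern forms the slides use: ALL, LOCAL, a leading-dot domain suffix, a trailing-dot address prefix, an exact name or address, and "list EXCEPT list"; real tcpd also understands netmasks, netgroups and KNOWN/UNKNOWN/PARANOID, which are left out. The two files are parameters and the constructed pair written by write_sample_acls is assumed, not /etc.

```shell
#!/bin/sh
# Added example, not from the course slides: a simplified tcpd access check.

# wrap_match <pattern> <value>: one pattern against one daemon or client name
wrap_match() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;      # no dot = local
        .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;;    # .my.domain
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;    # 192.168.1.
        *)     [ "$1" = "$2" ] ;;
    esac
}

# list_match <list> <value>: comma/space separated list, with optional EXCEPT
list_match() {
    local list="$1" val="$2" head tail item
    case "$list" in
        *EXCEPT*)
            head=${list%%EXCEPT*}; tail=${list#*EXCEPT}
            list_match "$head" "$val" && ! list_match "$tail" "$val"
            return ;;
    esac
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        wrap_match "$item" "$val" && return 0
    done
    return 1
}

# file_match <daemon> <client> <file>: succeed if any "daemons : clients [: cmd]" entry matches
file_match() {
    local daemon="$1" client="$2" file="$3" line dlist rest clist
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        dlist=${line%%:*}; rest=${line#*:}; clist=${rest%%:*}
        if list_match "$dlist" "$daemon" && list_match "$clist" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# tcpd_decide <daemon> <client> <hosts.allow> <hosts.deny>: prints ALLOW or DENY
# in tcpd's order: a hosts.allow match grants, then a hosts.deny match refuses,
# and a request matching neither file is allowed.
tcpd_decide() {
    if file_match "$1" "$2" "$3"; then echo ALLOW; return 0; fi
    if file_match "$1" "$2" "$4"; then echo DENY; return 1; fi
    echo ALLOW
}

# write_sample_acls <dir>: constructed hosts.allow / hosts.deny built from the slide's entries
write_sample_acls() {
    cat > "$1/hosts.allow" <<'EOF'
in.tftpd: LOCAL, .my.domain
sshd: 192.168.1.
EOF
    cat > "$1/hosts.deny" <<'EOF'
in.tftpd: ALL: spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail -s %d-%h root) &
ALL EXCEPT imapd, ipop3d : ALL
EOF
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_sample_acls "$d"
    for c in lab1 box.my.domain evil.example.com; do
        printf '%-18s %s\n' "in.tftpd $c" "$(tcpd_decide in.tftpd "$c" "$d/hosts.allow" "$d/hosts.deny")"
    done
    rm -r "$d"
fi
```

With these files a tftp request from a local host or from .my.domain is granted by hosts.allow, the same request from evil.example.com hits the booby trap in hosts.deny, and an IMAP or POP3 client from anywhere falls through both files and is allowed, which is exactly why the "ALL EXCEPT" form has to be read carefully before it goes into hosts.deny.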
Wrapper Variables

%a  Client's IP address
%h  Client's host name (or address if the name is unavailable)
%A  Server's IP address
%H  Server's host name (or address)
%c  All available client info
%p  Network daemon PID
%d  Network daemon process name
%s  All available server info
%N  Server's host name (UNKNOWN/PARANOID as for %n)
%%  The % character itself
%n  Client's host name; UNKNOWN if the name lookup failed, PARANOID if the forward and reverse lookups disagree

tcpdump

Used to examine packets on the wire, for security and for troubleshooting.
It reads packets from a network interface and compares each one against the filter expression you give it (for example port 23, or host 172.16.5.1 and not port 22); packets that match are displayed.
(See man tcpdump for more information.)

Introduction To iptables (IPTABLES)

Some related terminology:
filter: something that removes unwanted material while letting wanted material pass through.
proxy: the authority to act on behalf of another. A proxy can cache recently fetched information to speed up access from the internal network.
masquerade: the ability of many internal IP addresses to appear as one particular IP address to the outside network; the general term is NAT (source NAT in particular).
firewall: a combination of the things above that gives the internal network a more secure environment while still allowing access to outside network services.

iptables

It is the packet filtering technology that comes with the Linux kernel.
Earlier kernels used ipfwadm (2.0) and then ipchains (2.2); from kernel 2.4 the filtering framework inside the kernel is called netfilter, and iptables is the user-space tool that configures it.
It provides the ability to accept or drop packets as they arrive, and also controls masquerading and transparent proxying.

IPTABLES

How to install? It is a feature of the Linux kernel, and most Linux distributions ship it already enabled. If you build your own kernel, use the kernel configuration tools (menuconfig, xconfig) to enable the options you plan to use:
– CONFIG_PACKET
– CONFIG_NETFILTER
– CONFIG_IP_NF_CONNTRACK
– CONFIG_IP_NF_FTP
– CONFIG_IP_NF_MATCH_MAC
– CONFIG_IP_NF_IPTABLES
– CONFIG_IP_NF_FILTER
– CONFIG_IP_NF_NAT
– CONFIG_IP_NF_MATCH_STATE
– CONFIG_IP_NF_TARGET_LOG
– CONFIG_IP_NF_MATCH_LIMIT
– CONFIG_IP_NF_TARGET_MASQUERADE

IPTABLES Switches (Options)

-A  Append a new rule to a chain
-N  Create a new user-defined chain
-P  Set the policy (default target) of a built-in chain
-D  Delete a rule
-R  Replace a rule in a chain
-F  Flush (remove) all rules from a chain
-L  List the rules in a chain
-X  Delete a user-defined chain
-Z  Zero the packet and byte counters

IPTABLES Parameters

-p <protocol>        Specify the protocol (tcp, udp, icmp, all)
-s <addr>[/<mask>]   Source address or network
-d <addr>[/<mask>]   Destination address or network
--sport / --dport    Source / destination port (only together with -p tcp or -p udp)
-i / -o <iface>      Interface the packet arrived on / will leave by
-j <target>          The target (ACCEPT, DROP, ...) that handles a matching packet
-v                   Verbose mode

IPTABLES Rules and Features

Targets used to filter packets:
ACCEPT   Allows the packet to pass
DROP     Silently discards the packet (ipchains called this DENY)
REJECT   Like DROP, but sends an error back to the sender
Built-in chains that packets are matched against:
INPUT         Packets addressed to this host
OUTPUT        Packets generated by this host
FORWARD       Packets being routed through this host
user-defined  Chains you create with -N and jump to with -j

IPTABLES Rules and Features

iptables supports some advanced features (the first and last are targets in the nat table):
REDIRECT     Sends the packet to a local port (transparent proxying)
RETURN       Stops traversing a user-defined chain and continues in the chain that called it
MASQUERADE   Packets are masqueraded (source address rewritten to the outgoing interface's address) rather than filtered; the ipchains target was MASQ

Implementing IPTABLES

Basic IP masquerading: an IP packet proxy, where a single registered IP address is shared by a number of clients.
The basic configuration is to set the masquerading host as the clients' default gateway.

Implementing IPTABLES

Using iptables: example rules (the slide's original used ipchains spellings such as MASQ, DENY and lower-case chain names; they are given here in iptables syntax).
Masquerade the 192.168.20.0/24 network behind this host and forward nothing else:
iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.20.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -j MASQUERADE
(Masquerading goes in the nat table, and for all protocols, not only TCP, or the LAN's DNS lookups would fail.)
Example: allow people in the company to send and receive mail and browse the Web, but allow nobody outside to reach our systems except the mail (25), web (80) and POP3 (110) servers:
iptables -A INPUT -i eth1 -s 172.16.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp -d 172.16.5.1 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -d 172.16.5.6 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 172.16.5.4 --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -d 172.16.0.0/16 --syn -j REJECT
Ports are given with --dport after -p tcp; --syn matches only connection attempts, so replies to connections opened from inside still get through. If the mail, web and POP3 hosts sit behind this firewall rather than on it, the same rules belong in the FORWARD chain.

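The slide's scenario (the LAN reaches the Internet through masquerading; from outside only mail, web and POP3 are reachable) as a complete, stateful iptables script, with the SYN rate limiting and logging that the kernel option list above (MATCH_STATE, MATCH_LIMIT, TARGET_LOG) makes possible. This is an added example, not part of the course material. Its assumptions are hypothetical: eth0 faces the outside, eth1 faces the 172.16.0.0/16 LAN, 172.16.5.1 is the mail host, 172.16.5.6 the web host and 172.16.5.4 the POP3 host, and the services run on this box (for hosts behind it, the same rules go in FORWARD). The IPT variable names the iptables binary; setting IPT=echo prints the rules instead of loading them, which is how the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the course slides: a small stateful firewall.
# Run as "sh fw.sh apply" to load it, or IPT=echo to print the rules.
IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
LAN_NET=172.16.0.0/16

# allow_service <port> <host>: open one TCP port, accepting at most 20 new
# connections a second (burst 50); beyond that, log once a minute and drop,
# so a SYN flood cannot fill the listen backlog.
allow_service() {
    port=$1; host=$2
    "$IPT" -A INPUT -p tcp -d "$host" --dport "$port" --syn \
        -m limit --limit 20/second --limit-burst 50 -j ACCEPT
    "$IPT" -A INPUT -p tcp -d "$host" --dport "$port" --syn \
        -m limit --limit 1/minute -j LOG --log-prefix "SYN-LIMIT:"
    "$IPT" -A INPUT -p tcp -d "$host" --dport "$port" --syn -j DROP
}

build_firewall() {
    # start from empty tables with a default-deny policy for what reaches
    # or crosses this host; locally generated traffic is allowed out
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # loopback first
    "$IPT" -A INPUT -i lo -j ACCEPT

    # anti-spoofing: LAN addresses never legitimately arrive on the outside interface
    "$IPT" -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    "$IPT" -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # replies belonging to connections that were already accepted
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # the LAN may talk to this host and out to the Internet, masqueraded
    # behind the outside address (the slide's MASQ rule, in the nat table)
    "$IPT" -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # the three services the outside may reach
    allow_service 25 172.16.5.1
    allow_service 80 172.16.5.6
    allow_service 110 172.16.5.4

    # every other connection attempt: log a few per minute, then refuse
    "$IPT" -A INPUT -p tcp --syn -m limit --limit 3/minute -j LOG --log-prefix "INPUT-REJECT:"
    "$IPT" -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
}

# rule_count: how many rules the script installs (dry run, nothing is loaded)
rule_count() {
    ( IPT=echo; build_firewall ) | grep -c -- '-A '
}

if [ "${1:-}" = apply ]; then
    build_firewall
fi
```

The ESTABLISHED,RELATED rule is what makes the per-port SYN limit safe: only the first packet of each connection is counted against the limit, and everything that follows is accepted by state. Anti-spoofing sits before that rule so a forged LAN source cannot ride in on a fake "established" packet.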
Performance Tuning

Monitoring is used to examine the system's performance and look for bottlenecks or potential problem areas.
Monitoring is also useful for identifying heavily used disks, or users who make excessive demands on the system.
Knowing your system well (what "normal" looks like) is the key to successful performance tuning.

What to monitor

Process (CPU) activity
Disk access (I/O) activity
Memory utilization
Network activity

Monitoring CPU, Process and Memory Usage

Two ways to monitor: vmstat, and looking at /proc/meminfo.
vmstat command output:
procs          memory                 swap      io      system      cpu
 r  b  w   swpd  free  buff cache    si  so   bi  bo   in   cs   us sy id
13  0  0  42352  2796   556    19     0   1    2  25  162  130    3  1 96
r: runnable processes, b: processes blocked on I/O, w: processes swapped out; swpd/free/buff/cache: memory in KB; si/so: pages swapped in/out; bi/bo: blocks in/out; in: interrupts and cs: context switches per second; us/sy/id: CPU time in user, system and idle. The first line is the average since boot, so run vmstat with an interval (vmstat 5) and read the following lines: a steadily high r with low id is a CPU bottleneck, a high si/so is memory pressure.
(/proc/meminfo shows the same memory and swap figures in more detail.)

Other utilities

top, netstat, ps, MRTG (Multi Router Traffic Grapher), ...

Monitoring Log Files

syslog.conf entry format: facility.level action
facility: the subsystem that produced the message, e.g. all mail programs log with the mail facility
level: the severity of the message (debug, info, notice, warning, err, crit, alert, emerg)
action: where the message goes: a log file, a terminal, a user, or @host for a remote syslog server

Monitoring Log Files

Inspecting log files:
# tail -f file
Log rotation and management
Remote logging: something not showing up in the log does not mean it did not happen (an intruder who gets root can edit the local logs), so sending logs to a remote machine or a printer makes log monitoring more trustworthy.

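The Auditing step of the security plan applied to a syslog file: pull failed sshd logins and tcpd refusals out of the log, count them per client address and report every address at or above a threshold. This is an added example, not part of the course material; the function names and the sample log written by write_sample_log are constructed (RFC 5737 test addresses), and the line formats assumed are the classic sshd "Failed password ... from <addr>" and tcpd "refused connect from <addr>" messages.

```shell
#!/bin/sh
# Added example, not from the course slides: count failed logins per host.

# failed_by_host <logfile>: "count address" lines, busiest address first
failed_by_host() {
    awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") hosts[$(i + 1)]++
        }
        /refused connect from/ { hosts[$NF]++ }
        END { for (h in hosts) print hosts[h], h }
    ' "$1" | sort -rn
}

# report_brute_force <logfile> <threshold>: one ALERT line per address at or
# above <threshold>; exit status 0 only when nothing crossed it
report_brute_force() {
    failed_by_host "$1" | awk -v t="$2" '
        $1 >= t { print "ALERT: " $2 " made " $1 " failed attempts"; n++ }
        END { exit n > 0 ? 1 : 0 }
    '
}

# write_sample_log <file>: constructed messages in syslog format
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 12 03:14:01 gw sshd[2201]: Failed password for root from 203.0.113.5 port 4412 ssh2
Oct 12 03:14:03 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 4413 ssh2
Oct 12 03:14:05 gw sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 4414 ssh2
Oct 12 03:14:06 gw in.telnetd[2210]: refused connect from 10.0.0.9
Oct 12 03:14:09 gw sshd[2212]: Accepted publickey for alice from 172.16.5.20 port 50122 ssh2
Oct 12 03:14:12 gw sshd[2214]: Failed password for root from 203.0.113.5 port 4415 ssh2
Oct 12 03:15:40 gw sshd[2230]: Failed password for bob from 198.51.100.7 port 6001 ssh2
Oct 12 03:15:44 gw sshd[2231]: Failed password for bob from 198.51.100.7 port 6002 ssh2
EOF
}

if [ "${1:-}" = demo ]; then
    f=$(mktemp); write_sample_log "$f"; report_brute_force "$f" 3; rm -f "$f"
fi
```

On the sample, 203.0.113.5 is reported with four failures while 198.51.100.7 (two) and 10.0.0.9 (one refusal) stay below the threshold of 3. Pointed at the copy of the log kept on the remote loghost, the report is independent of anything an intruder may have removed from the local file.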
Troubleshooting

Install Problems
LILO Errors
Printer
Repairing File System
Hardware and IRQ
…

Summary

Define your role in security
Explain physical and software security
Methods of security
Outline security for NFS, client and server
Data integrity
Network security
Explain and implement iptables
Workstation security