Manage Security Flashcards

1
Q

access firewall through GUI

A

System -> Administration -> Firewall

Any changes made using this utility will overwrite any manual changes made to the iptables file.

2
Q

/etc/services

A

The /etc/services file is a list of predefined services along with the port numbers and protocols associated with them.

3
Q

netfilter

A

Netfilter is the standard firewall framework in the Linux kernel; it is controlled with the iptables command.

4
Q

files where firewall rules are stored

A

The firewall rules are stored in /etc/sysconfig/iptables

5
Q

IPtables rules

A

The iptables rules are organised in three built-in chains:
INPUT: processes packets coming into the system.
FORWARD: processes packets that are routed through the system.
OUTPUT: processes packets that originate from the system.
Example (as stored in /etc/sysconfig/iptables):
:INPUT ACCEPT [0:0] -> default policy of the INPUT chain is ACCEPT
-A INPUT -i lo -j ACCEPT -> allow all input on the loopback interface
The iptables rules are processed from top to bottom.

6
Q

IPtables command

A
# service iptables restart -> restarts the iptables service
# iptables -L -> list the rules that are loaded in memory
# iptables -F -> flush all rules
7
Q

Modifying firewall rules

A
When modifying firewall rules with the iptables command, it is better to insert (-I) than to append (-A): insert puts the new INPUT rule at the top of the chain, before the REJECT rules.
# iptables -I INPUT -p tcp --dport 21 -j ACCEPT
This change is only temporary; once the machine restarts (or the service restarts), it is lost. To make the change permanent:
# service iptables save
# service iptables restart
To delete the rule:
# iptables -D INPUT -p tcp --dport 21 -j ACCEPT
# service iptables save
8
Q

Configure SSH key-based authentication

A

Instead of connecting through login/password to a remote host, SSH allows you to use key-based authentication. To set up key-based authentication, you need two virtual/physical servers that we will call server1 and server2. On the server1, create a user user01 with password user01:

# useradd user01
# passwd user01

On the server2, create the same user with password user01:

# useradd user01
# passwd user01

On the server1, connect as this new user:

# su - user01

Generate a private/public key pair for key-based authentication (here an RSA key with 2048 bits and no passphrase):

[user01@server1 ~]$ ssh-keygen -b 2048 -t rsa

Still on server1, copy the public key to server2.

[user01@server1 ~]$ ssh-copy-id -i .ssh/id_rsa.pub user01@server2.example.com

On the server2, edit the /etc/ssh/sshd_config file and set the following options:

PasswordAuthentication no
PubkeyAuthentication yes

Note: Don't hesitate to set up virtual console access on server2; this will avoid re-installing the physical/virtual server if something goes wrong.

Restart the sshd service:

# systemctl restart sshd

On the server1 as user01, connect to the server2:

[user01@server1 ~]$ ssh server2.example.com

9
Q

Packages to install to troubleshoot SELinux

A

# yum install policycoreutils-gui setroubleshoot
Then run system-config-selinux, or open it from the GUI: System -> Administration -> SELinux Management

10
Q

get and change SELinux modes

A

In the GUI, under the Status category, you can change the enforcing mode.
# getenforce -> see the current SELinux mode
# setenforce Permissive
# setenforce 0 -> boolean value:
-> 0 - Permissive
-> 1 - Enforcing
# setenforce Enforcing -> set enforcing mode
To make the change permanent, edit the file /etc/selinux/config.
You can also get the current SELinux status using:
# sestatus

11
Q

List and identify SELinux file and process context

A
To get the SELinux file context:
# ls -Z
To get the SELinux process context:
# ps -eZ
Any process labelled unconfined_t is not confined by SELinux.
12
Q

change security context on a file

A
To change the security context on a file:
# chcon --reference /root/anaconda-ks.cfg_backup /etc/ssh/sshd_config
-> copies the context of the anaconda file to the sshd_config file
-> this actually breaks the sshd service: if you try to start the service, you get an AVC denial error
13
Q

Parsing SELinux AVC messages

A
You can use the sealert command to parse SELinux AVC messages:
# sealert -a /var/log/audit/audit.log
14
Q

restore SELinux file context

A
Use the restorecon command to restore the SELinux file context:
# restorecon -R -v /etc/ssh/sshd_config
15
Q

To set the security context of the file (not mandatory)

A
# chcon -t etc_t /etc/ssh/sshd_config -> temporary fix
# semanage fcontext -a -t etc_t "/etc/ssh/sshd_config" -> to make it permanent
# restorecon -R -v /etc/ssh/sshd_config -> also needed to make it permanent
16
Q

list SELinux Booleans

A

To see a complete list of SELinux Booleans on your system at the command line, run:
# semanage boolean -l | less
You can also use the system-config-selinux application.
# getsebool -a | grep ftp -> get the Booleans for the ftp service
To get a more detailed list of SELinux Booleans with the semanage command, you might first need to install:
# yum install -y setroubleshoot-server
# semanage boolean -l
To get the list of SELinux Booleans set to a non-default value:
# more /etc/selinux/targeted/modules/active/booleans.local

17
Q

set SELinux boolean for services

A
# setsebool ftp_home_dir on -> you can also use off, 0 or false to turn off, and on, 1 or true to turn on
# setsebool -P ftp_home_dir on -> for a permanent change

18
Q

Display the SELinux policy violations

A

You'll need to install the setroubleshoot-server package:
# yum install -y setroubleshoot-server
To display the SELinux policy violations:
# sealert -a /var/log/audit/audit.log

19
Q

Firewalld

A

Firewalld is the new userland interface in RHEL 7. It replaces the iptables interface and connects to the netfilter kernel code. It mainly improves the security rules management by allowing configuration changes without stopping the current connections. You can still use iptables, but you shouldn’t have both of those running.

20
Q

To know if Firewalld is running, type:

A

# systemctl status firewalld

or alternatively:
# firewall-cmd --state
Note: If Firewalld is not running, the command displays "not running".

21
Q

If you’ve got several network interfaces in IPv4,

A

you will have to activate ip forwarding.
To do that, paste the following line in the /etc/sysctl.conf file:
net.ipv4.ip_forward=1

Then, activate the configuration:
# sysctl -p
22
Q

Diagnose and address routine SELinux policy violations

A

Install the setroubleshoot-server package:

# yum install -y setroubleshoot-server
Display the SELinux policy violations:
# sealert -a /var/log/audit/audit.log
In addition, when an AVC (Access Vector Cache) event occurs, you can grab the associated line displayed in the /var/log/audit/audit.log file and send it to the audit2why command to get a diagnostic.

For example, let’s assume you’ve got this line in your /var/log/audit/audit.log file:

type=AVC msg=audit(1415714880.156:29): avc: denied { name_connect } for pid=1349 \
comm="nginx" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 \
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Execute this command to get a diagnostic:
# grep 1415714880.156:29 /var/log/audit/audit.log | audit2why
23
Q

Zone management

A

Also, a new concept of zone appears: all network interfaces can be located in the same default zone or divided into different ones according to the levels of trust defined. In the latter case, this allows traffic to be restricted based on the zone of origin.
Note: Without any configuration, everything is done by default in the public zone. If you've got more than one network interface or use sources (see the Source management card below), you will be able to restrict traffic between zones.

To get the default zone, type:
# firewall-cmd --get-default-zone
public
To get the list of zones where you’ve got network interfaces or sources assigned to, type:
# firewall-cmd --get-active-zones
public
interfaces: eth0
To get the list of all the available zones, type:
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
To change the default zone to home permanently, type:
# firewall-cmd --set-default-zone=home
success

Network interfaces can be assigned to a zone in a temporary (until the next reboot or reload) or permanent way.

To assign the eth0 network interface temporarily to the internal zone, type:

# firewall-cmd --zone=internal --change-interface=eth0
success
To assign the eth0 network interface permanently to the internal zone (a file called internal.xml is created in the /etc/firewalld/zones directory), type:
# firewall-cmd --permanent --zone=internal --change-interface=eth0
success

To know which zone is associated with the eth0 interface, type:
# firewall-cmd --get-zone-of-interface=eth0
internal
To get all the details about the public zone, type:
# firewall-cmd --zone=public --list-all

Note: The --list-all option only displays the permanent settings.

It is also possible to create new zones. To create a new zone (here test), type:
# firewall-cmd --permanent --new-zone=test
# firewall-cmd --reload
24
Q

Source management

A

A zone can be bound to a network interface (see above) and/or to a network address range (called here a source).
Any network packet entering the network stack is associated with a zone.
The association is done according to the following pattern:
- is the packet coming from a source already bound to a zone? (if yes, it is associated with this zone),
- if not, is the packet coming from a network interface already bound to a zone? (if yes, it is associated with this zone),
- if not, the packet is associated with the default zone.

This way, multiple zones can be defined even on a server with only one network interface!

To add a source (here 192.168.2.0/24) to a zone (here trusted) permanently, type:
# firewall-cmd --permanent --zone=trusted --add-source=192.168.2.0/24
success
Note1: Use the --remove-source option to delete a previously assigned source.
Note2: Use the --change-source option to move the source to the newly specified zone.
To get the list of the sources bound to a zone (here trusted) permanently, type:
# firewall-cmd --permanent --zone=trusted --list-sources
192.168.2.0/24
To keep track of your configuration (active zones are zones, that have a binding to an interface or source), type:
# firewall-cmd --get-active-zones
25
Q

Service management

A
After assigning each network interface to a zone, it is possible to add services to each zone.
To allow the http service permanently in the internal zone, type:
# firewall-cmd --permanent --zone=internal --add-service=http
success
# firewall-cmd --reload

Note1: Type --remove-service=http to deny the http service.

Note2: The firewall-cmd --reload command is necessary to activate the change. Contrary to the --complete-reload option, current connections are not stopped.

To get the list of services in the default zone, type:
# firewall-cmd --list-services
dhcpv6-client ssh

Note: To get the list of the services in a particular zone, add the --zone= option.

26
Q

Service firewall configuration

A

With the Firewalld package, the firewall configuration of the main services (ftp, httpd, etc) comes in the /usr/lib/firewalld/services directory. But it is still possible to add new ones in the /etc/firewalld/services directory. Also, if files exist at both locations for the same service, the file in the /etc/firewalld/services directory takes precedence.

For example, this is the case of the HAProxy service: there is no firewall configuration associated with it.
Create the /etc/firewalld/services/haproxy.xml file and paste the following lines (standard firewalld service file format):

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HAProxy</short>
  <description>HAProxy load-balancer</description>
</service>

Add a <port protocol="tcp" port="PORT"/> element inside <service> for each port HAProxy listens on (PORT is a placeholder for your own value).

Assign the correct SELinux context and file permissions to the haproxy.xml file:
# cd /etc/firewalld/services
# restorecon haproxy.xml
# chmod 640 haproxy.xml
Add the HAProxy service to the default zone permanently and reload the firewall configuration:
# firewall-cmd --permanent --add-service=haproxy
# firewall-cmd --reload
27
Q

Port management

A

Port management follows the same model as service management.

To allow the 443/tcp port temporarily in the internal zone, type:
# firewall-cmd --zone=internal --add-port=443/tcp
success
# firewall-cmd --reload
Note: type --remove-port=443/tcp to deny the port.
To get the list of ports open in the internal zone, type:
# firewall-cmd --zone=internal --list-ports
443/tcp
28
Q

Masquerading

A

If your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called internal, the other external, and configure masquerading on the external zone. This way, all packets will get your firewall ip address as source address.

To set up masquerading on the external zone, type:
# firewall-cmd --zone=external --add-masquerade

Note1: To remove masquerading, use the --remove-masquerade option.

Note2: To know if masquerading is active in a zone, use the --query-masquerade option.

29
Q

Port forwarding

A
In addition to masquerading, you may want to use port forwarding.
If you want all packets intended for port 22 to be forwarded to port 3753, type:
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

Note1: To remove port forwarding, use the --remove-forward-port option.

Note2: To know if port forwarding is active in a zone, use the --query-forward-port option.

Also, if you want to define the destination ip address, type:
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=10.0.0.1
30
Q

Direct rules

A
It is still possible to set specific rules by using the direct mode (here to open the tcp port 9000), which bypasses the Firewalld zone interface:
# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
success
# firewall-cmd --reload

Note: This last example has been borrowed from Khosro Taraghi’s blog.

To display all the direct rules added, type:
# firewall-cmd --direct --get-all-rules