Server security

Question 1

Where can you find a list of services and associated ports?

Answer 1

/etc/services

Question 2

Telnet shouldn’t be used for remote access nowadays, however it is still useful. How?

Answer 2

As a troubleshooting tool, to check ports are open. Also to check the response from the server when clients access the port - is the server giving away more information than is necessary?

Question 3

Which tool can check which ports are open, listening or have active connections.

Answer 3

netstat

netstat -ltn #listening tcp ports
netstat -lun #listening udp ports

the ss tool can also do this, but it is not covered in this exam.

Question 4

What is netcat (or nc)

Answer 4

a network tool that can listen and connect to ports over the network. It can also be used to do a rudimentary port scan e.g. to

nc -vz localhost 100-200

Question 5

How would you scan localhost for open TCP ports in the range 50 to 150 with nmap

Answer 5

nmap -sT -p 50-150 localhost

Question 6

How would you scan localhost for open UDP ports in the range 50 to 150 with nmap

Answer 6

nmap -sU -p 50-150 localhost

Question 7

How can you use nmap to try to identify the operating system on a machine on your network.

Answer 7

use nmap fingerprinting -A switch e.g.

nmap -A localhost

Question 8

What is openvas (www.openvas.org)?

Answer 8

An opensource application that can detect vulnerabilities on your linux system. It receives network vulnerability updates (NVT) daily, so it is able to provide up-to-date testing.

Question 9

How would you install OpenVAS on Debian?

Answer 9

sudo apt-get install openvas-server

Question 10

How would you install OpenVAs on Redhat

Answer 10

yum install openvas

Question 11

Which port does the openvas tool webserver run on

Answer 11

Port 9392

Question 12

What is fail2ban

Answer 12

An intrusion detection application that monitors log files and blocks IP addresses for failed authentication attempts

Question 13

What is the fail2ban config file

Answer 13

The main config is jail.conf, user defined options in jail.local

Question 14

What is SNORT

Answer 14

Snort is a network intrusion detection system. It is placed on the network where is can see all traffic and monitors the traffic for intrusion attempts.

Question 15

Snort has 3 modes, what are they

Answer 15

1. Sniffer (dumps all packets to the network)
2. Packet logger (logs all packets to a file)
3. NIDS - Intrusion detection - reports intrusion attempts

Question 16

Where is the Snort config utility and what is it called?

Answer 16

/etc/snort/snort.conf

Question 17

What is the HOME_NET Snort variable used to define?

Answer 17

HOME_NET is used to defined the local network ranges to monitor

Question 18

What is the EXTERNAL_NET Snort variable used to define?

Answer 18

EXTERNAL_NET is used to defined the external network ranges to monitor

Question 19

Snort rules format?

Answer 19

action protocol address direction address options

e.g.
alert icmp any any -> 192.168.10.0/24 any (msg: “Ping traffic detected”

Question 20

Snort rules can be quite complex - luckily there is a package of predefined snort rules called..

Answer 20

pulledpork

Question 21

What is NAT?

Answer 21

Network address translation

Question 22

How does NAT help security?

Answer 22

It hides internal IP addresses from external networks

Question 23

What are the 3 IP ranges used for private IP addressing

Answer 23

10. 0.0.0 - 10.255.255.255
11. 16.0.0 - 172.31.255.255
12. 168.0.0 - 192.168.255.255

Question 24

IPv6 defines link local addresses as standard how do these addresses start?

Answer 24

fe80:

Question 25

The Linux kernal uses an internal process called {answer] to process network packets

Answer 25

chains

Question 26

What are the 5 linux chains used to process packets in iptables

Answer 26

1. PREROUTING before decision making 2. INPUT packets destined for local system 3. FORWARD handles packets being forwarded 4. POSTROUTING handles packets being sent to remote after the FORWARD filter 5. OUTPUT handles packets output from the local system

Question 27

What are the 3 types of tables in iptables?

Answer 27

1. FILTER - apply filter rules to allow or block 2. MANGLE - apply rules to change the packet 3. NAT - apply rules to change the address

Question 28

iptables command-line option to add a new rule

Answer 28

-A

Question 29

iptables command-line option to delete a rule

Answer 29

-D

Question 30

iptables command-line option to remove a chain or all chains

Answer 30

-F

Question 31

iptables command-line option to list a specifed chain or all chains

Answer 31

-L

Question 32

iptables command-line option to set the default policy for a chain

Answer 32

-P

Question 33

iptables command-line option to specify the table a rule applies to

Answer 33

-t

Question 34

What are the possible options for a chains default policy?

Answer 34

ACCEPT (packets accepted) DROP (packets silently dropper) LOG (packet is logged and passed to next chain) REJECT (packet is not passed, and sender is notified)

Question 35

What is this iptables command doing? | sudo iptables -t filter -P OUTPUT DROP

Answer 35

It sets the default policy to DROP on the filter table in the OUTPUT chain. (That is, if no other rules are matched, the packet is dropped)

Question 36

What is this iptables command doing? | sudo iptables -A INPUT -s 10.0.1.25 -j REJECT

Answer 36

this adds a rule in the INPUT chain to Reject packets that have come from the source 10.0.1.25

Question 37

How do you save your changes to iptables?

Answer 37

iptables-save > iptables.txt

Question 38

How would you restore your iptables rules save in iptables.txt?

Answer 38

iptables-restore < iptables.txt

Question 39

iptables rule option to specify a destination address

Answer 39

-d

Question 40

iptables rule option to jump to a new chain

Answer 40

-g

Question 41

iptables rule option to take an action (ACCEPT, DROP etc.)

Answer 41

-j

Question 42

iptables rule option to match a protocol

Answer 42

-p

Question 43

iptables rule option to match a source address

Answer 43

-s

Question 44

iptables rule option to specify a source port

Answer 44

--sport | also specify -p protocol

Question 45

iptables rule option to specify a destination port

Answer 45

--dport | also specify -- protocol

Question 46

How would you check if your linux system is currently configured to forward IP packets?

Answer 46

cat /proc/sys/net/ipv4/ip_forward or cat /proc/sys/net/ipv6/conf/all/forwarding

Question 47

How can you change your system to allow IP forwarding after a reboot?

Answer 47

IPv4: sysctl -w net.ipv4.ip_forward=1 IPv6: sysctl -w net.ipv6.conf.all.forwarding=1

Question 48

What is RIP

Answer 48

Router Information Protocol - it provides a way for network routers to advise what networks they support. As Linux discovers new routes they are added to the routed program. They can be viewed on the command line with the route command.

Question 49

What is the SSH Daemon config file called and where will you find it?

Answer 49

/etc/ssh/sshd_conf don't confuse with the client config file /etc/ssh/ssh_conf

Question 50

Command to check the expiry date of a pem file

Answer 50

openssl x509 -enddate -noout -in file.pem

Question 51

Openssh server config option to specify the encryption protocol level.

Answer 51

Protocol (Level 2 is most secure)

Question 52

Openssh server config option to allow user authentication with passwords

Answer 52

PasswordAuthentication

Question 53

Openssh server config option to allow user authentication with certificates

Answer 53

PubkeyAuthentication

Question 54

Openssh server config option to specify a list of users allowed to use SSH

Answer 54

AllowUsers

Question 55

Openssh server config option to specify a list of users not allowed to use SSH

Answer 55

DenyUsers

Question 56

Openssh server config option to allow the root login account to login using SSH

Answer 56

PermitRootLogin

Question 57

Openssh server config option to allow x client applications to use SSH

Answer 57

X11Forwarding

Question 58

Openssh server config option to allow SSH tunnelling

Answer 58

AllowTcpForwarding

Question 59

Openssh command to generate a public/private key pair

Answer 59

ssh-keygen e.g. ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -C '' -N '' then copy to authorised keys: cat id_rsa.pub >> ~/.ssh/authorised_keys

Question 60

command to install openvpn

Answer 60

Debian: apt-get install openvpn Redhat: yum install openvpn

Question 61

Openvpn config option to specify additional configuration files

Answer 61

config

Question 62

Openvpn config option to specify a virtual network device for the VPN tunnel

Answer 62

dev

Question 63

Openvpn config option to create the VPN tunnel without a local network address or port

Answer 63

nobind

Question 64

Openvpn config option to set the ip addresses of the local and remote points in the VPN tunnel

Answer 64

ifconfig

Question 65

Openvpn config option to specify a static encryption key

Answer 65

secret

Question 66

What are the two types of of encryption method used by openvpn?

Answer 66

static key encryption (both client & server use same key) public key encryption (both client & server createpublic/private key pair and share the public key)

Question 67

openvpn command to generate a secret key to be used with static key encryption

Answer 67

openvpn-genkey-secret secret.key

Question 68

here is an example openvpn config ``` dev tun ifconfig 192.168.10.10 10.0.10.1 keepalive 10 60 ping-timer-rem persist-tun persit-key secret secret.key ``` What is the local ip address of this machine? Is ths the server or client? is this static key encryption or public key?

Answer 68

ifconfig [local-IP] [remote-IP] therefore Local IP address is 192.169.10.10 Remote IP address is 10.0.10.1 It looks like a server config, as there is no mention of the remote VPN server. It has a secret definition - therefore, using static key encryption

Question 69

here is an example openvpn config ``` remote vpnserver.lpicstudy.net dev tun ifconfig 10.0.10.1 192.168.10.10 keepalive 10 60 ping-timer-rem persist-tun persit-key secret secret.key ``` What is the local ip address of this machine? Is the the server or client? is this static key encryption or public key?

Answer 69

ifconfig [local-IP] [remote-IP] therefore Local IP address is 10.0.10.1 Remote IP address is 192.169.10.10 It looks like a server config, as we specify a remote vpn server. It has a secret definition - therefore, using static key encryption

Question 70

How would you start openvpn on a linux server?

Answer 70

sudo openvpn serverconfigname.conf

Question 71

How would you start openvpn on a linux client

Answer 71

sudo openvpn clientconfigname.conf

Question 72

What are some of the resources you can use to keep up-to-date with current security issues?

Answer 72

www. us-cert.gov www. sans.org www. securityfocus.com (bugtraq mailing list)

Question 73

The kernel syslog may contain messages that would be useful for an attacker trying to exploit your server. How would you restrict the dmesg command to privileged users?

Answer 73

With the kernel.dmesg_restrict option for the running system: sudo sysctl -w kernel.dmesg_restrict=1 to make the change permanent: echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.conf