Server security Flashcards
Router config, ssh, openVPN and other security tasks
Where can you find a list of services and associated ports?
/etc/services
Telnet shouldn’t be used for remote access nowadays, however it is still useful. How?
As a troubleshooting tool: to check that a port is open, and to see what the server sends when a client connects to it (its banner). Is the server giving away more information than is necessary, such as software names and version numbers?
Which tool can check which ports are open, listening or have active connections?
netstat
netstat -ltn   # listening TCP ports, numeric (no name lookups)
netstat -lun   # listening UDP ports
The ss tool (ss -ltn, ss -lun) does the same job and replaces netstat on modern systems, but it is not covered in this exam.
What is netcat (or nc)?
A network tool that can listen on and connect to ports over the network. It can also do a rudimentary port scan (-z scans without sending data, -v reports each port), e.g.
nc -vz localhost 100-200
How would you scan localhost for open TCP ports in the range 50 to 150 with nmap
nmap -sT -p 50-150 localhost
How would you scan localhost for open UDP ports in the range 50 to 150 with nmap
nmap -sU -p 50-150 localhost
How can you use nmap to try to identify the operating system on a machine on your network?
Use nmap's OS fingerprinting: -O for OS detection only, or the -A switch (OS detection plus version detection, default scripts and traceroute). OS detection needs root because it sends raw packets, e.g.
sudo nmap -O localhost
sudo nmap -A localhost
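Added example (not part of the original cards): a shell function that turns netstat -ltn / -lun output into a list of listening ports, flags which sockets are bound to loopback only and which are reachable from the network, and looks each port up in /etc/services (the file from the first card). The netstat output embedded below is constructed sample data, not from a real host.

```shell
#!/bin/sh
# Added example: summarise listening sockets from `netstat -ltn` / `netstat -lun`.
# Output lines are "proto port scope", where scope is "local" for sockets bound
# to loopback only and "exposed" for anything reachable from the network.

listening_ports() {
  awk '
    # netstat rows start with the protocol; headers and "Active ..." lines do not
    $1 ~ /^(tcp6?|udp6?)$/ {
      addr = $4
      port = addr; sub(/.*:/, "", port)      # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)  # text before the last colon
      scope = (host == "::1" || host ~ /^127\./) ? "local" : "exposed"
      proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
      print proto, port, scope
    }' | sort -u
}

# Best-effort name lookup in /etc/services (entries look like "ssh 22/tcp");
# prints "unknown" if the file or the entry is missing.
service_name() {
  awk -v want="$2/$1" '$2 == want { print $1; exit }' /etc/services 2>/dev/null | grep . || echo unknown
}

# Constructed sample of `netstat -ltn` and `netstat -lun` output (not real host data).
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 :::123                  :::*
EOF
)

# Stand-alone demo. On a live host replace the sample with:
#   { netstat -ltn; netstat -lun; } | listening_ports
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | while read -r proto port scope; do
  printf '%-4s %-6s %-8s %s\n' "$proto" "$port" "$scope" "$(service_name "$proto" "$port")"
done
```

The "exposed" lines are the ones worth comparing against the nmap scans on the cards above: anything listed as exposed but not intended to be public should be bound to 127.0.0.1 or firewalled.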
What is OpenVAS (www.openvas.org)?
An open-source vulnerability scanner that can detect vulnerabilities on your Linux systems. It downloads Network Vulnerability Tests (NVTs, the feed of individual checks) regularly, so its testing stays up to date.
How would you install OpenVAS on Debian?
sudo apt-get install openvas-server
How would you install OpenVAS on Red Hat?
yum install openvas
Which port does the OpenVAS web interface (Greenbone Security Assistant) listen on?
Port 9392
What is fail2ban?
An intrusion prevention tool that watches log files (sshd, web servers and so on) and bans source IP addresses that repeatedly fail authentication, normally by inserting firewall rules (iptables) for a configurable ban time.
What is the fail2ban config file?
The defaults are in /etc/fail2ban/jail.conf; put local overrides in /etc/fail2ban/jail.local rather than editing jail.conf, which package upgrades replace.
What is Snort?
Snort is a network intrusion detection system (NIDS). It is placed on the network where it can see all traffic (a mirror/SPAN port or a tap) and monitors that traffic for intrusion attempts.
Snort has 3 modes, what are they?
- Sniffer (prints every packet to the console, like tcpdump)
- Packet logger (logs all packets to disk)
- NIDS - intrusion detection - matches traffic against rules and reports intrusion attempts
Where is the Snort config file and what is it called?
/etc/snort/snort.conf
What is the HOME_NET Snort variable used to define?
HOME_NET defines the local network ranges Snort should protect (the addresses rules refer to as $HOME_NET)
What is the EXTERNAL_NET Snort variable used to define?
EXTERNAL_NET defines the address ranges treated as outside, usually everything that is not HOME_NET, i.e. !$HOME_NET
What is the Snort rule format?
action protocol src_address src_port direction dst_address dst_port (options)
e.g. (msg: and a unique sid: are needed; sid values from 1000000 upwards are reserved for local rules)
alert icmp any any -> 192.168.10.0/24 any (msg:"Ping traffic detected"; sid:1000001; rev:1;)
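Added example, not from the original cards: a shell function that builds a Snort rule from its header fields and rejects the mistakes that most often stop a rules file loading (an unknown action, a "<-" direction, a missing or reserved sid). The output file path and the two sample rules are assumptions for the demo.

```shell
#!/bin/sh
# Added example: build and sanity-check Snort rules from their header fields.
# Header order is: action protocol src_addr src_port direction dst_addr dst_port
# followed by the options in parentheses. Every rule needs a unique sid; local
# rules use sid values of 1000000 and above so they never collide with the
# distributed rule packages.

make_snort_rule() {
  action=$1 proto=$2 src=$3 sport=$4 dir=$5 dst=$6 dport=$7 msg=$8 sid=$9
  case $action in
    alert|log|pass|activate|dynamic|drop|reject|sdrop) ;;
    *) echo "bad action: $action" >&2; return 1 ;;
  esac
  case $proto in
    tcp|udp|icmp|ip) ;;
    *) echo "bad protocol: $proto" >&2; return 1 ;;
  esac
  case $dir in
    '->'|'<>') ;;                     # one-way or bidirectional; there is no "<-"
    *) echo "bad direction: $dir" >&2; return 1 ;;
  esac
  case $sid in
    ''|*[!0-9]*) echo "sid must be a positive integer" >&2; return 1 ;;
  esac
  if [ "$sid" -lt 1000000 ]; then
    echo "sid $sid is in the range reserved for distributed rules" >&2
    return 1
  fi
  printf '%s %s %s %s %s %s %s (msg:"%s"; sid:%s; rev:1;)\n' \
    "$action" "$proto" "$src" "$sport" "$dir" "$dst" "$dport" "$msg" "$sid"
}

# write_local_rules FILE: a local.rules file equivalent to the card's example,
# using the HOME_NET / EXTERNAL_NET variables from snort.conf instead of
# literal addresses. (Assumed path; snort.conf needs an "include" line for it.)
write_local_rules() {
  out=${1:-local.rules}
  {
    make_snort_rule alert icmp '$EXTERNAL_NET' any '->' '$HOME_NET' any 'Ping traffic detected' 1000001
    make_snort_rule alert tcp  '$EXTERNAL_NET' any '->' '$HOME_NET' 23  'Telnet connection attempt' 1000002
  } > "$out"
}

# Stand-alone demo
write_local_rules /tmp/local.rules && cat /tmp/local.rules
```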
Snort rules can be quite complex - luckily there is a tool that downloads and manages packages of predefined Snort rules, called..
pulledpork (it fetches rule sets such as the Snort community/registered rules and Emerging Threats rules and keeps them up to date)
What is NAT?
Network address translation
How does NAT help security?
It hides internal IP addresses from external networks: hosts behind the NAT are not directly addressable from outside, so unsolicited inbound connections have nowhere to go unless a port is explicitly forwarded. NAT is not a firewall, though: it does nothing to restrict outbound connections or traffic you choose to forward in.
What are the 3 IP ranges used for private IP addressing (RFC 1918)?
- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
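Added example (not from the original cards): instead of memorising the three ranges, do the CIDR arithmetic. The in_cidr helper below works for any network/prefix, so the same code can test whether an address falls inside a HOME_NET or NAT'd subnet; the addresses in the demo loop are constructed.

```shell
#!/bin/sh
# Added example: decide whether an IPv4 address is in one of the RFC 1918
# private ranges by doing the CIDR arithmetic, instead of eyeballing octets.

# ip4_to_int ADDR: print the dotted quad as a 32-bit integer; fail on bad input
ip4_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac   # empty, non-numeric or too many parts
    [ "$o" -le 255 ] || return 1
  done
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NETWORK/PREFIX: true if ADDR lies inside the block
in_cidr() {
  ip=$(ip4_to_int "$1") || return 1
  net=$(ip4_to_int "${2%/*}") || return 1
  len=${2#*/}
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  if [ "$len" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))   # 0xFFFFFFFF without hex literals
  fi
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_private_ipv4 ADDR: print the matching RFC 1918 block and succeed, else fail
is_private_ipv4() {
  for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    if in_cidr "$1" "$block"; then
      echo "$block"
      return 0
    fi
  done
  return 1
}

# Stand-alone demo over a few constructed addresses
for addr in 10.1.2.3 172.31.255.255 172.32.0.1 192.168.0.200 8.8.8.8 999.1.1.1; do
  if range=$(is_private_ipv4 "$addr"); then
    echo "$addr private ($range)"
  else
    echo "$addr public or invalid"
  fi
done
```

Note the 172.16.0.0/12 boundary: 172.31.255.255 is private but 172.32.0.1 is not, which the mask arithmetic gets right without a table of ranges.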
IPv6 defines link-local addresses as standard. How do these addresses start?
fe80: (the link-local prefix is fe80::/10; these addresses are only valid on the local link and are never routed)
The Linux kernel uses an internal construct called [answer] to process network packets
chains (ordered lists of rules, grouped into tables)
What are the 5 built-in chains used to process packets in iptables?
- PREROUTING: packets as they arrive, before the routing decision
- INPUT: packets destined for the local system
- FORWARD: packets being routed through this host to another
- POSTROUTING: packets about to leave, after the routing decision (both forwarded and locally generated packets)
- OUTPUT: packets generated by the local system
What are the 3 main tables in iptables?
- filter - allow or block packets (the default table when -t is omitted)
- mangle - alter packet headers (TOS, TTL, marks)
- nat - rewrite addresses and ports (SNAT, DNAT, MASQUERADE)
(there are also raw and security tables, not covered here)
iptables command-line option to add a new rule
-A
iptables command-line option to delete a rule
-D
iptables command-line option to flush (delete all rules in) a specified chain or all chains
-F (a user-defined chain itself is deleted with -X, once it has been flushed)
iptables command-line option to list a specifed chain or all chains
-L (add -n to skip DNS lookups and -v to see packet counters and interfaces)
iptables command-line option to set the default policy for a chain
-P
iptables command-line option to specify the table a rule applies to
-t
What are the possible options for a chain's default policy?
Only ACCEPT (packets accepted) and DROP (packets silently dropped) can be set as a built-in chain's policy with -P.
LOG and REJECT are rule targets used with -j, not policies:
LOG (packet is logged and processing continues with the next rule - LOG is non-terminating, so it is usually placed just before a DROP rule or the policy)
REJECT (packet is not passed, and the sender is notified with an ICMP error or TCP reset)
What is this iptables command doing?
sudo iptables -t filter -P OUTPUT DROP
It sets the default policy to DROP on the filter table in the OUTPUT chain. (That is, if no other rules are matched, the packet is dropped)
What is this iptables command doing?
sudo iptables -A INPUT -s 10.0.1.25 -j REJECT
This appends a rule to the INPUT chain (filter table by default) to REJECT packets whose source address is 10.0.1.25. Rule order matters: the first matching rule wins, so a block like this must come before any rule that would accept the traffic.
How do you save your changes to iptables? (rules live in kernel memory and are lost at reboot)
iptables-save > iptables.txt (distributions load a saved file at boot from e.g. /etc/iptables/rules.v4 on Debian or /etc/sysconfig/iptables on Red Hat)
How would you restore your iptables rules save in iptables.txt?
iptables-restore < iptables.txt
iptables rule option to specify a destination address
-d
iptables rule option to go to a user-defined chain without returning (--goto)
-g (whereas -j CHAIN jumps and comes back to the calling chain if nothing in the target chain matches)
iptables rule option to take an action (ACCEPT, DROP etc.) or jump to a user-defined chain
-j
iptables rule option to match a protocol
-p
iptables rule option to match a source address
-s
iptables rule option to specify a source port
--sport
also specify -p tcp or -p udp, since ports only exist for those protocols
iptables rule option to specify a destination port
--dport
also specify -p, e.g. -p tcp --dport 22
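Added example, not from the original cards: the single-rule commands above assembled into a complete rule set in iptables-restore format, the format iptables-save writes. It shows the two points the policy card makes in practice: policies are only ACCEPT or DROP, and logging is done by a LOG rule that falls through to the DROP policy. The SSH port and blocked source address are arguments; loading is a dry run unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example: generate a complete rule set in iptables-restore format from the
# single-rule commands on these cards, load it atomically, and verify it.
# Policies are the last resort for unmatched packets and may only be ACCEPT or
# DROP; LOG and REJECT are rule targets (-j), so the logging happens in a rule.

# gen_ruleset SSH_PORT BLOCKED_SRC: print the rule set to stdout
gen_ruleset() {
  ssh_port=${1:-22}
  blocked_src=${2:-10.0.1.25}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s ${blocked_src} -j REJECT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: " --log-level 4
COMMIT
EOF
}
# The REJECT for the blocked source sits before the ESTABLISHED rule on purpose,
# so even an already-open connection from that address is cut off.
# Nothing follows the LOG rule: unmatched packets hit the INPUT policy, DROP.

# load_ruleset FILE BLOCKED_SRC: replace the running rules with FILE in one
# transaction and prove the reject rule is present with -C, which exits 0 only
# if an identical rule exists. Dry run unless APPLY=1, so this stays runnable.
load_ruleset() {
  file=$1; blocked_src=${2:-10.0.1.25}
  if [ "${APPLY:-0}" != 1 ]; then
    echo "dry run: would load $file (set APPLY=1 and run as root to apply)" >&2
    return 0
  fi
  iptables-restore < "$file" &&
  iptables -C INPUT -s "$blocked_src" -j REJECT &&
  echo "loaded $file; reject rule for $blocked_src is active"
}

# Stand-alone demo
gen_ruleset 22 10.0.1.25 > /tmp/rules.v4
cat /tmp/rules.v4
load_ruleset /tmp/rules.v4 10.0.1.25
```

After applying, iptables-save should print the same rules back (with /32 added to the source), and that output is what goes into /etc/iptables/rules.v4 or /etc/sysconfig/iptables to survive a reboot.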
How would you check if your Linux system is currently configured to forward IP packets?
cat /proc/sys/net/ipv4/ip_forward   (1 = forwarding on, 0 = off)
or
cat /proc/sys/net/ipv6/conf/all/forwarding
(sysctl net.ipv4.ip_forward shows the same value)
How can you change your system to allow IP forwarding, both now and after a reboot?
For the running system only:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
To survive a reboot, put the same settings in /etc/sysctl.conf or a file in /etc/sysctl.d/ (net.ipv4.ip_forward = 1) and load them with sysctl -p or sysctl --system. A forwarding host is a router: pair this with FORWARD chain rules rather than leaving the FORWARD policy at ACCEPT.
What is RIP?
Routing Information Protocol - it lets routers advertise the networks they can reach to their neighbours.
On Linux the routed daemon speaks RIP and installs the routes it learns into the kernel routing table, which can be viewed with route -n (or ip route).
What is the SSH daemon config file called and where will you find it?
/etc/ssh/sshd_config
don't confuse it with the client config file
/etc/ssh/ssh_config
Command to check the expiry date of a pem file
openssl x509 -enddate -noout -in file.pem
OpenSSH server config option to specify the SSH protocol version
Protocol (2 is the secure version; protocol 1 is broken and was removed from the OpenSSH server in 7.4, so the option is obsolete on current releases)
OpenSSH server config option to allow user authentication with passwords
PasswordAuthentication
OpenSSH server config option to allow user authentication with public keys (including certificates)
PubkeyAuthentication
OpenSSH server config option to specify a list of users allowed to use SSH
AllowUsers
OpenSSH server config option to specify a list of users not allowed to use SSH
DenyUsers
OpenSSH server config option to allow the root account to log in using SSH
PermitRootLogin
OpenSSH server config option to allow X11 client applications to be tunnelled over SSH
X11Forwarding
OpenSSH server config option to allow TCP port forwarding (SSH tunnelling)
AllowTcpForwarding
OpenSSH command to generate a public/private key pair
ssh-keygen
e.g.
ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -C '' -N ''
(-N '' gives the key an empty passphrase, which is only acceptable for automation; interactive users should set one)
then append the public key to the server's authorized_keys file:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
or, from the client, ssh-copy-id user@server
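Added example covering the sshd_config cards above (not part of the original page): a script that audits the global section of an sshd_config against a baseline. Two things trip people up here: sshd uses the first value it sees for a keyword, so a later duplicate is silently ignored, and absent keywords take the compiled-in default. The sample config is constructed for the demo; on a real host, sshd -T prints the effective configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config against a baseline.

# sshd_effective_value FILE KEYWORD: print the first value set in the global
# section, or nothing if the keyword is not set there. Stops at the first Match
# block, since values below it are conditional (use sshd -T for those).
sshd_effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { gsub(/=/, " "); $0 = $0 }             # allow the Keyword=value form
    /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }   # first occurrence wins, as in sshd
  ' "$1"
}

# audit_sshd_config FILE: one line per setting, "keyword value (source) PASS|FAIL";
# exit status is the number of failing settings.
audit_sshd_config() {
  file=$1; fails=0
  # keyword:default-when-absent:wanted  (defaults as in current OpenSSH)
  for spec in PermitRootLogin:prohibit-password:no \
              PasswordAuthentication:yes:no \
              PubkeyAuthentication:yes:yes \
              X11Forwarding:no:no \
              AllowTcpForwarding:yes:no; do
    key=${spec%%:*}; rest=${spec#*:}; def=${rest%%:*}; want=${rest#*:}
    val=$(sshd_effective_value "$file" "$key"); src=set
    [ -n "$val" ] || { val=$def; src=default; }
    val=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
    if [ "$val" = "$want" ]; then status=PASS; else status=FAIL; fails=$((fails + 1)); fi
    printf '%-22s %-18s (%s) %s\n' "$key" "$val" "$src" "$status"
  done
  return "$fails"
}

# Constructed sshd_config for the demo (not a real host's file). Note the
# duplicated PasswordAuthentication: the first line, "yes", is the one sshd uses.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
AllowUsers admin deploy
AllowTcpForwarding no
Match User deploy
    PasswordAuthentication yes
EOF
)

# Stand-alone demo; on a live host run: audit_sshd_config /etc/ssh/sshd_config
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
audit_sshd_config "$tmp" || echo "$? setting(s) need attention"
rm -f "$tmp"
```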
command to install openvpn
Debian:
apt-get install openvpn
Redhat:
yum install openvpn
Openvpn config option to specify additional configuration files
config
Openvpn config option to specify a virtual network device for the VPN tunnel
dev
Openvpn config option to create the VPN tunnel without a local network address or port
nobind
Openvpn config option to set the ip addresses of the local and remote points in the VPN tunnel
ifconfig
Openvpn config option to specify a static encryption key
secret
What are the two types of encryption method used by OpenVPN?
static key encryption (both client and server use the same pre-shared key, which must be copied between them over a secure channel)
public key (TLS) encryption (each side has its own private key and certificate; the certificates are exchanged and verified against a common CA)
openvpn command to generate a secret key to be used with static key encryption
openvpn --genkey --secret secret.key
here is an example openvpn config
dev tun
ifconfig 192.168.10.10 10.0.10.1
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret secret.key
What is the local IP address of this machine?
Is this the server or client?
Is this static key encryption or public key?
ifconfig [local-IP] [remote-IP] therefore
Local IP address is 192.168.10.10
Remote IP address is 10.0.10.1
It looks like the server (listening) side, as there is no remote directive naming a peer to connect to.
It has a secret definition - therefore, using static key encryption
here is an example openvpn config
remote vpnserver.lpicstudy.net
dev tun
ifconfig 10.0.10.1 192.168.10.10
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret secret.key
What is the local IP address of this machine?
Is this the server or client?
Is this static key encryption or public key?
ifconfig [local-IP] [remote-IP] therefore
Local IP address is 10.0.10.1
Remote IP address is 192.168.10.10
It is the client config, as it names the VPN server with the remote directive. Note that its local/remote addresses are the server's remote/local addresses swapped, which is what the tunnel needs.
It has a secret definition - therefore, using static key encryption
How would you start openvpn on a Linux server?
sudo openvpn --config serverconfigname.conf   (a bare filename is also accepted as the config)
How would you start openvpn on a Linux client?
sudo openvpn --config clientconfigname.conf
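Added example for the two config cards above (not part of the original page): a shell function that reads an OpenVPN config and reports the local and remote tunnel addresses, whether it is the listening side or a connecting client, and the key mode, plus a check that a server/client pair agree on their addresses. Both configs are constructed from the cards, not taken from a real deployment.

```shell
#!/bin/sh
# Added example: summarise an OpenVPN config the way the cards reason about it.

# openvpn_summary < CONFIG: prints "local=.. remote=.. role=.. mode=.."
openvpn_summary() {
  awk '
    /^[ \t]*[#;]/ || NF == 0 { next }          # comments and blank lines
    $1 == "ifconfig" { loc = $2; rem = $3 }    # ifconfig LOCAL REMOTE
    $1 == "remote"   { peer = $2 }             # only the client names a peer
    $1 == "secret"   { mode = "static-key" }
    $1 == "ca" || $1 == "cert" || $1 == "key" { if (mode == "") mode = "tls" }
    END {
      printf "local=%s remote=%s role=%s mode=%s\n",
        loc, rem, (peer == "" ? "server" : "client"), (mode == "" ? "unknown" : mode)
    }'
}

# Constructed configs (the pair from the cards)
SERVER_CONF=$(cat <<'EOF'
dev tun
ifconfig 192.168.10.10 10.0.10.1
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret secret.key
EOF
)

CLIENT_CONF=$(cat <<'EOF'
remote vpnserver.lpicstudy.net
dev tun
ifconfig 10.0.10.1 192.168.10.10
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret secret.key
EOF
)

# openvpn_check_pair SERVER_CONF CLIENT_CONF: a static-key tunnel only comes up
# if each side's local address is the other side's remote address.
openvpn_check_pair() {
  s=$(printf '%s\n' "$1" | openvpn_summary)
  c=$(printf '%s\n' "$2" | openvpn_summary)
  s_local=${s#local=};    s_local=${s_local%% *}
  s_remote=${s#*remote=}; s_remote=${s_remote%% *}
  c_local=${c#local=};    c_local=${c_local%% *}
  c_remote=${c#*remote=}; c_remote=${c_remote%% *}
  [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ]
}

# Stand-alone demo
printf '%s\n' "$SERVER_CONF" | openvpn_summary
printf '%s\n' "$CLIENT_CONF" | openvpn_summary
openvpn_check_pair "$SERVER_CONF" "$CLIENT_CONF" && echo "tunnel addresses are consistent"
```

With static keys the file named by secret is the whole security of the tunnel: it must be generated once, copied to the peer over an already-secure channel (scp over SSH, for instance) and kept readable by root only.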
What are some of the resources you can use to keep up-to-date with current security issues?
www.us-cert.gov
www.sans.org
www.securityfocus.com (bugtraq mailing list)
The kernel log may contain messages that would be useful to an attacker trying to exploit your server (addresses, driver and module details). How would you restrict the dmesg command to privileged users?
With the kernel.dmesg_restrict sysctl (1 = only processes with CAP_SYSLOG may read the kernel ring buffer)
for the running system:
sudo sysctl -w kernel.dmesg_restrict=1
to make the change permanent:
echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.conf
(or put it in its own file under /etc/sysctl.d/ and run sudo sysctl --system)
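Added example (not from the original cards) for the sysctl settings on this page: the IP forwarding card and the dmesg_restrict card both boil down to "is the running value what I want, and will it survive a reboot?". The script below checks a list of key=value settings against the /proc/sys tree and prints the sysctl.d fragment that persists them. The baselines and the /etc/sysctl.d file name are assumptions; the ROOT argument exists so the check can be run against a test directory instead of the live kernel.

```shell
#!/bin/sh
# Added example: check running kernel settings against a baseline and emit the
# sysctl.d fragment that makes them survive a reboot.

# sysctl_check ROOT KEY=WANT...: print one line per key; exit status is the
# number of keys that do not match (a missing key counts as a mismatch).
sysctl_check() {
  root=$1; shift
  bad=0
  for spec in "$@"; do
    key=${spec%%=*}; want=${spec#*=}
    path=$root/$(printf '%s' "$key" | tr . /)   # net.ipv4.ip_forward -> net/ipv4/ip_forward
    if [ -r "$path" ]; then cur=$(cat "$path"); else cur=missing; fi
    if [ "$cur" = "$want" ]; then state=OK; else state=MISMATCH; bad=$((bad + 1)); fi
    printf '%-32s current=%-8s wanted=%-4s %s\n' "$key" "$cur" "$want" "$state"
  done
  return "$bad"
}

# sysctl_fragment KEY=WANT...: print the contents of a /etc/sysctl.d file.
# Apply it with `sysctl --system` (or `sysctl -p FILE`); sysctl -w on its own
# is lost at reboot.
sysctl_fragment() {
  echo "# hardening baseline (added example)"
  for spec in "$@"; do
    printf '%s = %s\n' "${spec%%=*}" "${spec#*=}"
  done
}

# Assumed baselines: forwarding off on an ordinary host, on for a router;
# dmesg restricted in both cases.
HOST_BASELINE="net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0 kernel.dmesg_restrict=1"
ROUTER_BASELINE="net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 kernel.dmesg_restrict=1"

# Stand-alone demo against the live kernel (assumes this machine is not a router)
sysctl_check /proc/sys $HOST_BASELINE || echo "$? setting(s) differ from the baseline"
sysctl_fragment $HOST_BASELINE
# To persist (assumed file name):
#   sysctl_fragment $HOST_BASELINE | sudo tee /etc/sysctl.d/90-hardening.conf && sudo sysctl --system
```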