Posts Tagged ‘Sysadmin’

Configuring vsftpd in Ubuntu : Example #1

August 2, 2010

vsftpd is one of the Linux packages for building an FTP server. In this article I give a simple example of configuring vsftpd on Ubuntu. The FTP server built here authenticates against the real user accounts of the Linux system, and its traffic is not encrypted.

Please follow the steps below.

  1. Network layout.
       [eth1]                            [eth0]
         ||                                ||
     [Internet]--------[vsftpd]--------[Intranet]
                          ||
                    [tcp_wrappers]
  2. Installing vsftpd for the first time.

    ~# apt-get install vsftpd

  3. Make sure the configuration file "/etc/vsftpd.conf" contains at least the following lines.

    listen=YES
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_file=/var/log/vsftpd.log
    xferlog_std_format=YES
    idle_session_timeout=600
    data_connection_timeout=120
    ftpd_banner=BLAH-FTP
    chroot_local_user=YES
    secure_chroot_dir=/var/run/vsftpd
    pam_service_name=vsftpd
    local_root=/home
    hide_ids=YES
    syslog_enable=YES
    max_clients=20
    max_per_ip=5
    pasv_min_port=5000
    pasv_max_port=5999
    tcp_wrappers=YES
    # Optional
    # deny_file={*.iso,*.lnk,*.3gp,*.3gpp}
    # cmds_allowed=PASV,RETR,QUIT

  4. Add the following rules to IPTables.

    ~# iptables -A INPUT -j ACCEPT -p tcp --dport 20:21 -m state --state NEW,RELATED,ESTABLISHED
    ~# iptables -A OUTPUT -j ACCEPT -p tcp

  5. Prevent FTP users from logging in to a Linux shell.

    ~# echo "/usr/sbin/nologin" >> /etc/shells

    Adding a user, or changing the shell of an existing user, can be done as follows.

    ~# useradd -g ftp -s /usr/sbin/nologin -m johnson
    ~# / -OR- /
    ~# chsh -s /usr/sbin/nologin johndoe

  6. Prevent certain users from using the FTP server.

    ~# echo "sysadmin" >> /etc/ftpusers

  7. Here are simple steps to secure your FTP server using "tcp_wrappers".

    7.1. Make sure the file "/etc/hosts.deny" contains only the following.

    ALL: ALL

    7.2. Create the file "/etc/hosts.sandbox" to hold the IP or network addresses that will be blocked.

    ~# echo "224." >> /etc/hosts.sandbox
    ~# echo "240." >> /etc/hosts.sandbox
    ~# echo "248." >> /etc/hosts.sandbox

    7.3. Add the following line to the file "/etc/hosts.allow".

    vsftpd: ALL EXCEPT /etc/hosts.sandbox

  8. To test whether "tcp_wrappers" is working, you can add the IP address of a workstation to the file "/etc/hosts.sandbox".

    If you use the shell command "tcpdchk -v" to check the "tcp_wrappers" configuration, the error message "no such process name in /etc/inetd.conf" appears.

    In that case, add the following line to the file "/etc/inetd.conf".

    ~# echo "ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd" >> /etc/inetd.conf

    This is not mandatory: without that line, "tcp_wrappers" still keeps working fine.

    Information about the file "/etc/inetd.conf", which Ubuntu has removed, can be read here.

  9. Finish.

Again, this is a simple example, and you can customize to your own tastes.

Essential SSH configuration

December 14, 2009

I have tried to summarize everything that is considered essential in configuring the SSH service. This is nothing new, especially for security experts, but for those who do not know it yet, or are beginners, this article may help. On most Linux distributions the SSH configuration file is by default "/etc/ssh/sshd_config". The following is a sample configuration with the essentials for securing your SSH service.

~# cat /etc/ssh/sshd_config

# The port SSH listens on. Change it to your taste if you want to make the service harder to find.
Port 22

# Since SSH protocol version 1 is not as secure you may want to limit the protocol to version 2 only.
Protocol 2

# Bind only to the addresses of the network cards that will actually be used. This may seem trivial, but it does no harm and lets us tighten the firewall rules later.
# Local interface:
ListenAddress 192.168.0.1
# Internet interface:
ListenAddress 203.154.30.212

# It’s prudent to disable direct root logins at the SSH level as well.
PermitRootLogin no

# You may also want to prevent SSH from setting up TCP port and X11 forwarding if you don’t need it.
AllowTcpForwarding no
X11Forwarding no

# Ensure to have privilege separation enabled where the daemon is split into two parts. With privilege separation a small part of the code runs as root and the rest of the code runs in a chroot jail environment.
UsePrivilegeSeparation yes

# Ensure the StrictModes directive is enabled which checks file permissions and ownerships of some important files in the user’s home directory like ~/.ssh, ~/.ssh/authorized_keys etc. If any checks fail, the user won’t be able to login.
StrictModes yes

# Ensure that all host-based authentications are disabled. These methods should be avoided as primary authentication.
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no

# Disable sftp if it’s not needed.
# Subsystem sftp /usr/lib/misc/sftp-server

# Additional rules, if necessary.
RSAAuthentication no
# Needed if you use public/private key authentication on the SSH system.
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
LoginGraceTime 300
ClientAliveInterval 60
ClientAliveCountMax 5
MaxStartups 5

# End of file.
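To verify that an installed vsftpd.conf (from the previous post) or an sshd_config (above) really carries these directives, here is an audit helper added as an example; it is not code from either post. The cfg_value and audit_conf functions, the sample files and the expectation lists are all constructed, and it relies only on POSIX sh and awk.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not from the posts): check a
# vsftpd.conf or an sshd_config against the directives the posts require.
# vsftpd reads "key=value" and the last setting wins; sshd reads "Key value"
# and the first setting wins, so a duplicated directive resolves differently.

# cfg_value FILE KEY eq|space : print the effective value of KEY, if set.
cfg_value() {
    awk -v key="$2" -v syntax="$3" '
        /^[ \t]*(#|$)/ { next }
        {
            if (syntax == "eq") { n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1) }
            else { k = $1; v = $2 }
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) != tolower(key)) next
            if (syntax == "eq" || !found) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# audit_conf FILE eq|space "key=want key=want ..." : print a FINDING line per
# missing or deviating directive; the return status is the number of findings.
audit_conf() {
    findings=0
    for item in $3; do
        key=${item%%=*}; want=${item#*=}
        got=$(cfg_value "$1" "$key" "$2")
        if [ "$got" != "$want" ]; then
            printf 'FINDING %s: %s is "%s", expected "%s"\n' "$1" "$key" "${got:-missing}" "$want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample files, each deviating from the posts' settings on purpose.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '# constructed vsftpd.conf' 'listen=YES' 'anonymous_enable=YES' \
    'local_enable=YES' 'write_enable=YES' 'chroot_local_user=YES' 'tcp_wrappers=YES' \
    > "$SAMPLE_DIR/vsftpd.conf"
printf '%s\n' '# constructed sshd_config' 'Port 22' 'Protocol 2' 'PermitRootLogin yes' \
    'PermitRootLogin no' 'PasswordAuthentication no' 'X11Forwarding no' \
    > "$SAMPLE_DIR/sshd_config"
VSFTPD_WANT='anonymous_enable=NO local_enable=YES write_enable=YES chroot_local_user=YES tcp_wrappers=YES hide_ids=YES'
SSHD_WANT='Protocol=2 PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no X11Forwarding=no AllowTcpForwarding=no'

# Expected: 2 findings for vsftpd.conf, 3 for sshd_config (first PermitRootLogin wins).
audit_conf "$SAMPLE_DIR/vsftpd.conf" eq "$VSFTPD_WANT" || echo "vsftpd.conf: $? finding(s)"
audit_conf "$SAMPLE_DIR/sshd_config" space "$SSHD_WANT" || echo "sshd_config: $? finding(s)"
```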

Defense against ARP spoofing in Linux

December 1, 2009

ARP spoofing, also known as ARP poisoning, is one of the mechanisms commonly used in denial-of-service attacks. We can only prevent or minimize these attacks. In this article I summarize some points that are practical and easy to apply on Linux-based servers, regardless of whether the kernel and the installed applications have received security updates.

I describe these points below:

1. Essential settings in the file "/etc/host.conf", as shown below.

order hosts,bind
multi on
nospoof on
spoofalert on

2. Below are some tweaks that can be made in "/etc/sysctl.conf" or directly under "/proc/sys/net/ipv4/..." to avoid various kinds of attacks. They are simple yet effective.

» Turn on Source Address Verification in all interfaces to prevent some spoofing attacks.

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

» Enable TCP SYN cookies. Note that while SYN cookies are in use, TCP window scaling is disabled (see http://lkml.org/lkml/2008/2/5/167).

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

» Do not accept ICMP redirects (prevent MITM attacks)

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

» Ignore ICMP broadcasts; this stops the gateway from responding to broadcast pings.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

» Ignore bogus ICMP errors.

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

» Do not send ICMP redirects.

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

» Do not accept IP source route packets.

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

» Log martian packets (packets with impossible addresses).

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

3. Use the DHCP service on the server to restrict IP assignment based on each client's MAC address.

4. Define the MAC address of each client together with its IP address with the following command.

arp -s 192.168.0.24 00:9a:7c:3d:15:8f

or define them in the file "/etc/ethers" like this.

192.168.0.24 00:9a:7c:3d:15:8f
192.168.0.25 00:e9:18:7c:15:78
192.168.0.26 00:18:15:3d:78:8c

... and so on, then load them with the command "arp -f".

If your server has two network cards and one of them serves as a DMZ interface connected to the Internet, add its entries manually like this.

» assuming "eth1" is the DMZ interface.

arp -i eth1 -s 210.20.152.30 00:03:19:db:8a:58

Ensure that the IP and MAC address defined for each client's network card persist every time the server reboots.

5. Make sure your IPTables packet-filtering rules block the following network addresses.

Private Networks (RFC 1918) --
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

IANA Reserved --
0.0.0.0/8 - Historical Broadcast
127.0.0.0/8 - Loopback
169.254.0.0/16 - Link Local Networks
192.0.2.0/24 - TEST-NET
240.0.0.0/5 - Class E Reserved
248.0.0.0/5 - Unallocated
255.255.255.255/32 - Broadcast

Example:

iptables -A INPUT -j DROP -s 0.0.0.0/8
iptables -A INPUT -j DROP -d 0.0.0.0/8
iptables -A FORWARD -j DROP -s 0.0.0.0/8
iptables -A FORWARD -j DROP -d 0.0.0.0/8
iptables -A OUTPUT -j DROP -d 0.0.0.0/8

6. Done.

This article deals only with the fundamentals; please improvise to complete it.
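For step 4 above, here is an added example (not from the post) that validates a static IP-to-MAC table before it is loaded with "arp -f"; the check_ethers function and the sample table are constructed, reusing the addresses shown above, and it accepts both the post's "IP MAC" column order and the "MAC IP" order of ethers(5).

```shell
#!/bin/sh
# Added example (not from the post): validate a static IP-to-MAC table in
# /etc/ethers format before loading it with "arp -f". A table that binds one
# IP to two MACs, or one MAC to two IPs, would itself act like a poisoned ARP
# cache, so conflicts and malformed lines are rejected. Both column orders are
# accepted: "IP MAC" as written in the post and "MAC IP" as in ethers(5).

# check_ethers FILE IFACE : print one "arp -i IFACE -s IP MAC" line per valid
# entry; return 1 if any line is malformed or conflicts with an earlier one.
check_ethers() {
    awk -v iface="$2" '
        function is_ip(s,  o, i) {
            if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
            split(s, o, "."); for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
            return 1
        }
        function is_mac(s,  h, i) {
            if (split(s, h, ":") != 6) return 0
            for (i = 1; i <= 6; i++) if (h[i] !~ /^[0-9a-f][0-9a-f]$/) return 0
            return 1
        }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            ip = $1; mac = tolower($2)
            if (is_mac(tolower($1)) && is_ip($2)) { ip = $2; mac = tolower($1) }
            if (NF != 2 || !is_ip(ip) || !is_mac(mac)) {
                printf "line %d: malformed entry: %s\n", NR, $0; bad = 1; next
            }
            if ((ip in by_ip) && by_ip[ip] != mac) {
                printf "line %d: %s already bound to %s, now %s\n", NR, ip, by_ip[ip], mac; bad = 1; next
            }
            if ((mac in by_mac) && by_mac[mac] != ip) {
                printf "line %d: %s already has %s, now %s\n", NR, mac, by_mac[mac], ip; bad = 1; next
            }
            if (ip in by_ip) next                     # exact duplicate, already emitted
            by_ip[ip] = mac; by_mac[mac] = ip
            printf "arp -i %s -s %s %s\n", iface, ip, mac
        }
        END { exit bad }' "$1"
}

# Constructed sample: three valid entries, then a second MAC for 192.168.0.24.
ETHERS_SAMPLE=$(mktemp)
printf '%s\n' '# constructed table' '192.168.0.24 00:9a:7c:3d:15:8f' \
    '192.168.0.25 00:e9:18:7c:15:78' '00:18:15:3d:78:8c 192.168.0.26' \
    '192.168.0.24 00:de:ad:be:ef:01' > "$ETHERS_SAMPLE"

check_ethers "$ETHERS_SAMPLE" eth1 || echo "table rejected; fix it before running arp -f"
```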

SSH brute-force combat script

November 28, 2009

#!/bin/sh
# rc.turkey
# http://twitter.com/kokikode

# File "/etc/hosts.rogues" will be applied to "/etc/hosts.allow" as an exception, like this sample.
# ALL: 127.0.0.1/32
# ALL: 192.168.0.0/24
# sshd: ALL EXCEPT /etc/hosts.rogues

# Then don't forget to configure the file "/etc/hosts.deny" like this.
# ALL: ALL

# Note that only the sshd line in "/etc/hosts.allow" honours the ALL exceptions above;
# the iptables rules and the blackhole route below block an address unconditionally.

# Record the offending address in "/etc/hosts.rogues" unless it is already listed.
hosts_rogues() {
   if ! grep -F -w -q "$rawline" /etc/hosts.rogues 2>/dev/null; then
      echo "$rawline/32" >> /etc/hosts.rogues
   fi
}

# Additional commands if needed.
# /sbin/iptables -A FORWARD -j DROP -s $rawline
# /sbin/iptables -A FORWARD -j DROP -d $rawline
# /sbin/iptables -A OUTPUT -j DROP -d $rawline

# Drop packets from and to the address unless a rule for it already exists.
resist_attack() {
   if ! /sbin/iptables -L -v -n | grep -F -w -q "$rawline"; then
      /sbin/iptables -A INPUT -j DROP -s "$rawline"
      /sbin/iptables -A INPUT -j DROP -d "$rawline"
   fi
}

# Add a blackhole route for the address unless one already exists.
route_to_blackhole() {
   if ! /bin/ip route list type blackhole | grep -F -w -q "$rawline"; then
      /bin/ip route add blackhole "$rawline"
   fi
}

# Apply all three blocks to the current address.
block_rawline() {
   hosts_rogues
   resist_attack
   route_to_blackhole
}

echo "$(date)" > /var/log/lastlog.turkey

# Please add the rules in IPTables-based firewall as one of the requirements to run this script, such as the following example.
# iptables -A INPUT -j ACCEPT -p tcp --dport 22 --syn -m state --state NEW -m limit --limit 1/m --limit-burst 1
# iptables -A INPUT -j LOG -p tcp --dport 22 --syn -m state --state NEW --log-level debug
# iptables -A INPUT -j DROP -p tcp --dport 22 --syn -m state --state NEW

# Keep the sshd lines of auth.log in a private temporary file rather than under
# predictable names in /tmp, and read the log only once per run.
sshlog=$(mktemp) || exit 1
trap 'rm -f "$sshlog"' EXIT
grep "sshd" /var/log/auth.log > "$sshlog"

# Every source address that was logged hitting port 22 on the Internet interface.
grep "IN=eth1" /var/log/debug | grep "DPT=22" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u |
while read -r rawline; do
   [ -n "$rawline" ] || continue
   if grep "Invalid user" "$sshlog" | grep -F -w -q "$rawline"; then
      block_rawline
   elif [ "$(grep "Failed password" "$sshlog" | grep -F -w -c "$rawline")" -gt 2 ]; then
      block_rawline
   elif grep "POSSIBLE BREAK-IN ATTEMPT" "$sshlog" | grep -F -w -q "$rawline"; then
      block_rawline
   fi
done

exit 0

I put this script in crontab and run it every 5 minutes.
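As an added example separate from rc.turkey above (not the post's code), the following applies the same three auth.log signatures to the iptables LOG lines the script relies on, and additionally honours an allow-list before naming an address for blocking; the block_candidates function, the constructed log lines and the allow-list CIDRs are all assumptions.

```shell
#!/bin/sh
# Added example, separate from rc.turkey above: pick the sources to block from an
# iptables LOG file and auth.log. Unlike the script it extracts SRC= by pattern, not
# by "=" field position, and honours an allow-list (the post's hosts.allow exceptions)
# first, so the DROP rules and blackhole routes never hit an excepted address.

# block_candidates KERN_LOG AUTH_LOG IFACE THRESHOLD "cidr cidr ..." : print,
# sorted, each source that hit port 22 on IFACE and scored >= THRESHOLD in
# auth.log; "Invalid user" and "POSSIBLE BREAK-IN ATTEMPT" score THRESHOLD at
# once, "Failed password" scores 1 per line, as in the post's rules.
block_candidates() {
    awk -v iface="$3" -v thr="$4" -v allow="$5" '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function allowed(ip,  i, p, sh) {               # CIDR match against the allow-list
            for (i = 1; i <= na; i++) {
                split(al[i], p, "/"); sh = 2 ^ (32 - ((2 in p) ? p[2] : 32))
                if (int(ip2n(ip) / sh) == int(ip2n(p[1]) / sh)) return 1
            }
            return 0
        }
        BEGIN { na = split(allow, al, " ") }
        FNR == 1 { f++ }                                  # f=1: kernel log, f=2: auth.log
        f == 1 && $0 ~ ("IN=" iface " ") && / DPT=22 / {
            if (match($0, /SRC=[0-9.]+/)) src[substr($0, RSTART + 4, RLENGTH - 4)] = 1
        }
        f == 2 && /sshd/ && match($0, / from [0-9.]+/) {
            ip = substr($0, RSTART + 6, RLENGTH - 6)
            if (/Invalid user/ || /POSSIBLE BREAK-IN ATTEMPT/) hits[ip] += thr
            else if (/Failed password/) hits[ip]++
        }
        END { for (ip in src) if (hits[ip] >= thr && !allowed(ip)) print ip }' "$1" "$2" | sort
}

# Constructed logs: 203.0.113.7 fails three times; 192.168.0.50 fails three
# times but is on the LAN allow-list; 198.51.100.99 probes an invalid user;
# 203.0.113.8 only touched port 80 on eth0.
KERN_LOG=$(mktemp); AUTH_LOG=$(mktemp); M='MAC=00:16:3e:12:34:56:00:1c:42:aa:bb:cc:08:00'
printf '%s\n' "Nov 28 10:00:01 srv kernel: IN=eth1 OUT= $M SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4431 DPT=22 SYN URGP=0" \
  "Nov 28 10:00:05 srv kernel: IN=eth1 OUT= $M SRC=192.168.0.50 DST=198.51.100.2 PROTO=TCP SPT=5001 DPT=22 SYN URGP=0" \
  "Nov 28 10:00:09 srv kernel: IN=eth1 OUT= $M SRC=198.51.100.99 DST=198.51.100.2 PROTO=TCP SPT=5002 DPT=22 SYN URGP=0" \
  "Nov 28 10:00:11 srv kernel: IN=eth0 OUT= $M SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP SPT=5003 DPT=80 SYN URGP=0" > "$KERN_LOG"
printf '%s\n' 'Nov 28 10:00:02 srv sshd[1201]: Failed password for root from 203.0.113.7 port 4431 ssh2' \
  'Nov 28 10:00:03 srv sshd[1201]: Failed password for root from 203.0.113.7 port 4431 ssh2' \
  'Nov 28 10:00:04 srv sshd[1201]: Failed password for root from 203.0.113.7 port 4431 ssh2' \
  'Nov 28 10:00:06 srv sshd[1202]: Failed password for alice from 192.168.0.50 port 5001 ssh2' \
  'Nov 28 10:00:07 srv sshd[1202]: Failed password for alice from 192.168.0.50 port 5001 ssh2' \
  'Nov 28 10:00:08 srv sshd[1202]: Failed password for alice from 192.168.0.50 port 5001 ssh2' \
  'Nov 28 10:00:10 srv sshd[1203]: Invalid user admin from 198.51.100.99' > "$AUTH_LOG"
block_candidates "$KERN_LOG" "$AUTH_LOG" eth1 3 '127.0.0.1/32 192.168.0.0/24'   # prints 198.51.100.99 and 203.0.113.7
```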