System scanning

Linux services — called daemons — are the programs that run on a system and serve up various services and applications for users.

• Internet services, such as the Apache web server (httpd), telnet (telnetd), and FTP (ftpd), often give away too much information about the system, including software versions, internal IP addresses, and usernames. This information could allow hackers to exploit a known weakness in the system.
• TCP and UDP small services, such as echo, daytime, and chargen, are often enabled by default and don’t need to be.

The vulnerabilities inherent in your Linux systems depend on what services are running. You can perform basic port scans to glean information about what’s running.

The NetScanTools Pro results in Figure 13-1 show many potentially vulnerable services on this Linux system, including the confirmed services of SSH, HTTP, and HTTPS.

In addition to NetScanTools Pro, you can run another scanner, such as Nexpose, against the system to try to gather more information, including a server running SSL version 3 with weak encryption ciphers, as shown in Figure 13-2.

Keep in mind that you’re going to find the most vulnerabilities in Linux and Mac OS X by performing authenticated vulnerability scans. This is particularly important to do because it shows you what’s exploitable by users — or malware — on your systems. And, yes, even Linux and Mac OS X are susceptible to malware! You’ll want to run such scans at least once per year or after any major application or OS upgrades on your workstations and servers.

Figure 13-3 shows the absolutely amazing feature in Nexpose that allows you to actually test your login credentials before kicking off a vulnerability scan of your network.

What’s the big deal about this feature, you say? Well, first off, it can be a whole lot of hassle to think you’re entering the proper login credentials into the scanner only to find out hours later that the logins were not successful, which can invalidate the scan you ran. It can also be a threat to your budget (or wallet, if you work for yourself) if you’re charged by the scan only to discover that you have to re-scan hundreds, even thousands, of network hosts. I’ve been down that road many times and it’s a real pain, to say the least.

You can use free tools to go a step further and find out the exact distribution and kernel version by running an OS fingerprint scan with the Nmap command nmap –sV –O, as shown in Figure 13-4.

The Windows-based NetScanTools Pro also has the capability to determine the version of Linux that’s running, as shown in Figure 13-5.

Countermeasures against system scanning

Although you can’t completely prevent system scanning, you can still implement the following countermeasures to keep the bad guys from gleaning too much information about your systems and using it against you somehow:

• Protect the systems with either:
  • A firewall, such as iptables, that’s built into the OS
  • A host-based intrusion prevention system, such as PortSentry (http://sourceforge.net/projects/sentrytools), a local agent such as Snare (www.intersectalliance.com/our-product/snare-agent), or McAfee Host Intrusion Prevention for Server (www.mcafee.com/us/products/host-ips-for-server.aspx) that ties into a larger security incident and event management (SIEM) system that monitors for and correlates network events, anomalies, and breaches.
• Disable the services you don’t need, including RPC, HTTP, FTP, telnet, and the small UDP and TCP services — anything for which you don’t have a true business need. This keeps the services from showing up in a port scan, which gives an attacker less information — and presumably less incentive — to break in to your system.
• Make sure the latest software updates are installed to reduce the chance of exploitation if an attacker determines what services you’re running.

Searches

Several security tools can help uncover vulnerabilities in your Linux systems. These tools might not identify all applications down to the exact version number, but they’re a very powerful way of collecting system information.

Tools

The following tools can perform more in-depth information beyond port scanning to enumerate your Linux systems and see what others can see:

• Nmap can check for specific versions of the services loaded, as shown in Figure 13-6. Simply run Nmap with the -sV command-line switch.
• netstat shows the services running on a local machine. Enter this command while logged in:

  netstat –anp

• List Open Files (lsof) displays processes that are listening and files that are open on the system.

  To run lsof, log in and enter this command at a Linux command prompt: lsof. There are tons of options available via lsof –h, such as lsof –I +D /var/log to show which log files are currently in use over which network connections. The lsof command can come in handy when you suspect that malware has found its way onto the system.

Countermeasures against attacks on unneeded services

You can and should disable the unneeded services on your Linux systems. This is one of the best ways to keep your Linux system secure. Like reducing the number of entry points (such as open doors and windows) into your house, the more entry points you eliminate, the fewer places an intruder can break in.

Disabling unneeded services

The best method of disabling unneeded services depends on whether the daemon is loaded in the first place. You have several places to disable services, depending on the version of Linux you’re running.

If you don’t need to run a particular service, take the safe route: Turn it off! Just give people on the network ample warning that it’s going to happen in the event someone needs the service for their work.

inetd.conf (or xinetd.conf)

If it makes good business sense — that is, if you don’t need them — disable unneeded services by commenting out the loading of daemons you don’t use. Follow these steps:

1. Enter the following command at the Linux prompt:

   ps -aux

   The process ID (PID) for each daemon, including inetd, is listed on the screen. In Figure 13-7, the PID for the sshd (Secure Shell daemon) is 646.

2. Make note of the PID for inetd.
3. Open /etc/inetd.conf in the Linux text editor vi by entering the following command:

   vi /etc/inetd.conf

   Or

   /etc/xinetd.conf

4. When you have the file loaded in vi, enable the insert (edit) mode by pressing I.

5. Move the cursor to the beginning of the line of the daemon that you want to disable, such as httpd (web server daemon), and type # at the beginning of the line.

   This step comments out the line and prevents it from loading when you reboot the server or restart inetd. It’s also good for record keeping and change management.

6. To exit vi and save your changes, press Esc to exit the insert mode, type :wq, and then press Enter.

   This tells vi that you want to write your changes and quit.

7. Restart inetd by entering this command with the inetd PID:

   kill –HUP PID

chkconfig

If you don’t have an inetd.conf file (or it’s empty), your version of Linux is probably running the xinetd program — a more secure replacement for inetd — to listen for incoming network application requests. You can edit the /etc/xinetd.conf file if this is the case. For more information on the usage of xinetd and xinetd.conf, enter man xinetd or man xinetd.conf at a Linux command prompt. If you’re running Red Hat 7.0 or later, you can run the /sbin/chkconfig program to turn off the daemons you don’t want to load.

You can also enter chkconfig --list at a command prompt to see what services are enabled in the xinetd.conf file.

If you want to disable a specific service, say snmp, enter the following:

chkconfig --del snmpd

You can use the chkconfig program to disable other services, such as FTP, telnet, and web server.

Hacks using the hosts.equiv and .rhosts files

If hackers can capture a user ID and password by using a network analyzer or can crash an application and gain root access via a buffer overflow, one thing they look for is what users are trusted by the local system. That’s why it’s critical to assess these files yourself. The /etc/hosts.equiv and .rhosts files list this information.

Countermeasures against .rhosts and hosts.equiv file attacks

Use both of the following countermeasures to prevent hacker attacks against the .rhosts and hosts.equiv files in your Linux system.

Disabling commands

A good way to prevent abuse of these files is to disable the BSD r-commands. This can be done in two ways:

• Comment out the lines starting with shell, login, and exec in inetd.conf.
• Edit the rexec, rlogin, and rsh files located in the /etc/xinetd.d directory. Open each file in a text editor and change disable=no to disable=yes, as shown in Figure 13-8.

In Red Hat Enterprise Linux, you can disable the BSD r-commands with the setup program:

1. Enter setup at a command prompt.
2. Enter system-config-services.
3. Select the appropriate services and click Disable.

NFS hacks

If NFS was set up improperly or its configuration has been tampered with — namely, the /etc/exports file containing a setting that allows the world to read the entire file system — remote hackers can easily obtain remote access and do anything they want on the system. Assuming no access control list (ACL) is in place, all it takes is a line, such as the following, in the /etc/exports file:

/ rw

This line says that anyone can remotely mount the root partition in a read-write fashion. Of course, the following conditions must also be true:

• The NFS daemon (nfsd) must be running, along with the portmap daemon that would map NFS to RPC.
• The firewall must allow the NFS traffic through.
• The remote systems that are allowed into the server running the NFS daemon must be placed into the /etc/hosts.allow file.

This remote-mounting capability is easy to misconfigure. It’s often related to a Linux administrator’s misunderstanding of what it takes to share out the NFS mounts and resorting to the easiest way possible to get it working. If someone can gain remote access, the system is theirs.

Countermeasures against NFS attacks

The best defense against NFS hacking depends on whether you actually need the service running.

• If you don’t need NFS, disable it.
• If you need NFS, implement the following countermeasures:
  • Filter NFS traffic at the firewall — typically, UDPport 111 (the portmapper port) if you want to filter all RPC traffic.
  • Add network ACLs to limit access to specific hosts.
  • Make sure that your /etc/exports and /etc/hosts.allow files are configured properly to keep the world outside your network.

File permission hacks

By default, rogue programs that run with root privileges can be easily hidden. An external attacker or malicious insider might do this to hide hacking files, such as rootkits, on the system. This can be done with SetUID and SetGID coding in their hacking programs.

Countermeasures against file permission attacks

You can test for rogue programs by using both manual and automated testing methods.

Attacks

In a buffer overflow attack, the attacker either manually sends strings of information to the victim Linux machine or writes a script to do so. These strings contain the following:

• Instructions to the processor to basically do nothing.
• Malicious code to replace the attacked process. For example, exec ("/bin/sh") creates a shell command prompt.
• A pointer to the start of the malicious code in the memory buffer.

If an attacked application (such as FTP or RPC) is running as root (certain programs do), this situation can give attackers root permissions in their remote shells. Specific examples of vulnerable software running on Linux are Samba, MySQL, and Firefox. Depending on the version, this software can be exploited using commercial or free tools such as Metasploit (www.metasploit.com) to obtain remote command prompts, add backdoor user accounts, change ownership of files, and more. I cover Metasploit in Chapter 12.

Countermeasures against buffer overflow attacks

Three main countermeasures can help prevent buffer-overflow attacks:

• Disable unneeded services.
• Protect your Linux systems with either a firewall or a host-based intrusion prevention system (IPS).

• Enable another access control mechanism, such as TCP Wrappers, that authenticates users with a password.

  Don’t just enable access controls via an IP address or hostname. That can easily be spoofed.

As always, make sure that your systems have been updated with the latest kernel and software updates.

Physical security hacks

If an attacker is at the system console, anything goes, including rebooting the system (even if no one is logged in) by pressing Ctrl+Alt+Delete. After the system is rebooted, the attacker can start it in single-user mode, which allows the hacker to zero out the root password or possibly even read the entire shadow password file. I cover password cracking in Chapter 8.

Countermeasures against physical security attacks

Edit your /etc/inittab file and comment out (place a # sign in front of) the line that reads ca::ctrlaltdel:/sbin/shutdown -t3 -r now, shown in the last line of Figure 13-9. These changes will prevent someone from rebooting the system by pressing Ctrl+Alt+Delete. Be forewarned that this will also prevent you from legitimately using Ctrl+Alt+Delete.

For Linux-based laptops, use disk encryption software, such as WinMagic (www.winmagic.com) and Symantec (www.symantec.com). If you don’t, when a laptop is lost or stolen, you could very well have a data breach on your hands and all the state, federal, compliance, and disclosure law requirements that go along with it. Not good!

If you believe that someone has recently gained access to your system, either physically or by exploiting a vulnerability, such as a weak password or buffer overflow, you can use last, the program, to view the last few logins into the system to check for strange login IDs or login times. This program peruses the /var/log/wtmp file and displays the users who logged in last. You can enter last | head to view the first part of the file (the first ten lines) if you want to see the most recent logins.

Distribution updates

The distribution process is different on every distribution of Linux. You can use the following tools, based on your specific distribution:

• Red Hat: The following tools update Red Hat Linux systems:
  • RPM Packet Manager, which is the GUI-based application that runs in the Red Hat GUI desktop. It manages files with an .rpm extension that Red Hat and other freeware and open source developers use to package their programs. RPM Packet Manager was originally a Red Hat-centric system but is now available on many versions of Linux.
  • up2date, a command-line, text-based tool that’s included in Red Hat, Fedora, and CentOS.
• Debian: You can use the Debian package management system (dpkg) included with the operating system to update Debian Linux systems.
• Slackware: You can use the Slackware Package Tool (pkgtool) included with the operating system to update Slackware Linux systems.
• SUSE: SUSE Linux includes YaST2 software management.

In addition to Linux kernel and general operating system updates, make sure you pay attention to Apache, OpenSSL, OpenSSH, MySQL, PHP, and other software on your systems. They may have weaknesses that you don’t want to overlook.

Multi-platform update managers

Commercial tools have additional features, such as correlating patches with vulnerabilities and automatically deploying appropriate patches. Commercial tools that can help with Linux patch management include ManageEngine (www.manageengine.com/products/desktop-central/linux-management.html), GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard/specifications/patch-management-for-operating-systems), and Dell KACE Systems Management Appliance (http://software.dell.com/products/kace-k1000-systems-management-appliance/patch-management-security.aspx).