System scanning

Linux services, called daemons, are the programs that run on a system and serve up various services and applications for users.

• Internet services — such as the Apache web server (httpd), Telnet (telnetd), and FTP (ftpd) — may give away too much information about the system, including software versions, internal IP addresses, and usernames. This information could allow hackers to exploit a known weakness in the system.
• TCP and UDP small services — such as echo, daytime, and chargen — may be enabled by default and don’t need to be.

The vulnerabilities inherent in your Linux systems depend on what services are running. You can perform basic port scans to glean information about what’s running.

The NetScanTools Pro results in Figure 13-1 show many potentially vulnerable services on this Linux system, such as the services of SSH, DNS, and TFTP.

In addition to NetScanTools Pro, you can run a vulnerability scanner such as Nexpose against the system to try to gather more information. Note all the missing patches in this macOS High Sierra system shown in Figure 13-2.

Keep in mind that you’re going to find the most vulnerabilities in Linux and macOS by performing authenticated vulnerability scans, which is particularly important to do because it shows you what’s exploitable by users or malware on your systems. Even Linux and macOS are susceptible to malware! You’ll want to run such scans at least once per year or after any major application or OS upgrades on your workstations and servers.

Figure 13-3 shows the awesome feature of Nexpose that allows you to test your login credentials before kicking off a vulnerability scan of your network.

What’s the big deal about this feature, you say? Well, first, it can be a whole lot of hassle to think that you’re entering the proper login credentials into the scanner, only to find out hours later that the logins weren’t successful, which can invalidate the scan you ran. It can also be a threat to your budget (or wallet, if you work for yourself) if you’re charged by the scan only to discover that you have to rescan hundreds or even thousands of network hosts. I’ve been down that road many times, and it’s a real pain, to say the least.

You can use free tools to go a step further and find out the exact distribution and kernel version by running an OS fingerprint scan with the Nmap command nmap –sV –O, as shown in Figure 13-4.

The Windows-based NetScanTools Pro can also determine the version of Linux that’s running, as shown in Figure 13-5.

Countermeasures against system scanning

Although you can’t prevent system scanning, you can implement the following countermeasures to keep the bad guys from gleaning too much information about your systems and using it against you somehow:

• Protect the systems with either:
  • A firewall, such as iptables, that’s built into the OS
  • A host-based intrusion prevention system (IPS) such as PortSentry (https://sourceforge.net/projects/sentrytools), a local agent such as Snare (https://www.snaresolutions.com/products/snare-agents), or McAfee Host Intrusion Prevention for Server (https://www.mcafee.com/us/products/host-ips-for-server.aspx) that ties into a larger security incident and event management system that monitors for and correlates network events, anomalies, and breaches.
• Disable the services you don’t need, including RPC, HTTP, FTP, Telnet, and the small UDP and TCP services — anything for which you don’t have a true business need. This practice keeps the services from showing up in a port scan, which gives an attacker less information (and presumably less incentive to break in to your system).
• Make sure that the latest software updates are installed to reduce the chance of exploitation if an attacker determines what services you’re running.

Searches

Several security tools can uncover vulnerabilities in your Linux systems. These tools may not identify all applications down to the version number, but they’re a powerful way of collecting system information.

Tools

The following tools can perform in-depth analysis beyond port scanning to enumerate your Linux systems and see what others can see:

• Nmap can check for specific versions of the services loaded, as shown in Figure 13-6. Simply run Nmap with the -sV command-line switch.
• netstat shows the services running on a local machine. Enter this command while logged in:

  netstat –anp

• List Open Files (lsof) displays processes that are listening and files that are open on the system.

To run lsof, log in and enter this command at a Linux command prompt: lsof. aTons of options are available via lsof –h, such as lsof –I +D /var/log to show which log files are currently being used over which network connections. The lsof command can come in handy when you suspect that malware has found its way onto the system.

Countermeasures against attacks on unneeded services

You can and should disable the unneeded services on your Linux systems, which is one of the best ways to keep your Linux system secure. Like reducing the number of entry points (such as open doors and windows) in your house, the more entry points you eliminate, the fewer places an intruder can break in.

Disabling unneeded services

The best method of disabling unneeded services depends on whether the daemon is loaded in the first place. You have several places to disable services, depending on the version of Linux you're running.

If you don’t need to run a particular service, take the safe route: Turn it off! Just give people on the network ample warning of what you’re going to do in the event that someone needs the service for work.

INETD.CONF (OR XINETD.CONF)

If it makes good business sense to do so (that is, if you don’t need the services), disable unneeded services by commenting out the loading of daemons you don’t use. Follow these steps:

1. Enter the following command at the Linux prompt:

   ps -aux

   The process ID (PID) for each daemon, including inetd, is listed onscreen. In Figure 13-7, the PID for the sshd (Secure Shell daemon) is 646.

2. Make note of the PID for inetd.
3. Open /etc/inetd.conf in the Linux text editor vi by entering the command:

   vi /etc/inetd.conf

   or

   /etc/xinetd.conf

4. When you have the file loaded in vi, enable the insert (edit) mode by pressing I.

5. Move the cursor to the beginning of the line of the daemon that you want to disable, such as httpd (web server daemon), and type # at the beginning of the line.

   This step comments out the line and prevents it from loading when you reboot the server or restart inetd. It’s also good for record keeping and change management.

6. To exit vi and save your changes, press Esc to exit the insert mode, type :wq, and then press Enter.

   This step tells vi that you want to write your changes and quit.

7. Restart inetd by entering this command with the inetd PID:

   kill –HUP PID

CHKCONFIG

If you don’t have an inetd.conf file (or if it's empty), your version of Linux is probably running the xinetd program — a more-secure replacement for inetd — to listen for incoming network application requests. You can edit the /etc/xinetd.conf file in this case. For more information on the use of xinetd and xinetd.conf, enter man xinetd or man xinetd.conf at a Linux command prompt. If you're running Red Hat 7.0 or later, you can run the /sbin/chkconfig program to turn off the daemons you don’t want to load.

You can also enter chkconfig --list at a command prompt to see what services are enabled in the xinetd.conf file.

If you want to disable a specific service, such as snmp, enter the following:

chkconfig --del snmpd

You can use the chkconfig program to disable other services, such as FTP, Telnet, and web server.

Hacks using the hosts.equiv and .rhosts files

If hackers can capture a user ID and password by using a network analyzer or can crash an application and gain access via a buffer overflow, one thing they look for is what users are trusted by the local system. For that reason, it’s critical to assess these files yourself. The /etc/hosts.equiv and .rhosts files list this information.

Countermeasures against .rhosts and hosts.equiv file attacks

Use both of the following countermeasures to prevent hacker attacks against the .rhosts and hosts.equiv files in your Linux system.

Disabling commands

A good way to prevent abuse of these files is to disable the BSD r-commands. You can disable these commands in two ways:

• Comment out the lines starting with shell, login, and exec in inetd.conf.
• Edit the rexec, rlogin, and rsh files located in the /etc/xinetd.d directory. Open each file in a text editor, and change disable=no to disable=yes, as shown in Figure 13-8.

In Red Hat Enterprise Linux, you can disable the BSD r-commands with the setup program:

1. Enter setup at a command prompt.
2. Enter system-config-services.
3. Select the appropriate services.
4. Click Disable.

NFS hacks

If NFS was set up improperly or its configuration was been tampered with — namely, the /etc/exports file, which contains a setting that allows the world to read the entire file system — remote hackers can easily obtain remote access and do anything they want on the system. Assuming that no access control list is in place, all it takes is a line, such as the following, in the /etc/exports file:

/ rw

This line says that anyone can mount the root partition remotely in a read-write fashion. The following conditions must also be true:

• The NFS daemon (nfsd) must be running, along with the portmap daemon that would map NFS to RPC.
• The firewall must allow the NFS traffic through.
• The remote systems that are allowed into the server running the NFS daemon must be placed in the /etc/hosts.allow file.

This remote-mounting capability is easy to misconfigure. It's often related to a Linux administrator’s misunderstanding what it takes to share NFS mounts and resorting to the easiest way to get it working. If someone can gain remote access, the system is theirs.

Countermeasures against NFS attacks

The best defense against NFS hacking depends on whether you need the service running.

• If you don’t need NFS, disable it.
• If you need NFS, implement the following countermeasures:
  • Filter NFS traffic at the firewall — typically UDP port 111 (the port-mapper port) if you want to filter all RPC traffic.
  • Add network access control lists to limit access to specific hosts.
  • Make sure that your /etc/exports and /etc/hosts.allow files are configured properly to keep the world outside your network.

File permission hacks

By default, rogue programs that run with root privileges can be easily hidden. An external attacker or malicious insider might do this to hide hacking files, such as rootkits, on the system. This can be done with SetUID and SetGID coding in hacking programs.

Countermeasures against file permission attacks

You can test for rogue programs by using both manual and automated testing methods.

Attacks

In a buffer-overflow attack, the attacker manually sends strings of information to the victim Linux machine or writes a script that does so. These strings contain the following:

• Instructions to the processor to do nothing.
• Malicious code to replace the attacked process. exec ("/bin/sh") creates a shell command prompt, for example.
• A pointer to the start of the malicious code in the memory buffer.

If an attacked application (such as FTP or RPC) is running as root, this situation can give attackers root permissions in their remote shells. Specific examples of vulnerable software running on Linux are Samba, MySQL, and Mozilla Firefox. Depending on the version, this software can be exploited with commercial or free tools such as Metasploit (https://www.metasploit.com) to obtain remote command prompts, add backdoor user accounts, change ownership of files, and more. I cover Metasploit in Chapter 12.

Countermeasures against buffer overflow attacks

Three main countermeasures can help prevent buffer-overflow attacks:

• Disable unneeded services.
• Protect your Linux systems with a firewall or a host-based IPS.

• Enable another access control mechanism, such as TCP Wrappers, that authenticates users with a password.

  Don't just enable access controls via an IP address or host name, which can easily be spoofed.

As always, make sure that your systems have been updated with the latest kernel and software updates.

Physical security hacks

If an attacker is at the system console, anything goes, including rebooting the system (even if no one is logged in) by pressing Ctrl+Alt+Delete. After the system is rebooted, the attacker can start it in single-user mode, which allows him to zero out the root password or possibly read the entire shadow password file. I cover password cracking in Chapter 8.

Countermeasures against physical security attacks

Edit your /etc/inittab file, and comment out (place a # sign in front of) the line that reads ca::ctrlaltdel:/sbin/shutdown -t3 -r now, shown in the last line of Figure 13-9. These changes prevent someone from rebooting the system by pressing Ctrl+Alt+Delete. Be forewarned that this change also prevents you from legitimately pressing Ctrl+Alt+Delete.

For Linux-based laptops, use disk-encryption software from WinMagic (https://www.winmagic.com) or Symantec EndPoint Encryption (https://www.symantec.com/products/endpoint-encryption). If you don't, when a laptop is lost or stolen, you could very well have a data breach on your hands, not to mention the state and federal compliance, and disclosure-law requirements that go along with it. Not good!

If you believe that someone recently gained access to your system, physically or by exploiting a vulnerability such as a weak password or buffer overflow, you can use a program called last to view the last few logins into the system to check for strange login IDs or login times. This program peruses the /var/log/wtmp file and displays the users who logged in last. You can enter last | head to view the first part of the file (the first ten lines) if you want to see the most recent logins.

Distribution updates

For Linux, the process is different in every distribution. You can use the following tools, based on your specific distribution:

• Red Hat: The following tools update Red Hat Linux systems:
  • RPM Packet Manager, which is the graphical user interface (GUI) application that runs in the Red Hat GUI desktop. It manages files with an .rpm extension that Red Hat and other freeware and open-source developers use to package their programs. RPM Packet Manager was originally a Red Hatsystem but is now available for many versions of Linux.
  • up2date, a command-line, text-based tool that's included in Red Hat, Fedora, and CentOS.
• Debian: You can use the Debian package management system (dpkg) included with the OS to update Debian Linux systems.
• Slackware: You can use the Slackware Package Tool (pkgtool) included with the OS to update Slackware Linux systems.
• SUSE: SUSE Linux includes YaST2 software management.

In addition to Linux kernel and general operating system updates, make sure to pay attention to Apache, OpenSSL, OpenSSH, MySQL, PHP, and other software programs on your systems. They may have weaknesses that you don’t want to overlook.

For macOS, the updates are pushed to the computer locally, and unfortunately, it’s up to the user to install the updates by default.

Multiplatform update managers

Commercial patch-management tools have additional features, such as correlating patches with vulnerabilities and automatically deploying appropriate patches. Commercial tools that can help with Linux and macOS patch management include ManageEngine (https://www.manageengine.com/products/desktop-central/mac-management.html), GFI LanGuard (https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard/specifications/patch-management-for-operating-systems), and KACE Systems Management Appliance (https://www.quest.com/products/kace-systems-management-appliance).