Ethernet LAN), that is, it can reset connections, spy on them and do otherwise naughty things. It also includes a variety of ARP-based attacks and other mischievous sources of fun. You can get HUNT at: http://www.cri.cz/kra/index.html.
PPP security
PPP provides TCP-IP (as well as IPX/SPX and NetBEUI) connections over serial lines (which can of course be attached to modems). It is the primary method most people use to connect to the Internet (virtually all dial-up accounts are PPP). A PPP connection essentially consists of two computing devices (a computer, a Palm Pilot, a terminal server, etc.) connected over a serial link (usually via modems); both ends invoke PPP, authentication is handled (in one of several ways), and the link is brought up. PPP has no real support for encryption, so if you require a secure link you must invest in some form of VPN software. Most systems invoke PPP in a rather kludgy way: you 'log in' to the equipment (terminal server, etc.) and PPP is then invoked as your login shell. This of course means your username and password are sent in clear text over the line, and you must have an account on that piece of equipment; in this case PPP does not handle the authentication at all. A somewhat safer way of handling this is to use PAP (Password Authentication Protocol), where the authentication is handled by PPP, so you do not require a real account on the server; the username and password are still sent in clear text, but the system is at least somewhat safer. The third (and best) method of authentication is to use CHAP (Challenge Handshake Authentication Protocol): each side exchanges a public key and uses it to encrypt the data sent for authentication, so your username and password are relatively safe from snooping; actual data transfers, however, are sent normally. One caveat with CHAP: Microsoft's implementation uses DES instead of MD5, making it slightly 'broken' when connecting with a Linux client; there are patches available to fix this, however. PPP ships with almost every Linux distribution as a core part of the OS; the Linux PPP-HOWTO is available at: http://www.interweft.com.au/other/ppp-howto/ppp-howto.html.
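Added example (not the guide's code): a simulation of what a sniffer on the serial line captures under PAP versus CHAP. CHAP is modelled as specified in RFC 1994, an MD5 hash over the identifier, the shared secret and the authenticator's challenge, so the secret itself never crosses the link; the `wire` list, the user names and the secrets are constructed stand-ins.

```python
"""PAP vs CHAP on a PPP link: what a sniffer on the serial line captures.

Added example, not the guide's code. CHAP follows RFC 1994 (MD5 over
Identifier || secret || Challenge). `wire` is a constructed stand-in for
the serial link; every tuple appended to it is a frame an eavesdropper sees.
"""
import hashlib
import hmac
import os


def pap_authenticate(wire, user, password, server_db):
    """PAP: the peer sends name and password in the clear; the server compares them."""
    wire.append(("Authenticate-Request", user, password))
    ok = hmac.compare_digest(server_db.get(user, b""), password)
    wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak", user))
    return ok


def chap_response(ident, secret, challenge):
    """RFC 1994, MD5 algorithm: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_authenticate(wire, user, secret, server_db, challenge=None):
    """CHAP: the server challenges; the peer proves it knows the secret without sending it.

    `challenge` may be fixed for a test; a real authenticator must draw a fresh
    random value per handshake, otherwise a captured Response can be replayed.
    """
    ident = 1
    challenge = challenge if challenge is not None else os.urandom(16)
    wire.append(("Challenge", ident, challenge))
    response = chap_response(ident, secret, challenge)
    wire.append(("Response", ident, response, user))
    expected = chap_response(ident, server_db.get(user, b""), challenge)
    ok = hmac.compare_digest(response, expected)
    wire.append(("Success" if ok else "Failure", ident))
    return ok


def secret_on_wire(wire, secret):
    """True if the secret itself appears in any captured frame field."""
    return any(field == secret for frame in wire for field in frame
               if isinstance(field, bytes))
```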
Basic network service security
What is running and who is it talking to?
You can't start securing services until you know what is running. For this task ps and netstat are invaluable: ps will tell you what is currently running (httpd, inetd, etc.), netstat will tell you the status of ports (at this point we're interested in ports that are open and listening, that is, waiting for connections), and finally we can take a look at the various config files that control services.
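Added example (not the guide's code) of the ps plus netstat check just described: it joins the two outputs on PID so each listening port is reported with the user and full command that own it. The ps lines are a subset of the listing in this section; the netstat lines are constructed in `netstat -anp` style with PIDs chosen to match them.

```python
"""Join ps and netstat output: what is listening, and who owns it?
Added example, not the guide's code. PS_SAMPLE is a subset of the ps -xau listing
in this section; NETSTAT_SAMPLE is constructed (netstat -anp style) to match its PIDs."""

PS_SAMPLE = """\
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
named 2865 0.0 2.1 2120 1368 ? S 01:14 0:01 /usr/sbin/named -u named -g named -t /home/named
root 427 0.0 0.9 1272 592 ? S Feb 12 0:19 /usr/sbin/sshd
root 489 0.0 1.7 1884 1096 ? S Feb 12 0:00 httpd
root 1473 0.0 1.5 1492 1000 ? S Feb 13 0:00 sendmail: accepting connections on port 25
"""

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 427/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1473/sendmail
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 489/httpd
tcp 0 0 192.168.1.5:22 192.168.1.9:1034 ESTABLISHED 3090/sshd
udp 0 0 0.0.0.0:53 0.0.0.0:* 2865/named
"""

def parse_ps(text):
    """Map PID -> (user, command); START is '01:14' (one token) or 'Feb 12' (two)."""
    procs = {}
    for line in text.splitlines()[1:]:
        t = line.split()
        cmd_at = 11 if t[8][0].isalpha() else 10  # a month name means two START tokens
        procs[int(t[1])] = (t[0], " ".join(t[cmd_at:]))
    return procs

def parse_listeners(text):
    """Yield (proto, port, pid) for LISTEN tcp sockets and every bound udp socket."""
    for line in text.splitlines()[1:]:
        t = line.split()
        if t[0].startswith("tcp") and t[5] != "LISTEN":
            continue  # an established session is a client, not a service
        yield t[0], int(t[3].rsplit(":", 1)[1]), int(t[-1].split("/")[0])

def listening_inventory(ps_text, netstat_text):
    """One row per open port: protocol, port, PID, owning user and full command line."""
    procs = parse_ps(ps_text)
    rows = []
    for proto, port, pid in parse_listeners(netstat_text):
        user, cmd = procs.get(pid, ("?", "?"))
        rows.append({"proto": proto, "port": port, "pid": pid, "user": user, "command": cmd})
    return sorted(rows, key=lambda r: (r["proto"], r["port"]))

def root_listeners(rows):
    """Ports served by a root-owned process: the first candidates for dropping privileges."""
    return [r["port"] for r in rows if r["user"] == "root"]
```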
PS Output
The program ps shows us process status (information available in the /proc/ virtual filesystem). The options most commonly used are -xau, which show pretty much all the information you'd ever want to know; please note these options vary across UNIX systems (Solaris, SCO, etc. all behave differently, which is incredibly annoying). The following is typical output from a machine.
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
bin 320 0.0 0.6 760 380 ? S Feb 12 0:00 portmap
daemon 377 0.0 0.6 784 404 ? S Feb 12 0:00 /usr/sbin/atd
named 2865 0.0 2.1 2120 1368 ? S 01:14 0:01 /usr/sbin/named -u named -g named -t /home/named
nobody 346 0.0 18.6 12728 11796 ? S Feb 12 3:12 squid
nobody 379 0.0 0.8 1012 544 ? S Feb 12 0:00 (dnsserver)
nobody 380 0.0 0.8 1012 540 ? S Feb 12 0:00 (dnsserver)
nobody 383 0.0 0.6 916 416 ? S Feb 12 0:00 (dnsserver)
nobody 385 0.0 0.8 1192 568 ? S Feb 12 0:00 /usr/bin/ftpget -S 1030
nobody 392 0.0 0.3 716 240 ? S Feb 12 0:00 (unlinkd)
nobody 1553 0.0 1.8 1932 1200 ? S Feb 14 0:00 httpd
nobody 1703 0.0 1.8 1932 1200 ? S Feb 14 0:00 httpd
root 1 0.0 0.6 776 404 ? S Feb 12 0:04 init [3]
root 2 0.0 0.0 0 0 ? SW Feb 12 0:00 (kflushd)
root 3 0.0 0.0 0 0 ? SW Feb 12 0:00 (kswapd)
root 4 0.0 0.0 0 0 ? SW Feb 12 0:00 (md_thread)
root 64 0.0 0.5 736 348 ? S Feb 12 0:00 kerneld
root 357 0.0 0.6 800 432 ? S Feb 12 0:05 syslogd
root 366 0.0 1.0 1056 684 ? S Feb 12 0:01 klogd
root 393 0.0 0.7 852 472 ? S Feb 12 0:00 crond
root 427 0.0 0.9 1272 592 ? S Feb 12 0:19 /usr/sbin/sshd
root 438 0.0 1.0 1184 672 ? S Feb 12 0:00 rpc.mountd
root 447 0.0 1.0 1180 644 ? S Feb 12 0:00 rpc.nfsd
root 458 0.0 1.0 1072 680 ? S Feb 12 0:00 /usr/sbin/dhcpd
root 489 0.0 1.7 1884 1096 ? S Feb 12 0:00 httpd
root 503 0.0 0.4 724 296 2 S Feb 12 0:00 /sbin/mingetty tty2
root 505 0.0 0.3 720 228 ? S Feb 12 0:02 update (bdflush)
root 541 0.0 0.4 724 296 1 S Feb 12 0:00 /sbin/mingetty tty1
root 1372 0.0 0.6 772 396 ? S Feb 13 0:00 inetd
root 1473 0.0 1.5 1492 1000 ? S Feb 13 0:00 sendmail: accepting connections on port 25
root 2862 0.0 0.0 188 44 ? S 01:14 0:00 /usr/sbin/holelogd.named /home/named/dev/log
root 3090 0.0 1.9 1864 1232 ? S 12:16 0:02 /usr/sbin/sshd
root 3103 0.0 1.1 1448 728 p1 S 12:16 0:00 su -
root 3104 0.0 1.3 1268 864 p1 S 12:16 0:00 -bash
root 3136 0.0 1.9 1836 1212 ? S 12:21 0:04 /usr/sbin/sshd
The interesting ones are: portmap, named, squid (and its dnsserver, unlinkd and ftpget child processes), httpd, syslogd, sshd, rpc.mountd, rpc.nfsd, dhcpd, inetd, and sendmail (this server appears to be providing gateway services, email and NFS file sharing). The easiest way to learn how to read ps output is to go over the ps man page and learn what the various fields are (most are self-explanatory, such as %CPU; some, like SIZE, are a bit obscure (SIZE