Top

A Linux User Reference

Search tips
  • search ignores words that are less than 4 characters in length
  • searches are case insensitve
  • if a search does not return anything try it in Boolean mode then Query expansion mode by checking the appropriate radio button e.g. searching for 'cron' in just the Administration category returns nothing - presumably because the 50% threshold is reached. Boolean mode ignores this threshold so a search for 'cron' returns several hits
  • in Boolean mode preceding a word with a '+' means the result must include that word, a '-' means it must not
  • in Boolean mode '+crontab -anacron' means match articles about crontab that DO NOT mention anacron
  • to match a phrase e.g. 'manage system' check the Boolean mode radio button and enclose the phrase in quotes "some phrase ..."
  • in Query expansion mode the search context is expanded beyond the keywords you entered - relevancy of hits may well be degraded

SECURITY

Intrusion detection

  • Fail2ban
    • Fail2ban's main function is to block IP addresses that it 'believes' may be trying to breach the system's security.
    • It monitors logfiles to ascertain host IPs that make too many login attempts or perform defined unwanted actions within a time frame.
    • It can be configured to monitor any service that writes login attempts to a log file.
    • It can use 'iptables' and /etc/hosts.deny to block an IP.
    • It's configuration file is /etc/fail2ban/jail.conf
    • Whenever changes are made to jail.conf the application needs to be restarted for the changes to take affect.

    Starting and stopping

    # /etc/init.d/fail2ban [stop | start | restart | ...]
    
  • Fail2ban configuration examples
    - /etc/fail2ban/jail.conf

    Some configuration options

    ignoreip               A space-separated list of IP addresses that cannot be blocked. 
    bantime                Time in seconds that a host is blocked (600 seconds = 10 minutes).
    maxretry               Max. number of failed login attempts before a host is blocked.
    filter                 Use this filter file in /etc/fail2ban/filter.d.
    action                 Use this action file in /etc/fail2ban/action.d.
    logpath                Log file to check for failed login attempts.
    

    Sample configuration file entries

    [DEFAULT]
    # Applies to all other sections unless the options within/below
    # it are overridden in another section(s).
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 192.168.0.99           
    bantime  = 600
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification.
    # Available options are "gamin", "polling" and "auto".
    #   gamin:     requires Gamin (a file alteration monitor) to be installed.
    #              If not installed, Fail2ban will use polling.
    #   polling:   uses a polling algorithm which does not require external libraries.
    #   auto:      will choose Gamin if available and polling otherwise.
    backend = auto
    
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = root@localhost
    
    # Default action to take: ban only
    action = iptables[name=%(__name__)s, port=%(port)s]
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 600
    
    #---------------------------------------------------------------------
    # This jail corresponds to the standard configuration in Fail2ban 0.6.
    # The mail-whois action sends a notification e-mail with a whois request
    # in the body.
    [ssh-iptables]
    enabled  = true                   # Monitor and control login attempts to this service
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
               sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
    logpath  = /var/log/messages
    maxretry = 5
    
    #---------------------------------------------------------------------
    # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
    # used to avoid banning the user "myuser".
    [ssh-tcpwrapper]
    enabled     = false
    filter      = sshd
    action      = hostsdeny
                  sendmail-whois[name=SSH, dest=you@mail.com]
    ignoreregex = for myuser from
    logpath     = /var/log/messages
    
    #---------------------------------------------------------------------
    # The hosts.deny path can be defined with the "file" argument if it is
    # not in /etc.
    [postfix-tcpwrapper]
    enabled  = true
    filter   = postfix
    action   = hostsdeny
               sendmail[name=Postfix, dest=you@mail.com]
    logpath  = /var/log/mail
    bantime  = 300
    
    #---------------------------------------------------------------------
    # Do not ban anybody. Just report information about the remote host.
    # A notification is sent at most every 600 seconds (bantime).
    [vsftpd-notification]
    enabled  = false
    filter   = vsftpd
    action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath  = /var/log/messages
    maxretry = 5
    bantime  = 1800
    
    # Same as above but with banning the IP address.
    [vsftpd-iptables]
    enabled  = false
    filter   = vsftpd
    action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
               sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath  = /var/log/messages
    maxretry = 5
    bantime  = 1800
    
    #---------------------------------------------------------------------
    # Ban hosts which agent identifies spammer robots crawling the web
    # for email addresses. The mail outputs are buffered.
    [apache-badbots]
    enabled  = true
    filter   = apache-badbots
    action   = iptables-multiport[name=BadBots, port="http,https"]
               sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
    logpath  = /var/log/apache2/access_log
    bantime  = 172800
    maxretry = 1
    
    #---------------------------------------------------------------------
    [courierpop3]
    enabled  = true
    port     = pop3
    filter   = courierlogin
    action   = iptables[name=%(__name__)s, port=%(port)s]
    logpath  = /var/log/mail
    maxretry = 5
    
    [courierimap]
    enabled  = true
    port     = imap2
    filter   = courierlogin
    action   = iptables[name=%(__name__)s, port=%(port)s]
    logpath  = /var/log/mail
    maxretry = 5
    
    #---------------------------------------------------------------------
    [apache]
    enabled = true
    port    = http
    filter  = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    [apache-noscript]
    enabled = false
    port    = http
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    #---------------------------------------------------------------------
    [proftpd]
    enabled  = true
    port     = ftp
    filter   = proftpd
    logpath  = /var/log/auth.log
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    maxretry = 5
    
    #---------------------------------------------------------------------
    [sasl]
    enabled  = true
    port     = smtp
    filter   = sasl
    failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    logpath  = /var/log/mail.log
    maxretry = 5
    
  • Snort
    • A lightweight network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.
    • Configuration involves creating a configuration file containing rules.
    • Specify the configuration file containing the rules using snort's "-c " option.
    • See <a class="article_link" href=http://www.snort.org/" target="_blank">Snort website.

    A sample rule

    alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
    

    Snort rules are divided into two logical sections:

    Rule header

    Contains the action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information.

    Text up to the first parenthesis

    alert tcp any any -> 192.168.1.0/24 111
    
    Rule options

    Contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.

    Text enclosed by parenthesis ( ... )

    content:"|00 01 86 a5|"; msg: "mountd access";
    

    Rule option keywords are words that appear before a ':' within the rule options

    content, msg
    
    • All of the elements in the rule must be true for the indicated rule action to be taken - logical AND.
    • The various rules in a Snort rule's library file can be considered to form a large logical OR statement.
  • Snort cmd-line examples

    All examples from the snort documentation.

    Dump TCP/IP packets to the screen - sniffer mode

    # snort -v
    01/07-16:22:12.746540 192.168.2.8:1024 -> 192.168.2.1:53
    UDP TTL:64 TOS:0x0 ID:13581 IpLen:20 DgmLen:60 DF
    Len: 40
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    01/07-16:22:12.750346 192.168.2.1:53 -> 192.168.2.8:1024
    UDP TTL:64 TOS:0x0 ID:58826 IpLen:20 DgmLen:422
    Len: 402
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    .....
    

    Show application data - sniffer mode

    # snort -vd
    01/07-16:21:17.979586 192.168.2.8:1024 -> 192.168.2.1:53
    UDP TTL:64 TOS:0x0 ID:8105 IpLen:20 DgmLen:60 DF
    Len: 40
    57 35 01 00 00 01 00 00 00 00 00 00 03 77 77 77  W5...........www
    06 64 65 62 69 61 6E 03 6F 72 67 00 00 01 00 01  .debian.org.....
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    

    Create directories based on the host - packet-logger mode

    # snort -dev -l ./snortlog
    snortlog/:
    drwx------    2 root     root         1024 Jan  8 09:56 192.168.2.8
    drwx------    2 root     root         1024 Jan  8 09:56 198.186.203.20
    drwx------    2 root     root         1024 Jan  8 09:56 80.89.228.10
    -rw-------    1 root     root          528 Jan  8 09:56 ARP
    snortlog/192.168.2.8:
    -rw-------    1 root     root         3698 Jan  8 09:56 ICMP_ECHO
    -rw-------    1 root     root         3295 Jan  8 09:56 UDP:1024-53
    

    Detect intrusions - network-intrusion detection mode

    # snort -d -h 192.168.2.0/24 -l ./snortlog -c snort.con
    
  • Portsentry
    • Designed to detect and respond in real-time to port scans against a target host's TCP and UDP sockets.
    • Has an internal state engine to remember hosts that connected previously, this allows the setting of a trigger value to prevent false alarms and detect "random" port probing.
    • Can report all violations to the local or remote syslog daemons indicating the system name, time of attack, attacking host IP and the TCP or UDP port a connection attempt was made to.
    • When used in conjunction with Logcheck it will provide an alert to administrators through e-mail.
    Black hole feature

    Once a scan is detected portsentry can turn the target system into a 'black hole' - disappearing from the attacker. This feature stops most attacks cold.

    Host blocking

    The blocking of a host in real-time is done through configured options. These either:

    • drop the local route back to the attacker by using the Linux 'ipfwadm', 'ipchains', 'iptables', BSD 'ipfw' commands and or
    • drop the attacker's host IP into a TCP Wrappers hosts.deny file.
  • Portsentry installation and configuration steps

    Good chance you can install via your distibutions package manager. If not the 'Sentry Tools' article on this page contains a like that can be used to download the program.

    Ubuntu package

    $ apt-cache search portsentry
    .....
    portsentry - Portscan detection daemon
    

    Installing from source:

    (1) Check, read your versions documention

    (2) Verify (change if applicable) the contents of the 'portsentry_config.h' file

    CONFIG_FILE               Path to the PortSentry configuration file.
    WRAPPER_HOSTS_DENY        Path and name of TCP wrapper hosts.deny file.
    SYSLOG_FACILITY           Syslog facility for PortSentry to use.
    SYSLOG_LEVEL              Syslog level to send messages.
    

    (3) Verify (change if applicable) the configuration file - portsentry.conf

    TCP_PORTS                 ',' delimited string of TCP ports to listen to. 
                              Default limit of 64.
    UDP_PORTS                 As TCP
    ADVANCED_PORTS_TCP        Any port *below* this number is then monitored. 
                              The default is 1024.
    ADVANCED_PORTS_UDP        As above, except for UDP.
    ADVANCED_EXCLUDE_TCP      ',' delimited string of TCP ports that should be manually 
                              excluded from monitoring in Advanced mode.
    ADVANCED_EXCLUDE_UDP      As above, except for UDP.
    IGNORE_FILE               Path to file that contains IP addresses of hosts you want to
                              always be ignored.
    BLOCKED_FILE              Path to the file that contains the IP addresses of blocked
                              hosts.
    RESOLVE_HOST              Turns off DNS resolution for hosts. If  slow DNS good idea.
    BLOCK_UDP                 Disables all automatic responses to UDP probes. UDP can be
                              easily forged, it may allow an attacker to start a denial
                              of service attack against the protected host.  "0" will 
                              disable all responses, although the connects are still 
                              logged. Useful for Internet exposed hosts. For internal 
                              hosts you should leave this enabled.
    BLOCK_TCP                 As above but for TCP. Packet forgery not as big a problem.
    KILL_ROUTE                Command to drop the offending route if an attack is detected 
                              i.e. /sbin/route with $TARGET$ macro substituting IP of
                              attacker, gateway should be a 'dead host' or 127.0.0.1.  
                              Can use -blackhole or -reject.  Example command:
                              KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
    KILL_HOSTS_DENY           Format of the string to drop into the hosts.deny file that
                              TCP wrapper uses. Again the $TARGET$ macro is expanded out
                              to be the IP of the attacker and is required.
    KILL_RUN_CMD              A command to run *before* the route is dropped to the
                              attacker. $TARGET$, $PORT$ and $MODE$ macros are available.
    KILL_RUN_CMD_FIRST        "0" tells cmd above to run before the route is dropped.
                              "1" makes cmd run after the blocking has occurred.
    SCAN_TRIGGER              PortSentry has a state engine that will remember hosts that
                              have connected to it.  Setting this value will tell 
                              PortSentry to allow X number of grace port hits before it
                              reacts. The default is 0 which will react immediately. A 
                              setting of 1 or 2 will reduce false alarms, anything higher
                              is probably too much
    PORT_BANNER               Text banner you want displayed to the connecting host if
                              PortSentry is activated.
    

    (4) Edit portsentry.ignore file

    Add any host you want ignored if it connects to a tripwired port, should always contain at least the localhost (127.0.0.1) and the IP's of the local interfaces.

    # Format: <IP address>/<Netmask Bits>
    
    127.0.0.0/8
    192.168.2.0/24
    192.168.0.0/16
    

    Example 'portsentry.ignore' entries.

    (4) Compile the package

    • Default directory is /usr/local/psionic/portsentry.
    • Edit the Makefile and make sure your portsentry.conf and portsentry_config.h files reflect the new path then
    $ make
    $ sudo make install
    
  • Portsentry startup modes
    • PortSentry has six modes of operation.
    • Only one protocol mode type can be started at any one time.

    Basic port-bound - TCP mode

    # portsentry -tcp
    

    Checks the config files, binds to all TCP ports then goes into the background.

    Basic port-bound - UDP mode

    # portsentry -udp
    

    Checks the config files, binds to all UDP ports then goes into the background.

    Scan detection - Stealth TCP

    # portsentry -stcp
    

    Uses a raw socket to monitor all incoming packets. If an incoming packet is destined for a monitored port it will react to block the host.

    Scan detection - Advanced Stealth TCP

    # portsentry -atcp
    

    The most sensitive and the most effective of all the protection modes. It reacts to port probes with lightning speed as it does not wait for them to hit a tripwired port. Because it reacts so abruptly it may cut off legitimate traffic.

    Scan detection - Stealth UDP

    # portsentry -sudp
    

    Similar to the TCP stealth mode above. UDP ports need to be listed and are then monitored.

    Scan detection - Advanced Stealth UDP

    # portsentry -audp
    

    A very advanced option and can cause false alarms. Use this option with extreme caution. You need to be sure to put exclusions into the ADVANCED_EXCLUDE_UDP line (i.e., 520 [RIP]).

  • Sentry tools
    • The Sentry tools provide host-level security services for the Unix platform.
    • PortSentry, Logcheck/LogSentry, and HostSentry protect against portscans, automate log file auditing and detect suspicious login activity on a continuous basis.
    • A sourceforge project.
    • Download from project's sourceforge page.