LPIC-1 102-110.2 Setup host security

08.Jun.2017

passwd -l maria; # disables account maria
passwd: password expiry information changed.

grep maria /etc/shadow
maria:!$6$w9DaelrP$/tJiXC2PU0B.XOupP0sFTySis5VfkMwv0DnoFy3.d.nC8gXJU.DSbU0Uryyex40P67keCFoQuxEjZ8RD9kDGU0:17325:0:99999:7:::

passwd -u maria; # enable account maria
passwd: password expiry information changed.

/etc/passwd

grep /bin/bash /etc/passwd; # output all interactive user accounts that use bash as shell

grep /bin/sh /etc/passwd; # output all interactive user accounts that use sh as shell

grep /bin/false /etc/passwd; # output all service accounts that can not used to login

usermod -s /bin/false maria; # change login-shell of maria to /bin/false (no login shell)

inted vs xinted vs iptables vs netfilter

is xinetd still in use?

most functionality of xinetd is replaed by stateful firewalling, through iptables/netfilter… but xinetd still exists and can be used.

yes – suse12 and centos7 come with xinetd pre-installed. debian8 is using neither xinetd nor inetd – just iptables.

inted: OpenBSD Internet Superserver

main config file /etc/inetd.conf

(if installed: apt-get install openbsd-inetd; # debian8)

# you can check if the inetd.conf is correct with

tcpdchk

The inetd server is a network daemon program that specializes in managing incoming network connections.

Its configuration file tells it what program needs to be run when an incoming connection is received.

Any service port may be configured for either of the tcp or udp protocols.

This is a port of the OpenBSD daemon with some debian-specific features.

This package supports IPv6, built-in libwrap access control, binding to specific addresses, UNIX domain sockets and socket buffers tuning.

https://packages.debian.org/en/jessie/openbsd-inetd

xinetd

xinetd.man.txt

replacement for inetd with many enhancements

xinetd has access control mechanisms, extensive logging capabilities, the ability to make services available based on time, and can place limits on the number of servers that can be started, among other things.

It has the ability to redirect TCP streams to a remote host and port.

This is useful for those of that use IP masquerading, or NAT, and want to be able to reach your internal hosts.

It also has the ability to bind specific services to specific interfaces.

This is useful when you want to make services available for your internal network, but not the rest of the world. Or to have a different service running on the same port, but different interfaces.

https://packages.debian.org/en/jessie/xinetd

apt-get update && apt-get install xinetd; # first you will need to install xinetd on debian8, in suse12 and centos7 come with xinetd pre-installed

root@Debian8:~# ll /etc/xinetd.d/
total 20K
-rw-r–r– 1 root root 640 Oct 26 2013 chargen
-rw-r–r– 1 root root 502 Oct 26 2013 daytime
-rw-r–r– 1 root root 391 Oct 26 2013 discard
-rw-r–r– 1 root root 422 Oct 26 2013 echo
-rw-r–r– 1 root root 569 Oct 26 2013 time

[root@CentOS7 ~]# ll /etc/xinetd.d
insgesamt 60K
drwxr-xr-x.   2 root root 242 4. Mai 17:13 .
drwxr-xr-x. 111 root root 8,0K 8. Jun 12:15 ..
-rw——-.   1 root root 1,2K 5. Nov 2016 chargen-dgram
-rw——-.   1 root root 1,2K 5. Nov 2016 chargen-stream
-rw——-.   1 root root 1,2K 5. Nov 2016 daytime-dgram
-rw——-.   1 root root 1,2K 5. Nov 2016 daytime-stream
-rw——-.   1 root root 1,2K 5. Nov 2016 discard-dgram
-rw——-.   1 root root 1,2K 5. Nov 2016 discard-stream
-rw——-.   1 root root 1,2K 5. Nov 2016 echo-dgram
-rw——-.   1 root root 1,2K 5. Nov 2016 echo-stream
-rw——-.   1 root root 1,2K 5. Nov 2016 tcpmux-server
-rw-r–r–.   1 root root 518 5. Nov 2016 tftp
-rw——-.   1 root root 1,2K 5. Nov 2016 time-dgram
-rw——-.   1 root root 1,2K 5. Nov 2016 time-stream

suse12:~ # ll /etc/xinetd.d/
insgesamt 76
-rw-r–r– 1 root root 313 23. Sep 2014 chargen
-rw-r–r– 1 root root 333 23. Sep 2014 chargen-udp
-rw-r–r– 1 root root 256 7. Jun 2016 cups-lpd
-rw-r–r– 1 root root 313 23. Sep 2014 daytime
-rw-r–r– 1 root root 333 23. Sep 2014 daytime-udp
-rw-r–r– 1 root root 313 23. Sep 2014 discard
-rw-r–r– 1 root root 332 23. Sep 2014 discard-udp
-rw-r–r– 1 root root 305 23. Sep 2014 echo
-rw-r–r– 1 root root 324 23. Sep 2014 echo-udp
-rw-r–r– 1 root root 492 21. Sep 2014 netstat
-rw-r–r– 1 root root 207 23. Sep 2016 rsync
-rw-r–r– 1 root root 332 23. Sep 2014 servers
-rw-r–r– 1 root root 334 23. Sep 2014 services
-rw-r–r– 1 root root 536 30. Mai 2016 systat
-rw-r–r– 1 root root 411 8. Jun 15:08 telnet
-rw-r–r– 1 root root 323 4. Mai 09:31 time
-rw-r–r– 1 root root 333 23. Sep 2014 time-udp
-rw-r–r– 1 root root 2685 14. Okt 2016 vnc
-rw——- 1 root root 916 8. Jun 2016 vsftpd

xinetd example

zypper –no-remote in telnet-server; # suse12: install telnet server on suse12 a highly insecure service

apt-get install telnetd; # debian8

# under suse12 a new config file will be created under /etx/xinetd.d

cat /etc/xinetd.d/telnet
# default: off
# description: Telnet is the old login server which is INSECURE and should \
#       therefore not be used. Use secure shell (openssh).
#       If you need telnetd not to “keep-alives” (e.g. if it runs over a ISDN \
#       uplink), add “-n”. See ‘man telnetd’ for more details.
service telnet
{
        disable     = yes
socket_type     = stream
protocol        = tcp
wait            = no
user            = root
server          = /usr/sbin/in.telnetd
}

suse12:~ # chkconfig telnet on

# will change config file to and remove the disabled = yes line

suse12:~ # vim /etc/xinetd.d/telnet; # open up xinetd config file for telnet and add this line

# default: off
# description: Telnet is the old login server which is INSECURE and should \
#       therefore not be used. Use secure shell (openssh).
#       If you need telnetd not to “keep-alives” (e.g. if it runs over a ISDN \
#       uplink), add “-n”. See ‘man telnetd’ for more details.
service telnet
{
socket_type     = stream
protocol        = tcp
wait            = no
user            = root
server          = /usr/sbin/in.telnetd
        only_from       = 127.0.0.1
}

suse12:~ # service xinetd restart; # restart xinetd to activate settings

suse12:~ #telnet localhost; # works

root@Debian8:# telnet suse12; # fails
Trying 172.20.0.25…
^C

# if you add

only_from = 172.20.0.0

# and debian8 has 172.20.0.12

# and you enabled telnet in the yast2 fireall

yast2 firewall; # modify firewall settings

# you should now also be able to login from a different machine

tcp wrapper (tcpd)

tcpd.man.txt

with: /etc/hosts.deny and /etc/hosts.allow

ldd $(which in.telnetd); # tcp wrapper only work with binaries that support libwrap.so.0

which in.telnetd
/usr/sbin/in.telnetd
root@Debian8:# ldd $(which in.telnetd)
linux-gate.so.1 (0xb7779000)
libutil.so.1 => /lib/i386-linux-gnu/i686/cmov/libutil.so.1 (0xb7762000)
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb75b5000)
/lib/ld-linux.so.2 (0x800eb000)

ldd $(which xinetd)
linux-gate.so.1 (0xb7712000)
libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb76f5000)

ldd $(which sshd)|grep libwrap
libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb76da000)

# install telnet and test if it works

apt-get install telnetd; # debian8

# confirmed telnet works

vim /etc/hosts.deny; # edit hosts.deny and add this line

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you’re going to protect the portmapper use the name “rpcbind” for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don’t
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID

in.telnetd : ALL

# try to login via telnet again – does not work