Security

  • Security Theory : security is road and not a destination. Ongoing cycle of Reacting, Detering, Predicting, and Preventing Security Breaches.
  • Low level cryptograhic primitives (building blocks) include DES, 3DES, AES)
  • You put together these building blocks to build higher level protocols like Digital Signatures, Certificates,
  • One Time Pad: When you can use a key only once. (throwaway key - offers perfect secrecy)
  • Block Ciphers : Takes input in blocks (64 bit/128 bit) DES,3DES, AES (Reveals patterns in the ciphertext)
  • Stream Cipher: Encrypts one bit or byte at a time. (RC4 is an example and it uses modular arithemetic) RC4 is 1)X faster than DES>
  • Public Key PRIMITIVES (Asymetric Encryption Techniques): Diffie Hellman, DSS, RSA
  • Higher Level Proticols using Public Key Primitives : GPG, PGP, IKE, SSL,TLS, SSH. These protcols employ public key primitives.
  • SEcure Hash Function : is a cryptograhic primitive that takes an input "X" and created a Message Digest MD=h(M). M is the message and H is some has function. (MD5, SHA1 are examples)
  • Certificate : Binds a public key to someone's identity in some unforgeable way. The Certificate Authority has a public/private key pair (PublicKey(CA)&SecretKey(CA)
  • Digital Certificates :Certificates on documents that are digitally signed by a CA.
  • PKI: public key infrastructure (PKI) is an arrangement which provides for third-party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried out by software at a central location together with other coordinated software at distributed locations. The public keys are typically in certificates. A set of hardware, software, organizational infrastructures required to used Public-key cryptosystems including Certificate Authorities.
    1. Authentication : Verification of someone's identity (THe ability to prove who you are). (ie a login name & password, an IP address of a computer system, or a digital certificate)
    2. Authorization: Verifies a users authority. People can accomplish what they are authorized to do and unauthorized people cannot do what they should not. (File and directory permissions, shost files, trusted hosts, ACLs,)
    3. Confidentiality: Keep the Contents of a communication secret. (Usually acomplished with cryptography, steganography)
    4. Message & Data Integrity: Has the data been tampered with or were there any unauthorized modifications or deletions ? (acomplished with hashing, checksums, MD5)
    5. Accountability: The goal of accountability is to hold someone accountable for thier actions with logging and audit trails. (Triwire, BSM, syslog, praudit)
    6. Availability: Involveds ensuring that attackers cannot stop legitimate users from access the system. (ie web server response time, dial tone a phone, any kind of DOS attack including filling up /var/tmp etc)
    7. Non-Repudiation: Non-Redudiation is Undeniability. Non-repudiation services provide unforgeable evidence that a specific action occurred. (a digitally signed statement, a video recording of a transaction)
  • US DOD Orange Book Security Specifications :
    1. D : Minimal protection is provided.
    2. C1 : Discretionary access control and access permissions. Logins with passwords are required.
    3. C2 : Auditing and authentication events are audited. Authentication events are kept in a secure place.
    4. B1 : Mandatory access control and labeled output. Acces based on labels.
    5. B2 : Configuration control, facility management, and system configuration must be documented and controlled; All administrative and security operator functions are seperated.
    6. B3 : Access control lists and full system documentation are provide. Access is based on lists of users plus labels.
    7. A : Formal proof of the security of the system is required.
  • Xinetd Security Options
  • Sample xinetd service w/some security optionsym
    service rsync
    {
            disable = yes
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/bin/rsync
            server_args     = --daemon
            log_on_failure  += USERID
         
            instances = 4  : Limit 4 concurrent instances of myserver
            cps = 10 30   : (Prevent DOS Attacks) Limit 10 connections per second or sleep for 30 seconds.
            max_load = 3.0  : Reject new requests if the one minute load system avg exceeds 3.0.
    	access_times = 8:00-16:00  : Restrict service Usage by time
            only_from += 192.162.2.0   : (only accept traffic from)
            no_access = badguy.evil.org  : (explicitly block a server (everyone except)) 
    }
    
    
  • Redirect a service with xinetd
    {
    	...
    	server=/usr/sbin/ssh
     	redirect=192.168.1.26 22
    }
    
  • Libwrap support (tcpwrappers / etc/hosts.allow, /etc/hosts.deny
  • SSH
  • Chroot Jails (Invoking a chroot jail from xinetd)
  • Prohibiting root Logins on Terminal Devices
    1. /etc/securetty (remove pseudo-devices etc)
  • SSL:a communication protocol that provides authentication and communication privacy. The client sends a hello message, some random bits, and supported asynchronous ciphers. Server senda a hello with a public key for a cipher they both support. The cline encrypts the random key with the server's public key and a secure session using symetrical encryption is established.
  • Authenticating by Public Key w/SSH
    • Running the commands below will generate a public key and an encrypted private key pair. (You can optionally leave the private key unencrypted, at your own risk). You can use the openssl command (See above) to decrypt the encrypted private dsa key.
    • mkdir ~/.ssh
    • chmod 700 ~/.ssh
    • cd ~/.ssh
    • ssh-keygen -t dsa (will prompt you for a password - a null password means an unencrypted private key !)
      Saving the key failed: /hello/.ssh/.
      [root@localhost hello]# ssh-keygen  -t dsa
      [root@localhost hello]# ssh-keygen  -t dsa
      Generating public/private dsa key pair.
      Enter file in which to save the key (/root/.ssh/id_dsa): /hello/id_dsa
      Enter passphrase (empty for no passphrase): 
      Enter same passphrase again: 
      Your identification has been saved in /hello/id_dsa.
      Your public key has been saved in /hello/id_dsa.pub.
      The key fingerprint is:
      ca:21:90:3f:25:5d:51:60:49:96:83:ba:9f:8d:e9:6a root@localhost.localdomain
      [root@localhost hello]# cd /hello/id_dsa
      
    • scp the da.pub key to the remote server
    • cat id_dsa.pub >> ~/ssh/authorized_keys (append to authorized key list on the remote server)
    • In addition to the step above, you can limit a user to issuing particular commands for more granular level of security as such :
      ~ssh/authorized_keys:
      command="/usr/local/bin/apachectl restart" ssh-dss AAABBGHQsrrf(rest of key
      
  • Trusted Hosts and SSH
    • vi /etc/ssh/sshd_config on the server and change the following lines and restart sshd:
      HostbasedAuthentication yes
      IgnoreUserKnownHosts no
      
    • Enable trusted host authentication on the client in /etc/ssh/ssh_config by creating a stanza like this:
      Host remoteserver
           HostName remoteserver
           HostbasedAuthentication yes
      
    • Insert the clients host keys, /etc/ssh/host_dsa_key.pub and /etc/ssh/ssh_host_rsa_key.pub into the servers known host database , /etc/ssh/ssh_known_hosts
    • modify the .shosts file and give authorization to the client to connect.
  • SSH Agent : The ssh agent, controlled by the programs, ssh-agent and the ssh-add, maintains a cache of private keys on your local machine. SSH clients query the agent for passwords instead of you.
  • Symetric Encryption (shared keys between sender & receiver)
  • gpg -c somefile encrypt a file symetrically
  • gpg somefile decrypt a file symetrically

    Asymetric encryption

  • gpg --gen-key (generate a GnuPG key pair.)
  • This creates the following files and directories :
    /root/.gnupg
    [root@localhost .gnupg]# ls -la
    total 20
    drwx------    2 root     root         4096 Jan 26 14:30 .
    drwxr-x---   22 root     root         4096 Jan 26 14:28 ..
    -rw-------    1 root     root         7695 Jan 26 14:28 gpg.conf
    -rw-------    1 root     root            0 Jan 26 14:30 pubring.gpg (public key)
    -rw-------    1 root     root          600 Jan 26 14:29 random_seed
    -rw-------    1 root     root            0 Jan 26 14:30 secring.gpg (secret key)
    
  • Encrypting a file asymetrically with someone else's public key file.
  • gpg -e -r recipients_public_key myfile (generates an encrypted file myfile.gpg)
  • The receiver would then, decrypt the message you just encrypted with his public key as follows :
  • gpg --decrypt /tmp/myfile.gpg
  • Signing and Encrypting a File (Most Important):
  • gpg -c -s -r receiver_public_key file (encrypt a file and sign it with someone elses public key)
  • The receiver would decrypt the file similiar to above.
  • You can verify a signature : gpg --verify myfile.gpg
  • Finally, upload your public key up to a public pgp key server (pgp.mit.edu). This is only a common key store and does not assure ownership of keys!)

  • Digital Signatures
  • 1. Provide a way to verify authenticity - used with public key cryptography. (Signing a certificate is essentially adding a digital signiture to a file)

  • Certificate Creation Process
       1. The merchant generates a private/public key pair.
       2. The merchant must then prove their identity to a CA and provide their public key to the CA.
       3. The CA then creates a one-way hash of the following information:
    
              * The CA's identity.
              * The merchant's identity.
              * The merchant's public key.
              * Period of validity.
    
       4. The one-way has is then encrypted with the CA's private key creating a detached digital signature.
       5. The digital certificate is made up of the combined information above and the detached digital signature.
       6. The CA then issues this to the merchant.
    
  • Auditing on Linux
    1. psacct package (Process accounting package)
    2. It was originally used for process accounting -but is a useful tool nowadays for historical information.
    3. Common commands include :
    4. aaccton /var/account/pacct (start ps accounting)
    5. lastcomm -f /var/account/pacct (prints command name, CPU time by command, start time, user who can a command, and the controlling terminal if any)

  • C2 Level - BSM for Linux
  • Kernel Module (Linux recompile-patch your current kernel and create a device file in /dev) + auditd daemon. Information is stored in a binary format and you usr the praudit command to read the files.

  • Tripwire
  • Tripwire is an open source integrity checker. It stores a snaphot of your system in a known state, so you can periodically compare the files against the snapshot to discover discrepancies.
  • 2 main concepts are a policy and a database. THe policy lists all the files and directories that tripwire should snapshot and rules around identifying violations and the database contains the database itself. You periodically run integrity checks and generate integrit check reports.
  • tripwire --init (starts tripwire for 1st time)
  • twadmin is used to generate the policy files, generate site keys etc.
  • tripwire --check (run an integrity check against the db.