Friday, March 16, 2012

ubuntu default root password

You may not login as root user in newly installed ubuntu or debian desktop server because you don't know the default root password. The thing is there is no default root password. You can set the root password as.

Login as the normal user u created doing the installation with the password you specified. Then run

$sudo passwd root
then it will prompt for your logged users password. Entering the password the system will prompt for the credentials for the root password. Give the password you want to set.

Wednesday, March 14, 2012

Securing tmp in centos linux


Securing /tmp is very important. /tmp is world writable directory. So if some intruders get acces to /tmp, its a potential threat. The main thing we have to do is disabling running of scripts in this directory. Now we will see how to harden or secure /tmp /vr/tmp and /dev/shm in centos linux. This tutorial has examples also.

First of all before doing any changes, create a back up file. Make this a habit
cp /etc/fstab /etc/fstab.bak

Securing /tmp:
Create a 5Gb file for /tmp partition (you can adjust the size according to your needs)
dd if=/dev/zero of=/var/tempFS bs=1024 count=5000000

Make ext3 filesystem in the file we just created. Because we are going to use this file to store data.
mkfs.ext3 /var/tempFS

Create  current bckup of the /tmp directory
cp -Rpf /tmp /tmp.bkp

Now mount the newly created file as /tmp
mount -o loop,noexec,nosuid,rw /var/tempFS /tmp

Because /tmp directory is universly writable and nobody can delete files created by others we will set permission 777 + sticky bit =1777
chmod 1777 /tmp

Copy the old data to new /tmp
cp -Rpf /tmp.bkp/* /tmp/
If the old /tmp was empty, it might throw some errors. Don't worry.

Now you can edit fstable and make changes for the /tmp entry
vi /etc/fstab
/var/tempFS  /tmp ext3 loop,nosuid,noexec,rw 0 0

Remount the /tmp for making effects.
mount -o remount /tmp

Securing /var/tmp:
move the /var/tmp directory to some other name
mv /var/tmp /var/tmp.bkp

Now create a link /var/tmp and point it to /tmp. The command is as follows
ln -s /tmp /var/tmp

cp /var/tmp.bkp/* /tmp/
If the old /var/tmp was empty, it might throw some errors. Don't worry

Securing /dev/shm:
vi /etc/fstab
add nosuid and noexec to mount options
tmpfs     /dev/shm    tmpfs   defaults,nosuid,noexec     0 0
save the file

Remount to make the effect
mount -o remount /dev/shm

Monday, March 12, 2012

configuring iptables in linux


iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

This article is a tutorial regarding how to configure or implement firewall using Linux security firewall iptables. This article explains and give examples of default and user defined iptables tables, chains, acl syntax, writing deleting and replacing iptables rules, blocking or allowing hosts or ip addresses and ports, port or ip redirection, logging options, using linux box as router using iptables, Masquerading, Network address translation (NAT), source-nat (SNAT), destination-nat (DNAT) and netmap

iptables mainly operates at Layers 3 & 4. Layer 3 deals with Source & Destination IP addresses and layer 4 deals with protocols and ports

To Check whether IPTables is enabled or not in the kernel,
#cat /boot/config* | grep CONFIG_NETFILTER
CONFIG_NETFILTER=y

The Main structure of the iptables is as follows.
Tables->Chains->Rules
Tables may contains a number of chains and each chain may contail a number of rules.

Main Tables
There are mainly three tables.

Mangle  -   Allows altering of packats TOS,TTL etc
NAT     -   Network Address Translation. Allow changing sourse destination IP addresses and ports.
Filter     -   Allows IP Packet filtering. [INPUT,FORWARD,OUTPUT]

Iptables rule syntax
1. command
2. tables
3. chain
4. protocol
5. source or destination
6. Jump target

eg:
iptables -t filter -I INPUT -p tcp -s 192.168.1.100 -j ACEEPT

Example :
Blocks any communication to OUR machine from source 192.168.1.77.
iptables -A INPUT -s 192.168.1.77 -j DROP

[root@vm1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.1.77         anywhere

Saving and restoring iptables rules :
Rules will go if we restart without saving it . So we have to save those rules.
To save the IPTables rules
iptables-save > iptables_rules.txt

To restore the IPTables rules
iptables-restore < iptables_rules.txt

Flushing iptables rules
iptables -F

or you can save the rules by just run
service iptables save
or
/etc/init.d/iptables save
it will save the rules tp /etc/sysconfig/iptables permenantly. if you restart iptables it'll read the rules from this file

Filter table has three chains
1. INPUT
2. OUTPUT
3. FORWARD

Nat table has  three chains
1. PREROUTING
2. POSTROUTING
3. OUTPUT

Filter table has four chains
1. PREROUTING2. INPUT
3. OUTPUT
4. FORWARD
-----------------------------------------------------
[root@vm1 ~]# iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-----------------------------------------------------
[root@vm1 ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT) --before routing occurs -nat
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT) --aftet routing deteremined
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-----------------------------------------------------
[root@vm1 ~]# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
-----------------------------------------------------

-t option is for listing a particular table chains and rules.
filter table is the default one.

[root@vm1 ~]# iptables -L -v
list packet details to and from through a chain

[root@vm1 ~]# iptables -L -v --line-numbers
list the rules with line numbers

[root@vm1 ~]# iptables -L -n
lists the numeric values (IP), Disables the resolutions.[Host and Service]

iptables rule for accepting ssh connections
[root@vm1 ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT    

iptables rule for blocking telnet connections
[root@vm1 ~]# iptables -A INPUT -p tcp --dport telnet -j DROP

iptables rule for blocking telnet connections and insert it as rule 1
[root@vm1 ~]# iptables -I  INPUT 1 -p tcp --dport telnet -j DROP

Appending adds the rule to the end. But with inserting you can insert a rule to anywhere in the list. Means to any position[number] in the list.

Deleting an iptables Rule
-D INPUT NUM

[root@vm1 ~]# iptables -D INPUT 3
deletes the rule number 3 from INPUT chain of defalt table.

Or we can delete like this.
iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Replacing an iptables Rule
-R Chain_name NUM

To replace the 1st rule
[root@vm1 ~]# iptables -R INPUT 1 -p tcp --dport telnet -j ACCEPT
IPTables rules are Dynamic. The ssh/telnet connection will be freezed if rules applied in b/w.

Flushing the rules
iptables -F
Flushing will erase all the existing rules in iptables. If you don't save the rules before flushing all rules will be lost.

[root@vm1 ~]# iptables -L INPUT -v
listing rules only in the INPUT chain with packet counts

iptables -Z INPUT
will  zero all the packet counters

Creating  new chains and Renaming exsisting ones
To create User defined chains
-N Chain_name

[root@vm1 ~]# iptables -N ITS
Created a new chain ITS

Rename chains
-E Old_name New_name

[root@vm1 ~]# iptables -E ITS SPARTANZ

Drop Policy of iptables.
Dropping a policy will drop all the traffic through that chain

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Writing rules for only one ethernet device:
To filter all the input through eth0
iptables -A INPUT -i eth0 -j DROP

Negation: (!)
iptables -A INPUT -s ! 192.168.1.55 -j DROP
it Drops all other inputs except from 192.168.1.55

example of TCP:
iptables -A INPUT -i eth+ -p tcp --dport telnet -j DROP
Blocks telnet though both or all ethernet devices

example of UDP:
TFTP, SysLog, NTP, DHCP
-p udp, --protocol udp
--sport 123 --dport 123 for NTP

ICMP (Internet Control Messaging Protocol):
Echo request -PING
Echo reply - Pong

-p icmp, --protocol icmp
--icmp-type name/number

iptables -p icmp --help
for getting help about icmp-types

Disabling ping using iptables.
To deny echo-replies from all hosts
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

To drop echo-replies from our host
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

MULTIPORT: (-m multiport)
-p tcp --dport 8080 or --dport web-cache

iptables -A INPUT -p tcp -m multiport --dport 8080,23 -j DROP

MAC ADDRESS FILTERING: ( -m mac --mac-source or --mac-destination )
Better than using IP addresses because ip addresses can be changed but not mac

Denying a host by mac address using iptables
iptables -I INPUT -m mac --mac-source 00:00:00:00:00:00 -j REJECT

Iptables and states :

in INPUT
iptables -I ITS  -m state --state ESTABLISHED -j ACCEPT
Allows communication in already established services

in INPUT
iptables -I ITS  -m state --state NEW,ESTABLISHED -j ACCEPT
Allows new connections and established connections from the system

Jump Targets in iptables :
ACCEPT -> Sends packets to other rules or processes
DROP -> Packet will be dropped
REJECT -> Sends a courtesy message back
REDIRECT -> Redirect from one destination to another. must be used with pre-routing in NAT. Local ports only.
LOG -> Allows us to log using SysLog

Logging  :
Creating and enabling iptables log using syslog

iptables logs are kernel logs type. So we have to enable this in syslog.conf as follows
vi /etc/syslog.conf
kern.* /var/log/firewall

Create the log file.
touch /var/log/firewall

Restart the syslog service.
service syslog restart

and logging can be enabled as
iptables -I ITS 1 -p tcp --dport ssh -j LOG

ROUTING
You can use linux box as  router with the help of iptables. First we have to enable packet forwarding in the server we are using as router. This can be done by setting  the sysctl variable as follows

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
Save the file

Reload the sysctl.conf
sysctl -p

NETWORK ADDRESS TRANSLATION [NAT]

Three types:
Basic NAT. This involves IP address translation only, not port mapping.
PAT : Port Address Translation. This involves the translation of both IP addresses and port numbers.
NAPT : Network Address Port Translation.

SNAT and Masquerading can be done in POSTROUTING chain in nat table.
But DNAT is done in PREROUTING chain in nat table.

SNAT - Source NAT: Translation of Source IP Address. Use when u've only one static IP Address and many systems in local network.

DNAT - Destination NAT: Translation of the destination IP address. Used when traffice comes from internet to local systems.

Three default chains are there in nat table which cannot be deleted.
PREROUTING    - Packet that are destined to a system that is accessible to the local router. [DNAT] Internet to Local area network
POSTROUTING   - If we want to change the local ips to something that is routable. [SNAT/MASQUERADING]
OUTPUT        - Locally sourced!!

Masquerading:
this is also similar to snat but uses when dhcp is used rather having static local ip address.

iptables -t nat -A POSTROUTING -j MASQUERADE -s 10.0.0.0/8 -d 192.168.1.0/24
now if u r pinging for 10.0.0.10 to 192.168.1.100 it appears to be pinging from 192.168.1.37 [Ip address of  the system in network 192.168.1.0]

Note:
Masquerading listen to the interface. if dhcp changes the ip of interface, it automatically changes the affect.
Masquerading uses primary interface. Not sub[duplicate] ip addresses.

iptables -t nat -R POSTROUTING 1 -p tcp -j MASQUERADE --to-ports 1024-10240
allows communication only through that port range.

Some examples of nat
iptables -t nat -R POSTROUTING 1 -p tcp -j SNAT --to-source 192.168.1.37:1024-10240 -s 10.0.0.0/8
Do same as the last rule in Masquerading. Uses only if u've a static ip. It fails when ip changes.

iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source 192.168.1.37 -d 10.0.0.10 -s 192.168.1.100
iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source 10.0.0.1 -d 192.168.1.100 -s 10.0.0.10

Destination Network Address Translation: INBOUND

DNAT - permits connection to unexposed hosts. Its exact reverse of SNAT.
Rules will be written in PREROUTING.
iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 3389 -to-destination 192.168.1.101 -d 192.168.1.37 -s 10.0.0.10
this will redirect the connection to port 3389@192.168.1.37 to same port @ 192.168.1.101 from 10.0.0.10