WIXLIB

Color profile: Generic CMYK printer profileComposite Default screen270Module 9:Begin8 / Red Hat Linux Administration: A Beginner’s Guide / Turner & Shah/ 222631-5 / 9Blind Folio 9:270Securing an Individual ServerBy default, the kernel-related packages are not automatically downloaded, so there should alreadybe an entry in the skip list. You can add additional exceptions if you wish, but don’t do thisunless you have a good reason. The whole point of this tool is to keep your system up to date.NOTEYou can also initiate system upgrades via the RHN web interface at http://rhn.redhat.com.The systems will need to be entitled and running the rhnsd daemon for this to workproperly, but it can be more convenient than having to touch each of many systems toperform updates. Of course, running rhnsd itself may have security implications, but ifyou’ve got to choose, rhnsd is the lesser of two evils.Manually Performing Security UpdatesYou don’t have to be a Red Hat Network subscriber or use the up2date command to keep yoursystem up to date. Instead, you can track Red Hat Linux 8.0 security updates from Red Hat’sweb site at https://rhn.redhat.com/errata/rh8-errata.html. Follow these steps to update yoursystem the manual way:1. Find the packages you need on the web site.2. Download them from the web site to your system.3. Verify their authenticity by checking their GNU Privacy Guard keys using therpm –K *.rpm command in the download directory.4. Run the package upgrades as described in Module 4.Project 9-1Getting Your System up2dateYou’ve seen the screens in this module; now see them on your very own Linux server’sscreen. In the course of this project, you will create a Red Hat Network account, register yourcomputer, and update its packages. Even if you have already burned your one demonstrationrun of up2date, you can make this project a reality by registering another account name.Step by Step1. Run the up2date program to set up your account and register your Red Hat Linux 8.0system (if you haven’t already).2. Select at least one, but not all, of the available packages for download.3. Once the packages have been downloaded, install them.P:\010Comp\Begin8\631-5\ch09.vpTuesday, December 17, 2002 2:44:12 PM

Begin8 / Red Hat Linux Administration: A Beginner’s Guide / Turner & Shah/ 222631-5 / 9Blind Folio 9:271Red Hat Linux Administration: A Beginner’s Guide4. Now that you’ve used the “manual” version of the up2date process, check to see if theRHN daemon process is activated. If it isn’t, start it up.5. Log onto your account at http://rhn.redhat.com and find your registered system. Set it up toperform the remainder of the upgrade installations.6. The RHN daemon process checks for updates every two hours by default. Track theprogress of the update you scheduled using the Red Hat Network web site.7. Once the packages are listed as having been updated, check a list of the locally installedpackages and look for the updated versions.8. If the kernel has been upgraded during this process, reboot and ensure that the system still2719Securing an Individual ServerColor profile: Generic CMYK printer profileComposite Default screencomes up properly.Project SummaryNow that was an easy project. Maintaining packages on a Red Hat Linux server is not difficult,because of the automation that the Red Hat Network provides. If you do lots of customizationof startup scripts or make other significant changes, you may run into problems becausecertain packages won’t be upgraded (otherwise they would clobber your changes). This cancascade into a larger problem if the nonupgrading packages are required for other upgrades tobe installed. Fortunately, this problem can be avoided by using tools to change the startupscripts, rather than moving them around willy-nilly.CRITICAL SKILL9.2Understanding TCP/IPand Network SecurityThis module assumes you have experience configuring a system for use on a TCP/IP network.Because the focus here is on network security and not an introduction to networking, thissection discusses only those parts of TCP/IP affecting your system’s security.The Importance of Port NumbersEvery host on an IP-based network has at least one IP address. In addition, every Linux-basedhost has many individual processes running. Each process has the potential to be a networkclient, a network server, or both. Obviously, if a packet’s destination were identified with theIP address alone, the operating system would have no way of knowing to which process thepacket’s contents should be delivered.P:\010Comp\Begin8\631-5\ch09.vpTuesday, December 17, 2002 2:44:12 PMProject9-1

Color profile: Generic CMYK printer profileComposite Default screen272Module 9:Begin8 / Red Hat Linux Administration: A Beginner’s Guide / Turner & Shah/ 222631-5 / 9Blind Folio 9:272Securing an Individual ServerTo solve this problem, TCP/IP adds a component identifying a TCP (or UDP) port. Everyconnection from one host to another has a source port and a destination port. Each port islabeled with an integer between 0 and 65535.In order to identify every unique connection possible between two hosts, the operatingsystem keeps track of four pieces of information: the source IP address, the destination IPaddress, the source port number, and the destination port number. The combination of thesefour values is guaranteed to be unique for all host-to-host connections. (Actually, the operatingsystem tracks a myriad pieces of connection information, but only these four elements areneeded to uniquely identify a connection.)The host initiating a connection specifies the destination IP address and port number.Obviously, the source IP address is already known. But the source port number, the valuethat will make the connection unique, is assigned by the source operating system. It searchesthrough its list of already open connections and assigns the next available port number. Byconvention, this number is always greater than 1024 (port numbers from 0 to 1023 are reservedfor system uses). Technically, the source host can also select its source port number. In orderto do this, however, another process cannot have already taken that port. Generally, mostapplications let the operating system pick the source port number for them.Knowing this arrangement, you can see how source Host A can open multiple connectionsto a single service on destination Host B. Host B’s IP address and port number will always beconstant, but Host A’s port number will be different for every connection. The combination ofsource and destination IPs and port numbers (a 4-tuple) is therefore unique, and both systemscan have multiple independent data streams (connections) between each other.Port DangersFor a server to offer services, it must run programs that listen to specific port numbers. Manyof these port numbers are called well-known services because the port number associated witha service is an approved standard. For example, port 80 is the well-known service port for theHTTP protocol.All these ports allowing incoming connects are not just an opportunity for productive,predictable use of your system, they’re also an opportunity for the unscrupulous or cluelessto gain unintended access on your system. Legitimate users’ systems know the default portnumbers for the services you’ll offer, but so will crackers’ tools. So by default, you’ll wantto restrict access as much as possible, allowing only your real users to access your system.In “Using the netstat Command,” later in this module, you’ll look at the netstat commandas an important tool for network security. When you have a firm understanding of what portnumbers represent, you’ll be able to easily identify and interpret the network security statisticsprovided by the netstat command.P:\010Comp\Begin8\631-5\ch09.vpTuesday, December 17, 2002 2:44:13 PM

Begin8 / Red Hat Linux Administration: A Beginner’s Guide / Turner & Shah/ 222631-5 / 9Blind Folio 9:273Red Hat Linux Administration: A Beginner’s GuideFor More Information on TCP/IPThere are many great books that discuss TCP/IP in greater detail. The Network Administrator’sReference by Tere’ Parnell and Christopher Null (/McGraw-Hill/Osborne, 1999) is a goodplace to start. This book discusses network administration from a high-level point of viewand is a solid text all by itself (despite being very Windows NT–centric). It discusses TCP/IPbut doesn’t get too far into the nuts and bolts.The ultimate TCP/IP “bible” (referenced by network developers and administratorsaround the world) is W. Richard Stevens’ TCP/IP Illustrated series (Addison-Wesley,1994–96). These books step you through TCP/IP and related services in painstaking detail.As a systems administrator, you’ll be interested mostly in Volume 1: The Protocols, whichaddresses the suite of protocols and gives a strong explanation of IP stacks. If there’s akernel-hacker inside of you who’s curious about TCP/IP implementation, check out Stevens’line-by-line analysis of the BSD network code in Volume 2: The Implementation. (Althoughthere’s little resemblance between Linux’s networking code and the code documented inVolume 2, the general guidance and philosophy offered are still invaluable.)Another excellent book, TCP/IP Network Administration by Craig Hunt (O’Reilly &Associates, 2002), is a solid network administration reference. It has a much greater breadthof topics (but less technical depth) than Stevens’ Volume 1.Finally, if you’re responsible for implementing a firewall (and I recommend you doimplement one), the O’Reilly & Associates text on firewall design, Building InternetFirewalls (O’Reilly & Associates, 2000), edited by D. Brent Chapman, et al., is a good one.CRITICAL SKILL9.3Using Tracking ServicesThe services provided by a server are what make it a server. These services are provided byprocesses that bind to network ports and listen to incoming requests. For example, a webserver might start a process that binds to port 80 and listens for requests to download the pagesof a site. Unless a process exists to listen to a specific port, Linux will simply ignore packetssent to that port.P:\010Comp\Begin8\631-5\ch09.vpTuesday, December 17, 2002 2:44:13 PM2739Securing an Individual ServerColor profile: Generic CMYK printer profileComposite Default screen

Color profile: Generic CMYK printer profileComposite Default screen274Module 9:Begin8 / Red Hat Linux Administration: A Beginner’s Guide / Turner & Shah/ 222631-5 / 9Blind Folio 9:274Securing an Individual ServerNOTERemember that when a process makes a request to another server, it opens aconnection on a port, as well. The process is, in effect, listening to data comingin from that port. However, on the client the process knows to whom it’s talkingbecause it initiated the request. The client process will automatically ignore anypackets sent to it that do not originate from the server to which it’s connected.This section discusses the usage of the netstat command, a tool for tracking networkconnections (among other things) in your system. It is, without a doubt, one of the most usefuldebugging tools in your arsenal for troubleshooting security and day-to-day network problems.Using the netstat CommandTo track what ports are open and what ports have processes listening to them, you use thenetstat command. For example:[root@tedford /root]# netstat -natuActive Internet connections (servers and established)Proto Recv-Q Send-Q Local AddressForeign 0000P:\010Comp\Begin8\631-5\ch09.vpTuesday, December 17, 2002 2:44:13 .5:80 CLOSE WAIT199.184.252.5:80 CLOSE WAIT199.97.226.1:21CLOSE WAIT192.168.1.1:1052 ESTABLISHED192.168.1.1:6000 N0.0.0.0:*LISTEN0.0.0.0:*LISTEN0.0.0.0:*

Begin8 / Red Hat Linux Administration: A Beginner’s Guide / Turner & Shah/ 222631-5 / 9Blind Folio 9:275Red Hat Linux Administration: A Beginner’s Guideudpudpudp0000 192.168.1.1:530 127.0.0.1:530 d /root]#By default (with no parameters), netstat will provide all established connections for bothnetwork and domain sockets. That means you’ll see not only the connections that are actuallyworking over the network, but also the interprocess communications (which, from a securitymonitoring standpoint, are not useful). So in the command illustrated, you have asked netstat toshow you all ports (–a), whether they are listening or actually connected, for TCP (–t) and UDP(–u). You have told netstat not to spend any time resolving hostnames from IP addresses (–n).In the netstat output, each line represents either a TCP or UDP network port, as indicatedby the first column of the output. The Recv-Q (receive queue) column lists the number ofbytes received by the kernel but not read by the process. Next, the Send-Q column tells youthe number of bytes sent to the other side of the connection but not acknowledged.The fourth, fifth, and sixth columns are the most interesting in terms of system security.The Local Address column tells you your own server’s IP address and port number. Rememberthat your server recognizes itself as 127.0.0.1 and 0.0.0.0 as well as its normal IP address. Inthe case of multiple interfaces, each port being listened to will show up on both interfaces andthus as two separate IP addresses. The port number is separated from the IP address by a colon.In the output from the preceding netstat example, one Ethernet device has the IP address192.168.1.1, and the PPP connection has the address 209.179.251.53. (Your IP addresses willvary depending on your setup.)The fifth column, Foreign Address, identifies the other side of the connection. In the caseof a port that is being listened to for new connections, the default value will be 0.0.0.0:*. ThisIP address means nothing, since you’re still waiting for a remote host to connect to you!The sixth column tells you the State of the connection. The man page for netstat lists allof the states, but the two you’ll see most often are LISTEN and ESTABLISHED. The LISTENstate means there is a process on your server listening to the port and ready to accept newconnections. The ESTABLISHED state means just that—a connection is established betweena client and server.Security Implications of netstat’s OutputBy listing all of the available connections, you can get a snapshot of what the system is doing.You should be able to explain and justify all ports listed. If your system is listening to a portthat you cannot explain, this should raise suspicions.If you’ve been using your memory cells for other purposes and haven’t memorized theservices and their associated port numbers, you can look up the matching info you need in theP:\010Comp\Begin8\631-5\ch09.vpTuesday, December 17, 2002 2:44:13 PM2759Securing an Individual ServerColor profile: Generic CMYK printer profileComposite Default screen

Color profile: Generic CMYK printer profileComposite Default screen276Module 9:Begin8 / Red Hat Linux Administration: A Beginner’s Guide / Turner & Shah/ 222631-5 / 9Blind Folio 9:276Securing an Individual Server/etc/services file. However, some services (most notably those that use the portmapper) don’thave set port numbers but are valid services. To see which process is associated with a port,use the –p option with netstat. Be on the lookout for odd or unusual processes using the network.For example, if the BASH shell is listening to a network port, you can be fairly certain thatsomething odd is going on.Finally, remember that you are interested only in the destination port of a connection; thistells you which service is being connected to and whether it is legitimate. Unfortunately, netstatdoesn’t explicitly tell you who originated a connection, but you can usually figure it out if yougive it a little thought. Of course, becoming familiar with the applications that you do run andtheir use of network ports is the best way to determine who originated a connection to where.In general, you’ll find that the rule of thumb is that the side whose port number is greater than1024 is the side that originated the connection. Obviously, this general rule doesn’t apply toservices typically running on ports higher than 1024, such as X (port 6000).Shutting Down ServicesOne purpose for the netstat command is to determine what services are enabled on yourservers. Making Linux easier to install and manage right out of the box has led to more andmore default settings that are unsafe, so keeping track of services is especially important.When you’re evaluating which services should stay and which should go, answer thefollowing questions:1. Do I need the service? The answer to this question is very important. In most situations,you should be able to disable a great number of services that start up by default. A standalone Web server, for example, should not need to run NFS.2. If I do need the service, is the default setting secure? This question can also help youeliminate some services—if they aren’t secure and they can’t be made secure, then chancesare they should be removed. The Telnet service, for instance, is often a candidate for earlyremoval because it requires that passwords be sent over the network without encryption.3. Does the service software need updates? All software needs updates from time to time,such as that on web and FTP servers. This is because as features get added, new securityproblems creep in. So be sure to remember to track the server software’s development andget upgrades installed as soon as security bulletins are posted.Shutting Down an xinetd ServiceTo shut down a service that is started via the xinetd program, simply edit the service’sconfiguration file in /etc/xinetd and set disable equal to Yes. See Module 8 for moreP:\010Comp\Begin8\631-5\ch09.vpTuesday, December 17, 2002 2:44:13 PM

Begin8 / Red Hat Linux Administration: A Beginner’s Guide / Turner & Shah/ 222631-5 / 9Blind Folio 9:277Red Hat Linux Administration: A Beginner’s Guideinformation on xinetd. Send a SIGUSR2 signal to reload xinetd. Red Hat Linux makes thissimple using the following command:[root@tedford /root]# service xinetd reloadNOTEIf you have a system using the older inetd, edit the /etc/inetd.conf file and commentout the service you no longer want. To designate the service as a c

Red Hat Linux Administration: A Beginner’s Guide 269 Begin8 / Red Hat Linux Administration: A Beginner’s Guide / Turner & Shah/ 222631-5 / 9 Blind Folio 9:269 9 Securing an Individual Server Figure 9-4 Configure package retrieval and installation options in up2date-config. Figure 9-5