Description: Candidates should know how to review system configuration to ensure host security in accordance with local security policies.
Key Knowledge Areas:
Audit a system to find files with the suid/sgid bit set
Set or change user passwords and password aging information
Being able to use nmap and netstat to discover open ports on a system
Set up limits on user logins, processes and memory usage
Determine which users have logged in to the system or are currently logged in
Basic sudo configuration and usage
Terms and Utilities:
who, w, last
In this lesson we just take a look at basic security audits. First we review several commands we have learned from the security perspective and then get introduced to some other new commands.
We have learned about suid/guid when we talked about managing file permissions and owner ship, as a quick review see table bellow:
executes with permissions of file owner
executes with the permissions of group
new files have group membership of directory
only owner can delete files
There are some security concerns while using suid/guid such as, what will happen if a destructive program has suid/guid permission set on it? Why should dangerous programs such as rm has suid permission? To search for all suid/guid files we use find command:
sudo find / -perm -u+s
sudo find / -perm -g+s
[email protected]:~# find / -perm -u+s/bin/ping/bin/fusermount/bin/ping6/bin/mount/bin/su/bin/ntfs-3g/bin/umountfind: ‘/run/user/1001/gvfs’: Permission denied/usr/bin/chsh/usr/bin/passwd/usr/bin/gpasswd/usr/bin/pkexec/usr/bin/newgrp/usr/bin/sudo/usr/bin/chfn/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox/usr/lib/snapd/snap-confine/usr/lib/policykit-1/polkit-agent-helper-1/usr/lib/eject/dmcrypt-get-device/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper/usr/lib/dbus-1.0/dbus-daemon-launch-helper/usr/lib/openssh/ssh-keysign/usr/lib/xorg/Xorg.wrap/usr/sbin/pppd...[email protected]:~# find / -perm -g+sfind: ‘/run/user/1001/gvfs’: Permission denied/run/log/journal/run/log/journal/b4f9fc6cf1ca4724b56e6e4235c77155/usr/bin/wall/usr/bin/crontab/usr/bin/bsd-write/usr/bin/chage/usr/bin/expiry/usr/bin/ssh-agent/usr/bin/mlocate/usr/share/ppd/custom...
obviously going to each of these files and finding out what they do is beyond the scope of this course, but we should keep our eyes open to find if any of these don't make sense, like thing might be find in home directory of users. It is recommended to save this list for future comparing and detecting new changes.
It is important to verify which ports are listening on the server’s network interfaces. Below are the different categories of ports:
0-1023 – the Well Known Ports, also referred to as System Ports.
1024-49151 – the Registered Ports, also known as User Ports.
49152-65535 – the Dynamic Ports, also referred to as the Private Ports.
We need to pay attention to open ports to detect an intrusion. Apart from an intrusion, for troubleshooting purposes, it may be necessary to check if a port is already in use by a different application on our servers. For example, we may install Apache and Nginx server on the same system!
This section provides steps to use the netstat, lsof and nmap command to check the ports in use and view the application that is utilizing the port.
One of netstat command line tool usage is for monitoring network incoming and outgoing connections. By default, netstat displays a list of open sockets which is not very usefull so we usually use it along with
show tcp ports
show udp ports
Show numerical addresses instead of trying to determine symbolic host, port or user names
Show both listening and non-listening (for TCP this means established connections)
[email protected]:~# netstat -tunaActive Internet connections (servers and established)Proto Recv-Q Send-Q Local Address Foreign Address Statetcp 0 0 127.0.1.1:53 0.0.0.0:* LISTENtcp 0 0 0.0.0.0:22 0.0.0.0:* LISTENtcp 0 0 127.0.0.1:631 0.0.0.0:* LISTENtcp 0 0 0.0.0.0:445 0.0.0.0:* LISTENtcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTENtcp 0 0 0.0.0.0:139 0.0.0.0:* LISTENtcp 0 0 192.168.52.144:41270 188.8.131.52:80 ESTABLISHEDtcp 0 0 192.168.52.144:43418 184.108.40.206:80 TIME_WAITtcp 0 0 192.168.52.144:43416 220.127.116.11:80 TIME_WAITtcp 0 0 127.0.0.1:631 127.0.0.1:52720 ESTABLISHED...udp 0 0 0.0.0.0:45821 0.0.0.0:*udp 14400 0 0.0.0.0:51238 0.0.0.0:*udp 11520 0 127.0.1.1:53 0.0.0.0:*udp 10880 0 0.0.0.0:68 0.0.0.0:*udp 0 0 0.0.0.0:631 0.0.0.0:*udp 24576 0 192.168.52.255:137 0.0.0.0:*udp 0 0 192.168.52.144:137 0.0.0.0:*udp 52224 0 0.0.0.0:137 0.0.0.0:*udp 34560 0 192.168.52.255:138 0.0.0.0:*udp 0 0 192.168.52.144:138 0.0.0.0:*udp 7680 0 0.0.0.0:138 0.0.0.0:*udp 6144 0 0.0.0.0:5353 0.0.0.0:*...
Before a TCP connection can be opened, we need to have a server with a listener. The listener will listen on incoming connections on a specific port, This state is represented as
LISTEN. If everything worked properly, the connection is marked as
ESTABLISHED on both end-point. In these tables
0.0.0.0 dictates any address or any interface.
lsof meaning ‘LiSt Open Files’ is used to find out which files are open by which process. As we know, in Linux everything is a file, so we can even check the files that are opened by some network connections in the system using lsof command with -i switch, -i list all network connections:
[email protected]:~# lsof -iCOMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEavahi-dae 791 avahi 12u IPv4 24139 0t0 UDP *:mdnsavahi-dae 791 avahi 13u IPv6 24140 0t0 UDP *:mdnsavahi-dae 791 avahi 14u IPv4 24141 0t0 UDP *:45821avahi-dae 791 avahi 15u IPv6 24142 0t0 UDP *:57596mysqld 967 mysql 27u IPv4 27331 0t0 TCP localhost:mysql (LISTEN)sshd 979 root 3u IPv4 468063 0t0 TCP *:ssh (LISTEN)sshd 979 root 4u IPv6 468070 0t0 TCP *:ssh (LISTEN)nmbd 1745 root 16u IPv4 31466 0t0 UDP *:netbios-nsnmbd 1745 root 17u IPv4 31467 0t0 UDP *:netbios-dgmnmbd 1745 root 21u IPv4 468314 0t0 UDP 192.168.52.136:netbios-nsnmbd 1745 root 24u IPv4 468315 0t0 UDP 192.168.52.255:netbios-nsnmbd 1745 root 25u IPv4 468316 0t0 UDP 192.168.52.136:netbios-dgmnmbd 1745 root 26u IPv4 468317 0t0 UDP 192.168.52.255:netbios-dgmsmbd 1761 root 34u IPv6 31629 0t0 TCP *:microsoft-ds (LISTEN)smbd 1761 root 35u IPv6 31630 0t0 TCP *:netbios-ssn (LISTEN)smbd 1761 root 36u IPv4 31631 0t0 TCP *:microsoft-ds (LISTEN)smbd 1761 root 37u IPv4 31632 0t0 TCP *:netbios-ssn (LISTEN)cupsd 3683 root 10u IPv6 41942 0t0 TCP ip6-localhost:ipp (LISTEN)cupsd 3683 root 11u IPv4 41943 0t0 TCP localhost:ipp (LISTEN)cups-brow 3685 root 8u IPv4 41958 0t0 UDP *:ippgvfsd-smb 14071 user1 13u IPv4 465267 0t0 TCP 192.168.52.144:60122->192.168.52.144:netbios-ssn (ESTABLISHED)gvfsd-smb 14071 user1 14u IPv4 465449 0t0 TCP 192.168.52.144:60124->192.168.52.144:netbios-ssn (ESTABLISHED)dnsmasq 14148 nobody 4u IPv4 466564 0t0 UDP ubuntu:domaindnsmasq 14148 nobody 5u IPv4 466565 0t0 TCP ubuntu:domain (LISTEN)dnsmasq 14148 nobody 11u IPv4 466600 0t0 UDP *:44999dhclient 14166 root 6u IPv4 466685 0t0 UDP *:bootpc
this command shows the command, PID, user running it and source and destination IP and tells of if this is a LISTENING or STABLISHED connection.
-iTCP or -iUDP
just show TCP or UDP Connections
-i 4 or -i 6
you can have IPv4 and IPv6 files displayed separately
Do not use DNS name
do not convert port numbers to port names
If we want to check which process is using specific port , we can grep the output of any above commands or simply use the
The fuser command is a very smart utility used to find which process is using a file, a directory or a socket.
The following command creates a tcp listener on port 8080:
[email protected]:~# nc -l -p 8080
Since a tcp server is listening on port 8080, the fuser utility can be used to find the process which is using the server’s socket. The
-v option is used to put the fuser utility in verbose mode and the
-n option is used to select the tcp protocol as a name space:
[email protected]:~# fuser -v -n tcp 8080USER PID ACCESS COMMAND8080/tcp: root 15663 F.... nc
By default, the fuser tool will look in both IPv6 and IPv4 sockets, but the default option can be changed with the -4 and -6 options.
The Nmap aka Network Mapper is an open source and a very versatile tool for Linux system/network administrators. Nmap is used for exploring networks, perform security scans, network audit and finding open ports on local or remote machine.
[email protected]:~# nmap localhostStarting Nmap 7.01 ( https://nmap.org ) at 2020-03-18 00:47 +0330Nmap scan report for localhost (127.0.0.1)Host is up (0.000025s latency).Not shown: 995 closed portsPORT STATE SERVICE22/tcp open ssh139/tcp open netbios-ssn445/tcp open microsoft-ds631/tcp open ipp3306/tcp open mysqlNmap done: 1 IP address (1 host up) scanned in 1.62 seconds
By default, Nmap scans the most common 1,000 ports for each protocol.
nmap Target selection
scan a single IP
scan a host
scan a range of IPs
scan a subnet
nmap -iL myserverlist.txt
scan targets from a text file
nmap -6 [IP-V6-HERE]
enables IP v6 scanning
nmap has lots of switches to gain more information about hosts.
gives more detailed information
scan for information regarding a specific port
discover the operating system information
reveal further operating system information
sudo and su, the very important and mostly used commands in Linux. It is very important for a Linux user to understand these two to increase security and prevent unexpected things that a user may have to go through. Firstly we will see what these commands do then we’ll know the difference between both of them. So let’s get started.
The Linux command ‘su’ is used to switch from one account to another. User will be prompted for the password of the user switching to.
Users can also use su to switch to root account. If user types only ‘su’ without any option then It will be considered as root and user will be prompted to enter root user password.
[email protected]:/home/user1$ suPassword:[email protected]:/home/user1# pwd/home/user1[email protected]:/home/user1# exitexit
As we all know, Linux in many ways protects users’ computer being used for bad purposes by some nasty people around us. Using sudo is one of those good ways. Whenever a user tries to install, remove and change any piece of software, the user has to have the root privileges to perform such tasks. sudo, linux command is used to give such permissions to any particular command that a user wants to execute. sudo requires the user to enter user password to give system based permissions. For example user wants to update the operating system by passing command:
[email protected]:~$ apt-get updateReading package lists... DoneW: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)E: Unable to lock directory /var/lib/apt/lists/W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)
This error is due to not having root privileges to the user ‘payam’. The root privileges can be required by passing sudo at the very beginning, like below:
[email protected]:~$ sudo apt-get update[sudo] password for payam:Hit:1 http://ppa.launchpad.net/peek-developers/stable/ubuntu xenial InReleaseHit:2 http://archive.ubuntu.com/ubuntu xenial InReleaseGet:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]Get:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]Get:5 http://archive.ubuntu.com/ubuntu xenial-security InRelease [109 kB]0% [5 InRelease 240 B/109 kB 0%]...
but how sudo knows who should has root permission? which command could be run under root privilages? sudo keeps its configurations in /etc/sudoers file:
[email protected]:~# cat /etc/sudoers## This file MUST be edited with the 'visudo' command as root.## Please consider adding local content in /etc/sudoers.d/ instead of# directly modifying this file.## See the man page for details on how to write a sudoers file.#Defaults env_resetDefaults mail_badpassDefaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"# Host alias specification# User alias specification# Cmnd alias specification# User privilege specificationroot ALL=(ALL:ALL) ALL# Members of the admin group may gain root privileges%admin ALL=(ALL) ALL# Allow members of group sudo to execute any command%sudo ALL=(ALL:ALL) ALL# See sudoers(5) for more information on "#include" directives:#includedir /etc/sudoers.d
The syntax specification for a rule in the
sudoers file is:
user (host)=(user:group) commands
the 3 important lines:
(root ALL=(ALL) ALL) just lets root do everything on any machine as any user.
(%admin ALL=(ALL) ALL) lets anybody in the admin group run anything as any user.
%sudo ALL=(ALL:ALL) ALL all users in the sudo group have the privileges to run any command
note: In CentOS, the wheel group is often found instead of sudo group.
How to edit
/etc/sudors file ? If you use a plain editor, mess up the syntax, and save...
sudo will (probably) stop working, and, since
/etc/sudoers is only modifiable by
root, you're stuck! so we use visudo instead. visudo edits the
sudoers file in a safe fashion, by doing two things:
visudo checks the file syntax before actually overwriting the
Additionally, visudo locks the
sudoers file against multiple simultaneous edits. This locking is important if you need to ensure nobody else can mess up your carefully considered config changes.
Linux operating systems have the ability to limit the amount of various system resources available to a user process. These limitations include how many files a process can have open, how large of a file the user can create, and how much memory can be used by the different components of the process. ulimit is the command used to accomplish this.
The ulimit command provides control over the resources available to the shell and/or to processes started by it.
[email protected]:~$ ulimitunlimited
To get the report in details, add the “-a” flag at the end. This will print all the resource limits for the current user.
To set ulimit value on a parameter use the below command:
ulimit -<letter Option> <NewValue>
as an example lets put limits on file size in the current shell:
[email protected]:~$ ulimit -f 0[email protected]:~$ ulimit -a | grep filecore file size (blocks, -c) 0file size (blocks, -f) 0open files (-n) 1024file locks (-x) unlimited[email protected]:~$ vim new.txtVim: Caught deadly signal XFSZVim: Finished.File size limit exceeded (core dumped)
For the ulimits to persists across reboots we need to set the ulimit values in the configuration file /etc/security/limits.conf. it is also used for system wide limits:
[email protected]:~# cat /etc/security/limits.conf# /etc/security/limits.conf##Each line describes a limit for a user in the form:##<domain> <type> <item> <value>##Where:#<domain> can be:# - a user name# - a group name, with @group syntax# - the wildcard *, for default entry# - the wildcard %, can be also used with %group syntax,# for maxlogin limit# - NOTE: group and wildcard limits are not applied to root.# To apply a limit to the root user, <domain> must be# the literal username root.##<type> can have the two values:# - "soft" for enforcing the soft limits# - "hard" for enforcing hard limits##<item> can be one of the following:# - core - limits the core file size (KB)# - data - max data size (KB)# - fsize - maximum filesize (KB)# - memlock - max locked-in-memory address space (KB)# - nofile - max number of open files# - rss - max resident set size (KB)# - stack - max stack size (KB)# - cpu - max CPU time (MIN)# - nproc - max number of processes# - as - address space limit (KB)# - maxlogins - max number of logins for this user# - maxsyslogins - max number of logins on the system# - priority - the priority to run user process with# - locks - max number of file locks the user can hold# - sigpending - max number of pending signals# - msgqueue - max memory used by POSIX message queues (bytes)# - nice - max nice priority allowed to raise to values: [-20, 19]# - rtprio - max realtime priority# - chroot - change root to directory (Debian-specific)##<domain> <type> <item> <value>##* soft core 0#root hard core 100000#* hard rss 10000#@student hard nproc 20#@faculty soft nproc 20#@faculty hard nproc 50#ftp hard nproc 0#ftp - chroot /ftp#@student - maxlogins 4# End of file
There are two types of limits: A soft limit is like a warning and hard limit is a real max limit. For example, following will prevent anyone in the faculty group from having more than 50 processes, and a warning will be given at 20 processes.
note: soft limit cannot be higher than the hard limit.
ulimits is a part of pluggable authentication module(PAM) system which will be discussed in lpic-2 book.
As a system administrator, you may want to know who is on the system at any give point in time. You may also want to know what they are doing. In this article let us review 3 different methods to identify who is on your Linux system.
w command in Linux is used to show who is logged on and what they are doing. This command shows the information about the users currently on the machine and their processes.
[email protected]:~# w01:24:45 up 4:33, 4 users, load average: 0.00, 0.00, 0.00USER TTY FROM [email protected] IDLE JCPU PCPU WHATuser1 tty7 :0 15:11 10:13m 40.45s 0.27s /sbin/upstart -payam pts/19 127.0.0.1 01:11 12:47 0.04s 0.04s -bashuser2 pts/21 127.0.0.1 01:24 13.00s 0.04s 0.04s -bashroot pts/22 192.168.52.133 01:16 3:41 0.03s 0.03s -bash
The output of the w command contains the following columns:
The header shows, in this order, the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.
The following entries are displayed for each user:
Name of the user
User’s machine number or tty number
Remote machine address
User’s Login time
Idle time (not usable time)
Time used by all processes attached to the tty (JCPU time)
Time used by the current process (PCPU time)
Command currently getting executed by the users
w has some options, try
w --help to see them.
The who command is used to get information about currently logged in user on to system.
[email protected]:~# whouser1 tty7 2020-03-22 15:11 (:0)payam pts/19 2020-03-23 01:11 (127.0.0.1)user2 pts/21 2020-03-23 01:24 (127.0.0.1)root pts/22 2020-03-23 01:16 (192.168.52.133)
The who command displays the following information for each user currently logged in to the system if no option is provided :
Login name of the users
Terminal line numbers
Login time of the users in to system
Remote host name of the user
who has lots of option try
so we need another command to get information about logged out people, and that is
The last command in Linux is used to display the list of all the users logged in and out.
[email protected]:~# lastuser2 pts/21 127.0.0.1 Mon Mar 23 01:24 still logged inroot pts/22 192.168.52.133 Mon Mar 23 01:16 still logged inuser2 pts/21 127.0.0.1 Mon Mar 23 01:13 - 01:21 (00:08)payam pts/19 127.0.0.1 Mon Mar 23 01:11 still logged inwtmp begins Mon Mar 23 01:11:58 2020
The output of this command contains the following columns:
Tty device number
Login date and time
Total working time
last also gives us information about latest system reboots, do not forget to take a look at
https://blog.confirm.ch/tcp-connection-states/ (tcp 3-way handshake)