110.1. Perform security administration tasks
Weight: 3
Description: Candidates should know how to review system configuration to ensure host security in accordance with local security policies.
Key Knowledge Areas:
Audit a system to find files with the suid/sgid bit set
Set or change user passwords and password aging information
Being able to use nmap and netstat to discover open ports on a system
Set up limits on user logins, processes and memory usage
Determine which users have logged in to the system or are currently logged in
Basic sudo configuration and usage
Terms and Utilities:
find
passwd
fuser
lsof
nmap
chage
netstat
sudo
/etc/sudoers
su
usermod
ulimit
who, w, last
In this lesson we take a look at basic security audits. First we review several commands we have already learned, this time from the security perspective, and then get introduced to some new commands.
find suid/sgid
We have learned about suid/sgid when we talked about managing file permissions and ownership; as a quick review, see the table below:
There are some security concerns when using suid/sgid, such as: what happens if a destructive program has the suid/sgid bit set on it? Why should a dangerous program such as rm have the suid bit? To search for all suid/sgid files we use the find command:
sudo find / -perm -u+s
sudo find / -perm -g+s
Obviously going through each of these files and finding out what it does is beyond the scope of this course, but we should keep our eyes open for any that do not make sense, such as a suid/sgid file found in a user's home directory. It is recommended to save this list for future comparison, so that new changes can be detected.
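As an added example (not part of the original lesson), the following shell script turns that recommendation into a repeatable check: it records a baseline of suid/sgid files and reports anything added or removed since. The scan root and baseline path are arguments you choose; run it as root to scan a real / tree.

```shell
#!/bin/sh
# Added example, not from the lesson: baseline and diff suid/sgid files.
# -perm -4000 is the octal form of -u+s, -perm -2000 the octal form of -g+s.

# Print sorted paths of suid/sgid regular files under $1.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare a fresh scan of $1 with the baseline file $2.
# First run: saves the baseline. Later runs: print "+path" for new
# suid/sgid files and "-path" for removed ones; return 1 if anything changed.
suid_audit() {
    root="$1"; baseline="$2"
    current=$(mktemp)
    list_suid_sgid "$root" > "$current"
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        echo "baseline saved to $baseline"
        return 0
    fi
    tab=$(printf '\t')
    # comm -3: column 1 = only in baseline (removed), column 2 = only in current (new)
    changes=$(comm -3 "$baseline" "$current" | sed -e "s/^${tab}/+/" -e t -e 's/^/-/')
    rm -f "$current"
    if [ -z "$changes" ]; then
        echo "no suid/sgid changes under $root"
        return 0
    fi
    printf '%s\n' "$changes"
    return 1
}

# Usage on a real host (as root): suid_audit / /var/lib/suid-baseline.txt
```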
looking for open ports
It is important to verify which ports are listening on the server’s network interfaces. Below are the different categories of ports:
0-1023 – the Well Known Ports, also referred to as System Ports.
1024-49151 – the Registered Ports, also known as User Ports.
49152-65535 – the Dynamic Ports, also referred to as the Private Ports.
We need to pay attention to open ports to detect an intrusion. Apart from an intrusion, for troubleshooting purposes, it may be necessary to check if a port is already in use by a different application on our servers. For example, we may install Apache and Nginx server on the same system!
This section provides steps to use the netstat, lsof and nmap commands to check the ports in use and view the application that is utilizing the port.
netstat
One use of the netstat command line tool is monitoring incoming and outgoing network connections. By default, netstat displays a list of open sockets, which is not very useful, so we usually use it along with the -tuna switches (-t TCP, -u UDP, -n numeric addresses, -a all sockets, including listening ones).
Before a TCP connection can be opened, we need a server with a listener. The listener waits for incoming connections on a specific port; this state is shown as LISTEN. If everything works properly, the connection is marked as ESTABLISHED on both end-points. In these tables 0.0.0.0 means any address or any interface.
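As an added example (not from the original lesson), here is a small shell helper that reads netstat -tuna output, pulls out the listening sockets and flags any port that is not on an allowlist you pass in, so the check can be repeated after every change. The netstat output inside the script is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the lesson: find unexpected listeners in
# `netstat -tuna` output. The sample output below is constructed, not real.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Read netstat -tuna output on stdin; print "proto port bind-address" for
# every TCP socket in LISTEN state and every bound (unconnected) UDP socket.
listening_ports() {
    awk '
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /[*]$/) {
            n = split($4, a, ":")                    # port is the last ":" field
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            print $1, a[n], addr
        }'
}

# Usage: ... | unexpected_listeners PORT [PORT...]
# Prints every listener whose port is not in the allowlist, tagged with
# whether it is reachable from other hosts or bound to loopback only.
unexpected_listeners() {
    allow=" $* "
    listening_ports | while read -r proto port addr; do
        case "$allow" in *" $port "*) continue ;; esac
        case "$addr" in 127.*|::1) scope="loopback-only" ;; *) scope="all-interfaces" ;; esac
        echo "$proto $port $addr $scope"
    done
}

# Stand-alone demo on the constructed sample; on a live host use:
#   netstat -tuna | unexpected_listeners 22 80
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22 80
```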
lsof
lsof, meaning 'LiSt Open Files', is used to find out which files are open by which process. As we know, in Linux everything is a file, so we can even check the files that are opened by network connections, using lsof with the -i switch, which lists all network connections:
This command shows the command, PID, the user running it, the source and destination IP addresses, and tells us whether this is a LISTENING or ESTABLISHED connection.
If we want to check which process is using a specific port, we can grep the output of any of the above commands or simply use the fuser command.
fuser
The fuser command is a very handy utility used to find which process is using a file, a directory or a socket.
The following command creates a tcp listener on port 8080:
Since a tcp server is listening on port 8080, the fuser utility can be used to find the process which is using the server's socket. The -v option puts fuser in verbose mode and the -n option selects the tcp protocol as a name space:
By default, fuser looks at both IPv6 and IPv4 sockets, but this default can be changed with the -4 and -6 options.
nmap
Nmap, aka Network Mapper, is an open source and very versatile tool for Linux system/network administrators. Nmap is used for exploring networks, performing security scans and network audits, and finding open ports on local or remote machines.
Please note that scanning websites with Nmap is not always legal; in some cases, if you go too deep, you will need written permission from the owner of the website and the holder of the IP address.
By default, Nmap scans the most common 1,000 ports for each protocol.
nmap has lots of switches to gain more information about hosts.
examine sudo configuration
su vs sudo
sudo and su are very important and much-used commands in Linux. It is very important for a Linux user to understand these two, to increase security and to prevent unexpected things that a user may otherwise go through. First we will see what these commands do, then we will look at the difference between them. So let's get started.
Before beginning: in some distributions such as Ubuntu, the root password is not set when you install a fresh OS, so set it first using the sudo passwd root command.
su
The Linux command 'su' is used to switch from one account to another. The user will be prompted for the password of the account being switched to.
Users can also use su to switch to the root account. If the user types only 'su' without any option, root is assumed and the user will be prompted for the root password.
What is the difference between 'su' and 'su -'?
Well, the difference is the environment variables: su - changes the environment, su does not. su keeps the environment of the old/original user even after the switch to root has been made, while su - creates a new environment (as dictated by the ~/.bashrc of the root user), similar to the case when you explicitly log in as root from the login screen.
Please note that the -, -l and --login switches are all the same.
sudo
As we all know, Linux in many ways protects users' computers from being used for bad purposes by some nasty people around us. Using sudo is one of those good ways. Whenever a user tries to install, remove or change any piece of software, the user has to have root privileges to perform such tasks. The sudo command is used to give such permissions to a particular command that a user wants to execute. sudo requires the user to enter their own password to get these system permissions. For example, a user wants to update the operating system by running the command:
This error is due to the user 'payam' not having root privileges. Root privileges can be requested by putting sudo at the very beginning, like below:
/etc/sudoers
But how does sudo know who should have root permission, and which commands can be run with root privileges? sudo keeps its configuration in the /etc/sudoers file:
The syntax specification for a rule in the sudoers file is:
user host=(runas_user:runas_group) commands
The 3 important lines:
root ALL=(ALL) ALL just lets root do everything on any machine as any user.
%admin ALL=(ALL) ALL lets anybody in the admin group run anything as any user.
%sudo ALL=(ALL:ALL) ALL lets all users in the sudo group run any command (as any user and any group).
note: In CentOS, the wheel group is often found instead of the sudo group.
The difference between wheel/sudo group and sudo user
In CentOS and Debian, a user belonging to the wheel/sudo group can execute su and directly ascend to root. Meanwhile, a sudo user would have to use sudo su first. Essentially, there is no real difference except for the syntax used to become root, and users belonging to both groups can use the sudo command.
How to edit the /etc/sudoers file? If you use a plain editor, mess up the syntax, and save, sudo will (probably) stop working, and, since /etc/sudoers is only modifiable by root, you are stuck! So we use visudo instead. visudo edits the sudoers file in a safe fashion, by doing two things:
visudo checks the file syntax before actually overwriting the sudoers file.
Additionally, visudo locks the sudoers file against multiple simultaneous edits. This locking is important if you need to ensure nobody else can mess up your carefully considered config changes.
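To make the rule syntax and the visudo advice concrete, here is an added shell example (not from the lesson and not part of sudo itself) that scans a sudoers-style file for rules whose command list is ALL and for NOPASSWD rules, the two things a reviewer usually wants to spot first. The sudoers content is constructed for the example; the user names and paths in it are invented.

```shell
#!/bin/sh
# Added example, not from the lesson: audit sudoers rules for broad grants.
# Constructed sudoers fragment; user names and paths are invented.
SAMPLE_SUDOERS='# constructed example, not a real /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
payam   ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
backup  ALL=(root) NOPASSWD: /usr/bin/rsync'

# Strip comments, Defaults lines and blank lines; keep only user rules.
sudo_rules() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*Defaults/ || NF == 0 { next } { print }'
}

# Print the user/group of every rule whose command list is exactly ALL,
# i.e. a full root-equivalent grant (user host=(runas) [TAG:] commands).
broad_sudo_rules() {
    sudo_rules | awk '{
        rhs = $0
        sub(/^[^=]*=[[:space:]]*/, "", rhs)        # drop "user host="
        sub(/^\([^)]*\)[[:space:]]*/, "", rhs)      # drop "(runas_user:runas_group)"
        sub(/^[A-Z]+:[[:space:]]*/, "", rhs)        # drop a tag such as NOPASSWD:
        if (rhs == "ALL") print $1
    }'
}

# Print the user/group of every rule that runs without a password prompt.
nopasswd_sudo_rules() {
    sudo_rules | awk '/NOPASSWD:/ { print $1 }'
}

# Stand-alone demo; on a real file: broad_sudo_rules < /etc/sudoers
# (validate a candidate file before installing it with: visudo -c -f FILE)
printf '%s\n' "$SAMPLE_SUDOERS" | broad_sudo_rules
printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_sudo_rules
```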
Managing system resources
Linux operating systems have the ability to limit the amount of various system resources available to a user process. These limitations include how many files a process can have open, how large of a file the user can create, and how much memory can be used by the different components of the process. ulimit is the command used to accomplish this.
ulimit
The ulimit command provides control over the resources available to the shell and/or to processes started by it.
To get a detailed report, add the "-a" flag. This will print all the resource limits for the current user.
To set ulimit value on a parameter use the below command:
ulimit -<letter Option> <NewValue>
As an example, let's put a limit on file size in the current shell:
For the ulimits to persist across reboots we need to set the ulimit values in the configuration file /etc/security/limits.conf. It is also used for system-wide limits:
There are two types of limits: a soft limit is like a warning and a hard limit is the real maximum. For example, the following will prevent anyone in the faculty group from having more than 50 processes, and a warning will be given at 20 processes.
note: the soft limit cannot be higher than the hard limit.
ulimits are part of the pluggable authentication module (PAM) system, which will be discussed in the LPIC-2 book.
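As an added example (not from the lesson), the shell functions below demonstrate the soft/hard interaction on the open-files limit (-n) inside a throwaway subshell, so the calling shell's limits are untouched; the limits.conf lines in the comment are the persistent form of the faculty example described above.

```shell
#!/bin/sh
# Added example, not from the lesson: soft vs hard limits with ulimit.
# Every check runs in ( ... ) so the caller's own limits are not changed.
# Persistent equivalent of the faculty example, in /etc/security/limits.conf
# (format: <domain> <type> <item> <value>; @group names a group):
#   @faculty   soft   nproc   20
#   @faculty   hard   nproc   50

# Plain "ulimit -n 256" sets BOTH the soft and hard open-files limit to 256.
# Asking for a soft limit above the hard limit is rejected, even as root.
soft_above_hard_is_rejected() {
    ( ulimit -n 256 && ulimit -S -n 512 ) 2>/dev/null && return 1
    return 0
}

# A soft limit at or below the hard limit is accepted and takes effect.
soft_below_hard_is_accepted() {
    ( ulimit -n 256 && ulimit -S -n 128 && [ "$(ulimit -S -n)" -eq 128 ] \
        && [ "$(ulimit -H -n)" -eq 256 ] ) 2>/dev/null
}

# Once lowered, only a privileged process can raise the hard limit again;
# an ordinary user gets "cannot modify limit: Operation not permitted".
hard_can_be_raised_again() {
    ( ulimit -n 256 && ulimit -H -n 1024 ) 2>/dev/null
}

# Stand-alone report
soft_above_hard_is_rejected && echo "soft > hard: rejected (as expected)"
soft_below_hard_is_accepted && echo "soft <= hard: accepted"
if hard_can_be_raised_again; then echo "hard limit raised again (privileged user)"
else echo "hard limit cannot be raised again (unprivileged user)"; fi
```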
checking the users in the system
As a system administrator, you may want to know who is on the system at any given point in time. You may also want to know what they are doing. In this section let us review 3 different methods to identify who is on your Linux system.
w
w command in Linux is used to show who is logged on and what they are doing. This command shows the information about the users currently on the machine and their processes.
The output of the w command contains the following columns:
The header shows, in this order, the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.
The following entries are displayed for each user:
Name of the user
User’s machine number or tty number
Remote machine address
User’s Login time
Idle time (not usable time)
Time used by all processes attached to the tty (JCPU time)
Time used by the current process (PCPU time)
Command currently getting executed by the users
w has some options, try w --help to see them.
who
The who command is used to get information about the users currently logged in to the system.
If no option is provided, the who command displays the following information for each user currently logged in to the system:
Login name of the users
Terminal line numbers
Login time of the users in to system
Remote host name of the user
who has lots of options, try who --help.
w and who read their information from the /var/run/utmp file. This file contains information about the users who are currently logged on to the system.
So we need another command to get information about people who have logged out, and that is last.
last
The last command in Linux is used to display the list of all the users logged in and out.
The output of this command contains the following columns:
User name
Tty device number
Login date and time
Logout time
Total working time
The last command uses the /var/log/wtmp file to display the listing of last logged in users. This file is like a history for the utmp file, i.e. it maintains the logs of all users who logged in and logged out (in the past).
/var/log/btmp keeps track of failed login attempts. So try last -f /var/log/btmp to check the last failed logins.
last also gives us information about the latest system reboots; do not forget to take a look at last --help.