LPI Linux Certification in a Nutshell
-n  Don't do DNS resolution.
-sS  Perform a TCP SYN scan (the default).
-sU  Perform a UDP scan.
-p port_range  Scan only the specified ports.
-sV  Perform a service or version scan on open ports. This is useful when attempting to determine what software is running on the remote machine.
-O  Attempt to determine the operating system of the system being scanned.
Example 1

Perform a "standard" TCP scan on a remote system:

# nmap 192.168.1.220

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-14 21:11 CST
Interesting ports on server.domain.com (192.168.1.220):
Not shown: 979 closed ports
PORT      STATE SERVICE
42/tcp    open  nameserver
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1025/tcp  open  NFS-or-IIS
1029/tcp  open  ms-lsa
1084/tcp  open  ansoft-lm-2
1090/tcp  open  unknown
1094/tcp  open  unknown
1121/tcp  open  unknown
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-term-serv
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:07:E9:82:6B:D8 (Intel)

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds

nmap performs its work relatively quickly, and lets us know that of the 1,700 or so common ports that were scanned, 21 ports were found open that nmap considers "interesting." If you want to scan every possible open TCP port (from 1 to 65535), give the -p option:

# nmap -p 1-65535 192.168.1.220

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-14 21:15 CST
Interesting ports on server.domain.com (192.168.1.220):
Not shown: 65512 closed ports
PORT      STATE SERVICE
42/tcp    open  nameserver
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1025/tcp  open  NFS-or-IIS
1029/tcp  open  ms-lsa
1084/tcp  open  ansoft-lm-2
1090/tcp  open  unknown
1094/tcp  open  unknown
1121/tcp  open  unknown
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-term-serv
4601/tcp  open  unknown
9675/tcp  open  unknown
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:07:E9:82:6B:D8 (Intel)

Nmap done: 1 IP address (1 host up) scanned in 17.80 seconds

This scan took a little bit longer, but it showed us an additional three open TCP ports that the default scan did not show.
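The practical value of two listings like the ones above is the comparison between them: a scan of your own host taken as a baseline, and a later (or wider) scan checked against it so that any port that has newly appeared gets noticed. The following parser for nmap's normal-output port table is an added example written for this page, not code from the book; the two sample inputs are shortened copies of the scan listings above, kept to a few port lines each, and the function and variable names are this example's own.

```python
import re
from typing import Dict, Set, Tuple

PortKey = Tuple[int, str]          # (port number, protocol)

# Constructed sample input: shortened copies of the two scan listings above,
# kept to a handful of port lines each. The second listing carries the two
# extra ports (4601/tcp and 9675/tcp) that the full-range scan turned up.
DEFAULT_SCAN = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-14 21:11 CST
Interesting ports on server.domain.com (192.168.1.220):
Not shown: 979 closed ports
PORT      STATE SERVICE
42/tcp    open  nameserver
53/tcp    open  domain
80/tcp    open  http
3389/tcp  open  ms-term-serv
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:07:E9:82:6B:D8 (Intel)

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
"""

FULL_SCAN = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-14 21:15 CST
Interesting ports on server.domain.com (192.168.1.220):
Not shown: 65512 closed ports
PORT      STATE SERVICE
42/tcp    open  nameserver
53/tcp    open  domain
80/tcp    open  http
3389/tcp  open  ms-term-serv
4601/tcp  open  unknown
9675/tcp  open  unknown
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:07:E9:82:6B:D8 (Intel)

Nmap done: 1 IP address (1 host up) scanned in 17.80 seconds
"""

# One port line of nmap's normal output: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# The summary line nmap prints for ports it does not list individually
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")


def parse_ports(output: str) -> Dict[PortKey, Tuple[str, str]]:
    """Map every listed port to its (state, service) pair."""
    ports: Dict[PortKey, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


def open_ports(output: str) -> Set[PortKey]:
    """The subset of listed ports whose state is exactly 'open'."""
    return {key for key, (state, _) in parse_ports(output).items() if state == "open"}


def ports_scanned(output: str) -> int:
    """Listed ports plus the 'Not shown' count gives the number of ports nmap probed."""
    listed = len(parse_ports(output))
    hidden = sum(int(m.group(1)) for m in map(NOT_SHOWN.match, output.splitlines()) if m)
    return listed + hidden


def diff_scans(baseline: str, current: str) -> Tuple[Set[PortKey], Set[PortKey]]:
    """Return (newly open, no longer open) between a baseline scan and a later one."""
    before, after = open_ports(baseline), open_ports(current)
    return after - before, before - after


if __name__ == "__main__":
    appeared, vanished = diff_scans(DEFAULT_SCAN, FULL_SCAN)
    print("ports probed:", ports_scanned(DEFAULT_SCAN), "vs", ports_scanned(FULL_SCAN))
    for port, proto in sorted(appeared):
        print(f"newly open: {port}/{proto}")
    for port, proto in sorted(vanished):
        print(f"no longer open: {port}/{proto}")
```

Feeding a saved baseline and a fresh scan of the same host into diff_scans gives the drift since the baseline; ports_scanned makes the point the text makes about coverage, since a default scan and a -p 1-65535 scan probe very different numbers of ports and only the wider one can be compared against a full-range baseline.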
Example 2

Attempt to perform an "OS fingerprint" on a remote system:

# nmap -O 192.168.1.220

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-14 21:18 CST
Interesting ports on server.domain.com (192.168.1.220):
Not shown: 979 closed ports
PORT      STATE SERVICE
42/tcp    open  nameserver
<...output truncated...>
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:07:E9:82:6B:D8 (Intel)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

nmap performs some interesting manipulations of the standard TCP connection states in an attempt to guess what operating system the scanned host is running. For more information, visit the nmap site.
Example 3

Discover what hosts are "up" on a subnet (or at least which ones are responding to ping). This example was run on a different machine, so the version of nmap and the IP subnet are different from the previous example:

# nmap -sP 10.0.0.0/24

Starting Nmap 4.52 ( http://insecure.org ) at 2010-01-14 21:21 CST
Host 10.0.0.1 appears to be up.
Host 10.0.0.100 appears to be up.
MAC Address: 00:1B:EA:F2:C4:70 (Nintendo Co.)
Host 10.0.0.101 appears to be up.
MAC Address: 00:21:00:9E:45:15 (Unknown)
Host 10.0.0.102 appears to be up.
MAC Address: 00:21:00:72:54:4A (Unknown)
Host 10.0.0.103 appears to be up.
MAC Address: 00:21:85:C2:2D:A5 (Unknown)
Host 10.0.0.104 appears to be up.
MAC Address: 00:19:21:27:8E:83 (Elitegroup Computer System Co.)
Host 10.0.0.106 appears to be up.
MAC Address: 00:14:22:61:E3:D9 (Dell)
Host router (10.0.0.210) appears to be up.
MAC Address: 00:12:17:30:B4:9C (Cisco-Linksys)
Nmap done: 256 IP addresses (8 hosts up) scanned in 4.928 seconds
Name

lsof

Syntax

lsof [options] [names]

Description

lsof lists open files. Since everything in Linux is a file, this tool can tell you a fantastic amount of information about your running system. It is primarily used to tell what processes have what files open, but it can also be used to view TCP and UDP connection information, among other things.

Frequently used options

-c x  Only show files that are open by processes whose executable starts with the character(s) specified by x.
-i x  Instead of showing open files, show sockets whose Internet address is x. If x is not specified, show all IP connections. This is functionally equivalent to netstat -anp.
-u username  Show only the files that username has open.
-P  Do not convert port numbers to port names (for example, show 25 instead of smtp).
Example 1

The lsof command is often used to determine what processes have files open on removable media so they can be terminated, allowing the media to be unmounted:

# pwd
/public
# umount /public
umount: /public: device is busy
# lsof | grep "/public"
smbd      17728  adamh  cwd  DIR  8,6  58  1925  /public
bash      21712  root   cwd  DIR  8,6  58  1925  /public
lsof      21841  root   cwd  DIR  8,6  58  1925  /public
grep      21842  root   cwd  DIR  8,6  58  1925  /public
lsof      21843  root   cwd  DIR  8,6  58  1925  /public

This shows us that the smbd process (controlled by user adamh) and a bash, lsof, and grep process all have the file handle for the directory /public open. Now we'll change directories and run lsof again:

# cd /
# lsof | grep "/public"
smbd      17728  adamh  cwd  DIR  8,6  58  1925  /public

We see now that only smbd has a file open on the /public directory.
Example 2

In this example, we'll see how lsof can be used to determine what connections exist between a machine and a remote host. Our machine in this case has an IP address of 10.0.0.1 and is running the Samba daemon (smbd). The remote machine at 10.0.0.104 is connected to the Samba daemon:

# lsof -i @10.0.0.104
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
smbd    1329 root    5u  IPv4 252713      TCP 10.0.0.1:139->10.0.0.104:1568 (ESTABLISHED)

The machine at 10.0.0.104 is connected to TCP port 139 on 10.0.0.1, and is communicating with the process named smbd, which has a PID of 1329.
On the Exam

The lsof command is an important tool for any good system administrator to have in his arsenal. Be prepared to answer questions about its general usage, and be familiar with common options, including viewing socket information and files open by process name and username.
Chapter 23. Set Up Host Security (Topic 110.2)
This chapter describes the practical steps one needs to take to begin to secure a Linux system. The important thing to remember regarding security is that it is a process, not a destination. Maintaining a secure system is a job that is never complete. This chapter covers the second objective of Topic 110:

Objective 2: Set Up Host Security

Candidates should know how to set up a basic level of host security. Weight: 3.
Objective 2: Set Up Host Security

As mentioned previously, the key to good host security is knowledge. A good system administrator knows at all times what is happening on systems he manages, and has processes in place to tell him when things stray from the norm.
Previous chapters have covered the topics of shadow passwords, knowledge of the /proc filesystem, maintaining startup services in /etc/rc.d, and other areas of host-based security. This chapter will finish this topic by discussing the inetd and xinetd services, and their role in system security.

The Super-Server

Modern Linux systems are often asked to perform many functions. Because of the broad appeal of Linux, its use is in everything from firewalls to set-top boxes. Because of this, there are many network services that are commonly seen on a Linux system. These services oftentimes do not see constant use, but need to be active and available when the need arises. Some examples of these important but often seldom used services are ftp, finger, telnet, imap, and pop3.

You may notice that these examples all represent network services that are considered relatively "old" (at least in terms of modern day computing). This is essentially true. Years ago, when hardware was more expensive and harder to come by, the amount of system resources, especially memory, that each process consumed was of great importance. The problem was that administrators wanted to consolidate a lot of their network services on one Linux machine, but were running into memory limitations. The solution was to come up with a listening service, or "super-server," that handled incoming connections and started the correct networking service to handle them. Thus the inetd service was born.

The inetd service has two important characteristics: It is a single process that can listen on multiple ports for incoming connections, starting the appropriate service when a connection comes in and connecting the inbound connection with the service. Also, inetd supports a sophisticated security scheme for allowing and disallowing access to these "simpler" networking services, many of which don't have advanced access controls built into them. So the creation of inetd solved two problems: limited memory was conserved, and administrators gained a finer level of control over what systems or networks could access their services.
inetd syntax

The main configuration file for inetd is /etc/inetd.conf. An example looks like this:

#echo      stream  tcp     nowait  root    internal
#echo      dgram   udp     wait    root    internal
#discard   stream  tcp     nowait  root    internal
#discard   dgram   udp     wait    root    internal
#daytime   stream  tcp     nowait  root    internal
#daytime   dgram   udp     wait    root    internal
#chargen   stream  tcp     nowait  root    internal
#chargen   dgram   udp     wait    root    internal
#time      stream  tcp     nowait  root    internal
#time      dgram   udp     wait    root    internal
#
# These are standard services.
#
ftp        stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet     stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell     stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login     stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec      stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat    dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk      dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
#ntalk     dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk     stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2     stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
#pop-3     stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap       stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp      stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp      dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps    dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#finger    stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger   stream  tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat    stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat   stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
#
# Authentication
#
#auth      stream  tcp     nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
#
# End of inetd.conf

Like most Linux configuration files, a line starting with a # symbol denotes a comment. In this example, only the ftp, telnet, and imap services are active. Each line of the file describes a unique service and is made up of seven sections, described in Table 23-1.
Table 23-1. Fields in /etc/inetd.conf

Field position  Name                Description

1               Service name        The name of the service, which must correspond to a name in the file /etc/services. This determines what port inetd will listen on for requests to this service.

2               Socket type         One of stream, dgram, raw, or seqpacket. TCP services use stream, whereas UDP services use dgram.

3               Protocol            One of the following:
                                    tcp, tcp4 = TCP IPv4
                                    udp, udp4 = UDP IPv4
                                    tcp6 = TCP IPv6
                                    udp6 = UDP IPv6
                                    tcp46 = Both TCP IPv4 and v6
                                    udp46 = Both UDP IPv4 and v6

4               Connection options  {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
                                    The wait or nowait option defines how inetd handles the incoming connection. If wait is indicated, inetd will hand off multiple incoming requests to a single daemon, whereas nowait means that inetd should start a new server process for each incoming connection.
                                    /max-child limits the number of connections that will be accepted at one time.
                                    /max-connections-per-ip-per-minute and /max-child-per-ip are optional limits you can place on this resource, to prevent abuse and denial of service attacks.

5               User                What user account the service should start as.

6               Server              Full path to the service that inetd should start.

7               Server options      Command-line arguments (if any) that should be passed to the server.
Using this table as a guide, if we want to enable the imap service in our inetd configuration but limit imap to a maximum of 10 concurrent connections and prevent more than 5 concurrent connections from a single IP address, the line would look like this:

imap       stream  tcp     nowait/10/0/5   root    /usr/sbin/tcpd  imapd

Notice that we're not actually starting the imapd service, but instead the server /usr/sbin/tcpd with an argument of imapd. This is the TCP_WRAPPERS service, which is described later in this chapter.
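The seven-field layout in Table 23-1 and the nowait/10/0/5 example lend themselves to a small audit: parse every active line, decode the connection-options field, and flag services that either bypass tcpd or carry no concurrency limit. The parser below is an added example written for this page, not code from the book or from inetd itself. Its sample configuration is constructed in the shape of the listing above (with an uncommented auth line added so that an unwrapped service shows up), and it assumes, following the book's nowait/10/0/5 example, that a limit written as 0 means "no limit".

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of the /etc/inetd.conf listing above; the
# auth line is left active here so that a service not started via tcpd appears.
SAMPLE_INETD_CONF = """\
# These are standard services.
#echo      stream  tcp     nowait  root    internal
ftp        stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet     stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger    stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
imap       stream  tcp     nowait/10/0/5   root    /usr/sbin/tcpd  imapd
auth       stream  tcp     nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
"""

TCPD = "/usr/sbin/tcpd"   # the TCP wrapper the chapter's sample config starts services through


@dataclass
class InetdService:
    name: str
    socket_type: str
    protocol: str
    wait: bool                                 # True for 'wait', False for 'nowait'
    max_child: Optional[int]                   # None means no limit
    max_conn_per_ip_per_minute: Optional[int]
    max_child_per_ip: Optional[int]
    user: str
    server: str
    args: List[str] = field(default_factory=list)

    @property
    def wrapped(self) -> bool:
        """True when the service is started through tcpd rather than directly."""
        return self.server == TCPD


def parse_connection_options(text: str) -> Tuple[bool, List[Optional[int]]]:
    """Decode field 4: {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]].

    A missing limit, or one written as 0 (as in the chapter's nowait/10/0/5 line),
    is returned as None, i.e. no limit. That reading of 0 is this example's assumption.
    """
    parts = text.split("/")
    if parts[0] not in ("wait", "nowait") or len(parts) > 4:
        raise ValueError(f"bad connection options: {text!r}")
    limits: List[Optional[int]] = []
    for p in parts[1:]:
        if not p.isdigit():
            raise ValueError(f"bad limit in {text!r}")
        limits.append(int(p) or None)
    limits += [None] * (3 - len(limits))
    return parts[0] == "wait", limits


def parse_inetd_conf(text: str) -> List[InetdService]:
    """Parse the active (non-comment) lines into InetdService records, in file order."""
    services: List[InetdService] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields, got {len(fields)}")
        name, socket_type, protocol, conn, user, server, *args = fields
        wait, (max_child, per_ip_min, per_ip) = parse_connection_options(conn)
        services.append(InetdService(name, socket_type, protocol, wait,
                                     max_child, per_ip_min, per_ip, user, server, args))
    return services


def audit(services: List[InetdService]) -> List[str]:
    """Flag active services that bypass tcpd or carry no max-child limit."""
    findings: List[str] = []
    for s in services:
        if not s.wrapped:
            findings.append(f"{s.name}: started directly via {s.server}, not through tcpd")
        if s.max_child is None:
            findings.append(f"{s.name}: no max-child limit")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(finding)
```

Run against a real /etc/inetd.conf (read the file into parse_inetd_conf) the audit lists exactly the services that are reachable from the network without the access control tcpd adds, and those that can be driven to an unbounded number of server processes.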
The real advantage of inetd comes into play only when you have many services enabled, thus maximizing the amount of memory you are saving by not running all of these little-used services all the time, listening for connections.

xinetd

The original inetd service is seldom seen in more recent Linux distributions. It has been replaced with xinetd, the Extended Internet Daemon. xinetd improves upon the original goals of inetd by increasing the logging and access control ability around the managed services, in addition to adding defense mechanisms to protect against attacks, such as port scanners or denial of service.
The xinetd configuration file is /etc/xinetd.conf, but most services are configured as individual files in the directory /etc/xinetd.d. This makes adding and removing services much easier for a distribution's package management utility. The /etc/xinetd.conf file contains global configuration options, as seen in this example:

# This is the master xinetd configuration file. Settings in the
# default section will be inherited by all service configurations
# unless explicitly overridden in the service configuration. See
# xinetd.conf in the man pages for a more detailed explanation of
# these attributes.

defaults
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#
#       enabled         =
#       disabled        =

# Define general logging characteristics.
        log_type        = SYSLOG daemon info
        log_on_failure  = HOST
        log_on_success  = PID HOST DURATION EXIT

# Define access restriction defaults
#
#       no_access       =
#       only_from       =
#       max_load        = 0
        cps             = 50 10
        instances       = 50
        per_source      = 10

# Address and networking defaults
#
#       bind            =
#       mdns            = yes
        v6only          = no

# setup environmental attributes
#
#       passenv         =
        groups          = yes
        umask           = 002

# Generally, banners are not used. This sets up their global defaults
#
#       banner          =
#       banner_fail     =
#       banner_success  =
}

includedir /etc/xinetd.d

As you can see, xinetd offers some more advanced configuration options, such as cps (connections per second) and the ability to set the umask for files created by the managed services. Here is the example imap configuration file at /etc/xinetd.d/imap:

service imap
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/imapd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable         = no
}

Table 23-2 describes the different popular configuration options available in these service files. For a complete list of options, consult the manpage for xinetd.conf.
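What makes a service file like /etc/xinetd.d/imap hard to read in isolation is inheritance: the defaults block supplies instances, per_source, cps and the logging flags, the service block overrides or extends them with =, += and -=, and whether the service actually runs depends on its own disable attribute as well as the enabled/disabled lists in defaults. The following parser resolves that for each service. It is an added example written for this page, not code from the book or from xinetd; the sample configuration is constructed in the shape of the two listings above, with a disabled = telnet line and telnet and finger services added so that each way of switching a service off is exercised, and it assumes the brace-on-its-own-line layout the listings use.

```python
import re
from typing import Dict, List, Tuple

Assignment = Tuple[str, str, List[str]]   # (attribute, operator, values)

# Constructed sample in the shape of the xinetd.conf and /etc/xinetd.d/imap
# listings above; 'disabled = telnet' and the telnet and finger services are
# added here so that all three ways a service ends up off are exercised.
SAMPLE_XINETD = """\
defaults
{
        log_on_failure  = HOST
        log_on_success  = PID HOST DURATION EXIT
        cps             = 50 10
        instances       = 50
        per_source      = 10
        disabled        = telnet
}

service imap
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/imapd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable         = no
}

service telnet
{
        server          = /usr/sbin/in.telnetd
        disable         = no     # still off: listed in 'disabled' above
}

service finger
{
        server          = /usr/sbin/in.fingerd
        per_source      = 2
        log_on_success  -= DURATION EXIT
        disable         = yes
}
"""

ASSIGN = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")


def parse_xinetd(text: str) -> Dict[str, List[Assignment]]:
    """Split the file into 'defaults' and 'service <name>' blocks of assignments."""
    blocks: Dict[str, List[Assignment]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line == "{" or line.startswith("includedir"):
            continue
        if line == "}":
            current = None
            continue
        if current is None:                          # expecting a block header
            words = line.split()
            if words == ["defaults"]:
                current = "defaults"
            elif words[0] == "service" and len(words) == 2:
                current = f"service {words[1]}"
            else:
                raise ValueError(f"line {lineno}: unexpected {line!r}")
            blocks[current] = []
            continue
        m = ASSIGN.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        blocks[current].append((m.group(1), m.group(2), m.group(3).split()))
    return blocks


def effective(blocks: Dict[str, List[Assignment]], name: str) -> Dict[str, List[str]]:
    """Apply defaults first, then the service block; += and -= edit the inherited list."""
    attrs: Dict[str, List[str]] = {}
    for attr, op, values in blocks.get("defaults", []) + blocks[f"service {name}"]:
        have = attrs.get(attr, [])
        if op == "=":
            attrs[attr] = list(values)
        elif op == "+=":
            attrs[attr] = have + [v for v in values if v not in have]
        else:  # "-="
            attrs[attr] = [v for v in have if v not in values]
    return attrs


def is_enabled(blocks: Dict[str, List[Assignment]], name: str) -> bool:
    """Off when 'disable = yes', when defaults list it under 'disabled',
    or when defaults carry an 'enabled' list that omits it."""
    attrs = effective(blocks, name)
    if attrs.get("disable", ["no"]) == ["yes"] or name in attrs.get("disabled", []):
        return False
    return "enabled" not in attrs or name in attrs["enabled"]


def enabled_services(blocks: Dict[str, List[Assignment]]) -> List[str]:
    """Names of the services xinetd would actually listen for."""
    names = [key.split(" ", 1)[1] for key in blocks if key.startswith("service ")]
    return [n for n in names if is_enabled(blocks, n)]
```

Pointing parse_xinetd at the concatenation of /etc/xinetd.conf and the files under /etc/xinetd.d gives, per service, the limits and logging flags that are really in force, which is what you want to check rather than the service file alone.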
Table 23-2. Popular fields in /etc/xinetd.d/servicename

Field name  Description

id          Name of the service.

flags       Common flags are:
            NORETRY = Don't retry in case of a service failure.
            KEEPALIVE = Set the keepalive flag on the TCP socket.