In this chapter, we will discuss the following:
The security policy of Linux
Configuring password protection
Configuring server security
Conducting integrity checks of the installation medium using checksum
Using the LUKS disk encryption
Making use of sudoers – configuring sudo access
Scanning hosts with Nmap
Gaining a root on a vulnerable Linux system
A Linux machine is only as secure as an administrator configures it to be. Once we are done with the installation of the Linux OS and we remove its unnecessary packages after the installation has been completed, we can start working on the security aspect of the software and the services provided by the Linux machine.
A security policy is a definition that outlines the rules and practices to be followed to set up the computer network security in an organization. How the organization should manage, protect, and distribute sensitive data is also defined by the security policy.
When creating a security policy, we should keep in mind that it should be simple and easy for all users. The objective of the policy should be to protect data while keeping the privacy of users intact.
It should be developed around these points:
Accessibility to the system
Software installation rights on the system
Recovery from failure
When developing a security policy, a user should use only those services for which permission has been granted. Anything that is not permitted should be restricted in the policy.
In any system, the password plays a very important role in terms of security. A poor password may lead to an organization's resources being compromised. The password protection policy should be adhered to by everyone in the organization, from users to the administrator level.
Follow the given rules when selecting or securing your password.
A user should not use the same password for all the accounts in an organization
All access-related passwords should not be the same
Any system-level account should have a password that's different from any other account held by the same user
A password is something that needs to be treated as sensitive and confidential information. Hence, it should not be shared with anyone.
Passwords should not be shared through any electronic communication, such as e-mails.
Never reveal a password on your phone or questionnaire.
Do not use password hints that could provide clues to an attacker.
Never share company passwords with anyone, including administrative staff, managers, colleagues, and even family members.
Don't use the Remember Password feature of applications.
For the change policy, follow these rules:
A major reason for malicious attacks on Linux servers has been poorly implemented security or existing vulnerabilities. When configuring a server, security policies need to be implemented properly, and ownership needs to be taken in order to properly customize the server.
The administration of all the internal servers in an organization is the responsibility of a dedicated team, which should also keep a look out for any kind of compliance. If any compliance takes place, the team should accordingly implement or review the security policy.
When configuring internal servers, they must be registered in such a way that the servers can be identified on the basis of the following information:
Location of the server
The operating system version and its hardware configuration
Services and applications that are being run
Any service or application not being used should be disabled wherever possible.
All access to the services and applications on the server should be monitored and logged. They should also be protected through access-control methods. An example of this will be covered in Chapter 3, Local Filesystem Security.
The system should be kept updated, and any recent security patches, if available, should be installed as soon as possible.
Avoid using a root account to the maximum extent. It's preferable to use security principles that require the least amount of access to perform a function.
The server should be accessed in a controlled environment.
For a period of 1 month, all security-related logs should be kept online
For a period of 1 month, daily backups as well as weekly backups should be retained
For minimum of 2 years, full monthly backups should be retained
Any event related to security being compromised should be reported to the InfoSec team. They shall then review the logs and report the incident to the IT department.
A few examples of security-related events are as follows:
Following the preceding policy helps in the base configuration of the internal server that is owned or operated by the organization. Implementing the policy effectively will minimize any unauthorized access to sensitive and proprietary information.
Whenever we download an image file of any Linux distribution, it should always be checked for correctness and safety. This can be achieved by doing an MD5 checksum of the downloaded image with the MD5 value of the correct image.
This helps in checking the integrity of the downloaded file. Any changes to the files can be detected by the MD5 hash comparison.
Whenever any changes take place in the downloaded files, the MD5 hash comparison can detect it. The larger the file size, the higher the possibility of changes in the file. It is always recommended to do the MD5 hash comparison for files such as operating system installation files on a CD.
The MD5 checksum is normally installed on most Linux distributions, so installation is not required.
md5sumcommand will then print the calculated hash in a single line, as shown here:
Now, we can compare the hash calculated by the preceding command with the hash on the UbuntuHashes page (https://help.ubuntu.com/community/UbuntuHashes). After opening the UbuntuHashes page, we just need to copy the preceding hash that has been calculated in the Find box of the browser (by pressing Ctrl + F).
If the calculated hash and the hash on the UbuntuHashes page match, then the downloaded file is not damaged. If the hashes don't match, then there might be a problem with either the downloaded file or the server from where the download was made. Try downloading the file again. If the issue still persists, it is recommended that you report the issue to the administrator of the server.
Here's something extra in case you want to go the extra mile: try out the GUI checksum calculator that is available for Ubuntu
Sometimes, it's really inconvenient to use a terminal in order to perform checksums. You need to know the right directory of the downloaded file and also the exact filename. This makes it difficult to remember the exact commands.
You can download the tool from http://gtkhash.sourceforge.net/, and install it using this command:
sudo apt-get install gtkhash
In enterprises such as small businesses and government offices users may have to secure their systems in order to protect their private data, which includes customers details, important files, contact details, and so on. To do so, Linux provides good number of cryptographic techniques, which can be used to protect data on physical devices such as hard disks or a removable media. One such cryptographic technique uses the Linux Unified Key Setup-on-disk-format (LUKS). This technique allows for the encryption of Linux partitions.
An entire block device can be encrypted using LUKS. It's well suited to protecting data on removable storage media or laptop disk drives.
Once encrypted, the contents of the encrypted block devices are random, thus making it useful for the encryption of swap devices.
LUKS uses an existing device mapper kernel subsystem.
It also provides a passphrase strengthener, which helps in protecting against dictionary attacks.
For the following process to work, it is necessary that
/home is created on a separate partition while installing Linux.
Move to Run level 1. Type the following command in the shell prompt or terminal:
Now, unmount the current /home partition using this command:
The previous command might fail if there is any process controlling
/home. Find and kill any such process using the
fuser -mvk /home
Check to confirm that the
/homepartition is not mounted now:
grep home /proc/mounts
Now, put some random data into the partition:
shred -v --iterations=1 /dev/MYDisk/home
Once the previous command completes, initialize the partition:
cryptsetup --verbose --verify-passphrase luksFormat /dev/MYDisk/home
Open the newly created encrypted device:
cryptsetup luksOpen /dev/MYDisk/home
Check to confirm that the device is present:
ls -l /dev/mapper | grep home
Now create a filesystem:
Then, mount the new filesytem:
mount /dev/mapper/home /home
Confirm that the filesystem is still visible:
df -h | grep home
Enter the following line in the
home /dev/MYDisk/home none
Make changes in the
/etc/fstabfile to delete the entry for
/homeand add the following line:
/dev/mapper/home /home ext3 defaults 1 2
Once completed, run this command to restore the default SELinux security settings:
/sbin/restorecon -v -R /home
Reboot the machine:
shutdown -r now
After rebooting, the system will prompt us for the LUKS passphrase on boot. You can log in as the root now and restore your backup.
Congratulations! You have successfully created an encrypted partition. Now you can keep all your data safe even when your computer is off.
We first move into running level 1 and unmounting the
/home partition. Once unmounted, we fill some random data in the
/home partition. Then, we initialize the partition, using the
cryptsetup command to encrypt it.
Once the encryption is done, we mount the filesystem back again, and then make an entry of the partition in the
/etc/crypttab file. Also, the
/etc/fstab file is edited to add an entry for the preceding encrypted partition.
After completing all the steps, we have restored the default settings of SELinux.
Doing this, the system will always ask for the LUKS passphrase on boot.
Once the user is given access using the
sudo mechanism, they can execute any administrative command by preceding it with
sudo. Then, the user will be asked to enter their own password. After this, the administrative command will be executed in the same way as run by the root user.
As the file for the configuration is predefined and the commands used are inbuilt, nothing extra needs to be configured before starting these steps.
We will first create a normal account and then give it
sudoaccess. Once done, we will be able to use the
sudocommand from the new account and then execute the administrative commands. Follow the steps given to configure the
sudoaccess. Firstly, use the root account to login to the system. Then, create a user account using the
useraddcommand, as shown in the following figure:
USERNAMEwith any name of your choice in the preceding command.
Once the file is open in the editor, search for the following lines, which allow
sudoaccess to the users in the
We can enable the given configuration by deleting the comment character (
#) at the beginning of the second line. Once the changes are made, save the file and exit from the editor. Now, using the
usermodcommand, add the previously created user to the
To switch to the newly created user account, use the
Now, use the
groupscommand to confirm the presence of the user account in the
Finally, run the
sudofrom the new account. As we have executed a command that uses
sudofor the first time, using this new user account, the default banner message will be displayed for the
sudocommand. The screen will also ask for the user account password to be entered.
The last line of the preceding output is the username returned by the
sudois configured correctly, this value will be
When we create a new account, it does not have permission to run administrator commands. However, after editing the
/etc/sudoers file and making an appropriate entry to grant
sudo access to the new user account, we can start using the new user account to run all the administrator commands.
Here is an extra measure that you can take to ensure total security.
A vulnerability assessment is the process of auditing our network and system security through which we can know about the confidentiality, integrity, and availability of our network. The first phase in the vulnerability assessment is reconnaissance, and this further leads to the phase of system readiness in which we mainly check for all known vulnerabilities in the target. The next phase is reporting, where we group all the vulnerabilities found into categories of low, medium, and high risk.
Nmap is one of the most popular tools included in Linux that can be used to scan a network. It has been in existence for many years, and to date, it is one of the most preferable tools to gather information about a network.
When doing a vulnerability assessment, Nmap is surely a tool that can't be missed.
Most Linux versions have Nmap installed. The first step is to check whether you already have it using this command:
If Nmap exists, you should see an output similar to what is shown here:
If Nmap is not already installed, you can download and install it from https://nmap.org/download.html
The most common use of Nmap is to find all online hosts within a given IP range. The default command used to do this takes some time to scan the complete network, depending on the number of hosts present in the network. However, we can optimize the process in order to scan the range faster.
The following screenshot shows you an example of this:
In the preceding example, the time taken to complete the scan was 6.67 seconds when scanning 100 hosts. If the whole IP range for a particular network is to be scanned, it would take a lot more time.
Now, let's try to speed up the process. The
nswitch tells Nmap not to perform the DNS resolution of the IP addresses, hence making the process faster. The
Tswitch tells Nmap what speed to operate at. Here,
T1is the slowest and
T5is the fastest. The
max-rtt-timeoutoption specifies the maximum time required to wait for the response.
Now, the same command is shown in this example:
This time, Nmap scanned the complete IP range in 1.97 seconds. Pretty good, right?
Port scanning using Nmap helps us discover services that are online, such as finding FTP servers. To do this, use the following command:
The preceding command of Nmap shall list out all the IP addresses that have port 21 open.
Not only FTP, other services can also be discovered by matching the port numbers on which they run. For example, MySQL runs on port 3306. The command will now look like this:
Nmap checks for services that are listening by testing the most common network communication ports. This information helps the network administrator to close down any unwanted or unused services. The preceding examples show you how to use port scanning and Nmap as powerful tools to study the network around us.
Nmap also has scripting features using which we can write custom scripts. These scripts can be used with Nmap to automate and extend its scanning capabilities. You can find more information about Nmap on its official home page at https://nmap.org/
When trying to learn how to scan and exploit a Linux machine, one major problem we encounter is where to try learning it. For this purpose, the Metasploit team has developed and released a VMware machine called Metasploitable. This machine has been made vulnerable purposefully and has many services running unpatched. Due to this, it becomes a great platform to practice or develop penetration testing skills. In this section, you will learn how to scan a Linux system, and then using the scanning result, find a service that is vulnerable. Using this vulnerable service, we shall gain root access to the system.
Backtrack 5R2 and the Metasploitable VMware system will be used in this section. The image file of Metasploitable can be downloaded from http://sourceforge.net/projects/metasploitable/files/Metasploitable2/.
Follow these steps to gain root access to a vulnerable Linux system:
First, open the Metasploit console on the backtrack system by following this menu: navigate to Main Menu | Backtrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework | Msfconsole.
This figure shows the output of the command that is executed:
In the preceding command, the
-Ssoption allows us to perform a stealth scan, and the
-Aoption tries to discover the version information of the OS and service.
Also, in the preceding command, we can see that there are many services running on different ports. Among them is Samba, which runs on ports 139 and 445.
Once we are able to locate the Samba service, we will just focus on it now. From the preceding output, we can see that Samba is running version 3.x. Now, we shall try to get more specific information about the service. To do this, we will use any of the auxiliary modules of Metasploit, such as the scanner section, and look for the SMB protocol.
We can see that the scanner section has a SMB version detector. Now, we'll get the exact version of Samba using the SMB detector program. If we search online for all the vulnerabilities of the particular version of Samba, we will find the username map script.
We can now search in the list of exploits available in Metasploit to check whether an exploit exists for the
map scriptusername using the
Now, use the map script username to gain a root level shell in the system.
Now, we shall gain root-level access to the system using the preceding exploit. Once we choose the exploit and configure it with the target IP address (in this case,
192.168.0.1), we will execute a command to run the exploit. Doing this will create and give us a remote session on the target system and also open a command shell. Now, run the
id command in the remote shell. This will give a result—
uid=0(root)gid=0(root). This confirms that we have remote root access to the target system.
We first performed an Nmap scan to check for running services and open ports and found the Samba service running. Then, we tried to find the version of the SMB service. Once we got this information, we searched for any exploit available for Samba. Using the exploit, we tried to attack the target system and got the root shell on it.
Let's learn about a few more exploits and attacks that are peculiar to Linux.
In this section, we shall go through a few of the common exploits and attacks that Linux is vulnerable to. However, in this section, will not cover any recipes to deal with the attacks. This section is just to let you know about the common exploits used in Linux.
Often, administrators use default passwords that are provided to them by a vendor or they may even leave the administrative password blank. This happens mainly while configuring devices, such as routers, and also in BIOSes. Even some services running on Linux can contain the default administrator password. It is always recommended that you change the default password and set a new one that is only known to the administrator.
An attacker can find vulnerabilities on our systems and servers, and using these, they can install background programs or attack a network. This can be done if the attacker connects his system to our network in a way that makes it appear as though there's a node in the local network. There are various tools available to assist crackers while performing IP spoofing.
An attacker can collect data passing between two active nodes that communicate on a network by eavesdropping. This type of attack works mostly with protocols such as Telnet, FTP, and HTTP. Attacks of this kind can be done when the remote attacker already has access to any system on the network. This can be made possible using other attacks such as the Man in the Middle Attack.
Administrators should stay updated about any patches or updates that are available for any service or application running on the network system.
When an attacker sends unauthorized packets to the target system, which could be a server, router, or a workstation, in large numbers, it forces the resource to become unavailable to legitimate users.
The packets being sent by the attacker are usually forged, making the investigation process difficult.