The LINUX.COM Article Archive
Originally Published: Tuesday, 2 October 2001. Author: Jeff McClure and Katharine McCoy.
Published to: enchance_articles_security/Advanced Security Articles
A Beginner's Introduction to Network Security
Linux.com writers McClure and McCoy write "We hate to break it to you, but crackers don't just hack the important stuff, they hack whatever networks or boxes they can get into, just because they can." As you may already know, it is as important to "lock" your computer as it is to lock your front door, especially if you live on an "always on" broadband connection. But where to start? Well, start here.
Lately, the word "security" has been tossed around a lot in the news, IRC channels and elsewhere in the community. It seems that there's no end to viruses and script kiddies out there just waiting to get through the security on your network and damage something, or use your network to help with the latest denial-of-service attack. When someone breaks into your network, not only is it an inconvenience to you, but also a potential problem for others in the Internet community. What? You said you don't have security on your network? Gasp! Well, that's what we're here to talk about. We're going to share some reasons why you want security on your box along with a few pointers on how to secure your network. We're not going to go into great detail (that's for later articles). Our aim is to make you more aware of why you need to secure your network and then point you in the right direction.
Before we get into the thick of this discussion, let's start off by providing some simplified explanations for a few terms that will be used in the article. If you're familiar with these terms already, just skip ahead.
In general, when one computer connects to another across a network to use a resource (or service) such as a web server, it needs two major pieces of information: the IP address of the server computer and the port number on which the service runs. A computer with a single IP address can be running any number of these services (web, FTP, Telnet, etc.). The port number decides which service will be contacted. You can use these port numbers to help control access to your computer.
A port scan is a technique used by would-be crackers to determine a computer's vulnerabilities. It's called a port scan because it involves attempting to connect to a range of different port numbers on the same computer. An open port accepts the connection, a closed port refuses it, and a port behind a firewall that silently discards packets gives no answer at all; each kind of response tells the scanner something. Depending on the results, the attacker can learn more about a computer and what methods he can use to attack it.
A firewall is software or hardware which stands between an "external" network and an "internal" network (or a single "internal" computer). Its job is to control the flow of network traffic between these two networks. It does so by looking at information contained in each network packet (including IP address and port number) and deciding what action(s) to take. Common actions include passing the packet on to the other network, refusing the packet (and sending a refusal response to the sender), dropping the packet with no response at all, and noting the packet in a log file; Linux packet-filtering tools call these accept, reject, drop and log. The difference between refusing and dropping matters: a refusal tells the sender immediately that nothing is there, while a silent drop makes a port scanner wait for a timeout on every port it tries.
When talking about networked computers, the term vulnerability often surfaces. When used in this sense, a vulnerability indicates a means by which the security of a system (usually its software) might be breached. Vulnerabilities can go unnoticed for long periods of time, and the existence of a vulnerability does not necessarily imply the existence of a working exploit of that vulnerability.
An exploit (in our context) is a known way to take advantage of a vulnerability in a networked system (again, usually its software).
Network security is the type of security we are covering in this article. It means security measures designed to protect against attacks which originate from the network.
Quite a different security concept is internal security. This type of security involves protecting a computer against attacks which originate from the computer itself (often initiated by one of its users). This is an important aspect of security (it can help protect your computer if network security fails), but it's not the focus of this article.
You may ask, "Why do I need security on my network? There are no national secrets here. Nothing important for anyone to hack into." We hate to break it to you, but crackers don't just hack the important stuff, they hack whatever networks or boxes they can get into, just because they can. Just because the information on your computer isn't valuable to an attacker doesn't mean that he won't delete it just for fun. Also, your computer can be used by a cracker to attack others. This very concept makes possible the huge distributed denial-of-service attacks that have been seen lately.
With broadband Internet connections becoming more available to the general public, crackers now have more and easier targets. How? A cable modem or DSL modem provides you with an always-on, high speed pipe to the Internet. This has both its good and bad points. The same broadband connection that allows you to connect to the Internet faster and more freely can also allow others on the Internet to connect to your computer faster and more freely. Broadband providers don't usually filter their users' connections, so you cannot depend on your provider to protect you from attacks. Computers on broadband connections are part of large, well-known, contiguous blocks of IP addresses. Attackers use this fact to run easy port scans on entire blocks of broadband users in the hopes of finding a few computers that have exploitable vulnerabilities. Software exploit tools are readily available to allow even inexperienced attackers to take advantage of these vulnerabilities.
Compounding this problem, some distributions of Linux install with lots of services enabled by default. The more services that are enabled (even the ones not being used), the more chance that the attacker will be able to find one with a vulnerability he can exploit.
Now that we've established some of the reasons that you would want to secure your network, let's talk about ways to actually do it. In the interest of space and keeping these tips distribution-neutral, we're only going to discuss general concepts here. If there is enough interest, we can go into greater detail in later articles.
First, disable everything you don't need. Yes, that's right, everything. Every running service is another possible entry point. What do we mean by services? Some of the better-known services are FTP, Telnet, and web (e.g. Apache) servers. Some lesser-known examples include SMTP servers like Sendmail, the finger server, network time servers, and NFS (which actually runs on top of another commonly-enabled service known as the RPC portmapper). To find out just what services your computer is offering, run "netstat -a" and look under the "Active Internet connections" section for sockets in the LISTEN state (add the "-n" switch to see port numbers instead of service names, and "-p" to see which program owns each socket). You may be surprised by just how long that list is.
The bad news is that many distributions of Linux come with most or all of these services enabled unless you specify otherwise. The method for disabling services varies depending on the service and the distribution, but the first choice is to use your distribution's package management system (e.g. RPM) to remove the service altogether. If that doesn't work, there are other methods. A standalone service is disabled by preventing its daemon from running. Usually a system startup script runs the daemon at boot time. Check your distribution's documentation for information on how to modify the startup scripts. Services that don't have standalone daemons are started by a program called "inetd". Disabling these services involves commenting their lines out of the file "/etc/inetd.conf" and then sending inetd a HUP signal so it re-reads the file. On distributions that use xinetd instead, each such service has its own file under "/etc/xinetd.d" containing a "disable = yes" line to set. For a decent explanation of these issues, check out section 5.8 of the Linux Networking HOWTO, at: http://www.linuxdoc.org/HOWTO/Net-HOWTO/index.html
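As an added example (not from the original article), here is a small POSIX shell script that does the two steps above: it pulls the listening sockets out of netstat output, which is the same list a port scanner would discover from outside, and then comments a service out of an inetd.conf. The netstat output and inetd.conf lines it works on are constructed samples in the 2001-era net-tools and inetd formats; on a real box you would pipe "netstat -an" into the first function and point the second at /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the original article. Lists the services a box is
# offering to the network and disables an inetd-started service. Real use:
#   netstat -an | listening_ports
#   disable_inetd_service telnet /etc/inetd.conf

# Constructed sample of "netstat -an" output (2001-era net-tools format).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:1034        ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1234   /dev/log'

# listening_ports: read "netstat -an" output on stdin and print one line
# "proto port bound-address" per socket that accepts traffic from the
# network. TCP servers are in state LISTEN; UDP has no state, so any UDP
# socket with a wildcard peer counts. A service bound to 127.0.0.1 is not
# reachable from the network, which the last column makes visible.
listening_ports() {
    awk '/^Active UNIX/ { exit }        # stop at the UNIX-socket section
         ($1 == "tcp" && $6 == "LISTEN") || ($1 == "udp" && $5 == "0.0.0.0:*") {
             port = $4; sub(/.*:/, "", port)       # text after the last colon
             addr = $4; sub(/:[^:]*$/, "", addr)   # text before it
             print $1, port, addr
         }' | sort -u
}

# disable_inetd_service NAME FILE: comment out NAME's line in an inetd.conf.
# Writes a temporary copy next to FILE and moves it into place. inetd only
# re-reads the file after a SIGHUP:  kill -HUP "$(cat /var/run/inetd.pid)"
disable_inetd_service() {
    svc=$1
    conf=$2
    sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Demonstration on the constructed samples.
echo "Services offered to the network (proto port address):"
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports

demo_conf=${TMPDIR:-/tmp}/inetd.conf.demo.$$
printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.ftpd\n' > "$demo_conf"
printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.telnetd\n' >> "$demo_conf"
printf 'finger\tstream\ttcp\tnowait\tnobody\t/usr/sbin/tcpd\tin.fingerd\n' >> "$demo_conf"
disable_inetd_service telnet "$demo_conf"
disable_inetd_service finger "$demo_conf"
echo "inetd.conf after disabling telnet and finger:"
cat "$demo_conf"
rm -f "$demo_conf"
```

The sed pattern anchors on the service name followed by whitespace, so disabling "telnet" leaves a hypothetical "telnetd" line alone; the temporary-file-then-move step means inetd never sees a half-written configuration.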
If you must make some services available to the network, be sure to understand them so that you can make them as secure as possible. One of the most common causes of security breaches is incorrect configuration. Things like mis-configured anonymous FTP servers have brought down many systems. Most of the commonly-used network servers have extensive documentation, often included right in the configuration files. Read it. Learn it. Live it. If you don't understand how a particular service works, you're inviting trouble. Pay special attention to how the service passes its data over the network. Does the service require users to log in? If so, are the usernames and passwords encrypted? FTP and Telnet are examples of services which pass usernames and passwords over the network in clear text. That means anyone along the way can sniff those sessions and use them to log into your computer. That's why we recommend using SSH instead of Telnet and something like SCP instead of FTP.
Once you've researched and properly configured your services, keep them updated. Our recommendation is to use the latest stable version of each service you use. If the service was installed using your distribution's package manager, keep an eye on the web site for your distribution for updates. While you're watching for new versions of the software, keep your eyes open for new information about those services. Watch a few security-related web sites for new alerts.
Even though your provider doesn't filter your connection, that doesn't mean that you can't. One of the great strengths of Linux is its highly-configurable networking system. Virtually all recent Linux distributions come with the correct kernel and the right software tools to allow you to filter your network traffic based on IP address, port, interface, and other parameters. For a good (but perhaps a bit dated) explanation of filtering (or "firewalling") take a look at the Linux Firewall and Proxy Server HOWTO: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
The method for setting up the firewall depends on what version of kernel is running. For those running version 2.2.x kernels, the tool is called "ipchains." A great source of information for this tool is located in the Linux IPCHAINS-HOWTO: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
For 2.4.x kernels, the tool is called "iptables." I have yet to find a really simple guide for using iptables. However, it accomplishes the same purpose as the ipchains tool (and adds stateful filtering, which tracks the connections your computer initiates and lets only their replies back in), so the IPCHAINS-HOWTO above will probably be helpful. For iptables-specific information, check out: http://netfilter.filewatcher.org/unreliable-guides/index.html
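The following is an added example, not from the article or the netfilter project: a minimal iptables ruleset for a 2.4.x kernel on a broadband-connected box, exercising the four firewall actions described earlier (accept, reject, drop and log). The external interface (eth0) and the single service left open (SSH on port 22) are assumptions for illustration. Setting IPT to "echo iptables" previews the commands without touching the kernel, which is also how you would check the ruleset before running it as root.

```shell
#!/bin/sh
# Added example, not from the article or the netfilter project: a minimal
# iptables ruleset (2.4.x kernel) for a single box on a broadband link.
# The defaults below are assumptions; override them in the environment.
#   sh firewall.sh          # preview: prints the commands, touches nothing
#   sh firewall.sh apply    # as root: loads the rules into the kernel
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}        # assumed: the interface facing the Internet
ALLOW_TCP=${ALLOW_TCP:-22}    # assumed: SSH is the only service offered

apply_firewall() {
    # Flush old rules so the script is repeatable.
    $IPT -F INPUT
    $IPT -F OUTPUT
    # Policies: inbound traffic is refused unless a rule accepts it;
    # traffic this box sends out is trusted.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback: local programs talk to each other over it.
    $IPT -A INPUT -i lo -j ACCEPT
    # Stateful rule: replies to connections this box started.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ACCEPT action: the services deliberately offered to the world.
    for port in $ALLOW_TCP; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -j ACCEPT
    done
    # REJECT action: answer identd probes (port 113) with a TCP reset so
    # mail and IRC servers that probe identd do not hang on a silent drop.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # LOG action, rate-limited so a port scan cannot fill /var/log, ...
    $IPT -A INPUT -i "$EXT_IF" -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
    # ... then DROP action: everything else vanishes without a reply.
    $IPT -A INPUT -i "$EXT_IF" -j DROP
}

case "${1:-}" in
    apply) apply_firewall ;;                        # real run, needs root
    *)     IPT="echo iptables"; apply_firewall ;;   # dry run (default)
esac
```

Rule order is what makes this work: the loopback and stateful rules come before the catch-all, the LOG rule sits immediately before the final DROP so only what is about to be discarded gets logged, and the default INPUT policy of DROP covers any interface the explicit rules forgot.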
Finally, for lots of network security issues in general I find the TrinityOS document at http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c.html to be very helpful. In this document, David Ranch basically shows the entire configuration for his own machine. Take a look at section 10 in particular, where David gives some really good ideas on firewall construction.
Most Linux distributions are set up to log a whole host of system-related events to log files. The details of what is logged and where are up to the distribution, but a good place to start is the "/var/log" directory. Take a look at the files that are available and keep an eye on them periodically. They can tell you about someone who's trying to attack and about many other events that can jeopardize your system. There are tools that can watch your logs for you (logcheck and swatch are two), and a related tool called "Tripwire" takes a different approach: it records checksums of your system files and reports any that change, which is how you notice that an attacker who did get in has replaced a binary or a configuration file. All of these tools require careful setup.
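As an added example (not code from the article), here is an awk-based log check of the kind a log-watching tool automates: it reads syslog lines on standard input, flags sources whose dropped packets hit many distinct ports (the signature of a port scan as seen from the firewall's side, assuming the firewall's LOG rule used a "FW-DROP:" prefix) and counts sshd password failures per source. The log lines are constructed samples, abbreviated from the real kernel LOG-target and sshd formats; on a real machine you would run it as port_scanners 5 < /var/log/messages.

```shell
#!/bin/sh
# Added example, not code from the article. Two checks of the kind a log
# watcher automates, written with awk so they run on any Linux box. Both
# read syslog-style lines on stdin, e.g.:
#   port_scanners 5 < /var/log/messages
#   failed_logins < /var/log/messages

# Constructed sample lines, abbreviated from the kernel LOG-target and sshd
# formats. "FW-DROP:" is whatever --log-prefix the firewall rule used.
SAMPLE_LOG='Oct  2 03:14:01 box sshd[812]: Accepted password for jeff from 192.168.1.9 port 1034 ssh2
Oct  2 03:15:22 box kernel: FW-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=24.0.0.5 LEN=40 PROTO=TCP SPT=40112 DPT=21 SYN
Oct  2 03:15:22 box kernel: FW-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=24.0.0.5 LEN=40 PROTO=TCP SPT=40113 DPT=23 SYN
Oct  2 03:15:23 box kernel: FW-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=24.0.0.5 LEN=40 PROTO=TCP SPT=40114 DPT=23 SYN
Oct  2 03:15:23 box kernel: FW-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=24.0.0.5 LEN=40 PROTO=TCP SPT=40115 DPT=79 SYN
Oct  2 03:15:24 box kernel: FW-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=24.0.0.5 LEN=40 PROTO=TCP SPT=40116 DPT=111 SYN
Oct  2 03:15:24 box kernel: FW-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=24.0.0.5 LEN=40 PROTO=TCP SPT=40117 DPT=515 SYN
Oct  2 03:15:25 box kernel: FW-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=24.0.0.5 LEN=40 PROTO=TCP SPT=40118 DPT=6000 SYN
Oct  2 03:20:10 box kernel: FW-DROP: IN=eth0 OUT= SRC=172.16.4.4 DST=24.0.0.5 LEN=48 PROTO=TCP SPT=1112 DPT=80 SYN
Oct  2 03:31:07 box sshd[900]: Failed password for root from 10.9.8.7 port 40200 ssh2
Oct  2 03:31:11 box sshd[900]: Failed password for root from 10.9.8.7 port 40200 ssh2
Oct  2 03:31:15 box sshd[900]: Failed password for root from 10.9.8.7 port 40200 ssh2'

# port_scanners [THRESHOLD]: print "source distinct-ports" for every source
# address whose dropped packets targeted at least THRESHOLD (default 5)
# different destination ports. One address touching many ports in a short
# time is what a port scan looks like from the firewall's side.
port_scanners() {
    awk -v t="${1:-5}" '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, however many packets
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= t) print s, ports[s] }' | sort
}

# failed_logins: count sshd password failures per source address. A burst
# from one address is a password-guessing run against a service you chose
# to leave open.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (s in n) print s, n[s] }' | sort
}

echo "Possible port scans (source, distinct ports hit):"
printf '%s\n' "$SAMPLE_LOG" | port_scanners 5
echo "SSH password failures (source, count):"
printf '%s\n' "$SAMPLE_LOG" | failed_logins
```

Counting distinct ports per source rather than raw packets is what separates a scan from a single retrying client: the repeated probe of port 23 in the sample is counted once, and the lone hit on port 80 from the second address never reaches the threshold.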
One of the most important rules of security is that no security is perfect. It doesn't matter how well you try to protect your computer, unless you lock it inside a steel vault with no access to the outside (not very useful), there is always some risk of being attacked. We're not suggesting you go that far. Just learn to balance the need for network connectivity with the need for network security. We've given some really general tips in this article. If the interest is there, we can continue this series with articles that are a lot more specific about certain topics.
Many attacks can be prevented by taking measures which don't affect usability at all. Thoroughly evaluate the services you need and disable those you don't. Keep your software and your knowledge updated. Set up packet filtering. Keep an eye on your system logs. With a bit of thought and a lot of learning, that wide-open pipe to the Internet can be a lot safer for your computer.