Network Security - Part II

The course is part of this learning path

Linux Security and Hardening
7
4
Start course
Overview
Difficulty
Intermediate
Duration
1h 7m
Students
100
Ratings
5/5
starstarstarstarstar
Description

In this course, you'll learn some techniques and strategies to secure network services. You'll also learn how the local firewall works in Linux and how to configure it. We'll talk about information leakage and ways to prevent it. Next, you'll learn how to test for open ports and perform port scans. You'll also learn about xinetd, what it does, and how to secure it. We'll also cover how to secure SSH. This course includes some guided demonstrations so that you can see the concepts being used in real-world environments.

Learning Objectives

  • Learn how to secure SSH
  • Understand the fundamentals of Linux firewall security, including configuring a firewall from the command line and setting up firewall rules
  • Learn how to use TCP wrappers to secure your Linux system

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.

Prerequisites

To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.

Transcript

Avoid information leakage wherever possible. Some network services will report their exact name and version number. An attacker could use this information to look for security holes for that specific application and version. The common example of this is when a web server reports it's name, version and sometimes the operating system that it's running on in the server response field of an HTTP header. Another place information can be leaked is in the message of the day file /etc/motd which gets displayed when the user logs onto a system. Another place is the etc issue file, which is displayed before a login prompt on the Linux console. Although it's not commonly used today, there may be similar information stored in /etc/issue.net. Historically, this was used for Telnet sessions although you may find some SSH configurations that reference it. We've talked about services and only running the services that you intend to use. So how do you tell what services are currently running on your system and how do you disable them if you want to? If you're using system D, run the systemctl command and it will give you a list of the running services. Not everything listed as a network service but it gives you an idea of what's running on your system. Here's just a snippet of some systemctl output. It shows that a web server is running as well as an SSH server. If you want to stop a system decontrolled service, run systemctl stop followed by the name of the service. To disable a service run systemctl disable followed by the name of the service. Stopping a service stops it for now but if it's enabled, then it will start again when the system reboots. To prevent that from happening, disable the service. One way to find out which services are running on your system is to use the netstat command. You can see that I've supplied the nutlp options and displays the output in numeric format. No IP addresses will be translated into host names. U tells netstat to include the UDP protocol. Likewise T tells netstat to include TCP. The L option tells netstat to display only listening sockets. Finally, the P option displays the PID and name of the process that is doing the listening. You'll need to run this command with root privileges. The sample output on your screen shows that the SSHD program is listening on port 22 on all IP addresses. That's what 0.0.0.0 represents. However, the master program is listening on the 127.0.0.1 IP address on port 25. That process is part of the postfix mail server and it's listening on the SMTP port, which is 25. This service will only handle mail for the local system since it's listening on the loop back IP of 127.0.0.1. This is a good practice and it's something I encourage you to do. If a network service is only going to be used by the local host, bind it to the loop back address so the service is not available over the outside network. Also, this output shows that the DHC client process is listening on UDP port 68. Another way to tell if something is listening on your system is to port scan it. One popular tool for doing that is nmap. If you are testing your system from the inside itself, you can port scan the local host or you can port scan your host from the outside. In the simplest form nmap is called with an IP address or host name as an argument. It will then scan for open ports and report back what it finds. Here's a sample run of nmap against the loop back address. It shows that ports 22, 25 and 80 are open. Those are ports for SSH, SMTP and HTTP. Here is some output from the nmap command run against the public IP address of the server. Notice that port 25 is not listed. That's because the mail service is only listening on the loop back address and not on the public address. Yet another way to look for services on your system is to use the lsof command. LSOF stands for list open files. To do this, use the lsof command with a -i option. Remember practically everything on a Linux system is represented as a file so we can list the network file, so to speak. So run lsof -i and it will display all the listening and established network connections. If you want to see if a specific port is reachable, you can use the Telnet command, supply the host name or IP address you want to connect to and then the port number. Historically Telnet was used to log into systems, but you can still use this tool to connect to a port. Once connected, you can even send data over that port by typing in text. You can test some plain text protocols like HTTP or SMTP using this method. You can also use the nc or netcat command to attempt a connection to an open port. Run nc -v followed by the host name or IP address to connect to and then what port to connect to. The -v option is for verbose and using it will cause netcat to clearly print out whether the connection succeeded or failed. Although it's less and less common, you may encounter a service that is controlled by xinetd. If you see an xinetd process listing on a port when a connection to that port is made, xinetd will actually start the process that is responsible for that port and hand the connection over to that process. To see a list xinetd supported services, look in the /etc/xinetd.d'directory. Each service will have its own configuration file. To disable one of those services, ensure that there is a disabled equals yes line in the file. To disable xinetd itself, stop the process and make sure it doesn't start on boot. For a system decontrolled system run systemctl stop xinetd and then run systemctl disable xinetd.

About the Author
Avatar
Jason Cannon
Founder, Linux Training Academy
Students
3315
Courses
60
Learning Paths
7

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.