1 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
---|
2 | <html xmlns="http://www.w3.org/1999/xhtml"> |
---|
3 | <head> |
---|
4 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
---|
5 | <meta http-equiv="Content-Style-Type" content="text/css" /> |
---|
6 | <meta name="generator" content="pandoc" /> |
---|
7 | <title>Host Security Exercise</title> |
---|
8 | <style type="text/css">code{white-space: pre;}</style> |
---|
9 | <link href="data:text/css,%2F%2A%0A%20%20%20%20Buttondown%0A%20%20%20%20A%20Markdown%2FMultiMarkdown%2FPandoc%20HTML%20output%20CSS%20stylesheet%0A%20%20%20%20Author%3A%20Ryan%20Gray%0A%20%20%20%20Date%3A%2015%20Feb%202011%0A%20%20%20%20Revised%3A%2021%20Feb%202012%0A%20%20%20%0A%20%20%20%20General%20style%20is%20clean%2C%20with%20minimal%20re%2Ddefinition%20of%20the%20defaults%20or%20%0A%20%20%20%20overrides%20of%20user%20font%20settings%2E%20The%20body%20text%20and%20header%20styles%20are%20%0A%20%20%20%20left%20alone%20except%20title%2C%20author%20and%20date%20classes%20are%20centered%2E%20A%20Pandoc%20TOC%20%0A%20%20%20%20is%20not%20printed%2C%20URLs%20are%20printed%20after%20hyperlinks%20in%20parentheses%2E%20%0A%20%20%20%20Block%20quotes%20are%20italicized%2E%20Tables%20are%20lightly%20styled%20with%20lines%20above%20%0A%20%20%20%20and%20below%20the%20table%20and%20below%20the%20header%20with%20a%20boldface%20header%2E%20Code%20%0A%20%20%20%20blocks%20are%20line%20wrapped%2E%20%0A%20%0A%20%20%20%20All%20elements%20that%20Pandoc%20and%20MultiMarkdown%20use%20should%20be%20listed%20here%2C%20even%20%0A%20%20%20%20if%20the%20style%20is%20empty%20so%20you%20can%20easily%20add%20styling%20to%20anything%2E%0A%20%20%20%20%0A%20%20%20%20There%20are%20some%20elements%20in%20here%20for%20HTML5%20output%20of%20Pandoc%2C%20but%20I%20have%20not%20%0A%20%20%20%20gotten%20around%20to%20testing%20that%20yet%2E%0A%2A%2F%0A%20%0A%2F%2A%20NOTES%3A%0A%20%0A%20%20%20%20Stuff%20tried%20and%20failed%3A%0A%20%20%20%20%0A%20%20%20%20It%20seems%20that%20specifying%20font%2Dfamily%3Aserif%20in%20Safari%20will%20always%20use%20%0A%20%20%20%20Times%20New%20Roman%20rather%20than%20the%20user%27s%20preferences%20setting%2E%0A%20%20%20%20%0A%20%20%20%20Making%20the%20font%20size%20different%20or%20a%20fixed%20value%20for%20print%20in%20case%20the%20screen%20%0A%20%20%20%20font%20size%20is%20making%20the%20print%20font%20too%20big%3A%20Making%20font%2Dsize%20different%20for%20%0A%20%20%20%20print%20than%20for%20screen%20causes%20horizontal%20lines%20to%20disappear%20in%20math%20when%20using%20%0A%20%20%20%20MathJax%20under%20Safari%2E%0A%2A%2F%0A%20%0A%2F%2A%20%2D%2D%2D%2D%20Front%20Matter%20%2D%2D%2D%2D%20%2A%2F%0A%20%0A%2F%2A%20Pandoc%20header%20DIV%2E%20Contains%20%2Etitle%2C%20%2Eauthor%20and%20%2Edate%2E%20Comes%20before%20div%23TOC%2E%20%0A%20%20%20Only%20appears%20if%20one%20of%20those%20three%20are%20in%20the%20document%2E%0A%2A%2F%0A%20%0Adiv%23header%2C%20header%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20Put%20border%20on%20bottom%2E%20Separates%20it%20from%20TOC%20or%20body%20that%20comes%20after%20it%2E%20%2A%2F%0A%20%20%20%20border%2Dbottom%3A%201px%20solid%20%23aaa%3B%0A%20%20%20%20margin%2Dbottom%3A%200%2E5em%3B%0A%20%20%20%20%7D%0A%20%0A%2Etitle%20%2F%2A%20Pandoc%20title%20header%20%28h1%2Etitle%29%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20text%2Dalign%3A%20center%3B%0A%20%20%20%20%7D%0A%20%0A%2Eauthor%2C%20%2Edate%20%2F%2A%20Pandoc%20author%28s%29%20and%20date%20headers%20%28h2%2Eauthor%20and%20h3%2Edate%29%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20text%2Dalign%3A%20center%3B%0A%20%20%20%20%7D%0A%20%0A%2F%2A%20Pandoc%20table%20of%20contents%20DIV%20when%20using%20the%20%2D%2Dtoc%20option%2E%0A%20%20%20NOTE%3A%20this%20doesn%27t%20support%20Pandoc%27s%20%2D%2Did%2Dprefix%20option%20for%20%23TOC%20and%20%23header%2E%20%0A%20%20%20Probably%20would%20need%20to%20use%20div%5Bid%24%3D%27TOC%27%5D%20and%20div%5Bid%24%3D%27header%27%5D%20as%20selectors%2E%0A%2A%2F%0A%20%0Adiv%23TOC%2C%20nav%23TOC%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20Put%20border%20on%20bottom%20to%20separate%20it%20from%20body%2E%20%2A%2F%0A%20%20%20%20border%2Dbottom%3A%201px%20solid%20%23aaa%3B%0A%20%20%20%20margin%2Dbottom%3A%200%2E5em%3B%0A%20%20%20%20%7D%0A%20%0A%40media%20print%0A%20%20%20%20%7B%0A%20%20%20%20div%23TOC%2C%20nav%23TOC%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20Don%27t%20display%20TOC%20in%20print%20%2A%2F%0A%20%20%20%20%20%20%20%20display%3A%20none%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%20%0A%2F%2A%20%2D%2D%2D%2D%20Headers%20and%20sections%20%2D%2D%2D%2D%20%2A%2F%0A%20%0Ah1%2C%20h2%2C%20h3%2C%20h4%2C%20h5%2C%20h6%0A%7B%0A%20%20%20%20font%2Dfamily%3A%20%22Helvetica%20Neue%22%2C%20Helvetica%2C%20%22Liberation%20Sans%22%2C%20Calibri%2C%20Arial%2C%20sans%2Dserif%3B%20%2F%2A%20Sans%2Dserif%20headers%20%2A%2F%0A%20%0A%20%20%20%20%2F%2A%20font%2Dfamily%3A%20%22Liberation%20Serif%22%2C%20%22Georgia%22%2C%20%22Times%20New%20Roman%22%2C%20serif%3B%20%2F%2A%20Serif%20headers%20%2A%2F%0A%20%0A%20%20%20%20page%2Dbreak%2Dafter%3A%20avoid%3B%20%2F%2A%20Firefox%2C%20Chrome%2C%20and%20Safari%20do%20not%20support%20the%20property%20value%20%22avoid%22%20%2A%2F%0A%7D%0A%20%0A%2F%2A%20Pandoc%20with%20%2D%2Dsection%2Ddivs%20option%20%2A%2F%0A%20%0Adiv%20div%2C%20section%20section%20%2F%2A%20Nested%20sections%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20margin%2Dleft%3A%202em%3B%20%2F%2A%20This%20will%20increasingly%20indent%20nested%20header%20sections%20%2A%2F%0A%20%20%20%20%7D%0A%20%0Ap%20%7B%7D%0A%20%0Ablockquote%0A%20%20%20%20%7B%20%0A%20%20%20%20font%2Dstyle%3A%20italic%3B%0A%20%20%20%20%7D%0A%20%0Ali%20%2F%2A%20All%20list%20items%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0Ali%20%3E%20p%20%2F%2A%20Loosely%20spaced%20list%20item%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20margin%2Dtop%3A%201em%3B%20%2F%2A%20IE%3A%20lack%20of%20space%20above%20a%20%3Cli%3E%20when%20the%20item%20is%20inside%20a%20%3Cp%3E%20%2A%2F%0A%20%20%20%20%7D%0A%20%0Aul%20%2F%2A%20Whole%20unordered%20list%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0Aul%20li%20%2F%2A%20Unordered%20list%20item%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0Aol%20%2F%2A%20Whole%20ordered%20list%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0Aol%20li%20%2F%2A%20Ordered%20list%20item%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0Ahr%20%7B%7D%0A%20%0A%2F%2A%20%2D%2D%2D%2D%20Some%20span%20elements%20%2D%2D%2D%20%2A%2F%0A%20%0Asub%20%2F%2A%20Subscripts%2E%20Pandoc%3A%20H%7E2%7EO%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0Asup%20%2F%2A%20Superscripts%2E%20Pandoc%3A%20The%202%5End%5E%20try%2E%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%20%20%20%0Aem%20%2F%2A%20Emphasis%2E%20Markdown%3A%20%2Aemphasis%2A%20or%20%5Femphasis%5F%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%20%20%20%0Aem%20%3E%20em%20%2F%2A%20Emphasis%20within%20emphasis%3A%20%2AThis%20is%20all%20%2Aemphasized%2A%20except%20that%2A%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20font%2Dstyle%3A%20normal%3B%0A%20%20%20%20%7D%0A%20%0Astrong%20%2F%2A%20Markdown%20%2A%2Astrong%2A%2A%20or%20%5F%5Fstrong%5F%5F%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0A%2F%2A%20%2D%2D%2D%2D%20Links%20%28anchors%29%20%2D%2D%2D%2D%20%2A%2F%0A%20%0Aa%20%2F%2A%20All%20links%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20Keep%20links%20clean%2E%20On%20screen%2C%20they%20are%20colored%3B%20in%20print%2C%20they%20do%20nothing%20anyway%2E%20%2A%2F%0A%20%20%20%20text%2Ddecoration%3A%20none%3B%0A%20%20%20%20%7D%0A%20%0A%40media%20screen%0A%20%20%20%20%7B%0A%20%20%20%20a%3Ahover%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20On%20hover%2C%20we%20indicate%20a%20bit%20more%20that%20it%20is%20a%20link%2E%20%2A%2F%0A%20%20%20%20%20%20%20%20text%2Ddecoration%3A%20underline%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%20%0A%40media%20print%0A%20%20%20%20%7B%0A%20%20%20%20a%20%20%20%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20In%20print%2C%20a%20colored%20link%20is%20useless%2C%20so%20un%2Dstyle%20it%2E%20%2A%2F%0A%20%20%20%20%20%20%20%20color%3A%20black%3B%0A%20%20%20%20%20%20%20%20background%3A%20transparent%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20a%5Bhref%5E%3D%22http%3A%2F%2F%22%5D%3Aafter%2C%20a%5Bhref%5E%3D%22https%3A%2F%2F%22%5D%3Aafter%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20However%2C%20links%20that%20go%20somewhere%20else%2C%20might%20be%20useful%20to%20the%20reader%2C%0A%20%20%20%20%20%20%20%20%20%20%20so%20for%20http%20and%20https%20links%2C%20print%20the%20URL%20after%20what%20was%20the%20link%20%0A%20%20%20%20%20%20%20%20%20%20%20text%20in%20parens%0A%20%20%20%20%20%20%20%20%2A%2F%0A%20%20%20%20%20%20%20%20content%3A%20%22%20%28%22%20attr%28href%29%20%22%29%20%22%3B%0A%20%20%20%20%20%20%20%20font%2Dsize%3A%2090%25%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%20%0A%2F%2A%20%2D%2D%2D%2D%20Images%20%2D%2D%2D%2D%20%2A%2F%0A%20%0Aimg%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20Let%20it%20be%20inline%20left%2Fright%20where%20it%20wants%20to%20be%2C%20but%20verticality%20make%20%0A%20%20%20%20%20%20%20it%20in%20the%20middle%20to%20look%20nicer%2C%20but%20opinions%20differ%2C%20and%20if%20in%20a%20multi%2Dline%20%0A%20%20%20%20%20%20%20paragraph%2C%20it%20might%20not%20be%20so%20great%2E%20%0A%20%20%20%20%2A%2F%0A%20%20%20%20vertical%2Dalign%3A%20middle%3B%0A%20%20%20%20%7D%0A%20%0Adiv%2Efigure%20%2F%2A%20Pandoc%20figure%2Dstyle%20image%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20Center%20the%20image%20and%20caption%20%2A%2F%0A%20%20%20%20margin%2Dleft%3A%20auto%3B%0A%20%20%20%20margin%2Dright%3A%20auto%3B%0A%20%20%20%20text%2Dalign%3A%20center%3B%0A%20%20%20%20font%2Dstyle%3A%20italic%3B%0A%20%20%20%20%7D%0A%20%0Ap%2Ecaption%20%2F%2A%20Pandoc%20figure%2Dstyle%20caption%20within%20div%2Efigure%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20Inherits%20div%2Efigure%20props%20by%20default%20%2A%2F%0A%20%20%20%20%7D%0A%20%0A%2F%2A%20%2D%2D%2D%2D%20Code%20blocks%20and%20spans%20%2D%2D%2D%2D%20%2A%2F%0A%20%0Apre%2C%20code%20%0A%20%20%20%20%7B%0A%20%20%20%20background%2Dcolor%3A%20%23fdf7ee%3B%0A%20%20%20%20%2F%2A%20BEGIN%20word%20wrap%20%2A%2F%0A%20%20%20%20%2F%2A%20Need%20all%20the%20following%20to%20word%20wrap%20instead%20of%20scroll%20box%20%2A%2F%0A%20%20%20%20%2F%2A%20This%20will%20override%20the%20overflow%3Aauto%20if%20present%20%2A%2F%0A%20%20%20%20white%2Dspace%3A%20pre%2Dwrap%3B%20%2F%2A%20css%2D3%20%2A%2F%0A%20%20%20%20white%2Dspace%3A%20%2Dmoz%2Dpre%2Dwrap%20%21important%3B%20%2F%2A%20Mozilla%2C%20since%201999%20%2A%2F%0A%20%20%20%20white%2Dspace%3A%20%2Dpre%2Dwrap%3B%20%2F%2A%20Opera%204%2D6%20%2A%2F%0A%20%20%20%20white%2Dspace%3A%20%2Do%2Dpre%2Dwrap%3B%20%2F%2A%20Opera%207%20%2A%2F%0A%20%20%20%20word%2Dwrap%3A%20break%2Dword%3B%20%2F%2A%20Internet%20Explorer%205%2E5%2B%20%2A%2F%0A%20%20%20%20%2F%2A%20END%20word%20wrap%20%2A%2F%0A%20%20%20%20%7D%0A%20%0Apre%20%2F%2A%20Code%20blocks%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20Distinguish%20pre%20blocks%20from%20other%20text%20by%20more%20than%20the%20font%20with%20a%20background%20tint%2E%20%2A%2F%0A%20%20%20%20padding%3A%200%2E5em%3B%20%2F%2A%20Since%20we%20have%20a%20background%20color%20%2A%2F%0A%20%20%20%20border%2Dradius%3A%205px%3B%20%2F%2A%20Softens%20it%20%2A%2F%0A%20%20%20%20%2F%2A%20Give%20it%20a%20some%20definition%20%2A%2F%0A%20%20%20%20border%3A%201px%20solid%20%23aaa%3B%0A%20%20%20%20%2F%2A%20Set%20it%20off%20left%20and%20right%2C%20seems%20to%20look%20a%20bit%20nicer%20when%20we%20have%20a%20background%20%2A%2F%0A%20%20%20%20margin%2Dleft%3A%20%200%2E5em%3B%0A%20%20%20%20margin%2Dright%3A%200%2E5em%3B%0A%20%20%20%20%7D%0A%20%0A%40media%20screen%0A%20%20%20%20%7B%0A%20%20%20%20pre%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20On%20screen%2C%20use%20an%20auto%20scroll%20box%20for%20long%20lines%2C%20unless%20word%2Dwrap%20is%20enabled%20%2A%2F%0A%20%20%20%20%20%20%20%20white%2Dspace%3A%20pre%3B%0A%20%20%20%20%20%20%20%20overflow%3A%20auto%3B%0A%20%20%20%20%20%20%20%20%2F%2A%20Dotted%20looks%20better%20on%20screen%20and%20solid%20seems%20to%20print%20better%2E%20%2A%2F%0A%20%20%20%20%20%20%20%20border%3A%201px%20dotted%20%23777%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%20%0Acode%20%2F%2A%20All%20inline%20code%20spans%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0Ap%20%3E%20code%2C%20li%20%3E%20code%20%2F%2A%20Code%20spans%20in%20paragraphs%20and%20tight%20lists%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20Pad%20a%20little%20from%20adjacent%20text%20%2A%2F%0A%20%20%20%20padding%2Dleft%3A%20%202px%3B%0A%20%20%20%20padding%2Dright%3A%202px%3B%0A%20%20%20%20%7D%0A%20%20%20%20%0Ali%20%3E%20p%20code%20%2F%2A%20Code%20span%20in%20a%20loose%20list%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20We%20have%20room%20for%20some%20more%20background%20color%20above%20and%20below%20%2A%2F%0A%20%20%20%20padding%3A%202px%3B%0A%20%20%20%20%7D%0A%20%0A%2F%2A%20%2D%2D%2D%2D%20Math%20%2D%2D%2D%2D%20%2A%2F%0A%20%0Aspan%2Emath%20%2F%2A%20Pandoc%20inline%20math%20default%20and%20%2D%2Djsmath%20inline%20math%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%2F%2A%20Tried%20font%2Dstyle%3Aitalic%20here%2C%20and%20it%20messed%20up%20MathJax%20rendering%20in%20some%20browsers%2E%20Maybe%20don%27t%20mess%20with%20at%20all%2E%20%2A%2F%0A%20%20%20%20%7D%0A%20%20%20%20%0Adiv%2Emath%20%2F%2A%20Pandoc%20%2D%2Djsmath%20display%20math%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%20%20%20%0Aspan%2ELaTeX%20%2F%2A%20Pandoc%20%2D%2Dlatexmathml%20math%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%20%0A%20%0Aeq%20%2F%2A%20Pandoc%20%2D%2Dgladtex%20math%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%20%0A%20%0A%2F%2A%20%2D%2D%2D%2D%20Tables%20%2D%2D%2D%2D%20%2A%2F%0A%20%0A%2F%2A%20%20A%20clean%20textbook%2Dlike%20style%20with%20horizontal%20lines%20above%20and%20below%20and%20under%20%0A%20%20%20%20the%20header%2E%20Rows%20highlight%20on%20hover%20to%20help%20scanning%20the%20table%20on%20screen%2E%0A%2A%2F%0A%20%0Atable%0A%20%20%20%20%7B%0A%20%20%20%20border%2Dcollapse%3A%20collapse%3B%0A%20%20%20%20border%2Dspacing%3A%200%3B%20%2F%2A%20IE%206%20%2A%2F%0A%20%0A%20%20%20%20border%2Dbottom%3A%202pt%20solid%20%23000%3B%0A%20%20%20%20border%2Dtop%3A%202pt%20solid%20%23000%3B%20%2F%2A%20The%20caption%20on%20top%20will%20not%20have%20a%20bottom%2Dborder%20%2A%2F%0A%20%0A%20%20%20%20%2F%2A%20Center%20%2A%2F%0A%20%20%20%20margin%2Dleft%3A%20auto%3B%0A%20%20%20%20margin%2Dright%3A%20auto%3B%0A%20%20%20%20%7D%0A%20%20%20%20%0Athead%20%2F%2A%20Entire%20table%20header%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20border%2Dbottom%3A%201pt%20solid%20%23000%3B%0A%20%20%20%20background%2Dcolor%3A%20%23eee%3B%20%2F%2A%20Does%20this%20BG%20print%20well%3F%20%2A%2F%0A%20%20%20%20%7D%0A%20%0Atr%2Eheader%20%2F%2A%20Each%20header%20row%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%20%0A%20%0Atbody%20%2F%2A%20Entire%20table%20%20body%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0A%2F%2A%20Table%20body%20rows%20%2A%2F%0A%20%0Atr%20%20%7B%0A%20%20%20%20%7D%0Atr%2Eodd%3Ahover%2C%20tr%2Eeven%3Ahover%20%2F%2A%20Use%20%2Eodd%20and%20%2Eeven%20classes%20to%20avoid%20styling%20rows%20in%20other%20tables%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20background%2Dcolor%3A%20%23eee%3B%0A%20%20%20%20%7D%0A%20%20%20%20%0A%2F%2A%20Odd%20and%20even%20rows%20%2A%2F%0Atr%2Eodd%20%7B%7D%0Atr%2Eeven%20%7B%7D%0A%20%0Atd%2C%20th%20%2F%2A%20Table%20cells%20and%20table%20header%20cells%20%2A%2F%0A%20%20%20%20%7B%20%0A%20%20%20%20vertical%2Dalign%3A%20top%3B%20%2F%2A%20Word%20%2A%2F%0A%20%20%20%20vertical%2Dalign%3A%20baseline%3B%20%2F%2A%20Others%20%2A%2F%0A%20%20%20%20padding%2Dleft%3A%20%20%200%2E5em%3B%0A%20%20%20%20padding%2Dright%3A%20%200%2E5em%3B%0A%20%20%20%20padding%2Dtop%3A%20%20%20%200%2E2em%3B%0A%20%20%20%20padding%2Dbottom%3A%200%2E2em%3B%0A%20%20%20%20%7D%0A%20%20%20%20%0A%2F%2A%20Removes%20padding%20on%20left%20and%20right%20of%20table%20for%20a%20tight%20look%2E%20Good%20if%20thead%20has%20no%20background%20color%2A%2F%0A%2F%2A%0Atr%20td%3Alast%2Dchild%2C%20tr%20th%3Alast%2Dchild%0A%20%20%20%20%7B%0A%20%20%20%20padding%2Dright%3A%200%3B%0A%20%20%20%20%7D%0Atr%20td%3Afirst%2Dchild%2C%20tr%20th%3Afirst%2Dchild%20%0A%20%20%20%20%7B%0A%20%20%20%20padding%2Dleft%3A%200%3B%0A%20%20%20%20%7D%0A%2A%2F%0A%20%0Ath%20%2F%2A%20Table%20header%20cells%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20font%2Dweight%3A%20bold%3B%20%0A%20%20%20%20%7D%0A%20%0Atfoot%20%2F%2A%20Table%20footer%20%28what%20appears%20here%20if%20caption%20is%20on%20top%3F%29%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0Acaption%20%2F%2A%20This%20is%20for%20a%20table%20caption%20tag%2C%20not%20the%20p%2Ecaption%20Pandoc%20uses%20in%20a%20div%2Efigure%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20caption%2Dside%3A%20top%3B%0A%20%20%20%20border%3A%20none%3B%0A%20%20%20%20font%2Dsize%3A%200%2E9em%3B%0A%20%20%20%20font%2Dstyle%3A%20italic%3B%0A%20%20%20%20text%2Dalign%3A%20center%3B%0A%20%20%20%20margin%2Dbottom%3A%200%2E3em%3B%20%2F%2A%20Good%20for%20when%20on%20top%20%2A%2F%0A%20%20%20%20padding%2Dbottom%3A%200%2E2em%3B%0A%20%20%20%20%7D%0A%20%0A%2F%2A%20%2D%2D%2D%2D%20Definition%20lists%20%2D%2D%2D%2D%20%2A%2F%0A%20%0Adl%20%2F%2A%20The%20whole%20list%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20border%2Dtop%3A%202pt%20solid%20black%3B%0A%20%20%20%20padding%2Dtop%3A%200%2E5em%3B%0A%20%20%20%20border%2Dbottom%3A%202pt%20solid%20black%3B%0A%20%20%20%20%7D%0A%20%0Adt%20%2F%2A%20Definition%20term%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20font%2Dweight%3A%20bold%3B%0A%20%20%20%20%7D%0A%20%0Add%2Bdt%20%2F%2A%202nd%20or%20greater%20term%20in%20the%20list%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20border%2Dtop%3A%201pt%20solid%20black%3B%0A%20%20%20%20padding%2Dtop%3A%200%2E5em%3B%0A%20%20%20%20%7D%0A%20%20%20%20%0Add%20%2F%2A%20A%20definition%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20margin%2Dbottom%3A%200%2E5em%3B%0A%20%20%20%20%7D%0A%20%0Add%2Bdd%20%2F%2A%202nd%20or%20greater%20definition%20of%20a%20term%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20border%2Dtop%3A%201px%20solid%20black%3B%20%2F%2A%20To%20separate%20multiple%20definitions%20%2A%2F%0A%20%20%20%20%7D%0A%20%20%20%20%0A%2F%2A%20%2D%2D%2D%2D%20Footnotes%20%2D%2D%2D%2D%20%2A%2F%0A%20%0Aa%2Efootnote%2C%20a%2EfootnoteRef%20%7B%20%2F%2A%20Pandoc%2C%20MultiMarkdown%20footnote%20links%20%2A%2F%0A%20%20%20%20font%2Dsize%3A%20small%3B%20%0A%20%20%20%20vertical%2Dalign%3A%20text%2Dtop%3B%0A%7D%0A%20%0Aa%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%2F%2A%20Pandoc%2C%20MultiMarkdown%2C%20%3F%3F%20footnote%20back%20links%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0A%40media%20print%0A%20%20%20%20%7B%0A%20%20%20%20a%5Bhref%5E%3D%22%23fnref%22%5D%2C%20a%2Ereversefootnote%20%2F%2A%20Pandoc%2C%20MultiMarkdown%20%2A%2F%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20Don%27t%20display%20these%20at%20all%20in%20print%20since%20the%20arrow%20is%20only%20something%20to%20click%20on%20%2A%2F%0A%20%20%20%20%20%20%20%20display%3A%20none%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%20%20%20%20%0Adiv%2Efootnotes%20%2F%2A%20Pandoc%20footnotes%20div%20at%20end%20of%20the%20document%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%20%20%20%0Adiv%2Efootnotes%20li%5Bid%5E%3D%22fn%22%5D%20%2F%2A%20A%20footnote%20item%20within%20that%20div%20%2A%2F%0A%20%20%20%20%7B%0A%20%20%20%20%7D%0A%20%0A%2F%2A%20You%20can%20class%20stuff%20as%20%22noprint%22%20to%20not%20print%2E%20%0A%20%20%20Useful%20since%20you%20can%27t%20set%20this%20media%20conditional%20inside%20an%20HTML%20element%27s%20%0A%20%20%20style%20attribute%20%28I%20think%29%2C%20and%20you%20don%27t%20want%20to%20make%20another%20stylesheet%20that%20%0A%20%20%20imports%20this%20one%20and%20adds%20a%20class%20just%20to%20do%20this%2E%0A%2A%2F%0A%20%0A%40media%20print%0A%20%20%20%20%7B%0A%20%20%20%20%2Enoprint%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20display%3Anone%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A" rel="stylesheet" type="text/css" /> |
---|
10 | </head> |
---|
11 | <body> |
---|
12 | <div id="header"> |
---|
13 | <h1 class="title">Host Security Exercise</h1> |
---|
14 | <h3 class="date">Security Topics</h3> |
---|
15 | </div> |
---|
16 | <div id="TOC"> |
---|
17 | <ul> |
---|
18 | <li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a></li> |
---|
19 | <li><a href="#goals"><span class="toc-section-number">2</span> Goals</a></li> |
---|
20 | <li><a href="#notes"><span class="toc-section-number">3</span> Notes</a></li> |
---|
21 | <li><a href="#lets-install-a-few-tools-first"><span class="toc-section-number">4</span> Let's install a few tools first</a></li> |
---|
22 | <li><a href="#whats-running"><span class="toc-section-number">5</span> What's running?</a></li> |
---|
23 | <li><a href="#how-were-running-processes-spawned"><span class="toc-section-number">6</span> How were running processes spawned?</a></li> |
---|
24 | <li><a href="#disabling-uninstalling-services"><span class="toc-section-number">7</span> Disabling, uninstalling services</a></li> |
---|
25 | <li><a href="#which-network-services-are-running"><span class="toc-section-number">8</span> Which network services are running?</a></li> |
---|
26 | <li><a href="#scan-your-machine-remotely-using-nmap"><span class="toc-section-number">9</span> Scan your machine remotely using nmap</a></li> |
---|
27 | <li><a href="#install-a-filesystem-integrity-checker"><span class="toc-section-number">10</span> Install a filesystem integrity checker</a><ul> |
---|
28 | <li><a href="#fcheck"><span class="toc-section-number">10.1</span> fcheck</a><ul> |
---|
29 | <li><a href="#fcheck-installs-postfix."><span class="toc-section-number">10.1.1</span> fcheck installs "PostFix".</a></li> |
---|
30 | </ul></li> |
---|
31 | <li><a href="#incrond"><span class="toc-section-number">10.2</span> incrond</a></li> |
---|
32 | </ul></li> |
---|
33 | <li><a href="#turn-on-automatic-installation-of-security-updates"><span class="toc-section-number">11</span> Turn on automatic installation of security updates</a></li> |
---|
34 | <li><a href="#run-a-rootkit-checker"><span class="toc-section-number">12</span> Run a rootkit checker</a></li> |
---|
35 | <li><a href="#run-another-rootkit-checker"><span class="toc-section-number">13</span> Run another rootkit checker!</a></li> |
---|
36 | <li><a href="#enable-system-accounting"><span class="toc-section-number">14</span> Enable System Accounting</a></li> |
---|
37 | </ul> |
---|
38 | </div> |
---|
39 | <h1 id="introduction"><span class="header-section-number">1</span> Introduction</h1> |
---|
40 | <p>These exercices demonstrate some of the tools used for tasks that every system administrator should perform when installing or hardening a system.</p> |
---|
41 | <h1 id="goals"><span class="header-section-number">2</span> Goals</h1> |
---|
42 | <ul> |
---|
43 | <li>Learn to figure out which services are running</li> |
---|
44 | <li>Disable unnecessary services</li> |
---|
45 | <li>Scan ports to see how the machine is seen by others</li> |
---|
46 | <li>Configure automatic updates</li> |
---|
47 | <li>Use file integrity and rootkit checking tools to detect possible compromises</li> |
---|
48 | <li>Install a tool to keep a log of executed commands</li> |
---|
49 | </ul> |
---|
50 | <h1 id="notes"><span class="header-section-number">3</span> Notes</h1> |
---|
51 | <ul> |
---|
52 | <li>Commands preceded with "$" imply that you should execute the command as a general user - not as root.</li> |
---|
53 | <li>Commands preceded with "#" imply that you should be working as root.</li> |
---|
54 | <li>Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>") imply that you are executing commands on remote equipment, or within another program.</li> |
---|
55 | </ul> |
---|
56 | <h1 id="lets-install-a-few-tools-first"><span class="header-section-number">4</span> Let's install a few tools first</h1> |
---|
57 | <pre><code># apt-get install lsof psmisc</code></pre> |
---|
58 | <h1 id="whats-running"><span class="header-section-number">5</span> What's running?</h1> |
---|
59 | <p>First you can see what is running on your machine by typing something like:</p> |
---|
60 | <pre><code>$ ps auxwww</code></pre> |
---|
61 | <p>You will see lots and lots of stuff go by. So, let's look at this a bit more closely:</p> |
---|
62 | <pre><code>$ ps auxwww | less</code></pre> |
---|
63 | <p>(press [spacebar] to go one page down, and [b] to go one page up)</p> |
---|
64 | <p>Now, browsing through all this we can see there are a bunch of initial system processes that start to support our hardware (items in "[ ]"). Let's filter all of this out and see what we are left with:</p> |
---|
65 | <pre><code>$ ps auxwww | grep -v "\["</code></pre> |
---|
66 | <p>(Hint: You might want to copy and paste this in to a command window)</p> |
---|
67 | <p>What's left?</p> |
---|
68 | <p>Have a look and see if you can identify everything in the remaining list. Your list of processes should look something like:</p> |
---|
69 | <pre><code>USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND |
---|
70 | root 1 0.8 0.4 4452 2348 ? Ss 18:38 0:00 /sbin/init |
---|
71 | root 163 0.0 0.2 4916 1340 ? S 18:38 0:00 mountall --daemon |
---|
72 | root 264 0.0 0.1 3008 616 ? S 18:38 0:00 upstart-udev-bridge --daemon |
---|
73 | root 269 0.0 0.2 12160 1488 ? Ss 18:38 0:00 /lib/systemd/systemd-udevd --daemon |
---|
74 | message+ 312 0.0 0.1 4232 972 ? Ss 18:38 0:00 dbus-daemon --system --fork |
---|
75 | root 347 0.0 0.3 4212 1620 ? Ss 18:38 0:00 /lib/systemd/systemd-logind |
---|
76 | syslog 352 0.0 0.2 30476 1068 ? Ssl 18:38 0:00 rsyslogd |
---|
77 | root 383 0.0 0.1 3012 640 ? S 18:38 0:00 upstart-file-bridge --daemon |
---|
78 | root 448 0.0 0.3 5508 1852 ? Ss 18:38 0:00 dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0 |
---|
79 | root 622 0.0 0.1 4168 808 tty4 Ss+ 18:38 0:00 /sbin/getty -8 38400 tty4 |
---|
80 | root 623 0.0 0.1 4168 812 tty5 Ss+ 18:38 0:00 /sbin/getty -8 38400 tty5 |
---|
81 | root 628 0.0 0.1 4168 816 tty2 Ss+ 18:38 0:00 /sbin/getty -8 38400 tty2 |
---|
82 | root 629 0.0 0.1 4168 808 tty3 Ss+ 18:38 0:00 /sbin/getty -8 38400 tty3 |
---|
83 | root 631 0.0 0.1 4168 812 tty6 Ss+ 18:38 0:00 /sbin/getty -8 38400 tty6 |
---|
84 | root 667 0.0 0.4 7796 2436 ? Ss 18:38 0:00 /usr/sbin/sshd -D |
---|
85 | root 679 0.0 0.1 2192 600 ? Ss 18:38 0:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket |
---|
86 | root 681 0.0 0.1 3052 768 ? Ss 18:38 0:00 cron |
---|
87 | root 721 0.0 0.1 3264 920 ? S 18:38 0:00 upstart-socket-bridge --daemon |
---|
88 | root 729 0.0 0.4 5608 2508 ? Ss 18:38 0:00 /usr/sbin/apache2 -k start |
---|
89 | www-data 732 0.0 0.3 228240 1972 ? Sl 18:38 0:00 /usr/sbin/apache2 -k start |
---|
90 | www-data 733 0.0 0.3 228240 1972 ? Sl 18:38 0:00 /usr/sbin/apache2 -k start |
---|
91 | root 812 0.0 0.1 4168 816 tty1 Ss+ 18:38 0:00 /sbin/getty -8 38400 tty1 |
---|
92 | root 813 0.0 0.1 2416 736 ttyS0 Ss+ 18:38 0:00 /sbin/getty -L 115200 ttyS0 xterm |
---|
93 | sysadm 849 0.0 0.3 11192 1812 ? S 18:38 0:00 sshd: sysadm@pts/0 |
---|
94 | sysadm 850 0.0 0.3 5176 1860 pts/0 Ss 18:38 0:00 -bash |
---|
95 | sysadm 861 0.0 0.2 4740 1112 pts/0 R+ 18:39 0:00 ps auxwww</code></pre> |
---|
96 | <p>You can type "man" or search in Google to figure out what all this is. For instance:</p> |
---|
97 | <pre><code>$ man acpid |
---|
98 | $ man getty |
---|
99 | $ man cron |
---|
100 | $ man sshd</code></pre> |
---|
101 | <h1 id="how-were-running-processes-spawned"><span class="header-section-number">6</span> How were running processes spawned?</h1> |
---|
102 | <p>When investigating a security incident or suspicious process, one of the most important things you will want to know is how a process was started.</p> |
---|
103 | <p>To visualize the relationships between processes use 'pstree'.</p> |
---|
104 | <pre><code># pstree</code></pre> |
---|
105 | <ul> |
---|
106 | <li>Processes on the left are called "parent" processes, processes on the right are called "child" processes.</li> |
---|
107 | </ul> |
---|
108 | <pre><code>init---acpid |
---|
109 | |-apache2---2*[apache2---26*[{apache2}]] |
---|
110 | |-avahi-daemon---avahi-daemon |
---|
111 | |-cron |
---|
112 | |-cups-browsed |
---|
113 | |-dbus-daemon |
---|
114 | |-dhclient |
---|
115 | |-7*[getty] |
---|
116 | |-mountall |
---|
117 | |-rsyslogd---3*[{rsyslogd}] |
---|
118 | |-snmpd |
---|
119 | |-sshd---sshd---sshd---bash---sudo---su---bash---pstree |
---|
120 | |-systemd-logind |
---|
121 | |-systemd-udevd |
---|
122 | |-upstart-file-br |
---|
123 | |-upstart-socket- |
---|
124 | |-upstart-udev-br</code></pre> |
---|
125 | <ul> |
---|
126 | <li>Which processes did you spawn?</li> |
---|
127 | <li>Which process is the a parent of all the processes in the tree?</li> |
---|
128 | </ul> |
---|
129 | <h1 id="disabling-uninstalling-services"><span class="header-section-number">7</span> Disabling, uninstalling services</h1> |
---|
130 | <p>Once you feel pretty comfortable with what's running on your system you might consider if you need each item. If there is something running that is unnecessary, then you should consider uninstalling or disabling the service.</p> |
---|
131 | <p>To uninstall a service, use the APT package manager's "remove" function:</p> |
---|
132 | <pre><code># apt-get remove <pkg_name></code></pre> |
---|
133 | <p>The way a service is disabled at startup depends on which mechanism the developers used to initialized it.</p> |
---|
134 | <p>A service can be started using the traditional System V init script:</p> |
---|
135 | <pre><code># update-rc.d <pkg_service> remove</code></pre> |
---|
136 | <p>Services can also be via a system called "upstart". To find out if a service was started by upstart issue the following command:</p> |
---|
137 | <pre><code># ls -alh /etc/init | grep <pkg_service></code></pre> |
---|
138 | <p>If you see a .conf file that corresponds with the service you want to disable, the service is controlled by upstart.</p> |
---|
139 | <p>To disable a service initialized by upstart, issue the following command:</p> |
---|
140 | <pre><code># echo "manual" > /etc/init/<pkg_service>.override</code></pre> |
---|
141 | <h1 id="which-network-services-are-running"><span class="header-section-number">8</span> Which network services are running?</h1> |
---|
142 | <p>The next step is to see if any of these services are listening to the network for connections:</p> |
---|
143 | <pre><code># lsof -i</code></pre> |
---|
144 | <p>You'll see something like:</p> |
---|
145 | <pre><code>COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME |
---|
146 | sshd 1005 root 3u IPv4 5150 0t0 TCP *:ssh (LISTEN) |
---|
147 | sshd 1005 root 4u IPv6 5152 0t0 TCP *:ssh (LISTEN) |
---|
148 | cupsd 1063 root 5u IPv6 5318 0t0 TCP localhost:ipp (LISTEN) |
---|
149 | cupsd 1063 root 6u IPv4 5319 0t0 TCP localhost:ipp (LISTEN) |
---|
150 | sshd 10340 root 3r IPv4 18747 0t0 TCP pc4.pacnog.bluesky.as:\ |
---|
151 | ssh->noc.pacnog.bluesky.as:34634 (ESTABLISHED)</code></pre> |
---|
152 | <p>Again, Google and man to figure out what is going on:</p> |
---|
153 | <pre><code>$ man sshd |
---|
154 | $ man cupsd</code></pre> |
---|
155 | <p>What's cupsd? is this necessary on every server?</p> |
---|
156 | <p>Notice that sshd is listening to all incoming connection requests (the "*"). This is a typical, potential security hole.</p> |
---|
157 | <p>In our case, we will leave ssh up, but we are aware they are running and need to be patched for security updates as they come out.</p> |
---|
158 | <p>For example, it is a good idea to lock down sshd a bit by not allowing the root user to log in with a passwords.</p> |
---|
159 | <p>As you are not printing, let's turn off the cups printing service. Do you remember how to do this?</p> |
---|
160 | <pre><code># ls /etc/init.d <-- to find the service script name |
---|
161 | # service cups stop |
---|
162 | # lsof -i</code></pre> |
---|
163 | <p>Now we only see:</p> |
---|
164 | <pre><code>COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME |
---|
165 | sshd 1005 root 3u IPv4 5150 0t0 TCP *:ssh (LISTEN) |
---|
166 | sshd 1005 root 4u IPv6 5152 0t0 TCP *:ssh (LISTEN) |
---|
167 | sshd 10340 root 3r IPv4 18747 0t0 TCP pc4.pacnog.bluesky.as:\ |
---|
168 | ssh->noc.pacnog.bluesky.as:34634 (ESTABLISHED)</code></pre> |
---|
169 | <p>To prevent this service to start when the machine is rebooted, type:</p> |
---|
170 | <pre><code># echo "manual" > /etc/init/cups.override</code></pre> |
---|
171 | <h1 id="scan-your-machine-remotely-using-nmap"><span class="header-section-number">9</span> Scan your machine remotely using nmap</h1> |
---|
172 | <p>It's usually a good idea to see how your machine looks to other users.</p> |
---|
173 | <p>Log in to a PC different than yours. For example:</p> |
---|
174 | <pre><code>$ ssh sysadm@pcX</code></pre> |
---|
175 | <p>Make sure that nmap is installed by doing:</p> |
---|
176 | <pre><code># apt-get install -y nmap</code></pre> |
---|
177 | <p>Now let's scan your machine using the nmap command:</p> |
---|
178 | <pre><code># nmap -sV pcX [Where "pcX" is _your_ pc]</code></pre> |
---|
179 | <p>You should see something like:</p> |
---|
180 | <pre><code>Starting Nmap 5.00 ( http://nmap.org ) at 2010-06-30 09:59 SST |
---|
181 | Interesting ports on pc2.pacnog.bluesky.as (67.218.55.102): |
---|
182 | Not shown: 998 closed ports |
---|
183 | PORT STATE SERVICE VERSION |
---|
184 | 22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (protocol 2.0) |
---|
185 | 25/tcp open smtp Postfix smtpd |
---|
186 | MAC Address: 00:0F:1F:E6:62:94 (WW Pcba Test) |
---|
187 | Service Info: Host: pc2.pacnog.bluesky.as; OS: Linux |
---|
188 | |
---|
189 | Service detection performed. Please report any incorrect results at \ |
---|
190 | http://nmap.org/submit/ . |
---|
191 | Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds</code></pre> |
---|
192 | <p>This looks reasonable. The machine is exposing smtp and ssh to the world as well as the type of OS that it is running.</p> |
---|
193 | <p>Now let's scan a bit more aggressively:</p> |
---|
194 | <pre><code># nmap -A -T4 pcX</code></pre> |
---|
195 | <p>Take a look at the information presented. This will take some time, but it will contain more detail.</p> |
---|
196 | <p>Now, remember to log out of your classmate's PC!</p> |
---|
197 | <pre><code>$ exit</code></pre> |
---|
198 | <p>You can use nmap to scan entire networks and find all the machines and services that are running. This is what network attack scripts do - but, they usually scan for a specific port and service, then they launch an attack when they find a service that they think they can break.</p> |
---|
199 | <p>Be careful with nmap! If you scan aggressively or against an entire network you will likely set off detection alarms and you could get in trouble. Let people know before you scan if you are not in charge of the remote machines.</p> |
---|
200 | <p>Now read about nmap to understand what -sV, -A, -T4 and -F are doing:</p> |
---|
201 | <pre><code>$ man nmap</code></pre> |
---|
202 | <h1 id="install-a-filesystem-integrity-checker"><span class="header-section-number">10</span> Install a filesystem integrity checker</h1> |
---|
203 | <h2 id="fcheck"><span class="header-section-number">10.1</span> fcheck</h2> |
---|
204 | <p>Let's install fcheck. This is an intrusion detection tool that is very simple to set up and is preconfigured to do most of what you want:</p> |
---|
205 | <pre><code># apt-get install fcheck</code></pre> |
---|
206 | <h3 id="fcheck-installs-postfix."><span class="header-section-number">10.1.1</span> fcheck installs "PostFix".</h3> |
---|
207 | <p>Choose default actions "Internet Site" and "pcX.ws.nsrc.org"</p> |
---|
208 | <p>Once this is done you can look around to see how fcheck is configured. By default Ubuntu installs and configures fcheck in a reasonable manner and you probably don't need to do anything else.</p> |
---|
209 | <pre><code>$ man fcheck</code></pre> |
---|
210 | <p>Configuration of check is in /etc/fcheck/fcheck.cfg. Let's have a look:</p> |
---|
211 | <pre><code># editor /etc/fcheck/fcheck.cfg</code></pre> |
---|
212 | <p>Read through the file to see what directories fcheck is checking, which directories are excluded, etc. The check process is run once every two hours on the 1/2 hour. You can view this by looking at:</p> |
---|
213 | <pre><code>$ less /etc/cron.d/fcheck</code></pre> |
---|
214 | <p>The text that reads:</p> |
---|
215 | <pre><code>30 */2 * * *</code></pre> |
---|
216 | <p>is telling our system cron process to run the long check command listed in the file once every 2 hours on the 1/2 hour.</p> |
---|
217 | <p>Now force fcheck to run for the first time and create a database:</p> |
---|
218 | <pre><code># fcheck -ac</code></pre> |
---|
219 | <p>Look at the baseline file that fcheck has created:</p> |
---|
220 | <pre><code># less /var/lib/fcheck/fcheck.dbf</code></pre> |
---|
221 | <p>Now let's make a change to a file in one of the directories that fcheck is checking.</p> |
---|
222 | <pre><code># editor /etc/hosts</code></pre> |
---|
223 | <p>Add a blank line at the end of the file. Save the file.</p> |
---|
224 | <p>Now do another forced run of fcheck:</p> |
---|
225 | <pre><code># fcheck -a</code></pre> |
---|
226 | <p>You'll see lots of stuff go by on the screen.</p> |
---|
227 | <p>you see something like:</p> |
---|
228 | <pre><code>PROGRESS: validating integrity of /etc/ |
---|
229 | STATUS: |
---|
230 | WARNING: [cv-macbook] /etc/hosts |
---|
231 | [Sizes: 257 - 258, Times: Jul 22 21:36 2010 - Mar 14 16:10 2012]</code></pre> |
---|
232 | <p>This tells you that the file /etc/hosts has changed. The cron job installed by Ubuntu will e-mail these kinds of reports to you.</p> |
---|
233 | <h2 id="incrond"><span class="header-section-number">10.2</span> incrond</h2> |
---|
234 | <p>Inotify in the kernel can provide real-time notification of filesystem changes. Install the incron package and configure incrond to monitor important filesystems.</p> |
---|
235 | <pre><code># apt-get install incron |
---|
236 | # tail /var/log/syslog |
---|
237 | # cd /etc/incron.d |
---|
238 | # editor globals |
---|
239 | |
---|
240 | add the following line (one line) to the globals file: |
---|
241 | |
---|
242 | /etc IN_MODIFY,IN_CLOSE_WRITE,IN_CREATE,IN_DELETE /usr/bin/logger -p news.warn "$% $@/$#"</code></pre> |
---|
243 | <p>For a description of the syntax of incron table files, see:</p> |
---|
244 | <pre><code>$ man 5 incrontab</code></pre> |
---|
245 | <p>That's it. The changes you make to incron are updated automatically. Because incron can recognize changes, it even recognizes when you change the configuration for incron, and it updates.</p> |
---|
246 | <p>Now add a file to the /etc directory:</p> |
---|
247 | <pre><code># touch /etc/dog</code></pre> |
---|
248 | <p>Take a look at /var/log/syslog. What does it say???</p> |
---|
249 | <pre><code># tail /var/log/syslog</code></pre> |
---|
250 | <p>From now on, any changes you make in the /etc directory will generate syslog messages.</p> |
---|
251 | <h1 id="turn-on-automatic-installation-of-security-updates"><span class="header-section-number">11</span> Turn on automatic installation of security updates</h1> |
---|
252 | <p>There is a meta package called unattended-upgrades to do this. To install:</p> |
---|
253 | <pre><code># apt-get install unattended-upgrades</code></pre> |
---|
254 | <p>That's it. Any time a security update is placed in the Ubuntu repositories it will be automatically installed on your system. You will probably want to look at how unattended-upgrades is configured.</p> |
---|
255 | <pre><code># cd /etc/apt/apt.conf.d</code></pre> |
---|
256 | <p>This package is configured in the file 50unattended-upgrades. Let's have a look and we will make a change to the configuration:</p> |
---|
257 | <pre><code># editor 50unattended-upgrades</code></pre> |
---|
258 | <p>Note at the very top of the file. If you were to change this:</p> |
---|
259 | <pre><code> |
---|
260 | Unattended-Upgrade::Allowed-Origins { |
---|
261 | "${distro_id}:${distro_codename}-security"; |
---|
262 | // "${distro_id}:${distro_codename}-updates"; |
---|
263 | // "${distro_id}:${distro_codename}-proposed"; |
---|
264 | // "${distro_id}:${distro_codename}-backports"; |
---|
265 | }; |
---|
266 | </code></pre> |
---|
267 | <p>To look like:</p> |
---|
268 | <pre><code> |
---|
269 | Unattended-Upgrade::Allowed-Origins { |
---|
270 | "${distro_id}:${distro_codename}-security"; |
---|
271 | "${distro_id}:${distro_codename}-updates"; |
---|
272 | // "${distro_id}:${distro_codename}-proposed"; |
---|
273 | // "${distro_id}:${distro_codename}-backports"; |
---|
274 | };</code></pre> |
---|
275 | <p>then all software package updates would be installed as well. You may, or may not, want to do this. This is generally safer for user desktops than for servers.</p> |
---|
276 | <p>Let's change this line:</p> |
---|
277 | <pre><code>//Unattended-Upgrade::Mail "root";</code></pre> |
---|
278 | <p>To be:</p> |
---|
279 | <pre><code>Unattended-Upgrade::Mail "root@localhost";</code></pre> |
---|
280 | <p>That way your root account will get an email when an update is installed.</p> |
---|
281 | <p>Note that you can even have your machine automatically reboot if required after an update by editing the following stanza.</p> |
---|
282 | <pre><code> |
---|
283 | // Automatically reboot *WITHOUT CONFIRMATION* |
---|
284 | // if the file /var/run/reboot-required is found after the upgrade |
---|
285 | //Unattended-Upgrade::Automatic-Reboot "false"; |
---|
286 | </code></pre> |
---|
287 | <p>Save the file and exit.</p> |
---|
288 | <p>That's it. If a security update is applied you will be notified.</p> |
---|
289 | <h1 id="run-a-rootkit-checker"><span class="header-section-number">12</span> Run a rootkit checker</h1> |
---|
290 | <p>There is a nice tool called "chkrootkit" - This is used to see if a machine has been compromised with known software kits that install once security has been breached. You can read about this software here: <a href="http://www.chkrootkit.org/" class="uri">http://www.chkrootkit.org/</a></p> |
---|
291 | <p>To install, do this:</p> |
---|
292 | <pre><code># apt-get install chkrootkit</code></pre> |
---|
293 | <p>To use it, do:</p> |
---|
294 | <pre><code># chkrootkit</code></pre> |
---|
295 | <p>"chrootkit" will find one file it thinks is infected:</p> |
---|
296 | <pre><code>Searching for Suckit rootkit... Warning: /sbin/init INFECTED</code></pre> |
---|
297 | <p>This file probably isn't infected, but tests positive due to Ubuntu's configuration.</p> |
---|
298 | <p>You should not see anything found or infected (hopefully!). However, it's possible for the tool to give you some false positives. You can go back to the http://www.chkrootkit.org/ web site for more information in the README and FAQ pages and you should use Google. If you don't see other people reporting false positivies like yours, then you probably need to format your hard drive, reinstall and restore data from backups.</p> |
---|
299 | <p>Let's do something to make chkrootkit give you a warning:</p> |
---|
300 | <p>Place your ethernet interfaces in to promiscuous mode (i.e. it listens for <em>all</em> packets on the network, not just packets coming to your machine).</p> |
---|
301 | <pre><code># ifconfig lo promisc</code></pre> |
---|
302 | <p>Now let's re-run chkrootkit:</p> |
---|
303 | <pre><code># chkrootkit</code></pre> |
---|
304 | <p>and you will see that it detects that the loopback network interface (lo) is now in promiscuous mode. To just see this vs. all the other messages do:</p> |
---|
305 | <pre><code># chkrootkit | grep PROMISC</code></pre> |
---|
306 | <p>If your PC is running a DHCP client daemon, you may also see that eth0 is in promiscuous mode:</p> |
---|
307 | <pre><code>eth0: PROMISC PACKET SNIFFER(/sbin/dhclient3[564])</code></pre> |
---|
308 | <p>Turn off promiscuous mode for lo:</p> |
---|
309 | <pre><code># ifconfig lo -promisc</code></pre> |
---|
310 | <h1 id="run-another-rootkit-checker"><span class="header-section-number">13</span> Run another rootkit checker!</h1> |
---|
311 | <p>"rkhunter" is another rootkit checker like "chkrootkit" - This is used to see if a machine has been compromised with known software kits that install once security has been breached. You can read about this software here: <a href="http://rkhunter.sourceforge.net/" class="uri">http://rkhunter.sourceforge.net/</a></p> |
---|
312 | <p>To install, do this:</p> |
---|
313 | <pre><code># apt-get install rkhunter</code></pre> |
---|
314 | <p>To use it, do:</p> |
---|
315 | <pre><code># rkhunter -c</code></pre> |
---|
316 | <p>On Ubuntu rkhunter might find a suspicious file "/usr/bin/unhide.rb". It also may find suspicious or hidden files or directories in the filesystem check. This is because Ubuntu is designed differently than many other distributions of Linux</p> |
---|
317 | <h1 id="enable-system-accounting"><span class="header-section-number">14</span> Enable System Accounting</h1> |
---|
318 | <p>System accounting gives us logs of all the commands that have run and terminated on the system. Let's see if we have the acct package:</p> |
---|
319 | <pre><code>$ which sa</code></pre> |
---|
320 | <p>Did "which" find the command? If not install the package:</p> |
---|
321 | <pre><code># apt-get install acct |
---|
322 | |
---|
323 | $ which sa</code></pre> |
---|
324 | <p>Let's run a command and see if acct records it.</p> |
---|
325 | <pre><code>$ whoami |
---|
326 | |
---|
327 | # sa -u</code></pre> |
---|
328 | <p>Did "sa" show a record for the command?</p> |
---|
329 | <p>Let's try the "lastcomm" command as well:</p> |
---|
330 | <pre><code># lastcomm root</code></pre> |
---|
331 | </body> |
---|
332 | </html> |
---|