NetSecL

Introduction

(Written by Iuri Stanchev)

I'm often asked what security features come with NetSecL, what tools does NetSecL include and what they do. I alone, can't possibly cover everything included. I categorized the most important security features and security-related tools. This document describes the configuration of Grsecurity and includes description of the most important security-related tools.

1. Local security

   Local security is one of the many factors on which your system's security depends.

   1. Physical access

      NetSecL provides security features that can protect your system, but that alone is not enough. A very important factor is the physical access. If someone gains physical access to your machine that means it is just a matter of time until he/she gets your data. To secure your machine you may want to lock the case of your machine to ensure nobody can get your HDD and make a image of it. The best thing if you ask me – invest in a N GB USB Flash encrypt your sensitive data and store it on your Flash and carry it with you.

   2. Grsecurity

   Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL. It offers among many other features:

• An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration

• Change root (chroot) hardening

• /tmp race prevention

• Extensive auditing

• Prevention of entire classes of exploits related to address space bugs (from the PaX project)

• Additional randomness in the TCP/IP stack

• A restriction that allows a user to only view his/her processes

• Every security alert or audit contains the IP address of the person that caused the event

  You can enable/disable many of the options through the /proc filesystem or via sysctl.

  The example below shows an excerpt of a typical /etc/sysctl.conf: kernel.grsecurity.chroot_deny_sysctl = 1

  kernel.grsecurity.chroot_caps = 1

  kernel.grsecurity.chroot_execlog = 0

  kernel.grsecurity.chroot_restrict_nice = 1

  kernel.grsecurity.chroot_deny_mknod = 1

  kernel.grsecurity.chroot_deny_chmod = 1

  kernel.grsecurity.chroot_enforce_chdir = 1

  kernel.grsecurity.chroot_deny_pivot = 1

  kernel.grsecurity.chroot_deny_chroot = 1

  kernel.grsecurity.chroot_deny_fchdir = 1

  kernel.grsecurity.chroot_deny_mount = 1

  kernel.grsecurity.chroot_deny_unix = 1

  kernel.grsecurity.chroot_deny_shmat = 1

  You can enable or disable settings at will using the sysctl command:

  (Toggling the exec_logging feature ON)

  # sysctl -w kernel.grsecurity.exec_logging = 1

  (Toggling the exec_logging feature OFF)

  # sysctl -w kernel.grsecurity.exec_logging = 0

  There is a very important sysctl setting pertaining to grsecurity, namely kernel.grsecurity.grsec_lock. When set, you are not able to change any setting anymore.

  # sysctl -w kernel.grsecurity.grsec_lock = 1

  Grsecurity features which are not built within then kernel can be enabled in /etc/sysctl.conf using the mentioned values in the kernel itself with menuconfig as showed on the screen-shot.

PaX features can be controlled by two tools paxctl and chpax. By default PaX is set to Soft Mode – this is made to prevent some problems with applications. The RBAC feature can be controlled by gradm you can read the gradm documentation in /usr/doc/gradm/

Gradm is a tool which allows you to administer and maintain a policy for your system. With it, you can enable or disable the RBAC system, reload the RBAC roles, change your role, set a password for admin mode, etc.

When you install gradm a default policy will be installed in /etc/grsec/policy:

By default, the RBAC policies are not activated. Before activating the RBAC system you should set an admin password.

# gradm -P admin

Setting up grsecurity RBAC password

Password: (Enter a well-chosen password)

Re-enter Password: (Enter the same password for confirmation)

Password written in /etc/grsec/pw

# gradm -E

To disable the RBAC system, run gradm -D. If you are not allowed to, you first need to switch to the admin role:

# gradm -a admin

Password: (Enter your admin role password)

# gradm -D

If you want to leave the admin role, run gradm -u admin

The RBAC system comes with a great feature called "learning mode". The learning mode can generate an anticipatory least privilege policy for your system. To use the learning mode, activate it using gradm:

# gradm -F -L /etc/grsec/learning.log

Now use your system, do the things you would normally do. Try to avoid rsyncing, running locate of any other heavy file i/o operation as this can really slow down the processing time. When you believe you have used your system sufficiently to obtain a good policy, let gradm process them and propose roles under /etc/grsec/learning.roles:

# gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles

Audit the /etc/grsec/learning.roles and save it as /etc/grsec/policy (mode 0600) when you are finished. You will now be able to enable the RBAC system with your new learned policy.

2. Encryption

   Worth mentioning is the tool called aespipe

   aespipe - encryption tool that reads from standard input and writes to standard output. It uses the AES (Rijndael) cipher. It can be used as an encryption filter, to create and restore encrypted tar/cpio backup archives and to read/write and convert loop-AES compatible encrypted images. Aespipe can be used for non-destructive in-place encryption of existing disk partitions for use with the loop-AES encrypted loopback kernel module. For examples look in the documentation of this tool.

   Another alternative is gnupg which everybody knows:

   First generate a private key:

   gpg --gen-key

Encrypting files for your personal use is quite easy. Encrypt a file called foo.txt. The argument to the -r option should be the all or part of the name you used when generating your private key

gpg -e -r Name foo.txt

The encrypted version of the file will by default be named foo.txt.gpg. You can modify that behavior using the --output (-o) option.

Decrypt the encrypted file. You’ll be asked to provide the passphrase you used when generating your private key. If you don’t use the --output option, the contents of the encrypted file will be sent to standard output.

gpg --output foo.txt --decrypt foo.txt.gpg

2. Remote security

   1. Authentication

      Here are several implementation for well known Authentication services. On NetSecL, gaim was recompiled to take use of GnuTLS, KDE was also recompiled to take use of Kerberos and Cyrus SASL.

      Cyrus SASL API implementation:

      It can be used on the client or server side to provide authentication and authorization services. See RFC 2222 for more information. Short part form RFC 2222: The mechanism name associated with Kerberos version 4 is "KERBEROS_V4" The first challenge consists of a random 32-bit number in network byte order. The client responds with a Kerberos ticket and an authenticator for the principal "service.hostname@realm". The encrypted checksum field included within the Kerberos authenticator contains the server provided challenge in network byte order.

      GnuTLS:

      This is a TLS (Transport Layer Security) 1.0 and SSL (Secure Sockets Layer) 3.0 implementation for the GNU project.

      Kerberos:

      The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use network utilities such as rlogin, rcp and rsh without having to present passwords to remote hosts and without having to bother with .rhosts files. Note that these utilities will work without passwords only if the remote machines you deal with support the Kerberos system.

   2. Scanners

      1. Port Scanners

         Nmap ("Network Mapper") is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available.

      2. Vulnerability Scanners

         Nessus:

         The Nessus Security Scanner is a security auditing tool made up of two parts: a server, and a client. The server, nessusd is in charge of the attacks, whereas the client nessus provides an interface to the user.

      3. Passive Scanners

         PADS is a libpcap based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.

      4. Specialized Scanners

         Amap is a scanning tool that allows you to identify the applications that are running on a specific port or ports.

         ike-scan - Discover and fingerprint IKE hosts (IPsec VPN Servers)

   3. Sniffers

      Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. It identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.

      Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

      Ettercap is a network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like SSH and HTTPS). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

   4. IDS

      Snort is a open source network intrusion detection system

      Tripwire an Open Source Security, Intrusion Detection, Damage Assessment and Recovery, Forensics software.

3. Passwords

   1. Brute force

      Tip: Some of the password crackers can be found here: /usr/penetration/decypher/

      I will introduce now 3 tools. Hydra is a network brute-forcer. The other two tools deal with passwords locally.

      Hydra is a login hacker tool which supports various protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP, CVS, Cisco AAA.

      Ophcrack is a windows password cracker based on the faster time-memory trade-off using rainbow tables. It cracks 99.9% of passwords of length 1 to 14 containing uppercase letters, lowercase letters and numbers. The Rainbow-tables can be downloaded from the page http://lasecwww.epfl.ch/~oechslin/projects/ophcrack

      John the Ripper is a password cracker, currently available for UNIX, DOS,WinNT/Win95. Its primary purpose is to detect weak UNIX passwords. It has been tested with Linux x86/Alpha/SPARC, FreeBSD x86, OpenBSD x86, Solaris 2.x SPARC and x86, Digital UNIX, AIX, HP-UX, and IRIX.

   2. Generating passwords

      APG (Automated Password Generator) is a tool set for generating random passwords. A standalone tool generates some random words of the required type and prints them to standard output. A networked client/server following RFC972 is also provided.

4. Penetration test

   1. Exploits

      The “penetration” package Set of Penetration tools, includes metasploit, decyphers, and exploits. The directory where the tools from this package are located is:

      /usr/penetration/

      Most things are categorized so you can find what you need faster.

   2. Tools

      hping is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping do with ICMP replies. Using hping2 you are able at least to perform the following jobs: Test firewall rules; [spoofed] port scanning; Test net performance using differents protocols, packet size, TOS (type of service) and fragmentation; Path MTU discovery; Files trasfering even between really fascist firewall rules; Traceroute like under different protocols; Firewalk like usage; Remote OS fingerprint; TCP/IP stack auditing; A lot of others.

      rdesktop is a client for Microsoft Windows NT Terminal Server, Windows 2000, Terminal Services, Windows 2003 Terminal Services/ Remote Desktop, Windows XP Remote Desktop, and possibly other Terminal Services products. rdesktop currently implements the RDP version 4 and 5 protocols

      Yersinia is a framework for performing layer 2 attacks.The following protocols have been implemented in Yersinia current version: Spanning Tree Protocol(STP),IVirtual Trunking Protocol (VTP), Hot Standby Router Protocol (HSRP), Dynamic Trunking Protocol (DTP), IEEE 802.1Q, Cisco Discovery Protocol (CDP) and finally, the Dynamic Host Configuration Protocol (DHCP). Some of the attacks implemented will cause a DoS in a network, other will help to perform any other more advanced attack, or both.