There is a set of additional packages (some of which replace the conventional ones) and tools that either improve the machine's security (recommended in hostile environments) or help to configure the network (and the system in general) in a more user-friendly way.
These packages may be of great help to the network administrator for preventing intrusions, for stopping local users from exceeding their permissions (usually not the local user acting in person but someone who has assumed their identity), or for helping new users to configure the services properly.
In this sense, we must examine:
Advanced TCP/IP configuration: the sysctl command modifies kernel parameters at run time or at start-up, to adapt them to the needs of the system. The parameters that can be modified are the ones exposed under the /proc/sys/ directory, and they can be listed with sysctl -a. The simplest way to make a change permanent is to put it in the /etc/sysctl.conf configuration file (or in a file under /etc/sysctl.d/ on current distributions), which is applied at boot; a single value can be applied immediately with sysctl -w key=value. After editing the file, reload it with sysctl -p or restart the network:
/etc/init.d/networking restart
In this section, we will examine some modifications that improve the network's performance (improvements that depend on the conditions of use) or the system's security (consult the references for more details) [Mou01]:
net.ipv4.icmp_echo_ignore_all = 1
Does not answer ICMP echo requests (the packets sent by the ping command). A flood of echo requests is a classic denial-of-service (DoS) attack; the price is that the machine can no longer be pinged for diagnostics, so many administrators prefer to rate-limit echo requests in the firewall instead of ignoring them outright.
net.ipv4.icmp_echo_ignore_broadcasts = 1
Does not answer echo requests sent to a broadcast address, so the machine cannot be used as an amplifier in a "smurf" attack against a third party and the network is spared the resulting congestion.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Drops packets carrying IP source-routing options, on all interfaces. Source routing lets the sender dictate the path a packet (and its reply) takes, which can be used to bypass routing policy and to spoof trusted addresses, so it represents a security threat.
net.ipv4.tcp_syncookies = 1
Defends against SYN-flood DoS attacks, in which a stream of half-open connections exhausts the connection table until the machine has to be rebooted: when the listen backlog fills, the kernel answers with a SYN cookie instead of allocating state for each request.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Ignores ICMP redirect messages on all interfaces. Routers send these when a host does not have the best route, but an attacker on the local network can forge them to divert the host's traffic through a machine of their choosing (a man-in-the-middle). A host that is not itself a router should also set net.ipv4.conf.all.send_redirects = 0.
net.ipv4.icmp_ignore_bogus_error_responses = 1
Stops the kernel from logging malformed ICMP error responses (some routers send them in violation of RFC 1122); without this setting, a misbehaving or hostile device can fill the logs with warnings.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Enables reverse-path filtering on all interfaces: a packet is dropped when the reply to its source address would not leave through the interface it arrived on, which defeats most IP-spoofing attempts. The value 1 is strict mode; hosts with asymmetric routing (several uplinks) should use 2 (loose mode) instead, or legitimate traffic will be dropped.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Logs "martian" packets on all interfaces: packets with impossible source addresses, spoofed packets rejected by rp_filter, source-routed packets and redirects. The kernel rate-limits these messages, but check that the logging host can absorb the extra lines before enabling it on a busy network.
The following parameters are presented as tuning so that the machine attends TCP connections faster:
net.ipv4.tcp_fin_timeout = 40 (default: 60)
net.ipv4.tcp_keepalive_time = 3600 (default: 7200)
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0 (default: all three enabled, 1)
Shortening the FIN-WAIT-2 timeout and the keepalive interval releases the state of dead connections sooner, which helps a busy server. Disabling window scaling, SACK and timestamps, on the other hand, was advice for very old or broken peers: on any current network it caps the receive window at 64 KiB (window scaling), slows recovery from packet loss (SACK) and removes protection against wrapped sequence numbers (timestamps), so these three should be left at their default of 1 unless a specific problem has been traced to them.
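Because these values drift (an interface added later picks up the default values, a package may reset one), a practitioner wants a quick way to audit a host against the intended hardening. The following script is an added example, not part of the original text: it compares a sysctl -a snapshot with the recommended values above and also checks every per-interface value found in the snapshot (eth0, lo, whatever exists) against the corresponding "all" setting, because on a host that does not forward, net.ipv4.conf.eth0.accept_redirects = 1 overrides all = 0. The snapshot embedded at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a host's kernel network parameters against the hardening values
# recommended above. Added example for this section, not part of the
# original text. Input is the "key = value" format printed by `sysctl -a`,
# so it works on a live host or on a saved snapshot:
#     sysctl -a 2>/dev/null > /tmp/sysctl.txt; sh sysctl_audit.sh /tmp/sysctl.txt

# hardening_baseline -- desired "key value" pairs, one per line.
# Only the all/default entries are listed; per-interface lines (eth0, lo)
# present in the input are checked against the matching "all" value.
hardening_baseline() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
EOF
}

# audit_sysctl FILE -- print one MISSING/MISMATCH line per deviation from the
# baseline; the return value is the number of deviations (0 = compliant).
audit_sysctl() {
    base=$(mktemp) || return 255
    hardening_baseline > "$base"
    awk '
    BEGIN { bad = 0 }
    FILENAME == ARGV[1] {                 # baseline lines: "key value"
        want[$1] = $2; order[++n] = $1; next
    }
    $2 == "=" {                           # snapshot lines: "key = value"
        have[$1] = $3
        if ($1 ~ /^net\.ipv4\.conf\.[^.]+\./) {
            p = $1; sub(/^net\.ipv4\.conf\.[^.]+\./, "", p)
            twin[$1] = "net.ipv4.conf.all." p   # the "all" key this value mirrors
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in have)) {
                printf "MISSING  %s (want %s)\n", k, want[k]; bad++
            } else if (have[k] != want[k]) {
                printf "MISMATCH %s = %s (want %s)\n", k, have[k], want[k]; bad++
            }
        }
        # A per-interface value that contradicts the audited "all" value is a
        # deviation too: for accept_redirects on a host, eth0 = 1 beats all = 0.
        for (k in twin) {
            a = twin[k]
            if ((a in want) && !(k in want) && have[k] != want[a]) {
                printf "MISMATCH %s = %s (want %s)\n", k, have[k], want[a]; bad++
            }
        }
        exit bad
    }' "$base" "$1"
    rc=$?
    rm -f "$base"
    return "$rc"
}

# sample_snapshot -- constructed excerpt of `sysctl -a` output from a
# hypothetical host with three problems: SYN cookies off, eth0 still
# accepting redirects although all = 0, and no default.log_martians entry.
sample_snapshot() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_window_scaling = 1
EOF
}

if [ $# -gt 0 ]; then
    audit_sysctl "$1"
else
    snap=$(mktemp) && sample_snapshot > "$snap"
    rc=0; audit_sysctl "$snap" || rc=$?
    echo "$rc deviation(s) in the constructed sample"
    rm -f "$snap"
fi
```

To apply the baseline rather than audit it, write the same pairs as key = value into a file under /etc/sysctl.d/ (or into /etc/sysctl.conf) and load it with sysctl -p; a subsequent audit should then report zero deviations. Note that the audit treats rp_filter = 2 (loose mode) as a mismatch, which is the right answer for a single-homed host but should be relaxed on multi-homed ones.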
Iptables: kernels from version 2.4 onwards include a packet-filtering framework called netfilter [Mou01], which is controlled from user space with the iptables tool, a tool with better characteristics than its predecessor (ipchains). As we will see in the unit on security, it is straightforward to build a firewall with it that detects and wards off the most common attacks, such as DoS, IP/MAC spoofing, etc. Before it can be used, the kernel must be version 2.4 or later and built with netfilter support (the option Network packet filtering, CONFIG_NETFILTER, and the sub-options for the matches and targets that will be used; distribution kernels ship them as modules). On current distributions netfilter is configured through nftables and the iptables command is often a compatibility layer over it, but the rule syntax below is still in wide use. The rules must be loaded at boot (for example through a script in /etc/init.d with the appropriate link in the corresponding rc directory, or with iptables-restore from a saved ruleset) and have a format similar to the following (check the references for the capabilities and the complete syntax):
iptables -A Chain -i Interface -p protocol -s SourceIP --source-port Port -d DestinationIP --destination-port Port -j Action
Here Chain is INPUT, OUTPUT or FORWARD (or a user-defined chain), the port options (also written --sport and --dport) are only valid together with -p tcp or -p udp, and Action is typically ACCEPT, DROP, REJECT or LOG.
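A complete ruleset in that syntax, as an added example that is not part of the original text: a default-deny stateful host firewall that accepts established traffic, drops spoofed source addresses on the external interface (pairing with the rp_filter setting above), rate-limits new SSH connections per source and logs what it drops. It assumes a single public-facing interface named eth0 (hypothetical; override with WAN=...), that SSH is the only externally reachable service, and IPv4 only. Without --apply it prints the commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Minimal stateful host firewall written in the iptables syntax sketched
# above. Added example for this section, not from the original text. It
# assumes one public-facing interface (WAN, eth0 here, a hypothetical name),
# that SSH is the only service reachable from outside, and IPv4 only: IPv6
# needs an equivalent ip6tables ruleset or it stays wide open.
#   sh host_firewall.sh          # print the commands (dry run)
#   sh host_firewall.sh --apply  # as root: load them into the kernel

WAN=${WAN:-eth0}
SSH_PORT=${SSH_PORT:-22}

# ipt ARGS... -- run one iptables command, or print it in dry-run mode
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf '%s\n' "iptables $*"
    fi
}

firewall_rules() {
    # Flush everything, then default to dropping anything not explicitly allowed.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections we opened are always fine;
    # packets that fit no known connection state are dropped.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Anti-spoofing (complements rp_filter): loopback and private source
    # addresses must never arrive on the public interface. Remove the
    # private ranges if WAN itself sits behind NAT.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT -i "$WAN" -s "$net" -j DROP
    done

    # SSH: remember each new connection per source and drop a source that
    # opens more than 5 in a minute (slows brute force), then accept the rest.
    ipt -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --set
    ipt -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

    # Answer pings, but not faster than 5 per second (ping-flood DoS).
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log (rate-limited) whatever is about to hit the default DROP policy.
    ipt -A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-DROP: "
}

[ "${1-}" = "--apply" ] && APPLY=1
firewall_rules
```

Run it from the console rather than over SSH the first time, since the INPUT policy switches to DROP before the accept rules are added. To make the rules survive a reboot, save them with iptables-save into the file the distribution's init script restores at boot (for example /etc/iptables/rules.v4 with Debian's iptables-persistent package; the path is distribution-specific).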
GnuPG: this tool encrypts data for sending (e-mail, for example) or for storage, and produces digital signatures. It implements the OpenPGP standard (RFC 2440, since superseded by RFC 4880) using only unpatented algorithms; when this text was written that meant losing compatibility with older tools such as PGP 2.x, which relied on the then-patented IDEA and RSA algorithms (both patents have since expired, and current GnuPG supports RSA). To compile and/or install the tool, follow the instructions at http://www.gnupg.org/. First, each user creates their own pair of keys (public and private) by running gpg --gen-key once, as that user rather than as root (unless the key is for root), and answering the questions that appear; the keys are stored in the user's ~/.gnupg directory (/root/.gnupg for root). The public key is then exported (to a web page or a key server, for example) so that other users can encrypt mail or data that only the holder of the matching private key will be able to read. For this we use gpg --export -a -o pubkey.asc UID, which writes the UID user's public key to an ASCII-armoured file.
To import another user's public key, use gpg --import filename; before trusting it, compare its fingerprint (gpg --fingerprint UID) with the owner over an independent channel, and then sign it with gpg --sign-key UID (which tells GnuPG that we are satisfied the key belongs to who it says it does) or with gpg --lsign-key UID for a signature that is not exported with the key. To verify a signature, use gpg --verify file.sig file; to sign and encrypt a file for a recipient, gpg -sear UID file (sign, encrypt, ASCII armour, recipient UID), which produces file.asc; and to decrypt it, gpg -d file.asc. [Gnu]
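The whole procedure, carried out between two users in throwaway keyrings, as an added example that is not part of the original text or of the GnuPG project: key generation, export and import of the public keys, fingerprint comparison and local certification, a signed and encrypted message decrypted on the other side, and a detached signature that is verified and then shown to fail once the signed file is altered. It assumes GnuPG 2.1 or later and the hypothetical users alice@example.org and bob@example.org; the keys are created without a passphrase only because they are discarded at the end.

```shell
#!/bin/sh
# Worked GnuPG key exchange between two users, in throwaway keyrings.
# Added example for this section, not from the original text or the GnuPG
# project. Assumes GnuPG 2.1 or later (for %no-protection and
# --quick-lsign-key) and the hypothetical users alice@example.org and
# bob@example.org. Run with:  sh gnupg_roundtrip.sh --demo

# gpg_is_modern -- true when gpg is installed and is version 2.1 or later
gpg_is_modern() {
    v=$(gpg --version 2>/dev/null | awk 'NR == 1 { print $3; exit }')
    case $v in
        "" | 1.* | 2.0.*) return 1 ;;
        *)                return 0 ;;
    esac
}

# gen_key HOMEDIR "Real Name" EMAIL -- unattended key generation. The key has
# no passphrase, acceptable only because these are throwaway demo keys.
gen_key() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%commit
EOF
}

# fingerprint HOMEDIR UID -- primary key fingerprint: the value to compare
# with the owner out of band before certifying their key.
fingerprint() {
    gpg --homedir "$1" --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '/^fpr:/ { print $10; exit }'
}

# gpg_demo -- the full round trip; returns 0 only if every step behaved.
gpg_demo() {
    work=$(mktemp -d) || return 1
    A="$work/alice"; B="$work/bob"
    gen_key "$A" "Alice Example" alice@example.org || return 1
    gen_key "$B" "Bob Example"   bob@example.org   || return 1

    # Each side publishes an ASCII-armoured public key (gpg --export -a)
    # and imports the other one's (gpg --import).
    gpg --homedir "$A" --armor --export alice@example.org > "$work/alice.asc"
    gpg --homedir "$B" --armor --export bob@example.org   > "$work/bob.asc"
    gpg --homedir "$B" --quiet --import "$work/alice.asc" || return 1
    gpg --homedir "$A" --quiet --import "$work/bob.asc"   || return 1

    # Bob compares the fingerprint he imported with the one Alice published
    # (here read straight from her keyring), then certifies it locally.
    # Without a certification, batch-mode encryption refuses the key.
    [ "$(fingerprint "$B" alice@example.org)" = "$(fingerprint "$A" alice@example.org)" ] || return 1
    gpg --homedir "$B" --batch --quick-lsign-key "$(fingerprint "$B" alice@example.org)" || return 1
    gpg --homedir "$A" --batch --quick-lsign-key "$(fingerprint "$A" bob@example.org)"   || return 1

    # Bob -> Alice: sign, encrypt, ASCII armour, recipient (the -sear form above).
    printf 'constructed sample message\n' > "$work/msg.txt"
    gpg --homedir "$B" --batch --yes --sign --encrypt --armor --recipient alice@example.org \
        --output "$work/msg.asc" "$work/msg.txt" || return 1
    gpg --homedir "$A" --batch --yes --quiet --output "$work/msg.out" \
        --decrypt "$work/msg.asc" || return 1          # also verifies Bob's signature
    cmp -s "$work/msg.txt" "$work/msg.out" || return 1

    # Alice -> Bob: detached signature on a file; tampering must be detected.
    printf 'constructed release file\n' > "$work/release"
    gpg --homedir "$A" --batch --yes --armor --detach-sign \
        --output "$work/release.asc" "$work/release" || return 1
    gpg --homedir "$B" --batch --verify "$work/release.asc" "$work/release" 2>/dev/null || return 1
    printf 'one appended line\n' >> "$work/release"
    if gpg --homedir "$B" --batch --verify "$work/release.asc" "$work/release" 2>/dev/null; then
        return 1                          # a good signature over altered data is a failure
    fi

    GNUPGHOME="$A" gpgconf --kill gpg-agent 2>/dev/null
    GNUPGHOME="$B" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return 0
}

[ "${1-}" = "--demo" ] && { gpg_demo && echo "GnuPG round trip OK"; }
```

The local signature (--quick-lsign-key, the batch form of --lsign-key) is the right default when certifying a key for one's own use; --sign-key produces an exportable certification that tells the rest of the world you vouched for the key, which should only be done after an in-person or otherwise authenticated fingerprint check.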
Logcheck: one of a network administrator's main tasks is to check the log files daily (more than once a day) to detect possible attacks or intrusions, or events that may be evidence of them. This tool scans the log files, filters out entries that are known to be harmless, and sends a condensed report of problems and potential risks to the administrator, by e-mail for example. The package includes utilities for running it standalone (from cron, typically) and it remembers the last entry checked, so that subsequent runs report only new lines. For information on configuration and installation, consult the references. [Log]
PortSentry and Tripwire: these tools help the network administrator to carry out their security tasks. PortSentry detects port scans (the reconnaissance step that precedes an attack) in real time and can react to them, for example by blocking the scanning host; because the reaction is automatic, an attacker can also abuse it with spoofed scans to get legitimate hosts blocked, so the response should be chosen with care. Tripwire warns administrators of modifications and changes to files, so that an intrusion can be caught before it causes (severe) damage. It compares the current files against a database generated earlier to detect changes (modifications, insertions and deletions), which is very useful for monitoring vital files such as configuration files; the database and Tripwire's own configuration must be kept read-only or off the host, otherwise an intruder who has gained root can simply regenerate them. Consult the references on the installation and configuration of these tools. [Tri]
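The integrity-checking idea behind Tripwire, reduced to its essentials with sha256sum, as an added example that is not Tripwire's own code or configuration: a baseline of file hashes is recorded once, and later runs recompute the hashes and report modified, deleted and newly added files. The sample tree, the "intrusion" performed on it and the paths are constructed for the demonstration; the script assumes GNU coreutils.

```shell
#!/bin/sh
# Tripwire-style file integrity check built on sha256sum. Added example for
# this section, not Tripwire's own code: a baseline of file hashes is taken
# once (and kept read-only or off the host), later runs recompute the
# hashes and report files that were modified, deleted or added. Assumes GNU
# coreutils (sha256sum, find, sort, mktemp); the sample tree is constructed
# by integrity_demo.
#   sh integrity.sh baseline DIR DBFILE   # record the baseline
#   sh integrity.sh check DIR DBFILE      # compare DIR against it
#   sh integrity.sh                       # run the constructed demo

# integrity_baseline DIR DBFILE -- hash every regular file under DIR
integrity_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# integrity_check DIR DBFILE -- compare DIR with the baseline. Prints one
# "MODIFIED/MISSING/NEW <path>" line per change; returns 0 if nothing changed.
integrity_check() {
    now=$(mktemp) || return 2
    integrity_baseline "$1" "$now"
    report=$(awk '
        # sha256sum lines are "<64 hex chars>  <path>"; split by position so
        # that paths containing spaces still work
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in base))         print "NEW      " path
            else if (base[path] != hash) print "MODIFIED " path
        }
        END { for (p in base) if (!(p in seen)) print "MISSING  " p }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# integrity_demo -- build a constructed tree, baseline it, tamper with it the
# way an intruder might, and print the resulting report (return 1 = changes).
integrity_demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/etc/ssh" "$root/etc/cron.d"
    printf 'PermitRootLogin no\n'            > "$root/etc/ssh/sshd_config"
    printf '127.0.0.1 localhost\n'           > "$root/etc/hosts"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
    db="$root.db"                             # keep the database outside the tree
    integrity_baseline "$root" "$db"
    # An untouched tree must pass; anything else is a bug in the checker.
    integrity_check "$root" "$db" > /dev/null || { rm -rf "$root" "$db"; return 2; }

    # Simulated intrusion: weaken sshd, delete a file, plant a cron backdoor.
    printf 'PermitRootLogin yes\n' > "$root/etc/ssh/sshd_config"
    rm "$root/etc/hosts"
    printf '* * * * * root /tmp/.x\n' > "$root/etc/cron.d/backdoor"

    integrity_check "$root" "$db"
    rc=$?
    rm -rf "$root" "$db"
    return "$rc"
}

case ${1-} in
    baseline) integrity_baseline "$2" "$3" ;;
    check)    integrity_check "$2" "$3" ;;
    *)        integrity_demo || : ;;
esac
```

The checker is only as trustworthy as the baseline: store DBFILE on read-only media or on another host, and run the check from a clean environment, because an intruder with root can otherwise rewrite both the files and the database (or the sha256sum binary itself). Tripwire addresses this by signing its database and configuration with keys that are not kept on the monitored host.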
Xinetd: this tool significantly improves the efficiency and performance of inetd and tcp-wrappers. One of its biggest advantages is that it can mitigate denial-of-service attacks through its access-control mechanisms: limits on the number of instances per service and per source address, filtering by client address, restriction of access to certain times of day, and detailed logging. It should not be assumed that xinetd is the most appropriate option for every service (FTP and SSH, for example, are better run as standalone daemons): starting a new process for each connection overloads the system on busy services, and those daemons already have their own secure access-control mechanisms, so running them under a superserver gains nothing. [Xin]
Compiling and/or installing is simple; we only have to configure two files: /etc/xinetd.conf (the xinetd configuration file) and /etc/rc.d/init.d/xinetd (the xinetd start-up script). The first file contains two kinds of section: defaults, which holds the parameters applied to all the services, and one service section for each service that will be activated through xinetd.
A typical example of the configuration might be:
# xinetd.conf
# The default configuration options that are applied to all the
# servers may be modified for each service
defaults
{
    instances      = 10
    log_type       = FILE /var/log/service.log
    log_on_success = HOST PID
    log_on_failure = HOST RECORD
}
# The name of the service must be located in /etc/services to obtain
# the right port
# If the server/port is not a standard one, use "port = X"
service ftp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/proftpd
}
#service telnet
#{
#    socket_type = stream
#    protocol    = tcp
#    wait        = no
#    user        = root
#    no_access   = 0.0.0.0
#    only_from   = 127.0.0.1
#    banner_fail = /etc/telnet_fail
#    server      = /usr/sbin/in.telnetd
#}
service ssh
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    port        = 22
    server      = /usr/sbin/sshd
    server_args = -i
}
service http
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/local/apache/bin/httpd
}
#service finger
#{
#    socket_type = stream
#    protocol    = tcp
#    wait        = no
#    user        = root
#    no_access   = 0.0.0.0
#    only_from   = 127.0.0.1
#    banner_fail = /etc/finger_fail
#    server      = /usr/sbin/in.fingerd
#    server_args = -l
#}
# End of /etc/xinetd.conf
The services commented out with # (telnet and finger) will not be available. In the defaults section we can set parameters such as the maximum number of simultaneous instances of a service, the type of log we require, the nodes from which requests are accepted by default, the maximum number of connections per source IP, or the services enabled through the superserver (imapd or popd), for example:
defaults
{
    instances      = 20
    log_type       = SYSLOG authpriv
    log_on_success = HOST
    log_on_failure = HOST
    only_from      = 192.168.0.0/16
    per_source     = 3
    enabled        = imaps
}
The service section, one for each service, such as:
service imapd
{
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/imapd
    # allows every client...
    only_from      = 0.0.0.0/0
    # ...except this one
    no_access      = 192.168.0.1
    instances      = 30
    log_on_success += DURATION USERID
    log_on_failure += USERID
    nice           = 2
    # forwards this service's connections to port 993 on node 192.168.1.1
    redirect       = 192.168.1.1 993
    # binds the service to one address to avoid service spoofing problems
    bind           = 192.168.10.4
}
The /etc/init.d/xinetd file starts the server (with the appropriate link for the selected runlevels, for example 3, 4 and 5). It is advisable to change the attributes of both files so that they cannot be modified or disabled afterwards: chmod 700 /etc/init.d/xinetd; chown 0:0 /etc/init.d/xinetd; chmod 400 /etc/xinetd.conf; chattr +i /etc/xinetd.conf. Note that the immutable attribute only holds until root runs chattr -i, so it protects against mistakes and careless scripts rather than against an attacker who already has root.
Linuxconf: this is a configuration and administration tool of a GNU/Linux system, but it is considered obsolete for most popular distributions, although it can still be found in some distributions. More information at http://www.solucorp.qc.ca/linuxconf/.
Webmin: this is another tool (packages webmin-core, webmin-dhcp, webmin-inetd, webmin-sshd, etc.) for configuring the network and other aspects of the system through a web interface; it ships with its own small web server (miniserv), so a separate server such as Apache is not required. Although it is still actively developed, many distributions do not include it by default. For more information, visit http://www.webmin.com/. Once installed, open https://localhost:10000 in a browser; it will ask you to accept the (self-signed) SSL certificate and then for a username (initially root) and the corresponding password. Because it runs as root and can change the whole system, access to that port should be restricted to administrative addresses.
System-config-*: in Fedora there are a variety of graphical tools called system-config-"something", where "something" is what each one configures. In a graphical environment each of them can be reached from a menu, but that means remembering where each entry is. system-config-control centralises all of them in a single menu entry and a single graphical interface from which we make our selection with a set of icons. To install it, go to Applications -> Add/Remove Software, which starts the Pirut package manager in root mode (the Fedora Extras repository must be enabled); in the Pirut interface, search for system-config-*, select system-config-control* and click Apply. Among other options, from here we can configure almost all the features of the network and its services.
NetworkManager: this tool manages wireless and wired networks easily and without complications, but it is intended for desktops rather than servers. Installing it is very easy: apt-get install network-manager-xx, where xx is gnome or kde depending on the installed desktop. To hand the interfaces over to it on Debian, remove all the entries in /etc/network/interfaces except the loopback interface, leaving only:
auto lo
iface lo inet loopback
This step is not obligatory, but it speeds up the discovery of networks and interfaces. On Debian there is one extra step: for permission reasons the user must belong to the netdev group. To do this, run (as root, or with sudo) adduser current_user netdev and reboot the system (or restart the network with /etc/init.d/networking restart and log out and back in, so that the new group membership takes effect).
Other tools (some of these are explained in the unit on security): Nmap (network exploration and security auditing), Nessus (remote evaluation of network security), Wireshark, http://www.wireshark.org/download.html (formerly Ethereal; network protocol analyser), Snort (intrusion detection system, IDS), Netcat (simple and powerful utility for debugging and exploring a network), TCPDump (network monitoring and packet capture), Hping2 (generates and sends ICMP/UDP/TCP packets to analyse how a network behaves).