Increase security with extended file attributes - CHATTR
The chattr command changes per-file attribute flags on ext2/ext3/ext4 (and some other Linux) filesystems. One of them, the immutable attribute, makes a file unchangeable, which can be used to protect key configuration files.
#/usr/bin/chattr is the path of the binary. Only root (CAP_LINUX_IMMUTABLE) can set or clear the immutable attribute; a normal user can change the other attributes only on files they own.
#/usr/bin/lsattr reveals the attributes currently set on files.
Setting up the attributes:
First run lsattr on the file to show its current attribute list.
Now set the immutable bit:
#chattr +i sshd_config
Check the file with lsattr again: the "i" flag is now set and the file is immutable. It cannot be modified, deleted, renamed or hard-linked, not even by root, until the attribute is cleared. Note that root can clear it, so against an attacker who already has root this is a speed bump rather than an absolute barrier, and package upgrades that need to rewrite the file will fail until you clear it.
#chattr -i sshd_config removes the attribute.
Some programs rewrite configuration files when a new package is installed, and a cracker or a piece of malware can abuse the same write access; making the file immutable stops that. Another example: if malicious software that has been installed rewrites resolv.conf, it can point name resolution at a rogue DNS server and redirect users to phishing sites. Protecting such files with the immutable attribute therefore makes a lot of sense, as long as you remember to clear it before legitimate changes.
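The same check done across a list of files, as an added example that is not part of the original page: the script parses lsattr output to report which critical files still lack the i flag and, when run as root, sets the flag and verifies that it took. The file list and the function names are my own assumptions; it needs the lsattr and chattr binaries from e2fsprogs.

```python
#!/usr/bin/env python3
"""Audit, and as root enforce, the immutable attribute on critical config files.

Added example, not from the original page. Assumes Linux with e2fsprogs
(lsattr/chattr) and a filesystem that supports inode flags such as ext2/3/4;
CRITICAL_FILES is an assumed list. Setting or clearing +i needs root
(CAP_LINUX_IMMUTABLE), so audit() works unprivileged but protect() does not.
"""
import subprocess
from typing import Dict, Iterable, Optional

# Files whose silent rewrite would hurt most (assumed list; adjust to the host).
CRITICAL_FILES = ["/etc/ssh/sshd_config", "/etc/resolv.conf", "/etc/passwd"]


def parse_lsattr(output: str) -> Dict[str, str]:
    """Map each path in lsattr output to its flag field.

    lsattr prints one line per file, flag field first, e.g.
        ----i---------e------- /etc/ssh/sshd_config
    Diagnostics ("lsattr: No such file or directory while trying to stat ...")
    have no flag field and are skipped, so a missing file reads as unprotected.
    """
    flags: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and all(c == "-" or c.isalpha() for c in parts[0]):
            flags[parts[1]] = parts[0]
    return flags


def is_immutable(flag_field: str) -> bool:
    """Lowercase i is the immutable flag (uppercase I means 'indexed directory')."""
    return "i" in flag_field


def audit(files: Iterable[str], lsattr_output: Optional[str] = None) -> Dict[str, bool]:
    """Return {path: has_immutable_flag}; runs lsattr unless its output is supplied."""
    files = list(files)
    if lsattr_output is None:
        lsattr_output = subprocess.run(
            ["lsattr"] + files, capture_output=True, text=True).stdout
    flags = parse_lsattr(lsattr_output)
    return {path: is_immutable(flags.get(path, "")) for path in files}


def protect(path: str) -> None:
    """chattr +i, then confirm with lsattr that the flag really took effect."""
    subprocess.run(["chattr", "+i", path], check=True)
    shown = subprocess.run(["lsattr", path], capture_output=True, text=True, check=True).stdout
    if not audit([path], shown)[path]:
        raise RuntimeError(f"immutable flag not visible on {path}")


def unprotect(path: str) -> None:
    """chattr -i: required before package upgrades or edits can touch the file again."""
    subprocess.run(["chattr", "-i", path], check=True)


if __name__ == "__main__":
    for path, locked in audit(CRITICAL_FILES).items():
        print(f"{'immutable' if locked else 'WRITABLE '} {path}")
```

Run it unprivileged to audit; protect() and unprotect() need root. Verifying with lsattr after chattr matters because chattr exits successfully on some filesystems that silently ignore the flag.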
SNIFFING clear-text communication using TCPDUMP.
Data passing over the wire can be sniffed and reveals almost everything it carries. Here we show sniffing a TELNET session; the same method works for FTP, which also sends its credentials in the clear.
Sniffing a Telnet session between 2 machines
Now act as a man in the middle and start sniffing the data. On a switched network the sniffing host must be in the path of the traffic, or receive a mirrored copy of it, to see these packets. (Ethereal, today called Wireshark, is another tool to sniff the network.)
# /usr/sbin/tcpdump -i eth0 -w tcpdump.log dst port 23
This captures, in promiscuous mode, all packets on eth0 with destination port 23 and logs them to the file tcpdump.log. Note that "dst port 23" keeps only the client-to-server direction (the keystrokes); use "port 23" instead to capture both directions, including the server's prompts and output.
Now start analysing the data that has been sniffed.
# tcpdump -r tcpdump.log
Use the -A switch to print each packet's contents in ASCII as well. The same capture file can also be analysed with Ethereal.
# ethereal -gnome (then open the file captured by tcpdump)
In Ethereal, right-click any packet of the Telnet session and choose "Follow TCP Stream" to see the whole conversation, including the credentials and the commands executed.
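The "Follow TCP Stream" step done offline against the file written by tcpdump -w, as an added example that is not part of the original page: a small libpcap reader that reassembles both sides of the Telnet session and pulls out the username and password typed at the "login:" and "Password:" prompts. It assumes the capture was made with "port 23" (both directions) on an Ethernet interface; the session it runs on is constructed inline, not real traffic, and the function names are mine.

```python
#!/usr/bin/env python3
"""Follow the Telnet TCP stream in a capture written by `tcpdump -w`.

Added example, not from the original page. Parses the classic libpcap format
(Ethernet link type), keeps the TCP segments of the Telnet session, drops
retransmissions and interleaves the two directions by capture time, the view
Ethereal's "Follow TCP Stream" gives. Assumes in-order delivery (fine between
2 hosts on a LAN); Telnet IAC option bytes are not stripped. The capture from
sample_telnet_capture() is constructed, not real traffic.
"""
import struct
from typing import Dict, List, Tuple

PCAP_MAGIC, PCAP_MAGIC_SWAPPED, LINKTYPE_ETHERNET = 0xA1B2C3D4, 0xD4C3B2A1, 1


def parse_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Return (timestamp, frame) for every record in a libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    frames, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append((sec + usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return frames


def tcp_segments(frames, port: int):
    """Yield (ts, to_server, seq, payload) for data-carrying TCP segments of `port`."""
    for ts, frame in frames:
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":      # IPv4 only
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                            # not TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]                        # skip TCP header + options
        if payload and port in (sport, dport):
            yield ts, dport == port, seq, payload


def follow_stream(pcap: bytes, port: int = 23) -> List[Tuple[str, bytes]]:
    """Merge both directions into [(side, bytes), ...], like Follow TCP Stream."""
    seen, ordered = set(), []
    for ts, to_server, seq, payload in tcp_segments(parse_pcap(pcap), port):
        if (to_server, seq) in seen:          # retransmission: keep the first copy only
            continue
        seen.add((to_server, seq))
        ordered.append((ts, "client" if to_server else "server", payload))
    transcript: List[Tuple[str, bytes]] = []
    for _, side, payload in sorted(ordered, key=lambda s: s[0]):
        if transcript and transcript[-1][0] == side:   # join keystroke-per-packet data
            transcript[-1] = (side, transcript[-1][1] + payload)
        else:
            transcript.append((side, payload))
    return transcript


def extract_credentials(transcript) -> Dict[str, str]:
    """The client's answers to the "login:" and "Password:" prompts, sent in the clear."""
    creds: Dict[str, str] = {}
    for (side, data), (next_side, answer) in zip(transcript, transcript[1:]):
        if side != "server" or next_side != "client":
            continue
        reply = answer.split(b"\r\n")[0].decode("ascii", "replace")
        if data.rstrip().endswith(b"login:"):
            creds["username"] = reply
        elif data.rstrip().endswith(b"Password:"):
            creds["password"] = reply
    return creds


def build_frame(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with zero MACs and checksums (the parser ignores both)."""
    ip_addr = lambda s: bytes(int(o) for o in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     ip_addr(src_ip), ip_addr(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 512, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp + payload


def sample_telnet_capture() -> bytes:
    """Constructed capture of a Telnet login (not real traffic); username typed char by char."""
    client, server, cport = "192.168.1.10", "192.168.1.20", 40001
    exchange = [(False, b"login: "), (True, b"r"), (True, b"o"), (True, b"o"), (True, b"t"),
                (True, b"\r\n"), (False, b"Password: "), (True, b"s3cret!\r\n"),
                (False, b"Last login: Mon Jan  1 10:00:00 on pts/0\r\n# "),
                (True, b"cat /etc/shadow\r\n")]
    frames, seq = [], {True: 1000, False: 5000}
    for from_client, payload in exchange:
        src, dst, sp, dp = (client, server, cport, 23) if from_client else (server, client, 23, cport)
        frames.append(build_frame(src, dst, sp, dp, seq[from_client], payload))
        seq[from_client] += len(payload)
    frames.append(frames[1])                  # a retransmitted "r" the reassembly must drop
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = (struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames))
    return header + b"".join(records)


if __name__ == "__main__":
    session = follow_stream(sample_telnet_capture())
    for side, data in session:
        print(f"{side:>6}: {data!r}")
    print(extract_credentials(session))
```

To run it on a real file, pass open("tcpdump.log", "rb").read() to follow_stream(). The sample omits the server's echo of each typed character; on a real character-at-a-time session those echoes would have to be filtered out before pairing prompts with replies.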
For SSH, by contrast, the same view shows only encrypted data.
So insist on encrypted protocols. For SSH, prefer public-key authentication over passwords: the private key never leaves the client, so no reusable credential crosses the wire, and a guessed or phished password gives the attacker nothing. (With SSH password authentication the password is at least encrypted in transit, but it remains guessable and reusable.)