Wednesday, October 7, 2009

Linux Security Notes 7: CHATTR & TCPDUMP

Increase security with extended file attributes - CHATTR
    The chattr command allows files to be set to unchangeable (immutable). This can be used to protect key configuration files.

#/usr/bin/chattr is the path of the binary. To change the attributes, a normal user needs to own the file.
#/usr/bin/lsattr is used to reveal the extended attributes on files.

Setting up the attributes:
#lsattr /etc/ssh/sshd_config
    This will show the attributes list for the file
Now set the bit
#chattr +i sshd_config
    Now check the file with lsattr and you can see that the "i" attribute has been set on the file. Thus the file has become immutable (even as root we will be unable to modify the file).
#chattr -i sshd_config removes the attribute.
    Some programs update configuration files when a new package is installed, and this behaviour can be exploited by a cracker; in such a case this feature is useful. Another example: if a malicious program has been installed and changes resolv.conf, it can redirect all requests to phishing websites. So using this feature makes very good sense.

SNIFFING clear-text communication using TCPDUMP.

    The data passing through the wire can be sniffed and can reveal almost all of the information. Here we will show the sniffing of data sent through TELNET; the same method can be followed to sniff FTP communication.

Sniffing a Telnet session between 2 machines

Now pretend to be a man in the middle and start sniffing data. (Ethereal is another tool to sniff the network.)

# /usr/sbin/tcpdump -i eth0 -w tcpdump.log dst port 23
    This will start capturing, in promiscuous mode, all packets on eth0 that have destination port 23 and will log them to the file tcpdump.log.

Now start analysing the data that has been sniffed.
# tcpdump -r tcpdump.log
    Use the -A switch for more details. We can use the Ethereal tool to analyse the same file captured by tcpdump.

# ethereal -gnome (open the same file captured by tcpdump)
Using Ethereal we can "Follow TCP Stream" by right-clicking any Telnet stream to find out all of the communication, including the credentials and the commands executed.
But for SSH we can see that everything has been encrypted.
    So we have to insist on encryption-based communication, and use password-less (key-based) authentication, which is more secure than password-based authentication because the credentials are not passed over the wire in this case.
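The capture steps above show what a sniffer sees. As an added example (not part of the original post), the following Python script does the defender's version of the same check: it parses a classic pcap file such as the one tcpdump -w writes, flags any telnet or FTP session in either direction (the page's filter only matches dst port 23), and reports how many clear-text bytes each session carried without dumping their contents. The pcap parser, the port table and the sample capture are all constructed here for illustration.

```python
import socket
import struct

CLEARTEXT_PORTS = {23: "telnet", 21: "ftp"}   # protocols that send credentials in the clear

def iter_frames(pcap):
    """Yield the raw Ethernet frames of a classic libpcap file (either byte order)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                            # too short, not IPv4, or not TCP
    ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + ip_len]          # IP total length strips Ethernet padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            sport, dport, tcp[(tcp[12] >> 4) * 4:])   # data offset is in 32-bit words

def find_cleartext_sessions(pcap):
    """Map (client, server, protocol) -> payload bytes seen, counting both directions."""
    found = {}
    for src, dst, sport, dport, payload in filter(None, map(parse_tcp, iter_frames(pcap))):
        proto = CLEARTEXT_PORTS.get(dport) or CLEARTEXT_PORTS.get(sport)
        if proto is None:
            continue                           # e.g. SSH on port 22 is left alone
        client, server = (src, dst) if dport in CLEARTEXT_PORTS else (dst, src)
        found[client, server, proto] = found.get((client, server, proto), 0) + len(payload)
    return found

def build_pcap(*segments):
    """Constructed test input: a pcap of IPv4/TCP frames given as (src, dst, sport, dport, payload)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, sport, dport, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip    # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = build_pcap(("10.0.0.9", "10.0.0.5", 23, 50001, b"login: "),          # telnet prompt
                    ("10.0.0.5", "10.0.0.9", 50001, 23, b"alice\r\n"),         # telnet reply
                    ("10.0.0.5", "10.0.0.9", 50002, 22, b"SSH-2.0-OpenSSH\r\n"))  # must not flag
```

Run it against a real file with find_cleartext_sessions(open("tcpdump.log", "rb").read()); any non-empty result is a host pair that should be moved to SSH or SFTP.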
