LinuxCBT feat. SUSE 10 Enterprise Edition
Training Notes – 20061002.01
Table of Contents
Boot Process
Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities
Standard Linux Shell Rules
Secure Shell (SSH)
Virtual Network Computing (VNC)
RDesktop Client (RDP)
Name Resolution Utilities
NETSTAT
IFCONFIG
RPM
User & Group Creation/Management
File Permissions
Symbolic Links (Shortcuts)
Provisioning of additional file systems/mount points
RAID Partitions
Logical Volume Management - Disk Aggregation Mechanism
SWAP Storage Provisioning
SYSLOG-NG Implementation
Log Rotation
Cron - System Scheduler
Network Time Protocol (NTP)
BIND DNS Configuration
DHCPD - Server
Samba Services - Integrates Windows with Unix/Linux
Samba Web Administration Tool (SWAT)
Network File System (NFS)
Remote Synchronization (RSYNC)
Apache HTTPD - Web Server
Apache Logging
Virtual Hosts (VHOSTS)
MySQL Implementation
PHPMyAdmin - Implementation
Postfix MTA
Courier-MTA - IMAP
SquirrelMail - Web-based Mail integration
Pure-FTPD
Xen Virtualization
XINETD - Super Server
TCP Wrappers - tcpd
IPTables Implementation & Operation
IPTables Usage
Network Mapper (Nmap)
Nessus - Vulnerability Scanner
TCPDump - Packet Sniffer
Ethereal - Network Analysis Tool
Snort Network Intrusion Detection System (NIDS)
BASE Installation
Boot Process
1. BIOS - Initializes hardware
2. Grand Unified Boot Loader (GRUB) - Stage 1 (Master Boot Record - 512 bytes) -> Stage 1.5 (file system drivers: XFS, EXT2, EXT3, ReiserFS)
3. OS (Linux) Kernel - Initializes/Detects/provides support for hardware
4. INIT(PID=1) - Loads services for various run levels (cumulative)
###INIT - The First User-mode Process###
/etc/inittab
Runlevel (0-6) Definitions:
0 - shutdown
1 - single user mode - NO Networking
2 - Multi-user, minus NFS & networking
3 - Multi-user
4 - Unused, reserved for ISVs, or for customization
5 - Multi-user with graphics (X11/X.org)
/etc/init.d/runlevel directory (/etc/init.d/rc5.d)
- Contains symlinks to programs in /etc/init.d, prefixed with K (Kill) or S (Start)
- Each service/daemon is started/killed in numerical order; i.e. K01acpid, K09apmd
Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities
tty = reveals current Teletype Terminal (TTY)
w = reveals currently logged-in sessions
ls/dir(alias to ls -l)
ls -lF - returns long format and '/' at the end of directories
ls -lF | grep /
touch - creates empty files / updates time stamps(atime/mtime) on objects
rm - removes objects (files/directories/etc.)
echo - echoes values and variables
echo $? - returns exit status of previously-executed command
set || env - reveals current shell variables
pwd - returns working directory
cd - changes directories; with no options, places us in HOME directory
mkdir - creates a directory
whoami - returns currently logged-in user
su - switches users
BASH communicates user status (privileged/non-privileged) via the prompt:
1. a prompt that terminates with '#' reflects the 'root' user
2. a non-'#' prompt indicates a non-root user
id - reveals id information (uid,gid,groups)
cp - copies files(files/directories)
mv - moves/renames files, and tries to preserve timestamp
stat - returns properties (size,inode,atime,mtime,ctime,perms,etc.) of files
Standard Linux Shell Rules
STDIN - Standard In - Default = Keyboard - '<'
STDOUT - Standard Out - Default = Monitor - '>'
STDERR - Standard Error - Default = STDOUT - '2>'
ls deano.txt 2> error.txt
grep linuxcbt 2>&1
File Descriptors:
0 = STDIN
1 = STDOUT
2 = STDERR
Piping - permits the connection of STDOUT & STDIN
cat test2.txt | grep directories | grep removes
Command Chaining - permits execution of multiple commands
command1 && command2 - runs command2 IF command1 is successful (logical AND)
command1 || command2 - runs command2 IF command1 fails
command1 ; command2 ; command3 - all commands execute
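The redirection, file-descriptor, exit-status and chaining rules above exercised in one added script (mine, not from the LinuxCBT notes); it also shows why the position of 2>&1 matters, which the notes do not cover. Scratch files go under $TMPDIR.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: exercises the redirection,
# file-descriptor, exit-status and chaining rules listed above. Assumes a
# POSIX shell; scratch files go under $TMPDIR (default /tmp).
WORK="${TMPDIR:-/tmp}/shellrules.$$"
mkdir -p "$WORK"

# Writes one line to fd 1 (STDOUT) and one line to fd 2 (STDERR).
noisy() {
    echo "to stdout"
    echo "to stderr" >&2
}

# '>' captures only STDOUT and '2>' only STDERR; returns the STDERR text.
split_streams() {
    noisy > "$WORK/out.txt" 2> "$WORK/err.txt"
    cat "$WORK/err.txt"                     # -> to stderr
}

# Redirections apply left to right, so where '2>&1' sits matters:
#   > file 2>&1 : STDERR follows STDOUT into the file (2 lines)
#   2>&1 > file : STDERR is tied to what STDOUT was *before* the file
#                 redirection, so only STDOUT reaches the file (1 line)
lines_in_file_after() {
    case "$1" in
        both) noisy > "$WORK/both.txt" 2>&1; f="$WORK/both.txt" ;;
        one)  ( noisy 2>&1 > "$WORK/one.txt" ) > /dev/null; f="$WORK/one.txt" ;;
    esac
    wc -l < "$f" | tr -d ' '
}

# '$?' holds the last command's exit status; grep returns 1 when nothing
# matches. '|| status=$?' records it without aborting under 'set -e'.
exit_status_demo() {
    status=0
    grep linuxcbt /dev/null || status=$?
    echo "$status"                          # -> 1
}

# '&&' runs the right side only on success, '||' only on failure, ';' always.
chaining_demo() {
    out=""
    true  && out="${out}A"
    false && out="${out}B"
    true  || out="${out}C"
    false || out="${out}D"
    true  ;  out="${out}E"
    echo "$out"                             # -> ADE
}
```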
###More Key Shell Commands###
file - determines the type of file queried
which - identifies location in path of queried program
history - returns list of recently-run commands up to $HISTSIZE=1000
~/.bash_history - stores the user's history of commands
ps -ef - returns ALL running programs - UID,PID,PPID,STIME,etc.
top - returns top running programs
Common Clients - FTP,LFTP,Wget,SSH
FTP - interactive client used to connect to FTP servers
LFTP - supports many protocols (HTTP/FTP/HTTPS/etc.) and runs interactively/non-interactively(scripted)
Wget - supports many protocols, however, runs non-interactively
wget http://192.168.1.197/SUSE10/suse/i586/MozillaFirefox-1.5.0.4-1.9.i586.rpm
wget ftp://linuxcbt:abc123@linuxcbtmedia1/1million.txt
###Other basic utilities###
tar with gzip & bzip2 support
tar -czvf 1million.tgz 1million.txt
tar -cjvf 1million.bz2 1million.txt
Secure Shell (SSH)
SSH - provides encrypted communications for Telnet/FTP-like sessions
First outbound SSH connection yields ~/.ssh/known_hosts (lists trusted hosts)
File is appended as new connections are established
PKI - Password-less Login
Must generate RSA/DSA PKI (Public/Private) keys - 'ssh-keygen'
Note: public key is used to encrypt information to the recipient
Note: private key is used to decrypt information received
Note: keys are user and host specific
ssh-copy-id -i ~/.ssh/id_rsa.pub linuxcbtsuse2
SCP - SFTP - SSH
SCP - performs non-interactive, LFTP/Wget-like, file transfers
scp source_file destination_file:
scp linuxcbtsuse2:path_to_file local_path (.//tmp)
SFTP - performs interactive, FTP-like transfers
sftp linuxcbtsuse2 - connects as 'linuxcbt' to remote system
sftp root@linuxcbtsuse2 - connects as 'root' to remote system
ALL sessions/transports are encrypted
Virtual Network Computing (VNC)
Note: Cross-platform capable
- client (Windows/MAC OS X/Linux/Solaris/Unix)
- client can differ from server
vncviewer - primary VNC client application
RDesktop Client (RDP)
- Permits easy connections to Windows 2000/2003/TS4/XP Boxes
rdesktop -g 640x480 -a 16 192.168.1.102
Other key network utilities/clients
PING - uses ICMP to probe hosts on local and/or remote subnets
- Default in Linux is to PING continuously
- Default PING size = 64 bytes
- Default interval = 1 second
- Default Time To Live (TTL) = 64
- PING sends ICMP(Echo) Packets & expects ICMP(Echo Reply) in return
- ping linuxcbtsuse2
Traceroute - maps the network between 2 hosts by displaying routers
Note: traceroute determines that host is router when the TTL is decremented,
and, indicates as such in its output
traceroute destination - traceroute 192.168.1.102
Note: some firewalls will NOT decrement the TTLs in ICMP packets
Matt's Traceroute (MTR)
Address Resolution Protocol (ARP) - reveals ARP table - layer-2 addresses
arp
ARP resolution example:
linuxcbtsuse2 (Layer-4) -> 192.168.1.197 (Layer-3) -> 00:12:3F:10:C6:93 (Layer-2)
www.insecure.org - Nmap - to find list of security utilities
Name Resolution Utilities
/etc/nsswitch.conf - controls the resolution source/order
ping linuxcbtsuse2 -> hosts(/etc/hosts) -> DNS
/etc/nsswitch.conf
-hosts: files(/etc/hosts) dns(/etc/resolv.conf)
DIG - dig
- queries standard DNS servers
- dig linuxcbtsuse2.linuxcbt.internal
- dig www.linuxcbt.com - queries local DNS server for this forward record
- dig linuxcbt.com mx - returns MX record type
- dig -x 192.168.1.100 - performs reverse query
- dig @ns1.linuxgenius.com www.linuxcbt.com
- host www.linuxcbt.com - returns A|CNAME records & IP address
- hostname - returns local short hostname
- hostname -f returns Fully-Qualified Domain Name (FQDN)
NETSTAT
- displays open sockets - client(1)SYN -> server(2)SYN-ACK -> client(3)ACK -> ESTABLISHED
Usage:
- netstat - displays open sockets with name resolution
- netstat -n displays open sockets without name resolution
Note: names are resolved using a combination of /etc/hosts & DNS
Note: services(ftp/http/etc.) are resolved via /etc/services
Note: protocols(tcp/ip/udp/unix/etc.) are resolved via /etc/protocols
client <-> server
man netstat - explore socket states
Important states:
- ESTABLISHED
- LISTEN
- SYN_SENT - waiting for SYNACK from remote system
- SYN_RECV - unable to respond to SYN_SENT
- FIN_WAIT1 - awaiting shutdown of socket
- netstat -a - reveals ALL protocols
- netstat -i - displays network interfaces
- netstat -s - displays protocol stats
- netstat -rn
- netstat -nl / netstat -ntl / netstat -nul
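An added example (not from the LinuxCBT notes) that turns netstat -ntl output into the list of network-reachable TCP listeners and flags any port not on an expected baseline; the netstat output in SAMPLE is constructed, and the baseline "22 80" is an assumption.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: turns 'netstat -ntl' output
# into the list of TCP listeners other hosts can reach and compares it
# with an expected baseline. SAMPLE is constructed netstat output.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.197:5901      0.0.0.0:*               LISTEN'

# Reads netstat -ntl output on stdin and prints "address port" for each
# LISTEN socket not bound to loopback. Column 4 is "addr:port"; IPv6
# rows (tcp6) are skipped here to keep the address split simple.
network_listeners() {
    awk '$1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":")        # port is the last piece
            if (a[1] != "127.0.0.1") print a[1], a[n]
         }'
}

# Prints listeners whose port is not in the space-separated baseline $1.
# Anything printed is worth a look: a service nobody provisioned, or one
# that should have been bound to 127.0.0.1 the way mysql (3306) is above.
unexpected_listeners() {
    baseline=" $1 "
    network_listeners | while read -r addr port; do
        case "$baseline" in
            *" $port "*) ;;              # in the baseline, nothing to say
            *) echo "$addr:$port" ;;
        esac
    done
}

# Against a live SUSE host: netstat -ntl | unexpected_listeners "22 80"
report_from_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_listeners "22 80"
}
```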
IFCONFIG
- ifconfig eth2 down - downs the eth2 interface
- ifconfig -a - displays ALL (active/inactive) interfaces
- ifconfig eth2 172.20.10.1
Note: changes to inactive interfaces usually activate the interface
Note: omitting the subnet mask when defining an interface causes Linux to derive both the subnet mask and the broadcast address from class rules.
- ifconfig eth2 172.20.10.1 netmask 255.255.255.0
Alias/sub-interface configuration:
- ifconfig eth0:1 192.168.1.41 /24 - 255.255.255.0
- ifconfig eth0:2 192.168.1.42
Note: /etc/sysconfig/network - stores interface and global network configuration files
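A worked illustration of the class-rule note above, added here and not part of the LinuxCBT notes: it computes the netmask and broadcast address ifconfig assumes when an address is given without a netmask, generalised to any class A/B/C address. Function names are mine; nothing is applied to a live interface.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: computes the netmask
# and broadcast address ifconfig derives from classful (first-octet)
# rules when 'netmask' is omitted, as in 'ifconfig eth2 172.20.10.1'.
# POSIX sh arithmetic only; nothing is configured on a live interface.

# Class A (0-127) -> /8, Class B (128-191) -> /16, Class C (192-223) -> /24
classful_prefix() {
    first=${1%%.*}
    if   [ "$first" -lt 128 ]; then echo 8
    elif [ "$first" -lt 192 ]; then echo 16
    elif [ "$first" -lt 224 ]; then echo 24
    else echo "no classful mask for $1 (class D/E)" >&2; return 1
    fi
}

# Dotted quad <-> 32-bit integer helpers.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

ALL_ONES=4294967295   # 0xFFFFFFFF, keeps the maths inside 32 bits

classful_mask() {
    p=$(classful_prefix "$1") || return 1
    int_to_ip $(( (ALL_ONES << (32 - p)) & ALL_ONES ))
}

# Broadcast = address with every host bit set to 1.
classful_broadcast() {
    p=$(classful_prefix "$1") || return 1
    mask=$(( (ALL_ONES << (32 - p)) & ALL_ONES ))
    int_to_ip $(( $(ip_to_int "$1") | (~mask & ALL_ONES) ))
}

# "address mask broadcast" on one line, ready to compare with what was
# intended. 172.20.10.1 lands on a /16, so a host meant for the
# 172.20.10.0/24 network will ARP for all of 172.20.x.x instead of routing.
classful_config() {
    echo "$1 $(classful_mask "$1") $(classful_broadcast "$1")"
}
```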
RPM
- permits the categorization/installation/upgrade/freshen/removal of packages
Query existing packages:
- rpm -qa - lists ALL installed packages
- rpm -ql name_of_package; i.e. rpm -ql rdesktop
- rpm -qpl package_name - queries package on file system
Install packages:
- rpm -ivh - installs packages
6. Download & configure BASE
1. make clean && ./configure --with-mysql --enable-dynamicplugin
2. make && make install
$HOME_NET 192.168.1.0/24
$RULE_PATH /etc/snort/rules
output database: log, mysql...
mysql
- create database snort;
- grant ALL on snort.* to snort@localhost identified by 'snortabc123';
- grant ALL on snort.* to snort identified by 'snortabc123';
mysql -pabc123 < create_mysql snort
NIDS Mode Invocation
/usr/local/bin/snort -c /etc/snort.conf -i eth0 -g snort -D (-D daemonizes snort)
Download and extract rules files to /etc/snort/rules
BASE Installation
Requirements:
1. php support for MySQL
2. php gd support - optional
3. adodb - sourceforge.net - /srv/www/adodb
Note: BASE extends the 'snort' DB schema