
SUSE LINUX Security

Novell Training Services


SELF-STUDY WORKBOOK

COURSE 3058

www.novell.com

Version 1

Proprietary Statement
Copyright 2005 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express prior consent of the publisher. This manual, and any portion thereof, may not be copied without the express written permission of Novell, Inc. Novell, Inc. 1800 South Novell Place Provo, UT 84606-2399

Trademarks
Novell, Inc. has attempted to supply trademark information about company names, products, and services mentioned in this manual. The following list of trademarks was derived from various sources.

Novell, Inc. Trademarks


NetWare, the N-Design, and Novell are registered trademarks of Novell, Inc. in the United States and other countries. CNA, CDE, CNI, NAEC, and Novell Authorized Education Center are service marks and CNE is a registered service mark of Novell, Inc. in the United States and other countries. ConsoleOne, DirXML, and eDirectory are trademarks of Novell, Inc. GroupWise is a registered trademark of Novell, Inc. Hot Fix and IPX are trademarks of Novell, Inc. NDS, Novell Directory Services, and NDPS are registered trademarks of Novell, Inc. NetWire is a registered service mark of Novell, Inc. in the United States and other countries. NLM and Novell Certificate Server are trademarks of Novell, Inc. Novell Client, Novell Cluster Services, and Novell Distributed Print Services are trademarks of Novell, Inc. ZENworks is a registered trademark of Novell, Inc.

Disclaimer
Novell, Inc. makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes in its content at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. makes no representations or warranties with respect to any NetWare software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of NetWare software at any time, without obligation to notify any person or entity of such changes. This Novell Training Manual is published solely to instruct students in the use of Novell networking software. Although third-party application software packages are used in Novell training courses, this is for demonstration purposes only and shall not constitute an endorsement of any of these software applications. Further, Novell, Inc. does not represent itself as having any particular expertise in these application software packages and any use by students of the same shall be done at the student's own risk.

Other Trademarks
Adaptec is a registered trademark of Adaptec, Inc. AMD is a trademark of Advanced Micro Devices. AppleShare and AppleTalk are registered trademarks of Apple Computer, Inc. ARCserv is a registered trademark of Cheyenne Software, Inc. Btrieve is a registered trademark of Pervasive Software, Inc. EtherTalk is a registered trademark of Apple Computer, Inc. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. LocalTalk is a registered trademark of Apple Computer, Inc. Lotus Notes is a registered trademark of Lotus Development Corporation. Macintosh is a registered trademark of Apple Computer, Inc. Netscape Communicator is a trademark of Netscape Communications Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. Pentium is a registered trademark of Intel Corporation. Solaris is a registered trademark of Sun Microsystems, Inc. The Norton AntiVirus is a trademark of Symantec Corporation. TokenTalk is a registered trademark of Apple Computer, Inc. Tru64 is a trademark of Digital Equipment Corp. UNIX is a registered trademark of the Open Group. WebSphere is a trademark of International Business Machines Corporation. Windows and Windows NT are registered trademarks of Microsoft Corporation.

Software Piracy
Throughout the world, unauthorized duplication of software is subject to both criminal and civil penalties. If you know of illegal copying of software, contact your local Software Antipiracy Hotline. For the Hotline number for your area, access Novell's World Wide Web page at http://www.novell.com and look for the piracy page under Programs. Or, contact Novell's anti-piracy headquarters in the U.S. at 800-PIRATES (7472837) or 801-861-7101.

Contents

SUSE LINUX Security Self-Study Workbook
  Introduction (Intro-1)
  SUSE LINUX Enterprise Server 9 Setup Instructions (Intro-2)
    Access the SUSE LINUX Enterprise Server 9 as a VMware Server (Intro-2)
    Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST (Intro-8)
  Scenario (Intro-11)

SECTION 2 Host Security
  Exercise 2-1 Install SLES 9 with a Customized Partition Scheme (2-2)
  Exercise 2-2 Change PAM Configuration to Disable Graphical Root Login (2-6)
  Exercise 2-3 Subscribe to the SUSE Security Announcements (2-8)
  Exercise 2-4 Use nmap to Scan for Open Ports (2-9)
  Exercise 2-5 Run a nessus Scan (2-10)

SECTION 3 Cryptography: Basics and Practical Application
  Exercise 3-1 Create a CA and Certificates on the Command Line (3-2)
  Exercise 3-2 (optional) Create a Root CA and Certificates Using YaST (3-5)
  Exercise 3-3 (optional) Work with GPG (3-6)

SECTION 4 Network Security
  Exercise 4-1 Configure the TCP Wrapper (4-2)
  Exercise 4-2 Use stunnel to Secure POP3 with SSL (4-5)

SECTION 6 Packet Filters
  Exercise 6-1 Get Familiar with Basic iptables Syntax (6-2)
  Exercise 6-2 Modify the Script to Set and Delete iptables Rules (6-15)
  Exercise Answers (6-19)

SECTION 7 Application-level Gateway
  Exercise 7-1 Install and Configure Squid (7-2)
  Exercise 7-2 Configure SSL in Squid (7-7)
  Exercise 7-3 Configure Proxy Authentication (7-10)
  Exercise 7-4 Configure Content Filtering (7-14)
  Exercise 7-5 Analyze Squid Log File (7-17)
  Exercise 7-6 Use Dante (7-19)
  Exercise 7-7 Configure rinetd (7-25)

SECTION 8 Virtual Private Networks
  Exercise 8-1 Establish a VPN Connection (8-2)
  Exercise 8-2 (optional) Create a VPN Configuration Using YaST (8-6)
  Exercise 8-3 (optional) Filter IPSec Traffic (8-8)

SECTION 9 Intrusion Detection and Incident Response
  Exercise 9-1 Log to a Remote Host (9-2)
  Exercise 9-2 Use Argus (9-4)

SECTION 10 LiveFire Exercise
  Scenario (10-2)
  Section 1 Set Up the Application-Level Gateway (10-4)
  Section 2 Set Up the Screening Router (10-5)
  Section 3 Set Up a Web Server in the DMZ (10-6)
  Section 4 Set Up the Mail Server in the LAN (10-7)
  Section 5 Set Up the VPN Gateway (10-8)

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.


SUSE LINUX Security Self-Study Workbook

This workbook is designed to help you practice the skills associated with the Course 3058 (SUSE LINUX Security) objectives outside of a classroom.

Introduction

The skills introduced in this workbook are critical for performing security-related administrative tasks on SUSE LINUX Enterprise Server 9, and are necessary for passing the Novell CLE9 (Certified Linux Engineer) practicum. The exercises in this workbook are the same as those included in your Course 3058 SUSE LINUX Security manual, but with modifications and notes to help you perform the exercises on a single computer without relying on an instructor or on a partner's SUSE LINUX Enterprise Server 9 server.

If you experience any problems using the SUSE LINUX Enterprise Server 9 VMware Server DVD or the Self-Study Workbook, please email your questions or comments to EDCustomer@novell.com.


SUSE LINUX Enterprise Server 9 Setup Instructions

Before starting the exercises in this workbook, you need to set up a SUSE LINUX Enterprise Server 9 server with the same configuration as that provided in the classroom. Two solutions are provided for you:

- Access the SUSE LINUX Enterprise Server 9 as a VMware Server (Intro-2)
- Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST (Intro-8)

Access the SUSE LINUX Enterprise Server 9 as a VMware Server

If you want to avoid dedicating a computer to a SUSE LINUX Enterprise Server 9 installation, you can use the SUSE LINUX Enterprise Server 9 VMware virtual server provided on the SUSE LINUX Enterprise Server 9 VMware Server DVD. The following guides you through installing and using the SUSE LINUX Enterprise Server 9 VMware server:

- Check Setup Prerequisites
- Install the SUSE LINUX Enterprise Server 9 VMware Server
- Configure the SUSE LINUX Enterprise Server 9 VMware Server
- Start the SUSE LINUX Enterprise Server 9 VMware Server
- VMware Workstation Tips


Check Setup Prerequisites

The following items are required to run the SUSE LINUX Enterprise Server 9 VMware server on your computer:

Table Intro-1

Item                                                  Requirement
Memory                                                256 MB RAM (minimum)
Hard Drive Space                                      3.4 GB
DVD-ROM Drive                                         For reading the SUSE LINUX Enterprise Server 9 Self-Study Server DVD and other CDs required for the exercises
Software                                              VMware Workstation 5 or later (Windows or Linux)
SUSE LINUX Enterprise Server 9 Self-Study Server DVD  Contains the SUSE LINUX Enterprise Server 9 VMware Server files

Although you can run the SUSE LINUX Enterprise Server 9 VMware server with 256 MB of RAM, the time needed for some Linux administration tasks (such as using YaST) can be significantly reduced by allocating more memory to the VMware server. If you do not own a copy of VMware Workstation (or have a version earlier than 5), you can download and install a VMware Workstation 5 30-day evaluation copy from www.vmware.com.


Install the SUSE LINUX Enterprise Server 9 VMware Server

Once you have VMware Workstation 5 installed on your host computer, do the following to install the SUSE LINUX Enterprise Server 9 VMware server:

1. Insert the SUSE LINUX Enterprise Server 9 Self-Study Server DVD in your DVD-ROM drive.

2. Copy the VMware server files on the DVD to a directory on your hard drive. We recommend creating a specific directory (such as /tmp/vmware/SLES9_3058) to store the files.

3. Start VMware Workstation 5.

4. Select File > Open ...

5. Browse to and open the sles.vmx file. The SLES9_3058 VMware server opens in VMware Workstation and is ready to start.

6. Some exercises require a second computer. Create a second VMware machine by creating another directory (such as /tmp/vmware/SLES9_3058-2) on the VMware host and repeating Steps 2 - 5. The second machine is a copy of the first, so it starts with the same hostname; give it a different hostname to avoid mixing up the two machines.


Configure the SUSE LINUX Enterprise Server 9 VMware Server

Before starting SUSE LINUX Enterprise Server 9, do the following:

1. Select VM > Settings. A Virtual Machine Settings dialog appears. From this dialog you can adjust the settings for several devices, such as memory, floppy drive, and network adapter, before starting the virtual server.

2. Check the following device settings:

   Memory. This setting is the amount of host memory used by the SUSE LINUX Enterprise Server 9 virtual server. Although you can run the virtual server with 256 MB of memory, we recommend increasing the amount (when possible) to speed up certain administrative tasks (such as starting X Window or using the GUI version of YaST).

   DVD/CD-ROM. This is the DVD drive on your host computer, and should be set as a physical drive. We recommend leaving the default setting at auto detect for Windows. If you are running VMware Workstation on Linux, enter the device name of the DVD drive (such as /dev/hdc). You can normally select the device name from the drop-down list for the Device field.

   Floppy Drive. This is the floppy drive on your host computer. The default is set to A: for a Windows computer. If you are running VMware Workstation on Linux, change the setting to the device for the floppy drive (such as /dev/fd0).


   Network Adapter. The default NAT network connection provides a VMware Workstation DHCP server for the SUSE LINUX Enterprise Server 9 server (which is configured to use DHCP). While you can select another setting (such as Bridged), these have not been tested and can cause problems completing the exercises. We recommend keeping the default NAT setting. With NAT the virtual server is not directly reachable from your real LAN, and scans and tests between the two virtual machines stay on the VMware network.

   The rest of the settings should work properly to provide you with the access you need to devices for USB, sound, and mouse control. If not, return to this dialog to make the necessary adjustments to the settings.

3. When you finish reviewing the virtual server configuration, save any changes and close the dialog by selecting OK.

   During the exercises, you use Ctrl + Alt to access features such as terminal consoles. VMware Workstation also uses this hot key combination to switch you out of the virtual server to the host machine.

4. To change the VMware hot key configuration, select Edit > Preferences. A Preferences dialog appears.

5. Select the Hot keys tab; then select the Ctrl-Shift-Alt option. Once you start the SUSE LINUX Enterprise Server 9 VMware server, you can press Ctrl + Shift + Alt to access the host machine, including the VMware Workstation menu options.

6. Save the change by selecting OK.


Start the SUSE LINUX Enterprise Server 9 VMware Server

Do the following:

1. Start the SUSE LINUX Enterprise Server 9 VMware server by selecting the Power On button (or select Start this virtual machine). The SUSE LINUX Enterprise Server 9 server starts booting.

2. (conditional) If you cannot see the entire SUSE LINUX Enterprise Server 9 window on your monitor, select the VMware Workstation full screen mode.

3. After the SUSE LINUX Enterprise Server 9 services have started, a blank screen is displayed while the X Window GUI interface is loaded. Depending on the amount of memory allocated to the virtual server, loading the GUI interface can take almost a minute.

4. The VMware Tools package enhances the graphics resolution and color depth capabilities of your virtual server. This package is already installed in the SUSE LINUX Enterprise Server 9 VMware image on the Self-Study Server DVD. No action is needed on your part to install it.

5. Click in the virtual server window to switch keyboard and mouse functionality from the host computer to the virtual server.

You are ready to start Exercise 2-2 Change PAM Configuration to Disable Graphical Root Login. (Exercise 2-1 Install SLES 9 with a Customized Partition Scheme is not needed if you use the VMware image as above.)


VMware Workstation Tips

Although we rely on your experience with VMware Workstation to complete the exercises in a virtual server environment, the following tips can help you when using the SUSE LINUX Enterprise Server 9 virtual server:

- If you cannot use the keyboard to enter text, try selecting the virtual server window with the mouse or try pressing Shift + Tab.
- If you need to switch keyboard and mouse focus from the virtual server to the host computer, press Ctrl + Shift + Alt; then select the virtual window again to switch focus back.
- If you want to save a copy of the SUSE LINUX Enterprise Server 9 virtual server before continuing with an exercise or the next exercise, use the Snapshot feature (VM > Snapshot > Take Snapshot). A snapshot taken before an exercise that changes system configuration (such as the PAM or packet filter exercises) lets you return to a known-good state if a change locks you out.
- Before powering off the SUSE LINUX Enterprise Server 9 virtual server, make sure you shut down the server cleanly to avoid any problems caused by an unclean shutdown.

Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST

If you want to install the SUSE LINUX Enterprise Server 9 student server on an available computer, the 3058_Course_CD includes an AutoYaST file (/setup/student.xml) that automatically configures SUSE LINUX Enterprise Server 9 for you during installation. All you need to do is swap CDs during the installation.

Installing SUSE LINUX Enterprise Server 9 with AutoYaST removes the existing operating system and all files on your hard drive. Before starting the installation, make sure you back up any important files you want to keep.


To install and configure SUSE LINUX Enterprise Server 9 on your computer with AutoYaST, do the following:

1. Check to make sure your computer meets the following hardware requirements:

   - A Pentium III or AMD 750 MHz or faster computer
   - 512 MB RAM (256 MB minimum)
   - 20 GB hard disk
   - CD-ROM drive

   Internet access is optional for completing the exercises.

2. Copy the file student.xml (on your 3058 Setup CD) to the root of a floppy diskette.

3. Boot the server from SUSE LINUX Enterprise Server 9 CD 1.

4. When the GRUB installation screen appears, highlight the Installation option. You have 20 seconds to highlight the option before GRUB boots from the hard drive.

5. Set the display resolution by pressing F2; then select a display resolution of at least 1024x768. If a resolution of 1024x768 is not available, select the highest resolution available (such as 640x480).

6. Insert the floppy diskette with the file student.xml into the server diskette drive.

7. In the Boot Options field (bottom of the screen), type the following:

   autoyast=floppy:///student.xml

   Make sure you enter 3 forward slashes (///) or the installation program will not be able to find the file student.xml.

8. When you are ready to begin installation, press Enter.


   The kernel loads and the SUSE LINUX Enterprise Server 9 installation program detects the available hardware. A Novell Software License Agreement dialog appears. YaST takes care of accepting this agreement and of all other dialogs during installation.

9. At certain points, YaST requests a particular SUSE LINUX Enterprise Server 9 installation CD. Insert the requested SUSE LINUX Enterprise Server 9 CD; then continue by selecting OK. Continue swapping CDs as indicated by the YaST installation program.

   The installation screen keeps you updated on the installation progress (time remaining and percentage completed). After copying files from the CDs, YaST performs tasks such as updating the configuration, copying files to the installed system, installing the boot manager, and preparing for an initial system boot. When these tasks are completed, YaST reboots the system.

10. Remove the student.xml diskette and the last SUSE LINUX Enterprise Server 9 CD from the computer drives, and then wait for the system to boot. After the system automatically reboots and finishes configuring, a GUI login screen appears.

11. Log in as geeko with a password of N0v3ll (a zero, not an uppercase O).


Scenario

The Digital Airlines management has decided to secure access from the local networks to the Internet with firewalls consisting of packet filters and application-level gateways. The Digital Airlines offices will be connected using a VPN based on IPSec. To implement the various components of this network topology, you need additional experience in the following areas:

- System administration with a strong focus on security
- Using cryptography to secure network services
- Setting up packet filters
- Setting up application-level gateways
- Connecting networks using VPN technology

You decide to set up test servers in the lab to enhance your skills in these areas.


SECTION 2

Host Security

In this section of the workbook, you learn how to do the following:

- Install SLES 9 with a Customized Partition Scheme (2-2)
- Change PAM Configuration to Disable Graphical Root Login (2-6)
- Subscribe to the SUSE Security Announcements (2-8)
- Use nmap to Scan for Open Ports (2-9)
- Run a nessus Scan (2-10)


Exercise 2-1

Install SLES 9 with a Customized Partition Scheme

Before you start to work on this exercise, think about which partitioning scheme makes sense for which server purpose.

The purpose of this exercise is to show how security can be improved by selecting an appropriate partitioning scheme for the hard disk. Keeping directories such as /var, /tmp and /home on their own filesystems means that a log, spool or user directory filling up cannot exhaust the root filesystem, and each filesystem can later be mounted with options suited to its contents (for example, nosuid and nodev where no setuid binaries or device nodes belong). During the exercises of this section, you will install the SLES 9 server you will be using during the rest of the course. As this exercise assumes you are familiar with the installation of SLES 9 in general, not every single step is described.

To partition the hard disk, do the following:

1. Turn on your machine and insert SLES 9 CD 1 in the CD-ROM drive.

2. Select Installation in the installation menu.

3. Follow the installation workflow until the Installation Settings screen appears. Remove any partitions from the hard drive by doing the following:

   a. Select Partitioning.
   b. Select Create custom partition setup; then select Next.
   c. Select Custom Partitioning -- for experts; then select Next.
   d. Remove any existing partitions by selecting the device /dev/hda; then select Delete. A dialog appears asking if you really want to delete all the partitions on /dev/hda.
   e. Confirm the deletion by selecting Yes. All partitions are removed from the list.


4. Create new partitions according to the partitioning scheme outlined by the instructor. If you are a self-study student, you can use the following scheme:

   swap   1 GB
   /      3 GB
   /usr   3 GB
   /opt   3 GB
   /var   2 GB
   /tmp   2 GB
   /home  1 GB
   /srv   rest of the hard disk

   The sizes will vary depending on the disk space available and the purpose of the server. The following is the basic procedure to create partitions in the expert partitioner:

   1. Select Create.
   2. Choose Primary Partition or Extended Partition. (You can create the first three partitions as primary partitions. Then you need to create one extended partition. In this extended partition you can then create further logical partitions.)
   3. Select the Format check box and choose a filesystem. Select Swap for the swap partition and Reiser for all other partitions.
   4. Adjust the End Cylinder value. Type for example +3GB for a 3 GB partition.
   5. Select a mount point for the partition according to your partitioning scheme. You don't have to select a mount point for the swap partition.
   6. Select OK, and start again with step 1 for the next partition.


5. When you have created all partitions, close the Expert Partitioner and return to the Installation Settings overview.

6. In the Installation Settings overview window, select Software.

   a. Select Minimum graphical system (without KDE) and then Detailed selection.
   b. If you prefer to use a desktop environment, select KDE or GNOME.
   c. Select Analyzing Tools, as you will be using several of these during the course.
   d. Select Accept.

7. If an Automatic Changes dialog pops up, select Continue.

   Note: You will install further packages during this course to perform the exercises.

8. Once all settings have been made in the Installation Settings dialog, select Accept and then Yes, install. Software installation takes some time.

9. Proceed with the installation:

   - There is no need to create a CA at this point, as this will be done later in the course. Therefore, select Skip configuration at this point.
   - Do not activate LDAP; use local authentication.
   - When prompted for the root password, select Expert Options and choose the encryption type Blowfish. Use novell as the root password for the purpose of this course.
   - Create a user geeko with the password N0v3ll.
   - Unless the instructor tells you otherwise, use DHCP in the networking setup; the domain name is digitalairlines.com; use 10.0.0.254 as the default gateway.


When done with the installation, log in to the graphical user interface as geeko.
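As an added example (it is not part of the Novell workbook), the following shell script shows what the separate partitions from step 4 buy you once the system is installed: it checks an fstab for mount options that can only be applied when /tmp, /var, /home and /srv are filesystems of their own. The fstab text embedded in the script is constructed to match the scheme above, and the option policy (nosuid and nodev on /var, /home and /srv, plus noexec on /tmp) is this example's own choice, not something the workbook prescribes. To check a real server, pass the contents of /etc/fstab to check_fstab instead of the sample.

```sh
#!/bin/sh
# Added example, not from the Novell workbook. FSTAB_SAMPLE is constructed
# to match the workbook's scheme; the option policy is this example's own.

FSTAB_SAMPLE='/dev/hda1  swap      swap      defaults                       0 0
/dev/hda2  /         reiserfs  acl,user_xattr                 1 1
/dev/hda3  /usr      reiserfs  acl,user_xattr                 1 2
/dev/hda5  /opt      reiserfs  acl,user_xattr                 1 2
/dev/hda6  /var      reiserfs  acl,user_xattr,nosuid,nodev    1 2
/dev/hda7  /tmp      reiserfs  acl,user_xattr                 1 2
/dev/hda8  /home     reiserfs  acl,user_xattr,nosuid,nodev    1 2
/dev/hda9  /srv      reiserfs  acl,user_xattr,nosuid,nodev    1 2
proc       /proc     proc      defaults                       0 0'

# Policy (this example's assumption): options each mount point must carry.
# nosuid: setuid bits are ignored; nodev: device nodes are not honoured;
# noexec: binaries cannot be executed from the filesystem.
required_options() {
    case "$1" in
        /tmp)            echo "nosuid nodev noexec" ;;
        /var|/home|/srv) echo "nosuid nodev" ;;
        *)               echo "" ;;
    esac
}

# Print the mount options of the fstab entry for a mount point (empty if
# the mount point has no entry, i.e. it is not a separate filesystem).
fstab_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# Report every policy violation, one per line:
#   "<mountpoint> not a separate filesystem"  or  "<mountpoint> missing <option>"
check_fstab() {
    for mp in /tmp /var /home /srv; do
        opts=$(fstab_options "$1" "$mp")
        if [ -z "$opts" ]; then
            printf '%s not a separate filesystem\n' "$mp"
            continue
        fi
        for want in $(required_options "$mp"); do
            case ",$opts," in
                *",$want,"*) ;;
                *) printf '%s missing %s\n' "$mp" "$want" ;;
            esac
        done
    done
}

# Run against the constructed sample; for a real system pass "$(cat /etc/fstab)".
check_fstab "$FSTAB_SAMPLE"
```

On the sample, the script reports the three options missing from /tmp and nothing else. noexec on /tmp is the option most likely to cause trouble: some package scriptlets and installers unpack helpers into /tmp and execute them, so test it with the software you intend to install before enforcing it.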
(End of Exercise)


Exercise 2-2

Change PAM Configuration to Disable Graphical Root Login

In this exercise, you change the PAM configuration by doing the following:

1. Log out of the KDE desktop environment.

2. When the KDM login screen appears, log in with the following:

   Username: root
   Password: novell

   Notice that you can log in as root even though root is not offered as an entry in the login screen.

3. Log out again from the KDE desktop environment.

4. Log in as geeko with a password of N0v3ll.

5. Open a terminal window and su to root.

6. Open the file /etc/pam.d/xdm in a text editor.

7. Add the following as the second line of the file:

   auth required pam_securetty.so

   pam_securetty rejects root unless the terminal name PAM was given is listed in /etc/securetty. For a KDM session that name is the X display (such as :0), which is not listed there, so root is denied. Logins by other users are unaffected, and root can still be reached with su from a terminal window.

8. Save and close the file.

9. Log out and try to log in as root at the KDM login screen again. The root login is denied.

10. Log in as geeko again.

    If you cannot log in as geeko, restart the X server by pressing Ctrl + Alt + Backspace and try again. You might also need to reboot your server.

11. Open a terminal window and su to root.


12. Open the file /etc/pam.d/xdm in a text editor and remove or comment out the following line (the line you added):

    auth required pam_securetty.so

13. Save and close the file.

14. Log out and try to log in as root at the KDM login screen again. You can now log in as root.

    If you cannot log in as root, restart the X server using Ctrl + Alt + Backspace and try again.

15. Log out of the KDE desktop environment and log back in as geeko.
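The edit from steps 7 and 12, as an added example that is not part of the workbook: a shell script that inserts the pam_securetty line idempotently (running it twice does not add it twice), removes it again, and checks the result. It operates on whatever file path you pass it; the /etc/pam.d/xdm stack it writes with make_sample_xdm is a constructed stand-in, not a copy of the SLES 9 file. Try the functions on a copy of the real file first, and keep a root shell open while you test, for the same reason step 10 warns about getting locked out.

```sh
#!/bin/sh
# Added example, not from the Novell workbook. Assumption: the PAM stack
# written by make_sample_xdm is a constructed stand-in for /etc/pam.d/xdm.

SECURETTY_LINE='auth     required       pam_securetty.so'

# Succeeds if the file already carries an active pam_securetty auth line.
has_securetty() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_securetty\.so' "$1"
}

# Insert the line as the second line (after the #%PAM-1.0 header), unless
# it is already present. A 'required' module that fails makes the whole
# auth stack fail, so its position only matters for readability.
disable_root_x_login() {
    f="$1"
    has_securetty "$f" && return 0
    tmp="$f.tmp.$$"
    {
        sed -n '1p' "$f"
        printf '%s\n' "$SECURETTY_LINE"
        sed -n '2,$p' "$f"
    } > "$tmp" && mv "$tmp" "$f"
}

# Revert: drop the pam_securetty line again (steps 12-13 of the exercise).
enable_root_x_login() {
    f="$1"
    tmp="$f.tmp.$$"
    grep -Ev '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_securetty\.so' "$f" > "$tmp" || :
    mv "$tmp" "$f"
}

# Write a constructed sample that resembles the SLES 9 xdm stack.
make_sample_xdm() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth     required       pam_unix2.so    nullok
account  required       pam_unix2.so
password required       pam_pwcheck.so  nullok
password required       pam_unix2.so    nullok use_first_pass use_authtok
session  required       pam_unix2.so    none
session  required       pam_limits.so
EOF
}

# Number of lines in a file, as a plain number, for checks.
line_count() {
    wc -l < "$1" | tr -d ' '
}
```

To apply it to the live file, run disable_root_x_login /etc/pam.d/xdm as root and then repeat step 9; enable_root_x_login /etc/pam.d/xdm is the reversal in step 12.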
(End of Exercise)


Exercise 2-3

Subscribe to the SUSE Security Announcements

In this exercise, you subscribe to the SUSE security mailing list. This means that Novell/SUSE will inform you by email about current security issues in SUSE Linux products. If you don't want to receive these messages, skip this exercise.

Do the following:

1. From the KDE start menu, select Internet > Web Browser.

2. In the address bar of the browser, enter the following:

   http://www.suse.com/en/business/mailinglists.html

3. Scroll down to the entry suse-security-announce; then select the check box for that entry.

4. Scroll down to the bottom of that page. In the E-mail Address field, enter your email address.

5. Subscribe to the list by selecting OK.

6. Close the web browser window.
(End of Exercise)


Exercise 2-4

Use nmap to Scan for Open Ports

The purpose of this exercise is to familiarize you with nmap and port scans. You will work with another student in this exercise.

Do the following:

1. Open a terminal window and sux - to root with a password of novell.
2. Perform a TCP connect scan on the computer of your partner by entering the following command:

   nmap -sT <host_of_partner>

   Compare the result with the output of netstat -patune on his or her computer. A connect scan completes the full TCP handshake with every port it probes, so it lists exactly the ports a normal client on the network could connect to; services bound only to 127.0.0.1 show up in netstat but not in the scan.
3. Start Ethereal by typing ethereal.
4. Select Capture > Start.
5. Select OK.
6. Let your partner scan your computer with nmap.
7. Select Stop in the Ethereal capture dialog.
8. Have a look at the packet list in Ethereal. Can you identify the packets nmap used for the port scan? For every open port you should find a complete three-way handshake (SYN, SYN/ACK, ACK) followed by the connection being closed; for a closed port only the SYN and the RST that answers it.

(End of Exercise)
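The comparison asked for in step 2, as an added shell example that is not part of the workbook: it extracts the open ports from nmap -sT output and the TCP listeners from netstat -patune output and reports the listeners the scan did not see. The two outputs embedded below are constructed samples in the format of those tools; on a real system, capture the real output into the two variables instead.

```sh
#!/bin/sh
# Added example, not part of the workbook: which netstat listeners did the
# partner's "nmap -sT" actually see? Both outputs below are constructed
# samples; replace them with real output of "nmap -sT" and "netstat -patune".

NMAP_OUT='Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
Interesting ports on da10.digitalairlines.com (10.0.0.10):
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind'

NETSTAT_OUT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          5123       1234/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          5321       1300/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          5400       1350/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          5500       1400/httpd2-prefork
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          5600       1450/cupsd'

# nmap_open_ports NMAP_OUTPUT -> port numbers nmap reports as open, one per line
nmap_open_ports() {
    printf '%s\n' "$1" | awk '$2 == "open" { split($1, a, "/"); print a[1] }' | sort -n
}

# netstat_listeners NETSTAT_OUTPUT -> "port bind-address program" per TCP listener
netstat_listeners() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print port, addr, $NF }'
}

# unseen_listeners NMAP_OUTPUT NETSTAT_OUTPUT -> listeners absent from the scan.
# Anything bound to 127.0.0.1 is expected here; anything else means a packet
# filter or wrapper hid the port from the scanner, or the scan was incomplete.
unseen_listeners() {
    open=$(nmap_open_ports "$1")
    netstat_listeners "$2" | while read -r port addr prog; do
        if ! printf '%s\n' "$open" | grep -qx "$port"; then
            echo "$port $addr $prog"
        fi
    done
}

unseen_listeners "$NMAP_OUT" "$NETSTAT_OUT"
```

With the constructed data the only unseen listeners are postfix on 127.0.0.1:25 and cupsd on 127.0.0.1:631, both loopback-only, so scan and netstat agree. A port that is listening on 0.0.0.0 but missing from the scan is the interesting case.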


Exercise 2-5

Run a nessus Scan

The purpose of this exercise is to show you how to set up nessusd and the nessus client to scan hosts in the network. You will work with a partner.

Do the following:

1. Open a terminal window and sux - to root with a password of novell.
2. Create a certificate for nessusd and add a user who may access nessusd by entering:

   nessus-mkcert
   nessus-adduser

   Answer any questions appropriately. Use geeko as the user to add. When prompted to enter rules within the adduser script, press Ctrl+D without entering any rules. (An empty rule set lets this user scan any target; on a production scanner you would restrict the account to its own networks with rules such as accept 10.0.0.0/24 followed by default deny.)
3. Start nessusd by entering:

   rcnessusd start
4. Start the user interface by entering nessus.
5. Log in as geeko with the password you provided within the script.
6. Enter the IP address of your partner's computer as the target host and scan it.
7. View the report by selecting the entries shown in the report window.

(End of Exercise)


S E C T I O N 3

Cryptography: Basics and Practical Application

In this section of the workbook, you learn how to do the following:

Create a CA and Certificates on the Command Line on 3-2
(optional) Create a Root CA and Certificates Using YaST on 3-5
(optional) Work with GPG on 3-6


Exercise 3-1

Create a CA and Certificates on the Command Line

The certificates created in this exercise are used later in the Network Security section of this course. Complete the exercise successfully and do not delete the certificates after the exercise.

The purpose of this exercise is to familiarize you with the openssl command. The certificates created in this exercise can be used in an exercise in the next section.

Do the following:

1. Open a terminal window and su - to root with a password of novell.
2. Create the necessary directory structure in root's home directory (using your hostname instead of DAxx) and change the permissions of the private directory, which will hold the CA key:

   mkdir -p DAxx-CA/{certs,newcerts,private,crl}
   cd DAxx-CA
   chmod 700 private
3. Edit the file /etc/ssl/openssl.cnf with a text editor and change the variables and company entries appropriately, such as /root/DAxx-CA for dir and Digitalairlines as the company. The directory name must match the one you created in step 2 exactly; otherwise openssl ca cannot find index.txt and serial.


The following is the example for the system da10. Adjust the settings to your environment.

   # This definition stops the following lines choking if HOME isn't
   # defined.
   HOME = .
   ...
   dir             = /root/DA10-CA                 # Where everything is kept
   certs           = $dir/certs                    # Where the issued certs are kept
   crl_dir         = $dir/crl                      # Where the issued crl are kept
   database        = $dir/index.txt                # database index file.
   unique_subject  = yes                           # Set to 'no' to allow creation of
                                                   # several certificates with same
                                                   # subject.
   new_certs_dir   = $dir/newcerts                 # default place for new certs.

   certificate     = $dir/da10-cacert.pem          # The CA certificate
   serial          = $dir/serial                   # The current serial number
   #crlnumber      = $dir/crlnumber                # the current crl number
                                                   # must be commented out to leave a
                                                   # V1 CRL
   crl             = $dir/crl.pem                  # The current CRL
   private_key     = $dir/private/da10-cakey.pem   # The private key
   RANDFILE        = $dir/private/.rand            # private random number file
   ...
   [ req_distinguished_name ]
   countryName                     = Country Name (2 letter code)
   countryName_default             = de
   countryName_min                 = 2
   countryName_max                 = 2

   stateOrProvinceName             = State or Province Name (full name)
   stateOrProvinceName_default     = Bavaria

   localityName                    = Locality Name (eg, city)
   localityName_default            = Munich
   ...

4. To create the self-signed root certificate of your CA, enter

   openssl req -newkey rsa:2048 -x509 -days 3650 \
     -keyout private/daxx-cakey.pem -out daxx-cacert.pem

   Answer the questions. You are asked for a passphrase for the CA key; you need it again for every openssl ca command that signs or revokes a certificate. The file names must match the certificate and private_key entries you put in openssl.cnf.


5. To view the certificate, enter

   openssl x509 -in daxx-cacert.pem -text
6. To create the files index.txt and serial, enter

   touch index.txt ; echo 01 > serial
7. To create a certificate signing request for your machine, enter

   openssl req -new -keyout private/daxx_prv_key.pem \
     -out certs/daxx_req.pem -days 365

   Answer the questions.
8. To sign the certificate signing request and create the certificate, enter

   openssl ca -policy policy_anything -notext \
     -out certs/daxxcert.pem -infiles certs/daxx_req.pem

   The sequence of -out and -infiles is important: everything after -infiles is taken as an input file name, so if -infiles comes first you get a not too helpful error message.
9. View the files index.txt and serial with cat. index.txt now holds one line starting with V (valid) for the certificate you just issued, and serial has been incremented to 02.
10. Repeat steps 7 to 9 to create another certificate for server.digitalairlines.com.
11. To revoke the certificate just created and create a certificate revocation list, enter

    openssl ca -revoke certs/servercert.pem
    openssl ca -gencrl -out crl/daxx-crl.pem
12. View the files index.txt and serial with cat. The entry for the revoked certificate now starts with R and carries the revocation date. The certificate file itself is unchanged; revocation only has an effect on applications that fetch and check the CRL.

(End of Exercise)


Exercise 3-2

(optional) Create a Root CA and Certificates Using YaST

The purpose of this exercise is to teach you how to manage a CA using YaST. Only a rough outline of the steps is given here.

Do the following:

1. Start a terminal window and sux - to root with a password of novell.
2. Start the YaST CA Management module by entering yast2 ca_mgm.
3. Select Create Root CA and follow the steps of the wizard to create a root CA. Use values of your choice to fill in the dialogs.
4. Enter the root CA you just created.
5. Export the CA certificate to a file.
6. Create a server certificate.
7. Export the server certificate.

(End of Exercise)


Exercise 3-3

(optional) Work with GPG

The purpose of this exercise is to familiarize you with some of the features of GPG and with how keys are managed to exchange encrypted mail. Work with a partner to exchange keys and exchange encrypted mails or files.

Do the following:

1. Open a terminal window and create a public/private GPG key pair by entering

   gpg --gen-key

   You have to answer several questions; the defaults will do for this exercise. When creating your personal key pair you might want to choose 2048 bits for the key length. Make sure that you remember the Real name you enter during the key creation process.
2. To export your public key to a file, enter

   gpg -a --export "Real Name" > name.asc

   Choose a reasonable name for the key file. Transfer this file to your partner using scp.
3. To import the public key of your partner, enter

   gpg --import partners_name.asc

   Before you encrypt anything to this key, compare its fingerprint with your partner directly (for example by reading it aloud); importing a key proves nothing about who owns it.
4. No mail service is set up in the course room, so you will encrypt and transfer a file instead of mailing it. Write a message to a file, such as

   echo Hello, how are you > textfile
5. To encrypt that file, enter

   gpg -ea textfile


   You are prompted to enter a user ID. The name that is part of the key will do, or use the hexadecimal ID of the key if there are several keys with the same name.
6. View the file textfile.asc using cat.
7. Transfer the file to your partner and get his or her encrypted file to your computer, using a descriptive filename to avoid overwriting each other's files.
8. To decrypt the file, enter

   gpg filename.asc ; cat filename

   To view the decrypted file directly on the screen, you can use

   gpg -o - filename.asc
9. Sign the file with

   gpg --clearsign textfile

   gpg asks whether it may overwrite textfile.asc, the encrypted file from step 5; answer yes.
10. Verify the signature with

    gpg textfile.asc
11. Load the file textfile.asc in vi and alter one letter of the message. Save the changes and close vi. Verify the signature again: gpg now reports a BAD signature, because the signature covers the exact text and any change to it invalidates the signature.

(End of Exercise)
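Steps 9 to 11 scripted against a throw-away keyring, added here as an example that is not the workbook's own code, so that the sign, verify, tamper, verify-again sequence can be repeated without touching ~/.gnupg. The key name and address are assumptions, and the key is created without a passphrase purely for the demo; GnuPG 2.1 or later is required for --quick-gen-key and --pinentry-mode.

```sh
#!/bin/sh
# Added example, not the workbook's own code: clearsign, verify, tamper,
# verify again, in a temporary GNUPGHOME. Key name/address are assumptions.
# Needs GnuPG 2.1 or later.

# make_demo_keyring -> prints the path of a fresh GNUPGHOME holding one
# passphrase-less signing key (a real key would of course have a passphrase)
make_demo_keyring() {
    home=$(mktemp -d)
    chmod 700 "$home"
    GNUPGHOME=$home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Geeko Test <geeko@example.com>" default default never >/dev/null 2>&1
    echo "$home"
}

# clearsign HOME FILE -> writes FILE.asc, like "gpg --clearsign textfile"
clearsign() {
    GNUPGHOME=$1 gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --clearsign "$2" >/dev/null 2>&1
}

# verify_sig HOME FILE.asc -> 0 for a good signature, non-zero otherwise
verify_sig() { GNUPGHOME=$1 gpg --batch --verify "$2" >/dev/null 2>&1; }

# tamper FILE.asc -> change one letter of the signed text, as step 11 does in vi
tamper() { sed -i 's/Hello/Hallo/' "$1"; }

# demo -> "good bad": the signature verifies before and fails after tampering
demo() {
    home=$(make_demo_keyring)
    work=$(mktemp -d)
    echo "Hello, how are you" > "$work/textfile"
    clearsign "$home" "$work/textfile"
    if verify_sig "$home" "$work/textfile.asc"; then before=good; else before=bad; fi
    tamper "$work/textfile.asc"
    if verify_sig "$home" "$work/textfile.asc"; then after=good; else after=bad; fi
    echo "$before $after"
}
```

Because the signed text stays readable inside the clearsigned block, the tampered file looks perfectly normal to the eye; only verify_sig exposes the change, which is the point of step 11.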


SECTION 4

Network Security

In this section of the workbook, you learn how to do the following:

Configure the TCP Wrapper on 4-2
Use stunnel to Secure POP3 with SSL on 4-5


Exercise 4-1

Configure the TCP Wrapper

In this exercise you work with a partner to practice configuring the TCP wrapper. The exercise consists of the following parts:

Part I: Secure the FTP Service
Part II: Configure a Twist
Part III: Configure Logging

Part I: Secure the FTP Service

In this part of the exercise, you secure the FTP service so that everyone in the classroom except your partner can access the FTP server on your system.

Do the following:

1. Use YaST to install the package vsftpd.
2. Open a terminal window and su to the root user.
3. Open the file /etc/xinetd.d/vsftpd with a text editor.
4. Make sure the line disable = yes starts with a # character, so that xinetd offers the service. (xinetd consults /etc/hosts.allow and /etc/hosts.deny itself, which is why the vsftpd entries below take effect without a separate tcpd in the service definition.)
5. Save and close the file.
6. Restart xinetd with the command rcxinetd restart.
7. Open the file /etc/hosts.deny in a text editor.
8. Add the following to the end of the file:

   vsftpd : IP_of_partner
9. Save the file.
10. Have your partner attempt to ftp to your system.
11. Then have another student in the classroom attempt to ftp to your host.
12. The connection for your partner is closed. However, others can ftp to your server.


13. Place a comment character (#) in front of the line you just added to the file /etc/hosts.deny; then add the following line:

    ALL : ALL

    This refuses every service that consults the wrapper, sshd included, unless /etc/hosts.allow grants it. If you administer the machine over ssh, put an sshd entry into /etc/hosts.allow before you save this, or your next connection is locked out.
14. Save the file and close the editor.
15. Set the same security restriction by editing the file /etc/hosts.allow: open the file /etc/hosts.allow in a text editor.
16. Add the following to the end of the file:

    vsftpd : ALL EXCEPT IP_of_partner
17. Save and close the file.
18. Have your partner try to ftp to the system; then have another student in the classroom attempt to ftp to your host. The results should be the same as with the file hosts.deny.

Part II: Configure a Twist

In this part of the exercise you configure the TCP wrapper to execute another program instead of the respective daemon.

Do the following:

1. Open a terminal window and su to the root user.
2. Edit the ALL : ALL line in /etc/hosts.deny to reflect the following:

   ALL : ALL : twist (echo "This service is not accessible from %a!")
3. Save and close the file.
4. Have your partner try to ftp to the system to verify that the message is sent.


Part III: Configure Logging

In this part of the exercise you configure logging, using the spawn feature of the TCP wrapper.

Do the following:

1. Open a terminal window and su to the root user.
2. At the bottom of the file /etc/hosts.allow, change the vsftpd line to reflect the following (on one line):

   vsftpd : ALL EXCEPT IP_of_partner : spawn (echo "%a accessed %s" >> /tmp/service-access.log)

   Unlike twist, spawn runs the command in the background and then hands the connection to the daemon as usual, so the client notices nothing. The spawned command runs with the privileges of the wrapper (root under xinetd), so keep it simple.
3. Save and close the file.
4. Have someone in the class besides your partner attempt to ftp to the system to verify that the entry is logged.
5. Verify that all of the activity to the services under xinetd has been logged in /var/log/xinetd.log by entering cat /var/log/xinetd.log.

(End of Exercise)
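A small evaluator for the hosts.allow / hosts.deny semantics used throughout this exercise, added as an example and not part of the workbook. It answers "will this client be admitted to this daemon?" by the same rule order the wrapper applies (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise the connection is granted), and understands daemon lists, ALL, EXCEPT and exact or network-prefix client patterns; the shell command fields (twist, spawn) are ignored. The two access files and the client addresses below are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the workbook: predict the TCP wrapper decision
# for (daemon, client) from hosts.allow and hosts.deny. Handles ALL, EXCEPT,
# exact addresses and "10.0.0." style prefixes; option fields are ignored.
# The access files created below are constructed for the demo.

# match_item PATTERN VALUE -> 0 if VALUE matches PATTERN (ALL, exact, or prefix ending in ".")
match_item() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# match_list "LIST" VALUE -> evaluates "a, b EXCEPT c, d" style lists
match_list() {
    list=$(echo "$1" | sed 's/,/ /g'); value=$2
    included=$(echo "$list" | sed 's/ EXCEPT .*//')
    excluded=$(echo "$list" | sed -n 's/.* EXCEPT //p')
    hit=1
    for p in $included; do match_item "$p" "$value" && hit=0; done
    [ $hit -eq 0 ] || return 1
    for p in $excluded; do match_item "$p" "$value" && return 1; done
    return 0
}

# file_matches FILE DAEMON CLIENT -> 0 if any rule in FILE matches both
file_matches() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
    | while IFS=: read -r daemons clients rest; do
        match_list "$daemons" "$2" && match_list "$clients" "$3" && echo match
    done | grep -q match
}

# wrapper_decision DAEMON CLIENT ALLOWFILE DENYFILE -> "granted" or "refused"
wrapper_decision() {
    if file_matches "$3" "$1" "$2"; then echo granted
    elif file_matches "$4" "$1" "$2"; then echo refused
    else echo granted
    fi
}

# Constructed access files mirroring the end state of Parts I to III,
# plus an sshd entry so that the ALL : ALL in hosts.deny does not lock out ssh
WRAP_DEMO=$(mktemp -d)
cat > "$WRAP_DEMO/hosts.allow" <<'EOF'
# everyone except the partner (10.0.0.20), logged via spawn
vsftpd : ALL EXCEPT 10.0.0.20 : spawn (echo "%a accessed %s" >> /tmp/service-access.log)
sshd : 10.0.0.
EOF
cat > "$WRAP_DEMO/hosts.deny" <<'EOF'
ALL : ALL : twist (echo "This service is not accessible from %a!")
EOF
```

Try wrapper_decision vsftpd 10.0.0.30 "$WRAP_DEMO/hosts.allow" "$WRAP_DEMO/hosts.deny" (granted) against the partner's address 10.0.0.20 (refused), and sshd from outside the classroom network (refused by the catch-all). Running this before asking a partner to test saves a round trip, and it makes the lock-out risk of ALL : ALL visible: remove the sshd line and every ssh client is refused.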


Exercise 4-2

Use stunnel to Secure POP3 with SSL

The purpose of this exercise is to practice securing a service with stunnel.

Do the following:

1. Open a terminal window and sux - to root using a password of novell.
2. Install the packages stunnel and qpopper by entering

   yast -i stunnel qpopper

   and inserting the appropriate CD when requested.
3. Use a certificate and its corresponding private key created in the exercise Create a CA and Certificates on the Command Line on 3-2 or in the exercise (optional) Create a Root CA and Certificates Using YaST on 3-5. You can either

   Use the certificate and private key created for your computer with openssl on the command line. In this case you need to create a copy of the private key that is not secured with a passphrase, so that stunnel can start unattended:

   openssl rsa < private/daxx_prv_key.pem \
     > private/daxx_prv_key-unenc.pem

   Copy the certificate (certs/daxxcert.pem, as created in step 8 of Exercise 3-1) and the unencrypted private key into one file:

   cat certs/daxxcert.pem \
     private/daxx_prv_key-unenc.pem \
     >> /etc/stunnel/stunnel.pem

   The unencrypted copy in private/ is protected only by the mode 700 on that directory; do not move it anywhere less restrictive. Also copy the root CA certificate to the directory /tmp.

   or

   Use the certificate and private key created for your computer in the YaST CA Management module.


   Export it to /etc/stunnel/stunnel.pem, selecting Certificate and Key Unencrypted in PEM Format in the Export dialog. Also export the root CA certificate and save it in the directory /tmp.
4. Limit access to the file /etc/stunnel/stunnel.pem by entering

   chmod 600 /etc/stunnel/stunnel.pem

   The file contains the unencrypted private key; anyone who can read it can impersonate your POP server.
5. Using vi, modify the configuration of stunnel in the file /etc/stunnel/stunnel.conf to reflect the following entries (some lines need a comment symbol #, some need the comment symbol deleted, and other lines need to be added by you; you have to look through the file to find the lines):

   #chroot = /var/lib/stunnel/
   #setuid = stunnel
   #setgid = nogroup
   ...
   [pop3s]
   accept = 995
   # connect = 110
   exec = /usr/sbin/popper
   execargs = popper -s

   chroot, setuid and setgid are disabled here only because stunnel starts popper itself (exec) and popper needs root to reach the users' mailboxes. Where stunnel merely forwards to a daemon that already listens on a port (connect = 110), leave the three lines active so that stunnel drops its privileges.
6. Start stunnel by entering rcstunnel start. If there are any error messages, correct your configuration accordingly.
7. Test your POP server by configuring a mail program of your choice to pick up mail of a local account (such as geeko) from port 995 on your own machine. Make sure that you use the full hostname (daxx.digitalairlines.com) in the POP server field, not just localhost.


   When finished with the configuration, actually try to pick up mail. You should see an error message that the server certificate failed the authenticity test: the mail program does not yet know the CA that issued it. Do not accept the certificate at this point but select cancel (or whatever your mail program offers at this point).
8. Import the CA certificate into your application. How this is done depends on your mail program. If you use KMail, you do that by starting Konqueror and selecting Settings > Configure Konqueror > Crypto > SSL Signers tab > Import. Change directory to /tmp and choose the CA certificate suitable for the stunnel certificate, either the OpenSSL or the YaST one.
9. Connect again to your mailbox with your mail program. You should not get the same error message again, since the certificate can now be validated by the mail program. You might get a message that the certificate does not belong to the server if the common name in the certificate differs from the host name you contacted. In this case create a new certificate with the correct name rather than accepting the mismatch: a certificate for the wrong name is exactly what a man-in-the-middle would present, so accepting it defeats the purpose of checking the certificate at all.

(End of Exercise)
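Steps 3 to 5 as shell functions, added here as an example that is not the workbook's own code, together with the check the exercise skips: that the certificate and the key glued into stunnel.pem actually belong together. A mismatch otherwise shows up only as a failed TLS handshake at step 7. The self-signed certificate made in demo() stands in for the one from Exercise 3-1; its name and the passphrase secret are assumptions.

```sh
#!/bin/sh
# Added example, not the workbook's own code: build /etc/stunnel/stunnel.pem
# from certificate + passphrase-free key, verify the pair matches, write the
# [pop3s] fragment. The certificate created in demo() is a stand-in.

# strip_passphrase IN OUT PASS -> unencrypted copy of an RSA key (step 3)
strip_passphrase() { openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null; }

# keys_match CERT KEY -> 0 when the public key in CERT is the one in KEY
keys_match() {
    a=$(openssl x509 -in "$1" -noout -modulus | md5sum)
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | md5sum)
    [ "$a" = "$b" ]
}

# build_stunnel_pem CERT KEY OUT -> certificate followed by key, mode 0600 (step 4)
build_stunnel_pem() {
    keys_match "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    ( umask 077; cat "$1" "$2" > "$3" )
    chmod 600 "$3"
}

# write_pop3s_conf OUT PEM -> the stunnel.conf fragment of step 5
write_pop3s_conf() {
    cat > "$1" <<EOF
cert = $2
; chroot, setuid and setgid stay off only because popper is started via exec
[pop3s]
accept = 995
exec = /usr/sbin/popper
execargs = popper -s
EOF
}

# demo -> prints the mode of the assembled stunnel.pem ("600"); returns 1 if
# a key that does not belong to the certificate was accepted
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=da10.digitalairlines.com" \
        -passout pass:secret -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    strip_passphrase "$dir/key.pem" "$dir/key-unenc.pem" secret
    build_stunnel_pem "$dir/cert.pem" "$dir/key-unenc.pem" "$dir/stunnel.pem" || return 1
    write_pop3s_conf "$dir/stunnel.conf" "$dir/stunnel.pem"
    openssl genrsa -out "$dir/other.pem" 2048 2>/dev/null      # an unrelated key
    if build_stunnel_pem "$dir/cert.pem" "$dir/other.pem" "$dir/bad.pem" 2>/dev/null; then
        return 1
    fi
    stat -c %a "$dir/stunnel.pem"
}
```

Once stunnel is running you can check the handshake without a mail client: openssl s_client -connect daxx.digitalairlines.com:995 -CAfile /tmp/<ca-certificate> should report Verify return code: 0 (ok) and then show the +OK greeting of popper.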


SECTION 6

Packet Filters

In this section of the workbook, you learn how to do the following:

Get Familiar with Basic iptables Syntax on 6-2
Modify the Script to Set and Delete iptables Rules on 6-15


Exercise 6-1

Get Familiar with Basic iptables Syntax

In this exercise the computer that is used for testing should not have any iptables rules set. Otherwise the results also depend on the settings of this testing computer.

The purpose of this exercise is to familiarize you with the iptables syntax and to show the effect of some iptables rules. In the first part, you use iptables on the command line only. Because rules defined on the command line are lost with the next reboot, the rules that make up the packet filter should be included in a shell script that is executed during system startup. Part II and the subsequent parts of this exercise deal with writing such a script to set and delete rules.

There is no single right way to write such a script. Keep it as simple as possible so you don't inadvertently open security holes. Use comments within the script liberally so you can still understand it when you have to modify it later. The exercise will not cover every single step but will outline what needs to be done to create a working script.

Work with a partner in this exercise. You will have to coordinate with each other regarding setting and testing of rules. If you both set rules at the same time and then test them, the test might not produce the expected result, as the rules on the testing computer might interfere with the test.

This exercise consists of:

Part I: Set iptables Rules on the Command Line
Part II: Prepare a Structure for a Script
Part III: Define General Variables
Part IV: Create a Section to Delete Any Existing Rules
Part V: Create a Section to Display the Current Rule Set
Part VI: Add Static Rules


Part I: Set iptables Rules on the Command Line

The purpose of the first part of this exercise is to show you how iptables is used and the effect the commands have.

Do the following:

1. Open a terminal window and su - to root with a password of novell.
2. Check if there are any rules set already by entering

   iptables -v -L -n
3. If there are any rules in the INPUT, OUTPUT, or FORWARD chain, delete them by entering

   iptables -F
4. Set a rule blocking all ICMP packets to your computer coming from other computers by entering

   iptables -A INPUT -i eth0 -p icmp -j DROP

   (This is only an example. Blocking all ICMP messages is generally not advisable; path MTU discovery and error reporting depend on ICMP.)
5. Have your partner test this rule by sending an echo request (ping) to your computer.
6. Try to send an echo request to your partner's computer.
7. Delete the rule you set in Step 4 by entering

   iptables -D INPUT -i eth0 -p icmp -j DROP
8. Set a rule blocking all ICMP packets from your computer to other computers by entering

   iptables -A OUTPUT -o eth0 -p icmp -j DROP
9. Have your partner test this rule by sending an echo request (ping) to your computer.


10. Try to send an echo request to your partner's computer. (You will notice a slightly different output of the ping command compared to Step 6 above: in Step 6 your requests left the machine and only the replies were dropped, so ping simply waited; now the kernel refuses to send at all and ping reports an error for every packet.)
11. Delete the rule you set in Step 8 by entering

    iptables -D OUTPUT -o eth0 -p icmp -j DROP
12. Set a rule blocking all ICMP packets in the FORWARD chain by entering

    iptables -A FORWARD -p icmp -j DROP

    If there is only one NIC in your computer you cannot test this rule. However, you can test whether this rule affects traffic to and from your computer (which it shouldn't, since the FORWARD chain only sees packets routed through the host) by asking your partner to ping your computer and by sending an echo request to your partner's computer.
13. Flush your rules by entering

    iptables -F
14. Find out what happens when you use ssh to connect to your partner's ssh port by entering

    ssh geeko@partner_IP

    When prompted, enter the password N0v3ll. After you have successfully logged in, log out again by pressing Ctrl-D.
15. Create an iptables rule that drops TCP packets addressed to port 22 (SSH) by entering

    iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
16. After your partner sets the rule on his or her computer, try again to log in to your partner's computer and notice the difference from the results in Step 14.
17. Change the rule from Step 15 to use REJECT as its target instead of DROP.


    You can either delete the rule and create a new one, or replace the rule (the first rule in the INPUT chain) by entering

    iptables -R INPUT 1 -i eth0 -p tcp --dport 22 -j REJECT
18. View the current ruleset by entering

    iptables -v -L -n
19. After your partner sets the rule on his or her computer, try again to ssh to your partner's computer and find out if there is any difference to before. If yes, why is that?
20. Change the rule from Step 17 once more to reject with a TCP reset instead of the ICMP message port unreachable by entering (on one line)

    iptables -R INPUT 1 -i eth0 -p tcp --dport 22 -j REJECT --reject-with tcp-reset
21. View the current ruleset by entering

    iptables -v -L -n
22. After your partner sets the rule on his or her computer, again connect to your partner's computer using ssh and find out if there is any difference to before.
23. Flush your ruleset by entering

    iptables -F

Part II: Prepare a Structure for a Script

This exercise will take quite some time. If you do not have some experience with shell scripts, you will have difficulty doing this exercise.

Because any packet filter rules set with iptables are lost with the next reboot, it is common practice to write a script to set them. In addition to setting the rules (start), such a script should allow you to delete the rules (stop) and to show the currently active rules (status). It should also allow integration into the runlevel concept.


The file /etc/init.d/skeleton gives an outline of how such a script could be structured. The purpose of this and the following parts of this exercise is to show you the basic elements of such a script to set up and delete iptables rules.

Do the following:

1. Open a terminal window and su - to root with a password of novell.
2. Change directory to /etc/init.d/.
3. Copy the file skeleton to fw-script.
4. Change the permissions so that the script can be executed by entering

   chmod 744 /etc/init.d/fw-script
5. Open the file fw-script in a text editor.
6. Keep the sections on init info and the case sections start, stop, status, and *. Delete the comments and sections you do not need.


Your result could look similar to the following:

   #! /bin/sh
   #
   # /etc/init.d/fw-script and its symbolic link
   # /(usr/)sbin/rcfw-script
   #
   ### BEGIN INIT INFO
   # Provides:          packetfilter
   # Required-Start:    $syslog $network
   # Required-Stop:     $syslog $network
   # Default-Start:     3 5
   # Default-Stop:      0 1 2 6
   # Short-Description: Sets packet filter rules
   # Description:       Sets packet filter rules
   ### END INIT INFO
   #
   . /etc/rc.status

   # Reset status of this service
   rc_reset

   case "$1" in
       start|restart|reload)
           echo -n "Starting Firewall "
           # Remember status and be verbose
           rc_status -v
           ;;
       stop)
           echo -n "Shutting down Firewall "
           # Remember status and be verbose
           rc_status -v
           ;;
       status)
           echo "Current Firewall-rules "
           rc_status -v
           ;;
       *)
           echo "Usage: $0 {start|stop|status|restart|reload}"
           exit 1
           ;;
   esac
   rc_exit


(A template similar to the above can be found on the student CD in the directory for this section.)

Part III: Define General Variables

The use of variables makes it easier to maintain the script.

Do the following:

1. Within the start section, define the following variables:

   EXT_IF=eth0
   EXT_IP=<your_IP>
   INT_IF=
   INT_IP=

   Because the computers in the classroom might have only one NIC, this exercise is limited to defining rules for the INPUT and OUTPUT chains. The variables INT_IF and INT_IP can be used for a second NIC and rules for the FORWARD chain. You can also define variables for the IP address of the nameserver and other computers. Using variables facilitates later changes, as you only have to change the variable at one point, not the IP within various rules.
2. Also in the start section, set kernel parameters like

   # echo 1 > /proc/sys/net/ipv4/ip_forward
   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
   echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
   # Protect from ICMP redirect packets:
   for f in /proc/sys/net/ipv4/conf/*/accept_redirects
   do
       echo 0 > $f
   done
   # Block source routed packets
   for f in /proc/sys/net/ipv4/conf/*/accept_source_route
   do
       echo 0 > $f
   done
   ...

   (If you don't want to type this, have a look at the files on the student CD.)

   ip_forward stays commented out on purpose: with a single NIC this host does not route, and leaving forwarding off is what keeps the FORWARD chain out of the picture. Enable it only on a machine that is meant to route between two interfaces.

   To see a brief explanation of these and other parameters, start the YaST Powertweak module and select the Networking options. The above values can also be set within the Powertweak module instead of this script.
3. Add comments to your definition of variables and kernel parameter settings.


Part IV: Create a Section to Delete Any Existing Rules

This makes sure that you can delete any rules you set. Go to the stop section within the case statement and add iptables commands to delete any existing rules:

1. Add an informative message to be displayed when the script is called with the stop parameter.
2. Set the policy of the built-in chains to ACCEPT by typing

   iptables -P INPUT ACCEPT
   iptables -P OUTPUT ACCEPT
   iptables -P FORWARD ACCEPT

   Do this before flushing. If the rules are flushed while the policy is still DROP, nothing is accepted until the policy commands run; should the script abort in between, you are left with empty chains and a DROP policy, which blocks everything.
3. Flush the chains by typing

   iptables -F
   iptables -t nat -F
4. Delete any user-defined chains by typing

   iptables -X
5. You can also reset the kernel parameters to previous settings in the stop section as needed.

Part V: Create a Section to Display the Current Rule Set

Viewing the current rule set helps in debugging.

Do the following:

1. Go to the status section within the case statement to add iptables commands to display the currently active rules.
2. Add the following lines to the status section:

   iptables -v -n -L
   iptables -v -n -t nat -L POSTROUTING
   iptables -v -n -t nat -L PREROUTING

   The -v option adds packet and byte counters per rule, which is the quickest way to see whether a rule is being hit at all while you test.


Part VI: Add Static Rules

Now the main part: the rules themselves. To add static rules, do the following:

1. Go to the start section within the case statement to add your rules with iptables commands.
2. Set the default policy to DROP by typing

   iptables -P INPUT DROP
   iptables -P FORWARD DROP
   iptables -P OUTPUT DROP

   From this point until the ACCEPT rules below are in place the host talks to nobody, so run the script from the console (or over a connection you can afford to lose) while you develop it.
3. Flush existing rules and delete existing user-defined chains by typing

   iptables -F
   iptables -t nat -F
   iptables -X

   If you do not flush the rules in the beginning, each call of the script with the parameter start adds the rules again to the chain.
4. Allow all traffic from and to the loopback interface by typing

   iptables -A OUTPUT -o lo -j ACCEPT
   iptables -A INPUT -i lo -j ACCEPT
5. Define rules to allow others to access the ssh server on your computer by typing

   iptables -A INPUT -p TCP -i $EXT_IF --dport 22 \
     -j ACCEPT
   iptables -A OUTPUT -p TCP -o $EXT_IF --sport 22 \
     -j ACCEPT
6. (Optional) Limit the above INPUT rule to a destination IP address as well as certain source IP addresses and source ports.
7. Add a rule that logs packets that are dropped in the INPUT chain by typing

   iptables -A INPUT -j LOG --log-prefix "INPUT-DROP "

   Because it is appended after the ACCEPT rules and has no match of its own, every packet that reaches it is one that nothing accepted. LOG does not terminate processing: the packet continues to the next rule and finally to the DROP policy.
8. Add a rule that rejects TCP packets instead of having them dropped by the default policy of the chain by typing

   iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
9. Start your script by entering in a terminal window (as root)

   /etc/init.d/fw-script start

   If there are any error messages, correct any mistakes in the syntax within your script.
10. Have your partner try to access your ssh daemon.

    If he or she cannot do so, it could be because there is something wrong with your rules or because rules on his or her computer do not allow contacting another server (or both). Find out what the problem is by looking at /var/log/messages with less or tail -f on both computers. It is actually a good idea to have a separate terminal window with tail -f /var/log/messages constantly open while testing the rules. If it turns out that your partner's rules forbid contacting your computer, have your partner call the script with the parameter stop and try again. Correct any errors in your own script.
11. Test if your script actually blocks traffic to other services. Start the Apache web server with rcapache2 start and have your partner try to access your computer with a browser. You should see log entries for dropped packets in /var/log/messages.


12. If your partner asked you whether you could reach his or her ssh daemon and you tried with the current rules active, you would notice that your current rules do not allow you to do that. Define rules that allow you to contact the ssh daemon on other computers by entering

   iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 \
       -j ACCEPT
   iptables -A OUTPUT -p TCP -o $EXT_IF --dport 22 \
       -j ACCEPT

   Why should you add ! --syn?

   ! --syn prevents other computers from establishing a TCP connection from port 22: the first packet of a TCP handshake originating at port 22 (the one with only the SYN flag set) is discarded by this rule, while the answer packets of a connection you initiated yourself are accepted.

13. Add another rule set like the one in Step 12 allowing you to contact web servers (port 80) on other computers.

14. Add a rule that logs packets that are dropped in the OUTPUT chain by entering

   iptables -A OUTPUT -j LOG --log-prefix \
       OUTPUT-DROP

15. Activate your rules by entering

   /etc/init.d/fw-script start

   (your current rules will be replaced by the new ones).

16. Try to contact the sshd on your partner's computer.

17. Try to contact a web server.

18. Try to ping your partner's computer and watch the log file.

19. Have your partner turn off his or her rules and then ping you. Watch your log file.

20. Add rules allowing incoming and outgoing ICMP messages.

21. Restart your script. Ping your partner's computer and have your partner ping yours.

22. Add comments to describe what your rules are supposed to do.

(End of Exercise)
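The complete start/stop/status script that the steps of this exercise build up, as an added example (it is not the workbook's own listing). It assumes the script name /etc/init.d/fw-script and the variable EXT_IF from the exercise; the interface name eth0 is an assumed default, and the DRY_RUN=1 switch is an addition that prints the iptables commands instead of executing them, so the rule order can be reviewed without root.

```shell
#!/bin/sh
# /etc/init.d/fw-script (name assumed from the exercise): static rules.
# DRY_RUN=1 (an addition for this example) prints each iptables command
# instead of executing it, so the rule order can be reviewed without root.
EXT_IF="${EXT_IF:-eth0}"        # assumed default for the external interface

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

fw_flush() {
    # Flush first; otherwise every "start" appends the same rules again.
    ipt -F
    ipt -t nat -F
    ipt -X
}

fw_start() {
    # Default policy DROP: anything not explicitly accepted below is discarded.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    fw_flush

    # Loopback traffic (Step 4).
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT  -i lo -j ACCEPT

    # Others may reach our sshd (Step 5).
    ipt -A INPUT  -p tcp -i "$EXT_IF" --dport 22 -j ACCEPT
    ipt -A OUTPUT -p tcp -o "$EXT_IF" --sport 22 -j ACCEPT

    # We may reach sshd and web servers elsewhere (Steps 12 and 13).
    # "! --syn" accepts everything from port 22/80 except a bare SYN, so a
    # peer cannot open a connection to us *from* its port 22 or 80; replies
    # to connections we opened are never SYN-only and pass.
    for port in 22 80; do
        ipt -A INPUT  -p tcp -i "$EXT_IF" ! --syn --sport "$port" -j ACCEPT
        ipt -A OUTPUT -p tcp -o "$EXT_IF" --dport "$port" -j ACCEPT
    done

    # ICMP in both directions (Step 20), so ping works.
    ipt -A INPUT  -p icmp -j ACCEPT
    ipt -A OUTPUT -p icmp -j ACCEPT

    # Log whatever is left, then reset TCP instead of leaving the peer to
    # time out; everything else falls through to the DROP policy
    # (Steps 7, 8 and 14). LOG does not stop rule processing.
    ipt -A INPUT  -j LOG --log-prefix "INPUT-DROP "
    ipt -A INPUT  -p tcp -j REJECT --reject-with tcp-reset
    ipt -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP "
}

fw_stop() {
    # Remove all rules and open the policies again.
    fw_flush
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
}

fw_status() {
    ipt -v -n -L
    ipt -v -n -t nat -L POSTROUTING
    ipt -v -n -t nat -L PREROUTING
}

fw_main() {
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop; fw_start ;;
        status)  fw_status ;;
        *)       echo "Usage: $0 {start|stop|restart|status}" >&2; return 1 ;;
    esac
}

# Dispatch only when called with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then
    fw_main "$@"
fi
```

Run DRY_RUN=1 /etc/init.d/fw-script start first and read the command list top to bottom: the policies must come before the flush, every ACCEPT before the LOG and REJECT rules, and the two LOG rules last in their chains. Only then run it as root without DRY_RUN.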


Exercise 6-2

Modify the Script to Set and Delete iptables Rules

The script developed in the last exercise uses static filtering rules only. In this exercise you will modify the script to include dynamic filtering rules and you will create and use a user-defined chain.

Part I: Use Stateful Packet Filtering
Part II: User-Defined Chains
Part III: (optional) View the SuSEfirewall2 Configuration and Script

Part I: Use Stateful Packet Filtering

The state module helps to simplify the script and thus make it less error-prone, and it adds stateful inspection to the computer. To replace the rules defined so far for TCP connections, do the following:

1. Put a comment sign in front of those six rules (two each for ssh in, ssh out, and www).

2. Define rules for the second and all subsequent packets of a connection using the connection tracking module:

   # INPUT-Chain
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   # OUTPUT-Chain
   iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

3. Define a rule allowing the first packet of a connection to the ssh daemon on your computer by entering

   iptables -A INPUT -i $EXT_IF -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT

   --syn matches only packets with the SYN flag set and the ACK, RST and FIN flags cleared, so together with --state NEW this rule accepts nothing but a genuine connection request.

4. Set the new rules by entering

   /etc/init.d/fw-script start

   Have your partner access the ssh daemon on your computer. Watch the log file.

5. View the entries tracking the connections in the /proc file system by entering

   cat /proc/net/ip_conntrack

6. Add rules that allow you to access the sshd and web servers on other computers. Test this, and also test the access to the web server running on your computer to see if it is still blocked as intended.

7. Add useful comments to your script.

Part II: User-Defined Chains

User-defined chains can help reduce the number of rules packets have to run through before a hit, or make the script easier to understand (or both). The user-defined chain has to exist before any rule uses the chain as a target. Therefore, these rules should appear in the script above the rules for the built-in chains. In this part, you will set up a user-defined chain for UDP packets. You may have noticed that the script so far does not allow any name resolution.


Do the following:

1. Locate an appropriate point in the script to insert the lines and create the chain udp-rules by typing

   iptables -N udp-rules

2. Create a rule for a packet querying a nameserver by entering (on one line)

   iptables -A udp-rules -o $EXT_IF -p udp --dport 53 -m state --state NEW -j ACCEPT

   (There is no need for a rule for the answer packets because they are covered by the rule from Part I for second and subsequent packets.)

   Under certain circumstances (for example, when an answer does not fit into one UDP datagram) name resolution falls back to TCP. Therefore, a similar rule is needed for TCP port 53.

3. Packets that do not match any of the rules in the user-defined chain continue down the built-in chain they came from. This is not what is intended here; therefore, insert a rule to log packets and another to reject them by entering

   iptables -A udp-rules -j LOG --log-prefix REJECT-udp
   iptables -A udp-rules -j REJECT

   Because this last rule matches all packets, none return to the previous chain.

4. The rule that sends all UDP packets from the OUTPUT chain to the user-defined chain has to be inserted after the general rule for second and subsequent packets, as otherwise the answers to the UDP packets your computer sends out would be discarded. Add this rule at the appropriate point in the script by typing

   iptables -A OUTPUT -p udp -j udp-rules

   If you want to allow incoming UDP traffic, a similar rule is needed for the INPUT chain. Within the user-defined chain you can distinguish incoming and outgoing traffic by the -i and -o options.

5. Set the rules by entering

   /etc/init.d/fw-script start

   Find out if name resolution is now functional.

6. (Optional) Create another user-defined chain that takes care of the logging. Instead of logging packets in built-in or other user-defined chains, send those packets to a separate user-defined chain to be logged and then dropped or rejected.

7. (Optional) Watch the log file for a while. You will see all kinds of entries for packets being rejected. Write rules allowing the IP traffic that is needed for proper computer operation.

8. (Optional) Have your partner test your filter rules with nmap from his or her computer.
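The stateful start section with the two user-defined chains of this exercise, as an added example that is not the workbook's listing: udp-rules from Steps 1 to 4, and a logging chain for Step 6 whose name log-reject is an assumption. It assumes EXT_IF from the exercise (eth0 as an assumed default) and a DRY_RUN=1 switch added for the example; check_order verifies over the generated command list that the chains are created before they are used and that the ESTABLISHED,RELATED rule precedes the jump to udp-rules, which is the requirement of Step 4.

```shell
#!/bin/sh
# Stateful start section for /etc/init.d/fw-script (name from the exercise)
# with the user-defined chains udp-rules and log-reject (the latter name is
# an assumption for the logging chain of Step 6). DRY_RUN=1 prints the
# iptables commands instead of running them.
EXT_IF="${EXT_IF:-eth0}"        # assumed default for the external interface

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

fw_start_stateful() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F
    ipt -t nat -F
    ipt -X                      # removes old user-defined chains; recreated below

    # User-defined chains must exist before any rule jumps to them.
    # log-reject: log, then reject; the final rule matches everything, so no
    # packet ever returns to the calling chain.
    ipt -N log-reject
    ipt -A log-reject -j LOG --log-prefix "REJECT "
    ipt -A log-reject -p tcp -j REJECT --reject-with tcp-reset
    ipt -A log-reject -j REJECT

    # udp-rules: the first packet of a UDP flow our host may send (DNS query).
    ipt -N udp-rules
    ipt -A udp-rules -o "$EXT_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A udp-rules -j log-reject

    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Second and subsequent packets of every tracked connection, both ways.
    # These two rules replace the six per-service rules of Exercise 6-1 and
    # must come before the jump to udp-rules, or DNS answers are rejected.
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # First packet of a connection: inbound only to our sshd; outbound to
    # ssh, DNS over TCP (the fallback mentioned in Step 2) and http.
    ipt -A INPUT -i "$EXT_IF" -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
    for port in 22 53 80; do
        ipt -A OUTPUT -o "$EXT_IF" -p tcp --syn --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -A OUTPUT -p udp -j udp-rules

    ipt -A INPUT  -p icmp -j ACCEPT
    ipt -A OUTPUT -p icmp -j ACCEPT

    # Everything else is logged and rejected via the shared chain.
    ipt -A INPUT  -j log-reject
    ipt -A OUTPUT -j log-reject
}

# Check over the generated command list that both chains are created before
# they are used and that the ESTABLISHED,RELATED rule of the OUTPUT chain
# precedes the jump to udp-rules (the requirement of Step 4).
check_order() {
    ( DRY_RUN=1; fw_start_stateful ) | awk '
        /-N udp-rules/                                   { new_udp = NR }
        /-N log-reject/                                  { new_log = NR }
        /-j udp-rules/  && !jump_udp                     { jump_udp = NR }
        /-j log-reject/ && !jump_log                     { jump_log = NR }
        /-A OUTPUT -m state --state ESTABLISHED,RELATED/ { est = NR }
        END {
            ok = new_udp && new_log && jump_udp && jump_log && est
            ok = ok && new_udp < jump_udp && new_log < jump_log && est < jump_udp
            exit ok ? 0 : 1
        }'
}

if [ "${1:-}" = start ]; then
    fw_start_stateful
fi
```

The rule in the OUTPUT chain that jumps to udp-rules is deliberately the last UDP-related rule: a DNS answer arriving for a query that connection tracking has seen is ESTABLISHED and is accepted two rules earlier, so udp-rules only ever sees the first packet of a flow.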

Part III: (optional) View the SuSEfirewall2 Configuration and Script

The purpose of this part is to show you a sophisticated setup and its complexity. Do the following:

1. View /etc/sysconfig/SuSEfirewall2 by using less.

2. View the script /sbin/SuSEfirewall2 by using less.


3. View the scripts /etc/init.d/SuSEfirewall2_* by using less.

(End of Exercise)

Exercise Answers

Exercise 6-1 Get Familiar with Basic iptables Syntax, Part VI: Add Static Rules on 6-11:

12. Why should you add ! --syn?

   The rule

   iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 \
       -j ACCEPT

   allows all TCP packets from port 22 except the first packet of a TCP connection, which has only the SYN bit set. ! --syn prevents TCP connections starting from port 22 of another computer. In this way it is possible for you to contact other SSH servers and to receive their answers, but it is not possible to initiate a connection from port 22 of another computer to your computer, as the first packet of the TCP handshake is discarded.


SECTION 7

Application-level Gateway

In this section of the workbook, you learn how to do the following:

Install and Configure Squid on 7-2
Configure SSL in Squid on 7-7
Configure Proxy Authentication on 7-10
Configure Content Filtering on 7-14
Analyze Squid Log File on 7-17
Use Dante on 7-19
Configure rinetd on 7-25


Exercise 7-1

Install and Configure Squid

Use Mozilla in all Squid exercises. Konqueror does not handle proxy authentication very well, which might lead to confusing error messages.

In this exercise you install and configure Squid and configure a web browser to test your Squid setup. For some parts of the exercise you will work with a partner. The exercise consists of the following parts:

Part I: Install Squid and Mozilla
Part II: Configure Squid
Part III: Configure Mozilla to Use the Proxy
Part IV: Monitor Access to Squid
Part V: Test Your Partner's Proxy

Part I: Install Squid and Mozilla

To install Squid, do the following:

1. Start YaST by selecting Start > System > YaST.

2. When prompted for the root password, enter novell; then select OK.

3. Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

4. In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

5. Enter squid in the Search field; then select Search.

6. On the right side, select the check box before the squid entry in the Results list.

7. In the Search field, enter mozilla; then select Search.


8. On the right side, select the check box before the mozilla entry in the Results list.

9. In the lower right corner of Package Manager, select Accept.

10. When YaST displays a dialog about package dependencies, select OK.

11. After all packages have been installed, close YaST by selecting Close.

Part II: Configure Squid

To configure Squid, do the following:

1. Open a terminal and su to the root user.

2. Open the file /etc/squid/squid.conf in a text editor.

3. Find the configuration tag http_port. Remove the # before the tag and set the value 8080 for the tag. The line should look like the following:

   http_port 8080

4. Look for the section where the acl tags are defined. Insert a new line after acl all src 0.0.0.0/0.0.0.0. The line should look like the following:

   acl local_net src 10.0.0.0/24

5. Look for the section where the http_access tags are defined.

6. After http_access allow localhost, insert a new line and enter

   http_access allow local_net

   Squid evaluates the http_access lines from top to bottom and the first line whose ACLs all match decides, so this line has to come before http_access deny all.


7. Save the file and close the text editor.

8. Start Squid by entering

   rcsquid start

9. Monitor the output of the start script. The output should end with

   Starting WWW-proxy squid                                   done

Part III: Configure Mozilla to Use the Proxy

To configure Mozilla to use the proxy, do the following:

1. Start Mozilla by selecting Start > Internet > Web Browser > Mozilla.

2. In Mozilla, select Edit > Preferences.

3. On the left side of the Configuration dialog, select Advanced > Proxies.

4. Select Manual Proxy Configuration.

5. In the HTTP Proxy and the SSL Proxy lines, enter the IP address of your system and the port number 8080.

6. Close the dialog by selecting OK.

7. Close the Mozilla preferences dialog by selecting OK.

8. In the address bar, enter http://www.novell.com/. The web site should be loaded.


Part IV: Monitor Access to Squid

To monitor access to Squid, do the following:

1. Make sure Mozilla is configured to use the proxy server as described in Part III.

2. Open a terminal and su - to the root user with the password of novell.

3. To view the content of the Squid log file, enter

   tail -f /var/log/squid/access.log

4. Press Enter a few times to insert some empty lines.

5. Open Mozilla by selecting Start > Internet > Web Browser > Mozilla.

6. In the address bar, enter http://www.novell.com/. Wait until the site is loaded.

7. Switch to the terminal window and look at the new entries that have been added to the log file. Every request made to the proxy server is logged in the log file.


Part V: Test Your Partner's Proxy

Use the instructions in Part III to configure Mozilla so that it uses your partner's proxy server. To test your partner's proxy, do the following:

1. Wait until your partner is looking at the Squid log file as described in Part IV of this exercise.

2. In the address bar of Mozilla, enter http://www.novell.com/.

3. Ask your partner if your access shows up in the log file.

4. Let your partner test your proxy.

(End of Exercise)


Exercise 7-2

Configure SSL in Squid

This exercise assumes that Squid has been configured as described in the previous exercise and that Mozilla is using the proxy server that is installed on your system for all protocols. The exercise consists of the following parts:

Part I: Test the Current SSL Configuration
Part II: Disable SSL in Your Squid Configuration
Part III: Test if SSL Is Disabled
Part IV: Re-Enable SSL in Squid

Part I: Test the Current SSL Configuration

To test the current SSL configuration, do the following:

1. Select Start > Internet > Web Browser > Mozilla.

2. In the address bar, enter http://www.novell.com.

3. On the Novell web site, select My Account in the top navigation. You are directed to the Novell Login screen.

4. Make sure that the site is loaded correctly and that the address in the address bar starts with https://.

5. When the site loads correctly, this is a sign that SSL can be used over your Squid proxy at the moment.


Part II: Disable SSL in Your Squid Configuration

Do the following:

1. Open a terminal window and su to the root user.

2. Open the file /etc/squid/squid.conf in a text editor.

3. Change the line

   http_access deny CONNECT !SSL_ports

   to

   http_access deny CONNECT

4. Save the file and close the text editor. The CONNECT method is now denied in general and not only for destination ports that are not listed in the SSL_ports ACL. Because browsers tunnel HTTPS through a proxy with CONNECT, this blocks all SSL traffic.

5. Reload Squid by entering

   rcsquid reload

Part III: Test if SSL Is Disabled

To test if SSL is disabled, do the following:

1. Open a Mozilla window by selecting Start > Internet > Web Browser > Mozilla.

2. In the address bar, enter http://www.novell.com.

3. When the site is loaded, select the My Account link in the top navigation bar. The access to the site should be denied now, since SSL is disabled in the proxy configuration.


Part IV: Re-Enable SSL in Squid

To re-enable SSL in Squid, do the following:

1. Open a terminal window and su to the root user.

2. Open the file /etc/squid/squid.conf with a text editor.

3. Change the line

   http_access deny CONNECT

   back to

   http_access deny CONNECT !SSL_ports

4. Save the file and close the text editor.

5. Reload Squid by entering

   rcsquid reload

6. Check if SSL works again by repeating all steps in Part III.

(End of Exercise)


Exercise 7-3

Configure Proxy Authentication

In this exercise you practice how to configure proxy authentication in Squid. To be able to work through this exercise, you need to have Squid and Mozilla configured as described in the previous exercises of this section. The exercise consists of the following parts:

Part I: Add a User to the Proxy System
Part II: Configure Basic Authentication
Part III: Test User Authentication
Part IV: Configure Digest Authentication

Part I: Add a User to the Proxy System

Do the following:

1. Select Start > System > YaST.

2. On the left side, select Security and Users.

3. On the right side, select Edit and Create Users.

4. Make sure that Users is selected.

5. Select Add.

6. Enter the following information:

   Full User Name: Peter Bear
   User Login: pbear
   Password: Novell
   Verify Password: Novell

7. Select Create.

8. When YaST notifies you about a weak password, confirm the dialog by selecting Yes.


9. Select Finish.

10. Select Close.

Part II: Configure Basic Authentication

Do the following:

1. Open a terminal window and su to the root user.

2. Open the file /etc/squid/squid.conf with a text editor.

3. Look for the auth_param section.

4. Change the file so that only the following auth_param lines are active:

   auth_param basic program /usr/sbin/pam_auth
   auth_param basic children 5
   auth_param basic realm Squid proxy-caching web server
   auth_param basic credentialsttl 2 hours

   With basic authentication the browser sends user name and password base64-encoded, that is, effectively in clear text, with every request. Anyone who can sniff the traffic between browser and proxy can read the system password of the user. Digest authentication (Part IV) avoids this.

5. Look for the acl section in the configuration file.

6. Add the following acl line after the acl called all:

   acl allowed_user proxy_auth pbear

7. Look for the http_access section in the configuration file.

8. Find the following two lines

   http_access allow localhost
   http_access allow local_net

   and add the new proxy_auth acl to those lines as in the following example:

   http_access allow localhost allowed_user
   http_access allow local_net allowed_user

   All ACLs on one http_access line have to match for the line to apply, so the IP address and the user name must both match to grant access to the proxy.

9. Save the file and close the text editor.


10. Restart Squid by entering

   rcsquid restart

Part III: Test User Authentication

Do the following:

1. Select Start > Internet > Web Browser > Mozilla.

2. Make sure your web browser is configured to use the proxy installed on your system.

3. In the address bar, enter http://www.novell.com. When the authentication works, a password dialog should pop up.

4. Enter the following information:

   User name: pbear
   Password: Novell

5. Confirm the password dialog by selecting OK. The Novell web site should be loaded.

Part IV: Configure Digest Authentication

Do the following:

1. Open a terminal window and su to the root user.

2. Create a file with the name proxy_passwd in the directory /etc/squid/.

3. Add the following line to the file:

   pbear:SUSE

   The file stores the password in clear text, which is why its owner and permissions are restricted in the next two steps.

4. Save the file and close the text editor.

5. Change the owner of the file by entering

   chown squid /etc/squid/proxy_passwd


6. Adjust the permissions of the file by entering

   chmod 600 /etc/squid/proxy_passwd

7. Open the file /etc/squid/squid.conf with a text editor.

8. Change the file so that only the following auth_param lines are active (the first one on a single line):

   auth_param digest program /usr/sbin/digest_pw_auth /etc/squid/proxy_passwd
   auth_param digest children 5
   auth_param digest realm Squid proxy-caching web server
   auth_param digest nonce_garbage_interval 5 minutes
   auth_param digest nonce_max_duration 30 minutes
   auth_param digest nonce_max_count 50

9. Save the file and close the text editor.

10. Restart Squid by entering

   rcsquid restart

11. Close all Mozilla browser windows.

12. Select Start > Internet > Web Browser > Mozilla to open a new Mozilla window.

13. In the address bar, enter http://www.novell.com. When the authentication works, a password dialog should open.

14. Enter the following information:

   User name: pbear
   Password: SUSE

15. Confirm the password dialog by selecting OK. The Novell web site should be loaded.

(End of Exercise)


Exercise 7-4

Configure Content Filtering

In this exercise you configure content filtering with Squid. The exercise assumes that you have already configured Squid on your system according to exercises 7-1 to 7-3. The exercise consists of the following parts:

Part I: Filter Content with url_regex
Part II: Install squidGuard
Part III: Configure squidGuard

Part I: Filter Content with url_regex

Do the following:

1. Open a terminal window and su to the root user.

2. Open the file /etc/squid/squid.conf with a text editor.

3. Scroll down to the acl section.

4. After the acl named all, insert the following line:

   acl bad_site url_regex -i example.com

   -i makes the match case-insensitive. Because url_regex is matched against the whole URL, this ACL also matches any URL that merely contains the string example.com, for example in its path or query string.

5. Look for the line

   http_access allow localhost allowed_user

   and add the following line before that line:

   http_access deny bad_site

   The deny line has to come first: if it were placed after the allow lines, a request from an authenticated user would already have been allowed by the time Squid reached it.

6. Save the file and close the text editor.

7. Reload Squid by entering

   rcsquid reload

8. Start Mozilla by selecting Start > Internet > Web Browser > Mozilla.

9. Make sure Mozilla uses your Squid installation as proxy server:

   a. In the address bar, enter http://www.example.com/.


   b. When the filter has been configured correctly, the access to the site should be denied.

Part II: Install squidGuard

To install squidGuard, do the following:

1. Start YaST by selecting Start > System > YaST.

2. When prompted for the root password, enter novell; then select OK.

3. Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

4. In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

5. Enter squidguard in the Search field; then select Search.

6. On the right side, select the check box before the squidGuard entry in the Results list.

7. In the lower right corner of Package Manager, select Accept.

8. When YaST displays a dialog about package dependencies, confirm this dialog.

9. After all packages have been installed, close YaST by selecting Close.

Part III: Configure squidGuard

To configure squidGuard, do the following:

1. Open a terminal and su to the root user.

2. Open the file /etc/squid/squid.conf in a text editor.

3. Look for the line TAG: redirect_program.

4. At the end of the tag description, insert the following line:


   redirect_program /usr/sbin/squidGuard

5. Save the file and close the text editor.

6. Rename the squidGuard default configuration by entering

   mv /etc/squidguard.conf /etc/squidguard.conf.original

7. Create a new file /etc/squidguard.conf with the following content:

   logdir /var/log/squidGuard
   dbhome /var/lib/squidGuard/db

   dest blacklist {
       domainlist blacklist/domains
       urllist    blacklist/urls
   }

   acl {
       default {
           pass !blacklist all
           redirect 302:http://www.novell.com/index.html
       }
   }

8. Add the domain hotmail.com to the squidGuard domain blacklist by entering (on one line)

   echo "hotmail.com" >> /var/lib/squidGuard/db/blacklist/domains

9. Enter

   rcsquid reload

10. Select Start > Internet > Web Browser > Mozilla.

11. Make sure Mozilla is configured to use your proxy server:

   a. In the address bar, enter http://www.hotmail.com.

   b. When squidGuard is configured correctly, you should be redirected to http://www.novell.com.

(End of Exercise)
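The http_access section as it stands after Exercises 7-1 to 7-4, gathered in one place with an ordering check and a first-match simulator, as an added example (it is neither the distribution's squid.conf nor code from the workbook). The fragment is trimmed to the ACLs the exercises touch plus the default localhost, SSL_ports and CONNECT ACLs of squid.conf. The function decide is given the names of the ACLs a request matches and prints the verdict of the first http_access line that applies, which is how Squid walks the list; check_http_access is the check a practitioner makes before reloading.

```shell
#!/bin/sh
# Consolidated http_access section from Exercises 7-1 to 7-4 (constructed for
# this example; trimmed to the ACLs the exercises use plus the default
# localhost, SSL_ports and CONNECT ACLs). Squid walks http_access lines from
# the top; the first line whose ACLs all match decides, and a request that
# mat ches no line gets the opposite of the last line, hence "deny all" last.
squid_conf_fragment() {
    cat <<'EOF'
http_port 8080
auth_param basic program /usr/sbin/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl local_net src 10.0.0.0/24
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl allowed_user proxy_auth pbear
acl bad_site url_regex -i example.com
http_access deny bad_site
http_access deny CONNECT !SSL_ports
http_access allow localhost allowed_user
http_access allow local_net allowed_user
http_access deny all
EOF
}

# Ordering lint: the last http_access line must be "deny all", and
# "deny CONNECT !SSL_ports" must precede the first allow line, otherwise an
# authenticated user could CONNECT to any port (SMTP on 25, for example).
check_http_access() {
    squid_conf_fragment | awk '
        $1 == "http_access" {
            n++; last = $0
            if ($2 == "allow" && !first_allow) first_allow = n
            if ($2 == "deny" && $3 == "CONNECT" && $4 == "!SSL_ports") deny_connect = n
        }
        END {
            if (last != "http_access deny all") exit 1
            if (!deny_connect || !first_allow || deny_connect > first_allow) exit 2
            exit 0
        }'
}

# First-match simulation. Arguments are the names of the ACLs a request
# matches (for example "local_net allowed_user CONNECT SSL_ports"); "all"
# is implied. Prints allow or deny from the first applicable line.
decide() {
    squid_conf_fragment | awk -v m=" $* all " '
        $1 == "http_access" {
            ok = 1
            for (i = 3; i <= NF; i++) {
                name = $i; neg = 0
                if (substr(name, 1, 1) == "!") { neg = 1; name = substr(name, 2) }
                hit = index(m, " " name " ") > 0
                if (hit == neg) { ok = 0; break }
            }
            if (ok) { print $2; exit }
        }'
}
```

decide local_net allowed_user CONNECT prints deny (the CONNECT line applies because the request is not on an SSL port), while decide local_net allowed_user CONNECT SSL_ports prints allow; a request that matches bad_site is denied before any authentication is considered, which is the point of inserting the deny line first.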


Exercise 7-5

Analyze Squid Log File

In this exercise you learn how to analyze the Squid log file. You must have completed the previous exercises so that your access.log contains some data. The exercise consists of the following parts:

Part I: Install calamaris
Part II: Run calamaris

Part I: Install calamaris

To install calamaris, do the following:

1. Start YaST by selecting Start > System > YaST.

2. When prompted for the root password, enter novell; then select OK.

3. Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

4. In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

5. Enter calamaris in the Search field; then select Search.

6. On the right side, select the check box before the calamaris entry in the Results list.

7. In the lower right corner of Package Manager, select Accept.

8. When YaST displays a dialog about package dependencies, confirm this dialog.

9. After all packages have been installed, close YaST by selecting Close.


Part II: Run calamaris

To run calamaris, do the following:

1. Open a terminal window and su to the root user.

2. Enter

   calamaris -d 10 /var/log/squid/access.log

3. Scroll up in the terminal window and review the report.

(End of Exercise)
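A few awk functions over Squid's native access.log format, as an added example that is not part of the workbook and does not depend on calamaris. The log lines are constructed for the example, not a real capture. What calamaris does not separate for you is the security view: policy denials (TCP_DENIED/403, the result of an http_access deny line) as opposed to the 407 challenge every authenticated session starts with, and CONNECT requests to ports other than 443, which is what the deny CONNECT !SSL_ports line exists to stop.

```shell
#!/bin/sh
# Field layout of Squid's native access.log:
#   1 timestamp  2 elapsed ms  3 client  4 result/status  5 bytes
#   6 method     7 URL         8 user    9 hierarchy/peer 10 content type
# The lines below are constructed for this example, not a real capture.
sample_log() {
    cat <<'EOF'
1113821765.123    345 10.0.0.5 TCP_MISS/200 12847 GET http://www.novell.com/ - DIRECT/130.57.4.27 text/html
1113821766.002      1 10.0.0.5 TCP_DENIED/407 1751 GET http://www.novell.com/ - NONE/- text/html
1113821770.450    210 10.0.0.5 TCP_MISS/200 9876 GET http://www.novell.com/products/ pbear DIRECT/130.57.4.27 text/html
1113821780.111      0 10.0.0.7 TCP_DENIED/403 1390 GET http://www.example.com/ pbear NONE/- text/html
1113821790.500    120 10.0.0.7 TCP_HIT/200 4321 GET http://www.novell.com/ pbear NONE/- text/html
1113821795.000    900 10.0.0.7 TCP_MISS/200 0 CONNECT login.novell.com:443 pbear DIRECT/130.57.4.70 -
1113821800.250      0 10.0.0.7 TCP_DENIED/403 1390 CONNECT mail.example.com:25 pbear NONE/- -
EOF
}

# Requests refused by an http_access deny line, per client. A 407 is only the
# proxy asking for credentials, so it is not counted as a denial.
denied_by_client() {
    awk '$4 == "TCP_DENIED/403" { n[$3]++ }
         END { for (c in n) print c, n[c] }' | sort
}

# Requests per authenticated user ("-" when no credentials were sent).
requests_per_user() {
    awk '{ n[$8]++ } END { for (u in n) print u, n[u] }' | sort
}

# CONNECT requests to ports other than 443: what "deny CONNECT !SSL_ports"
# is there to stop. Prints client, target and result.
connect_outside_443() {
    awk '$6 == "CONNECT" { split($7, h, ":"); if (h[2] != "443") print $3, $7, $4 }'
}

# Cache hit ratio in percent over successful (2xx) replies.
hit_ratio() {
    awk 'split($4, r, "/") && r[2] ~ /^2/ { total++; if (r[1] ~ /HIT/) hits++ }
         END { printf "%d\n", (total ? 100 * hits / total : 0) }'
}

# Typical use:  sample_log | denied_by_client
# On a real proxy:  denied_by_client < /var/log/squid/access.log
```

On the sample, denied_by_client reports two denials for 10.0.0.7, one of them a CONNECT to port 25 that connect_outside_443 lists separately; a burst of such lines from one client is worth a look even though the proxy blocked each request.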


Exercise 7-6

Use Dante

In this exercise you use Dante. The exercise consists of the following parts:

Part I: Install Dante
Part II: Configure the Dante Server
Part III: Configure Socksify and Test Your SOCKS Server
Part IV: Create a Test User
Part V: Configure and Test User Authentication

Part I: Install Dante

Do the following:

1. Start YaST by selecting Start > System > YaST.

2. When prompted for the root password, enter novell; then select OK.

3. Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

4. In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

5. Enter dante in the Search field; then select Search.

6. On the right side, select the check boxes by the dante and dante-server entries in the Results list.

7. Enter wget in the Search field; then select Search.

8. On the right side, make sure the check box by the wget entry is selected in the Results list.


   wget is not part of Dante, but you will use it in this exercise as a test application.

9. In the lower right corner of Package Manager, select Accept.

10. When YaST displays a dialog about package dependencies, confirm this dialog.

11. After all packages have been installed, close YaST by selecting Close.

Part II: Configure the Dante Server

Do the following:

1. Open a terminal and su - to the root user with the password of novell.

2. Rename the default sockd configuration file by entering

   mv /etc/sockd.conf /etc/sockd.conf.original

3. Create a new configuration file /etc/sockd.conf with the following content (replace your_ip_address with the IP address of your system):

   # Server configuration
   logoutput: /var/log/sockd.log
   internal: your_ip_address port = 1080
   external: your_ip_address
   method: none
   clientmethod: none
   user.privileged: root
   user.notprivileged: nobody

   # Client rules


   client pass {
       from: 10.0.0.0/24 port 1-65535 to: 0.0.0.0/0
       log: connect error
   }

   # SOCKS rules
   pass {
       from: 0.0.0.0/0 to: 0.0.0.0/0
       protocol: tcp udp
   }
   block {
       from: 0.0.0.0/0 to: 0.0.0.0/0
       log: connect error
   }

   The client rules decide who may connect to the SOCKS server at all (only the local network here); the SOCKS rules decide which destinations a connected client may ask for. Rules are evaluated in order and the first match wins, so with the pass rule as written the block rule is never reached; it becomes effective once you narrow the pass rule.

4. Save the file and start sockd with the command

   rcsockd start

5. Make sure that no error messages are displayed when sockd starts up. When the server starts successfully, only the following line should be displayed:

   Starting sockd / dante server                              done

6. If there are any error messages, go to the corresponding line in the configuration file and try to correct the error; then try to start sockd again.

Part III: Configure Socksify and Test Your SOCKS Server

Do the following:

1. Open a terminal window and su - to the root user with a password of novell.

2. Rename the default configuration file by entering

   mv /etc/socks.conf /etc/socks.conf.original


3. Create a new configuration file /etc/socks.conf with the following content:

    route {
            from: 0.0.0.0/0 to: 0.0.0.0/0 via: your_ip_address port = 1080
            protocol: tcp udp
            method: none
    }

4. Save the file.
5. Open the sockd log file by entering tail -f /var/log/sockd.log
6. Enter some empty lines by pressing Enter a few times.
7. Open another terminal window, but do not su to the root user.
8. Enter socksify wget www.novell.com

    The wget command should display that it was able to download the index.html file of www.novell.com.
9. Change to the other terminal window and check if a new line has been added to the log file. If sockd and socksify were configured correctly, the wget command should have created new lines in the logfile.

Part IV: Create a Test User

If you have already created the test user pbear in the exercise Configure Proxy Authentication, you can skip this part. To create a test user, do the following:

1. Select Start > System > YaST.
2. On the left side, select Security and Users.


3. On the right side, select Edit and Create Users.
4. Make sure that Users is selected.
5. Select Add.
6. Enter the following information:

    Full User Name: Peter Bear
    User Login: pbear
    Password: novell
    Verify Password: novell

7. Select Create.
8. When YaST notifies you about a weak password, confirm the dialog by selecting Yes.
9. Select Finish.
10. Select Close.

Part V: Configure and Test User Authentication

Do the following:

1. Open a terminal window and su - to the root user with a password of novell.
2. Open the file /etc/sockd.conf with a text editor.
3. In the general server section, change the line method: none to method: pam
4. In the SOCKS rule that starts with pass, insert the following two lines at the end of the rule:

    method: pam
    user: pbear


5. Save the file and close the text editor.
6. Restart sockd by entering rcsockd restart.
7. Open the file /etc/socks.conf in a text editor.
8. Change the method value in the rule to username.
9. The line should now look as follows:

    method: username

10. Save the file and close the text editor.
11. To set the SOCKS user name, enter

    export SOCKS_USERNAME=pbear

12. Enter

    socksify wget www.novell.com

    If everything was configured correctly, you should be prompted for the password of pbear.
13. Enter novell.

    wget should now download and save the file index.html.
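The following script is an added example; it is not from the workbook or from the Dante project. It audits a sockd.conf written in the format used in Parts II and V and reports, for every SOCKS pass rule, the effective authentication method and whether a user is required, which is what separates the open configuration of Part II from the PAM-protected one of Part V. The two sample configurations inside it are constructed from the steps above.

```shell
#!/bin/sh
# Added example for Exercise 7-6 (Parts II and V), not from the workbook or
# from Dante. audit_sockd_conf reads a sockd.conf in the format used above and
# reports, for every SOCKS "pass" rule, the effective authentication method and
# whether a user is required. Assumptions: the server section precedes the
# rules (as on this page) and only the first entry of a "method:" line counts.
audit_sockd_conf() {
    awk '
    BEGIN { server_method = "none"; depth = 0; n = 0 }
    # Drop comments and blank lines.
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }
    # Block start: only a bare "pass" rule can grant access; "client pass" and
    # "block" rules are tracked for nesting only.
    /\{/ {
        depth++
        block = $0; sub(/[ \t]*\{.*/, "", block); gsub(/^[ \t]+|[ \t]+$/, "", block)
        in_pass = (block == "pass"); method = ""; user = ""
        if (in_pass) n++
        next
    }
    # Block end: a rule without its own method inherits the server method;
    # access counts as authenticated only with a real method and a user.
    /\}/ {
        if (in_pass) {
            eff = (method != "") ? method : server_method
            auth = (eff != "none" && user != "") ? "yes" : "no"
            out[n] = sprintf("rule %d: method=%s user=%s auth=%s",
                             n, eff, (user == "" ? "-" : user), auth)
        }
        depth--; in_pass = 0
        next
    }
    depth == 0 && $1 == "method:" { server_method = $2 }
    depth > 0  && $1 == "method:" { method = $2 }
    depth > 0  && $1 == "user:"   { user = $2 }
    END {
        printf "server_method=%s\n", server_method
        for (i = 1; i <= n; i++) print out[i]
    }' "$@"
}

# Constructed sample: the SOCKS rules from Part II (no authentication).
SOCKD_CONF_OPEN='method: none
clientmethod: none
client pass {
        from: 10.0.0.0/24 port 1-65535 to: 0.0.0.0/0
        log: connect error
}
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        protocol: tcp udp
}
block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}'

# Constructed sample: the same rules after Part V (PAM, user pbear required).
SOCKD_CONF_PAM='method: pam
clientmethod: none
client pass {
        from: 10.0.0.0/24 port 1-65535 to: 0.0.0.0/0
}
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        protocol: tcp udp
        method: pam
        user: pbear
}
block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
}'

# Report on both samples, or on the files given on the command line.
if [ $# -gt 0 ]; then
    audit_sockd_conf "$@"
else
    printf '%s\n' "$SOCKD_CONF_OPEN" | audit_sockd_conf
    printf '%s\n' "$SOCKD_CONF_PAM" | audit_sockd_conf
fi
```

Run it against the real file with sh audit.sh /etc/sockd.conf after Part V; a pass rule reported with auth=no is one that any client matching the client rule can use without a password.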


(End of Exercise)


Exercise 7-7

Configure rinetd

In this exercise you learn how to configure rinetd. For this exercise, you work with a partner.

Unfortunately the logging of rinetd is not working correctly on SLES 9. All other functions of rinetd work all right.

The exercise consists of the following parts:

    Part I: Install Apache on System I
    Part II: Install and Configure rinetd on System II
    Part III: Test rinetd

Part I: Install Apache on System I

To install Apache on System I, do the following:

1. Start YaST by selecting Start > System > YaST.
2. When prompted for the root password, enter novell; then select OK.
3. Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.
4. In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.
5. Type apache in the Search field; then select Search.
6. On the right side, select the check box by apache2, apache2-prefork, and apache2-example-pages in the Results list.
7. In the lower right corner of Package Manager, select Accept.
8. When YaST displays a dialog about package dependencies, confirm this dialog.
9. After all packages have been installed, close YaST by selecting Close.


10. Open a terminal window and su - to the root user with a password of novell.
11. Enter rcapache start to start the Apache web server.
12. Close the terminal window.
13. Select Start > Internet > Web Browser.
14. In the address bar, enter http://localhost.

    The Apache test page should be displayed.

Part II: Install and Configure rinetd on System II

To install and configure rinetd on System II, do the following:

1. Start YaST by selecting Start > System > YaST.
2. When prompted for the root password, enter novell; then select OK.
3. Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.
4. In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.
5. Type rinetd in the Search field; then select Search.
6. On the right side, select the check box by rinetd in the Results list.
7. In the lower right corner of Package Manager, select Accept.
8. When YaST displays a dialog about package dependencies, confirm this dialog.
9. After all packages have been installed, close YaST by selecting Close.
10. Create a file /etc/rinetd.conf with the following content:


    system_II_ip_address 80 system_I_ip_address 80
    allow 10.0.0.*
    logfile /var/log/rinetd.log
    logcommon

11. Save the file and close the text editor.
12. Start rinetd by entering rcrinetd start.

Part III: Test rinetd

Perform this part of the exercise on both systems: yours and your partner's. To test rinetd, do the following:

1. Select Start > Internet > Web Browser.
2. In the address bar, enter http://ip_of_system_II.

    Although no web server is installed on System II, the Apache test page should be loaded because rinetd redirects the request to System I.

(End of Exercise)


SECTION 8

Virtual Private Networks

In this section of the workbook, you learn how to do the following:

    Establish a VPN Connection on 8-2
    (optional) Create a VPN Configuration Using YaST on 8-6
    (optional) Filter IPSec Traffic on 8-8


Exercise 8-1

Establish a VPN Connection

The purpose of this exercise is to familiarize you with the steps necessary to set up a VPN connection. Because the classroom computers might have only one NIC and therefore no network behind the gateway, you will set up an end-to-end connection with another student.

To establish a VPN connection, do the following:

1. Open a terminal window and sux - to root with a password of novell.
2. Install the freeswan packages by entering yast -i freeswan.
3. Create two certificates with corresponding private keys, one for your own and one for your partner's computer, as described in Exercise 3-1 Create a CA and Certificates on the Command Line on 3-2. You can use any certificates you created in that exercise, providing they fit the hostnames of the computers you will use in this exercise. Discuss with your partner whether you will use his or your CA and certificates. The exercise assumes you use yours.
4. Using scp, copy the certificate for your partner's computer, the corresponding private key, and the root CA certificate to the computer of your partner. He or she will have to copy them to their correct place as described in Step 5.
5. Copy the certificate of your own computer to /etc/ipsec.d/certs/ and the private key to /etc/ipsec.d/private/.


    If public and private key are in one file, copy the private key section to a separate file in /etc/ipsec.d/private/. Delete the private key from the certificate file and copy the certificate file to /etc/ipsec.d/certs/. Copy the RootCA certificate to /etc/ipsec.d/cacerts/.
6. Edit /etc/ipsec.secrets to include a line with the passphrase for your private key:

    : RSA /etc/ipsec.d/private/myPrivateKey.pem "passphrase"

7. Edit /etc/ipsec.conf to fit your and your partner's computers. The parameters leftsubnet and rightsubnet remain empty. Your and your partner's IP addresses are entered in left and right. As you are in the same network as your partner, you can set left/rightnexthop=%direct. leftid/rightid are taken from the respective certificates. Use auto=start within the connection specification.


Your connection specification should look similar to the following (no changes are needed in the other sections of /etc/ipsec.conf):

    # Direct connection between two computers
    conn da10-da20
        # Left security gateway, no subnet behind it, right in same subnet.
        leftsubnet=
        left=10.0.0.10
        leftnexthop=%direct
        # ID is the DN from the certificate, in one line
        leftid="C=US, O=Training, OU=IT, CN=da10.digitalairlines.com/emailAddress=root@da10.digitalairlines.com"
        leftcert=/etc/ipsec.d/certs/myCert.pem
        #leftrsasigkey=%cert # already part of defaults
        # Right security gateway, no subnet behind it, left in same subnet.
        rightnexthop=%direct
        right=10.0.0.20
        rightsubnet=
        # ID is the DN from the certificate, in one line
        rightid="C=US, O=Training, OU=IT, CN=da20.digitalairlines.com/emailAddress=root@da20.digitalairlines.com"
        #rightrsasigkey=%cert # already part of defaults
        # To start this connection at startup:
        auto=start

8. Open another terminal window and su - to root with a password of novell.
9. View the log file by entering tail -f /var/log/messages.
10. Start ipsec by entering rcipsec start.
11. View the log entries in the other terminal window.

    If there are any error messages, stop IPSec by entering rcipsec stop, correct your configuration, and try again.

    Note: On the computer that starts IPSec first there will be some error message about a refused connection. This does not indicate an error in the configuration.


12. Once IPSec starts correctly, you will see an entry in /var/log/messages that the security association has been successfully established (IPsec SA established {ESP=>0x...).
13. Open yet another terminal window and sux - to root with a password of novell.
14. Start tcpdump -i ethx -n (or use ethereal) to see the packets hitting your interface.
15. Ping your partner's computer from the first terminal window.

    You should see ICMP and ESP packets in the output of tcpdump.
16. (optional) Modify your configuration so that one of your computers acts as a road warrior and the other as a gateway accepting connections from road warriors.

    This is done by replacing right=ipaddress by right=%any and deleting the line with rightid on the computer that acts as the gateway (=left). No changes are needed on the road warrior side.
(End of Exercise)


Exercise 8-2

(optional) Create a VPN Configuration Using YaST

The purpose of this exercise is to familiarize you with the YaST VPN module and let you compare the configuration you created in the Exercise 8-1 Establish a VPN Connection on 8-2 with the one created by YaST. You work with your partner as in the previous exercise.

To create a VPN configuration using YaST, complete the following:

1. Open a terminal window and sux - to root with a password of novell.
2. Change directory to /etc.
3. Save a copy of your IPSec configuration by entering cp ipsec.conf ipsec.conf.manual
4. Open the file ipsec.conf in an editor and delete the connection description created in Exercise 8-1. Save the file and close the editor.
5. Start the YaST VPN module by entering yast2 ipsec &
6. Decide whether you will use your CA or that of your partner. Either give the needed files to your partner or get them from him or her.
7. Import the CA certificate and the certificate for your server after selecting Enable VPN Services in the VPN Configuration dialog.
8. Define the connection for a VPN connection between your computers. Open another terminal window and compare the resulting configuration in /etc/ipsec.conf with the one you created in Exercise 8-1 Establish a VPN Connection on 8-2, now saved as /etc/ipsec.conf.manual, using less.


9. View the log file /var/log/messages in a terminal window by entering tail -f /var/log/messages
10. Start IPSec by entering rcipsec start. View /var/log/messages for any errors. Correct your configuration as necessary.
11. Once the connection is established, start tcpdump in a terminal window and ping your partner's computer. You should see ESP packets to and from your computer.
(End of Exercise)


Exercise 8-3

(optional) Filter IPSec Traffic

The purpose of this exercise is to write rules affecting the traffic within an IPSec tunnel. To filter IPSec traffic, do the following:

1. Open a terminal window and sux - to root with a password of novell.
2. Make a copy of the script you created as part of Exercise 6-2 Modify the Script to Set and Delete iptables Rules on 6-15.
3. Modify this script to
    - Mark incoming ESP packets.
    - Accept incoming and outgoing ESP packets.
    - Accept incoming and outgoing UDP packets to and from port 500.
    - Accept incoming SSH packets only from within the tunnel.
    - Accept packets that belong to established connections.
4. Start the script and correct any errors.
5. Start the IPSec connection to your partner. Have him or her connect to your computer by using SSH. Ask another student to connect to your computer using SSH as well. (Only your partner should succeed.)
6. Modify your rules, this time using the policy module to achieve the same result.
7. Start and test the script again by repeating Step 4 and 5.
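The following script is an added example and is not the script from the workbook or from Exercise 6-2; it implements the rule set of Step 3 with the mark approach and the rule set of Step 6 with the policy match as shell functions. It assumes eth0 as the interface, 10.0.0.20 as the partner's address and sshd on TCP port 22 (all constructed), and prints the rules instead of applying them when IPT=echo is set.

```shell
#!/bin/sh
# Added example for Exercise 8-3; it is not part of the workbook. It sets
# the iptables rules the exercise asks for in two variants: marking ESP
# packets (Steps 3 and 4) and the policy match (Step 6).
# Constructed assumptions: eth0 faces the network, the partner's IPSec
# endpoint is 10.0.0.20 and sshd listens on TCP 22. Set IPT=echo to print
# the rules instead of applying them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
PEER="${PEER:-10.0.0.20}"
ESP_MARK=1

# Start from empty chains with a DROP policy; loopback stays open.
flush_rules() {
    $IPT -t mangle -F
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

# Shared by both variants: IKE (UDP 500) and ESP to and from the partner,
# plus packets that belong to an established connection.
base_rules() {
    $IPT -A INPUT  -i "$EXT_IF" -p udp -s "$PEER" --sport 500 --dport 500 -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p udp -d "$PEER" --sport 500 --dport 500 -j ACCEPT
    $IPT -A INPUT  -i "$EXT_IF" -p esp -s "$PEER" -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p esp -d "$PEER" -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Variant 1 (Steps 3 and 4): mark the ESP packet in mangle/PREROUTING.
# After decryption the inner packet traverses PREROUTING and INPUT again
# and still carries the mark, so "-m mark" means "came through the
# tunnel". A plaintext SSH SYN never gets the mark and hits the DROP
# policy.
mark_rules() {
    flush_rules
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" -p esp -j MARK --set-mark "$ESP_MARK"
    base_rules
    $IPT -A INPUT -m mark --mark "$ESP_MARK" -p tcp --dport 22 -j ACCEPT
}

# Variant 2 (Step 6): the policy match asks the kernel whether the packet
# arrived through an IPsec SA, so no mark is needed.
policy_rules() {
    flush_rules
    base_rules
    $IPT -A INPUT -m policy --dir in --pol ipsec --proto esp \
         -p tcp --dport 22 -j ACCEPT
}

# Clear everything and fall back to ACCEPT (the "delete" case of the
# Exercise 6-2 script).
clear_rules() {
    $IPT -t mangle -F
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

case "${1:-}" in
    mark)   mark_rules ;;
    policy) policy_rules ;;
    delete) clear_rules ;;
    *)      echo "usage: $0 {mark|policy|delete}" >&2 ;;
esac
```

With either variant in place, the test in Step 5 should show the partner's SSH session succeeding and the plaintext attempt of the other student timing out against the DROP policy.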

(End of Exercise)


SECTION 9

Intrusion Detection and Incident Response

In this section of the workbook, you learn how to do the following:

    Log to a Remote Host on 9-2
    Use Argus on 9-4


Exercise 9-1

Log to a Remote Host

The purpose of this exercise is to show you how easy it is to create a log host. In this exercise you work with a partner. Decide who of you will send messages and who will receive them. (Do not both send and receive messages to each other, as this might create an endless loop.)

To log to a remote host, complete the following:

    Part I: On the Computer Receiving Messages
    Part II: On the Computer Sending Messages

Part I: On the Computer Receiving Messages

Do the following:

1. Open a terminal window and su - to root with a password of novell.
2. Open the file /etc/sysconfig/syslog in vi and add -r to the variable SYSLOGD_PARAMS:

    SYSLOGD_PARAMS="-r"

3. Save the file and quit vi.
4. Restart the syslogd by entering rcsyslog restart
5. View /var/log/messages by entering tail -f /var/log/messages


Part II: On the Computer Sending Messages

Do the following:

1. Open a terminal window and su - to root with a password of novell.
2. Open the file /etc/syslog.conf in vi and add the line

    *.* @logging_host.digitalairlines.com

3. Save the file and quit vi.
4. Reload the syslogd by entering rcsyslog reload
5. If the receiving computer is already configured to receive log entries, you should see log entries from the sending computer in the console running tail. (You can create log entries by logging in at a terminal window, or by using the program logger.)

(End of Exercise)


Exercise 9-2

Use Argus

The purpose of this exercise is to give you an idea how Argus works and how reports are generated. Do the following:

1. Open a terminal window and su - to root with a password of novell.
2. Install Argus by entering yast -i argus
3. Check if the interface set in /etc/sysconfig/argus is correct.
4. Start Argus by entering rcargus start
5. Produce different kinds of network traffic, like browsing the web or using SSH to connect to your neighbor.
6. View the log file by entering ra -r /var/log/argus.log
7. (optional) Work out filtering rules to limit the output to a certain kind of traffic of your choice.

(End of Exercise)


SECTION 10

LifeFire Exercise

In this section, you get the opportunity to put the various parts covered throughout this course into a comprehensive scenario. It is also intended as part of your preparation for the Novell CLE 9 (Certified Linux Engineer 9) Practicum exam. You will work with other students in these scenarios to do the following:

    Set Up the Application-Level Gateway on 10-4
    Set Up the Screening Router on 10-5
    Set Up a Web Server in the DMZ on 10-6
    Set Up the Mail Server in the LAN on 10-7
    Set Up the VPN Gateway on 10-8

Remember that skills from all three Novell CLP courses as well as SUSE LINUX Network Services Course 3057 might be necessary to fulfill the required tasks. To do these exercises, some of the computers need two NICs and you will need several patch cables and switches or hubs.


Scenario

Digital Airlines is planning on deploying SUSE LINUX Enterprise Server 9 in its central firewall environment. It will consist of application-level gateways, packet filters, and remote access via IPSec. As network administrator for Digital Airlines, you worked out the following network layout:

Figure 10-1


A separate computer acts as a VPN gateway to allow off-site users to connect to the LAN:

Figure 10-2

You decide to start by installing a pilot installation in the test lab.


Objective 1

Set Up the Application-Level Gateway


The following are tasks and requirements that need to be performed on the application-level gateway:

- Set up the network configuration according to the network plan (this will require a switch or hub to connect to the DMZ and the screening router).
- Configure Squid to allow the clients in the local network to access the World Wide Web using HTTP and HTTPS.
- Configure a forwarding-only DNS server.
- Configure a SOCKS server, and configure the clients accordingly.
- Configure Postfix to accept mail for digitalairlines.com and to forward all mail for that domain to the internal mail server running on 172.16.0.250. From the internal network, mail is only accepted from the internal mail server and relayed to the mail server of the ISP.
- Write a script to set iptables rules that allow you to access only the above services (squid, socks, mail, dns) and SSH on the application-level gateway.
- Test your configuration.


Objective 2

Set Up the Screening Router


The following are tasks and requirements that need to be performed on the screening router:

- Install a minimal installation of SUSE LINUX Enterprise Server 9.
- Set up the network configuration according to the network plan (this will require a switch or hub to connect to the application-level gateway and the DMZ).
- Write a script that sets iptables rules to allow traffic through the router that originates from legitimate servers running on the application-level gateway or the DMZ computers.
- The only service on the screening router itself that can be accessible is sshd (from the application-level gateway only). Add this to the iptables script.
- Configure sshd to allow only public key authentication, no root login.
- Test your configuration.


Objective 3

Set Up a Web Server in the DMZ


The following are tasks and requirements that need to be performed on the web server:

- Set up the network configuration according to the network plan (this will require a switch or hub to connect to the application-level gateway and the screening router).
- Install a web server offering a test page visible from the Internet as well as the intranet.
- Make this page accessible via SSL as well (coordinate with the other students on who creates the certificate).
- Test your configuration.


Objective 4

Set Up the Mail Server in the LAN


The following are tasks and requirements that need to be performed on the local mail server:

- Set up the network configuration according to the network plan. The mail server has the IP address 172.16.0.250.
- Install Postfix as the mail server for the domain digitalairlines.com. It receives mail from the application-level gateway for the users, and the users use it as their mail server to send mail to others.
- Install qpopper or cyrus-imap for the users to pick up their mail.
- After the above works, change the configuration to secure SMTP and POP3/IMAP with SSL. This includes setting up a PKI with a RootCA and server certificates (coordinate with the other students on who creates the certificate).
- Add password authentication to Postfix.
- Modify Postfix so that it only accepts mail from users who have a valid certificate.
- Test your configuration.


Objective 5

Set Up the VPN Gateway


The following are tasks and requirements that need to be performed on the VPN gateway:

- Set up the network configuration according to the network plan.
- Create the necessary certificates for the gateway and a road warrior (or coordinate with the other students on who creates the certificates).
- Set up the VPN gateway so that road warrior notebooks can access the corporate LAN no matter what IP address they are assigned from their provider.
- Set up a script to set iptables rules that allow IPSec connections and traffic within the tunnel, but no unencrypted traffic on the interface connected to the Internet.
- Test your configuration.
