Network Security Hacks, 2nd Edition

Cover of Network Security Hacks, 2nd Edition by Andrew Lockhart Published by O'Reilly Media, Inc.
  1. Network Security Hacks
  2. Copyright
  3. Credits
    1. About the Author
    2. Contributors
    3. Acknowledgments
  4. Preface
    1. Why Network Security Hacks?
    2. How This Book Is Organized
    3. Conventions Used in This Book
    4. Safari Enabled
    5. Using Code Examples
    6. How to Contact Us
    7. Got a Hack?
  5. 1. Unix Host Security
    1. Hack #1. Secure Mount Points
    2. Hack #2. Scan for SUID and SGID Programs
    3. Hack #3. Scan for World- and Group-Writable Directories
    4. Hack #4. Create Flexible Permissions Hierarchies with POSIX ACLs
      1. Enabling ACLs
      2. Managing ACLs
    5. Hack #5. Protect Your Logs from Tampering
    6. Hack #6. Delegate Administrative Roles
    7. Hack #7. Automate Cryptographic Signature Verification
    8. Hack #8. Check for Listening Services
    9. Hack #9. Prevent Services from Binding to an Interface
    10. Hack #10. Restrict Services with Sandboxed Environments
      1. Using chroot()
      2. Using FreeBSD’s jail()
    11. Hack #11. Use proftpd with a MySQL Authentication Source
      1. See Also
    12. Hack #12. Prevent Stack-Smashing Attacks
    13. Hack #13. Lock Down Your Kernel with grsecurity
      1. Patching the Kernel
      2. Configuring Kernel Options
    14. Hack #14. Restrict Applications with grsecurity
    15. Hack #15. Restrict System Calls with systrace
    16. Hack #16. Create systrace Policies Automatically
    17. Hack #17. Control Login Access with PAM
      1. Limiting Access by Origin
      2. Restricting Access by Time
    18. Hack #18. Restrict Users to SCP and SFTP
      1. Setting Up rssh
      2. Configuring chroot()
    19. Hack #19. Use Single-Use Passwords for Authentication
      1. OPIE Under FreeBSD
      2. S/Key Under OpenBSD
    20. Hack #20. Restrict Shell Environments
    21. Hack #21. Enforce User and Group Resource Limits
    22. Hack #22. Automate System Updates
  6. 2. Windows Host Security
    1. Hack #23. Check Servers for Applied Patches
      1. Using HFNetChk
      2. See Also
    2. Hack #24. Use Group Policy to Configure Automatic Updates
      1. Some Recommendations
      2. Digging Deeper
    3. Hack #25. List Open Files and Their Owning Processes
    4. Hack #26. List Running Services and Open Ports
    5. Hack #27. Enable Auditing
    6. Hack #28. Enumerate Automatically Executed Programs
    7. Hack #29. Secure Your Event Logs
    8. Hack #30. Change Your Maximum Log File Sizes
    9. Hack #31. Back Up and Clear the Event Logs
      1. The Code
      2. Running the Hack
    10. Hack #32. Disable Default Shares
    11. Hack #33. Encrypt Your Temp Folder
    12. Hack #34. Back Up EFS
      1. Backing Up Encrypted Data and EFS Keys
      2. Restoring EFS Keys
      3. Backing Up Recovery Agent Keys
    13. Hack #35. Clear the Paging File at Shutdown
    14. Hack #36. Check for Passwords That Never Expire
      1. The Code
      2. Running the Hack
  7. 3. Privacy and Anonymity
    1. Hack #37. Evade Traffic Analysis
      1. Onion Routing
      2. Installing Tor
      3. Installing Privoxy
      4. Configuring Privoxy for Tor
      5. See Also
    2. Hack #38. Tunnel SSH Through Tor
      1. See Also
    3. Hack #39. Encrypt Your Files Seamlessly
    4. Hack #40. Guard Against Phishing
      1. SpoofGuard
      2. Installing SpoofGuard
      3. How SpoofGuard Works
    5. Hack #41. Use the Web with Fewer Passwords
      1. PwdHash
      2. Remote PwdHash
    6. Hack #42. Encrypt Your Email with Thunderbird
      1. Setting Up Thunderbird
      2. Providing a Public/Private Key Pair
      3. Sending and Receiving Encrypted Email
    7. Hack #43. Encrypt Your Email in Mac OS X
      1. Installing GPG
      2. Creating a GPG Key
      3. Installing GPGMail
      4. Sending and Receiving Encrypted Email
  8. 4. Firewalling
    1. Hack #44. Firewall with Netfilter
      1. Setting the Filtering Policy
      2. Rule Examples
      3. A Word About Stateful Inspection
      4. Ordering Rules
    2. Hack #45. Firewall with OpenBSD’s PacketFilter
      1. Configuring PF
      2. Global Options
      3. Traffic Normalization Rules
      4. Filtering Rules
    3. Hack #46. Protect Your Computer with the Windows Firewall
      1. Allow Programs to Bypass the Firewall
      2. Tracking Firewall Activity with a Windows Firewall Log
      3. Problems with Email and the Windows Firewall
      4. Hacking the Hack
      5. See Also
    4. Hack #47. Close Down Open Ports and Block Protocols
    5. Hack #48. Replace the Windows Firewall
      1. Installing CORE FORCE
      2. The Configuration Wizard
      3. Manual Configuration
    6. Hack #49. Create an Authenticated Gateway
    7. Hack #50. Keep Your Network Self-Contained
    8. Hack #51. Test Your Firewall
    9. Hack #52. MAC Filter with Netfilter
    10. Hack #53. Block Tor
  9. 5. Encrypting and Securing Services
    1. Hack #54. Encrypt IMAP and POP with SSL
    2. Hack #55. Use TLS-Enabled SMTP with Sendmail
    3. Hack #56. Use TLS-Enabled SMTP with Qmail
    4. Hack #57. Install Apache with SSL and suEXEC
      1. Apache 1.x
      2. Apache 2.x
    5. Hack #58. Secure BIND
      1. See Also
    6. Hack #59. Set Up a Minimal and Secure DNS Server
      1. Installing daemontools
      2. Installing Djbdns
      3. Adding Records
    7. Hack #60. Secure MySQL
    8. Hack #61. Share Files Securely in Unix
  10. 6. Network Security
    1. Hack #62. Detect ARP Spoofing
    2. Hack #63. Create a Static ARP Table
    3. Hack #64. Protect Against SSH Brute-Force Attacks
      1. Changing the Port
      2. Disabling Password Authentication
      3. Firewalling the SSH Daemon
    4. Hack #65. Fool Remote Operating System Detection Software
    5. Hack #66. Keep an Inventory of Your Network
    6. Hack #67. Scan Your Network for Vulnerabilities
      1. Nessus 2.x
      2. Nessus 3.x
    7. Hack #68. Keep Server Clocks Synchronized
    8. Hack #69. Create Your Own Certificate Authority
      1. Creating the CA
      2. Signing Certificates
    9. Hack #70. Distribute Your CA to Clients
    10. Hack #71. Back Up and Restore a Certificate Authority with Certificate Services
      1. Backing Up a CA
      2. The Certification Authority Backup Wizard
      3. Restoring a CA to a Working Server
      4. Restoring a CA to a Different Server
      5. Decommissioning the Old CA
    11. Hack #72. Detect Ethernet Sniffers Remotely
      1. Sniffing Shared Mediums
      2. Sniffing in Switched Environments
      3. Installing SniffDet
      4. Testing with ARP Queries
    12. Hack #73. Help Track Attackers
    13. Hack #74. Scan for Viruses on Your Unix Servers
      1. Installing ClamAV
      2. Configuring clamd
    14. Hack #75. Track Vulnerabilities
      1. Mailing Lists
      2. RSS Feeds
      3. Cassandra
      4. Summary
  11. 7. Wireless Security
    1. Hack #76. Turn Your Commodity Wireless Routers into a Sophisticated Security Platform
    2. Hack #77. Use Fine-Grained Authentication for Your Wireless Network
      1. Deploying the RADIUS Server
      2. Configuring Your AP
    3. Hack #78. Deploy a Captive Portal
      1. The Authentication Server
      2. Installing the Gateway
  12. 8. Logging
    1. Hack #79. Run a Central Syslog Server
    2. Hack #80. Steer Syslog
    3. Hack #81. Integrate Windows into Your Syslog Infrastructure
      1. Using NTsyslog
      2. Using Eventlog to Syslog
    4. Hack #82. Summarize Your Logs Automatically
    5. Hack #83. Monitor Your Logs Automatically
      1. Installing swatch
      2. Configuration Syntax
    6. Hack #84. Aggregate Logs from Remote Sites
      1. Compiling syslog-ng
      2. Configuring syslog-ng
      3. Translating Your syslog.conf
    7. Hack #85. Log User Activity with Process Accounting
    8. Hack #86. Centrally Monitor the Security Posture of Your Servers
      1. Installation
      2. Adding Agents
      3. Installing a Windows Agent
      4. Configuration
      5. Active Responses
      6. See Also
  13. 9. Monitoring and Trending
    1. Hack #87. Monitor Availability
      1. Installing Nagios
      2. Installing Plug-ins
      3. Configuring Nagios
    2. Hack #88. Graph Trends
    3. Hack #89. Get Real-Time Network Stats
    4. Hack #90. Collect Statistics with Firewall Rules
    5. Hack #91. Sniff the Ether Remotely
  14. 10. Secure Tunnels
    1. Hack #92. Set Up IPsec Under Linux
    2. Hack #93. Set Up IPsec Under FreeBSD
      1. Client Configuration
      2. Gateway Configuration
      3. Using x.509 Certificates
    3. Hack #94. Set Up IPsec in OpenBSD
      1. Password Authentication
      2. Certificate Authentication
    4. Hack #95. Encrypt Traffic Automatically with Openswan
    5. Hack #96. Forward and Encrypt Traffic with SSH
    6. Hack #97. Automate Logins with SSH Client Keys
    7. Hack #98. Use a Squid Proxy over SSH
    8. Hack #99. Use SSH As a SOCKS Proxy
    9. Hack #100. Encrypt and Tunnel Traffic with SSL
      1. Building Stunnel
      2. Configuring stunnel
      3. Encrypting Services
    10. Hack #101. Tunnel Connections Inside HTTP
    11. Hack #102. Tunnel with VTun and SSH
      1. Configuring VTun
      2. Testing VTun
      3. Encrypting the Tunnel
    12. Hack #103. Generate VTun Configurations Automatically
      1. The Code
      2. Running the Hack
    13. Hack #104. Create a Cross-Platform VPN
      1. Installing OpenVPN
      2. Testing OpenVPN
      3. Creating Your Configuration
      4. Using OpenVPN and Windows
      5. Using OpenVPN with Mac OS X
    14. Hack #105. Tunnel PPP
      1. See Also
  15. 11. Network Intrusion Detection
    1. Hack #106. Detect Intrusions with Snort
      1. Installing Snort
      2. Testing Snort
      3. Configuring Snort
      4. See Also
    2. Hack #107. Keep Track of Alerts
    3. Hack #108. Monitor Your IDS in Real Time
      1. Creating the Database
      2. Setting Up the Server
      3. Installing a Sensor
      4. Finishing Up
    4. Hack #109. Manage a Sensor Network
      1. Installing the Prerequisites
      2. Setting Up the Console
      3. Setting Up an Agent
      4. Adding an Agent to the Console
    5. Hack #110. Write Your Own Snort Rules
      1. Rule Basics
      2. Options
      3. Thresholding
      4. Suppression
    6. Hack #111. Prevent and Contain Intrusions with Snort_inline
    7. Hack #112. Automatically Firewall Attackers with SnortSam
      1. Installing SnortSam
      2. Configuring SnortSam
      3. See Also
    8. Hack #113. Detect Anomalous Behavior
    9. Hack #114. Automatically Update Snort’s Rules
    10. Hack #115. Create a Distributed Stealth Sensor Network
    11. Hack #116. Use Snort in High-Performance Environments with Barnyard
      1. Installation
      2. Configuring Snort
      3. Configuring Barnyard
      4. Testing Barnyard
    12. Hack #117. Detect and Prevent Web Application Intrusions
      1. Installing mod_security
      2. Enabling and Configuring mod_security
      3. Creating Filters
      4. See Also
    13. Hack #118. Scan Network Traffic for Viruses
      1. Patching Snort
      2. Configuring the Preprocessor
      3. Trying It Out
    14. Hack #119. Simulate a Network of Vulnerable Hosts
      1. Compiling honeyd
      2. Configuring honeyd
      3. Running honeyd
      4. Testing honeyd
    15. Hack #120. Record Honeypot Activity
      1. Installing the Linux Client
      2. Setting Up the Server
      3. Installing the Windows Client
  16. 12. Recovery and Response
    1. Hack #121. Image Mounted Filesystems
    2. Hack #122. Verify File Integrity and Find Compromised Files
      1. Building and Installing Tripwire
      2. Configuring Tripwire
      3. Day-to-Day Use
      4. See Also
    3. Hack #123. Find Compromised Packages
      1. Using RPM
      2. Using Other Package Managers
    4. Hack #124. Scan for Rootkits
    5. Hack #125. Find the Owner of a Network
      1. Getting DNS Information
      2. Getting Netblock Information
  17. About the Author
  18. Colophon
  19. Copyright
Chapter 5. Encrypting and Securing Services

Hacks 54–61

A network is only as secure as the weakest host connected to it. Therefore, it follows that a host is only as secure as the weakest service that it’s running. After all, the only way into a system from the network (barring esoteric kernel-level network stack vulnerabilities) is through the services that it offers. Because of this, a large part of network security involves ensuring that your services are configured securely. This entails configuring services to provide only the functionality that’s required of them to accomplish the tasks they need to perform. Additionally, you should give services access to only the bare minimum of system resources needed.

That’s just part of the solution, though. If a network service operates in cleartext, all of the work you spent locking it down can be for nothing. In most cases, all an attacker needs to do to gain access to such a service is capture a user’s login credentials with a packet sniffer as that user authenticates.

This chapter shows how to deploy IMAP, POP3, and SMTP servers that are protected with encryption, in order to prevent your users from accidentally disclosing their login credentials and keep their data safe from prying eyes. You’ll also learn how to securely deploy DNS services and MySQL. In addition, you’ll learn how to deploy Apache with SSL support and how to keep your users’ CGI scripts from accessing files that they normally wouldn’t be able to access.

Hack #54. Encrypt ...