Franske ITC-2480 Lab 12
Revision as of 05:33, 9 April 2014 by BenFranske (talk | contribs)
Introduction
In this lab you will learn about several Linux utilities which can be used for monitoring Linux and other systems for security and service uptime purposes.
Lab Procedure
Prerequisites
- Open an SSH console to your Linux system using the PuTTY software, login with your standard user account
- The IP address of a partner's system which you have permission to portscan
Monitoring connections with netstat
- One common activity you would want to do when evaluating the security of a system is to find out what ports the system is accepting connections on. For this reason most operating systems have some kind of utility to display active network connections and open ports, Linux is no exception. The netstat utility can show you currently active network connections as well as open ports on your local system.
- Take a look at the man page for the netstat command. Specifically, figure out what the -n, -a, -t, and -u options do.
- Run the netstat -natu command on your system and observe the output.
- Try to identify what the purpose of each open port on your system is. Note, there are many online guides to common uses for ports.
- You'll find that there are a number of ports open on your system. Some of these we have opened to provide a specific service such as SMTP, DNS, a web server, etc., but some, such as the sunrpc port, are open simply by default on a fresh install. There are a number of different strategies you can use to secure your system, including disabling a service, binding it to an internal-only IP address, or blocking access with a firewall rule. If your firewall is set up with an implicit (or explicit) reject-any rule at the bottom of the input chain and you have not specifically opened a port, it should not be accessible from other systems. How can we test that, though? The netstat utility is useful for listing the ports that are open on the system in some way, but it does not show us how those ports react if someone outside actually tries to connect.
Scanning ports using nmap
- The nmap Network Mapper utility is a very powerful security scanning utility available on Linux. Before we begin this section of the lab it is important to remember that scanning a system is often seen as an attack against the system and should not be done unless you are the administrator of both the system that you are scanning from and the system you are scanning, or have the explicit permission of the system administrator of those systems! In some areas people have been legally charged and prosecuted for scanning systems which they were not authorized to scan. You have been warned!
- Unlike netstat, nmap is not part of the default Debian installation, so you will need to install the nmap package before proceeding.
- nmap is complex and powerful. Entire books and extensive documentation are available which you may want to reference but we'll only be exploring some of the more basic features in this introduction.
- The nmap project provides a system on the Internet which you are allowed to scan for testing purposes, so let's try a verbose scan (which gives additional diagnostic detail) using the nmap -v scanme.nmap.org command.
- Review the output and then run the same command without the -v verbose option and compare the output you receive.
- When scanning your own system there are a few different ways to go about it. You could either scan the localhost address 127.0.0.1 or the actual outside IP address of your system. You could also set up a separate system or VM and do the scanning from that system. In each case you might see somewhat different results; can you guess why?
- The answer is related to how you have your firewall rules set up and what addresses you have services bound to. For example, by default on Debian systems MySQL only listens for connections on the localhost address (127.0.0.1) and not on outside interfaces. Try running the nmap 127.0.0.1 command and then compare its output with that of the nmap <your outside ip address here> command. Do you see some network services listening only on the localhost address? These services are not accessible from outside your computer even though the ports are open and you would see them as open with netstat. This shows us some of the additional value of using nmap.
- The most realistic use of nmap, though, is to scan like an attacker would, using a system outside of the one you're testing. Use nmap to scan a partner's IP address and take a look at some of the nmap documentation to try a few different types of scans on that system. If you would like to try some subnet scanning capabilities, you can also scan the entire ITC-2480 subnet (172.17.50.0/24).
- Remember that in our case these systems are secure from the outside world because we have an upstream firewall which you have bypassed by connecting to our VPN and these systems are using unroutable private IPv4 addresses.
- nmap also supports scanning IPv6 addresses. Note that a running service is not necessarily listening on both IPv4 and IPv6 addresses just because you have them both active on your machine. Figure out how to scan IPv6 addresses with nmap and try scanning both an IPv4 and an IPv6 address on your machine and compare the results. Use the same type of address for both (i.e. both the IPv4 and IPv6 addresses should be the localhost addresses, or both should be outside addresses). Are the same services open on both IPv4 and IPv6 on your system?
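The netstat and nmap steps above both come down to one question: which of the sockets netstat lists are bound to loopback only, and which could an outside scan reach at all? The script below is an added example (not part of the lab page) that answers it from a constructed sample of netstat -natu output; on your own system, pipe the live netstat output into classify_listeners instead.

```sh
#!/bin/sh
# Added example (not from the lab page): classify the sockets that
# 'netstat -natu' reports so you know which ports an outside nmap scan
# could reach at all. The sample below is constructed; on a real system
# pipe the live 'netstat -natu' output into classify_listeners instead.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 172.17.50.12:22         172.17.50.1:51234       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*'

# Reads netstat output on stdin and prints "proto port bind-address scope"
# for every listening TCP socket and every unconnected UDP socket.
classify_listeners() {
    awk '
        NR <= 2 { next }                          # skip the two header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }    # TCP: listeners only
        $1 ~ /^udp/ && $5 !~ /:\*$/ { next }      # UDP: skip connected sockets
        {
            n = split($4, a, ":"); port = a[n]    # port is after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1")   scope = "localhost-only"
            else if (addr == "0.0.0.0" || addr == "::") scope = "all-interfaces"
            else                                        scope = "bound-to-" addr
            print $1, port, addr, scope
        }'
}

# TCP ports a scan of your outside address could find open (firewall
# permitting): every listener not bound to loopback, as a sorted list.
external_tcp_ports() {
    classify_listeners |
        awk '$1 ~ /^tcp/ && $4 != "localhost-only" { print $2 }' |
        sort -un | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

printf '%s\n' "$SAMPLE" | classify_listeners
echo "ports an outside nmap scan may report open: $(printf '%s\n' "$SAMPLE" | external_tcp_ports)"
```

Anything the outside nmap scan reports open beyond that list, or anything from the list it does not report, points at a firewall rule or a service bound to a specific address worth explaining.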
Graphing statistics with Cacti
- Install the cacti package on your system. You can ignore the message about adodb-php no longer being supported, and you can indicate that you are using the apache2 webserver. If you provide your MySQL root password the installation script will create the database automatically for you.
- Visit http://<your-ip-address>/cacti and complete the web portion of the install, taking the pre-filled default options.
- Login to the Cacti interface using admin/admin for the username and password. You will be prompted to set a new password.
- In order to start the data collection process click the "System Utilities" link and then the "Rebuild Poller Cache" link.
- Click the graphs tab to view some basic statistical graphs about your system. Note that it may take at least ten minutes of data collection before you have graphs as this information is only collected once every five minutes by default.
- Additional graphs can be generated for this system and other systems by collecting data via SNMP or other methods. Data to be collected can include network throughput, CPU load, memory and disk usage, power voltage, temperature, etc. Just about any number a system can give you can be tracked. Do a little research online about the types of information that Cacti can collect and graph over time and how that might be useful for monitoring and troubleshooting systems.
Monitoring services with Nagios
- Install the nagios3 package on your system.
- Visit http://<your-ip-address>/nagios3 and login with the username nagiosadmin and the password which you specified during the installation process.
- Click the "Services" menu link to see what services are being tracked on your local machine by default.
- See if you can follow the Nagios documentation to set up alerts to your local system user's email address if the web server you're running goes down.
- Try disabling your web server (service apache2 stop) for at least 5 minutes and see if you get a notification email in your user's mailbox and a notification in the Nagios web UI that the HTTP service is down.
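One way to wire up the e-mail alert from the previous steps, as an added example that is not part of the lab page or of Nagios itself: it assumes the Debian nagios3 package layout (object files in /etc/nagios3/conf.d/, with the generic-service template, the localhost host and the check_http, notify-service-by-email and notify-host-by-email commands already defined), and the user name student is a placeholder for your own account.

```sh
#!/bin/sh
# Added example (not from the lab page or from Nagios). Assumes the Debian
# nagios3 layout: object files in /etc/nagios3/conf.d/ and the 'generic-service'
# template, 'localhost' host, 'check_http', 'notify-service-by-email' and
# 'notify-host-by-email' commands already defined there. 'student' is a placeholder.
USER_NAME="${1:-student}"   # local user who should receive the e-mail

# Print a Nagios object file: a contact for the local user, a contact
# group, and an HTTP check on localhost that notifies that group when
# the check goes CRITICAL and again when the web server recovers.
nagios_http_alert_cfg() {
    cat <<EOF
define contact {
    contact_name                    $1
    service_notification_period     24x7
    host_notification_period        24x7
    service_notification_options    w,u,c,r
    host_notification_options       d,r
    service_notification_commands   notify-service-by-email
    host_notification_commands      notify-host-by-email
    email                           $1@localhost
}

define contactgroup {
    contactgroup_name   webwatchers
    alias               Local users watching the web server
    members             $1
}

define service {
    use                     generic-service
    host_name               localhost
    service_description     HTTP alert
    check_command           check_http
    check_interval          1
    retry_interval          1
    max_check_attempts      3
    notification_interval   5
    notification_options    c,r
    contact_groups          webwatchers
}
EOF
}
# Only install and reload where Nagios is present; validate the whole
# configuration first, because one bad object file stops Nagios entirely.
if [ -d /etc/nagios3/conf.d ]; then
    nagios_http_alert_cfg "$USER_NAME" > /etc/nagios3/conf.d/http_alert_nagios2.cfg
    nagios3 -v /etc/nagios3/nagios.cfg && service nagios3 reload
fi
```

With a one-minute check interval and three attempts before a hard CRITICAL state, stopping apache2 for the five minutes the lab suggests is enough to produce both the web UI alert and the e-mail.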