Network Security Hacks

Contents
Credits
	About the Author
	Contributors
	Acknowledgments
Preface
	Why Network Security Hacks?
	How This Book Is Organized
	Conventions Used in This Book
	Safari® Enabled
	Using Code Examples
	How to Contact Us
	Got a Hack?
Unix Host Security
	Secure Mount Points
	Scan for SUID and SGID Programs
	Scan for World- and Group-Writable Directories
	Create Flexible Permissions Hierarchies with POSIX ACLs
		Enabling ACLs
		Managing ACLs
	Protect Your Logs from Tampering
	Delegate Administrative Roles
	Automate Cryptographic Signature Verification
	Check for Listening Services
	Prevent Services from Binding to an Interface
	Restrict Services with Sandboxed Environments
		Using chroot()
		Using FreeBSD’s jail()
	Use proftpd with a MySQL Authentication Source
		See Also
	Prevent Stack-Smashing Attacks
	Lock Down Your Kernel with grsecurity
		Patching the Kernel
		Configuring Kernel Options
			Low security
			Medium security
			High security
			Customized security settings
	Restrict Applications with grsecurity
	Restrict System Calls with systrace
	Create systrace Policies Automatically
	Control Login Access with PAM
		Limiting Access by Origin
		Restricting Access by Time
	Restrict Users to SCP and SFTP
		Setting Up rssh
		Configuring chroot()
	Use Single-Use Passwords for Authentication
		OPIE Under FreeBSD
		S/Key Under OpenBSD
	Restrict Shell Environments
	Enforce User and Group Resource Limits
	Automate System Updates
Windows Host Security
	Check Servers for Applied Patches
		Using HFNetChk
		See Also
	Use Group Policy to Configure Automatic Updates
		Some Recommendations
		Digging Deeper
	List Open Files and Their Owning Processes
	List Running Services and Open Ports
	Enable Auditing
	Enumerate Automatically Executed Programs
	Secure Your Event Logs
	Change Your Maximum Log File Sizes
	Back Up and Clear the Event Logs
		The Code
		Running the Hack
	Disable Default Shares
	Encrypt Your Temp Folder
	Back Up EFS
		Backing Up Encrypted Data and EFS Keys
		Restoring EFS Keys
		Backing Up Recovery Agent Keys
	Clear the Paging File at Shutdown
	Check for Passwords That Never Expire
		The Code
		Running the Hack
Privacy and Anonymity
	Evade Traffic Analysis
		Onion Routing
		Installing Tor
		Installing Privoxy
		Configuring Privoxy for Tor
		See Also
	Tunnel SSH Through Tor
		See Also
	Encrypt Your Files Seamlessly
	Guard Against Phishing
		SpoofGuard
		Installing SpoofGuard
		How SpoofGuard Works
	Use the Web with Fewer Passwords
		PwdHash
		Remote PwdHash
	Encrypt Your Email with Thunderbird
		Setting Up Thunderbird
		Providing a Public/Private Key Pair
			Importing an existing key pair
			Generating a new key pair
		Sending and Receiving Encrypted Email
	Encrypt Your Email in Mac OS X
		Installing GPG
		Creating a GPG Key
		Installing GPGMail
		Sending and Receiving Encrypted Email
Firewalling
	Firewall with Netfilter
		Setting the Filtering Policy
		Rule Examples
		A Word About Stateful Inspection
		Ordering Rules
	Firewall with OpenBSD’s PacketFilter
		Configuring PF
		Global Options
		Traffic Normalization Rules
		Filtering Rules
	Protect Your Computer with the Windows Firewall
		Allow Programs to Bypass the Firewall
		Tracking Firewall Activity with a Windows Firewall Log
		Problems with Email and the Windows Firewall
		Hacking the Hack
		See Also
	Close Down Open Ports and Block Protocols
	Replace the Windows Firewall
		Installing CORE FORCE
		The Configuration Wizard
		Manual Configuration
	Create an Authenticated Gateway
	Keep Your Network Self-Contained
	Test Your Firewall
	MAC Filter with Netfilter
	Block Tor
Encrypting and Securing Services
	Encrypt IMAP and POP with SSL
	Use TLS-Enabled SMTP with Sendmail
	Use TLS-Enabled SMTP with Qmail
	Install Apache with SSL and suEXEC
		Apache 1.x
		Apache 2.x
	Secure BIND
		See Also
	Set Up a Minimal and Secure DNS Server
		Installing daemontools
		Installing Djbdns
		Adding Records
	Secure MySQL
	Share Files Securely in Unix
Network Security
	Detect ARP Spoofing
	Create a Static ARP Table
	Protect Against SSH Brute-Force Attacks
		Changing the Port
		Disabling Password Authentication
		Firewalling the SSH Daemon
			Limiting connections to your sshd
			Parsing logs and blocking an IP
			Rate-limiting SYN packets
	Fool Remote Operating System Detection Software
	Keep an Inventory of Your Network
	Scan Your Network for Vulnerabilities
		Nessus 2.x
		Nessus 3.x
	Keep Server Clocks Synchronized
	Create Your Own Certificate Authority
		Creating the CA
		Signing Certificates
	Distribute Your CA to Clients
	Back Up and Restore a Certificate Authority with Certificate Services
		Backing Up a CA
		The Certification Authority Backup Wizard
		Restoring a CA to a Working Server
		Restoring a CA to a Different Server
		Decommissioning the Old CA
	Detect Ethernet Sniffers Remotely
		Sniffing Shared Mediums
		Sniffing in Switched Environments
		Installing SniffDet
		Testing with ARP Queries
	Help Track Attackers
	Scan for Viruses on Your Unix Servers
		Installing ClamAV
		Configuring clamd
	Track Vulnerabilities
		Mailing Lists
		RSS Feeds
		Cassandra
		Summary
Wireless Security
	Turn Your Commodity Wireless Routers into a Sophisticated Security Platform
	Use Fine-Grained Authentication for Your Wireless Network
		Deploying the RADIUS Server
		Configuring Your AP
	Deploy a Captive Portal
		The Authentication Server
		Installing the Gateway
Logging
	Run a Central Syslog Server
	Steer Syslog
	Integrate Windows into Your Syslog Infrastructure
		Using NTsyslog
		Using Eventlog to Syslog
	Summarize Your Logs Automatically
	Monitor Your Logs Automatically
		Installing swatch
		Configuration Syntax
	Aggregate Logs from Remote Sites
		Compiling syslog-ng
		Configuring syslog-ng
		Translating Your syslog.conf
	Log User Activity with Process Accounting
	Centrally Monitor the Security Posture of Your Servers
		Installation
		Adding Agents
		Installing a Windows Agent
		Configuration
		Active Responses
		See Also
Monitoring and Trending
	Monitor Availability
		Installing Nagios
		Installing Plug-ins
		Configuring Nagios
			Adding hosts to monitor
			Creating host groups
			Creating contacts and contact groups
			Configuring services to monitor
			Defining time periods
	Graph Trends
	Get Real-Time Network Stats
	Collect Statistics with Firewall Rules
	Sniff the Ether Remotely
Secure Tunnels
	Set Up IPsec Under Linux
	Set Up IPsec Under FreeBSD
		Client Configuration
		Gateway Configuration
		Using x.509 Certificates
	Set Up IPsec in OpenBSD
		Password Authentication
		Certificate Authentication
	Encrypt Traffic Automatically with Openswan
	Forward and Encrypt Traffic with SSH
	Automate Logins with SSH Client Keys
	Use a Squid Proxy over SSH
	Use SSH As a SOCKS Proxy
	Encrypt and Tunnel Traffic with SSL
		Building Stunnel
		Configuring stunnel
		Encrypting Services
	Tunnel Connections Inside HTTP
	Tunnel with VTun and SSH
		Configuring VTun
		Testing VTun
		Encrypting the Tunnel
	Generate VTun Configurations Automatically
		The Code
		Running the Hack
	Create a Cross-Platform VPN
		Installing OpenVPN
		Testing OpenVPN
		Creating Your Configuration
		Using OpenVPN and Windows
		Using OpenVPN with Mac OS X
	Tunnel PPP
		See Also
Network Intrusion Detection
	Detect Intrusions with Snort
		Installing Snort
		Testing Snort
		Configuring Snort
		See Also
	Keep Track of Alerts
	Monitor Your IDS in Real Time
		Creating the Database
		Setting Up the Server
		Installing a Sensor
			Patching Snort
			Patching Barnyard
		Finishing Up
	Manage a Sensor Network
		Installing the Prerequisites
		Setting Up the Console
		Setting Up an Agent
		Adding an Agent to the Console
	Write Your Own Snort Rules
		Rule Basics
			Actions
			Protocols
			IP addresses
			Ports
		Options
			Adding human-readable messages
			Inspecting packet content
			Matching TCP flags
		Thresholding
			Thresholding by signature ID
			Thresholding with rule options
		Suppression
	Prevent and Contain Intrusions with Snort_inline
	Automatically Firewall Attackers with SnortSam
		Installing SnortSam
		Configuring SnortSam
		See Also
	Detect Anomalous Behavior
	Automatically Update Snort’s Rules
	Create a Distributed Stealth Sensor Network
	Use Snort in High-Performance Environments with Barnyard
		Installation
		Configuring Snort
		Configuring Barnyard
		Testing Barnyard
	Detect and Prevent Web Application Intrusions
		Installing mod_security
		Enabling and Configuring mod_security
		Creating Filters
		See Also
	Scan Network Traffic for Viruses
		Patching Snort
		Configuring the Preprocessor
			Ports to scan
			Direction to scan
			Blocking propagation
			Miscellaneous options
		Trying It Out
	Simulate a Network of Vulnerable Hosts
		Compiling honeyd
		Configuring honeyd
		Running honeyd
		Testing honeyd
	Record Honeypot Activity
		Installing the Linux Client
		Setting Up the Server
		Installing the Windows Client
Recovery and Response
	Image Mounted Filesystems
	Verify File Integrity and Find Compromised Files
		Building and Installing Tripwire
		Configuring Tripwire
		Day-to-Day Use
		See Also
	Find Compromised Packages
		Using RPM
		Using Other Package Managers
	Scan for Rootkits
	Find the Owner of a Network
		Getting DNS Information
		Getting Netblock Information
Index