Chapter 4.4 Linux Host Security
Which command would you use to list all of the currently defined iptables rules?
sudo iptables -F
sudo /sbin/iptables-save
sudo iptables -L
sudo iptables -A INPUT -j DROP
sudo iptables -L
You want to make sure no unneeded software packages are running on your Linux server. Select the command from the drop-down list that you can use to see all installed RPM packages.
yum list packages
yum list rpm packages
yum list installed
yum list rpm installed
yum list installed
Question 7 In which of the iptables default chains would you configure a rule to allow an external device to access the HTTPS port on the Linux server?
Forward
Accept
Output
Input
Input
Question 1 Which command should you use to display both listening and non-listening sockets on your Linux system? (Tip: enter the command as if in Command Prompt.)
netstat -a
Question 3 You need to increase the security of your Linux system by finding and closing open ports. Which of the following commands should you use to locate open ports?
nslookup
netstat
nmap
traceroute
nmap
Question 2 Which command should you use to scan for open TCP ports on your Linux system? (Tip: enter the command as if in Command Prompt.)
nmap -sT
Action: Clear current rules
Command: sudo iptables -F
Action: List current rules
Command: sudo iptables -L
Question 4 What does the netstat -a command show?
All listening and non-listening sockets
All network users
All connected hosts
All listening sockets
All listening and non-listening sockets
You have configured the following rules. What is the effect?
sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow SSH traffic
Block SMTP traffic
Allow SMTP traffic
Block SSH traffic
Allow SMTP traffic
Accept
Allows the connection.
Action: Allow HTTP traffic on port 80 and HTTPS traffic on port 443
Command:
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Action: Block connections from 192.168.0.254
Command: sudo iptables -A INPUT -s 192.168.0.254 -j DROP
Action: Save iptables changes (Ubuntu)
Command: sudo /sbin/iptables-save (The command may be different on other Linux systems.)
Action: Drop all incoming traffic
Command: sudo iptables -A INPUT -j DROP
Action: Allow SMTP mail on port 25
Command:
sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Action: Allow HTTP traffic on port 80
Command:
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
(To allow HTTPS, you would use port 443.)
Action: Block SMTP mail on port 25
Command: sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT
Question 6 Which action would you use in a rule to disallow a connection silently?
Forward
Drop
Reject
Accept
Drop
Drop
Drops the connection. For example, if a host whose IP address matches a rule with a drop action pings your system, the request is dropped and no response is sent back to the sender.
Check network connections
Open network connections (open sockets) on a computer create a security risk. A socket is an endpoint of a bi-directional communication flow across a computer network. Use the following netstat (network statistics) options to identify the open network connections on Linux systems:
-a lists both listening and non-listening sockets.
-l (lowercase 'L') lists listening sockets.
-s displays statistics for each protocol.
-i displays a table of all network interfaces.
Locate open ports
Open ports can provide information about which operating system a computer uses. They can also provide entry points or information about ways to formulate an attack. To locate open ports:
1. Install the nmap utility if it is not already installed.
*yum install nmap
*apt install nmap
2. Use both of the following commands to scan for open ports:
*nmap -sT ipaddress|fqdn scans for TCP ports
*nmap -sU ipaddress|fqdn scans for UDP ports
3. Determine which services use the open ports.
4. Disable any unused service identified from the open ports information. (Make sure the service is not a dependency for another service.)
*systemctl disable servicename
*systemctl stop servicename
Which type of packet would the sender receive if they sent a connection request to TCP port 25 on a server with the following command applied?
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT
RST
ACK
SYN
ICMP Unreachable Port
RST
Reject
Rejects the connection, but sends a response back. This lets the sender know that the traffic reached a system but was rejected.
Chains
The Linux iptables firewall utility uses policy chains (sets of rules) to allow or block network traffic. When a connection is initiated to your system, iptables looks for a matching rule. If it doesn't find one, it applies the default policy of the chain. Be aware that iptables almost always comes pre-installed on any Linux distribution.
Input
This chain controls the behavior for incoming connections. For example, if a user attempts to ping the system, iptables attempts to match the IP address and port to a rule in the input chain.
Output
This chain is used for outgoing connections. For example, if you ping testout.com, iptables checks its output chain to see what the rules are regarding ping and testout.com before allowing or denying the ping request.
Forward
This chain is used for packets that pass through the system rather than being delivered locally. In other words, the traffic is not destined for the router itself; the router forwards the traffic on to the destination device.
Check for unnecessary network services
Unnecessary network services waste computer resources and increase the system's attack surface. To remove unnecessary network services:
1. Find all installed services and determine which are not needed: DNS, SNMP, DHCP and others.
*systemctl --type=service --state=active
2. Use the man command and the Internet to research services you don't recognize.
*If the service is not needed, determine if it is a dependency for another service.
3. Disable the service by using the following command:
*systemctl disable servicename
4. Use the following command to immediately stop the service:
*systemctl stop servicename
5. Use one of the following commands to remove the service's package entirely:
*yum erase packagename
*apt remove packagename
*rpm -e packagename
*dpkg -r packagename
Remove unnecessary software
Unnecessary software occupies disk space and could introduce security flaws. To remove unnecessary software:
1. Enter one of the following commands:
*yum list installed to see installed RPM packages on the computer.
*apt list to list all installed packages (apt autoremove automatically removes unused packages).
*dpkg --get-selections to see installed Debian packages on the computer.
2. Research the function of any unrecognized package to determine if it is necessary.
3. Use one of the following commands to uninstall unnecessary packages:
*yum erase packagename
*apt remove packagename
*rpm -e packagename
*dpkg -r packagename
Actions Performed
You can accept, drop, or reject the connections. After you define your accept rules, you should create a rule to drop all other traffic to prevent unauthorized access to the system.
iptables
iptables is a firewall command line utility for Linux operating systems that uses three policy chains to allow or block network traffic.