Friday, August 12, 2011

Managing links in Linux

Hard and Symbolic links are the two types of files that exist in a Unix Operating System to point to another file.
Hard Links: They are a pointer that is exactly as the same than the file it points to, no mather if it has a different name, any modification done to the pointer are also done to the target file. The hard links can only point to other files, but not directories (though directories are a special kind of files). And the other main difference with Symbolic Links is that hard links MUST reside in the same filesystem than the file they point to, because they have the same inode number.
Symbolic liks: The are a pointer to another file but they contain the name of the file they point to, it can span filesystems (they have a different inode number), and they can point to files or direcoties.
Creating Hard and Symbolic Links:
ln -fs []

By default ln (without arguments) it creates hard links.
-f, --force : Remove existing destination files.
-s, --symbolic : Make symbolic links instead of hard links.

Analysing logs in Linux

Part of the security and sysadmins tasks is the log analysis and decision taking. There is plenty of information in

The tools i recommend is called "Lire", this tool permits the creation of several reporting formats, including html, pdf, xml, between others. It also permits to analyze many log file formats, which include MySQL, Iptables, BIND, Apache, Qmail, Postfix, Syslog and more. Lire is GPL'ed Free Software (and Open Source), built around the idea of extendibility.

This tool is available from, it has been deveploped in Perl and i recommend you to install all the dependence modules with CPAN (type "perl -M CPAN -e shell" on the command line as root).

Introduction to Iptables usage in Linux

I am going to explain the generic matches, the ones that apply to all the IP packets. In general, the patch pattern looks like "-s (--src, --source).

For example:
iptables -A INPUT -s -j DROP

The IP address could also be a hostname, in that case it would be resolved to an ip address before being added to the chain. The field of the IP address could also be a range of addresses using a netmask. This instruction is applied in the INPUT chain, but it could be used also in the OUTPUT chain if the machine has more than one ip address.

iptables -A INPUT -s -j DROP

This instructions matches the first 24 bits of the address. This means, it matches addresses between -

iptables -A INPUT -s ! -j DROP

The exclamation mark negates the ipaddress, this matches the packets where the source IP is no

The "-d (--dst --destination)" matches the destination address of the packets and is used generaly on the OUTPUT chain. The same rules than in the -s option apply (address ranges can be specified as hostnames, a single IP address or a range, and negation of the addresses). For example:

iptables -A OUTPUT -d ! -j REJECT

The "-i (--in-interface) " specify on which network interface the rule should take effect, for example "eth0". This options could be used in the FORWARD, INPUT and PREROUTING chains. The network interface also accepts wildcards, for example, if you want to filter all the traffic from a privat eaddress such as in all the interfaces:

iptables -A INPUT -s -i eth* -j DROP

This would drop all packets arriving on eth0, eth1, eth2, etc.

A final "-p" option allows to work with a specific protocol, for example, if you want to drop all the UDP packets:

iptables -A INPUT -p udp -j DROP

The protocols that can be used are:
TCP, UDP, ICMP, ALL (this is for all the protocols).

 i explained some general packet matching with Iptables, now i am going to explain the TCP packet matching generalities, where the commands displayed following, all match specific values from the TCP packet headers, for example the source and destination ports, tcp options, tcp flags (for example the syn, fin, etc).

You use the --protocol argument to match TCP packets, and optionally, the source port of the packet can be specified with "--sport (--source-port) ", the source port can be a numeric value or the name of the port, that should match the port number we want in the /etc/servicesfile.

Here are two examples:
iptables -A INPUT -p tcp --sport 23 -j REJECTiptables -A INPUT -p tcp --sport telnet -j REJECT

This rules do the same, they reject the inbound traffic from the TCP port 23 of the remote host). The usage of port names instead of the number, creates a little more cpu consume and could be told as "speed penalty" in large rulesets.

It is possible also to specify a range of ports in the rules, lower and upper port separated by a colon. Here i filter all the ports between 10 and 999:
iptables -A OUTPUT -p tcp --sport 10:999 -j REJECT

All TCP source ports except the 80 are accepted with this rule:
iptables -A INPUT -p tcp --sport ! 80 -j ACCEPT

The same can be done with a range of ports:
iptables -A INPUT -p tcp --sport ! 1024:40000 -j LOG

If the first port is numerically higher than the second, iptables swaps both numbers around automatically.

To specify a TCP destination port, the "-dport (--destination-port) [port]" is used, and its rules are the same than in TCP source port matching.

For example, to stop users in your private network to connect to IRC, supposing that IRC uses the ports between 6667 to 66670, you may want to add this rule:
iptables -A OUTPUT -p tcp --dport 6667:6670 -j REJECT

To match a specific flag in the TCP header, you have to make use of "--tcp-flags [mask] [flags]".

The [mask] argument is a list of flags separated by commas, which should be matched.
The [flags] argument is a list of flags that must be set, any flag listed in the [mask] argument, but not in the second, this means that the flag must be unset.

The possible flags are: SYN, ACK, FIN, RST, PSH and URG. ALL and NONE are also possible.

In this example, the SYN,ACK and FIN flags are the mask, and the SYN flag is the one that has to be set:
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN SYN -j ACCEPT

The mask can also be inverted, meaning that the ACK and FIN should be set, but not the SYN:
iptables -A FORWARD -p tcp --tcp-flags ! SYN,ACK,FIN SYN -j ACCEPT

Matching a particular TCP flag:
This is accomplished with the "--syn" flag, it is usefull because the SYN flag is the TCP start sequence also known as the "3 way handshake", explained in this picture:

iptables -A FORWARD -p tcp --syn -j ACCEPT iptables -A FORWARD -p tcp ! --syn -j ACCEPT

In this case i am going to explain some iptables features related with UDP. UDP (User Datagram Protocol) has the characteristic of being connectionless.

The packets format is this:
In this packet format can be seen that UDP has no flags like TCP. UDP cares only about the source and destination addresses.

In Iptables, udp is specified with the "-p udp" argument. Similar rules apply to udp than with TCP matching, negation and port ranges are allowed:

-sport (--source-port) 
--dport (--destination-port) 

This rule matches any UDP packet with source port of 161 (SNMP)
iptables -A INPUT -p udp --sport 161 -j ACCEPT

This rule logs all the packets with destination port with range from 161 to 180
iptables -A INPUT -p udp --dport 161:180 -j LOG

To learn more about UDP, see the RFS 768

10 most important Unix Security issues

1. Web Server. One of the places that an intruder is going to check first is for vulnerabilities in your Apache version and in you cgi-scripts.

2. Remote Procedure Calls. RPC Services should be down if they are not required, they allow a remote user to execute instructions in your computer; the intruder usualy gains root access this way.
3. SNMP (Simple Network Management Protocol). This protocol is known to have had its vulnerabilities and their password can be easily cracked and more easier captured from the network.
4. SSH (Secure Shell). SSH has been exploited before, if you do not need it then you can turn it off, or filter the source ip addresses with TCP Wrapper.

5. Remote Services (Trusted host). This was a setup in the machines based on the rely of other machines IP address, and leaved access without asking password. Their binaries are "rsh", "rcp", "rlogin" and "rexec". They exist and can be used also today, the attacked can do a party with your machine if they use a technique known as "ip spoofing".

6. FTP (File Transfer Protocol). Many vulnerabilities have been found in FTP, as exploits and protocol weaknesses, like clear text password transfer (resolved in SFTP).

7. LPD (Line Printer Daemon). This daemon is also remotely exploitable with help of an overflow and a shellcode, gaining root access if the server is running as root.

8. BIND/DNS (Dynamic Name Server). DNS Flooding, exploits and other attacks are available, if you are going to set up a DNS, use a firewall to filter any port that you do not want.

9. Sendmail. This mail transfer agent is known for its buffer overflows and remote exploits, though it has resolved its issues, always appears something new. It is recommended to use qmail.

10. Weak Password / No Passwords in the system. I do not need to explain this.

Many people that talk about security talk about a false sense of security that one can have in the cyberspace, i do not totaly agree with them, i see very often thay it is created a false sense of insecurity also. The items i have listed before create some sense of insecurity and alert; but do not worry, if you are going to run one of this critical services, just keep in mind:

* Use a well configured firewall (pay more attention to "well configured" than "firewall")
* Set up correctly an Intrusion Detection and Prevention System.
* Ask for help a security professional

How to do an secure tunel with ssh in Linux

You may know that ssh is a secure way to connect, remember those old days when telnet was used and the passwords just flew through the network and any person with a sniffer could capture it ?

With ssh you can create a secure connection from one point to anther, going through a middle point, like the figure shows:
The tunnel is an cyphered connection from A to B, and from B to C the connection is not cyphered (almost not by ssh that we are using). B acts as a gateway to C.
In A you would write:
$ ssh -g -L [port in A]:[C address]:[port in C] [b address]
Example of doing a tunnel to a webpage:
$ ssh -g -L

You would connect with your browser to
This would create a tunnel from A to B and B to gmail, this way nobody in A's network will be able to sniff the gmail traffic, only in B's network would that be possible.

Limit users access to Linux in a time range

In the cases when you want to limit the access to a Linux operating system in a time range, you would like to use pam_time was written by Andrew G. Morgan.

Take a look at /etc/security/time.conf

To limit for example ssh access from 23:00 PM and 08:00 AM.

The format of the file is:

the !Al means, anything except "All the days".

If you would like to permit people from 4 to 8 PM all the days, except root:

Further reading:man time.conf

Disable users from loggin into the server, except the administrator

In cases where you have to disable the login to all users,except root, for example when you have to do a backup, you have to use (man nologin).

1) Edit the pam file for the service you want to control, in this example i modify ssh pam control file, located in /etc/pam.d/sshd

Add this line
account required

2) Create the /etc/nologin file, just do "touch /etc/nologin"

This should disable the login from ssh. If you want to disable the login from terminal, modify the /etc/pam.d/login file.

3) To re-enable the login just remove /etc/nologin

How to control which files have been deleted and by who ?

 This is a hack you can use to control file deletion and know exactly who deleted a file.

The trick is to add into the /etc/profile file this script:

[walter@walter ~]$ rm () { echo `id` deleted the file $1 at `date` >> /tmp/.log; /bin/rm $1; }

The log file will show you this:

uid=500(walter) gid=500(walter) groups=500(walter) deleted the file test at Mon Nov 26 10:31:16 ART 2007 
To print also the hostname where the deletion has come from:
$ rm() { i=`tty | cut -d / -f 3,4`;host=`w | grep $i | awk '{print $3}'`;echo -e `id` deleted the file $1 at `date` comming from "$host\n" >> /tmp/.log;/bin/rm "$@";}
The output would be:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),503(devel) deleted the file at Tue Nov 27 15:09:14 ART 2007
The problem of this solution is that if the user is some curious, he could know about this "set" variable, and:

* Unset the variable
* Execute the binary calling it directly

So, if you need the best way, you will have to write a little C script that replaces the original "rm" binary and rename the original "rm" binary to "rm.orig". Now, the "rm" binary should log the deletion of the file and then execute the "rm.orig", obviously, changing the process name to "rm", so the user do not suspects.

Advantages of Linux over its commercial competitors

Linux is free.
You can install a complete Unix system at no expense other than the hardware.

Linux is fully customizable in all its components.
Thanks to the General Public License (GPL), you are allowed to freely read and modify the source code of the kernel and of all system programs.

Linux runs on low-end, cheap hardware platforms.
You can even build a network server using an old Intel 80386 system with 4 MB of RAM.

Linux is powerful.
Linux systems are very fast, since they fully exploit the features of the hardware components. The main Linux goal is efficiency, and indeed many design choices of commercial variants, like the STREAMS I/O subsystem, have been rejected by Linus because of their implied performance penalty.

Linux has a high standard for source code quality.
Linux systems are usually very stable; they have a very low failure rate and system maintenance time.

The Linux kernel can be very small and compact.
It is possible to fit both a kernel image and full root filesystem, including all fundamental system programs, on just one 1.4 MB floppy disk. As far as we know, none of the commercial Unix variants is able to boot from a single floppy disk.

Linux is highly compatible with many common operating systems.
It lets you directly mount filesystems for all versions of MS-DOS and MS Windows, SVR4, OS/2, Mac OS, Solaris, SunOS, NeXTSTEP, many BSD variants, and so on. Linux is also able to operate with many network layers, such as Ethernet (as well as Fast Ethernet and Gigabit Ethernet), Fiber Distributed Data Interface (FDDI), High Performance Parallel Interface (HIPPI), IBM's Token Ring, AT&T WaveLAN, and DEC RoamAbout DS. By using suitable libraries, Linux systems are even able to directly run programs written for other operating systems. For example, Linux is able to execute applications written for MS-DOS, MS Windows, SVR3 and R4, 4.4BSD, SCO Unix, XENIX, and others on the 80 x 86 platform.

Linux is well supported.
Believe it or not, it may be a lot easier to get patches and updates for Linux than for any other proprietary operating system. The answer to a problem often comes back within a few hours after sending a message to some newsgroup or mailing list. Moreover, drivers for Linux are usually available a few weeks after new hardware products have been introduced on the market. By contrast, hardware manufacturers release device drivers for only a few commercial operating systems — usually Microsoft's. Therefore, all commercial Unix variants run on a restricted subset of hardware components.

With an estimated installed base of several tens of millions, people who are used to certain features that are standard under other operating systems are starting to expect the same from Linux. In that regard, the demand on Linux developers is also increasing. Luckily, though, Linux has evolved under the close direction of Linus to accommodate the needs of the masses.