                               infosurge

 .------------------------------------------------------------.
 : Official Irc Channel  -> #phreak/AustNET (au.austnet.org)  :
 : Official Web Site     -> http://infosurge.wewt.net         :
 : Official Submissions  -> infosurge@wewt.net                :
 :                                                            :
 : issue #2: 01/02/2000                                       :
 .____________________________________________________________.

............................[ Table Of Contents ]...........................

[Intro ............................................................... phase5]
[Editorial ........................................................... phase5]
[News ................................................................ nobody]
[Getting Payphone Numbers cont.d ....................................... sour]
[Intro to php3 ....................................................... jestar]
[Firewalling your Linux Box .......................................... phase5]
[Address Resolution Protocol ........................................ ghengis]
[Introduction to SS7 ................................................. phase5]
[Basic Linux Security ................................................ phase5]
[Basic Perl .......................................................... bsdave]
[Outro ............................................................... phase5]
[Total ................................................. infosurge (78.4kb)]

.................................[ shouts ].................................

[ Shard ^jestar sour secroth ghengis lymco insane hanz3r wewted ]
[ Mista Eckz assass|n mage Red^Blade Excalibur ^OpTiX^ bsdave ]
[ wrath Niffum TheCzar Nailbomb saboteur tux galapogos01 x-circuit ]
[ void_ karn VortexV Digit_Illogic Phrost Byte Deicidal Rendrag ]

........[ Editorial ].................................[ phase5 ]............

Who would have thought a second issue would actually be published.
Not many I would wager but, believe it or not, infosurge is back. We're slowly cutting down on the number of scans and increasing our level of information. Not a lot has happened since number 1. We have moved the site around a fair bit as our old distro kept going down. We also have a new email addy. Thanks to wewted for letting us use wewt.net and Rendrag for providing hosting. Another issue is definitely planned after this one, however some submissions and feedback would be appreciated. I don't know how many times I saw this.

    [phase5@melchior ~] mail
    No mail for phase5

Heh. I wouldn't complain if someone sent in a good ascii logo. I have received a cool ansi one which is at the bottom of the zine. Well, that's enough from me. Enjoy the zine.

........[ News ]......................................[ nobody ]............

Seems once again there is no news. Now, there were some developments since the last issue, i.e. Telstra's reaction to the straw technique. However, it seems nobody actually managed to put it here. This section will probably be gone next issue if no news is sent in. Even a simple url will do.

........[ Getting Payphone Numbers cont.d ].............[ sour ]............

There is a bit of info left out from article one that I think should be stated. When inserting the cash into the so-called "PAY" phone, then dialing out 0016 000 000 or any others that you may receive the 3 digit code from, the woman may say "one O zero"; what she is trying to tell us is that the letter O should stay zero, and zero should be one. If you don't know what I'm on about then read the first issue dammit. When brute forcing your way into those two numbers, and you come across an engaged tone, it does not mean that it's the actual number; to test it either jump to the phone next to you if there is one, or mobile or whatever, and punch in those digits and verify it. If it's still engaged then continue scanning your way through whatever you may have left.
If there's some knob that lines up to use that phone that you're on and you don't want them round, then just hang up, pick up, and hold the hash key for a few secs (works with all payfones with an LCD screen, and I think that you can do it with any other buttons on the numpad). This will give you an Out Of Service once you hang up, and then tell the knob "Look mr knob. This payphone is like Out Of Your Service. I'm in line first and I want to use this phone for a long time so go off and find your own phone knob". Once that's over with, just pick up and continue your business.

Quick shouts to people from the StarBBS ages, phase5 for getting the mad scene back up, let's hope it will be as successful as the phrack zines, and the folks from #phreak (except p053553d of course).

sour ...

........[ intro to php3 ].............................[ jestar ]............

________________________________
What is it?

PHP is a newish server side scripting language for generating dynamic internet pages. It also contains built in support for a variety of different database servers, so your pages can be generated from information stored in a database. The main upside of it being server side is that the clients don't need to download any additional plugins/programs to view the sites created with php; to the end user they appear as standard html pages, just with the .php3 extension rather than the .html one. The scripts are written in a format very similar to perl scripts, which originally had their format borrowed (read: stolen) from c programming, so if you are familiar with any of these php will seem like second nature before long. But that's enough of me crapping on in the intro, it's time to get down and dirty with the classic "hello world" program!

_______________________________
Hello world, i'm php, pleased to meet you!

The staple initial example of every programming language ever made is the hello world example, and this is going to be no different.
But first you are going to need a few things, as follows:

 - A server with php support (either your own or someone else's)
 - A text editor
 - A brain (although optional for this example)

Ok, first things first. When you are creating your .php3 files they can be a hybrid of regular html and php scripting. The php sections in your code are enclosed in <?php ... ?> tags, or alternatively <script language="php"> ... </script> tags. Either should work, but <?php ... ?> is the easiest, and the one I use. If you find your code interfering with other server technologies you will have to use <script language="php">. Ok, now that that's out of the way, here is the code for the hello world example:

    <html>
    <head>
    <title>Hello world in php3</title>
    </head>
    <body>
    <?php echo("Hello world"); ?>
    </body>
    </html>

Ok, as you can probably tell from that code, the file is a hybrid of normal regular html and the php script. The only php thing there is the echo command, and it should be pretty obvious what the syntax is. The echo() function places whatever you pass to it into the html file when the php script is run. You can put anything you wish into the echo function but there are a few things to remember. If you want to use the " character within your echo function you will need to escape it first with the \ character. This probably sounds a bit confusing so I will try to explain. Say you wanted to use php to put an image on your page. The code you would expect to use is

    <?php echo("<img src="...">"); ?>

but if you were to run this script you would get massive glaring errors. The reason for this is that php reads the first " inside the img tag as the end of the echo string. This is where the escape character \ comes into play. It tells php that the following character is not part of the command. So remembering that, you can probably work out that the correct line would be

    <?php echo("<img src=\"...\">"); ?>

There are other escapes you can use to help format the html; the most often used one will be \n, which has the same effect as pressing enter when writing code (note that this only affects the generated code; if you wanted a newline on the page you would need to include a <br> tag
in the echo command). I guess that's about it for the first example. Sorry if it's a bit hard to follow, but if you read it through a few times and try out the example you should be alright. Next on the list is the if statement, and simple variables.

_______________________________________
Variables for me and you

In php there are 2 types of variable (well, two which you need to worry about this early on in the piece) and they are the variables generated by php, and the variables which you create and fill yourself. Let's start with the ones you create. In php, all variables are prefixed with the $ character followed by the name of the variable. So let's say you want to make a variable to hold a counter (there are a variety of reasons you may want to do this). You would initialise it like this:

    $counter = 0;

Now, this MUST be inside php tags, so the code for this is gonna be a bit beefier than the single line stuff you've seen so far. As it stands, just for setting up the variable the code would look like this:

    <?php
    $counter = 0;
    ?>

Simple, eh? Oh well then, because that was so simple I think we will expand this article to include the if function. It's the exact same syntax as c and perl, so if you know those this will be second nature to you. This is for the benefit of those who are completely new to it. The basic format of the if function is as follows:

    if (some test) {
        *this gets done if the test was true*
    }

So basically, it is a way of only having something happen if a certain test turns out to be true. The other part of the if statement is the else, which is added to the end as follows:

    if (some test) {
        *if it's true do this*
    } else {
        *otherwise do this*
    }

Time for a simple real world example of this. What will happen in this code is that a counter variable will be initialised to either true or false (you choose) and then a line will be printed depending on what the variable is. Here is the code:

And that's all it takes.
_____________________________________
Outtro

That's enough for this simple introduction. Have a play around with this and if you have the urge to learn further (and you should) check out the documentation at www.php.net and also the abundance of example and downloadable scripts both there and in the links sections.

Have fun
Jestar (c)2000

........[ Firewalling your Linux Box ]................[ phase5 ]............

In this text I will go over the basics of setting up a small firewall to protect your box. This will not go into things such as IP Masquerading or other advanced firewalling stuff. I will assume you're using ipchains as your firewalling software. This will come with your linux distribution. However, if you have a 2.0.* or 2.1.* kernel you will have ipfwadm instead. I will include commands for this as well, but I recommend upgrading your kernel, as ipfwadm is outdated and upgrading your kernel will provide other benefits besides ipchains. (note: ipchains itself is on the way out, with the latest 2.3.* kernels using Network Packet Filtering). Since I'm not in the mood to write a lot and I doubt you want to read a lot, I will explain things mostly using examples. ipfwadm stuff will be at the very end when we put all this shit together.

For this article we will have the interfaces lo, ppp0 and ppp1. lo is the local interface and ppp0 + ppp1 will be your dialup net connection (2 dialup lines). Now, the basic syntax of ipchains is:

    ipchains -A type -j policy options

For the purposes of this text, type can be: input, output and forward, while policy can be: ACCEPT, DENY and REJECT. For those who don't know, I will go over what each one of those is. Input refers to packets entering your machine. Output refers to packets leaving your machine. Forward refers to packets with a destination other than your box. ACCEPT means let the packet through. DENY means drop the packet. REJECT means drop the packet but send an icmp packet back telling the source the packet was dropped.
First thing to do is to clear out any existing rules. This ensures you have a clean firewall ruleset to work with. Clearing the ruleset is done as such:

    ipchains -F input
    ipchains -F output
    ipchains -F forward

The option -F means Flush. This will flush the rules for input, output and forward. Next step would be to allow yourself access.

    ipchains -A input -j ACCEPT -s 0/0 -d 0/0 -i lo

Ok. Simply, what that does is append a new rule to the ruleset which allows all traffic from any source to any destination which arrives on the interface lo. lo, of course, is you. The -i option allows you to specify an interface for the incoming packets. From this you should get the basic idea of using ipchains. Now, let's block off some stuff. The next rule will stop people spoofing your address to get past your firewall and generally do some nasty stuff.

    ipchains -A input -j DENY -s 127.0/8 -d 0/0 -i ppp+ -l

Basically any packet coming in on an outside interface (ppp+ means anything starting with ppp, such as ppp0, ppp1, etc) with a source address in the loopback range (127.0/8), which could only legitimately arrive on lo, is denied. The -l option at the end means turn on packet logging. This will write an entry to /var/log/messages with various information about the packet, such as source and destination ips. Next up is to stop icmp traffic.

    ipchains -A input -p icmp -j DENY -s 0/0 8 -d 0/0 -l

Ok, several new options here. -p specifies protocol. It can be tcp, udp, icmp or all. The 8 after -s 0/0 means icmp type 8, which is echo request, so this rule stops people pinging you. Now you may wish to block and log some trouble ports. These are ports that may indicate someone is attempting to DoS you or scan/penetrate your system.
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 21 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 23 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 25 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 79 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 139 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 143 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 1080 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 6000 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 12345 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 31337 -l

That's some basic stuff to be blocked. A port number after an address only makes sense with -p tcp or -p udp; with -p icmp the number is read as an icmp type/code instead. These rules will block: ftp, telnet, smtp, finger, netbios, imap, socks, X11, netbus and Back Orifice. They will also create a syslog entry, as logging (-l) has been enabled. You can add or remove ports as you want. One last thing you might want to do is this:

    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 -y

This will deny all incoming TCP connection attempts. The -y option matches only packets with just the SYN flag set, i.e. the first packet of a new connection, which is why it needs -p tcp. Connections you establish yourself still work, because the replies coming back to you are not SYN-only and so don't match this rule. Now you've got a basic understanding of ipchains, the next step is to put all these rules together into a .sh file and have it executed at boot time. Remember that rules will be looked at in order of entry and as soon as a matching rule is found it will stop, so rule placement order is important.
Here is the shell script:

    #!/bin/bash
    #
    # Firewall Ruleset
    #
    # Start from a clean ruleset
    ipchains -F input
    ipchains -F output
    ipchains -F forward
    # Allow local interface
    ipchains -A input -j ACCEPT -s 0/0 -d 0/0 -i lo
    # Block and log spoofed packets
    ipchains -A input -j DENY -s 127.0/8 -d 0/0 -i ppp+ -l
    # Block ICMP (type 8, echo request)
    ipchains -A input -p icmp -j DENY -s 0/0 8 -d 0/0 -l
    # Block and log ports (ftp,telnet,smtp,finger,netbios,imap,socks,X11,netbus,BO)
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 21 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 23 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 25 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 79 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 139 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 143 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 1080 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 6000 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 12345 -l
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 31337 -l
    # Block ALL incoming TCP connection attempts (SYN only)
    ipchains -A input -p tcp -j DENY -s 0/0 -d 0/0 -y
    # eof

and the ipfwadm version:

    #!/bin/bash
    #
    # Firewall Ruleset (ipfwadm)
    #
    # Start from a clean input ruleset
    ipfwadm -I -f
    # Allow local interface
    ipfwadm -I -a ACCEPT -S 0/0 -D 0/0 -W lo
    # Block and log spoofed packets
    ipfwadm -I -a DENY -S 127.0/8 -D 0/0 -W ppp+ -o
    # Block ICMP (type 8, echo request)
    ipfwadm -I -P icmp -a DENY -S 0/0 8 -D 0/0 -o
    # Block and log ports (ftp,telnet,smtp,finger,netbios,imap,socks,X11,netbus,BO)
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 21 -o
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 23 -o
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 25 -o
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 79 -o
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 139 -o
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 143 -o
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 1080 -o
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 6000 -o
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 12345 -o
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 31337 -o
    # Block ALL incoming TCP connection attempts (SYN only)
    ipfwadm -I -P tcp -a DENY -S 0/0 -D 0/0 -y
    # eof

Save it and make it executable. Now add a line to your /etc/rc.d/rc.local to call it. This will ensure it is started every boot. That ends this basic article. For further information on ipchains and firewalling read the following manpages: ipchains(8) and ipfw(4).

.eof.
........[ Address Resolution Protocol ]..............[ ghengis ]............

****************************************************************
* [topic;]                                                     *
* [author;]                                                    *
* [web;]                                                       *
****************************************************************

This document is meant to be an introduction to the ARP protocol. It assumes that you are somewhat familiar with TCP/IP networking.

On the Link Layer of the 7-Layer OSI Network Model, you'll find ARP, standing by itself off in a corner. This seemingly out-of-the-way protocol is actually essential for most network communication to take place, as it translates logical addresses (in this case, IP) to hardware addresses. ARP stands for Address Resolution Protocol, and for this document we'll speak of ARP as it applies to a standard IPv4 TCP/IP network.

ARP is responsible for resolving the 48-bit ethernet address associated with a 32-bit IP address. Your ethernet card doesn't care, nor does it even know, what its IP address is. It just has a 48-bit address assigned to it, most often hard coded into the firmware. Your IP address, however, can change any time, while your ethernet address stays the same. Hence, your IP-based network needs to know how to find which machine to send its IP packets to. ARP is the way.

Let's say for this document your ethernet card has a hardware address of 00:00:2b:04:a9:11 and your IP address is 192.168.1.1, and you are on a class C network. When a machine on the network wants to initiate an IP-based connection, it first needs to find out the hardware address of the remote machine. ARP steps in and sends an ARP REQUEST, asking the network who has the IP address it's looking for. Let's say you are trying to connect to 192.168.1.2. Running tcpdump you might see this:

    00:00:2b:04:a9:11 ff:ff:ff:ff:ff:ff arp 60: arp who-has 192.168.1.2 tell 192.168.1.1

Let's look at this packet. The first section is our hardware address. The second section is the broadcast hardware address of the network.
This packet is sent to every machine listening, asking each where this IP is. The third identifies the packet as being an ARP packet. The fourth is the size of the ethernet frame, padded to its minimum 60 bytes. The rest is fairly straightforward, asking "Which machine on this network has 192.168.1.2 assigned to them? Please tell 192.168.1.1 your hardware address."

Now let's look at what this packet looks like on the network.

    Ethernet Header
    .-------------------------------.
    |Ethernet Dst|Ethernet Src|Frame|
    |  Address   |  Address   |Type |
    |            |            |     |
    `-------------------------------'
       6 bytes      6 bytes   2 bytes

    ARP Request / Reply
    .--------------------------------------------------------------.
    | Hard|Prot|Hard|Prot|Op|Sender Eth|Sender|Target Eth|Target IP|
    | Type|Type|Size|Size|  | Address  |  IP  | Address  | Address |
    |     |    |    |    |  |          |      |          |         |
    `--------------------------------------------------------------'
       2    2    1    1   2      6       4        6          4

The numbers below the fields represent the number of bytes in the field. This ARP request is 28 bytes in length. The Ethernet header contains the 48-bit ethernet address of the sender and the recipient, in this case the recipient being the broadcast address. The 2-byte Frame Type field specifies that this is an ARP request or reply with the value 0x0806.

The Hardware Type and Protocol Type fields specify the type of hardware address and type of protocol address, respectively. This would be a 1 for ethernet in this case, and 0x0800 for IP addresses, again respectively. Hard Size and Prot Size are related information, containing the size of the hardware address and protocol address contained in the following fields. In this case we have a 48-bit ethernet address (6 bytes) and a 32-bit IP address (4 bytes).

The OP field specifies what type of service this packet is. It can be any of the following:

    1 - ARP Request
    2 - ARP Reply
    3 - RARP Request (Reverse ARP, not covered in this article)
    4 - RARP Reply

For now assume Reverse ARP is a machine asking other machines for its own IP.
Since this field is a request, the target ethernet address is not included, as that is the information we are looking for. When the remote host receives the broadcast request, it recognizes the IP as being its own, and replies:

    00:00:4b:2a:01:04 00:00:2b:04:a9:11 arp 60: arp reply 192.168.1.2 is-at 00:00:4b:2a:01:04

When the machine requesting the information gets this packet, it can now open the connection to the remote machine. This entire process on a 10Mbit network may take about 3ms. The packet sent back is formatted like the first packet, with different values in the fields.

    1. The Ethernet header is formed with its own information.
    2. The OP type is changed to 2, ARP reply.
    3. The source and destination fields are completed with the information as expected, i.e. its own IP and hardware addresses.
    4. The packet contains the hardware address of the machine with the IP address originally asked for in the request.

But what about machines on other networks accessed through gateways? Well, ARP requests will not be made for machines not located on the local network. Instead, packets will be forwarded to a next-hop router (gateway) for delivery to another network.

I hope you learned something reading this article. Next issue, we should be talking about RARP, ProxyARP, ARP caching, and Gratuitous ARP. If you are interested in learning more about ARP or any protocols in the TCP/IP family, I highly recommend W. Richard Stevens' TCP/IP Illustrated Volume 1. This book covers many topics of TCP/IP networking in great detail, belongs next to the bed at night, and was used for reference while writing this article. Also I recommend running tcpdump on your network often and watching what's going on. This is a good way to get a preliminary look into what's really going on when that light on the hub is blinking.
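As an added example (not part of ghengis' article), here is a small Python decoder for the frame layout drawn above: it checks the Frame Type, hardware/protocol types and sizes, pulls out the 28-byte ARP body and renders it the way tcpdump prints it. The two frames are constructed to match the request and reply shown in the article; they are not real captures.

```python
import struct
from dataclasses import dataclass

# Field values as described in the article.
ETHERTYPE_ARP = 0x0806    # Frame Type for an ARP request or reply
HTYPE_ETHERNET = 1        # Hardware Type: ethernet
PTYPE_IPV4 = 0x0800       # Protocol Type: IP
ARP_BODY_LEN = 28         # 2+2+1+1+2+6+4+6+4 bytes
OPCODES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply"}


@dataclass
class ArpPacket:
    dst_mac: str
    src_mac: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def is_arp_frame(frame: bytes) -> bool:
    """True if the 2-byte Frame Type after the two ethernet addresses is 0x0806."""
    return len(frame) >= 14 and frame[12:14] == ETHERTYPE_ARP.to_bytes(2, "big")


def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Decode a raw ethernet frame carrying ARP.

    Layout: 6-byte dst, 6-byte src, 2-byte Frame Type, then the 28-byte ARP
    body. Anything after the body is the padding that brings short frames up
    to the 60-byte ethernet minimum, so it is ignored.
    """
    if len(frame) < 14 + ARP_BODY_LEN:
        raise ValueError("frame too short for an ethernet header plus ARP body")
    dst, src, ftype = struct.unpack("!6s6sH", frame[:14])
    if ftype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: frame type 0x{ftype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an ethernet/IPv4 ARP packet")
    if op not in OPCODES:
        raise ValueError(f"unknown ARP op {op}")
    body = frame[22:14 + ARP_BODY_LEN]
    return ArpPacket(_mac(dst), _mac(src), op,
                     _mac(body[0:6]), _ip(body[6:10]),
                     _mac(body[10:16]), _ip(body[16:20]))


def tcpdump_line(pkt: ArpPacket, frame_len: int) -> str:
    """Render a decoded packet in the form the article's tcpdump output uses."""
    head = f"{pkt.src_mac} {pkt.dst_mac} arp {frame_len}: arp "
    if pkt.op == 1:
        return head + f"who-has {pkt.target_ip} tell {pkt.sender_ip}"
    if pkt.op == 2:
        return head + f"reply {pkt.sender_ip} is-at {pkt.sender_mac}"
    return head + OPCODES[pkt.op]


# Constructed frames matching the request and reply printed in the article
# (not real captures). Each is padded with zeros to the 60-byte minimum.
REQUEST_FRAME = bytes.fromhex(
    "ffffffffffff"                  # ethernet dst: broadcast
    "00002b04a911"                  # ethernet src: our card
    "0806"                          # Frame Type: ARP
    "0001" "0800" "06" "04" "0001"  # htype, ptype, hlen, plen, op = request
    "00002b04a911" "c0a80101"       # sender hw address, sender IP 192.168.1.1
    "000000000000" "c0a80102"       # target hw address unknown, target IP 192.168.1.2
    + "00" * 18                     # padding
)
REPLY_FRAME = bytes.fromhex(
    "00002b04a911" "00004b2a0104" "0806"
    "0001" "0800" "06" "04" "0002"  # op = reply
    "00004b2a0104" "c0a80102"       # sender: 192.168.1.2 and its hw address
    "00002b04a911" "c0a80101"       # target: the requester
    + "00" * 18
)

if __name__ == "__main__":
    for frame in (REQUEST_FRAME, REPLY_FRAME):
        print(tcpdump_line(parse_arp_frame(frame), len(frame)))
```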
****************************************************************
* [topic;]                                                     *
* [author;]                                                    *
* [web;]                                                       *
****************************************************************

For this article, let's use the following network map (I suck at ascii drawings). Assume the machines on the top are using a Class C netmask of 255.255.255.0, and that the machines on the bottom are on an 8-IP subnet in the same class C network, using a netmask of 255.255.255.248.

       10.10.10.1        10.10.10.2        10.10.10.3
      ____________      ____________      _____________
     |            |    |            |    |             |
     |  illusion  |    |  oblivion  |    |    abyss    |
     |____________|    |____________|    |_____________|
           |                 |                 |
    ethernet
    ---------------------------------------------------------------------------
                                  |
                          ________|________
                         |   Cisco 2514    |
                         |      cube       |
                         |  10.10.10.253   |
                         |_________________|
                                  |
                                  |  <-- serial dial-up
                                  |      has ip 10.10.10.250
                            ______|______
                           |             |
                           |   cirrus    |
                           |_____________|
                             10.10.10.201
    ethernet                      |
    ---------------------------------------------------------------------------
                            ______|_____
                           |            |
                           |   pulsar   |  10.10.10.202
                           |____________|

I) Proxy ARP

Proxy ARP is an implementation of ARP on a machine that allows it to answer ARP requests on one network for machines on another one of its networks. We'll start off like this. Wayne wants to dial in to his corporate network and have access to all of the machines. Wayne has a few machines at home, so he sets himself up an 8-IP netblock (10.10.10.200-208) at work, then goes home and dials into work. The modem at work picks up and establishes a connection, giving an IP address to his machine, we'll say 10.10.10.250. The router at work has been configured to route requests for Wayne's network to Wayne via his dial-up interface. But the other machines on the network don't know that his machine isn't on the local network. As far as the other machines are concerned, his subnet is still covered by their netmask, hence on their local network.
So if Illusion needs to send a packet to Pulsar, Illusion is going to look at Pulsar's IP address, consider Pulsar to be on the local network, and make an ARP request. Pulsar doesn't get that ARP request. This is where Proxy ARP comes in. The Cisco router (Cube) is going to get that ARP request, and notice that the IP in question is an IP connected to one of its serial ports. Cube is going to respond and say that Pulsar is located at its own hardware address. Illusion will then start sending packets to Cube, and Cube will forward them to Pulsar. This operation is totally transparent to Illusion. As far as it's concerned, Pulsar is sitting next to it on the wire talking back and forth.

Gory details? No problem. Illusion sends an ARP request looking for Pulsar.

    0:0:b4:03:F2:02 FF:FF:FF:FF:FF:FF ARP 60: arp who-has 10.10.10.202 tell 10.10.10.1

Cube gets the ARP request and responds with its own HW address.

    0:0:0c:3b:a3:4e 0:0:b4:03:F2:02 ARP 60: arp reply 10.10.10.202 is-at 0:0:0c:3b:a3:4e

Then Illusion starts sending packets to Cube, and Cube forwards them to Pulsar. If you were to then view the ARP table on Illusion, you would find that Pulsar and Cube both share the same hardware address.

II) Gratuitous ARP

A very important feature of ARP is Gratuitous ARP. Seemingly minor, Gratuitous ARP is essential for several reasons. It happens when a machine asks the network for its own IP address, hence:

    0:0:B4:03:F2:02 FF:FF:FF:FF:FF:FF ARP 60: arp who-has 10.10.10.1 tell 10.10.10.1

This accomplishes several things. One being that if there is another machine on the network that has the same IP, it will respond back saying so, and alert the user that there is a duplicate IP on the network. There is another situation. One feature of ARP is that it will automatically update its ARP cache if it receives a broadcast ARP request from a machine that already has an entry in its ARP table.
More specifically, say you down one interface on a machine, put your ethernet cable into another card, and up that interface. When that interface comes up, the first ARP broadcast it sends will automatically update the arp caches of the machines on the local network with its new hardware address. Same IP, different hardware address, because it's a different ethernet card. Now, the rest of the machines will start sending data to that hardware address instead of the previous one. That's kind of neat, now isn't it? If you send an ARP request with an IP attached to it in the "tell" field, the rest of the machines on the network will automatically assume you are that IP and send you packets. But of course they will! That's what ARP does! Resolves IP addresses to hardware addresses.

Now we get to the part where ARP starts to cause trouble. How, you ask? Well, the last paragraph back there should give you some ideas. Here's some questions:

* What would happen if you wrote a program that replied to every ARP broadcast with its own hardware address?

A few things. If you wrote a program that replied to every ARP broadcast with your IP, you'd have machines on the network (especially Windows machines, whoo boy) confused about who's the Real McCoy. If your entry was the latest in a machine's ARP cache, you would get packets destined for the machine whose identity you have assumed. Considering this is local ethernet, you'd get the packets anyway, but they'd have the other machine's IP plastered onto your ethernet address. This would cause all sorts of problems as the machines fought about who's who. This is one style of a Denial of Service attack, however it's not very efficient.

* How can I use ARP to hijack someone's TCP/IP session?

Say Illusion was talking to Abyss with a telnet session, and you wanted to assume Illusion's place in the conversation. You are currently using Oblivion.
You could write a program to hijack the connection by somehow (network congestion, crashing Illusion somehow, unplugging it, whatever) getting Illusion off of the network, and assuming its identity by using ARP to tell Abyss that Illusion's IP is now located on Oblivion's hardware address. Abyss can pick up right where it left off and send the next waiting packet, which your program has already been ready to receive. You are now talking to Abyss via telnet, and the upper-layer protocols never missed a beat. This is not a very technical description of session hijacking. I'm aiming this article at people that aren't extremely familiar with the concept.

* How can I use ARP as a Denial of Service attack?

One way to use ARP as a DoS attack is to respond to gratuitous ARP requests with any hardware address. Since gratuitous ARP is often sent at bootstrap time, attacking this can cause a variety of problems. Windows NT machines have been known to pop up a dialog box saying "Windows has detected a duplicate IP address at HW address: #:#:#:#:#:#. The interface has been disabled.". NT then proceeds to down the interface until it is brought back up by hand, and the interface sometimes can not be brought back up as long as there is another machine on the network with the same IP. This has happened to me personally before, however since it was years ago I'm not sure what version of NT it was, besides that it was 4.0, that this occurred on (Service Packs, etc). Try giving your UNIX machine an IP that's the same as your NT machine, boot your NT machine and check what happens.

* How secure is ARP?

ARP is about as secure as crotchless underwear on a glass floor. There is no security involved with ARP directly besides ethernet switching (or "Smart Hubs"), which helps prevent sniffing and other problems by knowing what hardware address is coming in on what port on the switch. If you have access to broadcast ARP, you can cause damage to your local ethernet. ARP wasn't designed to be secure.
It's a trusted protocol, stateless in design. There is no connected status, it's just broadcast packets and one-packet replies. There's no authentication involved.

This is just an introduction to ARP. ARP is a fundamental protocol on networks today. Mapping logical addresses to physical addresses is essential with the protocols we use. As more and more people get onto the internet, and we start to lean towards IPv6, we should be seeing some changes come along in major protocols, ARP included. Steps have been taken to keep ARP in check, such as switching. These steps are necessary to keep co-location facilities, ISPs, and businesses' communications a bit more secure. If everyone at a co-location facility was on a big hub, collisions, sniffing and IP spoofing would be a bigger problem. Plugging everyone into a different interface on a router would get expensive, so switching is the way to go.

****************************************************************
* [topic;]                                                     *
* [author;]                                                    *
* [web;]                                                       *
****************************************************************

***************************

(Note: For all these examples, there are no switches, smart hubs, etc., implemented on the network in question.)

(Note 2: If you wish to actually do some of what you see here, I suggest grabbing a copy of send_arp, an ARP forging application that's been floating around the net, and which I've modified a bit. It should be on www.sysfail.org soon after this article is published. If not, e-mail me.)

Situation 1:

You are on an ethernet at a small office. Another employee has picked up a copy of 2600 from the local Barnes and Noble. After spending 3 days OCRing code out of the book, he has managed to compile a copy of teardrop on the only Linux box at the office (the dial-up server, "RAS"). He thinks it's really funny to crash the unpatched print server all day whenever you need to queue up some invoices.
Knowing that he's telnetting into the machine and logging in as root, and also knowing that his machine is the only machine in the office that has access to do that, you figure it would be just keen to somehow trick the server into thinking that you are coming from Joe's machine.

Situation 1 Low-Down: We need to spoof a connection from "joe" to "server", and we are on "tom". We need to not take "joe" off the network or cause any funny messages to pop up on the screen.

Here's our network layout:

Full Class C: 192.168.0.x    Netmask: 255.255.255.0
------------------------------------------------------------------------------
       |                |                |                |
       *                *                *                *
    Printer           Server            Tom              Joe
  192.168.0.5      192.168.0.1      192.168.0.2      192.168.0.3
                     (Linux)          (Linux)         (Windows)
                  (0:0:0:0:0:01)   (0:0:0:0:0:02)   (0:0:0:0:0:03)

You have made the intelligent choice to install Linux on your other drive on "tom". Your network is working fine, and you can communicate with all your other machines. Somehow, you need to make "server" think that you are telnetting to it from "joe". You've already sniffed the unencrypted root password "hork" from the local ethernet.

Let's take a look at what happens when joe telnets to server.

****
0:0:0:0:0:03 ff:ff:ff:ff:ff:ff 0806 42 arp who-has 192.168.0.1 tell 192.168.0.3
0:0:0:0:0:01 0:0:0:0:0:03 0806 60 arp reply 192.168.0.1 is-at 0:0:0:0:0:01
0:0:0:0:0:03 0:0:0:0:0:01 0800 62: 192.168.0.3.1029 > 192.168.0.1.23: S 21441998:21441998(0) win 8192 (DF) (ttl 128, id 32010)
0:0:0:0:0:01 0:0:0:0:0:03 0800 58: 192.168.0.1.23 > 192.168.0.3.1029: S 2811556923:2811556923(0) ack 2144199 win 32736 (ttl 64, id 175)
***

What we have here are four separate packets initializing a telnet session.

First packet:  ARP request: get HW address of IP to connect to
Second packet: ARP reply: Here's the hardware address requested from "server"
Third packet:  I want to telnet to you, you listening?
Fourth packet: Sure thing bro, acking your port 23 request, let's go.
We're not concerned about the latter two packets, just the first two: the ARP request/reply pair. If we can somehow convince server that it wants to send packets destined for "joe" to "tom", we're in business. Sounds easy enough, and in a way that's true. But there are several obstacles to overcome.

You might say, "let's just assume the IP address of joe." That won't work. You'll have two machines responding to the same IP address, and you really don't want that. You don't want a message on either box complaining that there's duplicate IPs on the network either.

When your machine sees a packet go by, it checks the hardware address stamped on the ethernet packet header. If it's not a match, the packet isn't for us, and we don't care about it. More specifically, the device driver never looks at the destination IP, just the HW address (of course, there are exceptions where some drivers dig more into the packet for various purposes). This can be taken advantage of in numerous ways, and for ARP attacks, it can really come in handy.

If we ifconfig up an interface on "tom" with the IP address of "joe", and tell "server" that "joe"'s IP address is located at "tom"'s hardware address, then server should send packets destined for "joe" to "tom", and it will also accept packets from "tom" thinking that it's "joe", bypassing the IP-based security implemented on "server". Ok. Read that again.

* We tell SERVER that the IP address of JOE is really located at the HARDWARE ADDRESS of TOM.

Function: Packets from SERVER to JOE will be encapsulated on the ethernet with headers sending them to TOM instead of JOE (instead of the header including the ethernet address of JOE, it will have TOM's address instead. This means JOE will ignore the packet while TOM will receive it. SERVER will not know that TOM isn't JOE, because TOM is talking with JOE's IP).

How: We send a hand-crafted ARP packet (reply specifically; it can be a request, but we'll get into that another time).
The packet would look like this on the wire:

0:0:0:0:0:02 0:0:0:0:0:01 0806 60 arp reply 192.168.0.3 is-at 0:0:0:0:0:02
TOM          SERVER       ARPREPLY      IP OF JOE   HWA OF TOM

Now, if you try to telnet to SERVER from TOM, you should be able to connect, and it will allow you to log in as root. But wait! We lit up a message on the Windows box on Joe's desk saying that there's an IP address conflict on the network! Busted!

There are several things you must take into account:

1) You need to "ifconfig -arp eth:" and set up static ARP entries and routes when you do this. You don't want that interface speaking ARP to anyone unless you make it, but you need it to know where to send packets.

2) Doing this *during* an existing session between JOE and SERVER will cause that connection to drop, unless you work fast.

3) You need to be constantly sending poison ARP to SERVER *and* JOE during your attack. As long as you keep telling both machines where to find (er, where you WANT them to find) each other, they won't *ask*. And the less they ask, the better.

Situation 2: I want to hijack joe's session to server. How can this be done using ARP as a tool?

First off, remember what we said about accidentally cutting off Joe's session earlier? Well now that's exactly what we want to do. During a conversation between JOE and SERVER, you inject poison ARP, telling SERVER that you're JOE, and telling JOE that SERVER is the printer or something. Then, you proceed to send a flood of spoofed ACKs to the SERVER, pushing the sequence numbers out of JOE's acceptable window, and by the time JOE finds out what happened, you've already got his end of the connection, and SERVER hasn't even noticed anything funny (I'm not going to cover the insides of TCP sequence numbers today, that's another article. :) ).

How this happens:

* JOE is talking to SERVER
* TOM assumes JOE's IP address.
* TOM sends out an ARP reply unicast to JOE saying SERVER is-at 0:3:1:3:3:7 or something, then immediately sends a packet to SERVER saying that JOE is-at 0:0:0:0:0:2 (tom's real HW address)
* To be on the safe side, you push the sequence numbers of the session way out of JOE's acceptable range.
* JOE is a Windows box and doesn't know what the hell is going on. He's just sending packets looking for SERVER and probably grinding the hard drive or showing a little animated paperclip that says "Click here to learn more about session hijacking" which just points to a broken link on microsoft.com.
* Meanwhile, TOM is re-synching the connection to SERVER, and as far as SERVER is concerned, the connection was just broken for a moment, and now is better, and will gladly talk to TOM in the place of JOE, considering that the IP is right and that TOM's HW address maps to that IP in the arp table on SERVER.
* JOE is still a Windows box and at this point Windows telnet will bring up a message like "Lost Connection" and probably lock up telnet because it's so poorly coded and has no emulation and... anyway....
* TOM has full control over the connection and SERVER couldn't be happier about it. JOE just sits there and plays a neat screen saver and grinds the hard drive every couple minutes.

I will probably be writing an article specifically on this topic, as I'm not going to cover this more specifically in the scope of this article.

Situation 3: I just picked up 2600 at Barnes and Noble. I want to be a hacker. My 6th grade computer teacher is a real dork and I want to make the network not work right n stuff. I tried mashed potatoes in the power outlets but I got in trouble. What can I do?

Well, good news for you. ARP can cause all sorts of problems on a network. If you haven't figured out how this is possible yet, I'm not sure what to tell you; read the article again and maybe you'll think of a way you could make computers on a network not able to talk to each other using ARP.
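The flip side of everything above is how an admin on the wire would notice it. The article's own packet dumps give you what you need: every poison reply is either unsolicited (nobody sent a who-has for that IP) or moves an IP to a different hardware address than the one it was bound to a moment ago. The following is an added example (not part of the article, and not send_arp or any other tool the author mentions) that reads tcpdump-style ARP lines in the exact format shown above, keeps an IP-to-MAC table, and raises an alert on both conditions. The three-line sample trace is constructed from the article's Situation 1 frames; the reply format and the MAC/IP values are taken from the article, everything else is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample trace in the tcpdump style the article uses. The first two
# frames are Joe's legitimate ARP exchange with the server; the third is the
# unsolicited reply from the article that moves Joe's IP onto Tom's MAC.
SAMPLE_TRACE = """\
0:0:0:0:0:03 ff:ff:ff:ff:ff:ff 0806 42 arp who-has 192.168.0.1 tell 192.168.0.3
0:0:0:0:0:01 0:0:0:0:0:03 0806 60 arp reply 192.168.0.1 is-at 0:0:0:0:0:01
0:0:0:0:0:02 0:0:0:0:0:01 0806 60 arp reply 192.168.0.3 is-at 0:0:0:0:0:02
"""

REQUEST = re.compile(r"^(\S+) (\S+) 0806 \d+ arp who-has (\S+) tell (\S+)$")
REPLY = re.compile(r"^(\S+) (\S+) 0806 \d+ arp reply (\S+) is-at (\S+)$")


@dataclass
class ArpMonitor:
    """Tracks IP -> MAC bindings seen on the wire and flags suspicious replies."""
    bindings: Dict[str, str] = field(default_factory=dict)  # ip -> mac
    pending: Set[str] = field(default_factory=set)          # ips someone asked for
    alerts: List[str] = field(default_factory=list)

    def _learn(self, ip: str, mac: str, how: str) -> None:
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"{ip} moved from {known} to {mac} ({how})")
        self.bindings[ip] = mac

    def feed(self, line: str) -> None:
        line = line.strip()
        m = REQUEST.match(line)
        if m:
            src_mac, _dst, target_ip, sender_ip = m.groups()
            self.pending.add(target_ip)
            # The requester reveals its own binding in the "tell" field.
            self._learn(sender_ip, src_mac, "request")
            return
        m = REPLY.match(line)
        if not m:
            return  # not an ARP frame we understand; ignore
        src_mac, _dst, ip, claimed_mac = m.groups()
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            # A reply nobody asked for is the signature of a poison packet.
            self.alerts.append(f"unsolicited reply: {ip} is-at {claimed_mac} from {src_mac}")
        if src_mac != claimed_mac:
            self.alerts.append(f"reply for {ip} claims {claimed_mac} but came from {src_mac}")
        self._learn(ip, claimed_mac, "reply")


def scan_trace(trace: str) -> ArpMonitor:
    """Feed every line of a capture through the monitor and return it."""
    mon = ArpMonitor()
    for line in trace.splitlines():
        if line.strip():
            mon.feed(line)
    return mon


if __name__ == "__main__":
    result = scan_trace(SAMPLE_TRACE)
    for alert in result.alerts:
        print("ALERT:", alert)
```

Run against the sample the monitor learns 192.168.0.3 from Joe's own request, accepts the server's answer because a who-has preceded it, and then raises two alerts on the third frame: unsolicited, and a binding change from 0:0:0:0:0:03 to 0:0:0:0:0:02. The point 1) above (static ARP entries on the attacker's box) cuts both ways: static entries for the gateway and other important hosts on the boxes you care about mean a poison reply for those addresses is simply ignored.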
I hope you enjoyed, and should you have any questions, email me.

References:

I.  "TCP/IP Illustrated, Volume 1: The Protocols" W. Richard Stevens, January 1994. (Addison-Wesley Professional Computing Series). ISBN: 0201633469
II. "Playing redir games with ARP and ICMP" MESSAGE THREAD: document sections reviewed were authored by Yuri Volobuev

........[ Introduction to SS7 ].......................[ phase5 ]............

. Intro
. What is Signaling
. What is SS7
. Basic Signaling with SS7
. Associated Signaling
. North American Signaling
. SS7 signaling links
. An example phone call over SS7
. Layers of the SS7 Protocol
. Acronyms Summary
. Outro

Intro
-------

In this article I will go over the basics of SS7. Due to the lack of technical phreaking information being written I will keep this simple and hopefully encourage other phreaks to go learn about the PSTN. This article will only be in relation to the PSTN and so if definitions or concepts appear limited in scope it is because they only refer to components of the PSTN.

What is Signaling
-------------------

Signaling is the exchange of information between components of the PSTN needed to provide and maintain service. There are two types of signaling, in-band and out-of-band. In-band signaling is sent over the same line as is used for the call, ie the voice circuit. For example, getting a dialtone, dialing digits, etc are all in-band signaling. In-band signaling is done through the use of MF tones. This is what allowed the bluebox to work, emulating the phone company's MF tones and sending them down the phone line, as the voice line was also used for signaling. Out-of-band signaling is when signaling information is sent over a separate line. All signaling information is sent over this line, which is called a signaling link. Out-of-band has various advantages over in-band signaling, including faster transmission speeds (56kps), allowing signaling at any time during a call, and other features.
What is SS7
------------

SS7 stands for Signaling System 7. It is a signaling system that utilises out-of-band signaling and high speed packet data. SS7 is a packet-switched system as opposed to a circuit switched system. Packet switching is far more efficient than circuit switching. Circuit switching is 50% efficient. When one person talks and the other listens, the line is only 50% in use. In packet switching the packets are stored until a certain amount is reached and then sent. This makes it 100% efficient.

Basic Signaling with SS7
-------------------------

There are two types of signaling networks with SS7. These are known as Associated Signaling and North American Signaling.

Associated Signaling
--------------------

For a basic SS7 setup, the signaling network would look similar to this.

.-----.  --------------------  .-----.
|     |  --------------------  |     |
|  A  |  --------------------  |  B  |
._____.  ....................  ._____.

In this ascii diagram A and B represent two switches. The dashed lines are voice lines while the dotted line shows the signaling link. For call setup and maintenance this setup is fairly efficient. All signaling requirements between switch A and B would use this signaling link. This form of signaling is still used in many places.

North American Signaling
------------------------

The Americans decided that they wanted to be complex. They wanted a signaling system where any switch could signal to any other switch without a direct signaling link. Thus, the North American Signaling Architecture was born. This network is comprised of the following basic components.

signal switching points (SSPs) - These are the lowest class switch. They have SS7 capable software and start, end, and switch calls.

signal transfer points (STPs) - These are the packet switches. They route incoming signals to the correct destination and perform other advanced routing functions.

signal control points (SCPs) - These are databases used in advanced call processing.
These signaling components are crucial for calls to take place. Any call in which the called party is served by another switch than the calling party needs the above components to be functioning for the call to be processed. To avoid problems though, this network has been made highly redundant, which allows it to bypass most network failures. The STPs and SCPs are most often placed in pairs, with both doing the same task. This prevents a small error in one STP from stopping signaling. I will draw a pseudo-ascii text diagram to explain what this network looks like.

   SCP1   SCP2---.                .---SCP3   SCP4
     |      |    |                |    |       |
     |      |    |                |    |       |
     |______|___STP1............STP3___|_______|
     |      |   / : :            : : \         |
     |      |  /.---STP2........STP4---.\      |
     |______/__/_.|                |._\__\_____|
          /  /                        \  \
         /  /                          \  \
       SSP1                             SSP2
      # # # #                           # # #

That may be the worst ascii diagram in existence. Nevertheless, I will try and explain it and hopefully you will see what it represents. The #'s show subscribers connected to their local switch (SSP1 and SSP2). SSP1 and SSP2 are both connected to a pair of STPs. The two STP pairs are connected to each other. They also have links to SCPs for advanced call processing. Study that poorly made ascii and this explanation for a bit and it should come to you.

SS7 signaling links
-----------------------------

SS7 signaling links are all the same. They are classed, however, on their use in the signaling network. There are 5 link types, A-F.

A Link - These links connect an STP to either an SSP or an SCP.

C Link - These links interconnect pairs of STPs. These are what reduce network failure by making multiple signaling links available.

B, D and B/D Link - These links interconnect a pair of STPs to another pair of STPs. These links are either called B, D or B/D but they all refer to the same link type.

E Link - These links are another link type used only to enhance reliability. An SSP will be connected to an STP pair through A links. These E links are the same but link to a secondary, or backup, pair of STPs.
In case the main STPs cannot be reached then the second pair will be used.

F Link - These links are used in Associated Signaling only. They do not use STPs and link directly between two SSPs.

An example phone call over SS7
-------------------------------

I will briefly explain what goes on during a phone call. To help visualise this I will draw an ascii, but as I suck at ascii diagrams this will probably confuse you instead.

[asKi diagram]

                 STP1 ---------- STP2
                 /  \            /  \
                /    \          /    \
         ______/      \________/      \______
     SSP1____/                              \____SSP2
      |                                          |
    Mr. X .................................... Mrs. Y

    Voice .    Signaling - or \    Subscriber |

Right now you're probably thinking, wtf is that shit. Yes, strangely enough ascii is not the best graphics format in the world. Basically Mr. X and Mrs. Y are both connected to their respective switches (SSP). Both switches have two signaling links, connecting both to STP1 and STP2 (STP Pair). They do not have a signaling link to each other. I will show this step by step as when I first wrote this in one big chunk it looked confusing.

1. Now, Mr. X is getting lonely and decides to call Mrs. Y. He picks up the phone and dials her number. His switch gets the message, and realises it needs to get to SSP2. SSP1 will select an idle trunk between itself and SSP2. It sends a message along one of its signaling links (SSP1-STP1 or SSP1-STP2). It can use either link, it makes no difference.

2. The STP gets the message and sees the destination is SSP2. It routes the message down a signaling link to SSP2.

3. SSP2 receives the message. It checks the line status of Mrs. Y. If the line is clear it sends a message back saying the line is clear. This message goes back to the STP. It also completes the call path and sends a ringing tone over the trunk to SSP1 and rings the line of Mrs. Y.

4. The STP receives the message, checks the destination and routes it to SSP1.

5. SSP1 gets the message. It's at this point that Mr. X is connected to the trunk and hears the ringing tone.

6. Mrs. Y picks up the phone. SSP2 sends a message over the signaling link saying the call is answered.

7. The STP checks the destination and routes the message to SSP1.

8. SSP1 gets the message. It makes sure that Mr. X is connected and that a 2-way conversation can take place.

9. Mr. X hears his wife coming home. He quickly zips up and hangs up the phone. Now, SSP1 gets the hangup. It sends a message indicating the call is over.

10. Once again, the STP receives and routes the message. This should be no surprise by now.

11. SSP2 gets the message. It checks the message to see which trunk the call was on. It sets the trunk to idle and sends a message back.

12. The STP gets and routes the message.

13. SSP1 gets the message. It checks to see which trunk the call was on and idles it.

That's a basic phone call.

Layers of the SS7 Protocol
---------------------------

The SS7 protocol is like most other protocols of the day and is layered. These are the eight layers of SS7.

Physical Layer - Defines the physical and electrical characteristics of the signaling links. Signaling links carry raw data at 56kps and utilise DS-0 channels.

Message Transfer Part-Level 2 - This provides link-layer functionality. It makes sure that two end points of a signaling link can reliably exchange signaling messages. It incorporates error checking, flow control and sequence checking.

Message Transfer Part-Level 3 - This extends on MTP-2 to provide network layer functionality. It ensures that messages can be delivered between signaling points regardless of whether there is a direct signaling link. It has such features as node addressing, routing, alternate routing and congestion control. The MTP-Level 2 and MTP-Level 3 layers together are referred to as the MTP.

Signaling Connection Control Part - This adds two major functions that the MTP lacks. One is the capability to address applications within a signaling point.
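The 13 steps above are easier to follow as a small model you can poke at. What follows is an added example, not part of the article: a toy signaling network in Python with two SSPs, an STP pair, shared trunks and subscriber lines, walking the call through setup, ringing, answer and release exactly in the order the steps describe. The message names ("setup", "line clear", "answered", "hangup", "trunk idle") are the article's plain-English ones, not real SS7 message types (the author deliberately leaves those for another article), and the trunk and line states are assumptions made for the model. Marking STP1 down shows the point of the pair: the call still completes over STP2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SSP:
    """An end switch: owns subscriber lines and one end of each trunk."""
    name: str
    stps: List[str]                                       # A links to the STP pair
    lines: Dict[str, str] = field(default_factory=dict)   # subscriber -> on-hook/ringing/off-hook
    trunks: Dict[int, str] = field(default_factory=dict)  # trunk id -> idle/busy


class SignalingNetwork:
    """Routes signaling messages SSP -> STP -> SSP; any STP may be marked down."""

    def __init__(self, ssps: List[SSP]):
        self.ssps = {s.name: s for s in ssps}
        self.stp_up: Dict[str, bool] = {}
        for s in ssps:
            for stp in s.stps:
                self.stp_up.setdefault(stp, True)
        self.log: List[str] = []

    def send(self, src: str, dst: str, msg: str) -> None:
        # Step 1: either A link will do, so take the first STP that is up.
        for stp in self.ssps[src].stps:
            if self.stp_up[stp]:
                self.log.append(f"{src} -> {stp} -> {dst}: {msg}")
                return
        raise RuntimeError(f"{src}: no signaling path to {dst}")


def place_call(net: SignalingNetwork, caller: str, callee: str) -> Optional[int]:
    """Walk the article's 13 steps; return the trunk used, or None if the callee is busy."""
    a = next(s for s in net.ssps.values() if caller in s.lines)
    b = next(s for s in net.ssps.values() if callee in s.lines)
    a.lines[caller] = "off-hook"
    # Step 1: the caller's SSP picks an idle trunk towards the callee's SSP.
    trunk = next(t for t, state in a.trunks.items() if state == "idle")
    a.trunks[trunk] = b.trunks[trunk] = "busy"
    net.send(a.name, b.name, f"setup trunk={trunk} called={callee}")
    # Step 3: the callee's SSP checks the line status.
    if b.lines[callee] != "on-hook":
        net.send(b.name, a.name, f"busy trunk={trunk}")
        a.trunks[trunk] = b.trunks[trunk] = "idle"
        a.lines[caller] = "on-hook"
        return None
    b.lines[callee] = "ringing"
    net.send(b.name, a.name, f"line clear trunk={trunk}")   # steps 3-5
    b.lines[callee] = "off-hook"
    net.send(b.name, a.name, f"answered trunk={trunk}")     # steps 6-8
    a.lines[caller] = "on-hook"
    net.send(a.name, b.name, f"hangup trunk={trunk}")       # steps 9-10
    b.trunks[trunk] = "idle"                                # step 11
    b.lines[callee] = "on-hook"
    net.send(b.name, a.name, f"trunk idle trunk={trunk}")   # step 12
    a.trunks[trunk] = "idle"                                # step 13
    return trunk


def build_network() -> SignalingNetwork:
    """The diagram above: SSP1 and SSP2, each with A links to STP1 and STP2."""
    ssp1 = SSP("SSP1", ["STP1", "STP2"], {"Mr. X": "on-hook"}, {1: "idle", 2: "idle"})
    ssp2 = SSP("SSP2", ["STP1", "STP2"], {"Mrs. Y": "on-hook"}, {1: "idle", 2: "idle"})
    return SignalingNetwork([ssp1, ssp2])


if __name__ == "__main__":
    net = build_network()
    net.stp_up["STP1"] = False   # take one STP of the pair out
    place_call(net, "Mr. X", "Mrs. Y")
    print("\n".join(net.log))
```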
The MTP can only send and receive messages from a node as a whole; it does not deal with software applications within a node. While MTP call-setup messages and network-management messages are addressed to a node as a whole, other messages are used by separate applications (subsystems), for example 1800 call processing. SCCP allows these subsystems to be explicitly addressed.

Global Title Translation - The second function performed by SCCP is the ability to perform incremental routing through the use of Global Title Translation (GTT). With GTT an SSP does not need to know every destination point it may need to route to. It can send a message to the STP along with a GTT query. The STP will then find the destination and route the message appropriately. An example of GTT would be calling a national number which would connect you to the closest office. The switch sends the message to the STP along with a GTT query. The STP checks its database and routes the call to the correct destination. The STP may also route to another STP further down the line which will find the final destination. GTT can also be used to share load among paired SCPs. The STP can choose from redundant SCPs to share the load across available SCPs.

ISDN User Part - This defines the messages and protocol used in the establishment and teardown of voice and data calls. It is also used to manage the trunk network which they use. ISUP is used for both ISDN and non-ISDN calls.

Transaction Capabilities Application Part - TCAP defines messages and protocols used to communicate between subsystems in a node. They use SCCP for transport.

Operations, Maintenance and Administration Part - OMAP defines messages and protocol to be used to administrate the SS7 network. Some of these features are validating network routing tables and diagnosing link troubles. OMAP uses both MTP and SCCP for routing.

Acronyms Summary
-----------------

I will provide a summary of the acronyms used in this text for ease of reference.
A Link - Access Link
B Link - Bridge Link
C Link - Cross Link
D Link - Diagonal Link
GTT  - Global Title Translation
ISUP - ISDN User Part
MF   - Multi Frequency
MTP  - Message Transfer Part
OMAP - Operations, Maintenance Administration Part
PSTN - Public Switched Telephone Network
SCCP - Signal Connection Control Part
SCP  - Signal Control Point
SS7  - Signaling System 7
SSP  - Signal Switched Point
STP  - Signal Transfer Point
TCAP - Transaction Capabilities Application Part

Outro
------

This ends this article. This file may quite possibly contain a few errors. The majority was typed up from memory, and memory is flawed (or at least mine is). I have purposely not gone into details such as the actual message types sent during calls. I have also not gone into packet structure on SS7. These things will be covered in another article. Hopefully, you have a basic idea of how signaling works after reading this and will see phreaking in a different sense.

.eof.

........[ Basic Linux Security ]......................[ phase5 ]............

. intro
. security policy
. OS installation
. password security
. services and daemons
. tcp wrappers
. logging
. watching your logs
. firewalling
. scan and probe detection
. local access
. outro
. references

[intro]

Basic Linux security texts. They're a dime-a-dozen. It seems every person writes one of these, so here's mine. This is designed for the average home user, who just uses linux as a desktop OS. It is also aimed at those who maybe offer a few shell accounts and therefore need to think about local security a bit more. This is definitely not aimed at those offering many shells, for free or for profit, or running a server of some kind, as a lot more securing would need to be done for those setups.

note: commands will be surrounded by single quotes for readability. these commands should be typed without the quotes.

[security policy]

First of all you must consider a security policy. Identify your needs, security over usability.
If this is your home box and you don't plan on letting anyone else telnet, ftp, etc. into your box then you're going to really lock down on remote access and detection. If you maybe give out a couple of shells to friends you know then you're going to have to relax a little on remote access and concentrate more on local security. And in either scenario you're going to carefully monitor probes, scans and attacks.

[OS installation]

This is where security begins. Don't just install everything or whatever sounds cool. Since this is your personal box you don't need (m)any server daemons. Just install what you need. Know everything you're installing. If you keep the install minimal to your needs this will cut down on both maintenance and security risks, as the less installed the less chance of a vulnerability.

Once you've installed your system and everything is working you're going to want to update your packages. Look on the web site of the distro you installed and see if any vulnerabilities have been found for your version. Download and install all necessary patches. For the paranoid among you, a different box or a windows os on the same box should be used to download these patches. This prevents the newly installed system being vulnerable in this time frame. Once again, only for the paranoid.

Now, most people would recommend getting the very latest version of your particular distribution. The theory is the older versions have many vulnerabilities and therefore are insecure. However, the latest version is new. It's unknown and untested. By using the very latest version you are vulnerable to the latest exploits, which may not be publicly released or for which a patch may not yet exist. However, an older distribution, while having several published exploits, will also have patches. Obtaining an older version and patching and upgrading it to fix all known vulnerabilities will lead to a box equal to or more secure than the latest version. This does not mean using a version many years old.
A version one or two releases prior to the latest, or about one year before the latest, would be a good choice. This is personal preference however and many among you will undoubtedly choose to use the latest. You will have to keep a very close eye on security mailing lists to make sure you remain vulnerability free though. (This does not mean using an older version means you don't look out for new exploits.) I will note however I don't follow my own advice and run a fairly recent distribution.

[password security]

Ok, let's start with the basics. Shadow passwords. Shadow passwords are where your accounts' passwords, normally located in /etc/passwd, are moved to another file, only accessible to root. /etc/passwd must be world-readable as many things need it for checking UIDs and GIDs. By using shadow passwords the passwords are moved to a safe location but the other information is still accessible. Now, shadow passwords should be turned on during the install. If not then once you have logged onto your system for the first time run the command 'pwconv' as root. If that command doesn't exist you are probably running a very old distro in which case you will need to install a shadow suite yourself. I can't really be bothered finding one and giving you the url. Use the net for something other than pr0n and find one.

Another thing which you may wish to implement is PAM[1]. PAM stands for Pluggable Authentication Module. Basically, it allows you to choose how you want various applications to authenticate users. Most of the latest distros come with PAM. As an example of PAM, we will enable md5 hashes for your passwords. This makes passwords harder to crack. PAM stores its files in /etc/pam.d. This directory stores various files for different applications. Now, this is what a line will look like before md5 hashes.

password required /lib/security/pam_pwdb.so use_authtok nullok shadow

Note the shadow at the end. This indicates we're using shadow passwords.
Simply change this line to use md5. The line then looks like this.

password required /lib/security/pam_pwdb.so use_authtok nullok shadow md5

You will need to edit most if not all of the files in this directory. As you can see PAM easily allows you to change authentication methods without doing a whole heap of recompiles and configurations.

Just before I finish on passwords, it's best to look through your passwd file and remove default accounts. Most of them will be disabled anyway (invalid password field such as an * or X instead of the encrypted password) but they still shouldn't be there. Accounts such as nobody, games, etc should be removed. Also accounts that perform functions such as halt, shutdown, etc. There will also be accounts for things such as mail, news, etc. These are generally not needed and can be removed.

[services and daemons]

The average linux distro will come with many open ports and services. What you're going to want to do is shut those off. Open up the file /etc/inetd.conf and comment out (prefix the line with a #) any services you don't need. This should be all of them except maybe telnet or ftp. Also, you may wish to leave auth open. Shutting this off shouldn't generally cause any problems, though some servers, such as certain ftp or irc servers, may not allow you access. If you're giving out shells or running a small ftp server or what have you then leave whatever you need uncommented. Don't leave things like telnet open just for the hell of it, or because you want your friends to see your el1te banner and fjear you. After making the changes to /etc/inetd.conf you will need to restart the inetd daemon. Either 'killall -HUP inetd' or 'ps aux | grep inetd', take note of the PID of inetd, then 'kill -HUP PID_OF_INETD'.

When you install linux, most likely a wide variety of daemons and programs will be loaded at startup. Some of these are useful, such as gpm; others are downright dangerous. Next thing to do is to shut off some of those daemons.
These daemons get loaded every boot. In linux the startup files are found in /etc/rc.d/rc3.d. To change what's started either

a) run '/usr/sbin/setup' and select System Services
b) run 'chkconfig'. This program will list each startup service and display whether it is off or on for runlevels 0-6. Services can be added and deleted.
c) enter the directory /etc/rc.d/rc3.d. For services that are active, the filename will begin with a capital S. For those that are not, the filename will begin with a capital K or lowercase s. Simply rename files as needed.

[tcp wrappers]

Any decent system these days should be running tcp wrappers. What this is is a wrapper over a normal daemon. It checks the user's host against its list and performs actions depending on what is configured. It can allow access and run the real daemon, deny access, run a program, etc. It should be already installed and configured. TCP Wrappers uses the files /etc/hosts.allow and /etc/hosts.deny. Quite obviously, they are lists of who to allow and who to deny respectively. The format of an entry in these files is

service:host:action

First let's configure the hosts.allow file. You will want to allow localhost access. Do this by entering the following line into the hosts.allow file.

ALL: 127.0.0.1

Note that no action was specified. The default is to allow access. Now, move on to hosts.deny. The most basic setup would be

ALL:ALL

This will deny access to all hosts on all services. However, you may want a little more feedback. Perhaps when someone connects to certain ports root is mailed or a line is added to a special log file. Perhaps you want to keep track of .gov or .mil addresses. You should be logging and monitoring your normal syslogd logs anyway but maybe you want a separate, clean log. In this case you may want to do something like this.
ALL: .gov, .mil: spawn /usr/bin/finger @%h | /bin/mail -s "Gov/Mil Access Attempt from %h using %s" root &
in.telnetd: ALL: spawn /usr/bin/finger @%h | /bin/mail -s "Telnet attempt from %h" root &

In that example whenever a .gov or .mil address attempts to connect to any port then a mail is sent to root with the address, service and finger info. Also, if anybody attempts to telnet in then a mail is sent to root with their host and finger info. btw.. %h and %s stand for host and service respectively. You can find out the full list through 'man hosts.deny'. You can do anything you want really. Generally, the ALL:ALL deny should be fine. Note that if you have a service commented out in /etc/inetd.conf then you won't get a connection log. Therefore it is useful to run a simple script that adds a line to the log of your choice with the service and host. You may prefer however to do connection logging with a third party logger such as tcplogd.

[logging]

Logging is a vital part of system security. Without an audit trail, there can be no hope of finding the intruder or even seeing what happened to your system. For our purposes, logging shall be done via the syslog daemon. This daemon is started at boot time and should not be turned off. The problem with logs is that if an intruder manages to obtain root, logs are useless. The solution to this is to set up a secondary host as a logbox. This means it is just a system that stores logs. For the home user, this may just be a 386 box connected to the main box. This logging box should not be running ANY services and should be completely firewalled off (except for the main box which is sending the logs). You will also need to implement a third party logging tool for logging connections. There are plenty of these around. I use tcplogd, which is part of the snplogd[2] package. This will log basic tcp connects. Your main log to watch will be /var/log/messages. The majority of logging information will end up here.
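Before you trust a hosts.allow/hosts.deny pair, it is worth checking by hand which rule a given connection hits, because the order matters: hosts.allow is consulted first and a match there wins, then hosts.deny, and a connection matching neither file is allowed. The following is an added example, not part of the article and not tcp wrappers' own code: a small Python evaluator of the service:host:action format from the tcp wrappers section above, loaded with the article's own entries (the localhost allow line, the .gov/.mil and telnet spawn lines, and ALL:ALL). It handles the ALL wildcard, .domain suffixes, net. prefixes and exact names, and expands only %h and %s in spawn actions; every other hosts_access(5) feature is deliberately left out, and the client hostnames and addresses in the self-test are constructed.

```python
from typing import List, Optional, Tuple

# Constructed copies of the two access-control files, built from the article's
# own entries. The real files are /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = """\
ALL: 127.0.0.1
"""

HOSTS_DENY = """\
ALL: .gov, .mil: spawn /usr/bin/finger @%h | /bin/mail -s "Gov/Mil Access Attempt from %h using %s" root &
in.telnetd: ALL: spawn /usr/bin/finger @%h | /bin/mail -s "Telnet attempt from %h" root &
ALL: ALL
"""

Rule = Tuple[List[str], List[str], Optional[str]]  # services, host patterns, option


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]  # service : host : option
        if len(parts) < 2:
            continue  # malformed entry, ignore it
        services = [s.strip() for s in parts[0].split(",")]
        hosts = [h.strip() for h in parts[1].split(",")]
        option = parts[2] if len(parts) == 3 else None
        rules.append((services, hosts, option))
    return rules


def host_matches(pattern: str, hostname: str, address: str) -> bool:
    """Subset of hosts_access(5) patterns: ALL, .domain suffix, net. prefix, exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    if pattern.endswith("."):
        return address.startswith(pattern)
    return pattern in (hostname, address)


def first_match(rules: List[Rule], service: str, hostname: str, address: str) -> Optional[Rule]:
    for rule in rules:
        services, hosts, _ = rule
        if any(s in ("ALL", service) for s in services) and any(
            host_matches(h, hostname, address) for h in hosts
        ):
            return rule
    return None


def spawned_command(option: Optional[str], service: str, hostname: str) -> Optional[str]:
    """Expand %h and %s in a 'spawn ...' option; other option keywords are not modelled."""
    if not option or not option.startswith("spawn "):
        return None
    return option[len("spawn "):].replace("%h", hostname).replace("%s", service)


def check_access(service: str, hostname: str, address: str,
                 allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> Tuple[bool, Optional[str]]:
    """hosts.allow first (a match grants), then hosts.deny (a match refuses and runs
    its spawn command, if any); no match in either file means access is allowed."""
    rule = first_match(parse_rules(allow), service, hostname, address)
    if rule:
        return True, spawned_command(rule[2], service, hostname)
    rule = first_match(parse_rules(deny), service, hostname, address)
    if rule:
        return False, spawned_command(rule[2], service, hostname)
    return True, None


if __name__ == "__main__":
    for who in (("in.telnetd", "localhost", "127.0.0.1"),
                ("in.ftpd", "mail.example.gov", "10.0.0.5"),
                ("in.telnetd", "box.example.net", "10.0.0.6")):
        print(who, "->", check_access(*who))
```

One consequence the evaluator makes visible: with ALL:ALL as the last deny line, removing it does not open the box up for the telnet case (the in.telnetd line still matches), but it does for every other service, so keep it there.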
Also /var/log/secure will log things such as logins, su's, etc.

[watching your logs]

As we all know, logs grow quickly. It gets hard to keep an eye on them all the time. This is where log filtering programs come in. These go through your logs, find bits of interest and do various things from there. One example is Swatch[3], which will tail a logfile, and when it finds certain user-definable patterns in the logfile can echo them to screen, beep, run a command, etc. This can be a way of keeping an xterm or console open watching the log without superfluous information being displayed, only things of interest.

[scan and probe detection]

Having a secure box is one thing, but that's only one part. You should also have a good detection system, so you can spot an attack before it happens. A good utility for this is portsentry[4], which is part of the abacus project. Basically portsentry will monitor a set of ports, either by binding to them in basic tcp mode or by watching packets as they come in and checking the destination in the advanced modes. You set a limit of how many connects to different ports are allowed before it is considered a portscan. Once a portscan is detected portsentry takes appropriate action such as adding them to your /etc/hosts.deny or blocking them with a local packet filter such as ipchains. Portsentry will also detect the majority of the "stealth" scan types such as SYN, FIN, XMAS and NULL.

Now, different people argue over whether to automatically block the scanning person via a local packet filter. Some claim that it's a good option and the odds of a DoS attack being used against you are very slim. Others say it's stupid and people can make you block things you don't want to block. This is due to the fact these "stealth" scans are very easily spoofed. I will leave this decision up to you.
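The counting rule portsentry applies ("so many connects to different ports before it's a portscan") is simple enough to write down, and doing so shows where the spoofing argument bites. The following is an added example, not part of the article and not portsentry's or tcplogd's code: it reads a connection log, counts distinct destination ports per source inside a sliding time window, reports the sources over the threshold, and produces the hosts.deny lines portsentry would add. The log format ("epoch source-ip dest-port", one connect per line) and the sample lines are constructed for the example; the never_block set is the safeguard for the "people can make you block things you don't want to block" problem, so your gateway or DNS server can't be locked out by a scan with a forged source.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# Constructed connection log, one connect per line: "<epoch-seconds> <source-ip> <dest-port>".
# This is not tcplogd's real format; it is just enough input to show the counting logic.
SAMPLE_LOG = """\
946684800 10.1.1.9 23
946684801 10.1.1.9 21
946684802 10.1.1.9 25
946684803 10.1.1.9 79
946684803 10.1.1.9 110
946684810 192.168.0.3 23
946684900 10.1.1.9 143
946684900 172.16.5.5 23
946684901 172.16.5.5 23
946684902 172.16.5.5 23
"""


def parse_log(log: str) -> Dict[str, List[Tuple[int, int]]]:
    """Group (timestamp, port) pairs by source address."""
    events: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events[src].append((int(ts), int(port)))
    return events


def detect_scans(log: str, threshold: int = 5, window: int = 60,
                 never_block: FrozenSet[str] = frozenset()) -> Dict[str, List[int]]:
    """Return {source: distinct ports} for every source that touched at least
    `threshold` different ports within some `window`-second span. Sources in
    `never_block` are skipped entirely: a scan with a forged source address must
    never be able to make you cut off your own gateway, DNS or log host."""
    scans: Dict[str, List[int]] = {}
    for src, hits in parse_log(log).items():
        if src in never_block:
            continue
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so it spans at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                scans[src] = sorted(ports)
                break
    return scans


def hosts_deny_lines(scans: Dict[str, List[int]]) -> List[str]:
    """What portsentry would append to /etc/hosts.deny for each detected scanner."""
    return [f"ALL: {src}" for src in sorted(scans)]


if __name__ == "__main__":
    found = detect_scans(SAMPLE_LOG, never_block=frozenset({"192.168.0.1"}))
    for src, ports in found.items():
        print(f"portscan from {src}: ports {ports}")
    print("\n".join(hosts_deny_lines(found)))
```

In the sample, 10.1.1.9 hits five different ports within four seconds and is reported; 172.16.5.5 hammers port 23 three times and is not, because repeated connects to one port are not a scan by this rule. Raise the threshold to 6 and nothing fires, since the sixth port arrives 100 seconds after the first and falls outside the window.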
However, if you have a decent understanding of your packet filter, you should change the blocking rule so that even though the host is blocked you can still open connections to that host, while they cannot establish a connection to you.

[local access]

Now that we've dealt with remote access we have to deal with the local system. Assuming an attacker managed to get onto your system, or that you let people have shells on your box, we have to limit the damage that they can do. Before starting it's best to create a group for privileged commands. I will use the group wheel in this example. Add people who need privileged access to this group.

Suid Root

Suid stands for Set User ID. Basically, when the program executes it runs as the UID of the owner. Suid root programs obviously run as uid 0 and as such can be a source of system weaknesses. If you can't figure out why they pose a potential problem then you need to think a bit harder. Anyway, you should locate all suid root programs on your system and decide individually whether they should stay suid root. These lines will find suid programs on your system, one exact mode at a time:

    find / -perm 4777 >> suid.txt
    find / -perm 4770 >> suid.txt
    find / -perm 4755 >> suid.txt
    find / -perm 4750 >> suid.txt
    find / -perm 4751 >> suid.txt
    find / -perm 4500 >> suid.txt
    find / -perm 4555 >> suid.txt
    find / -perm 4550 >> suid.txt
    find / -perm 4551 >> suid.txt

(Each -perm above matches only that exact mode, so a file with an unusual mode such as 4711 would be missed. 'find / -type f -perm -4000 -user root' matches every root-owned file with the setuid bit set, whatever the other bits are.)

Check each file and decide if it really needs to stay suid. If it doesn't then a simple 'chmod o-x file' and 'chgrp wheel file' will fix it, so only the owner and the wheel group can run it. Things such as su should be changed to privileged group access only.

Remote Root

This is something you don't want. Root should never be able to remotely login. To remove this ability edit the file /etc/securetty and make sure only local ttys are listed.

[outro]

I'm too tired to continue so that will wrap up this file. This should give you a BASIC idea of linux security.
If you want more advanced information then I suggest you go out and learn more about your system. There's a lot more I could have added, especially to the local access section, but I find it better if you actually go out and figure out how to do things yourself.

[references]

[1] PAM - Pluggable Authentication Module
    ftp://ftp.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
[2] snplogd - 3 part logging package (tcp,udp,icmp)
    http://www.franken.de/users/gauss/snplog/
[3] Swatch - log watcher
    ftp://ftp.stanford.edu/general/security-tools/swatch
[4] portsentry - part of the abacus sentry project
    http://www.psionic.com

.eof.

........[ Basic Perl ]................................[ bsdave ]............

So... you want to learn perl, why? Because all the 133t h4x0r's know perl, like bsdave and lymco. Well, contrary to popular belief, perl is really simple (not really, but it's comforting to think so). Read on and find out...

To use this tutorial you will need a recent'ish linux/bsd because most come with perl pre-installed. Or if you're desperate and waaaay too lame to install a free unix on your computer you could always go to www.perl.com and download a version for win32 BUT a lot of the example programs here won't work under Win32 because they rely on other programs which are BSD and linux only, like grep and traceroute etc... So if this is the case you should probably get a shell account, or not be a total fetus-head and learn about free unixes, which is what perl is designed for.

Chapter one, information about Perl:

First off, perl is an interpreted language, which means you don't compile it and then have a binary of your program. You just pipe it to the perl interpreter and it follows the commands. Almost like a bash script.

Perl has 2 basic types of variables. Scalar variables begin with a $ sign, eg $myvariablename, and arrays with an @. This is so they aren't confused with Perl's command words like print, and if...

Variables : A scalar variable holds a single defined value, a number or a string.
For example $x = 1, so if you were to print $x to the screen you would see 1. In perl you can create empty variables with "my" or "local" but you'll learn about this later.

Arrays : An array holds multiple values. For example @X = (1,2,3,4,5), and you could print any of those values to the screen with $X[position - 1], because perl counts array positions from 0. eg $X[2] would print 3 in this instance, because 3 is the third value and the third value has index 2. This may seem slightly confusing but it really isn't after a while.

Conditionals and loops: These are the heart of programming. Without these every program would just do the same thing every time with no input.

    if (this happens) { do this; }

See? Here's a more real world example (note the double == which compares; a single = would assign 5 to $x instead of testing it):

    if ($x == 5) { print "X was five!\n"; }

    while (this is happening) { do this; }

    while ($x<10) { print "HEEELP! I'm stuck in a loop! press Ctrl+C To stop me!\n"; }

Your first script:

Ok... so now you know some basics we're gunna write a simple script and deconstruct it. This small program generates a block of IP's for you. You'd start it with:

    perl ipmake.pl ip.ip.ip

and it'd generate the last octet.

    #Title:ipmake.pl    - These are comments left for anyone viewing the source.
    #Author:bsdave      - Anything with a # in front won't be run by perl so you
    #==================================  can leave things in here explaining what your script does.
    if (length($ARGV[0])==0) {      # if there is nothing in perl's array $ARGV[0] ...
        print "Usage is: perl ipmake.pl [three octet IP with no trailing .]\n";
                                    # ... print that to the screen. The "\n" means
                                    # for perl to press enter (a newline).
    }
    else {                          # if the 'if' test wasn't true, do this instead
        $ip=$ARGV[0];               # this assigns a value to $ip
        $testip=0;                  # this assigns a value to $testip
        while ($testip<255) {       # while the number held by $testip is less than 255
            $testip=$testip + 1;    # add 1 to it
            print $ip . ".$testip\n";   # and print it to the screen as $ip joined to $testip
        }                           # this ends the 'while' loop
    }                               # this ends off the 'else' block that the 'while' loop is in

Ok that seems simple enough, right? BTW. I should have told you that $ARGV[x] is an in-built perl array that stands for "Argument Vector", which is basically any command line input. eg perl myscript.pl $ARGV[0] $ARGV[1] $ARGV[2] etc.

So. You've successfully read your first perl script? Do you feel 133ter already? :). Well here's a challenge and some tips: try to make a script that counts to a specified number from looking at the script above. The answer you'll need is in the while loop; you'll need to make your own while loop to do this but nothing else really. When you've done one, scroll down some more and check out the answer at the end. :). If it's not the same as mine don't worry, mine is just how I did it; two people never write a script exactly the same. As long as it looks clean and works it's A-OK and correct.

***Answer to this issue's challenge number 1: The script that counts to a specified number.

    #Title:count.pl
    #Author:bsdave
    #==================================
    $number = 0;
    $finish = $ARGV[0];
    while ($number<$finish) {
        $number++;
        print "$number\n";
    }

NB: $number++ tells perl to add one to $number. It's common to do this to save space in a script.

Well that's it for this issue. bye from bsdave. check us out at http://charisma.rendrag.net or come on over to #charisma on au.austnet.org... next issue is about opening and handling files. seeya then. - Bsdave

........[ Outro ].....................................[ phase5 ]............

That's all folks.
[ ANSI logo (cp437 block graphics) ]  v64!MSN^PCS

. EOF .