CompTIA Linux+ XK0-005 – Unit 12 – Security part 2

  1. Demo – Exploring User Management Commands

All right, let’s take a look at some of these very simplistic commands that we can use and run to take a look at the user accounts on this system. So if I wanted to type in who, what I get to see is some information about who is currently logged in. Now, I see Trainer listed in here twice. Once, it looks like, from a remote connection, and that’s because I have another operating system running that made a connection to some of our shares through NFS. So I still expect to see that user on there until I actually go out there and get rid of them. Here’s one, a command you might have thought you knew: it’s who am i. But now I’m leaving the spaces in between and it tells me which of those trainers I am and basically gives me a little bit more information about when I logged in and everything else, as opposed to whoami, where I don’t put any spaces and it just gives me the name of the trainer.

Well, let’s try w as a command. Now, a lot of you might say, well, w is your attempt at a shortcut and that’s not a command. Well, let me hit tab twice. And if you notice when I hit tab twice, w actually shows up as a valid command. So let’s see what that does when I type in w. Now, what it’s doing is it’s showing me, like the who command, all the people logged in, but it also tells me what they’re doing. So I kind of like that it gives me a little bit more information. Let’s clear our screen off and let’s type in last so we can see the last people to connect in here. You can see that root every now and then has connected. Trainer mostly has been the one connecting in there. You’re even seeing some information about the reboots that I’ve gone through while working on this virtual machine.

Let me clear that out of there and let’s try lastb. Now, lastb was designed to be able to show me the last bad login attempts. Now, just in case you’re thinking, well, maybe that’s an administrator type of command, something the root needs to do, I’ll try it with sudo, and when it asks me, I’ll supply it with my password in a bit and we’ll see if it lets me see anything different as far as the options of who was last logged in. All right, so let me put that password in. And again, you can see that it didn’t give me anything extra. All right, so having looked at that, lastb is again trying to show me bad login attempts, and it looks like we had one unknown user try to make that connection in there. All right, let’s take a look at some other options here.

We’re going to play around with some of these other commands like the gnome-screensaver-command command and --lock. And if I’m lucky, if I have this set up to go, I’m hoping that it will lock my screen. Now, it might just be that it doesn’t lock if I don’t have this particular application installed, but it looks like I have it running, and now my screen is locked. That means that the only way for me to get back in is to actually know the password. So that’s a nice little way of testing your screen saver. I still don’t believe that having a screen saver with a password is the best way to secure your computer when you leave your desk. I really do believe you should lock your machines when you leave on a purposeful note, because otherwise I’m just going to wait until you walk away and can’t see me anymore and I’ll get to your machine before your screen saver does.

All right, so here’s the same command, but if you notice, I’m putting it in as an alias. So now, if I type in the command lock, it should do the same thing as I just did with that screen saver lock. There are some pretty screen savers. All right, so now I’ll wiggle the mouse around to get the input back, and then it asks me to unlock. So there’s some very quick options, some things you can do to see who’s connected, what they’re doing, who you are, and playing with at least one layer of security, which is having your screen saver lock your system so that if you’re gone or idle for however many minutes you set it, the people coming back to it would need your password.
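As an added example (not part of the course demo), here is how the lastb output discussed above can be turned into a per-source count of failed logins, which is what you would actually want to watch. The sample records are constructed to mimic lastb -i (IP addresses in the host column, 0.0.0.0 for local console attempts); on a real system the input is the output of sudo lastb -i, since /var/log/btmp is root-readable.

```shell
#!/bin/bash
# Added example: summarise failed logins from lastb-style records.
# BTMP_SAMPLE is constructed test data in the layout of `lastb -i`:
#   user  tty  host  weekday month day HH:MM - HH:MM (duration)
BTMP_SAMPLE='root     ssh:notty    203.0.113.5      Mon Jan  8 10:14 - 10:14  (00:00)
(unknown ssh:notty    203.0.113.5      Mon Jan  8 10:14 - 10:14  (00:00)
admin    ssh:notty    203.0.113.5      Mon Jan  8 10:15 - 10:15  (00:00)
trainer  tty2         0.0.0.0          Mon Jan  8 09:02 - 09:02  (00:00)
root     ssh:notty    198.51.100.7     Mon Jan  8 11:40 - 11:40  (00:00)

btmp begins Mon Jan  1 00:00:00 2024'

# Print "count host" lines, most frequent source first.
# Blank lines and the trailing "btmp begins ..." footer are skipped;
# the host is always the third whitespace-separated field.
failed_by_host() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 == "btmp" { next }
        { n[$3]++ }
        END { for (h in n) print n[h], h }' | sort -rn
}

# Print only the hosts whose failure count reaches the threshold
# (second argument, default 3); these are the ones worth a closer look.
hosts_over_threshold() {
    failed_by_host "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

failed_by_host "$BTMP_SAMPLE"
hosts_over_threshold "$BTMP_SAMPLE" 3
```

To run it against the live system, replace the sample with "$(sudo lastb -i)".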

  1. Topic B: Network Security

All right, now we’re going to talk about some network security, which means, of course, the traffic either transiting through our system or originating or coming to our system. So let’s take a look at some options that we have. And again, these are just tools that you may or may not use, but I think you’ll like them because you can do a lot of cool stuff with Linux. And as everybody keeps saying, it’s free. All right, so let’s take a look at that.

  1. Routing and Firewalls

First of all, you can turn your system into a router and a firewall. Now that means that you can do routing, you’ll work with routing tables and a lot of other cool stuff. So let’s talk about routing for just a second, and we’ll talk about how to enable it. What you’re basically saying is you have a multi-homed box and that if a packet reaches your network card, you’re actually going to look to see if you are the recipient. If you’re not the recipient, you’re actually going to look up in a routing table where that thing should go and send it on its way. That means you have just become an intermediate system. You’re no longer a node, no longer an end system. That means you have to have routing turned on and routing tables so we can figure out where the destinations are.

Now, when we’re dealing with routing, we’re dealing with IP networks. And the thing about networks is they are logical. That means they can change, you can rechange or basically readdress, you can add new ones, you can subtract them. Interfaces can fail on other routers and they can just disappear. So they’re just logical. And our goal with these IP networks is to figure out how to best get there and send our stuff along that best path. Now, as a firewall, we can also take a look at the traffic as it’s moving through and add to the routing the decisions, yes or no, accept or reject or drop, as to whether or not we want that traffic to move through. Which means we can protect our networks from stuff coming in or protect the destinations from stuff that’s going out.

  1. Basic Routing Table

Now your basic routing table is going to consist of destination addresses and outbound interfaces and possibly a gateway that you’re going to send it to. So let me just kind of break down what it means by a routing table. A destination network address means that I’m going to look at the IP destination address and I’m going to compare it to all of these destinations in my table, and I’m going to take the one that has the best match. Now that is an important statement in routing. I might have a destination address in my routing table of 192.168. I might have another destination address of 192.168.1.0. Okay, they sound very similar. They both have in common 192.168. Now let’s say that the first one goes out network card A and 1.0 has to go out network card B. So here comes this happy packet.

I look at the destination address, the destination address says 192.168.1.50 and I say, well, the 192.168 matches both routes in my routing table. However, the 192.168.1 route matches it even more, and that’s the route you choose. So routing tables are always about longest matches. Now we also have what’s called the default route. Now let’s think about that for a second. Your current Internet routing tables for the core service providers to get everywhere in the world is over 280,000 routes. I don’t think you want to put that many into your system. So what we do is we put in the ones we specifically want to get to destinations with and create what’s called a default route.

A default route, although labeled to us as default, is technically a route with a net mask. And what that basically means is that this matches everything. I’m technically saying that zero bits matches your zero bits all the way through. And it does, right, because for every destination, if I just look at zero of your destination, it matches zero of my network table or my route table and that’s considered a match. It’s this big supernet. Any other route on my table that matches you would certainly be longer than zero bits, but you almost always will have a default route listed in your table as well. Okay, one of the things I said about those routes is that they tell me which network card I’m going to use to leave. That’s important.

What is the outbound interface? But that’s assuming that the destination I’m trying to connect to is in the network attached to the outbound interface. It could be that the actual destination is several routers away, maybe 20 routers away across the world. So what I also need to know, if it’s something that applies, is not only what interface I go out but whether I hand it off to another router that is just one step closer to finishing the delivery, and that router does the same thing that I just described. So you might also, as I said, have a gateway as well. Almost always, your default route should have a gateway, because the idea is we’re sending it into the Internet, and when we hit an Internet router, then it gets you to the destination. But that’s your route table.
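As an added example (not from the course), the longest-match rule described above, worked in shell over a small constructed routing table: a /16, a more specific /24 inside it, and a 0.0.0.0/0 default with a gateway. The table, the interface names and the gateway are assumptions; a gateway of "-" marks a directly attached network.

```shell
#!/bin/bash
# Added example: longest-prefix-match route lookup, the selection rule the
# kernel applies. ROUTES is a constructed table: destination/prefix gateway interface.
ROUTES='192.168.0.0/16  -            eth0
192.168.1.0/24  -            eth1
0.0.0.0/0       192.168.1.1  eth1'

# Dotted-quad address -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length; /0 gives an all-zero mask, so every address matches.
mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Print "gateway interface" for the most specific route matching address $1.
lookup() {
    local dst best_len=-1 best=""
    dst=$(ip2int "$1")
    while read -r net gw dev; do
        [ -z "$net" ] && continue
        local addr=${net%/*} len=${net#*/} m
        m=$(mask "$len")
        # A route matches when the masked destination equals the masked route prefix;
        # among matches, keep the longest prefix.
        if [ $(( dst & m )) -eq $(( $(ip2int "$addr") & m )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best="$gw $dev"
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best"
}

lookup 192.168.1.50    # both 192.168 routes match; the /24 wins -> "- eth1"
lookup 192.168.10.7    # only the /16 and the default match -> "- eth0"
lookup 8.8.8.8         # nothing specific, so the default route -> "192.168.1.1 eth1"
```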

  1. Routing

Now, in order for routing to really work, you have to have a multi-homed computer. Multi-homed means you have more than one network card. If you have only one network card, you’re not doing a lot of routing, because why am I going to send you a packet to route back to the same network I sent it from? So you need to have at least two network cards or more to be effectively a router. You also have to turn on IP forwarding, which is enabled by changing the value to a one in the /proc/sys/net/ipv4/ip_forward file setting. Did you get that? I’m sure you’ll be able to see that and read it. Why do you turn it on? Well, here’s what’s unusual.

I want to be, by default, an end system, so as packets are seen by my network card, I’m going to look at the MAC address and say, oh, well, that’s my MAC address. I’m going to look at the IP address and say, yes, that’s my network card’s IP address. So this was meant for me. Now, if you send me a packet to my MAC address, but the IP address is different than what’s configured on my card, I’m going to throw it away, because I’m going to say, well, you got the MAC right, but that’s not my address, so it obviously wasn’t meant for me. Now, when you turn this on, you become a router.

The way routers work is that in your local area network, the computers that want to send you traffic to get routed have to send it to your hardware address, your MAC. So everything comes addressed to your MAC. But now, because you know that you are a router, you can look at that destination address, and if it’s not yours, that means you’re not the destination. Go look up in your routing table and figure out which interface to send it on. So you have to turn that capability on, otherwise you’re just going to throw everything away. It lets you get to those remote networks.

  1. Large Network

Now you could have a very large network, which means multiple routers, multiple of what we call network addresses or subnets, lots of interfaces, and the larger your network gets, the harder it’s going to be to utilize these static entries and the static files that I’ve just talked about. Now if you have a small network, you can probably get away with having something like Linux as a router. There’s a company called Vyatta that actually sells a version of Linux that does routing for you and claims to be able to give you some very good throughput if you have some high speed network cards. Certainly Cisco and Juniper and Force10 and Extreme and Alcatel and all these other companies make their livings by selling you objects that do routing for you.

Now I’m not going to try to get on the case of saying don’t buy them, use the free stuff. I’ve got to tell you there are some big benefits to using a real hardware based firewall over a software based one, but for a small network on a limited budget I think this is not a bad solution. And then we can deal with larger networks that have better routing protocols, memory designed for large routing tables. I mean, that’s a different argument, but you can certainly see where this solution might be viable on a network that might not have so many destinations to keep track of.

  1. Modifying Routing Tables

Now these routing tables are something you’re going to have to take care of, and that you can do through commands like route add. Route add is your way of adding a route to the routing table. Now when you put it in there, you’ll have to supply the remote network, the subnet mask information, and you’re going to have to be able to tell me, if needed, any of the next hops that I need to have. If you use the command ip route add, then you’re going to be putting in similar information. But in that case, you definitely will have to tell me about the outbound interface and the next hop that I’m putting in there. You can also use routing protocols to some extent to have automatic routing changes take place.

Now I’m not going to get into routing protocols, that’s a whole other world. For the most part, in a small network with a few decisions, you’re going to use the route add command to be able to add in specifically how you want to get from where you are to where you want to go. Now, to verify that your routes are working or that you’re taking paths that you think are right, there is a command called traceroute. Traceroute’s job is, basically, to start from an end system, a node, where you usually run it, and you do a traceroute and it tells you about the routers that it goes through to get to the destination. In a small network, you should be able to look at the results of that traceroute and say, yes, that looks like the right path to get from where I am to where I want to go.

It lets you kind of know everything routing-wise is working right. In a nutshell, traceroute works by sending a packet with a time to live of one. The reason for that is that routers decrement the time to live, and when it hits zero, it throws the packet away and sends back a message. So when you send a packet with a TTL of one, the first router drops it and sends you a message. Then traceroute sends the same packet with a TTL of two. The first router is okay, the second router changes it down to a zero, sends a message, and it just keeps doing that until it gets to the destination. But that’s, in a nutshell, how traceroute works.

  1. Demo – Examining Routing

All right, let’s take a look at the route command. So it’s telling me it doesn’t like that, so let me make sure I am in the route option. And now let’s try the route command. And now you can see my routing table showing up in just a minute. Now it’s taking a little bit of time to pull it all up. The first one was pretty straightforward, because it was actually the network that my network card is attached to. And then the next one is the only other route of my routing table: the default route. Technically, the destination would have read 0.0.0.0 if you looked at it as an IPv4 address. The mask is appropriately also 0.0.0.0. So they often call it out as the 0.0.0.0 route, and that’s the address of my gateway to get out on that default route. All right, well that seems pretty straightforward.

Let’s take a look at the cat command and let’s go to /proc/sys/net/ipv4 and look at the ip_forward configuration. And there it shows me the counter. It says right there that that counter being a zero means I’m not a router. And that’s something I wouldn’t expect to be. So by taking a look at that, we can tell whether or not we’re actually doing the work of routing. Now, I could tell you that anyway, just because ifconfig tells me I have only one Ethernet card, and to be a router, I need to have at least two. Some of you might argue you could be a router on a stick, but that’s more of the very advanced stages of routing.

So most often, when we look at routing, we have to have two cards, so we have an in and an out. All right, finally another command, let me clear the screen, is traceroute. Traceroute is kind of a nice program that we use to determine if we’re taking the best path to get from where we are to where we want to go. So we’re going to do a traceroute to google.com. And what it will do, basically, if you’ve not heard of what traceroute does, is it sends a packet to your destination, in this case Google, and it sets the time to live at the IP layer to a value of one. Now each router, as it grabs these packets, will decrement that time to live by a value of one. And if the value goes from one to zero, then the router throws it away. So that’s what we’re seeing here.

We’re seeing that the first router grabbed it, took the first packet with a TTL of one, decremented it by one, it became a zero, and it threw it away. And when it did, it sent a message back saying basically, here, this is me, I just threw the packet away. Here’s another one from the next hop, a service provider router. The next one, then, it looks like they handed it off to this other service provider. It bounced around in theirs for a while and then it just took off to a couple of other service providers all the way through until it got to the destination. So traceroute just kept going: the first packet had a TTL of one, then a TTL of 2, 3, 4, 5, 6, 7, all the way through until it got to its destination.

And then it said, well, okay, I got to my destination and hopefully you got all the messages back about the path. Now, some machines will block this. You might see asterisks, asterisks, asterisks, because some machines refuse to reply with that information. Some may be behind firewalls trying to keep it from coming out. So it’s not unusual. More often today, I guess, you would get a lot of asterisks towards the end of the path. All right, well, there’s some information about the routing and, of course, the direction that we took. You noticed here the very first hop was 192.168.1.1, which was our default gateway information we saw when we typed the route command.
