System Hardening

In this tutorial we are going to work on the firewall configuration of your machine. Some care must be taken when doing this, or you will suddenly find you can no longer log in!

In all these cases the easiest way to do the experiment is to CREATE an executable program in /root called "firewall". Start your editor and edit "firewall". Cut and paste the following into that file:

#!/bin/bash
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
# Make sure ssh and telnet stay working, and that users on
# other VMs cannot log in.
#
# --- Put a rule here if you want to be inserting at the start of INPUT
#
iptables -A INPUT -i eth0 -p tcp --dport ssh ! -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport telnet ! -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport http -j ACCEPT
#
# Sockets, once connected, continue to work
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Your changes go after here.
#

Do "chmod +x ./firewall" and then just "./firewall" to configure the firewall. Execute it once and they press the check button to make sure everything is set up ok.

After executing this file you can use "iptables -L" to show you what rules have been stored in the kernel. The provided rule uses a default policy of ACCEPT. Later on we look at the default policy of DROP.

Add two users to the system, "dave" and "jim".

adduser dave
adduser jim

The "lwp-request" command goes to the web and downloads something. This As dave, run

lwp-request http://linuxzoo.net/ncsi.txt > gotit

To secure a webserver you could make sure server-side scripts run as different users, and then build firewall rules to police what users are allowed to do what. In this case user "jim" is the user whose identity is used to run scripts.

Now modify the firewall so that jim cannot initiate access the internet. He will still need access in general, otherwise when you become that user your ssh session will die.

In the firewall file, edit the file and at the end insert the following line and then execute the file again (or just run the command on its own):

iptables -A OUTPUT -o eth0 -m state --state NEW -m owner --uid-owner jim -j DROP

Once the change is made "su" to jim and try the lwp-request again. Do

cat gotit

In this question we will set up a server side script with a security problem.

Note each time you make a configuration change to the Apache server you must restart (or at the very least reload) the http service. Remember to start apache for the first time do:

service httpd start

service httpd reload

Now get the web server running...

Now we will create a simple server-side script. With an editor and while you are user dave, edit /var/www/cgi-bin/hack.htm and insert the following code.

#!/usr/bin/perl
use strict;
use CGI qw(:standard);
import_names("Q");
print header('-X-XSS-Protection'=>0);
print '<body>';
print h1 "Welcome to hack";
print p "Glad to have you back $Q::user\n";
print '</body>';

You also need to "chmod o+x /var/www/cgi-bin/hack.htm".

You can access this via the browser using "http://YOURHOSTNAME/cgi-bin/hack.htm?user=Gordon", where YOURHOSTNAME is the string given when you type "hostname". The string "Gordon" can be replaced with any name you like. Try it.

This script hosts a cross-scripting issue. If "user=gordon" become something more risks, like

hack.htm?user=gordon<script>alert("YouAreHacked")</script>

Note that in chrome (and presumably others) it detecte this as an XSS problem and protected the browser automatically. I had to disable this safety check using a flag in the script.

The right thing to do here is to sanitise the script. To do this edit the file and delete the last two lines:

print p "Glad to have you back $Q::user\n";
print '</body>';

my $u=$Q::user;
$u = "hacker" if $u !~ m/^[a-zA-Z0-9]+$/;
print p "Glad to have you back $u\n";
print '</body>';