Lab6 Oracle Linux 6 Basic Network Security Administration

Academic year: 2021



Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.

The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Oracle Training Materials – Usage Agreement

Use of this Site (“Site”) or Materials constitutes agreement with the following terms and conditions:

1. Oracle Corporation (“Oracle”) is pleased to allow its business partner (“Partner”) to download and copy the information, documents, and the online training courses (collectively, “Materials") found on this Site. The use of the Materials is restricted to the non-commercial, internal training of the Partner’s employees only. The Materials may not be used for training, promotion, or sales to customers or other partners or third parties.

2. All the Materials are trademarks of Oracle and are proprietary information of Oracle. Partner or other third party at no time has any right to resell, redistribute or create derivative works from the Materials.

3. Oracle disclaims any warranties or representations as to the accuracy or completeness of any Materials. Materials are provided "as is" without warranty of any kind, either express or implied, including without limitation warranties of merchantability, fitness for a particular purpose, and non-infringement.

4. Under no circumstances shall Oracle or the Oracle Authorized Delivery Partner be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this Site of Materials. As a condition of use of the Materials, Partner agrees to indemnify Oracle from and against any and all actions, claims, losses, damages, liabilities and expenses (including reasonable attorneys' fees) arising out of Partner’s use of the Materials.

5. Reference materials including but not limited to those identified in the Boot Camp manifest cannot be redistributed in any format without Oracle written consent.

Basic Network and Security Administration

V1.0 January 2013

1 Introduction

In this lab, we will learn about Basic Network and Security Administration on Oracle Linux 6.

With a few basic exercises we will introduce the learner to some ways to perform Network and Security administration. We will introduce you to Network Configuration tools and configuration files. As part of Security Administration, we will cover the Service Configuration Tool, SELinux, Firewall and Security Updates topics. Upon completion of this lab, participants will have learned about basic Network configuration and important aspects of security administration.

2 Overview

In this lab we’ll be practicing with some of the Oracle Linux 6 network and security administration tasks.

Some of the commands and concepts we’ll review in this lab are listed below.

• NetworkManager Tool and System-config-network utility
• Network Interface Configuration Files and Command Line Utilities
• Bonding
• Service Configuration Tool
• SELinux Introduction
• Firewall Configuration Tool and IPtables
• Common Vulnerabilities and Exposures (CVE) security updates

This practice can be accomplished with a single VirtualBox Oracle Linux 6.3 instance with some added virtual network interfaces.


3 Pre-requisites

This lab requires the use of the following elements:

• A current 64 bit laptop with at least 2GB RAM and 20GB free disk space
• Operating system: A 64-bit version of Microsoft Windows, Mac OS X, Linux or Solaris. Alternatively, a 32-bit host OS installed on a 64-bit CPU with VT-x/AMD-V enabled in the BIOS.
• Oracle VirtualBox Software 4.2.10 or later (with Extension Pack installed)
• Oracle Linux 6.3 instance running inside VirtualBox:
  o VM Image provided by instructor or downloaded on your own
  o Installed in Lab 1 of Oracle Linux 6 Boot camp

The following assumptions have been made regarding the environment where this lab is being performed:

1. Network connectivity to the Internet is available

2. Your Oracle Linux 6.3 VirtualBox instance has been installed and you’ve assigned a normal user/password and a ‘root’ user password.

a. The recommended user name is ‘student1’
b. The recommended password is ‘oracle’
c. The recommended root password is ‘oracle’

4 VirtualBox lab setup

If you already have an instance of Oracle Linux 6.3 installed in VirtualBox or have already imported the Oracle Linux 6.3 image, you can skip this section and proceed to the Labs in Section 5. If you need to import the Oracle Linux 6.3 appliance (image in ova file provided for this training) then complete the steps in this section before you start with the Labs.

1 - In the VirtualBox main window choose File > Import Appliance …


2 - From the Appliance Import Wizard click the Open appliance.. button and navigate to the Oracle_Linux_6_Bootcamp.ova file, which is the pre-built Oracle Linux 6.3 VM image you downloaded or obtained from the instructor.

3 - Navigate to the folder where you downloaded or copied the Oracle Linux 6.3 Prebuilt image and click Open. The file is named Oracle_Linux_6_Bootcamp.ova.


Appliance to import screen

5 - Confirm the default settings and choose “Import” to begin importing the virtual image. If you see a License Agreement window, read and accept the license.

6 - The progress bar will show the import progress. It usually looks slow in the beginning, but this shouldn’t take more than a few minutes.


7 - Your new image has been imported and is ready for use. Select the Oracle Linux 6 Bootcamp image.

8 - After your image has finished importing select it in the VB application and choose “Settings” and review settings.

Once you have reviewed the settings, you can select the image and click the Start button to boot Oracle Linux 6. After booting, login as ‘root’ user and activate your network connection to start using the image.


5 Lab Exercises

5.1 NetworkManager Tool and System-config-network utility

NetworkManager is a dynamic network control and configuration application that attempts to keep network devices and connections up and active when they are available. NetworkManager consists of a core daemon, a GNOME Notification Area applet that provides network status information, and graphical configuration tools that can create, edit and remove connections and interfaces. NetworkManager can be used to configure some of the following types of connections: Ethernet, wireless, mobile broadband (such as cellular 3G), and DSL and PPPoE (Point-to-Point over Ethernet). In addition, NetworkManager can help with configuration of network aliases, static routes, DNS information and VPN connections, as well as many connection-specific parameters.

NetworkManager should be installed by default on Oracle Linux 6 systems. If by chance you do not have NetworkManager installed, you can install it using the ‘yum install NetworkManager’ command. To check if you have NetworkManager installed, you can run the following ‘rpm’ query command.

Once you have confirmed that NetworkManager is installed on your system, you can start by reading the man page of NetworkManager.


You should next check and confirm that NetworkManager Service is running on the system using the service command as shown below.

You can use the ‘chkconfig’ command to see the init runlevels for which this NetworkManager service will be started. The output below shows that this service starts in runlevels 2, 3, 4 and 5.


Area applet. The NetworkManager applet icon can be seen in the GNOME panel assuming that the NetworkManager package is installed on your system and the applet is running on your system. You can check whether the applet is running by using the ps command as shown below.

If you need to start it, you can run the ‘nm-applet &’ command. You can also check and confirm that this applet is included in the list of startup applications. You can check the list of startup applications under the System->Preferences->Startup


In the Startup Applications window, scroll down to the Network Manager program and make sure it is selected for startup. See screenshot below.


You can also view the Network Manager Startup program by selecting it in the program list and then clicking the Edit button. This will show you the program name and command that it runs to start this program during startup of the system.


On the top right corner of your Desktop is the NetworkManager applet icon which shows the status of your Network connection. In the screenshot below, it shows Wired Network connection that is enabled.

If you use the mouse and right click on the NetworkManager applet icon, you will see the options similar to what is shown below. You can enable networking, enable notifications, see connection information, and edit connections using this applet.

Right click the applet icon and then click the Connection information in the NetworkManager applet icon.


screenshot below. You can find the Interface name, speed, IP address, DNS server information etc. in this window for your network connection.

To edit the network connections, you can right click the icon and then select the Edit Connections option.


This will launch the Network Connections window where you can see the Names of all your network interfaces on your system. In the example below, we have System ‘eth0’ network interface that is active and enabled.

Select the ‘System eth0’ network interface and click Edit button. In the Edit window, you can see the network interface parameters that can be modified like the MTU size, IPv4 settings, IPv6 settings etc.


Note that at the bottom of the Edit window there is a setting called ‘Connect automatically’. This will enable the interface and establish the network connection for this ‘eth0’ network interface automatically during the system boot-up process. If the box is unchecked, you will have to select that connection manually in the NetworkManager applet's left-click menu to cause it to connect after every reboot of the system.

There is another way to add/edit/delete network connections. You can run the ‘nm-connection-editor’ command from the command line as shown below to launch the Network Connections window.


Network Administration Tool (system-config-network)

Previous versions of Oracle Linux shipped with the Network Administration Tool, which was commonly known as the ‘system-config-network’ tool after its command line invocation. In Oracle Linux 6 and RHEL 6, NetworkManager replaces the former Network Administration Tool while providing enhanced functionality, such as user-specific and mobile broadband configuration. NetworkManager is the recommended and preferred way on Oracle Linux 6 and we already covered this in the earlier section. It is also possible to configure the network in Oracle Linux 6 by editing interface configuration files. We will look at the network configuration files in the next lab. We will not do a lab using the system-config-network tool. But you can run this tool from the command line and familiarize yourself with it by running the system-config-network command. The ‘/etc/sysconfig/networking/’ directory is used by the Network Administration Tool (system-config-network) and its contents should not be edited manually.

Note: Do not make any changes or configure anything using this tool, just review it


5.2 Network Interface Configuration Files and Command Line Utilities

The configuration files for network interfaces are located in the ‘/etc/sysconfig/network-scripts/’ directory. The scripts used to activate and deactivate these network interfaces are also located in this directory. Although the number, name and type of interface files can differ from system to system, there are three categories of files that exist in this directory:

1. Interface configuration files
2. Interface control scripts
3. Network function files

The files in each of these categories work together to enable various network devices. The primary network configuration files on Oracle Linux systems are as follows:

/etc/hosts

The main purpose of this file is to resolve hostnames that cannot be resolved any other way. It can also be used to resolve hostnames on small networks with no DNS server. Regardless of the type of network the computer is on, this file should contain a line specifying the IP address of the loopback device (127.0.0.1) as localhost.localdomain. For more information, refer to the hosts(5) man page.

/etc/resolv.conf

This file specifies the IP addresses of DNS servers and the search domain. Unless configured to do otherwise, the network initialization scripts populate this file. For more information about this file, refer to the resolv.conf(5) man page.

/etc/sysconfig/network

This file specifies routing and host information for all network interfaces.

/etc/sysconfig/network-scripts/ifcfg-interface-name

For each network interface, there is a corresponding interface configuration script. Each of these files provide information specific to a particular network interface.

/etc/sysconfig/networking/

The /etc/sysconfig/networking/ directory is used by the Network Administration Tool and its contents should not be edited manually.

/etc/nsswitch.conf

The Name Service Switch (NSS) configuration file, /etc/nsswitch.conf, is used by the GNU C Library to determine the sources (NIS, DNS, files) from which to obtain name-service information in a range of categories, and in what order. The order of the services listed determines in which order NSS will attempt to use those services to resolve queries on the specified database.


Interface configuration files control the software interfaces for individual network devices. As the system boots, it uses these files to determine what interfaces to bring up and how to configure them. These files are usually named ifcfg-name, where name refers to the name of the device that the configuration file controls.

We will now look at all the files/directories that we discussed above on our Oracle Linux 6 system and get a better understanding. The output below is for the ‘/etc/hosts’ file for a Linux system. Note this file contains a line specifying the IP address of the loopback device (127.0.0.1) as localhost.

[root@examplehost /]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.2.15 examplehost.com examplehost
[root@examplehost /]#

The resolver configuration file is the ‘/etc/resolv.conf’ file and it contains information that is read by the resolver routines to resolve DNS host names. A sample file is shown below.

[root@examplehost /]# cat /etc/resolv.conf
# Generated by NetworkManager
search com
nameserver 192.XXX.XX.XXX
nameserver 130.XX.XX.XX
[root@examplehost /]#


The hostname is defined in the ‘/etc/sysconfig/network’ file as can be seen from the file below.

[root@examplehost /]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=examplehost.com
[root@examplehost /]#

Examine the files in the ‘/etc/sysconfig/network-scripts’ directory. In this directory, you will find the ‘ifcfg-eth0’ file which controls the first Ethernet network interface card (NIC) in the system. Each device has its own configuration file. In a system with multiple NICs, there are multiple ifcfg-ethX files (where X is a unique number corresponding to a specific interface).

If you are connecting to the Internet via a dialup connection, a configuration file is necessary for the interface and it is the ifcfg-pppX file where X is the number corresponding to the interface. The ifcfg-lo file is the local loopback interface file. The following are common interface control scripts found within the ‘/etc/sysconfig/network-scripts/’ directory.

The ifup-ippp and ifdown-ippp files bring the ISDN interfaces up and down.


The ifup-ppp and ifdown-ppp files bring a PPP interface up or down.

The ifup-routes file adds static routes for a device as its interface is brought up.

For more details refer to the Networking Documentation in the Deployment Guide. Reference links to the documentation are provided in the References section of this document.

Enclosed below is a sample directory listing of the ‘/etc/sysconfig/network-scripts’ directory. Examine this directory on your system and familiarize yourself with the files.

[root@examplehost /]# ls /etc/sysconfig/network-scripts/
ifcfg-eth0   ifdown-ipv6   ifdown-tunnel  ifup-ipv6   ifup-routes    network-functions
ifcfg-lo     ifdown-isdn   ifup           ifup-isdn   ifup-sit       network-functions-ipv6
ifdown       ifdown-post   ifup-aliases   ifup-plip   ifup-tunnel
ifdown-bnep  ifdown-ppp    ifup-bnep      ifup-plusb  ifup-wireless
ifdown-eth   ifdown-routes ifup-eth       ifup-post   init.ipv6-global
ifdown-ippp  ifdown-sit    ifup-ippp      ifup-ppp    net.hotplug
[root@examplehost /]#

[root@examplehost /]# cd /etc/sysconfig/network-scripts/
[root@examplehost network-scripts]# cat ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="dhcp"
NM_CONTROLLED="yes"
ONBOOT="no"
TYPE="Ethernet"
UUID="f6798076-24ee-4f94-9cfe-5dd98c1c2b5e"
HWADDR=08:00:27:35:A3:D1
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"

The following is a short description of important parameters in this file.

DEVICE=name
where name is the name of the physical device

BOOTPROTO=protocol
where protocol is one of the following:
• none — No boot-time protocol should be used.
• bootp — The BOOTP protocol should be used.
• dhcp — The DHCP protocol should be used.

IPADDR=address
where address is the IP address.

In the example above, this parameter is not present because this system receives a DHCP-assigned address rather than a static IP address.


ONBOOT=yes or no
• yes — This device should be activated at boot-time.
• no — This device should not be activated at boot-time.

USERCTL=yes or no
• yes — Non-root users are allowed to control this device.
• no — Non-root users are not allowed to control this device.
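As an added example (not part of the Oracle lab), the following POSIX shell script reads the KEY=VALUE format of an ifcfg file the way the network scripts do and reports the settings a reviewer would question: USERCTL=yes, ONBOOT not set to yes, and a static BOOTPROTO without an IPADDR. The sample ifcfg-eth0 is constructed from the lab's DHCP example, with a USERCTL=yes line added so the audit has something to report, and is written to a scratch directory rather than /etc/sysconfig.

```shell
#!/bin/sh
# Added example, not from the Oracle lab: audit ifcfg-<name> files.
# Works only on a constructed copy in a scratch directory.

# ifcfg_get FILE KEY: print KEY's value with surrounding double quotes removed.
# If a key is assigned twice the last assignment wins, exactly as when the
# network scripts source the file with the shell.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# ifcfg_audit FILE: print one line per finding (prints nothing for a clean file).
ifcfg_audit() {
    f=$1
    dev=$(ifcfg_get "$f" DEVICE)
    [ -n "$dev" ] || echo "$f: no DEVICE= line, the scripts cannot map this file to a NIC"
    # USERCTL=yes lets non-root users bring the interface up and down
    [ "$(ifcfg_get "$f" USERCTL)" = "yes" ] && echo "$dev: USERCTL=yes allows non-root users to control this device"
    # ONBOOT=no means the interface must be activated by hand after every reboot
    [ "$(ifcfg_get "$f" ONBOOT)" = "yes" ] || echo "$dev: ONBOOT is not yes, interface will not be activated at boot"
    # A static configuration (BOOTPROTO=none) is incomplete without IPADDR
    case "$(ifcfg_get "$f" BOOTPROTO)" in
        none|static)
            [ -n "$(ifcfg_get "$f" IPADDR)" ] || echo "$dev: BOOTPROTO=none but no IPADDR given"
            ;;
        dhcp|bootp) ;;
        *) echo "$dev: unrecognised BOOTPROTO value" ;;
    esac
    return 0
}

# write_sample DIR: write a constructed ifcfg-eth0 modelled on the lab's DHCP
# example (USERCTL=yes added deliberately) and print its path.
write_sample() {
    cat > "$1/ifcfg-eth0" <<'EOF'
DEVICE="eth0"
BOOTPROTO="dhcp"
NM_CONTROLLED="yes"
ONBOOT="no"
TYPE="Ethernet"
USERCTL=yes
NAME="System eth0"
EOF
    echo "$1/ifcfg-eth0"
}

# Stand-alone run: audit the constructed sample in a scratch directory.
tmp=$(mktemp -d)
sample=$(write_sample "$tmp")
ifcfg_audit "$sample"
rm -rf "$tmp"
```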

We will use the ‘ifconfig’ command below to check the status of our network interfaces. Examine the output carefully and you will notice there is information for ‘eth0’ and ‘lo’ interfaces. The ‘eth0’ interface corresponds to the NIC configured on this system. In the ‘eth0’ section, you will find the hardware address, IP address, broadcast address, netmask, status (UP), and transmit/receive packets, errors etc. This output is useful to debug network connectivity issues.

[root@examplehost network-scripts]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:35:A3:D1
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe35:a3d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:758640 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84456 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1019820253 (972.5 MiB)  TX bytes:5814968 (5.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2395 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2395 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:125243 (122.3 KiB)  TX bytes:125243 (122.3 KiB)


The ‘ifconfig’ command is soon going to become obsolete. You can use the ‘ip’ command which serves a similar purpose as the ‘ifconfig’ command. The ‘ip link’ command will show you the network devices configuration.

The ‘ip addr’ command will show you the IP address information. See example output below. You can read the man pages of the ‘ip’ command to see all the available options and syntax of this command.


The interface control scripts activate and deactivate system interfaces. There are two primary interface control scripts that call on control scripts located in the ‘/etc/sysconfig/network-scripts/’ directory: ‘ifdown’ and ‘ifup’.

Run the ‘ifdown eth0’ command to deactivate the ‘eth0’ interface, and confirm using ping or a browser that the network connection is no longer active.

[root@examplehost network-scripts]# ifdown eth0
Device state: 3 (disconnected)
[root@examplehost network-scripts]#

Also, check the ‘ifconfig’ output and compare the difference between the previous output of a working ‘eth0’ NIC and this one below of a ‘eth0’ NIC which has been deactivated. In the output below, you will notice there is no IP address assigned and hence this NIC is inactive.

[root@examplehost network-scripts]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:35:A3:D1
          inet6 addr: fe80::a00:27ff:fe35:a3d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:758640 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84458 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1019820253 (972.5 MiB)  TX bytes:5815076 (5.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2395 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2395 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:125243 (122.3 KiB)  TX bytes:125243 (122.3 KiB)


Bring back the ‘eth0’ network interface by running the ‘ifup’ command as shown below.

[root@examplehost network-scripts]# ifup eth0
Active connection state: activating
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/2
state: activated
Connection activated


The next tool we will learn about is ‘ethtool’. ‘Ethtool’ is a utility for configuration of Network Interface Cards (NICs). This utility allows querying and changing settings such as speed, port, auto-negotiation, PCI locations and checksum offload on many network devices, especially Ethernet devices.

As always, start by reading the man pages of the ‘ethtool’ utility.

[root@examplehost /]# man ethtool

Run the ‘ethtool <device name>’ command as shown in example below to see the output displayed by this tool.


(half duplex, full duplex), auto-negotiation of network speed etc. You can read the ‘ethtool’ documentation here and try changing these settings for your device name to get an understanding of this tool.

There are two other tools that are commonly used in network administration that we will briefly discuss. The ‘netstat’ and ‘route’ commands are two commands that are often used to resolve network routing issues. The ‘netstat’ command can be used to print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Read and get familiarized with the ‘netstat’ man pages and try this command on your system. The ‘route’ command can also be used to show / manipulate the IP routing table. The ‘ip route’ command can also provide similar information as provided by the ‘route’ command. We will let you explore the ‘route’ command on your own by reading the man pages and trying it out on your setup.

You can use the ‘service’ command as shown below to check status, stop, start, restart etc.

[root@examplehost /]# service network
Usage: /etc/init.d/network {start|stop|status|restart|reload|force-reload}
[root@examplehost /]#

In the output below, we check the network status and find from the output that there are 2 interfaces (eth0 and lo) configured and both these interfaces are active.

[root@examplehost /]# service network status
Configured devices:
lo eth0
Currently active devices:
lo eth0


This concludes the networking lab.

5.3 Bonding

The Linux bonding driver provides a method for aggregating multiple network interfaces into a single logical "bonded" interface. In Oracle Linux 6, you can bind network interface cards (NICs) together into a single channel using the bonding kernel module and a special network interface, called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.

The following example shows how to setup a bonding device and enslave two real Ethernet devices (eth1 and eth2) to it:

# modprobe bonding
# ifconfig bond0 192.208.0.1 netmask 255.255.0.0
# ifenslave bond0 eth1 eth2

The ‘ifenslave’ tool can be used to attach and detach slave network devices to a bonding device.

Configuring Bonding:

We will take a closer look at the steps to configure bonding in Oracle Linux 6. Since most of our laptop VirtualBox environments have a single physical network interface card and rely on DHCP for their IP address, we will not do this lab. But if you have a setup available with multiple NICs and have assigned IP addresses then you can try the steps below on your setup.

We will document the steps required to configure a ‘bond0’ which bonds interfaces ‘eth0’ and ‘eth1’. The first step is to make sure your Oracle Linux bonding driver is loaded using the ‘modprobe’ command as shown below.


Next step is to create a new file named ‘bonding.conf’ in the ‘/etc/modprobe.d/’ directory. Note that you can name this file anything you like as long as it ends with a .conf extension. Insert the following line in this new file:

alias bond<N> bonding

where bond<N> corresponds to our bonding interface. In our example, this will be bond0. Sample ‘/etc/modprobe.d/bonding.conf’ file is shown below.

After you have created the ‘/etc/modprobe.d/bonding.conf’ file, create the ‘/etc/sysconfig/network-scripts/ifcfg-bond<N>’ file. In our case, we will create the ‘/etc/sysconfig/network-scripts/ifcfg-bond0’ file as shown below. The DEVICE name is ‘bond0’, and we assign an IP address and Netmask value for the bonding interface. The ONBOOT=yes parameter means this interface will be activated at boot time. In the BONDING_OPTS parameter, we specify the mode and miimon values. The mode allows you to specify the bonding policy like modes 0, 1, 2 etc. Mode 0 sets a round-robin policy for fault tolerance and load balancing. Mode 1 (active-backup) sets an active-backup policy for fault tolerance. The miimon value specifies how often MII link monitoring occurs in milliseconds. Refer to the Networking Documentation for more details.


Create the ‘ifcfg-eth0’ and ‘ifcfg-eth1’ files for the 2 physical NICs that are being bonded. Sample files are shown below. Note that these files contain the MASTER and SLAVE directives. The MASTER value is set to the channel bonding interface to which the Ethernet interface is linked.


This completes the configuration. You can now enable bonding by running the ‘ifconfig bond0 up’ command or rebooting the system. When you reboot the system, you will see the following boot time messages when bonding is being setup:
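As an added example (not part of the Oracle lab), the following POSIX shell script carries the bonding procedure above through in a staging directory: it writes the modprobe.d alias, the ifcfg-bond0 file with BONDING_OPTS, and one MASTER/SLAVE ifcfg file per physical NIC, then cross-checks that every file naming MASTER=bond0 is also SLAVE=yes before anything would be copied into /etc. The staging path, the address 192.168.50.10/255.255.255.0 and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Oracle lab: stage and cross-check a bonding
# configuration under a scratch root instead of editing /etc directly.

# gen_bond ROOT BOND IPADDR NETMASK SLAVE...: write the bonding files under ROOT.
# mode=1 (active-backup) and miimon=100 are the values the lab discusses.
gen_bond() {
    root=$1; bond=$2; ip=$3; mask=$4
    shift 4
    mkdir -p "$root/etc/modprobe.d" "$root/etc/sysconfig/network-scripts"
    # /etc/modprobe.d/bonding.conf: alias bond<N> bonding
    printf 'alias %s bonding\n' "$bond" > "$root/etc/modprobe.d/bonding.conf"
    # ifcfg-bond<N>: the logical interface carries the address and the options
    cat > "$root/etc/sysconfig/network-scripts/ifcfg-$bond" <<EOF
DEVICE=$bond
IPADDR=$ip
NETMASK=$mask
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="mode=1 miimon=100"
EOF
    # one ifcfg per physical NIC, pointing at its MASTER and marked SLAVE
    for nic in "$@"; do
        cat > "$root/etc/sysconfig/network-scripts/ifcfg-$nic" <<EOF
DEVICE=$nic
BOOTPROTO=none
ONBOOT=yes
MASTER=$bond
SLAVE=yes
USERCTL=no
EOF
    done
}

# check_bond ROOT BOND: print "slave: <dev>" for each consistent slave file and
# fail (non-zero) unless the alias, the bond's own ifcfg with BONDING_OPTS, and
# at least two slave files with MASTER=BOND and SLAVE=yes are all present.
check_bond() {
    root=$1; bond=$2
    scripts=$root/etc/sysconfig/network-scripts
    grep -qx "alias $bond bonding" "$root/etc/modprobe.d/"*.conf \
        || { echo "no modprobe alias for $bond"; return 1; }
    grep -q '^BONDING_OPTS=' "$scripts/ifcfg-$bond" \
        || { echo "ifcfg-$bond lacks BONDING_OPTS"; return 1; }
    n=0
    for f in "$scripts"/ifcfg-*; do
        grep -qx "MASTER=$bond" "$f" || continue
        grep -qx "SLAVE=yes" "$f" \
            || { echo "$f names MASTER=$bond but is not SLAVE=yes"; return 1; }
        echo "slave: $(sed -n 's/^DEVICE=//p' "$f")"
        n=$((n + 1))
    done
    [ "$n" -ge 2 ] || { echo "only $n slave file(s) found for $bond"; return 1; }
}

# Stand-alone run: stage bond0 over eth0 and eth1 in a scratch root and check it.
stage=$(mktemp -d)
gen_bond "$stage" bond0 192.168.50.10 255.255.255.0 eth0 eth1
check_bond "$stage" bond0 && echo "staged bonding configuration under $stage is consistent"
rm -rf "$stage"
```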

You can also check the ‘/var/log/boot.log’ messages of your system after the system has booted if you miss seeing the above messages during boot time.

Once the system has booted, you can verify if bonding is setup correctly. On the top right corner of your Desktop is the NetworkManager applet icon which shows the status of your Network connection. If you click the icon, you will see the ‘System bond0’ configured as shown below.

If you right click the NetworkManager applet icon, you can view the Connection information.


See the example screenshot for Connection Information below. There will be two tabs, corresponding to each of the two network interfaces (eth0 and eth1) that form the bonded connection.


An ‘ifconfig’ output for a system with bonding configured will show the ‘bond0’ interface. See sample screenshot below.

You can also test the network and verify that everything is working correctly. This concludes the lab on bonding.

5.4 Service Configuration Tool

Maintaining security of your Linux system is extremely important, and one of the tasks is to manage access to system services carefully. There are several different methods for managing access to system services. The easiest way to deny access to a service is to turn it off. Both the services managed by ‘xinetd’ and the services in the ‘/etc/rc.d/init.d’ hierarchy (also known as SysV services) can be configured to start or stop with the Service Configuration Tool. This Service Configuration Tool is a graphical tool for enabling and disabling services (including xinetd services). Functionality to start, stop, and restart services is also included.

Note: You must be running the X Window System and have root privileges to use the


There are 2 ways to run the Service Configuration tool:

1) Running from the command line – ‘system-config-services’ command
2) Running from the GUI - System -> Administration -> Services menu

To start the application on the desktop, go to the main menu on the panel and click on System -> Administration -> Services.


and also using the command line. But before checking the status of ‘httpd’ service, verify that the ‘httpd’ package is installed on your Oracle Linux 6 system.

Check to see if the httpd package is installed:

[root@examplehost /]# rpm -qa | grep httpd
httpd-tools-2.2.15-15.0.1.el6_2.1.x86_64
httpd-2.2.15-15.0.1.el6_2.1.x86_64
[root@examplehost /]#

Check the status of the ‘httpd’ service using the ‘service’ command:

[root@examplehost /]# service httpd status
httpd is stopped
[root@examplehost /]#

Run the ‘system-config-services’ command if you want to verify the status of a service using the GUI. Example screenshot below shows that the service is disabled.


Start the ‘httpd’ service using the command line as shown below. Ignore the warning about FQDN if you see it; just make sure the service has started.

[root@examplehost /]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using examplehost.com for ServerName
                                                           [  OK  ]
[root@examplehost /]#

To verify or check the status of the ‘httpd’ service, you can run the following command:

[root@examplehost /]# service httpd status
httpd (pid 5055) is running...


You can also verify the status of a service in the GUI by running the Service Configuration Tool.

Now that the httpd service (Apache web server) is running on the system, we can open the Firefox browser and go to http://localhost. You should expect to see the Apache home page if the service is running correctly.


The ‘chkconfig’ command can be used to check the status of service for various init runlevels. If you want to check the ‘httpd’ service status for different run levels then you can run the following ‘chkconfig’ command. In the example below, we see that the httpd service is initially off for all run levels. We then turn on this service using the ‘chkconfig httpd on’ command. Note that after turning on this ‘httpd’ service, this ‘httpd’ service is turned on for run levels 2, 3, 4 and 5 and it takes effect on the next reboot of the system. Similarly, you can run the ‘chkconfig httpd off’ command to turn off the ‘httpd’ service for run levels 2,3,4 and 5 but this takes effect upon the next reboot of the system.

[root@examplehost /]# chkconfig --list | grep httpd
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@examplehost /]#
[root@examplehost /]# chkconfig httpd on
[root@examplehost /]#
[root@examplehost /]# chkconfig --list httpd
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@examplehost /]#

Stop the ‘httpd’ service as shown below.

[root@examplehost /]# service httpd status
httpd (pid 5055) is running...
[root@examplehost /]# service httpd stop
Stopping httpd:                                            [  OK  ]
[root@examplehost /]#

acpid          Advanced Configuration and Power Interface event daemon
atd            Run commands scheduled by at command
auditd         Linux auditing system daemon
autofs         Auto-mount file systems on demand
bluetooth      Trigger bluetoothd start-up
crond          Service to run scheduled commands via crond daemon
cups           Common Unix printing system service
ip6tables      IPv6 IPtables firewall service
iptables       IPv4 IPtables firewall service
kdump          Helps loading kdump kernel into memory
lvm2-monitor   Monitors LVM2 disk volumes
network        Bring up/down networking on a system
nfs            This service provides the NFS server functionality
ntpd           Ntpd is the Network Time Protocol daemon to synch time
postfix        Postfix mail transport agent service
rsyslog        Rsyslog logging service
sshd           Starts the OpenSSH server daemon
ypbind         NIS daemon running on NIS clients to bind to NIS domain

Now that you have learned how to use the Service Configuration tool and the service/chkconfig commands, you can decide which services to enable and which ones to disable depending on your deployment requirements. The non-essential services in your deployment should be disabled to make the system more secure and also to improve performance by reducing the resource utilization of unneeded services.
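One way to turn that advice into a repeatable check, as an added example that is not part of this lab: the script below reads ‘chkconfig --list’ output and reports every service that starts in runlevel 3 or 5 but is not on an allow-list, then emits the ‘chkconfig’ and ‘service’ commands that would disable the rest. The sample output and the allow-list are constructed for the example; a real deployment substitutes its own list.

```shell
#!/bin/bash
# Added example, not part of the Oracle lab: audit `chkconfig --list` output
# against an allow-list of services that are expected to start at boot, and
# emit the chkconfig/service commands that would disable the rest.

# Constructed sample of `chkconfig --list` output (SysV section plus the
# xinetd section that chkconfig prints after it).
SAMPLE_CHKCONFIG='acpid          0:off 1:off 2:on  3:on  4:on  5:on  6:off
auditd         0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:off 3:on  4:on  5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog        0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
ypbind         0:off 1:off 2:off 3:on  4:on  5:on  6:off

xinetd based services:
        chargen-dgram:  off
        rsync:          off'

# Services this (assumed) deployment needs at boot; adjust per system.
ALLOWED_SERVICES="auditd iptables rsyslog sshd"

# audit_boot_services "<allow-list>" < chkconfig_output
# Prints each SysV service that is "on" in runlevel 3 or 5 (the multi-user
# runlevels a server boots into) but is not in the allow-list.
# xinetd entries have no per-runlevel fields and are skipped here.
audit_boot_services() {
    allowed=" $1 "
    while read -r svc levels; do
        case "$levels" in
            *3:on*|*5:on*)
                case "$allowed" in
                    *" $svc "*) ;;          # approved, nothing to report
                    *) echo "$svc" ;;       # enabled at boot but not approved
                esac
                ;;
        esac
    done
}

# remediation_commands "<allow-list>" < chkconfig_output
# Turns the audit findings into the commands an administrator would review
# and run: chkconfig so it no longer starts at boot, service to stop it now.
remediation_commands() {
    audit_boot_services "$1" | while read -r svc; do
        echo "chkconfig $svc off; service $svc stop"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CHKCONFIG" | audit_boot_services "$ALLOWED_SERVICES"
printf '%s\n' "$SAMPLE_CHKCONFIG" | remediation_commands "$ALLOWED_SERVICES"
```

On a live system the input comes from ‘chkconfig --list | audit_boot_services "$ALLOWED_SERVICES"’. The emitted commands are meant to be reviewed before they are run: the allow-list, not the script, decides what is essential.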

Another command to configure runlevel services is the ‘ntsysv’ command. The ‘ntsysv’ utility is a command line application with a simple text user interface to configure which services are to be started in selected runlevels. You can run this utility by typing ‘ntsysv’ at a shell prompt as ‘root’ user.


The utility displays the list of available services (the services from the /etc/rc.d/init.d/ directory) along with their current status and a description obtainable by pressing the ‘F1’ key.

We will not be doing any lab on the ‘ntsysv’ utility as the preferred way is to use the ‘chkconfig’ utility as we used in the earlier labs. This concludes the services


5.5 SELinux Introduction

Security-Enhanced Linux (SELinux) is an implementation of a mandatory access control (MAC) mechanism in the Linux kernel, checking for allowed operations after standard discretionary access controls (DAC) are checked. It was created by the National Security Agency and can enforce rules on files and processes in a Linux system, and on their actions, based on defined policy.

Let us begin by looking at the SELinux config file. The ‘/etc/selinux/config’ file is the main SELinux configuration file. It controls the SELinux mode and the SELinux policy to use. Run the ‘cat’ command or use an editor to view the ‘/etc/selinux/config’ file on your Oracle Linux 6 system.

The SELINUX option in the config file sets the mode SELinux runs in. SELinux has three modes:

• Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.

• Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode.

• Disabled: SELinux is disabled. Only DAC rules are used.

When using enforcing mode, SELinux policy is enforced, and SELinux denies access based on SELinux policy rules. Denial messages are logged. When using permissive mode, SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running SELinux in enforcing mode. When using disabled mode, SELinux is disabled (the SELinux module is not registered with the Linux kernel), and only DAC rules are used.

In the example below, you can see that SELINUX mode is set to enforcing. This means SELinux is enabled on this system and enforcing the security policy. The SELINUXTYPE option sets the SELinux policy to use. There are two policies that can be used – Targeted and MLS policy. Targeted policy is the default policy as is also seen in the sample config file below.

[root@examplehost /]# cd /etc/selinux
[root@examplehost selinux]# ls
config  restorecond.conf  restorecond_user.conf  semanage.conf  targeted
[root@examplehost selinux]# cat config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@examplehost selinux]#

You can check the status of SELinux on your Oracle Linux 6 system using the ‘sestatus’ command as shown below. In the following sample output, you can see that SELinux is enabled and set to enforcing mode. The policy is targeted policy.

[root@examplehost selinux]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 26
Policy from config file:        targeted
[root@examplehost selinux]#

Another way to check the status of SELinux is by using the ‘getenforce’ command. The ‘getenforce’ command returns Enforcing, Permissive, or Disabled. In the example shown below, the ‘getenforce’ command returns enforcing which means SELinux is enabled on this system and enforcing the security policy.

[root@examplehost selinux]# /usr/sbin/getenforce
Enforcing
[root@examplehost selinux]#

The ‘policycoreutils-gui’ RPM package provides the ‘system-config-selinux’ command, which is a graphical tool for managing SELinux. Install the SELinux GUI tool on your Oracle Linux 6 system by installing the ‘policycoreutils-gui’ RPM package.


First check to see if the ‘policycoreutils-gui’ RPM package is already installed on the system. In the example below, the ‘rpm’ query command does not return this package name, which means that the package is not installed.

[root@examplehost /]# rpm -qa | grep policycoreutils-gui
[root@examplehost /]#

We will install the ‘policycoreutils-gui’ RPM package using the ‘yum’ command.

[root@examplehost /]# yum install policycoreutils-gui
Loaded plugins: refresh-packagekit, security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package policycoreutils-gui.x86_64 0:2.0.83-19.24.0.1.el6 will be installed
--> Processing Dependency: policycoreutils-python = 2.0.83-19.24.0.1.el6 for package: policycoreutils-gui-2.0.83-19.24.0.1.el6.x86_64
package: setools-console-3.3.7-4.el6.x86_64 ...
... ...
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================
 Package                 Arch     Version                 Repository    Size
===============================================================================
Installing:
 policycoreutils-gui     x86_64   2.0.83-19.24.0.1.el6    ol6_latest   206 k
Installing for dependencies:
 audit-libs-python       x86_64   2.2-2.el6               ol6_latest    59 k
 gnome-python2-gtkhtml2  x86_64   2.25.3-20.el6           ol6_latest    21 k
 gtkhtml2                x86_64   2.11.1-7.el6            ol6_latest   153 k
 libcgroup               x86_64   0.37-4.el6              ....
 ....

Transaction Summary
===============================================================================
Install      10 Package(s)

Total download size: 1.9 M
Installed size: 6.5 M
Is this ok [y/N]: y
...
...
Dependency Installed:
  audit-libs-python.x86_64 0:2.2-2.el6
  gnome-python2-gtkhtml2.x86_64 0:2.25.3-20.el6
  gtkhtml2.x86_64 0:2.11.1-7.el6
  libcgroup.x86_64 0:0.37-4.el6
  libsemanage-python.x86_64 0:2.0.43-4.1.el6
  policycoreutils-python.x86_64 0:2.0.83-19.24.0.1.el6
  setools-console.x86_64 0:3.3.7-4.el6
  setools-libs.x86_64 0:3.3.7-4.el6
  setools-libs-python.x86_64 0:3.3.7-4.el6

Complete!
[root@examplehost /]#


You can now verify that you have the ‘system-config-selinux’ command on your system as shown below.

[root@examplehost /]# which system-config-selinux
/usr/bin/system-config-selinux

[root@examplehost /]#

You can also find this SELinux GUI application under the System -> Administration -> SELinux Management menu option.

Run the ‘system-config-selinux’ command to launch the SELinux GUI application or launch it from the System ->Administration -> SELinux Management menu option.


Disabling SELinux:

SELinux is enabled by default on Oracle Linux 6 systems. Some applications require disabling SELinux before they can be installed. We will now learn how to disable SELinux on Oracle Linux 6 systems.

To disable SELinux, set ‘SELINUX=disabled’ in the ‘/etc/selinux/config’ file.

[root@examplehost /]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security

Reboot your system after changing the value to ‘disabled’. After reboot, confirm using the ‘getenforce’ command or the ‘sestatus’ command that it returns Disabled.

[root@examplehost /]# /usr/sbin/getenforce
Disabled

[root@examplehost /]# /usr/sbin/sestatus
SELinux status:                 disabled
[root@examplehost /]#
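The two commands above only show the state at one moment. The running mode and the configured mode can differ, either because ‘setenforce’ changed the running mode without touching the file, or because the file was edited and the reboot has not happened yet. The check below, an added example and not part of this lab, compares the two from ‘sestatus’ output and also reports a host that is simply disabled. The ‘sestatus’ output is a constructed sample.

```shell
#!/bin/bash
# Added example, not part of the Oracle lab: compare the running SELinux mode
# with the mode in /etc/selinux/config, using `sestatus` output, so that a
# host left in permissive mode at run time, or a config edit that is still
# waiting for the reboot, is reported instead of silently trusted.

# Constructed sample of `sestatus` output from a host that was switched to
# permissive at run time while the config file still says enforcing.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 26
Policy from config file:        targeted'

# sestatus_field "<label>" < sestatus_output : print the value for one label.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# selinux_drift "<sestatus output>" : print one finding line.
# Returns 0 when SELinux is enabled and the running mode matches the config,
# 1 when it is disabled or the two modes differ.
selinux_drift() {
    status=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    if [ "$status" != "enabled" ]; then
        echo "FINDING: SELinux is $status; only DAC permissions protect this host"
        return 1
    fi
    current=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    configured=$(printf '%s\n' "$1" | sestatus_field "Mode from config file")
    if [ "$current" != "$configured" ]; then
        echo "FINDING: running $current but /etc/selinux/config says $configured"
        return 1
    fi
    echo "OK: SELinux $current and matching the config file"
    return 0
}

# Demonstration on the constructed sample (exit status 1 is the expected
# finding here). On a real host: selinux_drift "$(sestatus)"
selinux_drift "$SAMPLE_SESTATUS" || :
```

The return code makes the function usable from a cron job or a configuration-management check: anything other than 0 means the host is not in the state its config file claims.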


5.6 Firewall Configuration Tool and IPtables

Firewalls are one of the core components of a network security implementation. A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls help prevent unauthorized network packets from accessing the system's network interface. The firewall examines network traffic and allows or denies the traffic based on specified security criteria. If a request is made to a port that is blocked by a firewall, the request is ignored. If a service is listening on one of these blocked ports, it does not receive the packets and is effectively disabled.

Hence, you should be careful when configuring a firewall to block access to ports not in use and not block access to ports used by configured services.

On Oracle Linux 6 systems, a simple firewall configuration tool is the graphical firewall configuration tool. The Firewall Configuration Tool (system-config-firewall) creates basic iptables rules for a general-purpose firewall using a GUI interface. For advanced users and server administrators, manually configuring a firewall with the ‘iptables’ tool is probably a better option. In older versions of Linux, the most popular firewall/NAT package running on Linux was called ipchains, but it had some shortcomings. The Netfilter organization decided to create a new product called ‘iptables’. The iptables implementation is considered to be a faster and more secure alternative to ipchains, and iptables has become the default firewall package installed under RHEL 6 and Oracle Linux 6 releases. We will now introduce you to both the basic Firewall Configuration tool and the more advanced ‘iptables’ tool.

Firewall Configuration Tool:

To start the Firewall Configuration Tool, you can go to the System ->


Alternatively, you can type the ‘system-config-firewall’ command at a shell prompt.

[root@examplehost /]# /usr/bin/system-config-firewall

In the following screenshot, you can see that the firewall is enabled on this system. You can also see that the ‘ssh’ service, using the TCP protocol on port 22, is a trusted service on this system.

The firewall rules configuration information is stored in the ‘/etc/sysconfig/iptables’ file. If you view this file, you will see output similar to what is shown below. You can see in the listing below that there is an entry for port 22, and that entry corresponds to the ‘ssh’ service.

[root@examplehost /]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@examplehost /]#

In the Firewall Configuration window, click the Disable button and then the Apply button to disable the Firewall. Once the Firewall is disabled, you will see the grayed out GUI screen like what is shown below. When the firewall is disabled, it allows all network traffic and there is no trusted service or any blocked ports or network traffic.


When the firewall is disabled, there is no ‘/etc/sysconfig/iptables’ file on the system. You can verify after disabling the firewall that the ‘/etc/sysconfig/iptables’ file is no longer present.

[root@examplehost /]# ls -l /etc/sysconfig/iptables

ls: cannot access /etc/sysconfig/iptables: No such file or directory

[root@examplehost /]#

Re-enable the firewall on your Oracle Linux 6 system by clicking the Enable and Apply buttons. Once the firewall has been enabled, add the WWW (HTTP) service, which runs on TCP port 80, to the list of trusted services. See the screenshots below.


Click ‘Yes’ on the following window to override any existing firewall configuration.

Once you have the WWW (HTTP) service that runs on port 80 enabled, you can verify and view the INPUT rule that it adds to the ‘/etc/sysconfig/iptables’ file on your system. See example outputs below.


[root@examplehost /]# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

[root@examplehost /]#

You can see in the output above that a new line has been added for the port 80 HTTP service in the ‘/etc/sysconfig/iptables’ file. This is the INPUT rule for the HTTP service; it makes HTTP a trusted service, which means the system will now allow connections to port 80 used by the HTTP service.

Verify that the HTTP service is running on your system. If it is not running, you can start it using the ‘service httpd start’ command.

[root@examplehost /]# service httpd status
httpd (pid 32706) is running...
[root@examplehost /]#

Once you have the httpd service running, you can use the ‘netstat’ command to confirm that port 80 is open and listening for incoming connections.

[root@examplehost /]# netstat -tulpn | grep 80

tcp 0 0 :::80 :::* LISTEN 32706/httpd

[root@examplehost /]#
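Putting the ‘netstat’ listing next to the firewall file answers two questions this lab raises: is a listening service actually reachable through the firewall, and does every accepted port still have a service behind it? The script below is an added example, not part of this lab. It parses the ‘/etc/sysconfig/iptables’ format shown above (the ‘iptables-save’ form with ‘-p tcp’ first is matched as well) and ‘netstat -tulpn’ output, both constructed samples here, and prints one line per port.

```shell
#!/bin/bash
# Added example, not part of the Oracle lab: reconcile the TCP ports the
# firewall accepts (parsed from an /etc/sysconfig/iptables file) with the
# ports that actually have a listener (parsed from `netstat -tulpn`).

# Constructed sample in the format system-config-firewall writes.
SAMPLE_IPTABLES='# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample of `netstat -tulpn` output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1203/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1318/master
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1100/rpcbind
tcp        0      0 :::80                       :::*                        LISTEN      32706/httpd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1050/dhclient'

# firewall_tcp_ports < iptables_file : single TCP ports accepted into INPUT
# (port ranges such as --dport 8000:8010 are deliberately not matched here).
firewall_tcp_ports() {
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT' \
        | sed -E 's/.*--dport ([0-9]+) .*/\1/' | sort -n -u
}

# listening_tcp_ports < netstat_output : "port program" for every TCP listener
# bound to something other than loopback (loopback is unreachable from the
# network, so the firewall is irrelevant to it).
listening_tcp_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "::1") print port, $7
    }' | sort -n -u
}

# reconcile_ports "<iptables file>" "<netstat output>" : one line per port:
#   OPEN+LISTEN        port is accepted and something serves it
#   BLOCKED-LISTENER   a service listens but the firewall rejects it
#   OPEN-NO-LISTENER   an accept rule with nothing behind it (review or remove)
reconcile_ports() {
    fw=$(printf '%s\n' "$1" | firewall_tcp_ports | tr '\n' ' ')
    listeners=$(printf '%s\n' "$2" | listening_tcp_ports)
    printf '%s\n' "$listeners" | while read -r port prog; do
        case " $fw" in
            *" $port "*) echo "OPEN+LISTEN $port $prog" ;;
            *)           echo "BLOCKED-LISTENER $port $prog" ;;
        esac
    done
    for p in $fw; do
        printf '%s\n' "$listeners" | grep -q "^$p " || echo "OPEN-NO-LISTENER $p"
    done
}

# Demonstration on the constructed samples. On a live host:
#   reconcile_ports "$(cat /etc/sysconfig/iptables)" "$(netstat -tulpn)"
reconcile_ports "$SAMPLE_IPTABLES" "$SAMPLE_NETSTAT"
```

In the sample, rpcbind on port 111 is listening but rejected by the firewall (which may be exactly what you want, but you should know it is there), and port 389 is open with no LDAP server behind it, which is the situation the next part of this lab creates on purpose. A BLOCKED-LISTENER for a service you do not need is better handled by disabling the service than by opening the port.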

You can stop the HTTPD service once you have confirmed that ‘netstat’ shows port 80 is open and listening for connections.

[root@examplehost /]# service httpd stop

Stopping httpd: [ OK ]


Let us go back to the Firewall Configuration GUI and click the ‘Other Ports’ option on the left of the screen. You will see a screen similar to what is shown below. If you set up an LDAP directory server on a Linux system that has the firewall enabled, you have to open port 389 for the LDAP service on that system. Port 389 is the default LDAP server port. In this lab, we will assume that we have an LDAP server installed and will open port 389 by adding it to the list of accessible ports.

Click the Add button and add Port 389 to the list of accessible ports.

In the “Port and Protocol” Window, select the LDAP port 389 and click the OK button.


You should now have the Port 389 with protocol TCP and service LDAP in the list of accessible ports in the GUI as seen below. Click the ‘Apply’ button to apply these changes.


Clicking the ‘Apply’ button will add an INPUT rule for the LDAP port 389 that we just added as an accessible port. Open (use ‘cat’) the ‘/etc/sysconfig/iptables’ file and confirm the rule that was added for port 389.

[root@examplehost /]# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


Configuration tool like marking network interfaces which are trusted, masquerading IPv4 addresses, port forwarding, etc. We will not be doing labs for these in this training.

iptables tool:

As we discussed earlier, the Firewall Configuration Tool is used for setting up basic firewall rules. If you need more advanced and complex rules, you should use the ‘iptables’ tool. Actually, there are two tools available – iptables and ip6tables. The ‘iptables’ tool is for IPv4 networks and is what we will use in this training. The ‘ip6tables’ tool is for IPv6 packet filtering, and we will not be working on IPv6 network tools in this training.

The ‘iptables’ administration tool is a command line tool that is available in the Linux kernel 2.4 and above. The ‘iptables’ tool uses the Netfilter subsystem to enhance network connection, inspection, and processing. The ‘iptables’ tool features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.

Start by reading the man pages of the ‘iptables’ tool.

[root@examplehost /]# man iptables


You can use the ‘service iptables’ command to list all available options for the iptables service.

[root@examplehost /]# service iptables
Usage: iptables {start|stop|restart|condrestart|status|panic|save}
[root@examplehost /]#

Check using the ‘service’ command to find out if the iptables service is running or not. In the screenshot below, it says the Firewall is not running which means the iptables service is stopped.


[root@examplehost /]# service iptables status
iptables: Firewall is not running.

[root@examplehost /]#

If the iptables service is running on your system, you will see an output similar to what is shown below.

[root@examplehost /]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@examplehost /]#


If you need to start the iptables service, you can start it as shown below.

[root@examplehost /]# service iptables start

iptables: Applying firewall rules: [ OK ]

[root@examplehost /]#

You can also run the ‘chkconfig’ command to see the init runlevels for which the iptables service is started during system reboots.

[root@examplehost /]# chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off


Type the following ‘iptables’ command as ‘root’ user to list the rules of your firewall. The -L option is to list rules and the -n option is to display IP address and port in numeric format. You can also include the -v option to get a more verbose output.

[root@examplehost /]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@examplehost /]#


Rules are stored in chains and there are 3 chains – INPUT, FORWARD and OUTPUT. If you just want to view the rules in the INPUT chain only, you can run the following command.

[root@examplehost /]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
[root@examplehost /]#


You can print the line numbers for rules in the INPUT, FORWARD and OUTPUT chains using the --line-numbers option as shown below. The --line-numbers option is useful when adding or deleting rules by position, as we will see shortly.

[root@examplehost /]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@examplehost /]#


To delete line 6 of the INPUT rules, you can use the -D option as shown below. This deletes line 6, which is the LDAP port 389 access rule in the listing above.

[root@examplehost /]# iptables -D INPUT 6
[root@examplehost /]#

After deleting the rules, run the iptables command to list the rules. You will notice that the rule line for LDAP port 389 has been deleted.


But if you look at the ‘/etc/sysconfig/iptables’ file, you will see that the LDAP port 389 rule is still there in this file. Any guesses why it is still there?

[root@examplehost /]# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


The rule is still there because, after deleting the rule from the running firewall, we have not saved the running rules back to the rules configuration file (/etc/sysconfig/iptables). Run the ‘service iptables save’ command to save the current rules.

[root@examplehost /]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@examplehost /]#

Once the rules have been saved, you can run the cat command to check the ‘/etc/sysconfig/iptables’ file and this time you should not see the LDAP port 389 rule in this file. See screenshot below.

[root@examplehost /]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Feb 6 16:03:37 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Feb 6 16:03:37 2013
[root@examplehost /]#

Even after you have saved the file, you still need to restart the iptables service so that it can re-read the new rules from the ‘/etc/sysconfig/iptables’ file and enforce the new rules.


[root@examplehost /]# service iptables restart

iptables: Flushing firewall rules: [ OK ]

iptables: Setting chains to policy ACCEPT: filter [ OK ]

iptables: Unloading modules: [ OK ]

iptables: Applying firewall rules: [ OK ]

[root@examplehost /]#

Let us list the rules with their line numbers now. We will then add back a rule using the iptables command.

[root@examplehost /]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@examplehost /]#


Let us now add a rule between line 5 and line 6 of our rules. In the example below, we are adding a new INPUT rule as line 6 where protocol is TCP and the port that we allow access to is the LDAP port 389.

Once you have added the new rule for port 389 using the ‘iptables’ command, you can list the rules with the --line-numbers option and confirm that it has been added as line 6.


[root@examplehost /]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@examplehost /]#

[root@examplehost /]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@examplehost /]#

[root@examplehost /]# service iptables restart

iptables: Flushing firewall rules: [ OK ]

iptables: Setting chains to policy ACCEPT: filter [ OK ]

iptables: Unloading modules: [ OK ]

iptables: Applying firewall rules: [ OK ]

[root@examplehost /]#

We will now look at an example where we open a range of ports on the Oracle Linux 6 system. In the example below, we open ports 8000 to 8010 on this system using the ‘iptables’ command. This time we append (-A) a new rule to the end of the INPUT chain rather than inserting it at a given position.

[root@examplehost /]# iptables -A INPUT -m state --state new -m tcp -p tcp --dport 8000:8010 -j ACCEPT


You can use the ‘iptables -L’ option and confirm that you see a new line (line 8 in the example below) appended to the INPUT rules for the port range that was opened.

[root@examplehost /]# iptables -L -n --line-numbers

Chain INPUT (policy ACCEPT)

num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:8000:8010

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@examplehost /]#
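Note where line 8 landed: ‘-A’ appends, so the new rule sits after the catch-all REJECT in line 7, and a packet for ports 8000 to 8010 is rejected in line 7 before it ever reaches line 8. The check below, an added example and not part of this lab, walks an ‘iptables -L -n -v --line-numbers’ listing and reports every rule placed after a catch-all ACCEPT, DROP or REJECT in its chain. The ‘-v’ columns are required: without them the ‘-i lo’ rule in line 3 prints as ‘ACCEPT all 0.0.0.0/0 0.0.0.0/0’ and would be mistaken for a catch-all. The listing is a constructed sample matching the lab's state at this point.

```shell
#!/bin/bash
# Added example, not part of the Oracle lab: find rules that can never match
# because an earlier rule in the same chain already decides every packet.
# Input is `iptables -L -n -v --line-numbers` output; the -v columns (in/out
# interface) are needed because without -v the lab's rule 3 (-i lo) is shown
# as "ACCEPT all 0.0.0.0/0 0.0.0.0/0" and would look like a catch-all.

# Constructed sample in the -v listing format, matching the lab's state after
# `iptables -A INPUT ... --dport 8000:8010 -j ACCEPT` appended rule 8.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      812  64K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        3   252 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389
7       11   660 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:8000:8010

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# shadowed_rules < listing : prints "CHAIN num TARGET shadowed by rule N" for
# every rule placed after a catch-all ACCEPT/DROP/REJECT in the same chain.
# A catch-all is: proto all, any in/out interface, any source/destination and
# no match text after the destination column (a REJECT's "reject-with ..." is
# a target option, not a match, so it does not count as match text).
shadowed_rules() {
    awk '
    /^Chain / { chain = $2; dead = 0; next }
    $1 == "num" || NF == 0 { next }
    {
        if (dead) print chain, $1, $4, "shadowed by rule " dead
        extra = NF - 10
        if ($4 == "REJECT" && $11 == "reject-with") extra -= 2
        catchall = ($5 == "all" && $7 == "*" && $8 == "*" &&
                    $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" && extra == 0)
        if (!dead && catchall && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
            dead = $1
    }'
}

# Demonstration on the constructed sample. On a live host:
#   iptables -L -n -v --line-numbers | shadowed_rules
printf '%s\n' "$SAMPLE_LISTING" | shadowed_rules
```

The fix is to place the rule before the REJECT rather than after it: ‘iptables -D INPUT 8’, then ‘iptables -I INPUT 7 -m state --state NEW -m tcp -p tcp --dport 8000:8010 -j ACCEPT’ so that it becomes line 7 and the REJECT moves to line 8, then ‘service iptables save’ so the saved file matches the running chain. The zero packet counter on line 8 in the ‘-v’ output is the other tell-tale sign of a rule that nothing ever reaches.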


We will remove the rule that we just added using the -D option of the ‘iptables’ command as shown below.

[root@examplehost /]# iptables -D INPUT 8
[root@examplehost /]#

[root@examplehost /]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@examplehost /]# service iptables restart

iptables: Flushing firewall rules: [ OK ]

iptables: Setting chains to policy ACCEPT: filter [ OK ]

iptables: Unloading modules: [ OK ]

iptables: Applying firewall rules: [ OK ]

[root@examplehost /]#

Configuring complex firewall rules is an advanced topic and will require a deep understanding of the deployed services and requirements before you configure firewalls. This concludes the introductory lab to Firewall and iptables.

One last thing, Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. We will leave this as a topic for you to explore on your own depending on your interest and requirements.


5.7 Common Vulnerabilities and Exposures (CVE) security updates

Common Vulnerabilities and Exposures (CVEs) is a dictionary of publicly known information security vulnerabilities and exposures. CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services. It is strongly recommended to frequently apply security updates and patches, to keep your Oracle Linux system secure at all times.

In this lab, we will look at some of the package management commands that can help you identify and install security updates on your Oracle Linux 6 system. We will look at using the yum security plugin. The yum security plugin extends yum to allow lists and updates to be limited using security relevant criteria.

We will start by checking to see if the Oracle Linux 6 system has the yum security plugin already installed or not. You can check whether this yum security plugin is installed or not using the following ‘rpm’ command.

[root@examplehost /]# rpm -qa | grep yum-plugin-security
yum-plugin-security-1.1.30-14.el6.noarch

[root@examplehost /]#

Next, check and make sure that this yum security plugin is enabled. You should find a ‘security.conf’ file under the ‘/etc/yum/pluginconf.d/’ directory.

[root@examplehost /]# cd /etc/yum/pluginconf.d/
[root@examplehost pluginconf.d]# ls
refresh-packagekit.conf  rhnplugin.conf  security.conf
[root@examplehost pluginconf.d]#

References

Related documents