Thursday, March 29, 2012

Open SSL and Key Based Authentication

SSL stands for Secure Sockets Layer.


Applications

  1. Securing web transactions using Apache-SSL
  2. Securing user access for remote login to your Linux computer
  3. Securing VPNs using OpenSSL-based tunneling
  4. Securing email services
Server Certificate 

It is a body of data placed in a message to serve as proof of the sender's authenticity. It contains encrypted information that associates a public key with the true identity of an individual, server or other entity, known as the subject.

Role of server certificate Authority

A trusted organisation that issues certificates for both servers and clients. Suppose a client wants to access the company's extranet web server securely over HTTPS, so the client uses the HTTPS protocol to access the content of the web server.
The web browser initiates an SSL connection request. The extranet web server uses its private key to encrypt the data and sends it to the client, who decrypts it using the web server's public key. Since the public key is sent by the web server to the client browser, there is no way to know whether the public key is authentic. Here comes the role of the Certificate Authority.
The CA issues a server certificate signed by the CA's own key. A genuine message from the web server contains this certificate. When the browser receives the server certificate it decrypts the certificate information using the well-known public key of the CA; this ensures the server certificate is authentic. The browser can then verify that the domain name in the authentic certificate is the same as the name of the server it is communicating with.

Generating a private key for the server

[root@server]# openssl genrsa -des3 -out www.domain.com.key -rand /dev/urandom 1024

(-des3 protects the key file with a passphrase; the bit count is the last argument. 1024 bits is what this post used; current guidance is 2048 bits or more.)

Generating a Certificate Signing Request

[root@server]# openssl req -new -key www.domain.com.key -out www.domain.com.csr

OpenSSH 

All user passwords are stored in the /etc/shadow file on a Linux system instead of in /etc/passwd.
SSH is used for secure login to systems and for executing commands on a remote system.
The package used is OpenSSH. The port it connects to is 22.

Its configuration file is /etc/ssh/sshd_config

Secure shell allows us to authenticate using a public-private key scheme.

ssh-keygen is the command used to generate keys.
  # ssh-keygen -t rsa
This produces an RSA key pair for your machine; the private key is saved in /root/.ssh/id_rsa and the public key in /root/.ssh/id_rsa.pub.

Copying the public key to the client you want to connect to in future using key-based authentication

Keys are permanently added on the client side in ~/.ssh/authorized_keys.

Connecting to the client

When the connection is made it asks for the passphrase that was used when the key was encrypted, in order to decrypt the key.

Therefore with key-based authentication no account password is used; only the decryption of the key takes place.
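The key-generation, copy and permission steps above, as an added shell example that is not part of the original post. It runs entirely in a throwaway directory, contacts no remote host, and assumes only that OpenSSH's ssh-keygen and GNU stat are installed; the 700/600 modes are the ones sshd's StrictModes check expects before it will honour authorized_keys.

```shell
#!/bin/sh
# Added example (not from the original post): set up key-based SSH login
# in a throwaway directory and check the file permissions sshd insists on.
# Assumes ssh-keygen (OpenSSH) and GNU stat; no remote host is contacted.
set -eu

# Generate an RSA key pair. The passphrase is empty only so the demo runs
# unattended; interactive use should set one, as the post describes.
generate_key() {            # $1 = path for the private key (.pub is added)
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$1"
}

# Append the public key to the target's authorized_keys and set the modes
# sshd's StrictModes check requires (~/.ssh 700, authorized_keys 600).
install_key() {             # $1 = public key file, $2 = target .ssh dir
    mkdir -p "$2" && chmod 700 "$2"
    cat "$1" >> "$2/authorized_keys"
    chmod 600 "$2/authorized_keys"
}

# Return 0 when the directory and authorized_keys have safe modes.
check_perms() {             # $1 = .ssh dir
    [ "$(stat -c %a "$1")" = "700" ] || return 1
    [ "$(stat -c %a "$1/authorized_keys")" = "600" ] || return 1
}

# Return 0 when the public key's fingerprint is among the authorized keys.
key_authorized() {          # $1 = public key file, $2 = .ssh dir
    fp=$(ssh-keygen -lf "$1" | awk '{print $2}')
    ssh-keygen -lf "$2/authorized_keys" | awk '{print $2}' | grep -qxF "$fp"
}

# Usage (constructed demo): generate, install, then verify.
demo() {
    d=$(mktemp -d)
    generate_key "$d/id_rsa"
    install_key "$d/id_rsa.pub" "$d/ssh"
    check_perms "$d/ssh" && key_authorized "$d/id_rsa.pub" "$d/ssh" \
        && echo "key installed with safe permissions"
}
```

On a real host the .ssh directory is the remote user's home; the permission check is worth running whenever key login unexpectedly falls back to a password prompt, because sshd silently ignores a group- or world-writable authorized_keys.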


Thanks....................

Saturday, March 17, 2012

Proftpd Server

ProFTPD is another FTP server which is highly configurable and much more secure than the conventional FTP server of Linux, i.e. vsftpd. ProFTPD uses an Apache-like configuration file. It can also control resources such as how many instances of the server run at any given time.

Its configuration file is  /etc/proftpd.conf 


Now I am going to give some details about the proftpd.conf file.

ServerName : represents the FTP server name.

ServerType : standalone

DefaultServer : since ProFTPD supports many servers simultaneously (virtual FTP servers), we may have a server called the default FTP server and one or more virtual FTP servers. The main server is enabled by this directive.
If you want to use virtual servers and not service FTP requests on the main default server, keep this directive off.

Port : the port where the service listens, port 21

Umask : 027 to get default permissions of 750

MaxInstances : defines the number of proftpd instances that may run simultaneously before connections are refused

<Directory /*> : allows a set of directives that apply to a particular directory path

AllowOverwrite : this directive allows FTP users to overwrite any files they want

<Anonymous ~ftp> : creates an anonymous FTP area.


Securing the FTP Connection


Restricting FTP connections via IP address
To enable IP-based access control on the main server or a virtual server:

<Limit LOGIN>
  Order Allow,Deny
  Allow from 192.168.1.2, 192.168.1.3, 192.168.1.4
  Deny from all
</Limit>

PAM-based Authentication


To enable PAM-based authentication use the following directives:
    AuthPAMAuthoritative on
    AuthPAMConfig ftp

Disabling directory creation and deletion privileges


<Directory /*>
<Limit MKD RMD>
DenyAll
</Limit>
</Directory>

Allowing Certain group of users and users for directory creation and deletion


<Directory /*>
<Limit MKD RMD>
DenyAll
AllowGroup <groupname>
AllowUser  <username>
</Limit>
</Directory>

Restricting access to a single directory


<Directory /*>
<Limit CWD>
DenyAll
</Limit>
</Directory>

Controlling READ/WRITE access


<Directory /files/Download>
<Limit READ>
AllowGroup <groupname>
AllowUser <username>
</Limit>
<Limit WRITE>
AllowUser <username>
DenyGroup <groupname>
</Limit>
</Directory>


Limiting directory browsing privileges


<Directory /path>
<Limit DIRS>
DenyGroup <groupname>
</Limit>
</Directory>

Controlling buffer overflow attacks


This is the most common type of attack method still followed by intruders. To prevent this type of attack on your FTP server, ProFTPD provides the directive CommandBufferSize, whose value, when set appropriately, can prevent a buffer overflow attack.


CommandBufferSize 512
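The directives above only take effect if the configuration file parses, and the easiest way to break a ProFTPD config is an unclosed or mistyped container tag (a <Directory> block whose closing tag is missing or misspelled). The shell script below is an added example, not part of the original post or of ProFTPD itself: it writes the post's hardening directives into one fragment (user, group, path and address values are placeholders) and then checks with awk that every <Directory>, <Limit> and <Anonymous> container is closed by a matching tag.

```shell
#!/bin/sh
# Added example (not from the original post, not ProFTPD code): write the
# post's hardening directives into one proftpd.conf fragment and check that
# every container tag is closed by a matching tag. Names are placeholders.
set -eu

write_hardened_conf() {     # $1 = output file
    cat > "$1" <<'EOF'
ServerName "Example FTP"
ServerType standalone
DefaultServer on
Port 21
Umask 027
MaxInstances 30
CommandBufferSize 512
<Directory /*>
  AllowOverwrite off
  <Limit MKD RMD>
    DenyAll
    AllowGroup ftpadmins
  </Limit>
</Directory>
<Directory /files/Download>
  <Limit WRITE>
    DenyAll
    AllowUser uploader
  </Limit>
</Directory>
<Limit LOGIN>
  Order allow,deny
  Allow from 192.168.1.2 192.168.1.3 192.168.1.4
  Deny from all
</Limit>
EOF
}

# Return 0 when every <Name ...> has a matching </Name> in proper nesting;
# otherwise print the first problem and return 1.
check_containers() {        # $1 = config file
    awk '
        /^[[:space:]]*<[A-Za-z]/ {            # opening tag: push its name
            name = $1; sub(/^[[:space:]]*</, "", name); sub(/>.*$/, "", name)
            stack[++depth] = name; next
        }
        /^[[:space:]]*<\// {                  # closing tag: must match top
            name = $1; sub(/^[[:space:]]*<\//, "", name); sub(/>.*$/, "", name)
            if (depth == 0 || stack[depth] != name) {
                printf "line %d: unexpected </%s>\n", NR, name; bad = 1; exit 1
            }
            depth--
        }
        END { if (!bad && depth > 0) { printf "unclosed <%s>\n", stack[depth]; exit 1 } }
    ' "$1"
}
```

Run check_containers against /etc/proftpd.conf before restarting the service; `proftpd -t` performs the full syntax check once the daemon is installed, but this catches the structural errors in a fragment that has not yet been deployed.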




This is a simple ProFTPD configuration and the security features for an FTP server. Thank you.

Monday, March 12, 2012

Advanced Intrusion Detection Environment (AIDE using ICU)

AIDE (Advanced Intrusion Detection Environment) performs file system integrity checking on a Linux system. Various file integrity checkers are available, but they are all made for a single host. What if an administrator wants to check several systems in their domain at once, from their own single system?

The solution is "AIDE using ICU" (Advanced Intrusion Detection Environment using the Integrity Checking Utility). AIDE alone can check a single system; to check multiple systems together we need ICU.
An ICU server and ICU clients are set up and configured.

1) Download and install the latest version of AIDE. Systems with RHEL6 have the package in their YUM repository by default; check for other Linux distributions.

Establishing ICU Server

1) Download the tar file for ICU from http://nitzer.dhs.org/ICU/ICU.html or search for it.

2) I downloaded version ICU-0.3.tar.gz

3) su - root on your system and extract the source on the system which you want to make the ICU server. From this server you will launch ICU on the remote Linux systems on which you want to perform integrity checks.

4) Extract the source and copy the ICU-0.3 folder obtained after extraction to /usr/local/ICU on your server system.

5) Create the user "icu"
 # useradd icu
 # chown -R icu /usr/local/ICU          //changing ownership of the ICU directory and files
 # chmod -R 700 /usr/local/ICU

6) # vim /usr/local/ICU/ICU.conf
     modify the directive ICU_server_name
     modify the directive admin_e-mail

ssh = /usr/bin/local/ssh
scp = /usr/bin/local/scp
ssh-keygen = /usr/bin/ssh-keygen


If you do not use sendmail as the default mail server (RHEL5 uses sendmail by default, RHEL6 uses Postfix by default):

Postfix = /usr/sbin/postfix

7) su - icu and run the following command

           # perl ICU.pl -G
8)        # perl ICU.pl -s

 If any error message occurs, fix it accordingly.

9) Copy and rename the aide binary from /usr/local/bin to /usr/local/ICUbinaries/aide.bin-i386-linux




Establishing ICU Client        


The ICU server runs AIDE on the remote host via the SSH protocol. Here is how to establish an ICU client.

1) Edit the /usr/local/ICU/ICU.hosts file to add the client name you want to monitor.
Syntax:
hostname : email : OS : architecture : port


client.localdomain : root@server.localdomain : linux : i386 : 22


2) Perform a sanity check of the file using

# cd /usr/local/ICU && perl ICU.pl -s -r client.localdomain



3) Create a tarball containing all the necessary files and configuration for the remote host to run AIDE.

# perl ICU.pl -n -r client.localdomain


This creates a tar file of all the configuration files required on the host side.

4) Transfer the tar file to the host machine (client) whose files are to be checked.

5) At the client side, on the client system:


# tar xvf client.localdomain-icu-install.tar

This creates a new directory, client.localdomain-icu-install.

6) # cd client.localdomain-icu-install


7) # sh icu-install.sh      //this installs a copy of aide.conf and the aide.db file to /var/adm/.icu

It automatically appends keys to the various files.


Initializing remote host integrity check 


1) Log in with su - icu
2) cd /usr/local/ICU
3) # perl ICU.pl -i -r client.localdomain


Enter yes when prompted, because the server is connecting to the host via SSH for the first time.

4) Wait until the database is initialized for the first time. After initialization, run the same script again in future to check the file system.


When initializing a new host, the first integrity database and configuration are saved as

/usr/local/ICU/database/client.localdomain/archives/aide.db-first-TIMESTAMP.gz


and


/usr/local/ICU/database/client.localdomain/archives/aide.conf-first-TIMESTAMP.gz
These are the initial database and configuration files. Each time integrity is checked these files are compared, and the files with the latest timestamp are updated on the server.

Checking of Remote Host Integrity Database



# su - icu
# cd /usr/local/ICU && perl ICU.pl -v -c -r client.localdomain


All results are mailed to root@server.localdomain, or whatever email you provided in the ICU.hosts file.
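To make the initialize-then-check cycle above concrete, here is an added shell example that is not part of the original post and is not AIDE or ICU code: it does in a few lines what AIDE's database does at scale. The first run records a baseline of SHA-256 digests for a directory tree (the equivalent of the aide.db-first file); later runs compare the tree against that baseline and report added, removed and changed files. It assumes GNU coreutils (sha256sum, sort) and paths without whitespace; the directory contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post, not AIDE/ICU code): a minimal
# file-integrity baseline and check of the kind AIDE performs.
# Assumes GNU coreutils (sha256sum, sort) and file paths without whitespace.
set -eu

# Record "digest  path" for every regular file under $1 into baseline $2.
init_baseline() {           # $1 = directory, $2 = baseline file
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Compare the tree against the baseline. Prints one line per difference
# (added/removed/changed) and returns 1 if any, 0 when the tree is unchanged.
check_integrity() {         # $1 = directory, $2 = baseline file
    cur=$(mktemp)
    init_baseline "$1" "$cur"
    rc=0
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # load baseline digests
        {
            if (!($2 in base))        { print "added: " $2;   bad = 1 }
            else if (base[$2] != $1)  { print "changed: " $2; bad = 1 }
            seen[$2] = 1
        }
        END {
            for (p in base) if (!(p in seen)) { print "removed: " p; bad = 1 }
            exit bad
        }
    ' "$2" "$cur" || rc=$?
    rm -f "$cur"
    return "$rc"
}

# Usage (constructed demo tree): baseline, modify, check.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/tree/etc"
    printf 'PermitRootLogin no\n' > "$d/tree/etc/sshd_config"
    init_baseline "$d/tree" "$d/baseline.db"
    printf 'PermitRootLogin yes\n' > "$d/tree/etc/sshd_config"
    check_integrity "$d/tree" "$d/baseline.db" || echo "integrity check failed"
}
```

The baseline file is only as trustworthy as its storage: AIDE and ICU keep it off the monitored host (ICU archives it on the server with a timestamp) for exactly this reason, since a baseline that sits beside the files it describes can be rewritten along with them.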

Thanks ........