Hacking Ubuntu (2007)

Part IV: Securing Your System

Chapter 11: Advanced Networking

Overview

Most of the time, people will install Ubuntu, configure the network during the installation, and not need to change it again. However, there are some situations where you will want to configure the network. This can happen if you have a laptop and frequently move between different networks, if you add in a second network card, or if you need more security than the default settings.

In many cases, changing the network configuration can be as simple as using a GUI. In other cases, you'll need to edit some configuration files in order to properly configure some adapters.

As mentioned in Chapter 10, the default Ubuntu installation is pretty secure because no network services are enabled. However, all your network traffic is probably still being sent unencrypted across the network. There are a couple of different ways you can enable encryption, authentication, and anonymity when accessing the network.

If you start turning on network services (see Chapter 12), you will need to make sure that your network is hardened. Tools like iptables can definitely help lock down a system.

Finally, when everything goes wrong, you will need to know how to debug the network. This is where tools like tcpdump, snort, and ethereal(a.k.a. Wireshark) come in handy.

Configuring Network Devices

The simplest way to configure the network is through a GUI. From the main menu, use System Administration Networking to bring up the network configuration menu (see Figure 11-1). This menu shows each of the available network adapters and enables you to configure them. You can enable or disable interfaces, and set addresses statically or through DHCP. For modems, you can enter the ISP's phone number, login credentials, and whether to reconnect after any disconnects.

Figure 11-1: The Network Settings applet, showing the properties for eth0

If you are configuring the network without a GUI, you can still configure the network device. The command ifconfig -a lists all known network devices. The lo device is the local loop-back, eth0 is usually the first wired Ethernet adapter, and sit0 is used to bridge IPv4 and IPv6. Additional network devices may be enumerated, such as eth1 and eth2 for two additional Ethernet cards.

The configuration for each device is stored in file /etc/network/interfaces. This is where you can define static or dynamic configurations, and whether they start up automatically or only as needed. For example, my computer has two Ethernet cards, but only the first one is automatically configured (see Listing 11-1).

Listing 11-1: Sample /etc/network/interfaces

# This file describes the network interfaces available on your system

# and how to activate them. For more information, see interfaces(5).

# The loopback network interface

auto lo

iface lo inet loopback

# The primary network interface

auto eth0

iface eth0 inet static

address 10.1.2.30

netmask 255.0.0.0

gateway 10.1.2.254

# The second network interface

auto eth1

iface eth1 inet dhcp

Table 11-1 shows some of the common fields for /etc/network/interfaces. For additional information, see the online manual (man 5 interfaces).

After configuring the /etc/network/interfaces file, you can load the settings using:

sudo /etc/init.d/networking restart

For interfaces that are not brought up automatically, you can use ifconfig to bring them up and down. For example, sudo ifconfig eth1 up and sudo ifconfig eth1 down.You can only use an interface when it is up.

Configuring Wireless Networks

Although wired network cards are pretty easy to configure, wireless cards usually pose some problems. For example, many wireless cards only include Windows drivers, not Linux. Without drivers, there is no way to use the hardware. Fortunately, ndiswrapper enables you to use some Windows drivers under Ubuntu!

Assuming you have a working wireless network card, configuring new wireless network configurations is not always automatic. Also, WEP, WAP, and other wireless security protocols can be hard to configure.

Looking for Drivers

Wireless network drivers can come from many different sources. Some network interface cards (NICs) are identified during the Ubuntu installation and immediately installed. These include the Intel ipw2100 and ipw2200, Cisco Aironet cards, and NICs based on the Prism chipsets (for example, Prism 2, 2.5, and 3). If you go to System Administration Networking and see your wireless card listed, then it is already supported and ready for configuration. You can just jump to the "Hacking with Wireless Tools" section.

If the wireless NIC is not supported by the base installation, consider using apt-cache to search for an appropriate Ubuntu driver. (See Chapter 4 for using apt-cache.) You may need to search based on the wireless card's chipset and not the NIC's model number or manufacturer. For example, the Madwifi driver in the linux-restricted-modules package (apt-cache search linux-restricted-modules) provides support for Atheros-based adapters. Atheros-based wireless adapters are found in many laptops as well as NICs by 3Com, D-Link, Netgear, and many other manufacturers.

If all else fails and you cannot find a native Linux driver for your wireless card (and purchasing a natively supported wireless NIC is not a viable option), then you can try using ndiswrapper to use the Microsoft Windows driver under Ubuntu.

Using ndiswrapper

Chapter 6 discusses some different emulators that work under Ubuntu. Using these emulators, you can install an entire operating system in a virtual environment. However, everything in the virtual environment stays in the virtual environment. In contrast, the Network Driver Interface Specification wrapper (ndiswrapper) program enables you to install some network drivers for Microsoft Windows in your actual Linux environment. The wrapper provides enough emulation to support Windows device drivers.

Installing a Driver

Before installing a Windows driver under Linux, you need a few things.

§ Install ndiswrapper-This can be installed using sudo apt-get install ndis- wrapper-utils. This will give you the ndiswrapper program as well as a loadable kernel module.

§ Get the Windows driver-The ndiswrapper tool works only with Microsoft Windows XP drivers. If you have drivers for Windows 95, 98, or ME (or some other version), then it won't work unless it also says that the driver will work with Windows XP. If you don't have the Windows XP driver, then you can stop here because it won't work.

§ Unpacked INF files-Most Windows drivers come bundled in a self-extracting archive. You'll need to extract the files before you can use them. Try using unzip to expand a self-extracting zip file, cabextract for Windows Cabinet files, or unshield for unpacking Install Shield files. You can install these tools using:

§ sudo apt-get install unzip cabextract unshield

§ You will know that you have extracted the right files if you see an INF file and some device drivers (likely SYS files). You can check for them using:

§ find . -type f -name '*.inf' -o -name '*.INF'

After you have gathered the necessary programs and files, you can install the drivers.

1. If the device is an external USB device, then disconnect it before installing the drivers. Some drivers may hang the operating system if the device is installed before the drivers.

2. Find the INF files needed to install the program. In my case, there are two files needed, although other network devices may only need one INF file.

3. $ find . -name '*.inf' -o -name '*.INF'

4. ./athfmwdl.inf

5. ./net5523.inf

6. Use ndiswrapper to install the files. For my USB network adapter, there were two drivers that needed to be installed, and they needed to be installed in a specific order (see "Debugging Driver Problems").

7. sudo ndiswrapper -i ./net5523.inf

8. sudo ndiswrapper -i ./athfmwdl.inf

9. Load the kernel module.

10. sudo modprobe ndiswrapper

11. If the device needs to be plugged in (for example, a USB network adaptor), then plug it in now.

12. If you made it this far, then it didn't hang (that's great!). Use ifconfig -a to list all network devices. You should see a device called wlan0-this is the default name given to ndiswrapperdevices. You can then configure it using System Administration Networking.

13. To automatically start ndiswrapper on boot, add the kernel module to /etc/modules.

14. sudo bash -c 'echo "ndiswrapper" >> /etc/modules'

A graphical alternative to using the command line ndiswrapper is ndisgtk.

sudo apt-get install ndisgtk

sudo ndisgtk

This tool offers a front end to ndiswrapper and makes it a little easier to install devices (see Figure 11-2). You can also click the Configure Network button to quickly open the Network Settings applet.

Figure 11-2: The ndisgtk interface

Debugging Driver Problems

Installing a driver with ndiswrapper is fairly straightforward, although there are a few places where things can go very bad. If the drivers are going to hang the computer, then it will likely happen when the kernel module is loaded or when the device is plugged in. However, drivers may also cause your system to hang when the devices are unloaded or detached, or when resuming after being suspended (like on a laptop).

If the drivers are not working for you, then you can try the following:

§ Unload the drivers-If the drivers hang your system, then you should probably unload them.

o Reboot the system (usually with the front panel's reset button since the computer probably hangs).

o When Ubuntu begins to come up, press Alt+F1 so you can see all of the init steps as they happen.

o When you see the text "Configuring network interfaces," press Ctrl+C. This will skip the network configuration. As long as the network does not configure, the NDIS drivers will not load and the system will not hang. If you don't stop it here, then the system will hang again.

o Allow the rest of the initialization stages to come up.

o Log into the system.

o Use ndiswrapper -l to list each of the loaded drivers.

o Use ndiswrapper -e to erase (remove) the offending driver. For example, you can use:

o $ ndiswrapper -l

o Installed ndis drivers:

o athfmwdl driver present

o net5523 driver present, hardware present

o $ sudo ndiswrapper -e net5523

8. Reboot the system (sudo reboot) and allow it to come up completely.

§ Check the drivers-In some cases, there may be newer or more stable Windows XP drivers available. Also, drivers from compatible network devices may work better than official ones from the manufacturer.

§ Check official forums-The ndiswrapper tool is very well supported and there are hundreds of network interfaces that are documented as being compatible, incompatible, or requiring additional steps. Visit http://ndiswrapper.sourceforge.net/mediawiki/ for tips and hints for specific cards. In many cases, this forum also provides links to the actual Windows drivers, ensuring that you are installing the right one.

§ Check for compatible devices-Many manufacturers may use the same chipsets in different cards. Using lsusb or lspci -n, identify your four-byte unique identifier for your network adapter. It should look something like "0123:89ab" (although the exact hex numbers will be different). Check the official forums for the identifier and see if any other devices use the same drivers. For example, the EnGenius EUB-862 uses the same chipset as the Airlink101 (both use the USB identifier "0cf3:0001"). Although the Windows drivers that came with the EUB-862 consistently hung my system, the drivers for the Airlink101 worked well.

Hacking with Wireless Tools

Ubuntu includes many different tools for configuring the network. The most important ones are iwconfig and iwlist. Using these, you can configure and reconfigure most wireless options.

The iwconfig command is used to configure wireless devices. When used by itself, it lists every network device and, if it is a wireless device, the current configuration. For example:

$ iwconfig

lo no wireless extensions.

eth0 no wireless extensions.

sit0 no wireless extensions.

wlan0 IEEE 802.11b ESSID:"My SSID"

Mode:Managed Frequency:2.437 GHz Access Point: Not-Associated

Bit Rate:108 Mb/s

Power Management min timeout:0us mode:All packets received

Link Quality:0 Signal level:0 Noise level:0

Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0

Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Using the iwlist command, you can scan for available access points (APs), as demonstrated in Listing 11-2.

Listing 11-2: Example iwlist Scan

$ sudo iwlist wlan0 scan

wlan0 Scan completed :

Cell 01 - Address: 00:18:39:CC:F8:C7

ESSID:"logo1"

Protocol:IEEE 802.11g

Mode:Managed

Frequency:2.412 GHz (Channel 1)

Quality:0/100 Signal level:-87 dBm Noise level:-256 dBm

Encryption key:on

Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s

24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s

12 Mb/s; 48 Mb/s

Extra:bcn_int=100

Extra:atim=0

Extra:wpa_ie=3d180050f21101020050f21201002050f20211002050f20

Cell 02 - Address: 00:14:BF:9B:CA:D3

ESSID:"My SSID"

Protocol:IEEE 802.11g

Mode:Managed

Frequency:2.437 GHz (Channel 6)

Quality:0/100 Signal level:-36 dBm Noise level:-256 dBm

Encryption key:on

Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s

24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s

12 Mb/s; 48 Mb/s

Extra:bcn_int=1000

Extra:atim=0

Cell 03 - Address: 00:18:39:2C:2B:51

ESSID:"linksys"

Protocol:IEEE 802.11g

Mode:Managed

Frequency:2.437 GHz (Channel 6)

Quality:0/100 Signal level:-85 dBm Noise level:-256 dBm

Encryption key:off

Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s

24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s

12 Mb/s; 48 Mb/s

Extra:bcn_int=100

Extra:atim=0

The example in Listing 11-2 shows a scan from iwlist. In the example, there are three APs that are within range of the Ubuntu system. You can combine the results from iwlist with iwconfig and connect to a specific AP. For example:

sudo iwconfig essid "My SSID" # connect to an AP using the SSID

sudo iwconfig essid "My SSID" channel 6 # connect to SSID on a specific channel

Enabling Wireless Security with WEP

The Wired Equivalent Privacy (WEP) protocol is a common method for encrypting wireless connections. The iwconfig program allows you to specify the physical connection. It also allows you to provide a WEP key for connecting to an AP. This can be specified on the command line as a series of hex digits or as a string. Table 11-2 shows some of the common key formats.

The key value for iwconfig can also be placed in the /etc/networking/interfaces file. In addition, you can specify multiple keys-if one key does not work, then it will try the next one. Multiple keys can be really useful if your home and office use the same SSID but different keys. (Or if your office has meeting rooms, each with the same SSID but different keys.) For example, to specify three keys and set the default to be #2, you could have lines similar to these in your /etc/networking/interfaces file:

auto wlan0

iface wlan0 inet dhcp

wireless-essid My SSID

wireless-key1 0123456789abcdef0123456789

wireless-key2 abcdef0123

wireless-key3 s:Top Secret

wireless-defaultkey 2

Enabling Wireless Security with WPA

Although WEP is certainly better than no security, there are other ways to secure wireless networks. Wi-Fi Protected Access (WPA) is steadily growing in popularity and offers stronger options for privacy and authentication.

1. To configure WPA, you will need to generate a WPA configuration file. This is done using wpa_passphrase. You will need to provide your SSID and a passphrase, and it will generate a configuration file.

2. wpa_passphrase "My SSID" "Secret Password" > tempfile

3. sudo cp tempfile /etc/wpa_supplicant.conf

4. The contents of /etc/wpa_supplicant.conf lists your network's name and the associated WPA key. Although they should be autodetected, some drivers may need to you to add proto and key_mgmt fields. Listing 11-3 shows a sample /etc/wpa_ supplicant.conf file (bold indicates optional fields).

5. Listing 11-3: Sample /etc/wpa_supplicant.conf File

6. network={

7. ssid="My SSID"

8. #psk="Secret Password"

9. psk=aa380927bc23c6a736a69fa2b395b442bade145973b3a39c25cee0c9d55b0711

10. proto=WPA

11. key_mgmt=WPA-PSK

12. }

15. After creating the /etc/wpa_supplicant.conf file, you should test it to make sure it works. In this example, the wireless interface is wlan0 and it uses the generic wireless LAN extensions (-D wext). Other possible control extensions are listed in man wpa_ supplicant and include ndiswrapper, ndis, madwifi (for Atheros adapters), and wired for wired Ethernet cards with WPA support.

16. sudo wpa_supplicant -D wext -i wlan0 -c/etc/wpa_supplicant.conf

17. To make the changes take effect every time the network interface is used, pre-up and post-down scripts can be added to /etc/networking/interfaces. These scripts will start and stop WPA support. For example:

18. auto wlan0

19. iface wlan0 inet dhcp

20. pre-up wpa_supplicant -B -w -D wext -i wlan0 -c/etc/wpa_supplicant.conf

21. post-down killall -q wpa_supplicant

Securing the Network

When you enable a network interface, you create a bi-directional path. Just as you can go out over the network, there is a path for attackers to come into your system. Firewall software, such as Tcpwrappers and IP Tables, enable you to restrict, modify, and manage network packet handling.

Using the network usually has one other limitation: there is no security. Although a user may connect remotely using SSH or some other secure protocol, the ability to connect in the first place can lead to security risks in highly sensitive environments. Fortunately, Dapper includes IPsec and IPv6. These network layer protocols can authenticate, validate, and encrypt network traffic. It's one thing to require a user-login using SSH; it's another thing to block SSH connections in the first place if they are not authenticated.

Configuring Firewalls with Tcpwrappers

The basic Ubuntu installation includes two types of firewalls: Tcpwrappers and IP Tables. Tcpwrappers is usually used with automated services such as inetd and xinetd. This system consults two files (/etc/hosts.allow and /etc/hosts.deny) and grants access based on these settings. Both files are in the same format: daemon : clients. For example, to restrict access for incoming FTP requests to only machines in the mydomain.lan domain, you can use:

in.ftpd : .mydomain.lan

When a new network request for the daemon is received, Tcpwrappers first checks /etc/ hosts.allow and then /etc/hosts.deny. If the restriction is found in /etc/hosts.allow, then the connection is permitted to contact the daemon. The /etc/hosts.deny restriction blocks the request from ever reaching the daemon. And if there is no restriction, then the connection is permitted.

If you don't want to list specific daemons and hosts, then you can use the keyword ALL.Very secure systems usually have an /etc/hosts.deny that says:

ALL: ALL

This creates a default-deny configuration and blocks access to every service from every client except when they are explicitly permitted by /etc/hosts.allow.

Testing the Tcpwrappers Configuration

You can check your Tcpwrappers configuration using the tcpdmatch command. For example, to check if the host myhost.mydomain.lan can access the service in.ftpd, you can use:

tcpdmatch in.ftpd myhost.mydomain.lan

This displays any host name warnings, service issues, and whether access is granted or denied. In addition, if any rule is matched then it will tell you which file (/etc/hosts.allow or /etc/hosts.deny) and which line.

Enabling Tcpwrappers

The active program for running Tcpwrappers is called tcpd (/usr/sbin/tcpd). This is usually found in /etc/inetd.conf for starting services. For example:

netbios-ssn stream tcp nowait root /usr/sbin/tcpd /usr/sbin/smbd

This line says to run the SMB daemon when there is a connection on port 139/tcp (the netbios-ssn TCP port). Before running the smbd daemon, Tcpwrappers is used to check if the connection is permitted.

Not every program that uses Tcpwrappers runs the tcpd program; Tcpwrappers is commonly compiled into some network daemons. For example, the SSH daemon (sudo apt-get install openssh-server) has Tcpwrappers built-in. You can check for this by using the ldd command to list all linked libraries and search the libwrap shared library.

$ ldd /usr/sbin/sshd | grep libwrap

libwrap.so.0 => /lib/libwrap.so.0 (0xb7eee000)

This means that the SSH server will consult /etc/hosts.allow and /etc/hosts.deny before allowing connections. You can generate a list of libwrap-enabled applications using a small script:

# find all executables and test for libwrap

find /bin /usr/bin /sbin /usr/sbin -type f -perm -1 | \

while read filename ; do

haslib='ldd "$filename" | grep libwrap.so';

if [ "$haslib" != "" ] ; then echo "$filename" ; fi ;

done

Configuring Firewalls with IP Tables

Tcpwrappers operates on the network's transport layer. It can filter TCP or UDP ports, but cannot filter network layer (IP, IPv6, and so on) traffic. For this type of filtering, you can use IP Tables. Unlike Tcpwrappers, which runs as an application, IP Tables are provided as a kernel module. As a result, IP Tables impact all applications, not just those designed or configured to use it.

By default, IP Tables stores three types of filters:

§ INPUT-This table identifies what type of incoming packets to accept. For example, to block SSH packets that use TCP on port 22 from the subnet 172.16.23.0/24, then you can use:

§ sudo iptables -A INPUT -p tcp --dport 22 \

§ --source 172.16.23.0/24 -j REJECT

§ OUTPUT-This table is used to filter outbound network traffic (from your system to a remote system). For example, to block all connections to Microsoft, you can use:

§ sudo iptables -A OUTPUT --destination 207.46.0.0/16 -j REJECT

§ FORWARD-This table is used to forward traffic, in case you want to use your Ubuntu system as a network firewall. For example, to allow all traffic from my local LAN (10.0.0.0/8) to relay through my Ubuntu system, I can use:

§ sudo iptables --table nat -A POSTROUTING \

§ --out-interface eth0 -j MASQUERADE

§ sudo iptables -A FORWARD --in-interface eth0 \

§ --source 10.0.0.0/8 -j ACCEPT

However, if I only want to forward web traffic, then I can specify a destination port:

sudo iptables -A FORWARD --in-interface eth0 \

--source 10.0.0.0/8 -p tcp --dport 80 -j ACCEPT

After configuring your system to forward traffic, you can use it as the network gateway for other systems on your network.

The iptables command manages a set of tables and rules, called chains. A single table may have many different chains. The default table is called filter and has the INPUT, OUTPUT, and FORWARD chains. Other tables include nat (for network address translations), mangle (for packet modification), and raw for low-level packet management.

The iptables command takes a variety of options. Table 11-3 lists some of the more common parameters. The full list can be found in the man page for iptables.

When you are finished, you can view your tables using sudo iptables -L. For example:

$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

REJECT tcp -- 172.16.23.0/24 anywhere tcp dpt:ssh

reject-with icmp-port-unreachable

REJECT tcp -- 172.16.23.0/24 anywhere tcp dpt:ssh

reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:www

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

REJECT all -- anywhere 207.46.0.0/16 reject-with

icmp-port-unreachable

Saving IP Tables Settings

Changes made using IP Tables are not permanent. To make them happen every time you reboot, you will need to save the settings and re-load them during boot.

1. Configure IP Tables and test them to make sure they do what you want.

2. Custom Filtering

3. Usually when administrators configure IP Tables, it is done to block external attack paths or enable routing through an existing computer. However, there is another use.

4. Many different types of viruses, spyware, and worms call out to remote control systems. Using the OUTPUT chain from the filter table, you can block known communication protocols. For example, if nobody without your network should be accessing IRC servers, then you can block TCP ports 6666 and 6667 since these are commonly used for IRC:

5. sudo iptables -A OUTPUT -p tcp –dport 6666 -j REJECT sudo iptables -A OUTPUT -p tcp –dport 6667 -j REJECT

6. On mail servers, you can use this to block access from known spam subnets, and on proxy servers you can block access to sites that are infected with malware.

7. Personally, I have a different use. I perform computer network audits and some systems may be off limits or outside the scope of the audit. To prevent accidental access, I block outbound traffic to the restricted hosts. In some cases, hosts may only be accessed during certain hours (to prevent interference with regular customers). In this case, I use a cron job to add and remove access as needed. (See Chapter 7 for scheduling tasks with cron.)

9. Save your changes to a configuration file.

10. sudo iptables-save > iptables.conf

11. sudo mv iptables.conf /etc/iptables.conf

12. Make an init script for IP Tables. I created /etc/init.d/iptables and the contents are in Listing 11-4. Be sure to make the script executable: chmod 755 /etc/init.d/iptables.

Listing 11-4: The /etc/init.d/iptables Startup Script

#! /bin/sh

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

NAME=iptables

DESC="IP Tables"

[ -f /etc/iptables.conf ] || exit 1

case "$1" in

start)

echo "Starting $DESC: $NAME"

/sbin/iptables --flush -t filter

/sbin/iptables --flush -t nat

/sbin/iptables-restore /etc/iptables.conf

;;

stop)

/sbin/iptables --flush -t filter

/sbin/iptables --flush -t nat

;;

restart|reload|force-reload)

echo "Restarting $DESC: $NAME"

/sbin/iptables --flush -t filter

/sbin/iptables --flush -t nat

/sbin/iptables-restore /etc/iptables.conf

;;

*)

echo "Usage: $0 {start|stop|restart|force-reload}" >&2

exit 1

;;

esac

exit 0

13. Add the script to the startup configuration. It is configured to be one of the first scripts to run.

14. cd /etc/rcS.d

15. sudo ln -s ../init.d/iptables S37iptables

Now, any configuration saved in /etc/iptables.conf will be included during startup. If you make new changes using iptables, you can save them using sudo iptables-save.

Enabling IPsec

Although firewalls prevent some connections, they do nothing to actually authenticate the connection and offer no privacy options. If you really need to make sure the connection is permitted and don't want someone to see what you are doing, then consider using IPsec, the security extension to IP. IPsec offers digital signatures for authentication and encryption for privacy.

IPsec provides point-to-point security that can be used as a secure path or as a virtual private network (VPN). The configuration happens in two stages. First you define the keys to use, and then you define the security policies.

The main program for configuring IPsec is called setkey and it comes from the ipsec- tools package.

sudo apt-get install ipsec-tools

Unmasking Racoon

There is an alternate package to ipsec-tools called racoon. (Yes, it is spelled with one c, not like the animal with the same name.) Although racoon is popular with some Linux and BSD distributions, ipsec-tools was the first one included in the main repository for older versions of Ubuntu. This historical precedence gives it slightly more popularity with Ubuntu users. Both packages include the setkey program and both have nearly identical usage. Ironically, the man page for setkey from the ipsec-tools package explicitly references racoon, even if you don't install racoon.

So, what is the difference between racoon and ipsec-tools? Not much from my viewpoint. ipsec-tools accepts configuration commands from a file or stdin, while racoon also supports configurations on the command-line. The racoon package also uses a different configuration file location: /etc/racoon/racoon-tool. conf instead of /etc/ipsec-tools.conf.

Creating IPsec Keys

To create a key, you need to know the IP addresses for the source and destination hosts, the algorithm, and the key. For example, to define a key for 3DES encryption using cipher block chaining (CBC), I can use:

echo 'add 10.1.1.5 10.1.2.10 esp 0x201 -m tunnel

-E 3des-cbc "Twenty-four characters!!"

-A hmac-md5 0xdeadbeefcafe1234deadbeefcafe1234 ;' |

sudo setkey -c

In this case, the 3DES key for encryption is the string Twenty-four characters!!, and the secret password used for authenticating the packet is the hexadecimal value 0xdeadbeef- cafe1234deadbeefcafe1234.

The setkey program either reads in commands from a file or from stdin. If you just want to run one setting, then place the command in an echo statement and pipe the data into setkey -c. The -c option to setkey says to read from stdin, whereas -f says to read from a file. The lines that it reads are commands such as add or delete and include configuration options. Each command needs to end with a semicolon.

The add option within the setkey command is used to specify a Security Association Database (SAD) entry. These are basically combinations of encryption, authentication, and compression definitions along with network addresses.

§ Addresses-The first two options to the add command are the source and destination IP addresses. These can be IP or IPv6 address (although they must both be IP or both be IPv6).

§ Protocol-The next parameter specifies the type of protocol. The available values are usually either esp for encapsulating security payload or ah for authenticated header. The former defines a protected payload, while the latter is only used for authenticating the sender. Other protocols include esp-old and ah-old (from obsolete standards), ipcomp, and tcp for using TCP with MD5 for validation.

§ SPI-The protocol is followed by a Security Parameter Index used to identify the SAD entry.

§ Mode-The -m option identifies the type of protocol. It can be tunnel, transport, or any.A tunnel is used for a VPN, while transport is only used for protecting the transport layer (TCP or UDP traffic). Other protocols, such as ICMP, will not pass through the secure connection when using transport. Specifying -m any allows the SAD to be used for either tunnel or transportsecurity.

§ Encryption-The -E option specifies an encryption algorithm and a secret key used for the encryption. The length of the key depends on the selected encryption algorithm. For example, -E 3des-cbc requires a 24-byte key. Table 11-4 lists the available encryption algorithms and the required key lengths. Keys can be provided as hexadecimal values (beginning with 0x) or as quoted strings. If you do not specify an encryption algorithm, then the entire packet will be sent unencrypted-the same as using the null cipher with no key.

§ Authentication-The -A option specifies the algorithm for digitally signing the packet. This authentication header allows the recipient to know that the packet is actually from the sender. As with encryption, the key can either be a hexadecimal value (beginning with 0x) or a quoted string, and the key size depends on the algorithm (see Table 11-5). If this option is not specified, then the header is not authenticated.

§ Compression-The -C option can be used to specify packet compression. The only available algorithm is deflate, based on the same algorithm used to compress gzip files (see RFC2394). However, unlike gzip, you cannot specify the compression level. Although compression is useful in some situations, such as transmitting large text files, it isn't ideal for all situations. For example, most encryption algorithms generate random looking data that may not compress well. Also if the data being transmitted is already compressed, then it won't compress any further. Trying to compress data again may only consume more CPU resources. If you're transmitting small packets or not using encryption, then it might be worthwhile to enable compression since the TCP header (a significant transmission overhead) will be compressed. However, for large blocks of streaming data through an encrypted tunnel, you might see better performance without using encryption. This is because the TCP header no longer accounts for a significant amount of data, and encrypted data does not compress well. For these reasons, this option is usually not enabled.

Both ends of an encrypted tunnel need to have the same configuration. Otherwise, they will be unable to communicate. However, both directions of an encrypted tunnel do not need to use the same configuration. For example, transmitting IPsec packets may use an authenticated header with one key, and responses may use authentication and encryption with different keys.

Configuring the Security Policy Database

While the Security Association Database (SAD) is used to match algorithms to a particular configuration, the Security Policy Database (SPD) says when to use the SAD entries. The setkey option spdadddefines the requirements. For example:

spdadd 10.1.2.10 10.1.1.5 any -P in

ipsec esp/tunnel/10.1.2.10-10.1.1.5/require;

As with the add command, spdadd takes a series of parameters.

§ Addresses-The first two parameters specify the source and destination addresses. These can be provided as IP or IPv6. They can also contain an optional subnet mask and port number. For example, 10.1.2.10 is the same as 10.1.2.10/32 and 10.1.2.10/32[any]. If you want to allow an entire subnet, then you can use something like 10.1.2.0/24. You can specify port (for example, port 80) as 10.1.2.10[80] or 10.1.2.0/24[80]. Specific ports are very useful if you are configuring a static VPN.

§ Policy-The -P option specifies policy requirements. This starts with the direction of packet traversal; -P in, -P out, or -P any. While both sides of an IPsec connection need to have the same SAD values, the -P option in the SDP need to be reversed. If one system says -P in then the other needs to say -P out. The policy also defines what should happen. The options are ipsec for enabling IPsec, discard to deny access, or none to allow unsecured connections.

§ IPsec-If the policy specifies using ipsec, then you also need to specify which SAD to associate with the SPD and when to associate it. The specification has four parameters, separated by slashes.

o Protocol-This can be either esp or ah.

o Mode-This can be either tunnel or transport.

o Addresses-This is only required for tunnels; it lists the source and destination addresses with optional ports. For transport mode, this field can be blank (denoted by //).

o Level-This says when to enable IPsec. The value must be either default, use, or require. The default setting will consult the esp_trans_deflev kernel variable (see Chapter 7for sysctl). If you have not changed anything, then this means no IPsec. The use value will try to use IPsec, but fall back to regular IP if a connection cannot be established. Finally, the require value demands IPsec and will not establish a connection without it-this is the most secure option.

Configuring IPsec

There is a startup script called /etc/init.d/setkey that configures IPsec at boot. It does this by consulting the configuration file /etc/ipsec-tools.conf. If you want to configure IPsec, place your settings in this file. Listing 11-5 shows a sample configuration file that uses encryption and authenticated headers between two hosts.

Listing 11-5: Sample /etc/ipsec-tools.conf

#!/usr/sbin/setkey -f

# Flush the SAD and SPD

flush;

spdflush;

#########

# My host is 10.1.1.5

# The remote host is 10.1.2.10

#########

# Set a tunnel between 10.1.1.5 and 10.1.2.10

add 10.1.1.5 10.1.2.10 esp 0x201 -m tunnel

-E 3des-cbc "Twenty-four characters!!"

-A hmac-md5 "0123456789abcdef" ;

add 10.1.2.10 10.1.1.5 esp 0x301 -m tunnel

-E 3des-cbc "Twenty-two plus two more"

-A hmac-md5 0xdeadbeefcafe1234deadbeefcafe1234;

########

# Security policies

# NOTE: If this file is placed on the remote host, then

# swap the "-P out" and "-P in" values.

# All outbound traffic must go through the tunnel

spdadd 10.1.1.5 10.1.2.10 any -P out

ipsec esp/tunnel/10.1.1.5-10.1.2.10/require;

# All inbound traffic must come from the tunnel

spdadd 10.1.2.10 10.1.1.5 any -P in

ipsec esp/tunnel/10.1.2.10-10.1.1.5/require;

After creating the configuration file, you can test it using:

sudo setkey -f /etc/ipsec-tools.conf

If there are any errors when it loads, they will be cryptic but at least you will know that there is a problem. Errors are likely due to typographical mistakes or oversights. After it loads, you can use setkey -Dand setkey -DP to view the current settings.

$ sudo setkey -D

10.1.1.5 10.1.2.10

esp mode=tunnel spi=513(0x00000201) reqid=0(0x00000000)

E: 3des-cbc 5477656e 74792d66 6f757220 63686172 61637465 72732121

A: hmac-md5 30313233 34353637 38396162 63646566

seq=0x00000000 replay=0 flags=0x00000000 state=mature

created: Nov 25 16:53:50 2006 current: Nov 25 16:53:55 2006

diff: 5(s) hard: 0(s) soft: 0(s)

last: hard: 0(s) soft: 0(s)

current: 0(bytes) hard: 0(bytes) soft: 0(bytes)

allocated: 0 hard: 0 soft: 0

sadb_seq=1 pid=9861 refcnt=0

10.1.2.10 10.1.1.5

esp mode=tunnel spi=769(0x00000301) reqid=0(0x00000000)

E: 3des-cbc 5477656e 74792d74 776f2070 6c757320 74776f20 6d6f7265

A: hmac-md5 deadbeef cafe1234 deadbeef cafe1234

seq=0x00000000 replay=0 flags=0x00000000 state=mature

created: Nov 25 16:53:50 2006 current: Nov 25 16:53:55 2006

diff: 5(s) hard: 0(s) soft: 0(s)

last: hard: 0(s) soft: 0(s)

current: 0(bytes) hard: 0(bytes) soft: 0(bytes)

allocated: 0 hard: 0 soft: 0

sadb_seq=0 pid=9861 refcnt=0

$ sudo setkey -DP

10.1.2.10[any] 10.1.1.5[any] any

in prio def ipsec

esp/tunnel/10.1.2.10-10.1.1.5/require

created: Nov 25 16:53:50 2006 lastused:

lifetime: 0(s) validtime: 0(s)

spid=32 seq=2 pid=9864

refcnt=1

10.1.1.5[any] 10.1.2.10[any] any

out prio def ipsec

esp/tunnel/10.1.1.5-10.1.2.10/require

created: Nov 25 16:53:50 2006 lastused:

lifetime: 0(s) validtime: 0(s)

spid=25 seq=1 pid=9864

refcnt=1

10.1.2.10[any] 10.1.1.5[any] any

fwd prio def ipsec

esp/tunnel/10.1.2.10-10.1.1.5/require

created: Nov 25 16:53:50 2006 lastused:

lifetime: 0(s) validtime: 0(s)

spid=42 seq=0 pid=9864

refcnt=1

Finally, you can test the connection. If you can ping the host or connect using a known service such as SSH or HTTP, then you know it is working.

Enabling Proxies

Another way to add security to the network is to relay through a proxy. Chapter 5 covers how to install a SOCKS server for assisting privacy. The example relays web traffic through a SSH tunnel. However, this example works because the web browser was configured to use a proxy. Under Dapper, there are many different ways to configure proxies. For example, there is a general system proxy setting that few applications use. There are also some generic proxy settings that are supported by a variety of applications.

Proxies can add more than a level of indirection. Some proxy systems, like Tor, can provide network anonymity.

Using the General System Proxy

Individual applications can be independently configured to each use a proxy, In contrast, Ubuntu's Gnome desktop supports a global proxy configuration. The theory is that all applications will immediately use the proxy rather than directly access the Internet. In reality, only specific applications use these settings and you may need to log out and log back in for all applications to use the configuration. General system proxy configurations are commonly required for corporate networks that have specific outbound relays for accessing the Internet.

To set the general proxy, use System Preferences Network Proxy. This opens the Network Proxy Preferences applet (see Figure 11-3). In this applet, you can declare your SOCKS, HTTP, HTTPS, and FTP proxy servers. You will need to know the host names (or network address) as well as the proxy port number. Under the Advanced Configuration tab, you can specify local hosts and networks that do not require proxy access.

Figure 11-3: The Network Proxy Preferences applet.

Enabling Application-Specific Proxy Configurations

Although the global proxy settings are a nice idea, they are currently not supported by many applications. For example, the settings may be ignored by firefox, ssh, wget, and apt-get. If you want more general proxy support, you can use environment variables. Many applications look for HTTP, HTTPS, and FTP proxy definitions in variable names that have become de facto standards. Table 11-6 lists the more common definitions. In general, if the variable is in all capitals, only the server name and port number are specified. Lowercase variables need entire URLs.

These proxy definitions can be added to your $HOME/.profile (or $HOME/.bashrc) for individual user declarations. For system-wide support, they should be added to /etc/ bash.bashrc or /etc/profile.

Defining these proxy variables will give you proxy support for some applications, but other applications need their own configurations. For example:

§ Firefox-Proxy settings for the web browser must be specified through the Firefox preferences. If you have multiple profiles, then you will need to set the preferences in each one of them.

§ APT-The apt-get command looks for proxies in /etc/apt/apt.conf. The default install says:

§ Acquire::http::Proxy "false";

This setting disables all proxies. If you need to use a proxy, then you can change the line to something like:

Acquire::http::Proxy "http://proxyserver:port/";

This tells apt-get to use this specific proxy for HTTP access. If you have multiple proxies available, then you can specify multiple proxy definitions.

Enabling SOCKS Clients

While HTTP and FTP proxies forward specific protocols, SOCKS servers can forward almost any protocol. This can be specified using the SOCKS_SERVER environment variable. For example:

export SOCKS_SERVER=10.1.2.251:1080

Unfortunately, most applications do not support SOCKS, even if the environment variable is defined. For SOCKS support, you will need to socksify applications.

1. If you have not already installed it, then install the dante-client package. This will give you a SOCKS client.

2. sudo apt-get install dante-client

3. Edit the /etc/dante.conf configuration and declare your SOCKS server. You will need to know the server's network address, port, and version (either SOCKSv4 or SOCKSv5). My configuration specifies a SOCKS server at 10.1.2.251 and uses the standard port 1080. The configuration looks like this:

4. route {

5. from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.1.2.251 port = 1080

6. protocol: tcp udp # server supports tcp and udp

7. proxyprotocol: socks_v4 socks_v5 # server supports both versions.

8. method: none #username # no authentication needed

9. }

10. To enable SOCKS support for non-SOCKS applications, run the application through the socksify wrapper. For example to use ssh to connect to the host outside.local.lan via the SOCKS server, I can use:

11. socksify ssh outside.local.lan

Similarly, I can force Firefox to use the SOCKS server without changing the Firefox proxy settings:

socksify firefox

Anonymizing with Tor

A simple proxy is good for relaying traffic, but a group of proxies can provide network anonymity. A system called The Onion Router (Tor) uses groups of linked proxies to relay traffic. The connection between each proxy is encrypted, so anyone observing the network traffic will be unable to see what is going on. From the client's end, Tor looks like just another SOCKS proxy server (although it may have significantly higher network delays).

Installing Tor is relatively easy:

sudo apt-get install tor

The installation packages include startup scripts for /etc/init.d/ and intelligent default configurations.

To run an application over the Tor network, either set the proxy to be localhost:9050,or use the program torify the same way you would use socksify. For example, to run Firefox through the Tor network, you can use: torify firefox –no-xshm. When Firefox runs using Tor, your external IP address may be anywhere in the world. Connecting to sites like Google (http://www.google.com) may display text in English, German, Italian, or some other language depending on where Google thinks you are coming from.

Understanding Tor's Limitations

Although Tor does make all of the SOCKS connections effectively anonymous, there are still some ways to breach the anonymity.

The most significant leak is due to UDP traffic. Tor only proxies TCP. However, host name lookups use UDP. If you connect to a site by specifying the host name, then the host name lookup may be traceable back to your system. To overcome this limitation, install the privoxy package.

sudo apt-get install privoxy

The privoxy system provides an HTTP proxy interface to Tor. Since HTTP proxies do not need the client to perform host name lookups, UDP traffic is never generated by the client. You can then use the HTTP_PROXY and http_proxy environment variables (or the Firefox HTTP proxy connection preference) to specify using the privoxy server on localhost:8118.

While privoxy provides anonymity for web requests, it offers no security for other protocols. For example, SSH through a Tor connection will generate a host name lookup that is traceable.

Another limitation to Tor comes from unproxied requests. For example, if your web browser spawns a RealPlayer or Totem player for streaming video, then these players may not use the proxy server.

Debugging the Network

In my own experience, configuring networks to use proxies or encryption doesn't always work right the first time. Between typographical errors and missed steps, it might take a few tries to get it right. You are probably going to need a network sniffer to diagnose bad connections and make sure the good connections are working right. (There's no point in setting up an IPsec tunnel only to discover later that all traffic is transmitted in plain text, or to configure a proxy and find that your critical applications are not using it.)

You can use a couple of different tools to diagnose network issues. They range in complexity from "pretty pictures" to hard-core packet analysis. The main tools that I use are EtherApe, Snort, and Ethereal.

Packet sniffers are only as good as the network that they are connected to. If your network adaptor is located on an isolated network (or behind a network switch), then you are not going to see many packets. In contrast, if you are connected to a busy network then you will see lots of packets.

Using EtherApe

EtherApe is a simple packet sniffer that graphically displays all network connections. This is a great tool if you just want to know where the connections are going, without the details found in every packet.

To use EtherApe, you just need to install it and run it.

sudo apt-get install etherape

sudo etherape

The graphical display shows a large black field with every node heard on the network represented by dots (see Figure 11-4). Lines between nodes show connections, and line thickness represents the amount of traffic. Lines are color-coded based on protocols and listed in the protocol key on the left side. You can also hover your mouse over any of the lines and see the protocol's name at the bottom of the window.

Figure 11-4: EtherApe capturing packets

EtherApe can be a quick way to identify that a proxy or secure tunnel is being used. For example, if all of your network connections should pass through a proxy or VPN, then the only connections should go to one host. Similarly, ports map to protocols. If connections are supposed to use a specific port, then you can make sure that the specific port is being used. Also, if you are using IPsec and the packet should be encrypted, then you should see an unknown protocol being displayed.

Using Ethereal

Although EtherApe can give you a very quick view of what is happening, it does not allow you to tell what traffic is being transmitted. For example, if everything should use a proxy and EtherApe shows some traffic outside of the proxy's connection, then you need some way to debug it. Ethereal (also known as Wireshark) is absolutely the most powerful packet analyzer I've ever come across. Not only can it collect and display packets, but it can also disassemble the packet fields and decode most protocols. If something should be encrypted, then you can confirm that the packet contents are encrypted. If some packets are unexpected, then you can capture the packets and analyze them and investigate what is really going on.

Running Ethereal is almost as easy as running EtherApe:

1. Install the Ethereal package.

2. sudo apt-get install ethereal

3. Run Ethereal.

4. sudo ethereal

The Ethereal user interface allows you to capture packets or analyze packets, but capturing and analyzing are usually done in two separate steps.

5. Capture some packets by selecting Capture Interfaces from the menu. This will display a list of available interfaces. From this popup window, you can click the Capture button for the appropriate interface.

6. As packets are being captured, a capture status window is available. It shows the number of each packet type collected. When you are done capturing packets, you can click Stop. This moves you from the collection phase to the analysis phase.

7. The analysis window is divided into three segments (see Figure 11-5). The top shows each packet that was collected in the order that it was collected. You can click any packet to reveal the contents in the lower two window sections. The middle section shows the decoded components and the lower section shows the raw packet. You can click any part of the decoded section and the raw bytes in the lower section will be highlighted. Similarly, you can click any of the raw bytes to see what the decoded bytes mean.

Figure 11-5: The Ethereal packet analyzer

Although Ethereal is relatively easy to use, it has some very complex packet filtering options. Some functions have a very steep learning curve. If you have a need to use Ethereal for anything other than basic capture-and-analysis, then you probably should get a book dedicated to Ethereal; there are plenty of available resources. Another source for more information is the Ethereal web site http://www.wireshark.org.

Sharks and Lawyers

If you start digging into resources dedicated to Ethereal, then it won't take long until you see a product named Wireshark. Wireshark is Ethereal. Due to some legal wrangling, the creators of Ethereal are no longer permitted to use that name. Although the new name is Wireshark, you will still see the program called Ethereal; Ubuntu still delivers the ethereal package. In the future, the package may be renamed as well as the executable, but for now, Wireshark stands for Ethereal.

Using Snort and Tcpdump

Ethereal and EtherApe are very useful if you have a graphical workstation. However, if you are using a command-line terminal, remote login, or the Ubuntu Server installation, then you really need a command-line tool. The two most common are Tcpdump and Snort.

Tcpdump comes standard on Ubuntu systems. It allows you to capture packets and apply simple packet filters. For example, to capture all UDP packets, you can use: sudo tcpdump udp. If you want to capture all packets, use sudo tcpdump.

Each packet that is captured displays a line on the console. For example:

14:32:28.958743 IP ubuntu.roach.lan.32966 > dns.roach.lan.domain: 31917+

A? cow.rats. (26)

14:32:28.959476 IP ubuntu.roach.lan.32967 > dns.roach.lan.domain: 35645+

PTR? 251.1.1.10.in-addr.arpa. (41)

14:32:28.960760 IP dns.roach.lan.domain > ubuntu.roach.lan.32967: 35645*

1/1/0 PTR[|domain]

14:32:28.960929 IP ubuntu.roach.lan.32967 > dns.roach.lan.domain: 33818+

PTR? 5.1.1.10.in-addr.arpa. (39)

14:32:28.961467 IP dns.roach.lan.domain > ubuntu.roach.lan.32967: 33818*

1/1/0 PTR[|domain]

14:32:28.997905 IP dns.roach.lan.domain > ubuntu.roach.lan.32966: 31917

NXDomain 0/1/0 (101)

Each line includes a timestamp, the protocol, source and destination addresses with ports, and some of the decoded packet flags. Tcpdump can be configured to write packets to a file and the file can be later used by Ethereal for analysis.

Snort (sudo apt-get install snort) is an alternative to Tcpdump. Just as Ethereal is more complex than EtherApe, Snort is more complex than Tcpdump. Using Snort, you can capture packets, display contents, trigger rules and alerts, and even create your own plug-in filters. As with Ethereal, if you need to use Snort for anything more complicated that displaying packets with basic filters (for example, sudo snort -v udp), then I strongly recommend the Snort homepage (http://www.snort.org) as a resource. There are also plenty of books on basic and advanced Snort configurations.

Summary

Networking with Ubuntu does not need to be static. At any time you can enable new network adaptors and reconfigure existing ones. Network connections may be direct, routed through proxies, or protected through encrypted network connections. With tools like ndiswrapper, you are not limited to hardware with Linux drivers, and IPsec and Tor add security to your connections.

Configuring new network routes is not always simple. Ubuntu offers a variety of powerful packet analysis tools that you can use to diagnose network problems.