
Tech Skills - Linux Security Techniques - 5.0 Security Testing
Filename: techskills-linuxsecurity-5-1-verifying_firewall_configurations
Title: Verifying Firewall Configurations
Subtitle: Linux Security Techniques

5.1 Verifying Firewall Configurations


What tools can we use to see whether our firewall is working properly?

Determine port status


More ports are usually open than we intend to expose
Make a list of ports that should be reachable from the network
Make a list of ports that are listening on the host, but should be blocked by the firewall
Use scanning software from another host to confirm that those ports really are unreachable

How can we see what ports are open on our system?

Two primary tools


netstat aka "The old way"
NETwork STATistics
ss aka "The new way"
Socket Statistics

Can you show us how netstat works?

netstat
Display active sessions
netstat -t
-t Display only TCP sockets
Hides all of the UNIX domain sockets
netstat -ut
Displays TCP and UDP
Disable name resolution
netstat -tn
-n Show numeric addresses and ports instead of resolving host, port and user names (faster, and nothing leaks to DNS)
Display all sessions
netstat -at
-a Show listening and non-listening sockets (listening sockets are omitted by default)
What is using a port?
netstat can show which process owns each socket
netstat -atp
-p Show the PID and name of the program that owns each socket
Use sudo for the most complete information: without root, the PID/Program column is blank for sockets owned by other users
Can also use fuser to find the process ID
sudo fuser 111/tcp

What about ss? Is it mostly the same?

ss
ss (from iproute2) is replacing netstat, which belongs to the deprecated net-tools package
Display listening sockets
ss -l
Provide output similar to netstat (the -t, -u, -a, -n and -p options have the same meaning)
ss -ta
ss -ua
ss -tua
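The inventory step from the start of the episode (list what is listening, compare it with what should be open), as an added example written for this page and not taken from the course: the script parses `ss -tulnH` output (the -H flag drops the header; a constructed sample is embedded so it runs offline) and reports non-loopback listeners that are missing from an assumed allow-list, plus expected ports that nothing is bound to. The allow-list and the sample are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the course): inventory listening sockets from
# `ss -tulnH` output and compare them with an allow-list of expected ports.
# SS_SAMPLE is constructed sample output, not captured from a real host.
SS_SAMPLE='udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*'

# Ports the host is supposed to expose (proto/port); an assumed allow-list.
EXPECTED='tcp/22'

# listening_ports: one "proto/port" per line for sockets bound to a
# non-loopback address (loopback-only listeners are not reachable remotely).
# Column 5 is "addr:port"; the port is everything after the last ':'.
listening_ports() {
    printf '%s\n' "$SS_SAMPLE" | awk '
        $1 == "tcp" || $1 == "udp" {
            addr = $5
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[^:]*$/, "", host)
            if (host != "127.0.0.1" && host != "[::1]")
                print $1 "/" port
        }' | sort -u
}

# unexpected_listeners: every remotely reachable listener not in $EXPECTED.
unexpected_listeners() {
    for p in $(listening_ports); do
        case " $EXPECTED " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# missing_listeners: expected ports that nothing is bound to.
missing_listeners() {
    have=$(listening_ports)
    for p in $EXPECTED; do
        printf '%s\n' "$have" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Usage on a live host: replace SS_SAMPLE with "$(ss -tulnH)".
echo "listening:";   listening_ports
echo "unexpected:";  unexpected_listeners
echo "missing:";     missing_listeners
```

With the sample above, rpcbind (111/tcp and 111/udp) is reported as unexpected; those are exactly the ports to put on the "listening, but blocked by the firewall" list and then confirm with a scan.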

Now that we know what ports are open, how can we see what the firewall is allowing?

Depends on the firewall


Check the related episode or the documentation
firewalld
firewall-cmd --zone=public --list-all
firewall-cmd --list-all-zones
iptables
iptables --list
Lists only the filter table by default (use -t for nat or mangle); run it with sudo, since reading the rules requires root
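Reading a rule listing by eye is error-prone, so here is an added example (written for this page, not part of the course) that predicts what the INPUT chain will do with a remote probe to a given port, using the first-match semantics iptables applies. It reads `iptables -S INPUT` output (a constructed sample is embedded) and understands only simple rule shapes: a single -p/--dport match, catch-all rules, conntrack and loopback rules (skipped, because a fresh remote probe matches neither), and the chain policy. Anything else in a real chain would need the evaluator extended.

```shell
#!/bin/sh
# Added example (not from the course): predict the INPUT-chain verdict for a
# port from `iptables -S INPUT` output using first-match semantics.
# RULES is constructed sample output, not captured from a real host.
RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# verdict PROTO PORT: prints ACCEPT, DROP or REJECT (plus the reject type
# when one is given) for a new inbound packet on a non-loopback interface,
# i.e. what a remote nmap probe to that port would run into.
verdict() {
    proto=$1; port=$2
    printf '%s\n' "$RULES" | awk -v proto="$proto" -v port="$port" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            # Pull out the pieces of the rule this evaluator understands.
            rp = ""; rport = ""; target = ""; iface = ""; extra = ""; state = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")                 rp = $(i+1)
                else if ($i == "--dport")       rport = $(i+1)
                else if ($i == "-j")            target = $(i+1)
                else if ($i == "-i")            iface = $(i+1)
                else if ($i == "--ctstate")     state = 1
                else if ($i == "--reject-with") extra = " " $(i+1)
            }
            # A fresh probe is NEW (not RELATED/ESTABLISHED) and does not
            # arrive on lo, so those rules can never match it.
            if (state || iface == "lo") next
            if (rp != "" && rp != proto) next
            if (rport != "" && rport != port) next
            print target extra; matched = 1; exit
        }
        END { if (!matched) print policy }'
}

# Usage on a live host: replace RULES with "$(sudo iptables -S INPUT)".
for p in "tcp 22" "tcp 111" "udp 111" "tcp 80"; do
    set -- $p
    printf '%s/%s -> %s\n' "$1" "$2" "$(verdict "$1" "$2")"
done
```

The verdict tells you what the scanner should report: ACCEPT shows as open (or closed if nothing listens), DROP shows as filtered, and a REJECT with an ICMP reject type also shows as filtered. If the scan disagrees with the prediction, either the rule set has a shape the evaluator does not model or another device in the path is filtering.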

How can we test which ports are actually closed?

nmap
Network MAPper
Open source utility
Freely available
https://nmap.org/
Install nmap
yum install nmap
Install zenmap GUI (Optional)
yum install https://nmap.org/dist/zenmap-7.60-1.noarch.rpm
sudo zenmap &

How do we use nmap to scan for open ports?

Perform a basic scan


nmap <ip>
By default nmap scans the 1,000 most common TCP ports
Scan only the privileged ports (those below 1024, which only root can bind)
nmap -p 1-1024 172.17.0.128
Scan the 100 most common ports (fast mode)
nmap -F 172.17.0.128

What do the port states mean?

open
An application is accepting TCP connections or UDP datagrams on the port
closed
The port is reachable (the host answers the probe with a TCP RST or an ICMP port unreachable), but no application is listening on it
filtered
A packet filter prevents the probe from reaching the port, so nmap cannot tell whether it is open
Indicates a hardware/software firewall
Either nothing comes back at all (a DROP rule) or the host returns an ICMP error such as "administratively prohibited" (a REJECT rule with an ICMP reject type)
A REJECT rule that answers with a TCP reset (--reject-with tcp-reset) makes the port look closed instead, which is indistinguishable from no service at all
unfiltered
Port is reachable, but nmap cannot determine if it is open or closed
Only the ACK scan (-sA) produces this state; follow up with a SYN or connect scan to classify the port
open|filtered
nmap cannot determine if the port is open or filtered
One of them is true
Reported when an open port would give no response anyway, which is normal for UDP, FIN, NULL and Xmas scans: the probe was either silently dropped by a firewall or accepted by a service that does not answer unsolicited input
closed|filtered
nmap cannot determine if the port is closed or filtered
One of them is true
Only reported by the IP ID idle scan (-sI)
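Turning the port states into a firewall verdict, as an added example written for this page (not code from the course): the script reads an nmap grepable report (-oG; a constructed sample is embedded so it runs offline) and cross-checks each state against the host's own list of listening ports, which is the "listening, but blocked by the firewall" list from the start of the episode and is assumed here as a constant. Listeners seen as open are exposed, listeners seen as filtered or closed are being blocked, and open|filtered results are flagged for a follow-up probe rather than counted as blocked.

```shell
#!/bin/sh
# Added example (not from the course): compare an nmap -oG report with the
# host's own listening list. SCAN and LISTENING are constructed samples.
TAB=$(printf '\t')
# As produced by: nmap -sS -sU -p T:22,111,3306,U:111 -oG - 172.17.0.128
SCAN="# Nmap 7.60 scan initiated (constructed sample)
Host: 172.17.0.128 ()${TAB}Status: Up
Host: 172.17.0.128 ()${TAB}Ports: 22/open/tcp//ssh///, 111/filtered/tcp//rpcbind///, 3306/closed/tcp//mysql///, 111/open|filtered/udp//rpcbind///${TAB}Ignored State: closed (0)"

# What the host itself reports as bound to non-loopback addresses (ss -tuln).
LISTENING='tcp/22 tcp/111 udp/111'

# scan_states: one "proto/port state" line per scanned port. In -oG output the
# Ports field is tab-separated from the rest and each entry is
# port/state/proto/owner/service/rpc/version/.
scan_states() {
    printf '%s\n' "$SCAN" | awk -F '\t' '/Ports:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            n = split(substr($i, 8), ports, ", ")
            for (j = 1; j <= n; j++) {
                split(ports[j], f, "/")
                print f[3] "/" f[1], f[2]
            }
        }
    }'
}

# firewall_check: classify every local listener by the state the scanner saw.
firewall_check() {
    states=$(scan_states)
    for lp in $LISTENING; do
        st=$(printf '%s\n' "$states" | awk -v p="$lp" '$1 == p { print $2 }')
        case "$st" in
            open)            printf 'EXPOSED %s\n' "$lp" ;;
            filtered|closed) printf 'BLOCKED %s (%s)\n' "$lp" "$st" ;;
            'open|filtered') printf 'UNKNOWN %s (no reply: DROP rule or silent UDP service)\n' "$lp" ;;
            '')              printf 'UNSCANNED %s\n' "$lp" ;;
            *)               printf 'OTHER %s (%s)\n' "$lp" "$st" ;;
        esac
    done
}

# Usage on a real scan: SCAN="$(nmap -sS -sU -p T:22,111,U:111 -oG - HOST)".
firewall_check
```

The UNKNOWN case is the one people get wrong: a DROP rule and a UDP service that simply does not answer look identical to a plain UDP scan, so confirm with version detection (-sV) or a protocol-specific probe before marking the port as blocked.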

Are there any other scan types we should be aware of?

Stealth SYN Scan with OS Detection


NOTE: SYN scan is the default when nmap runs as root; unprivileged users get a connect scan instead
nmap -sS -O 172.16.0.0/24
Both -sS and -O send raw packets, so they need root
TCP Connect scan
nmap -sT 172.16.0.128
nmap -sT -p 80 172.16.0.128
UDP scan
nmap -sU 172.16.0.128
Slow, needs root, and most ports come back open|filtered because nothing answers
Disable host discovery (ping probes), so hosts that block ICMP are still scanned
nmap -sT -PN 172.16.0.128
-PN is the older spelling of -Pn
