KLUG Meeting Minutes and Agenda (#26)

The 26th meeting of the Kingston Linux User Group was held Mon, Dec. 4, 2000 at 7PM at RMC. The meeting lasted until about 10:00 PM.

The attendees were:
Brommer, Peter
Conrad-Avarmaa, Brigitte
Drummond, Mark
Farnell, Cam
Hore, Dennis
Lessard, Dave
Lott, Rodney
MacIntosh, Bob
Mitton, Douglas

Meeting Schedule:
xx - Wed, Dec. 13 - End-of-year dinner at McGinnis Landing, Bath Rd. at 6pm.
27 - Wed, Jan. 3 at RMC. "Intro to Linux"
28 - Mon. Feb. 5 at RMC. "Installation HowTo"
28 - Wed, Mar. 7 at RMC. "System Administration I"

Summary Of Activities:
- Web page host and domain name - www.klug.on.ca.
- Mailing list - http://www.egroups.com/search?query=klug

Agenda/Minutes:

1) Roll Call and Introductions (if required) - See attendees above.

2) This Meeting:

There were 9 attendees to our 15th presentation "System and Network Security Part II" by Mark Drummond.

To start off, this presentation was about securing a computer, or a group of computers connected to a network and, ultimately, to the internet. The first thing to remember is that, despite all the horror stories, if you don't run any network services there is nothing on your computer or network for an attacker on the internet to connect to and exploit. Network services are programs that listen on ports and allow your computer to supply information to, or manage it for, other computers. A port is like a virtual door into your computer via the network. Examples of commonly used services and their ports are an http (web) server on port 80, pop email access on port 110, smtp email on port 25 and ftp file transfer on port 21.

The next thing to be careful not to confuse is the concept of client and server applications. Clients are the common programs that allow you to access a service on another computer. Netscape and lynx are http clients which interact with an httpd server like Apache on an internet site. Eudora is an email client which will access a popd and/or smtpd server on an ISP's system.
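The following is an added example for these minutes; it is not code from the presentation or from KLUG. It shows the "services listening on ports" idea in practice by reading /proc/net/tcp, the kernel table behind netstat -tln, and reporting every listening TCP port with the well-known service name and how widely it is exposed. The sample table below is constructed, not captured from a real machine, and the address decoding assumes a little-endian (x86) host, where the kernel writes 127.0.0.1 as 0100007F.

```python
"""Added example, not from the KLUG minutes or Mark's presentation: list the
TCP services a Linux box is offering by reading /proc/net/tcp, the kernel
table that netstat -tln displays. Each LISTEN socket is a service waiting
behind one of the "virtual doors" (ports) the presentation describes."""
import socket
import struct

LISTEN = "0A"  # kernel TCP state code for a socket in the LISTEN state

# Ports named in the presentation plus a couple of other common ones
PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3"}


def decode_addr(hexaddr):
    """Turn /proc/net/tcp's 'AABBCCDD:PPPP' into (dotted IP, port).
    The IPv4 address is one 32-bit hex value in host byte order, so on an
    x86 (little-endian) host 127.0.0.1 appears as 0100007F (assumption)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def exposure(ip):
    """Describe who can reach a listener bound to this address."""
    if ip == "0.0.0.0":
        return "all interfaces"
    if ip == "127.0.0.1":
        return "localhost only"
    return ip


def listening_services(proc_net_tcp_text):
    """Return sorted (port, name, exposure) tuples for every LISTEN socket."""
    services = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # established or closing connections are not services
        ip, port = decode_addr(fields[1])
        services.append((port, PORT_NAMES.get(port, "unknown"), exposure(ip)))
    return sorted(services)


def audit_live_system():
    """Read the real table; run this on the box you want to audit."""
    with open("/proc/net/tcp") as fh:
        return listening_services(fh.read())


# Constructed sample of /proc/net/tcp (not captured from a real machine):
# ftp and http bound to every address, smtp bound to localhost only, pop3
# bound to one address, and one established connection that is not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0200000A:006E 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 0200000A:0050 0300000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for port, name, where in listening_services(SAMPLE_PROC_NET_TCP):
        print(f"port {port:5d}  {name:8s}  reachable from: {where}")
```

Run on the sample it lists ftp and http open to every interface, smtp reachable from localhost only, and pop3 on a single address; the established http connection is skipped because its state is 01, not 0A. The same listing from audit_live_system() is the starting point for "know what services your computer is providing": anything in the output you did not mean to offer is a door to close.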
On most UNIX-like systems, Linux included, the server's name usually ends in a "d" (for daemon) to differentiate it from the client side. A simple example is the "ftp" client communicating with the "ftpd" server to transfer files from one computer to another.

Mark then described a typical attack sequence against a computer, used to determine whether it is possible to break into it. If you run your Windows or Linux computer on a semi-full-time internet connection and monitor accesses to your system, you will see these happening to you.

The first step of an attack is to port scan a large number of IP addresses to build a database of addresses and ports that respond. This can be done with a readily available utility called nmap. In your logs, such an attack will show up as a large number of attempts to enter your system in a VERY short period of time.

The next step is to use the positive responses from that scan to query each port that is running a service and collect the type and version number of the service. Most services will willingly supply this information.

Next, the attacker checks the responding services against known exploits. Once matches are found, an attack can be mounted. The most common (?) of these attacks are "stack overflows", which give the attacker root or administrator privileges on your machine. This allows them to collect data from your system, trash the data on that system, or use your computer as a launch point to attack another system. The danger in this last use is that you personally get blamed. In a previous presentation (June 5, 2000) Rob and Kerry demonstrated a stack overflow attack.

Mark then went into the ways to protect your system. First is to know what services your computer is providing and to provide only the services that you need. Second is to keep those services up to date and to monitor security announcements for exploits and fixes for them. Third is to monitor your system usage and watch for any questionable accesses.
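As an added example for the third protection step (not code from the presentation or from KLUG), here is the detection side of the port-scan pattern Mark described: a script that reads firewall log lines and flags any source address that knocked on many different ports within a short window. It assumes the log lines are in the format the Linux iptables LOG target writes to syslog; the hostname, the "FW-DROP:" prefix, the addresses and the timestamps in the sample are constructed for the example.

```python
"""Added example, not from the KLUG minutes or Mark's presentation: flag the
port-scan pattern described in the minutes ("a large number of attempts to
enter your system in a VERY short period of time") in firewall log lines.
Assumed log format: the Linux iptables LOG target as written to syslog."""
import re
from collections import defaultdict
from datetime import datetime

# Pull the fields we need out of an iptables LOG line
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (timestamp, source IP, destination port), or None for other lines."""
    match = LOG_RE.search(line)
    if not match:
        return None
    # syslog stamps carry no year; strptime fills in 1900, which is fine for differences
    stamp = " ".join(line.split()[:3])
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S")
    return ts, match.group("src"), int(match.group("dpt"))


def find_scanners(lines, min_ports=10, window_seconds=60):
    """Map source IP -> most distinct destination ports it hit within any
    window_seconds-long window, for sources that reached min_ports or more.
    A client retrying one service many times never trips this, because the
    count is of distinct ports, not of attempts."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dpt = rec
            hits[src].append((ts, dpt))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {port for _, port in events[start:end + 1]}
            if len(distinct) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners


def _log_line(hhmmss, src, dpt):
    # Constructed line in iptables LOG format; hostname, prefix and addresses are made up
    return (f"Dec  4 {hhmmss} gw kernel: FW-DROP: IN=eth0 OUT= SRC={src} DST=198.51.100.2 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51234 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample log: one host probes twelve ports in twelve seconds, another
# host simply retries the web server three times, and one unrelated sshd line.
SCANNED_PORTS = [21, 22, 23, 25, 53, 79, 80, 110, 111, 113, 139, 143]
SAMPLE_LOG = [_log_line(f"21:03:{11 + i:02d}", "203.0.113.7", p) for i, p in enumerate(SCANNED_PORTS)]
SAMPLE_LOG += [_log_line(f"21:03:{11 + i:02d}", "198.51.100.9", 80) for i in range(3)]
SAMPLE_LOG.append("Dec  4 21:03:30 gw sshd[412]: Accepted publickey for alice from 198.51.100.9 port 40022 ssh2")

if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports within 60 s")
```

On the sample only 203.0.113.7 is reported, with 12 distinct ports; the host that retried port 80 three times is ignored, which is the difference between a scan and ordinary traffic. The thresholds are deliberately parameters: a slow scanner that spreads probes over hours needs a longer window and is where a dedicated tool like the ones mentioned below earns its keep.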
Monitoring is not as bad as it sounds, and programs like Snort and Port Sentry will assist with and automate it.

Mark then went into the related topic of firewalling your system. A firewall provides very precise rules that control access to, from and via your computer and any attached home network to the internet. It is included in all current Linux distributions and typically has a very automated setup. Part of this firewall, called masquerading, is required if you want a number of home computers to share a single high-speed internet connection via Linux.

[The Dec 2000 edition of Linux Journal has an article on page 116 that explains in detail the dangers of port scans and ping sweeps and how to both implement and protect against them.]

Thanks for the presentation Mark and thanks to all who participated. And don't forget to mark your calendar for Wed, Dec. 13 at 6pm for the end-of-year social dinner at McGinnis Landing on Bath Road. See you there.

3) Next Meeting: Wed, Jan. 3, 2001 - "Intro To Linux".

4) Socialize / Adjourn