CA Module 4
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Linux Overview
Linux in the SOC (Contd.)
The following table lists a few tools that are often found in a SOC:
SOC Tool Description
Intrusion detection systems (IDSs)
• These tools are used for real-time traffic monitoring and inspection.
• If any aspect of the currently flowing traffic matches any of the established rules, a pre-defined action is taken.
Security information and event management (SIEM)
• SIEMs provide real-time analysis of alerts and log entries generated by network appliances such as IDSs and firewalls.
Linux Overview
Linux Tools
• Linux computers that are used in the SOC
often contain penetration testing tools.
• A penetration test, also known as PenTesting,
is the process of looking for vulnerabilities in
a network or computer by attacking it.
• Packet generators, port scanners, and proof-
of-concept exploits are examples of
PenTesting tools.
• Kali Linux is a Linux distribution that bundles many penetration testing tools.
• Notice all the major categories of penetration
testing tools of Kali Linux.
Linux Servers and Clients
An Introduction to Client-Server Communications
• Servers are computers with software
installed that enables them to provide
services to clients across the network.
• Some provide external resources such
as files, email messages, or web pages
to clients upon request.
• Other services run maintenance tasks
such as log management, disk scanning
and so on.
• Each service requires separate server
software.
• The server in the figure uses file server
software to provide clients with the ability
to retrieve and submit files.
Linux Servers and Clients
Servers, Services, and Their Ports
• A port is a reserved network resource used by a service.
• While the administrator can decide which port to use with any given service, many clients are
configured to use a specific port by default.
• The following table lists a few commonly used ports and their services. These are also called well-known ports.
Port Description
20/21 File Transfer Protocol (FTP)
22 Secure Shell (SSH)
23 Telnet remote login service
25 Simple Mail Transfer Protocol (SMTP)
53 Domain Name System (DNS)
67/68 Dynamic Host Configuration Protocol (DHCP)
Linux Servers and Clients
Clients
• Clients are programs or applications
designed to communicate with a
specific type of server.
• Clients use a well-defined protocol to
communicate with the server.
• Web browsers are web clients that are
used to communicate with web servers
through the Hyper Text Transfer
Protocol on port 80.
• The File Transfer Protocol client is
software used to communicate with an
FTP server.
• The figure shows a client uploading files to a server.
Basic Server Administration
Hardening Devices
• Device hardening involves implementing proven methods of securing the device and
protecting its administrative access.
• Some of these methods involve maintaining passwords, configuring enhanced remote login
features, and implementing secure login with SSH.
• Depending on the Linux distribution, many services are enabled by default. Stopping such
services and ensuring they do not automatically start at boot time is another device hardening
technique.
• OS updates are extremely important to maintaining a hardened device. OS developers create
and issue fixes and patches regularly.
The following are basic best practices for device hardening:
• Ensure physical security
• Minimize installed packages
• Disable unused services
• Use SSH and disable the root account login over SSH
• Keep the system updated
• Disable USB auto-detection
• Enforce strong passwords
• Force periodic password changes
• Keep users from re-using old passwords
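Two of the practices above, "disable the root account login over SSH" and "disable unused services", can be audited from the shell. The script below is an added example, not part of the Cisco course material: it reads an sshd_config file and a saved listing in the format of `ss -tln` (both constructed here so the script runs offline) and reports the effective PermitRootLogin value and any listening TCP port that is not on an allowlist. The allowlist of 22, 25 and 80 is an assumption for the demo, drawn from the well-known ports table earlier in the module.

```shell
#!/bin/sh
# Added example (not Cisco course material): two checks from the hardening
# list, run against constructed sample input so the script works offline.
#   1. Is root login over SSH disabled in sshd_config?
#   2. Which listening TCP ports are not on the expected-services allowlist?

# Check 1: effective PermitRootLogin value in an sshd_config file.
# sshd uses the first uncommented occurrence of a keyword, so that is what
# is reported (Match blocks are not handled by this simple check).
# Prints "ok" when the value is "no"; otherwise prints the value found,
# or "missing" when the keyword is not set explicitly.
check_root_login() {
    value=$(awk 'tolower($1) == "permitrootlogin" && v == "" { v = $2 }
                 END { print (v == "" ? "missing" : v) }' "$1")
    if [ "$value" = "no" ]; then
        echo "ok"
    else
        echo "$value"
    fi
}

# Check 2: listening TCP ports versus an allowlist.
# $1 is a file holding `ss -tln`-style output; $2 is a space-separated list
# of ports the server is expected to offer. Prints each listening port that
# is not in the allowlist, one per line.
unexpected_ports() {
    listing="$1"; allow="$2"
    # Local Address:Port is the 4th column; keep the text after the last ':'
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' "$listing" | sort -un |
    while read -r port; do
        case " $allow " in
            *" $port "*) ;;            # expected service
            *) echo "$port" ;;         # not on the allowlist
        esac
    done
}

# --- Constructed sample input (not from a real host) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/sshd_config" <<'EOF'
# Constructed sshd_config excerpt
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$tmp/ss.txt" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       5       [::]:23             [::]:*
EOF

echo "PermitRootLogin check: $(check_root_login "$tmp/sshd_config")"
echo "Listening ports not in allowlist (22 25 80):"
unexpected_ports "$tmp/ss.txt" "22 25 80"
```

On a live host the same two functions can be pointed at `/etc/ssh/sshd_config` and at the output of `ss -tln` saved to a file. Here the sample config reports `yes` and the listing reports port 23 (Telnet) as unexpected, which is exactly the kind of leftover service the hardening list says to disable.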
Basic Server Administration
Monitoring Service Logs
• Log files are the records that a computer stores to keep track of important events. Kernel,
services, and application events are all recorded in log files.
• By monitoring Linux log files, an administrator gains a clear picture of the computer’s
performance, security status, and any underlying issues.
• In Linux, log files can be categorized as:
• Application logs
• Event logs
• Service logs
• System logs
• Some logs contain information about daemons that are running in Linux. A daemon is a
background process that runs without the need for user interaction.
Working on a Linux Host
Malware on a Linux Host
• Linux malware includes viruses, Trojan horses,
worms, and other types of malware that can
affect the operating system.
• A common Linux attack vector is its services
and processes.
• The command output shows an attacker using
the Telnet command to probe the nature and
version of a web server (port 80).
• The attacker has learned that the server is
running nginx version 1.12.0. The next step
would be to research known vulnerabilities in
the nginx 1.12.0 code.
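The defender's counterpart to the probe described above is to inspect your own server's response headers and notice when they advertise a product version. The script below is an added example, not part of the Cisco course material: it reads a saved HTTP response (two constructed ones are embedded) and reports whether the Server header carries a version number. On a live host the same headers can be captured with `curl -sI http://localhost/`, assuming curl is installed.

```shell
#!/bin/sh
# Added example (not Cisco course material): flag a Server header that
# reveals a product version, using constructed HTTP responses.

# Prints "disclosed: <value>" when the Server header contains a version
# number (digit, dot, digit), or "ok" when it is absent or version-free.
server_version_disclosure() {
    hdr=$(awk 'tolower($1) == "server:" {
                   sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit
               }' "$1")
    case "$hdr" in
        *[0-9].[0-9]*) echo "disclosed: $hdr" ;;
        *)             echo "ok" ;;
    esac
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# Constructed response from a server that still advertises its version
cat > "$tmp/verbose.txt" <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.12.0
Date: Fri, 03 Mar 2017 10:15:00 GMT
Content-Type: text/html
EOF

# Constructed response after setting `server_tokens off;` in nginx.conf
cat > "$tmp/quiet.txt" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 03 Mar 2017 10:15:00 GMT
Content-Type: text/html
EOF

echo "verbose server: $(server_version_disclosure "$tmp/verbose.txt")"
echo "quiet server:   $(server_version_disclosure "$tmp/quiet.txt")"
```

Hiding the version (nginx does this with the real `server_tokens off;` directive) does not remove a vulnerability, but it denies the attacker the shortcut of looking up known issues for an exact release; the patching described under device hardening is still what closes the hole.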
Working on a Linux Host
Rootkit Check
• A rootkit is a type of malware designed to increase an
unauthorized user’s privileges or grant access to portions
of the software that should not normally be allowed.
• A rootkit is destructive as it changes kernel code and its
modules, changing the most fundamental operations of
the OS itself.
• Rootkit detection methods include booting the computer
from a trusted media.
• Rootkit removal can be complicated. Re-installation of the
operating system is the only real solution to the problem.
• chkrootkit is a popular Linux-based program designed to check the computer for known rootkits.
• The command output shows chkrootkit running on an Ubuntu Linux host.
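The reason the slide recommends booting from trusted media is that a rootkit on the running system can alter both the files on disk and the tools that inspect them. The script below is an added example, not part of the Cisco course material and not chkrootkit's own method: it demonstrates the underlying principle by recording a baseline of SHA-256 hashes while the files are known to be clean and later reporting every file whose hash has changed or that has gone missing. The directory and files are constructed stand-ins; on a real host the baseline would cover system binaries and kernel modules and would be stored on, and checked from, read-only media.

```shell
#!/bin/sh
# Added example (not Cisco course material): file-integrity baseline check,
# the idea behind verifying a host from trusted media.

# SHA-256 of one file as "<hash>  <path>"; assumes paths contain no spaces.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Record a baseline file ($2) covering every regular file under directory $1.
make_baseline() {
    find "$1" -type f | sort | while read -r f; do hash_file "$f"; done > "$2"
}

# Print each baseline path whose current hash differs or that is missing;
# prints nothing when everything still matches the baseline.
verify_baseline() {
    while read -r expected path; do
        actual=$(hash_file "$path" 2>/dev/null | awk '{ print $1 }')
        [ "$actual" = "$expected" ] || echo "$path"
    done < "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/bin"
printf 'original ls\n' > "$tmp/bin/ls"    # constructed stand-ins for system binaries
printf 'original ps\n' > "$tmp/bin/ps"
make_baseline "$tmp/bin" "$tmp/baseline.sha256"

echo "Clean check (expect no output):"
verify_baseline "$tmp/baseline.sha256"

# Simulate the kind of change a rootkit leaves behind: ps replaced on disk
printf 'tampered ps\n' > "$tmp/bin/ps"
echo "After tampering (expect bin/ps):"
verify_baseline "$tmp/baseline.sha256"
```

Package managers ship the same idea for the files they installed (`rpm -Va` on the RHEL family, `debsums` on Debian and Ubuntu), but their databases live on the possibly compromised disk, which is why a baseline kept on trusted media and a boot from that media remain the stronger check.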