Don't Get Hacked on Hostile WiFi

1,397 views
1,289 views

Published on

Presentation given at Ohio Linuxfest 2008 on how to lock down a Linux laptop for use in hostile wifi situations (ex: hacker con).

Published in: Technology
1 Comment
1 Like
Statistics
Notes
  • http://www.mediafire.com/download/bibo8k8wqt5ckwe
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
1,397
On SlideShare
0
From Embeds
0
Number of Embeds
17
Actions
Shares
0
Downloads
18
Comments
1
Likes
1
Embeds 0
No embeds

No notes for slide

Don't Get Hacked on Hostile WiFi

  1. 1. Don't Get Cracked on Hostile WiFi Mackenzie "maco" Morgan http://ubuntulinuxtipstricks.blogspot.com Ohio Linux Fest 11 Oct 2008
  2. 2. Scenario  Open WiFi  Security conference  Hackers everywhere
  3. 3. Disclaimer  You won't be low-hanging fruit  But won't stop OSI Layer 2 attacks
  4. 4. Before You Go  VPN  Firewall & services  Users & passwords  DNS  Hashes  Disable SHMConfig in xorg.conf  Phone a friend
  5. 5. VPN  Creates encrypted tunnel  Termination point  DD-WRT on your router at home  School network  Online services
  6. 6. Firewall Goals  Drop all inbound on all interfaces  Minimal outbound ports on wireless interface  VPN port  DNS  Whitelist outbound ports on tunnel interface
  7. 7. Firewall & Services  UFW alone is insufficient  Cannot do outbound  Need to edit /etc/ufw/before.rules and /etc/default/ufw  Outbound matters  No phoning home  Drop, not reject – takes longer to port scan  No external services  Are you going to SSH into the laptop you're holding?  IPv6 firewall is ip6tables, not iptables
  8. 8. Default drop in UFW /etc/default/ufw IPV6=no DEFAULT_INPUT_POLICY="DROP" DEFAULT_OUTPUT_POLICY="DROP" DEFAULT_FORWARD_POLICY="DROP" But that's not enough... /etc/ufw/before.rules has these lines by default: # connection tracking for outbound -A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  9. 9. Other Example Rules # DNS -A ufw-before-output -p udp --dport 53 -j ACCEPT # Ping -A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT # Allow VPN running on port 4500 through wireless interface -A ufw-before-output -p 50 -d x.x.x.x -o wlan0 -j ACCEPT -A ufw-before-output -p udp -d x.x.x.x --sport 4500 --dport 4500 -o wlan0 -j ACCEPT # Allow outbound SSH, HTTP/S, Jabber, and IRC on tunnel interface -A ufw-before-output -p tcp -m multiport --dports 22,80,443,5222,6667 -o tun0 -j ACCEPT Port numbers for protocols can be found in /etc/services
  10. 10. Users & Passwords  Temporary strong password for you  Disable unneeded users  passwd -l  Set /bin/false as shell in /etc/passwd
  11. 11. DNS  Hardcode your DNS servers  /etc/dhcp3/dhclient.conf prepend domain-name-servers 208.67.222.222; prepend domain-name-servers 208.67.220.220;  DNS Sec if you're really paranoid
  12. 12. Hashes  Not-from-repository binaries  Configuration files  Will come in handy later
  13. 13. SHMConfig  Used for configuring synaptics touchpads with synclient or Gsynaptics  Creates area of 777 memory  Turn it OFF!
  14. 14. One Last Thing... Test your setup   Netstat  Nmap (or Zenmap)
  15. 15. While There  Bluetooth  Wireshark  Logs  Physical Security
  16. 16. Bluetooth  Can't really firewall it off  Blacklist the module  /etc/modprobe.d/blacklist  Add line "blacklist hci_usb"  Don't forget your cell phone
  17. 17. Wireshark & Logs  Watch /var/log/kern.log  Look for connection attempts
  18. 18. Physical Security  Theft of hardware isn't the only threat  Don't leave your laptop unattended  Don't let any untrusted person touch it  Use the buddy system to protect the laptop  DVDs, CDs, and flash drives: Do Not Mount
  19. 19. Afterward  Verify binaries  Check environment variables  Check for new services  Change password again  Use Netstat to check for oddly-open ports
  20. 20. Verifying binaries  From repositories  rpm -Va  debsums -c  Compare hashes of non-repository binaries with ones from before
  21. 21. If You're Really Worried...  Reinstall!
  22. 22. New Security Features  Shadow 4.1  SHA-256 and SHA-512 for /etc/shadow  MD-5 and SHA-1 are no longer recommended by NIST  Touchpad configuration can be changed without SHMConfig
  23. 23. Questions?
  24. 24. See Also  DNS Sec:  http://ubuntuforums.org/showthread.php?t=492489  NSA SNAC Guide:  http://www.nsa.gov/snac/os/redhat/rhel5-guide- i731.pdf  man iptables  IANA ports list:  http://www.iana.org/assignments/port-numbers

×