
Don't Get Hacked on Hostile WiFi


Presentation given at Ohio Linuxfest 2008 on how to lock down a Linux laptop for use on hostile WiFi (e.g. at a hacker con).


  1. Don't Get Cracked on Hostile WiFi
     Mackenzie "maco" Morgan, http://ubuntulinuxtipstricks.blogspot.com
     Ohio Linux Fest, 11 Oct 2008
  2. Scenario
     - Open WiFi
     - Security conference
     - Hackers everywhere
  3. Disclaimer
     - You won't be low-hanging fruit
     - But this won't stop OSI Layer 2 attacks
  4. Before You Go
     - VPN
     - Firewall & services
     - Users & passwords
     - DNS
     - Hashes
     - Disable SHMConfig in xorg.conf
     - Phone a friend
  5. VPN
     - Creates an encrypted tunnel
     - Termination point options:
       - DD-WRT on your router at home
       - School network
       - Online services
  6. Firewall Goals
     - Drop all inbound on all interfaces
     - Minimal outbound ports on the wireless interface: the VPN port and DNS
     - Whitelist outbound ports on the tunnel interface
  7. Firewall & Services
     - UFW alone is insufficient
       - Cannot do outbound
       - Need to edit /etc/ufw/before.rules and /etc/default/ufw
     - Outbound matters: no phoning home
     - Drop, not reject: it takes longer to port scan
     - No external services (are you going to SSH into the laptop you're holding?)
     - The IPv6 firewall is ip6tables, not iptables
  8. Default Drop in UFW
     /etc/default/ufw:
         IPV6=no
         DEFAULT_INPUT_POLICY="DROP"
         DEFAULT_OUTPUT_POLICY="DROP"
         DEFAULT_FORWARD_POLICY="DROP"
     But that's not enough: /etc/ufw/before.rules has these lines by default, and they accept every NEW outbound connection regardless of the default policy:
         # connection tracking for outbound
         -A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
         -A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  9. Other Example Rules (for /etc/ufw/before.rules)
         # DNS
         -A ufw-before-output -p udp --dport 53 -j ACCEPT
         # Ping
         -A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT
         # Allow VPN running on port 4500 through the wireless interface
         # (IP protocol 50 is ESP, UDP 4500 is IPsec NAT-T; x.x.x.x is the VPN server)
         -A ufw-before-output -p 50 -d x.x.x.x -o wlan0 -j ACCEPT
         -A ufw-before-output -p udp -d x.x.x.x --sport 4500 --dport 4500 -o wlan0 -j ACCEPT
         # Allow outbound SSH, HTTP/S, Jabber, and IRC on the tunnel interface
         -A ufw-before-output -p tcp -m multiport --dports 22,80,443,5222,6667 -o tun0 -j ACCEPT
     Port numbers for protocols can be found in /etc/services.
  10. Users & Passwords
     - Temporary strong password for you
     - Disable unneeded users:
       - passwd -l
       - Set /bin/false as the shell in /etc/passwd
  11. DNS
     - Hardcode your DNS servers in /etc/dhcp3/dhclient.conf:
         prepend domain-name-servers 208.67.222.222;
         prepend domain-name-servers 208.67.220.220;
     - DNSSEC if you're really paranoid
  12. Hashes
     - Not-from-repository binaries
     - Configuration files
     - Will come in handy later
  13. SHMConfig
     - Used for configuring Synaptics touchpads with synclient or GSynaptics
     - Creates a mode-777 (world-writable) shared-memory area
     - Turn it OFF!
  14. One Last Thing... Test Your Setup
     - netstat
     - nmap (or Zenmap)
  15. While There
     - Bluetooth
     - Wireshark
     - Logs
     - Physical security
  16. Bluetooth
     - Can't really firewall it off
     - Blacklist the module: add the line "blacklist hci_usb" to /etc/modprobe.d/blacklist
     - Don't forget your cell phone
  17. Wireshark & Logs
     - Watch /var/log/kern.log
     - Look for connection attempts
  18. Physical Security
     - Theft of hardware isn't the only threat
     - Don't leave your laptop unattended
     - Don't let any untrusted person touch it
     - Use the buddy system to protect the laptop
     - DVDs, CDs, and flash drives: do not mount
  19. Afterward
     - Verify binaries
     - Check environment variables
     - Check for new services
     - Change password again
     - Use netstat to check for oddly open ports
  20. Verifying Binaries
     - From repositories: rpm -Va, debsums -c
     - Compare hashes of non-repository binaries with the ones taken before
  21. If You're Really Worried... Reinstall!
  22. New Security Features
     - Shadow 4.1: SHA-256 and SHA-512 for /etc/shadow
     - MD5 and SHA-1 are no longer recommended by NIST
     - Touchpad configuration can be changed without SHMConfig
  23. Questions?
  24. See Also
     - DNSSEC: http://ubuntuforums.org/showthread.php?t=492489
     - NSA SNAC Guide: http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf
     - man iptables
     - IANA ports list: http://www.iana.org/assignments/port-numbers
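The before/after hash comparison that slides 12 and 20 call for (hash non-repository binaries and config files before you go, compare them afterward), as an added example that is not part of the talk. It assumes coreutils sha256sum; the manifest path and the directories in the usage comment are placeholders chosen here, not paths from the slides.

```shell
#!/bin/bash
# Added example (not from the talk). Snapshot SHA-256 hashes of files that
# rpm -Va / debsums cannot verify (hand-built binaries, config files) before
# the trip, then compare afterward. Assumes coreutils sha256sum; the
# manifest path and directories are whatever the caller passes.

# hash_snapshot MANIFEST PATH...  -> write "hash  path" lines, sorted by path
hash_snapshot() {
    manifest=$1; shift
    find "$@" -type f -exec sha256sum {} + | sort -k2 > "$manifest"
}

# hash_verify MANIFEST PATH...  -> re-hash the same paths and print every
# CHANGED, MISSING or NEW file; returns 0 only when nothing differs.
hash_verify() {
    manifest=$1; shift
    now=$(mktemp)
    find "$@" -type f -exec sha256sum {} + | sort -k2 > "$now"
    # sha256sum prints 64 hex digits, two spaces, then the path (column 67 on)
    report=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67); seen[p] = 1
            if (!(p in old))       print "NEW      " p
            else if (old[p] != $1) print "CHANGED  " p
        }
        END { for (p in old) if (!(p in seen)) print "MISSING  " p }
    ' "$manifest" "$now" | sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use (paths are placeholders, not from the talk):
#   before:  hash_snapshot ~/hashes.before /usr/local/bin /etc/ufw /etc/dhcp3
#   after:   hash_verify   ~/hashes.before /usr/local/bin /etc/ufw /etc/dhcp3
```

Keep the manifest off the laptop (a USB stick you do not mount at the con, or a copy sent to the friend from slide 4), since a manifest stored on a compromised machine can be edited along with the binaries.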
