Threats and Vulnerability

Analysis in Linux
Faculty Instructor: Debjani Ghosh
Types of Vulnerabilities
1. Direct
2. Indirect
3. Veiled
4. Conditional
Direct Vulnerabilities
• Direct vulnerabilities are immediate flaws or weaknesses that
attackers can exploit without intermediaries.
• They often stem from poor configurations or weak access
controls.
• Example: A weak root password on a Linux system provides
direct access if someone tries a brute-force attack.
• Other Examples:
o Unpatched software: Known vulnerabilities in applications or services
(e.g., SSH, Apache).
o Exposed Ports: Open services (e.g., FTP on port 21) accessible to
everyone without restrictions.
Indirect Vulnerabilities
• Indirect vulnerabilities involve an attacker gaining access through
intermediaries or compromised third-party software.
• Example: An attacker compromises a Linux web server and uses
it to access internal network systems (e.g., databases or other
Linux servers).
• Other Examples:
o Man-in-the-Middle (MitM) Attacks: Intercepting traffic to gather
information or inject malicious code.
o Dependency Exploits: Vulnerabilities in packages or dependencies
installed on the Linux system (e.g., a bug in Python libraries).
Veiled Vulnerabilities
• Veiled vulnerabilities are hidden flaws that are difficult to detect and
usually embedded in malware.
• Example: A rootkit that modifies essential system commands (e.g., ps
or top) to hide its processes, making it difficult to detect.
• Note: A rootkit is a type of malware that allows cybercriminals to gain
access to a computer system and perform malicious activities without
being detected:
• Other Examples:
o Modified Kernel Modules: Attackers inject code into kernel modules to avoid
detection.
o Trojanized Programs: Attackers replace binaries (e.g., netstat) with malicious
versions that hide malicious network connections.
Practical Example
• Suppose you suspect your system might have been
compromised. You run the netstat command to check for
unusual connections:
How to Detect Trojanized Programs:
• Verify Checksums: Use tools like sha256sum or md5sum to compare
the checksums of binaries against known good versions.

• Use Trusted Sources: Always download software and updates from

verified and secure sources.
• Check File Integrity: Use tools like rpm -Va (for RPM-based systems)
or debsums (for Debian-based systems).
• Tripwire or AIDE: These are file integrity monitoring tools that can alert
you to unauthorized changes in system files.
Conditional Vulnerabilities
• Conditional vulnerabilities are exploitable only under specific
configurations or circumstances.
• Example: A vulnerability that only affects a particular version of
OpenSSL when a specific setting is enabled (e.g., Heartbleed
vulnerability).
• Other Examples:
• Kernel-Specific Exploits: Vulnerabilities affecting only certain kernel
versions.
• Service-Specific Configurations: Misconfigurations in SSH, FTP, or
database servers that expose sensitive data.
Heartbleed Vulnerability
• Heartbleed was a serious security flaw in OpenSSL versions
1.0.1 through 1.0.1f.
• It exploited a feature called the Heartbeat extension, which is
used to keep SSL/TLS connections alive.
• The vulnerability allowed attackers to read the memory of the
server, potentially exposing sensitive information like usernames,
passwords, and encryption keys.
Key Characteristics of the Heartbleed
Vulnerability:
• Version-Specific:
o It affected only OpenSSL versions 1.0.1 to 1.0.1f.
o Versions before 1.0.1 or after 1.0.1f were not vulnerable.
• Condition-Specific:
o The server or client needed to have the Heartbeat extension enabled for
the vulnerability to be exploited.
o If the Heartbeat feature was disabled, the vulnerability could not be
triggered.
Other Examples of Condition-Specific
Vulnerabilities:
• Shellshock (CVE-2014-6271):
• Affected only specific versions of the Bash shell.
• It could be exploited only if the system used Bash as its command
interpreter and allowed remote code execution.
• Spectre and Meltdown:
• These vulnerabilities affected specific CPU architectures and required
speculative execution to be enabled.
Key Takeaways for Cybersecurity Engineers
• Version-Specific: Always ensure that your software is up to date.
Vulnerabilities often impact only certain versions, so applying
patches can protect you from known issues.
• Configuration Matters: Disabling unused or unnecessary
features can reduce your attack surface. For example, if you don't
need the Heartbeat feature, disabling it would have protected
against Heartbleed.
• Continuous Monitoring: Use vulnerability scanners and tools like
Nessus or OpenVAS to identify version-specific vulnerabilities in
your system.
Security Measures in Linux
• To maintain system security, several measures and best practices
can be employed:
1. SSH Key Pair for Secure Authentication
2. Scanning Log Files
3. Closing Hidden Ports
SSH Key Pair for Secure Authentication
• SSH keys provide a more secure alternative to password-based
authentication.
o How it Works: Generates a pair of cryptographic keys—a public key
(stored on the server) and a private key (kept on the user’s local
machine).
o Commands:
SSH Key Pair for Secure Authentication

• Command 1: ssh-keygen -t rsa -b 4096 –C [email protected]

o This command generates a new SSH key pair with specific parameters.
o ssh-keygen: This is the command-line tool for generating SSH keys. It creates both a
private key and a public key.
o -t rsa: This specifies the type of encryption algorithm to use. Here, rsa means it will
use the RSA algorithm (Rivest-Shamir-Adleman), which is widely used for secure data
transmission.
o -b 4096: This option defines the number of bits in the key. A key size of 4096 bits is
quite strong and more secure than the default 2048 bits. The larger the key size, the more
difficult it is to crack, but it also requires more processing power.
o -C "[email protected]": This is a comment or label for the key, often set to your
email or username to help identify the key. This comment is appended to the public key
file, making it easier to manage keys by associating them with specific users.
SSH Key Pair for Secure Authentication

• Command 2: ssh-copy-id user@server_ip

o This command copies the public key to the remote server, allowing you to
log in securely without a password.
o ssh-copy-id: This command securely installs the generated public key
(id_rsa.pub) on the server so you can use passwordless SSH
authentication.
o user@server_ip: This specifies the username and IP address (or
hostname) of the remote server where the key will be copied. For
example, if your username is debian and your server IP is 192.168.1.5,
you would enter [email protected]. This setup ensures that the
remote server recognizes your private key and allows access without a
password.
Scanning Log Files
• Logs provide valuable insights into potential security issues. By
analyzing log files, students can detect anomalies, failed login
attempts, and other suspicious activities.
• Key Log Files:
• /var/log/auth.log - Authentication logs (failed and successful
login attempts).
• /var/log/syslog - General system events.
Scanning Log Files
• Example Commands:
grep "Failed password" /var/log/auth.log # Check for failed SSH attempts
tail -f /var/log/syslog # Real-time monitoring of syslog
Identifying and Closing Hidden Ports
• Unused or hidden ports can expose services to potential threats.
Identifying and closing these ports helps in minimizing the attack
surface.
• Identifying Open Ports:
sudo ss -tuln # List services listening on ports
sudo nmap -sT localhost # Scan for open ports on localhost

• Closing Unused Ports:

sudo systemctl stop service_name # Stop unused services
sudo systemctl disable service_name # Disable service from starting at boot
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP # Block specific port using iptables
Identifying OpenPorts-Command 1: sudo ss
-tuln
• This command uses the ss tool to list active network connections and
sockets. Each parameter specifies the type of information to display.
o sudo: Runs the command with root privileges, necessary to view information about
services running on privileged ports (ports below 1024).
o ss: A tool to display socket statistics, similar to netstat, but faster and more modern.
o -t: Shows TCP connections only. TCP (Transmission Control Protocol) is a connection-
oriented protocol, commonly used for data transmission over the internet.
o -u: Shows UDP connections only. UDP (User Datagram Protocol) is a connectionless
protocol, often used for streaming or real-time applications.
o -l: Displays only listening sockets. Listening sockets are those that are open and
waiting for incoming connections on specified ports.
o -n: Shows addresses and port numbers in numeric format rather than resolving them
into hostnames and service names. This makes the output faster to generate and easier
to read when looking for specific port numbers.
• Overall Meaning: sudo ss -tuln lists all active listening TCP and UDP
sockets (ports) on the system, showing them in a numeric format.
Identifying OpenPorts-Command 2: sudo
nmap -sT localhost
• This command uses nmap to scan for open ports on the local machine.
o sudo: Runs the command with root privileges, which may be necessary for a
more complete scan of certain ports and services.
o nmap: Network Mapper, a powerful tool for network discovery and security
auditing. It can identify open ports, running services, and operating systems.
o -sT: Specifies a TCP connect scan. This type of scan establishes a full TCP
connection to each scanned port, identifying whether each port is open, closed,
or filtered. It’s the most reliable but can be slower since it fully establishes and
tears down the TCP connection.
o localhost: Specifies the target to scan, in this case, localhost (the current
machine).
• Overall Meaning: sudo nmap -sT localhost performs a TCP
connect scan on the local machine to identify which TCP ports are
open and listening.
Closing Hidden Ports-Command 1: sudo
systemctl stop service_name
• This command stops a service currently running on the system.
o sudo: Runs the command with root privileges, which are needed to
manage system services.
o systemctl: This is the command used to control systemd and manage
services in modern Linux distributions.
o stop: Tells systemctl to stop a specific service.
o service_name: This is a placeholder for the name of the service you want
to stop (e.g., apache2 for Apache server, nginx for NGINX server).
• Overall Meaning: This command stops a currently running
service, which releases system resources and closes any
associated network connections.
Closing Hidden Ports-Command 2: sudo
systemctl disable service_name
• This command prevents a service from starting automatically at system
boot.
o sudo: Runs the command with root privileges, necessary to change the startup
configuration of system services.
o systemctl: Manages services and system settings with systemd.
o disable: Tells systemctl to disable the specified service from starting on
boot.
o service_name: The name of the service you wish to disable (e.g., apache2,
nginx).
• Overall Meaning: This command stops the specified service from
launching automatically the next time the system boots, which can
improve boot time and reduce system load.
Closing Hidden Ports-Command 3: sudo
iptables -A INPUT -p tcp --dport
8080 -j DROP
• This command uses iptables to block incoming connections on a specific
port, enhancing system security by restricting access.
o sudo: Runs the command with root privileges, necessary to alter firewall rules.
o iptables: A command-line firewall utility for managing network traffic rules in Linux.
o -A INPUT: Adds (-A) a rule to the INPUT chain, which handles incoming connections.
This tells the system to evaluate incoming packets against this rule.
o -p tcp: Specifies the protocol to be matched by the rule, in this case, TCP. This is
common for applications requiring reliable connections, like web servers.
o --dport 8080: Specifies the destination port number (8080 in this example) for the
rule. This is the port we want to block.
o -j DROP: Defines the action to be taken on matching packets, which is to DROP them.
Dropping a packet means it is discarded silently without any response, effectively
blocking incoming connections on this port.
• Overall Meaning: This command blocks all incoming TCP connections on
port 8080, which can prevent unwanted access to services listening on that
port.
Linux Malware: Types and Characteristics
• Linux is not immune to malware; here are three significant types:
1. Botnets
2. Ransomware
3. Rootkits
Botnets
• Botnets consist of infected devices that an attacker can remotely
control to perform tasks like DDoS attacks, spam, or data theft.
• Example: Mirai Botnet - targets Linux-based IoT devices by
scanning for weak Telnet passwords.
• Detection and Prevention:
• Disable Telnet and use SSH with key-based authentication.
• Monitor outbound traffic for unusual activity patterns.
• Use Intrusion Detection Systems (IDS) to detect unusual network
activity.
Ransomware
• Linux ransomware is less common but can encrypt files or
services, demanding a ransom to restore access.
• Example: Erebus Ransomware - targeted Linux servers in South
Korea, encrypting files and demanding Bitcoin for decryption.
• Protection Measures:
• Regular backups of important data.
• Use read-only mounts for critical directories.
• Implement file integrity monitoring tools to detect unauthorized
modifications.
Rootkits
• Rootkits are highly sophisticated malware that gives attackers
persistent root-level access and hides their presence.
• Example: Linux.Lady - a cryptocurrency mining rootkit that stays
hidden in infected systems.
• Detection and Prevention:
• Use rootkit detection tools like chkrootkit or rkhunter.
• Enable kernel hardening features, such as disabling module loading after
boot.
• Limit root privileges and use Least Privilege Principles for processes.
Summary