slides - Tian Guo

CS197U: A Hands on Introduction to Unix
Lecture 10: Security Issues and Traffic Monitoring Tian Guo
University of Massachusetts Amherst – CICS
Reminders
• Assignment 5 is due Thursday (Oct. 22)
• Part 1 (tracking webpage update): Hints
  • crontab -e for editing the cron table; the default editor is emacs
  • Make sure there is one new empty line at the bottom of the cron table
  • Ctrl+X then S to save, Ctrl+X then C to quit
  • In the script, save the command output string to a variable: update=`COMMAND`
  • Check the inequality of two strings: "$update" and "" (no changes)
  • You get full points when you and I (the $CC email) receive 10 emails from the edlab server at the exact time.
• Assignment 6 is posted.
  • Due next Thursday (Oct. 29)
  • You will need A LOT of piping and awk in a line (mostly the same format)
  • <COMMAND> | grep <KEYWORD> | awk -F":" '{print $n}'
    • prints out your target answer/string
    • field separator is : (default is space)
Last time
• Your network configuration: your own machine
  • ifconfig, iwconfig, iwlist, dhclient
• Cannot connect to a remote site?
  • ping, host
• The site seems to be alive, but the connection is slow
  • traceroute
ARP: Address Resolution Protocol
Question: how to determine the MAC address of B from its IP address?
[Figure: a LAN of nodes, each labelled with its IP address (137.196.7.x) and its MAC address]
• Each IP node (host, router) on the LAN has an ARP table
• ARP table: IP/MAC address mappings for some LAN nodes
  <IP address; MAC address; TTL>
• TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min)
Demo
• arp: address resolution protocol
  • Broadcast your own address when first joining the network/LAN
  • arp -n : list the table of all IP address <-> hardware MAC mappings
  • arp -d <hostname> : delete a host's hardware address from the ARP table
  • arp -s <hostname> <HW> : add a mapping of an IP/MAC
• Wireshark
  • Sniffing all the packets passing through the "shared" media
  • Ethernet LANs or wireless LANs
  • Various TCP and UDP connections
  • Packet headers and the contents
Security Issues
• LAN is based on a broadcast system
  • Know who your neighbors are
  • Know their MAC/IP address mappings
• When a packet arrives at your LAN
  • Look at the destination IP address in the packet header
  • If not your packet, dump it
  • Otherwise, receive and respond to the packet
• Can I take a look at someone else's packets in my LAN?
  • Their emails, their passwords, and their conversations
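An added example, not part of the lecture, that turns the point above into a check a host on a broadcast LAN can run: the arp -n table from the demo is fed through the same grep | awk pipeline shape as the Assignment 6 hint, and any hardware address claimed by more than one IP address is reported. The arp -n output below is constructed.

```shell
#!/bin/sh
# Added example, not from the lecture: report a MAC address that is claimed by
# several IP addresses in 'arp -n' output, a classic symptom of ARP spoofing on
# a broadcast LAN. Uses the grep | awk pipeline shape from the Assignment 6 hint.

# Constructed sample of 'arp -n' output (Linux net-tools layout). Two entries,
# 137.196.7.1 and 137.196.7.14, resolve to the same hardware address.
sample_arp() {
    cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
137.196.7.1              ether   1a:2f:bb:76:09:ad   C                     eth0
137.196.7.23             ether   58:23:d7:fa:20:b0   C                     eth0
137.196.7.14             ether   1a:2f:bb:76:09:ad   C                     eth0
137.196.7.88             ether   0c:c4:11:6f:e3:98   C                     eth0
137.196.7.5                      (incomplete)                              eth0
EOF
}

# Read 'arp -n' text on stdin; print "MAC: ip1 ip2 ..." for every MAC address
# that appears on more than one line. The header and incomplete entries
# (no HWaddress column) are skipped so the awk fields line up.
find_duplicate_macs() {
    grep -v '^Address' | grep -v '(incomplete)' |
    awk '{ ips[$3] = ips[$3] " " $1; n[$3]++ }
         END { for (m in n) if (n[m] > 1) print m ":" ips[m] }'
}

# Exit status 0 when the table on stdin looks poisoned, so a cron job can do:
#   arp -n | arp_is_suspicious && mail -s "ARP alert" you@example.com
arp_is_suspicious() {
    [ -n "$(find_duplicate_macs)" ]
}

# Stand-alone run on the constructed sample.
sample_arp | find_duplicate_macs
```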
Traffic Monitoring: ifstat
• ifstat: real-time throughput of each interface
• ifstat -t : with timestamps, 1 second interval
• Example 1: Display every 5 seconds
  • ifstat -t 5
• Example 2: Display the loopback device
  • ifstat -i lo
• Example 3: Display "eth0" every 10 seconds
  • ifstat -t 10 -i eth0
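An added example, not from the lecture, showing what ifstat computes: the byte counters in /proc/net/dev are read twice, INTERVAL seconds apart, and the difference is divided by the interval to get KB/s per interface. The two /proc/net/dev readings below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the lecture: compute per-interface throughput the way
# ifstat does, from two readings of /proc/net/dev taken INTERVAL seconds apart.
# The readings below are constructed; on a real host replace them with
# 'cat /proc/net/dev' before and after 'sleep INTERVAL'.

snapshot_before() {
    cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000       8    0    0    0     0          0         0     1000       8    0    0    0     0       0          0
  eth0:  500000     400    0    0    0     0          0         0   120000     300    0    0    0     0       0          0
EOF
}

snapshot_after() {
    cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000       8    0    0    0     0          0         0     1000       8    0    0    0     0       0          0
  eth0: 1524000     900    0    0    0     0          0         0   632000     700    0    0    0     0       0          0
EOF
}

# iface_bytes IFACE: read /proc/net/dev text on stdin, print "RXBYTES TXBYTES".
# Splitting on ':' first copes with counters that grow into the name column.
iface_bytes() {
    awk -F: -v i="$1" '$1 ~ ("^ *" i "$") { split($2, f, " "); print f[1], f[9] }'
}

# throughput IFACE INTERVAL: print "IFACE rx=N KB/s tx=M KB/s"
# (1 KB = 1024 bytes, integer part only, like ifstat's default display).
throughput() {
    before=$(snapshot_before | iface_bytes "$1")
    after=$(snapshot_after | iface_bytes "$1")
    echo "$before $after" | awk -v i="$1" -v t="$2" \
        '{ printf "%s rx=%d KB/s tx=%d KB/s\n", i, ($3 - $1) / 1024 / t, ($4 - $2) / 1024 / t }'
}

# Stand-alone run: eth0 moved 1024000 B in and 512000 B out over 5 seconds.
throughput eth0 5
throughput lo 5
```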
Traffic Monitoring: iftop
• iftop: detailed bandwidth information
• Example 1: sudo iftop: averages over 2, 10 and 40 second intervals
• Example 2: sudo iftop -P: display port numbers
• Example 3: sudo iftop -c configfile (or specify in ~/.iftoprc)
Bad guys can sniff packets
Packet "sniffing":
• broadcast media (shared ethernet, wireless)
• promiscuous network interface reads/records all packets (e.g., including passwords!) passing by
[Figure: hosts A, B and C on one LAN; a packet "src:B dest:A" with its payload is seen by C as well as by A]
Wireshark – Packet Sniffer
• Capture packets being sent/received from/to your computer
• Install Wireshark on your Virtual Machine: sudo apt-get install wireshark
Running Wireshark with sudo
• sudo wireshark
Running Wireshark as non-root
• wireshark
Running wireshark securely
• Step 1: sudo dpkg-reconfigure wireshark-common
• Step 2: Select yes to allow non-superusers to capture packets
• Step 3: Add the candidate user to the wireshark group
  • sudo usermod -a -G wireshark tian
• Step 4: Log out and log back in to run wireshark as non-root user
Wireshark
tshark: terminal based wireshark
• Install by: sudo apt-get install tshark
• After configuring wireshark to run as non-superuser, you should be able to do:
  • tshark
• Benefit: Allows you to script the network analysis
tshark examples
• Capture traffic from host 1.2.3.4
  • tshark -f "src host 1.2.3.4"
• Capture traffic to host 1.2.3.4
  • tshark -f "dst host 1.2.3.4"
• Capture all traffic to or from host 1.2.3.4
  • tshark -f "dst host 1.2.3.4 and src host 1.2.3.4" ??? (no: this only matches packets whose source and destination are both 1.2.3.4)
  • tshark -f "dst host 1.2.3.4 or src host 1.2.3.4", which is the same as tshark -f "host 1.2.3.4"
tshark examples
• Only capture HTTP traffic, in verbose mode
  • tshark -f "tcp port 80" -V
• Ignore SSH traffic (the usual way)
  • tshark -f "not port 22"
Unsecure vs. Secure Network Connections
• ssh vs. telnet
  • Secure Shell (SSH) for secure remote login vs. plain-text interaction
• scp vs. ftp
  • Secure CoPy, based on SSH, vs. File Transfer Protocol
• https:// vs. http://
  • Secure HyperText Transfer Protocol
• wget: short for World Wide Web and Get
  • Supports HTTP, FTP, and HTTPS
Summary
Command     Description
arp         Address resolution protocol (IP vs. MAC)
ifstat      Real-time bandwidth monitoring on all interfaces
iftop       Monitoring details of a specific interface
ftp/scp     (Un)secure file transport
wireshark   Packet sniffing