ComputerSecurityStudent (CSS)





(Perl: Lesson 9)

{ Policy Part 2: Parsing /etc/ssh/sshd_config  }


Section 0. Background Information
  1. What is /etc/ssh/sshd_config?
    • /etc/ssh/sshd_config - OpenSSH SSH daemon configuration file.  sshd reads configuration data from /etc/ssh/sshd_config. The file contains keyword-argument pairs, one per line. Lines starting with `#' and empty lines are interpreted as comments
    • LogLevel - Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output.
    • PermitEmptyPasswords - When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is ``no''.
    • X11Forwarding - Specifies whether X11 forwarding is permitted. The argument must be ``yes'' or ``no''. The default is ``no''.  When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the sshd proxy display is configured to listen on the wildcard address.
    • UsePAM - Enables the Pluggable Authentication Module interface. If set to ``yes'' this will enable PAM authentication using ChallengeResponseAuthentication and PAM account and session module processing for all authentication types.

  2. Getting Perl
    • For the purposes of these perl lessons, I will be using a perl package that comes standard on Backtrack, Ubuntu and most flavors of Linux and Unix.
    • However, if you are using Windows, instead of a Linux, Unix or MAC operating system, you still have options.
  3. Pre-Requisite
  4. Lab Notes
    • In this lab we will do the following:
      1. We will download a basic perl program that extracts the following keyword-argument pairs: LogLevel, PermitEmptyPasswords, and X11Forwarding.
      2. The program will provide extraction examples using split.

  5. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

Section 1. Login to BackTrack
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the BackTrack5R1 VM
    • Instructions:
      1. Navigate to where the BackTrack5R1 VM is located
      2. Click on on the BackTrack5R1 VM
      3. Click on the Open Button

     

  4. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  5. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  6. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  7. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  8. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 2. Bring up a console terminal
  1. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.111.
      • In your case, it will probably be different.

 

Section 3. Download scan_sshd_config.pl
  1. Become the student user and make a directory
    • Instructions:
      1. su - student
      2. mkdir -p perl_lessons
      3. cd perl_lessons

     

  2. Download scan_sshd_config.pl
    • Instructions:
      1. wget http://www.computersecuritystudent.com/UNIX/PERL/lesson9/scan_sshd_config.pl.TXT
      2. mv scan_sshd_config.pl.TXT scan_sshd_config.pl
      3. chmod 700 scan_sshd_config.pl
      4. perl -c scan_sshd_config.pl
      5. ./scan_sshd_config.pl -v
      6. ls -l POLICY-A02.txt

     

Section 4. Analyze The Code
  1. SheBang Directive
    • Instructions:
      1. vi scan_sshd_config.pl
      2. :set nu
      3. Press the <Enter> key
    • Note(FYI):
      • Line 1: #!/usr/bin/perl
        • #! - is called the SheBang Directive.  SheBang is an interpreter directive that tells Linux to load the following program.
        • /usr/bin/perl - is the Perl Interpreter.  SheBang tells the program loader to run the Perl Interpreter.
      • Line 4: chomp(my $PRINT = $ARGV[0]);
        • $ARGV is a special perl array to receive command line arguments.
        • $PRINT will be used to tell the program to output data to the screen.
      • Line 7:  my $dir = "/home/student/perl_lessons";
        • Set the $dir variable to the directory location of the program.
      • Line 10: $log = "$dir/POLICY-A02.txt";
        • Set the $log variable to the output file name.
      • Line 12: open(LOG,">$log") || die "Cannot Open Filename: $!";
        • Open the log file POLICY-A02.txt.  LOG is the filehandle name. The greater than operator (>) means open the file for writing.
      • Line 15: &scan_sshd_config;
        • Execute the subroutine scan_sshd_config.
      • Line 17: close(LOG);
        • Close the filehandle LOG, which is log file POLICY-A02.txt.

     

  2. Explaining Lines 19 through 32
    • Instructions:
      1. Arrow down to line 19
    • Note(FYI):
      • Line 4, 20 & 32: sub print_it
        • This subroutine has two actions: (1) Print to Output (line 31), and (2) Print to Screen (Lines 25 to 28).
      • Line 22: chomp(my $tmp = $_[0]);
        • Assign variable $tmp to first parameter.
      • Line 25 - 28: if($PRINT eq "-v")
        • If $PRINT is equal to -v, then print output to screen.
      • Line 31: print LOG "$tmp\n";
        • Print output to the filehandle LOG, which means print to the output file POLICY-A02.txt.

     

  3. Explaining Lines 34 through 88
    • Instructions:
      1. Arrow down to line 34
    • Note(FYI):
      • Line 34: sub scan_sshd_config
        • The scan_sshd_config subroutine scans the /etc/ssh/sshd_config file.
      • Line 37: my @CONTENTS = `cat /etc/ssh/sshd_config`;
        • This cats the contents of the /etc/ssh/sshd_config file into an array.

     

  4. Explaining Lines 38 through 42
    • Instructions:
      1. Arrow down to line 39
    • Note(FYI):
      • Line 39: foreach my $line (@CONTENTS)
        • This is a foreach loop.  We will go through the array @CONTENTS line by line.  Remember the @CONTENTS array contains the /etc/ssh/sshd_config file.
      • Line 41: chomp($line);
        • Perl has a built in function called chomp that removes any end of line characters.

     

  5. Explaining Lines 43 through 66
    • Instructions:
      1. Arrow down to line 44
    • Note(FYI):
      • Line 44: if($line =~ /^LogLevel|^#LogLevel/)
        • Find a line that starts with either LogLevel OR #LogLevel. "^" means starts with.  "|" means OR.
      • Line 46-49: if($line =~ /^#LogLevel/)
        • If line starts with #LogLevel, then display Comment Out Violation.
      • Line 50: else
        • If line does not start with #LogLevel, then go to the else clause.
      • Line 54: ($LOG_tag,$LOG_value) = split(/\s+/,$line);
        • Use the split function to extract the LogLevel tag and value, using one or more white space characters (\s+) as the delimiter.
      • Line 57: if($LOG_value !~ m/VERBOSE/i)
        • If the extracted $LOG_value does not contain the string VERBOSE, then print violation.
        • If the extracted $LOG_value does contain the string VERBOSE, then print passed.

     

  6. Explaining Lines 67 through 88
    • Instructions:
      1. Arrow down to line 67
    • Note(FYI):
      • Line 67: elsif($line =~ /^PermitEmptyPasswords|^#PermitEmptyPasswords/)
        • Find a line that starts with either PermitEmptyPasswords OR #PermitEmptyPasswords. "^" means starts with.  "|" means OR.
      • Line 69-72: if($line =~ /^#PermitEmptyPasswords/)
        • If line starts with #PermitEmptyPasswords, then display Comment Out Violation.
      • Line 73: else
        • If line does not start with #PermitEmptyPasswords, then go to the else clause.
      • Line 76: ($PEP_tag,$PEP_value) = split(/\s+/,$line);
        • Use the split function to extract the PermitEmptyPasswords tag and value, using one or more white space characters (\s+) as the delimiter.
      • Line 79: if($PEP_value =~ m/yes/i)
        • If the extracted $PEP_value does contain the string YES, then print violation.
        • If the extracted $PEP_value does not contain the string YES, then print passed.

     

  7. Explaining Lines 89 through 111
    • Instructions:
      1. Arrow down to line 89
    • Note(FYI):
      • Line 89: elsif($line =~ /^X11Forwarding|^#X11Forwarding/)
        • Find a line that starts with either X11Forwarding OR #X11Forwarding. "^" means starts with.  "|" means OR.
      • Line 91-94: if($line =~ /^#X11Forwarding/)
        • If line starts with #X11Forwarding, then display Comment Out Violation.
      • Line 95: else
        • If line does not start with #X11Forwarding, then go to the else clause.
      • Line 99: ($X11_tag,$X11_value) = split(/\s+/,$line);
        • Use the split function to extract the X11Forwarding tag and value, using one or more white space characters (\s+) as the delimiter.
      • Line 102: if($X11_value =~ m/yes/i)
        • If the extracted $X11_value does contain the string YES, then print violation.
        • If the extracted $X11_value does not contain the string YES, then print passed.

     

  8. Instructions:
    1. Arrow down to line 115
  9. Note(FYI):
    • Line 115: }
      • End of foreach loop
    • Line 116: }
      • End of subroutine

     

  10. Save and Quit
    • Instructions:
      1. Press the <Esc> key
      2. :q!
      3. Press the <Enter> key

 

Section 5. Proof of Lab
  1. Project
    • Instructions:
      1. cp scan_sshd_config.pl scan_sshd_config.BKP
      2. Your project is to write an if-clause that interrogates the string "UsePAM" the same way the program interrogates the strings LogLevel, PermitEmptyPasswords and X11Forwarding.
      3. vi scan_sshd_config.pl
      4. After the line that contains "#Project Work Starts Here", place the below code.
        • 
          elsif($line =~ /^UsePAM|^#UsePAM/)
          {
          	if($line =~ /^#UsePAM/)
          	{
          		&print_it("[2.4] UsePAM: NA, [Violation]: Should not be commented");
          	}
          	else
          	{
          		($PAM_tag,$PAM_value) = split(/\s+/,$line);
          
          		# Prevent ssh login from bypassing pam 
          		if($PAM_value !~ m/yes/i)
          		{
          			&print_it("[2.4] UsePAM: $PAM_value, [Violation]: Should be set to yes");
          		}
          		else
          		{
          			&print_it("[2.4] UsePAM: $PAM_value, [Passed]: Set correctly");
          		}
          	}
          }
      5. Press <Esc>
      6. :wq!
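    • Note(FYI):
      • The following is an added example, not the lesson's scan_sshd_config.pl and not code from computersecuritystudent.com. It shows the same split-based parsing explained in Section 4 and the four checks (LogLevel, PermitEmptyPasswords, X11Forwarding, and the UsePAM project check above) as one stand-alone script. It reads a constructed sample sshd_config from memory, so it runs without touching /etc/ssh/sshd_config; pass a path as the first argument to scan a real file instead. The policy ids (2.1 to 2.4), the %POLICY hash, and the sample config contents are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not the lesson's scan_sshd_config.pl): parse sshd_config
# keyword-argument pairs with split and apply four policy checks.
use strict;
use warnings;

# Constructed sample sshd_config (assumption: not copied from any real host).
my $SAMPLE = <<'END';
# Comments and blank lines are ignored by sshd
Port 22
LogLevel INFO

#PermitEmptyPasswords no
X11Forwarding yes
usepam yes
END

# Policy id and required value per keyword (ids are assumed for this example).
my %POLICY = (
    LogLevel             => { id => '2.1', want => 'VERBOSE' },
    PermitEmptyPasswords => { id => '2.2', want => 'no' },
    X11Forwarding        => { id => '2.3', want => 'no' },
    UsePAM               => { id => '2.4', want => 'yes' },
);

# Parse a filehandle into keyword => value. sshd matches keywords
# case-insensitively and uses the FIRST occurrence of a keyword, so later
# duplicates are ignored here as well. Commented-out keywords are recorded
# separately so the report can tell "commented" apart from "absent".
sub parse_sshd_config {
    my ($fh) = @_;
    my (%seen, %commented);
    while (my $line = <$fh>) {
        chomp $line;                  # strip the end-of-line character
        $line =~ s/^\s+//;            # sshd allows leading whitespace
        next if $line eq '';          # blank line
        if ($line =~ /^#\s*(\S+)/) {  # comment: remember the keyword it hides
            $commented{lc $1} = 1;
            next;
        }
        # Split on runs of whitespace: first field is the keyword, the rest
        # is the argument (a few keywords take more than one word).
        my ($keyword, @args) = split /\s+/, $line;
        $seen{lc $keyword} //= join ' ', @args;   # first occurrence wins
    }
    return (\%seen, \%commented);
}

# Compare the parsed values against %POLICY and return the report lines.
sub check_policy {
    my ($seen, $commented) = @_;
    my @report;
    for my $kw (sort keys %POLICY) {
        my ($id, $want) = @{ $POLICY{$kw} }{qw(id want)};
        my $value = $seen->{lc $kw};
        if (!defined $value) {
            my $why = $commented->{lc $kw}
                ? 'Should not be commented'
                : 'Keyword missing (sshd default applies)';
            push @report, "[$id] $kw: NA, [Violation]: $why";
        }
        elsif (lc $value ne lc $want) {
            push @report, "[$id] $kw: $value, [Violation]: Should be set to $want";
        }
        else {
            push @report, "[$id] $kw: $value, [Passed]: Set correctly";
        }
    }
    return @report;
}

# Read a real file if a path was given, otherwise the in-memory sample.
my $fh;
if (@ARGV) {
    open $fh, '<', $ARGV[0] or die "Cannot open $ARGV[0]: $!";
}
else {
    open $fh, '<', \$SAMPLE or die "Cannot open sample: $!";
}
print "$_\n" for check_policy(parse_sshd_config($fh));
close $fh;
```

      • Two differences from the lesson's script are deliberate: the keyword match is case-insensitive and anchored to the whole first field, so a line such as usepam yes is recognized and a keyword that merely starts with the same letters is not, and a keyword that is absent altogether is reported as a violation rather than silently skipped, because sshd then falls back to its compiled-in default. Against the sample above the script reports LogLevel and X11Forwarding as violations, PermitEmptyPasswords as commented out, and UsePAM as passed.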

       

  2. Proof of Lab
    • Instructions
      1. chmod 700 scan_sshd_config.pl
      2. perl -c scan_sshd_config.pl
      3. ./scan_sshd_config.pl -v
      4. date
      5. echo "Your Name"
        • Put in your actual name in place of "Your Name"
        • e.g., echo "John Gray"
    • Proof Of Lab Instructions:
      1. Press the <Ctrl><Alt> keys simultaneously
      2. Press the <PrtScn> key
      3. Paste into a word document
      4. Upload to Moodle
     

