In my previous article, I showed how to replace clear-text and other insecure network protocols with more secure options. I used the example of replacing HTTP with HTTPS, and in this article, I explain how to switch FTP for SFTP and Telnet for SSH.
Because clear-text protocols are easy to capture and analyze, using them puts your network security at risk. Many of these services were written when the internet was in its infancy, and attackers now have better tools to capture sensitive information, making the bar very low for this kind of attack to succeed.
Knowing the danger of clear-text network protocols, you would be surprised how often I still get asked to set up an FTP or Telnet server (and the answer is always the same).
In case you haven't read my article about replacing HTTP with HTTPS, I'll repeat the tutorial's setup before explaining how to implement SFTP and SSH.
These articles will explain:
- How to use Podman to set up throwaway services to learn about insecure settings and protocols
- How to use TShark to capture and decode network traffic in real time
- How to replace obsolete services with more modern alternatives to eliminate this type of attack
This tutorial assumes you have:
- Access to Podman or Docker
- Privileged access to run TShark and containers in a special mode
- Basic knowledge of network protocols like TCP/IP, HTTP, or FTP (but don't worry too much if you don't)
Prepare your Apache sandbox
This tutorial will capture credentials on basic authentication against an unencrypted HTTPD Apache server.
You need a self-signed SSL certificate for this demo, so create a container. I used the Fedora 37 Linux distribution and the mkcert application:
[josevnz@dmaf5 self_signed_certificates]$ podman run --rm --interactive --tty --volume $HOME/Downloads:/certs mkcert_image mkcert -cert-file /certs/cert.pem -key-file /certs/cert.key dmaf5 localhost 192.168.1.30 ::1
You will use this new SSL certificate for your Podman container running Apache:
Next, build a special Apache container:
Test the authentication with curl:
# Plain HTTP listener (assumed to be published on port 8080)
curl --silent --user admin:notsosecurepassword http://dmaf5:8080/secret/
# We use --insecure because it is a self-signed certificate
curl --insecure --silent --user admin:notsosecurepassword https://dmaf5:8443/secret/
The next step is to check how much sensitive information you can get with TShark.
Use TShark to sniff the password from an FTP server
FTP sends data without encryption. Take a vsftpd container for a spin, and write a TShark expression that looks for specific FTP fields:
podman run --detach --tty --network=host --privileged --name kodegeek_vsftpd --env FTP_USER=admin --env FTP_PASS=insecurepassword --env LOG_STDOUT=yes fauria/vsftpd
tshark -i eno1 -Y 'ftp.request.command == USER or ftp.request.command == PASS' -T json
On a different terminal, establish an FTP session against your container:
josevnz@raspberrypi:~$ ftp -4 -n -v dmaf5
Connected to dmaf5.home.
220 (vsFTPd 3.0.2)
ftp> user admin insecurepassword
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
TShark will "nicely" provide the user and password in clear text:
"ftp.request": "1",
"ftp.response": "0",
"USER admin\\r\\n": {
"ftp.request.command": "USER",
"ftp.request.arg": "admin"
}
...
"ftp": {
"ftp.request": "1",
"ftp.response": "0",
"PASS insecurepassword\\r\\n": {
"ftp.request.command": "PASS",
"ftp.request.arg": "insecurepassword"
}
},
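As an added example (not code from the original article), here is a small Python detector that reads the JSON that tshark emits for the filter above and reports each clear-text FTP login without keeping the password; the sample packets are constructed to match the capture shown, and the layer names (`_source.layers.ip/tcp/ftp`) are tshark's `-T json` layout.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `tshark -T json` output, carrying only the
# layers this detector reads (a real capture also has frame and eth layers).
SAMPLE_TSHARK_JSON = json.dumps([
    {"_source": {"layers": {
        "ip": {"ip.src": "192.168.1.40", "ip.dst": "192.168.1.30"},
        "tcp": {"tcp.stream": "0"},
        "ftp": {"ftp.request": "1", "ftp.response": "0",
                "USER admin\\r\\n": {"ftp.request.command": "USER",
                                     "ftp.request.arg": "admin"}}}}},
    {"_source": {"layers": {
        "ip": {"ip.src": "192.168.1.40", "ip.dst": "192.168.1.30"},
        "tcp": {"tcp.stream": "0"},
        "ftp": {"ftp.request": "1", "ftp.response": "0",
                "PASS insecurepassword\\r\\n": {"ftp.request.command": "PASS",
                                                "ftp.request.arg": "insecurepassword"}}}}},
])

def ftp_commands(layers: dict):
    """Yield (command, argument) for each FTP request nested under the raw request line."""
    for value in layers.get("ftp", {}).values():
        if isinstance(value, dict) and "ftp.request.command" in value:
            yield value["ftp.request.command"], value.get("ftp.request.arg", "")

def cleartext_ftp_logins(tshark_json: str) -> List[Dict[str, str]]:
    """Return one alert per TCP stream in which a USER was followed by a PASS.
    The password itself is never kept, only its length, so the alert log does
    not become a second copy of the leaked secret."""
    pending: Dict[str, Dict[str, str]] = {}
    alerts: List[Dict[str, str]] = []
    for packet in json.loads(tshark_json):
        layers = packet["_source"]["layers"]
        stream = layers.get("tcp", {}).get("tcp.stream", "?")
        for command, arg in ftp_commands(layers):
            if command == "USER":
                pending[stream] = {"stream": stream, "user": arg,
                                   "client": layers["ip"]["ip.src"],
                                   "server": layers["ip"]["ip.dst"]}
            elif command == "PASS" and stream in pending:
                alert = pending.pop(stream)
                alert["password"] = "<redacted, %d chars>" % len(arg)
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in cleartext_ftp_logins(SAMPLE_TSHARK_JSON):
        print("clear-text FTP login:", alert)
```

To run it against live traffic, feed it the output of the tshark command above (`tshark ... -T json > capture.json`) through `json.loads` instead of the sample.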
Switch to SFTP
The solution is to use SFTP instead of FTP.
I won't dive into how to use SFTP, as there are lots of tutorials about SFTP out there, including Evans Amoany's How to use SCP and SFTP to securely transfer files.
Sniff a Telnet server password
A Telnet server is one of those services that no one should see on their networks. I won't even ask you to run a container; instead, I will show you what a live capture looks like (I used the Docker Telnet server for this demo).
TShark can decode Telnet traffic fields in real time. In the capture below, each character of the login name appears twice because the server echoes it back to the client, while the password, which is not echoed, appears only once:
[josevnz@dmaf5 InsecureContainer]$ tshark -i eno1 -Y 'telnet' -T fields -e telnet.data
Capturing on 'eno1'
Ubuntu 17.10\r\n
dmaf5 login:
r
r
o
o
o
o
t
t
\r
\r\n
Password:
m
a
l
w
a
r
e
\r
\r\n
Last login: Sun Oct 9 01:32:14 UTC 2022 from raspberrypi.home on pts/1\r\n
This is more or less the same thing you see on the client side:
josevnz@raspberrypi:~$ telnet dmaf5
Trying fd22:4e39:e630:1:1937:89d4:5cbc:7a8d...
Connected to dmaf5.home.
Escape character is '^]'.
Ubuntu 17.10
dmaf5 login: root
Password:
Last login: Sun Oct 9 01:32:14 UTC 2022 from raspberrypi.home on pts/1
Switch to SSH
Instead of Telnet, use SSH. Once again, there is no shortage of SSH tutorials out there, so start with Evans' article How to access remote systems using SSH.
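The Telnet capture above prints one keystroke per line, so a detector has to reassemble them. As an added example (not part of the original article), this Python snippet reads `tshark -T fields -e ip.src -e telnet.data` lines, separates client keystrokes from server output by source address (the server address is assumed to be known), ends a field on the carriage return, and labels it from the last prompt the server sent; the sample lines are constructed to mirror the capture, and IPv4 is assumed (use `-e ipv6.src` for a session like the one in the client output).

```python
from typing import Dict, List

# Constructed sample in the shape of `tshark -Y telnet -T fields -e ip.src -e telnet.data`,
# mirroring the capture above: the server echoes each login character but not the password.
SERVER = "192.168.1.30"
SAMPLE_LINES = [
    f"{SERVER}\tUbuntu 17.10\\r\\n", f"{SERVER}\tdmaf5 login: ",
    *[line for ch in "root" for line in (f"192.168.1.40\t{ch}", f"{SERVER}\t{ch}")],
    "192.168.1.40\t\\r", f"{SERVER}\t\\r\\n", f"{SERVER}\tPassword: ",
    *[f"192.168.1.40\t{ch}" for ch in "malware"],
    "192.168.1.40\t\\r", f"{SERVER}\t\\r\\n",
    f"{SERVER}\tLast login: Sun Oct 9 01:32:14 UTC 2022\\r\\n",
]

def unescape(field: str) -> str:
    """tshark prints CR and LF inside telnet.data as the two characters \\r and \\n."""
    return field.replace("\\r", "\r").replace("\\n", "\n")

def telnet_credentials(lines: List[str], server: str) -> List[Dict[str, str]]:
    """Reassemble per-keystroke telnet.data fields into login attempts.
    The login name is kept; the password is replaced by its length."""
    prompt, typed, found = "", "", []
    for line in lines:
        src, _, data = line.partition("\t")
        data = unescape(data)
        if src == server:
            # A single character equal to the last keystroke is the server's echo;
            # anything else with visible text is a new prompt or banner.
            if data.strip() and not (typed and data == typed[-1]):
                prompt = data.strip().lower()
            continue
        if data != "\r":
            typed += data
            continue
        # The client pressed Enter: classify the buffered text by the last prompt.
        if prompt.endswith("login:"):
            found.append({"client": src, "server": server, "login": typed})
        elif prompt.endswith("password:") and found:
            found[-1]["password"] = "<redacted, %d chars>" % len(typed)
        typed = ""
    return found

if __name__ == "__main__":
    for attempt in telnet_credentials(SAMPLE_LINES, SERVER):
        print("clear-text Telnet login:", attempt)
```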
What's next?
- There is more you can do to protect your networks. Learn how to use Wireshark because the bad actors already know how.
- Get started with SSH server configuration. There are lots of resources out there.
- Get the code from this tutorial. This how-to managed to do a lot of work with containers with minimum effort.
About the author
Proud dad and husband, software developer and sysadmin. Recreational runner and geek.