7.3. Securing Network Services
In general, it is a good idea to disable services that you do not use. Kali makes it easy to do this
since network services are disabled by default.
As long as services remain disabled, they do not pose any security threat. However, you must be
careful when you enable them because:
• there is no firewall by default, so if they listen on all network interfaces, they are effectively
publicly available.
• some services have no authentication credentials and let you set them on first use; others
have default (and thus widely known) credentials preset. Make sure to (re)set any password
to something that only you know.
• many services run as root with full administrator privileges, so the consequences of
unauthorized access or a security breach are usually severe.
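One way to check the first point above before and after enabling a service, as an added example that is not part of the original text: the function below reads listening sockets in the format printed by `ss -H -tuln` and labels each one by the address it is bound to. The function names and the sample input are constructed for this example.

```shell
#!/bin/sh
# Added example: label each listening socket by the address it is bound to.
# Input format: one socket per line, as printed by `ss -H -tuln`:
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

classify_listeners() {
    awk '{
        port = $5; sub(/.*:/, "", port)             # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)         # text before the last colon
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)  # strip IPv6 brackets
        sub(/%.*/, "", addr)                        # strip scope, e.g. %lo

        if (addr == "0.0.0.0" || addr == "*" || addr == "::")
            scope = "ALL-INTERFACES"                # reachable from any network
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"                      # local machine only
        else
            scope = "specific-address"
        printf "%s %s/%s %s\n", scope, port, $1, addr
    }'
}

# Constructed sample input (not captured from a real system).
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22          0.0.0.0:*
tcp LISTEN 0 244 127.0.0.1:5432      0.0.0.0:*
tcp LISTEN 0 511 *:80                *:*
tcp LISTEN 0 128 [::]:22             [::]:*
udp UNCONN 0 0   127.0.0.53%lo:53    0.0.0.0:*
tcp LISTEN 0 128 192.168.56.10:8080  0.0.0.0:*
EOF
}

# Offline demonstration; on a live system use: ss -H -tuln | classify_listeners
sample_ss_output | classify_listeners
```

Every line labelled ALL-INTERFACES is a service that, with no firewall in place, is reachable from every network the machine is attached to.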
Default Credentials
We won’t list here all tools that come with default credentials; instead, you should check the
README.Debian file of the respective packages, as well as kali.org/docs/ [1] and
tools.kali.org [2], to see if the service needs some special care to be secured.
SSH Service
If you run in live mode, the password of the kali account is “kali.” Thus you should not enable
SSH before changing the password of the kali account, or before having tweaked its configuration
to disallow password-based logins.
You may also want to generate new host SSH keys if you installed Kali from a pre-generated
image. This is covered in “Generating New SSH Host Keys” [page 115].
7.4. Firewall or Packet Filtering
A firewall is a piece of computer equipment with hardware, software, or both that parses the
incoming or outgoing network packets (coming to or leaving from a local network) and only lets
through those matching certain predefined conditions.
A filtering network gateway is a type of firewall that protects an entire network. It is usually
installed on a dedicated machine configured as a gateway for the network so that it can parse all
packets that pass in and out of the network. Alternatively, a local firewall is a software service that
runs on one particular machine in order to filter or limit access to some services on that machine,
or possibly to prevent outgoing connections by rogue software that a user could, willingly or not,
have installed.
[1] https://www.kali.org/docs/introduction/default-credentials/
[2] https://tools.kali.org/
Chapter 7 — Securing and Monitoring Kali Linux
The Linux kernel embeds the netfilter firewall. There is no turn-key solution for configuring any
firewall since network and user requirements differ. However, you can control netfilter from user
space with the iptables and ip6tables commands. The difference between these two commands
is that the former works for IPv4 networks, whereas the latter works on IPv6. Since both network
protocol stacks will probably be around for many years, both tools will need to be used in parallel.
You can also use the excellent GUI-based fwbuilder tool, which provides a graphical
representation of the filtering rules.
However you decide to configure it, netfilter is Linux’s firewall implementation, so let’s take a
closer look at how it works.
7.4.1. Netfilter Behavior
Netfilter uses four distinct tables, which store rules regulating three kinds of operations on packets:
• filter concerns filtering rules (accepting, refusing, or ignoring a packet);
• nat (Network Address Translation) concerns translation of source or destination addresses
and ports of packets;
• mangle concerns other changes to the IP packets (including the ToS—Type of Service—field
and options);
• raw allows other manual modifications on packets before they reach the connection
tracking system.
Each table contains lists of rules called chains. The firewall uses standard chains to handle packets
based on predefined circumstances. The administrator can create other chains, which will only
be used when referred to by one of the standard chains (either directly or indirectly).
The filter table has three standard chains:
• INPUT: concerns packets whose destination is the firewall itself;
• OUTPUT: concerns packets emitted by the firewall;
• FORWARD: concerns packets passing through the firewall (which is neither their source
nor their destination).
The nat table also has three standard chains:
• PREROUTING: to modify packets as soon as they arrive;
• POSTROUTING: to modify packets when they are ready to go on their way;
• OUTPUT: to modify packets generated by the firewall itself.
These chains are illustrated in Figure 7.1, “How Netfilter Chains are Called” [page 161].
Kali Linux Revealed