Cohesive Blog

Useful Linux Networking Commands

Inspired by Julia Evans’ tweet, the Cohesive team has come together to bring you our favorite Linux networking commands.

By Julia Evans https://twitter.com/b0rk/status/851785266566246400
There are great resources out there to search. We had a few overlaps with Julia’s lists, since there are just some commands you’ll never stop using. Most commands you probably already know. Even folks in sales use the term ping when they talk about connecting!

Using the command line interface (CLI) is generally easier, but only if you can remember the commands and options. For those network commands and functions that slip from your memory, here’s a handy list:

ifconfig lets you set the IP address and netmask of a network interface. You can also use it to display and analyze network interface parameters to see whether you need to enable or disable the interface.
sample ifconfig from Wikimedia Commons

netstat / ss (short for “network statistics”) displays network connections for incoming and outgoing TCP traffic, routing tables, and network protocol statistics. We most commonly use netstat to find problems in the network. Some recommend using ss instead.
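As an added example (not from the original post), a small shell helper that runs over `ss -tlnp`-style output and reports only the listening sockets bound to a wildcard address, i.e. the services reachable from every interface rather than just loopback; the `ss` output below is constructed, not captured from a real host.

```shell
# Constructed sample of `ss -tlnp` output (not from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*     users:(("redis-server",pid=1203,fd=6))
LISTEN 0      4096   [::]:8000           [::]:*        users:(("python3",pid=2271,fd=5))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=990,fd=7))'

# exposed_listeners: read `ss -tlnp` output on stdin and print "port process"
# for each LISTEN socket bound to 0.0.0.0, [::] or * (all interfaces).
# Loopback-only listeners (127.0.0.1, ::1) are left out on purpose.
exposed_listeners() {
  awk 'NR > 1 && $1 == "LISTEN" {
         # Local Address:Port is field 4; the port is the text after the last colon.
         n = split($4, a, ":"); port = a[n]
         addr = substr($4, 1, length($4) - length(port) - 1)
         if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
           proc = "unknown"
           # Pull the process name out of users:(("name",pid=...,fd=...))
           if (match($0, /users:\(\("[^"]+"/)) {
             proc = substr($0, RSTART + 9, RLENGTH - 10)
           }
           print port, proc
         }
       }' | sort -n
}

# On a live host: ss -tlnp | exposed_listeners
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the sample this prints `22 sshd` and `8000 python3`; redis and postgres are bound to loopback and so do not appear.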

To display what packets are being sent to port 80, use tcpdump. tcpdump is a packet analyzer that displays the packets being transmitted or received on a network interface. Want a fancy GUI view of packets? Use wireshark.

More useful diagnostic tools are traceroute / mtr. Use these to display the route or path between servers on a network. traceroute also records the route history so you can see each hop and the time it spends establishing each connection.

Fun fact: mtr is commonly known as “my traceroute” but was originally named Matt’s traceroute (MTR) by its author, Matt Kimball.

iptables is handy when you need to set up tables for your firewalls and NAT.

To scan your network to find all the hosts and services, use nmap. By scanning the computer network, it builds a “map” of where packets end up. nmap lets you do host discovery and service and OS detection. We recommend it for network vulnerability detection too.

telnet is an oldie-but-goodie of networking. Use “teletype network” to see if a port on another server is open. telnet is not recommended on the open, unsecured internet. For public-facing networks use SSH instead.

5 more unexpected Linux/Unix commands from Cohesive Networks

From Nicholas Clements, our Director of Development:

openssl is actually helpful in a couple of ways. My favourite (unexpected) way: acting like telnet but for secure connections.

$ openssl s_client -connect my_test_vns3:8000

And since Linux (and all Unixes — if that’s the correct plural) are file-handle-based, use lsof to “list open files” or all network connections, processes tied to particular ports, etc. Just look at the man page for lsof -i!

This is not network troubleshooting-specific, but I much prefer using less rather than more.

From Barton Nicholls, our Senior Solutions Architect and Head of DevOps:

  • I find nslookup useful if I need to query the DNS to obtain either the IP address mapping or other specific DNS record information. nslookup is short for “name server lookup”. It does not use the OS’s local DNS resolver library, so it’s a bit different than dig.

nslookup [-SubCommand ...] [{ComputerToFind| [-Server]}]

  • route might seem obvious but it’s a handy way to display your entries in the local IP routing table. You can also modify the route table with route. For example, you can add a default route using default gateway addresses of 192.168.12.1 with:

route add 0.0.0.0 mask 0.0.0.0 192.168.12.1

From Patrick Kerpan, our CEO:

  • The Linux utility/command that has made everyone looking “over the shoulder” say “I never knew that!” is iftop. It gives a dynamic terminal view of network interface throughput. By default, it orders connections by bandwidth usage, showing the “top” bandwidth consumers only.

iftop -N -n -i eth0

It’s magic.

Bonus! From Ryan Koop, Director of products and marketing:

hping3 is a ping from any source IP address. It is much more feature-rich, and it is one of the standard tools for security auditing and firewall testing. hping3 is the new version of hping and is scriptable with human-readable descriptions.

- - - -

By Jim Burnham, Strategic Partnerships & Alliances at Cohesive Networks

Earlier in April Margaret wrote a post, 3 Lessons learned from 2016 attacks, and today’s post will be a more descriptive look at the most common attack paths. I’ll offer 2 prescriptive steps that any organization can take to reduce its exposure to cyber threats by a factor of twenty-five.

A twenty-five-fold reduction in cyber threats sounds like hyperbole — but it is an actual “real” number published in the 2016 “Verizon Data Breach Report”. The report collates data from cyber attacks across a broad base of security sources and offers industry-specific details in a readable, not-too-techy style. This year’s report will be published May 3. In the meantime, here is a link to last year’s report.

The Cyber Criminal’s Attack Path
Cyber criminals use an attack path repeatedly, which makes their actions predictable. The most common attack path is a 2-part action:

  1. Compromise a user’s credentials (commonly via a phishing attack); and
  2. Use the compromised credentials to install an exploitation kit somewhere within the enterprise.

Once the exploitation kit is installed, attackers scan your internal network looking for vulnerable hosts and target-rich applications. Most enterprises do not have protections to prevent attackers from moving freely within the enterprise from one server and network to another. This “east-west” movement allows the attacker to hunt for unprotected applications. If attackers can find just a single vulnerable host, then they can execute a variety of tools to carry out their crimes.

An organization that focuses on interrupting these two steps in the attack path–compromise of user credentials and attacking vulnerable hosts–will be twenty-five times less likely to be a cybercrime victim.

Two Effective Countermeasures
So what two countermeasures should an enterprise take to interrupt a hostile actor’s attack path?

1st Countermeasure
First, since the first step in the most common attack path is to compromise user credentials, taking action to protect user and device credentials is, predictably, a common-sense countermeasure.

The most effective way to secure user credentials is to implement multi-factor authentication (MFA). Ideally, MFA should be part of a broad and comprehensive security program that includes a deliberate and well-thought-through process and tools for identity and access management (IAM). But don’t let the lack of an IAM process and plan stop you from implementing multi-factor authentication.

Unfortunately, given both the sophistication and persistence of attackers and the fallibility of humans, it is likely that even if an enterprise has a robust program for protecting identities and credentials, attackers will at some point gain access to the enterprise’s internal network.

Second Countermeasure
Therefore, the second countermeasure an organization should focus on is deterring and defending applications from internal east-west attacks. The most effective way to defend applications is to both hide your applications from attackers and restrict “east-west” traffic. The list of techniques below will achieve that:

  • Segmenting applications from the enterprise network to eliminate exposure to east-west vulnerabilities;
  • Hardening each application with a defensive application perimeter;
  • Providing each application with its own, dedicated virtual network;
  • Hiding interior traffic from threats by using encrypted connections; and
  • Monitoring network traffic for threats on both the enterprise network and on the virtual application networks.

Apply Concepts to Encapsulate Applications
These concepts are familiar to IT professionals. However, it is too difficult, complex and expensive to apply them in a physical world of servers, Ethernet ports, and network and security devices.

Fortunately, since many applications are now virtualized, organizations can take advantage of software-only virtual network and security appliances–such as Cohesive Networks VNS3–to make application encapsulation both practical and affordable. Virtual appliances aggregate these capabilities into software-defined, API-driven virtual appliances that can be built up and torn down at will for the smallest to the largest application environments.

When these techniques are applied, an application is encapsulated in its own custom, dedicated protective bubble. Imagine an encapsulated application as an island, isolated and hidden from potential threats on the untrusted enterprise network and connected to the enterprise by a single well-defended bridge.

An encapsulated application is hidden from an attacker. Even if the attacker gains access to the east-west enterprise network, he or she will not be able to see, much less access, the application’s vulnerabilities. The attacker’s malware and exploit kits have no visible targets to identify and compromise.

Security and monitoring services can be added to analyze the traffic between the application and the enterprise. This creates an additional layer of protection to create a hardened “application edge” that adds “defense in depth” to further protect the application.

Conclusion
The repetitive attack patterns of cyber criminals allow us to identify patterns and attack paths. By identifying the most likely attack paths, enterprises can prioritize countermeasures that have the greatest efficacy.

Securing identities and encapsulating applications work together to create a layered, internal defense in depth that interrupts the cyber criminal’s most successful attack paths against organizations. Cohesive Networks’ VNS3 makes application encapsulation both affordable and practical, and organizations that deploy a solution using VNS3 and implement multi-factor authentication are likely to reduce their cybersecurity threat by twenty-five times.

- - - -

Last Wednesday night the Chicago AWS user group met for a special panel about AWS Certifications. Our own Ryan Koop was a panelist, along with Chris Johnson Bidler and Rilindo Foster.

The 3 panelists had different experiences, from taking all the tests over a few months to jamming 3 associate tests into one day!

Chris took all 3 associate-level tests in one day: AWS Solution Architect Associate, AWS Developer Associate, AWS Sysops Engineer Associate. Chris has been working in DevOps and “regular Ops” for several years, and AWS for about 3 years. Chris felt most comfortable with the SA test, and saved that one for last. He did notice a fair amount of overlap between the 3 tests, primarily in the situational questions for architecture best practices.

Ryan Koop, the Director of Products and Marketing at Cohesive Networks, has taken the SA associate-level test and the AWS Certified Security — Specialty Exam. The specialty exams were just announced at re:Invent 2016 and were in beta from December to February 2017. The beta tests have closed, but results aren’t in yet. Ryan’s experience taking the SA test and the beta test was “table stakes” for the company looking to hit requirements for AWS partners in the APN Advanced tier. Ryan’s biggest tip is to get some hands-on experience with the AWS console along with studying materials.

Our third and final panelist was Rilindo Foster from Connecture. Rilindo said he’d been using AWS for 6 months when he decided to start taking all 3 Associate-level tests. Once he passed those, he moved on to the 2 professional-level tests: AWS Certified Solutions Architect Professional and AWS Certified DevOps Engineer Professional.

All three panelists suggested some hands-on experience with AWS services. The top 3 to know are S3, EC2, and VPC. While there aren’t any “trivia question” style sections, it does help to know the AWS terminology for proper context – “instances” for VMs, the difference between subnets and ACLs, etc.

The panelists all had used Acloud.guru courses to study for the tests. The founder and voice in most videos, Ryan Kroonenburg, is an AWS-promoted instructor and he sits for certifications each year at re:Invent. His tips are especially helpful for nervous test takers who want to know more about how the tests work, what the question formats are, and the timing of course content.

Here’s a handy list of places to start studying as well as ways to get hands-on experience:

Join the AWS user group in Chicago! Remember to RSVP and check for updates at https://www.meetup.com/AWS-Chicago/

May 3 – S3 storage meetup @ Cohesive/TechNexus
May 17 – hands-on with Security @ Motorola Solutions
June 6 – Kinesis @ Cohesive/TechNexus
late June – Redshift @ TBA
early July – Big Data @ Cohesive/TechNexus

Wed Jul 26 – AWS Summit Chicago @ McCormick Place

Chicago Coder Conference:
June 26-27, 2017 AWS Chicago user group discount! Get 50% off registration: 2017CCCUGaws50 http://www.chicagocoderconference.com

GOTO Chicago 2017 (gotochgo.com):
May 1-4, 2017 AWS Chicago user group discount! Get $100 off registration with the promo code “awsug” https://www.meetup.com/AWS-Chicago/events/238316999/

- - - -
