Chapter 21 - Security

2. SEVEN COMMON-SENSE RULES OF SECURITY
   - Avoid putting files on the system that are likely to be interesting to hackers
   - Plug the holes that hackers can use to gain access to the system
   - Don't provide places for hackers to build nests on the system
   - Set traps to detect intrusions and attempted intrusions

3. RULES (CONTD)
   - Monitor the reports generated by these security tools
   - Teach ourselves about UNIX system security
   - Prowl around looking for unusual activity

4. HOW SECURITY IS COMPROMISED
   - Unreliable wetware
     - Human users are the weakest links in the chain of security
     - Teach the users proper security hygiene
   - Software bugs
     - By exploiting these errors, hackers can manipulate Unix into doing whatever they want
     - Keep up with patches and security bulletins
   - Open doors
     - Gaining access by exploiting software features that were meant to be helpful
     - Make sure that we haven't put out a welcome mat for hackers
5. /ETC/PASSWD FILE
   - The contents of this file determine who can log in and what they can do once they get inside
   - This file is the system's first line of defense against intruders
   - On FreeBSD systems this file is derived from /etc/master.passwd

6. /ETC/PASSWD
   - Password checking and selection
     - It is important to continually verify that every login has a password
     - Pseudo-users should have a star (*) in the encrypted password field
     - The following command finds entries with null passwords:
         perl -F: -ane 'print if not $F[1];' /etc/passwd
     - /etc/passwd and /etc/group must be readable by the world but writable only by root

7. /ETC/PASSWD
     - The /etc/shadow file should be neither readable nor writable by the world
     - Passwords are normally changed with the passwd command

8. /ETC/PASSWD
   - Need for shadow passwords
     - Since /etc/passwd is world-readable, the encrypted password string is available to all users
     - Evildoers can encrypt selected dictionaries or word lists and compare the results with the strings in /etc/passwd to recover passwords
     - To prevent this, the passwords are put in a separate file that is readable only by root
     - This file with the actual password information is called the shadow password file

9. /ETC/PASSWD
   - Group logins and shared logins
     - Instead of having "root" as a group login, use the sudo program to control access to rootly powers
   - Password aging
     - A facility that allows us to compel users to change their passwords
   - User shells
   - Rootly entries
     - More than one entry in the passwd file may use a UID of zero, giving more than one way to log in as root
     - The defense against this subterfuge is a mini-script:
         perl -F: -ane 'print if not $F[2];' /etc/passwd
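The two perl one-liners on slides 6 and 9 and the ownership rule on slide 6 can be combined into one audit script. The following is an added example, not code from the slides or from the handbook they summarize; the file path and expected owner are parameters (assumptions) so the checks can be exercised on a constructed sample before being pointed at the real /etc/passwd.

```sh
#!/bin/sh
# Added example (not from the slides): audit a passwd-format file for the
# conditions on slides 6 and 9.  The file path and expected owner are
# parameters so the checks run on a constructed sample as well as the real
# /etc/passwd (production call: audit_passwd_file /etc/passwd root).

# Print login names whose password field (field 2) is empty.  A pseudo-user
# should carry "*" there; an empty field means no password is required.
find_null_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print every login name whose UID field (field 3) is 0.  A healthy system
# lists exactly one such entry, "root"; any other is a second way in as root.
find_uid0_entries() {
    awk -F: '$3 == "0" { print $1 }' "$1"
}

# Return 0 when the file is world-readable, not world-writable and owned by
# the expected user ($2).  ls -ld is used rather than stat because stat's
# options differ between GNU and BSD systems; chars 8 and 9 of the mode
# string are the world read and write bits.
check_passwd_perms() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    world_r=$(printf '%s' "$mode" | cut -c8)
    world_w=$(printf '%s' "$mode" | cut -c9)
    [ "$world_r" = "r" ] && [ "$world_w" = "-" ] && [ "$owner" = "$2" ]
}

# Run all checks on one file; print findings and return 1 if any were made.
audit_passwd_file() {
    file=$1; expected_owner=$2; rc=0
    for u in $(find_null_passwords "$file"); do
        echo "null password: $u"; rc=1
    done
    n=$(find_uid0_entries "$file" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "UID 0 entries: $(find_uid0_entries "$file" | tr '\n' ' ')"; rc=1
    fi
    if ! check_passwd_perms "$file" "$expected_owner"; then
        echo "bad ownership or permissions on $file"; rc=1
    fi
    return $rc
}

# Stand-alone demonstration on a constructed sample file (not a real
# system); the owner is the current user because the sample is ours.
sample=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/sh\n'         >  "$sample"
printf 'alice::1001:1001::/home/alice:/bin/sh\n' >> "$sample"
printf 'toor:x:0:0::/root:/bin/sh\n'             >> "$sample"
printf 'daemon:*:1:1::/:/sbin/nologin\n'         >> "$sample"
chmod 644 "$sample"
audit_passwd_file "$sample" "$(id -un)" || echo "audit found problems"
rm -f "$sample"
```

On the sample above the script reports alice (empty password field) and the two UID-0 logins root and toor; daemon passes because its password field is a star. Run it from cron and mail the output, and it becomes one of the reports slide 3 says to monitor.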
10. SETUID PROGRAMS
   - Prone to security problems
   - Setuid shell scripts in particular cause security problems
   - Setuid and setgid can be disabled on a filesystem with the -o nosuid option to mount
   - Disks should be scanned periodically to look for new setuid programs
   - For example, find can mail a list of all setuid root files to "netadmin"

11. FILE PERMISSIONS
   - The device file /dev/kmem allows access to the kernel's own virtual address space
   - This file should be readable only by the owner and group, never by the world
   - /dev/drum and /dev/mem provide unfettered access to the system's swap space and physical memory
   - /etc/passwd and /etc/group should not be world-writable and should be owned by root

12. FILE PERMISSIONS
   - Directories that are accessible through anonymous FTP should not be publicly writable
   - Only root should have both read and write permission on disk device files
   - The group owner is given read permission to facilitate backups, but there should be no permissions for the world
13. MISCELLANEOUS SECURITY ISSUES
   - Remote event logging
     - Syslog allows log information from both the kernel and user processes to be forwarded to a file, to users, or to another host on our network
     - A secure host that acts as the central logging machine and prints security violations on an old line printer can be set up

14. MISCELLANEOUS SECURITY ISSUES
   - Secure terminals
     - Secure channels are usually specified as a list of TTY devices or as a keyword in a configuration file
     - On Solaris the file is /etc/default/login
     - On HP-UX and Red Hat Linux the file is /etc/securetty
     - On FreeBSD it is /etc/ttys

15. MISCELLANEOUS SECURITY ISSUES
   - /etc/hosts.equiv and ~/.rhosts
     - Allow users to log in (via rlogin) and copy files (via rcp) without typing passwords
     - The server processes rshd and rlogind that read them should be disabled
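The periodic scans described on slides 10 to 12 (new setuid programs, world-writable areas) and the stray ~/.rhosts files of slide 15 can be done with find from one script. The following is an added example, not the slides' own find command nor code from the handbook; the tree root and the owner of interest are parameters (assumptions) so the scan can be run on a constructed tree, and the mail recipient "netadmin" is taken from slide 10.

```sh
#!/bin/sh
# Added example (not from the slides): the periodic scans of slides 10-12
# and 15 as functions over a directory tree.  Tree root and file owner are
# parameters; in production run as root on / with owner root and mail the
# output, e.g.  audit_tree / root | mail -s "setuid/permission audit" netadmin

# Setuid (-perm -4000) or setgid (-perm -2000) regular files owned by $2
# under $1.  -xdev keeps find on one filesystem; the list is sorted so it
# can be compared against a saved baseline with comm.
find_setuid_files() {
    find "$1" -xdev -type f -user "$2" \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Files and directories that are world-writable (o+w): the condition slides
# 11-12 say must never hold for anonymous-FTP areas or critical files.
find_world_writable() {
    find "$1" -xdev -perm -0002 -print 2>/dev/null | sort
}

# Stray .rhosts files under a home-directory tree (slide 15).
find_rhosts_files() {
    find "$1" -xdev -type f -name .rhosts -print 2>/dev/null | sort
}

# Entries of the current sorted setuid list ($2) that are absent from the
# sorted baseline ($1): the "new setuid programs" slide 10 tells us to find.
new_since_baseline() {
    comm -13 "$1" "$2"
}

# All findings for one tree, each line prefixed with the check that made it.
audit_tree() {
    find_setuid_files "$1" "$2" | sed 's/^/setuid: /'
    find_world_writable "$1"    | sed 's/^/world-writable: /'
    find_rhosts_files "$1"      | sed 's/^/rhosts: /'
}

# Stand-alone demonstration on a constructed tree owned by the current user
# (a constructed sample, not a real system).
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/home/alice" "$demo/ftp/pub"
: > "$demo/bin/su"; chmod 4755 "$demo/bin/su"   # setuid file, expected
: > "$demo/home/alice/.rhosts"                  # stray trust file
chmod 777 "$demo/ftp/pub"                       # world-writable FTP area
audit_tree "$demo" "$(id -un)"
rm -rf "$demo"
```

Save the output of find_setuid_files once the system is known-good, and feed that file plus a fresh run to new_since_baseline from cron: an empty result means no setuid program has appeared since the baseline was taken.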
16. MISCELLANEOUS SECURITY ISSUES
   - rexd, rexecd, and tftpd
     - rexd: a poorly secured remote command execution server, which should be disabled
     - rexecd: another remote command execution daemon
       - Server for the rexec library routine
       - Requests sent to it include a plaintext password
     - tftpd: server for the Trivial File Transfer Protocol
       - Allows machines on the network to request files from your hard disk

17. MISCELLANEOUS SECURITY ISSUES
   - fingerd
     - finger prints a short report about a particular user
     - The information returned by
         finger [email_address]
       when supported by the fingerd daemon on the remote host is potentially useful to hackers
   - NIS (Network Information Service)
     - Sun's database distribution tool, which many sites use to maintain and distribute files
     - Provides easy information access for hackers

18. MISCELLANEOUS SECURITY ISSUES
   - Sendmail
     - A massive network system that runs as root
     - Often subjected to attacks by hackers and has had numerous vulnerabilities
   - Backups
     - Backup tapes should be kept under lock and key
   - Trojan horses
     - Programs that are not what they seem to be
19. SECURITY POWER TOOLS
   - Nmap: network port scanner
     - Checks a set of target hosts to see which TCP and UDP ports have servers listening on them
     - The command looks like
         % nmap -sT
     - The -sT argument asks nmap to try to connect to each TCP port on the target host in the normal way
     - Other nmap scan types probe ports without completing an actual connection
     - The -O option gives nmap the ability to guess what OS a remote system is running

20. SECURITY POWER TOOLS
   - SAINT
     - Similar to nmap in finding out what servers hosts are running
     - Unlike nmap, it knows quite a lot about the actual UNIX server programs and their vulnerabilities
     - Its user interface is entirely web-based

21. SECURITY POWER TOOLS
   - Crack
     - A sophisticated tool that implements several password-guessing techniques
     - Passwords should be crack-resistant
   - tcpd
     - Referred to as the "TCP wrappers" package
     - Allows connections to TCP services to be logged
     - Piggybacks on top of inetd

22. SECURITY POWER TOOLS
   - COPS (Computer Oracle and Password System)
     - A classic tool that identifies many classic security problems
     - Warns us of potential problems by sending email
   - tripwire
     - Monitors the permissions and checksums of important system files so that we can easily detect files that have been replaced
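The idea behind tripwire on slide 22 (record permissions and checksums, then report files whose record changed) fits in a short script. The following is an added example in that spirit and is not tripwire's code; it assumes sha256sum or shasum is installed and records only mode, owner and hash (tripwire itself tracks more attributes).

```sh
#!/bin/sh
# Added example (not tripwire's code): a minimal file-integrity baseline.
# Each record is "mode:owner sha256 path"; a later check reports every file
# whose record no longer matches, which is how a replaced binary or a changed
# permission shows up.  Keep the baseline on read-only media or on another
# host, otherwise an intruder who replaces a file can update it as well.

sha256_of() {
    # GNU coreutils ships sha256sum; BSD-derived systems ship shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# One record per file: mode string and owner from ls -ld, then the hash.
integrity_record() {
    for f in "$@"; do
        meta=$(ls -ld "$f" | awk '{ print $1 ":" $3 }')
        printf '%s %s %s\n' "$meta" "$(sha256_of "$f")" "$f"
    done
}

# Print the path of every file whose current record is not an exact line of
# baseline file $1.  Returns 1 when at least one file differs.
integrity_check() {
    baseline=$1; shift
    changed=0
    for f in "$@"; do
        rec=$(integrity_record "$f")
        if ! grep -Fqx -- "$rec" "$baseline"; then
            printf '%s\n' "$f"
            changed=1
        fi
    done
    return $changed
}

# Stand-alone demonstration on a constructed file (not a real binary).
demo=$(mktemp -d)
printf 'original\n' > "$demo/prog"; chmod 755 "$demo/prog"
integrity_record "$demo/prog" > "$demo/baseline"
printf 'replaced\n' > "$demo/prog"          # simulate a swapped program
integrity_check "$demo/baseline" "$demo/prog" || echo "changed files listed above"
rm -rf "$demo"
```

Take the baseline immediately after installation, rerun integrity_check from cron against the list of files in /bin, /sbin and /etc you care about, and treat any listed path as a file to investigate rather than simply re-baseline.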
23. CRYPTOGRAPHIC SECURITY TOOLS
   - Kerberos
     - An authentication system
     - A facility that guarantees that users and services are in fact who they claim to be
     - Uses DES to construct a nested set of credentials called "tickets"
     - Tickets are passed around the network to certify identity and to provide access
     - It never transmits unencrypted passwords and relieves users from typing their passwords repeatedly

24. CRYPTOGRAPHIC SECURITY TOOLS
   - PGP: Pretty Good Privacy
     - Focused primarily on email security
     - Used to encrypt data, generate signatures, and verify the origin of files and messages
     - Software packages are often distributed with a PGP signature file that guarantees the origin and purity of the software

25. CRYPTOGRAPHIC SECURITY TOOLS
   - SSH: the secure shell
     - Confirms the user's identity and encrypts all communications between two hosts
     - The server daemon sshd can authenticate in different ways
       - Method A: the user is logged in automatically if the name of the remote host the user is logging in from is in ~/.rhosts or an equivalent file
       - Method B: uses public key cryptography to verify the identity of the remote host
       - Method C: uses public key cryptography to establish the user's identity
       - Method D: allows the user to enter his or her normal login password

26. CRYPTOGRAPHIC SECURITY TOOLS
   - SRP: Secure Remote Password
     - A highly secure way to verify passwords over a public network
     - telnet and ftp can be used with it
   - One-Time Passwords in Everything
     - Instead of encrypting passwords, it just makes sure that they work only once
     - One-time passwords are generated on our behalf
27. FIREWALLS: basic tool for network security
   - Only a supplemental security measure
   - Packet filtering firewalls
     - Limit the types of traffic that can pass through the Internet gateway based on information in the packet header
   - How services are filtered
     - The daemons that provide these services bind to the appropriate ports and wait for connections from remote sites
     - Service-specific filtering is based on the assumption that the client will use a non-privileged port to contact a privileged port on the server

28. FIREWALLS
   - Service proxy firewalls
     - Service proxies intercept connections to and from the outside world
     - They establish new connections to services inside our network
     - They act as a sort of shuttle or chaperone between the two worlds
   - Stateful inspection firewalls
     - Designed to inspect the traffic that flows through them and compare the actual network activity to what "should" be happening
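The service-specific filtering rule on slide 27 (client on a non-privileged port talking to a privileged server port) translates directly into packet-filter rules. The following is an added example, not from the slides, written for iptables rather than any filter the slides name; the interface eth0, the RFC 5737 documentation addresses and the server:port list are constructed assumptions. The functions emit the rules as text so a ruleset can be reviewed before it is applied (pipe the output to sh as root).

```sh
#!/bin/sh
# Added example (not from the slides): service-specific packet filtering
# for TCP services, emitted as iptables commands.  Interface, server
# address and port are assumed parameters; addresses are IPv4 (the
# "server:port" split below does not handle IPv6 colons).

# Default-deny: anything not explicitly accepted below is dropped.
default_deny_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P OUTPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
}

# Admit one service on gateway interface $1 for server $2, port $3.
# Inbound: only packets from an unprivileged client port (1024-65535) to the
# service's privileged port.  Outbound: only the replies, i.e. packets from
# the service port back to an unprivileged port that are not SYN-only, so
# the server cannot be used to open connections outward from that port.
service_filter_rules() {
    iface=$1; server=$2; port=$3
    printf 'iptables -A INPUT -i %s -p tcp -d %s --dport %s --sport 1024:65535 -j ACCEPT\n' \
        "$iface" "$server" "$port"
    printf 'iptables -A OUTPUT -o %s -p tcp -s %s --sport %s --dport 1024:65535 ! --syn -j ACCEPT\n' \
        "$iface" "$server" "$port"
}

# Full ruleset: default deny, then one rule pair per "server:port" argument.
build_ruleset() {
    iface=$1; shift
    default_deny_rules
    for svc in "$@"; do
        service_filter_rules "$iface" "${svc%:*}" "${svc#*:}"
    done
}

# Stand-alone demonstration with constructed (RFC 5737) addresses:
# mail on one host, web on another.
build_ruleset eth0 192.0.2.10:25 192.0.2.20:80
```

The header fields these rules test (interface, protocol, addresses, ports, SYN flag) are exactly the packet-header information slide 27 says a packet filter works from. Note the weakness the slide's own assumption carries: nothing stops a remote machine from choosing a port above 1023 as its source, so a rule that lets replies out to "any unprivileged port" admits more than true replies; stateful inspection (slide 28) closes that gap by tracking connections rather than trusting port numbers.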
29. What to do when a site has been attacked
   - Don't panic
   - Decide on an appropriate level of response
   - Hoard all available tracking information
   - Assess your degree of exposure
   - Pull the plug
   - Devise a recovery plan
   - Communicate the recovery plan
   - Implement the recovery plan
   - Report the incident to authorities