Sams Maximum Linux Security

45,145 views
44,914 views

Published on

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
45,145
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
301
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Sams Maximum Linux Security

  1. 1. MAXIMUM L INUX S ECURITY SECOND EDITION Anonymous with revisions by John Ray 201 West 103rd Street, Indianapolis, Indiana, 46290
  2. 2. Maximum Linux Security, Second Edition ACQUISITIONS EDITOR Shelley Johnston Markanday Copyright  2001 by Sams Publishing All rights reserved. No part of this book shall be reproduced, stored in a DEVELOPMENT EDITOR retrieval system, or transmitted by any means, electronic, mechanical, photo- Scott D. Meyers copying, recording, or otherwise, without written permission from the pub- MANAGING EDITOR lisher. No patent liability is assumed with respect to the use of the information Charlotte Clapp contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or PROJECT EDITOR omissions. Nor is any liability assumed for damages resulting from the use of Leah Kirkpatrick the information contained herein. COPY EDITOR International Standard Book Number: 0-672-32134-3 Michael Henry Library of Congress Catalog Card Number: 00-111262 INDEXER Printed in the United States of America Rebecca Salerno First Printing: June 2001 PROOFREADER 04 03 02 01 4 3 2 1 Daniel Ponder TECHNICAL EDITORS Trademarks Jason Byars All terms mentioned in this book that are known to be trademarks or service Steve Epstein marks have been appropriately capitalized. Sams cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as TEAM COORDINATOR affecting the validity of any trademark or service mark. Amy Patton MEDIA DEVELOPER Warning and Disclaimer Dan Scherf Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on INTERIOR DESIGNER an “as is” basis. The author(s) and the publisher shall have neither liability nor Gary Adair responsibility to any person or entity with respect to any loss or damages aris- COVER DESIGNER ing from the information contained in this book or from the use of the CD or Aren Howell programs accompanying it.
  3. 3. Contents at a Glance Introduction 1 Part I Linux Security Basics 7 1 Introducing Linux Security 9 2 Physical Security 29 3 Installation Issues 59 4 Basic Linux System Administration 95 Part II Linux User Security 137 5 Password Attacks 139 6 Data Attacks 191 Part III Linux Network Security 219 7 Malicious Code 221 8 Sniffers and Electronic Eavesdropping 251 9 Scanners 281 10 Spoofing 325 Part IV Linux Internet Security 345 11 FTP Security 347 12 Mail Security 367 13 Telnet and SSH Security 399 14 Web Server Security 435 15 Secure Web Protocols 479 16 Secure Web Development 503 17 File Sharing Security 531 18 Denial-of-Service Attacks 549 19 Linux and Firewalls 583 20 Intrusion Detection 611 21 Logs and Audit Trails 633 22 Disaster Recovery 663
  4. 4. Part V Appendixes 685 A Linux Security Command Reference 687 B Linux Security Index—Past Linux Security Issues 723 C Other Useful Linux Security Utilities/Applications 741 D Linux/Unix Security Tools 767 E Glossary 797 Index 837
  5. 5. Contents Introduction 1 PART I Linux Security Basics 7 1 Introducing Linux Security 9 What Is Linux? ......................................................................................10 Linux Is Free ....................................................................................10 Linux Closely Resembles Unix........................................................13 Where Did Linux Come From?........................................................15 Why Linux Isn’t for Everyone ........................................................15 Linux as a Standalone System ..............................................................16 Linux as an Intranet/Internet Server ......................................................18 A Linux Security Overview ..................................................................19 User Accounts ..................................................................................19 Discretionary Access Control (DAC) ..............................................21 Network Access Control ..................................................................23 Encryption ........................................................................................24 Built-in Logging, Auditing, and Network Monitoring ....................26 Intrusion Detection ..........................................................................27 Summary ................................................................................................28 2 Physical Security 29 Server Location and Physical Access ....................................................31 The Network Operations Center (NOC) ..........................................32 Public Computing Facilities ............................................................32 Computer Use Policies ....................................................................33 Network Topology ................................................................................34 Assorted Network Topologies ..........................................................34 Summary of Topology Security ......................................................40 Network Hardware ................................................................................41 Common Network Hardware Security Measures ............................42 Summary of Network Hardware ......................................................44 Workstations and Security ....................................................................44 BIOS and Console Passwords ..........................................................45 Biometric Access Controls ..............................................................46 Modem Security ..............................................................................51 Anti-Theft Devices ..........................................................................53 Unique Numbers, Marking, and Other Techniques ........................55 Summary ................................................................................................58
  6. 6. Maximum Linux Security vi 3 Installation Issues 59 About Various Linux Distributions, Security, and Installation..............60 All Distributions Are Not Created Equal… ....................................63 Partitions and Security ..........................................................................65 What Are Partitions, Exactly? ..........................................................65 Lumping Linux into a Single Partition ............................................70 Other Advantages of Multiple Partitions..........................................73 Sizing Out Partitions ........................................................................73 Creating the Swap and Root Partitions ............................................76 Creating the Extended Partition ......................................................78 Creating Logical Partitions Within the Extended Partition..............79 Other Partitioning Tools ..................................................................81 Summary of Partitions and Security ................................................83 Choosing Network Services During Installation ..................................85 Five Minutes to a More Secure System ..........................................87 chkconfig ........................................................................................90 Boot Loaders..........................................................................................91 /etc/lilo.conf: The LILO Configuration File ..............................91 Summary of Boot Loaders ..............................................................93 Summary ................................................................................................94 4 Basic Linux System Administration 95 The Basic Idea ......................................................................................96 Your Very Own Account ..................................................................97 Creating and Managing Accounts..........................................................98 Account Policy ................................................................................98 Account Structure ............................................................................99 Adding Users ..................................................................................103 Using Your Own Tools to Add Users ............................................110 Deleting Users ................................................................................111 Performing Administrative Tasks with su............................................112 su—The Substitute User ................................................................112 Access Control ....................................................................................115 Permissions and Ownership ................................................................115 chmod: Changing File Permissions ................................................117 A Closer Look at Groups ....................................................................127 Creating Groups..............................................................................129 chown: Assigning User Owner and Group Permissions ................132 Removing Groups ..........................................................................134 Bringing Down Your System ..............................................................135 shutdown: Shutting Down Your Linux System ..............................135 Summary ..............................................................................................136
  7. 7. vii CONTENTS PART II Linux User Security 137 5 Password Attacks 139 What Is a Password Attack? ................................................................140 How Linux Generates and Stores Passwords ......................................141 Passwords Down Through the Ages ..............................................142 The Data Encryption Standard (DES) ................................................144 Dictionary Attacks ..........................................................................146 Case Study: Cracking Linux Passwords via Dictionary Attack ..........147 Crack ..............................................................................................147 Dictionary Attacks: A Historical Perspective ................................155 Password Shadowing and the shadow Suite ........................................157 /etc/shadow: The Password shadow Database ..............................158 Beyond Creating and Deleting Users and Groups ........................170 Possible Attacks Against Your Shadowed System ........................172 After Installing the shadow Suite ........................................................174 Human Password Choices and System Security............................174 Proactive Password Checking ........................................................179 Other Password Security Issues ..........................................................182 Password Proliferation and Security ..............................................182 Pluggable Authentication Modules......................................................185 Still Other Password Security Solutions..............................................187 Regarding Network Information Service and Password Security........................................................................187 Summary ..............................................................................................189 6 Data Attacks 191 When Is Data Security Necessary?......................................................192 Real-life Attacks ............................................................................193 Forms of Data Security........................................................................194 Private Keys....................................................................................194 Public Keys ....................................................................................196 Common Encryption Algorithms ........................................................197 mcrypt: Installation and Usage ............................................................199 Using mcrypt ..................................................................................201 GnuPG: Installing and Using a Public Key Encryption Utility ............205 Generating a Keypair......................................................................206 Using Your Keychain......................................................................208 Encrypting and Decrypting Documents ........................................210 Adding a GUI to GnuPG ..................................................................210 Steganography—Time for Something Completely Different..............214 Installing and Using JPHIDE/JPSEEK ..........................................215 Additional Resources ..........................................................................217 Summary ..............................................................................................218
  8. 8. Maximum Linux Security viii PART III Linux Network Security 219 7 Malicious Code 221 What Is Malicious Code? ....................................................................222 What Is a Trojan? ..........................................................................222 Viruses ............................................................................................226 Detecting Malicious Code ..................................................................229 Tripwire ..........................................................................................232 Availability of Tripwire ..................................................................234 Installing Tripwire ..........................................................................234 Configuring and Running Tripwire ................................................241 Checking File Integrity with Tripwire............................................242 Summary on Tripwire ....................................................................245 Other File Integrity Checking Software ..............................................245 Aide ................................................................................................246 Distributed L6 ................................................................................247 Hobgoblin ......................................................................................247 sXid ................................................................................................248 trojan.pl ......................................................................................248 Additional Resources......................................................................248 Summary ..............................................................................................249 8 Sniffers and Electronic Eavesdropping 251 How Sniffers Work ..............................................................................252 Case Studies: Performing a Few Simple Sniffer Attacks ....................254 linsniffer ....................................................................................254 linux_sniffer ................................................................................258 hunt ................................................................................................264 sniffit ..........................................................................................268 Other Sniffers and Network Monitoring Tools....................................272 Risks Posed by Sniffers ......................................................................274 Defending Against Sniffer Attacks ......................................................276 ifconfig ........................................................................................277 NEPED: Network Promiscuous Ethernet Detector........................277 Other, More Generic Defenses Against Sniffers ............................278 Further Reading ..................................................................................279 Summary ..............................................................................................280 9 Scanners 281 What Is a Scanner? ..............................................................................282 Anatomy of a System Scanner ......................................................283 Anatomy of a Network Scanner ....................................................286 Scanner Building Blocks and Scanner Evolution................................290 How Scanners Fit into Your Security Regimen ..................................299
  9. 9. ix CONTENTS Various Scanner Tools ........................................................................300 SAINT (Security Administrator’s Integrated Network Tool) ........300 Nessus ............................................................................................301 nmap—The Network Mapper..........................................................306 CGI scanner v1.0............................................................................309 Are Scanners Legal? ......................................................................314 Defending Against Scanner Attacks ....................................................315 courtney (SATAN and SAINT Detector) ......................................315 IcmpInfo (ICMP Scan/Bomb Detector) ........................................317 scan-detector (Generic UDP Scan Detector) ..............................319 klaxon ............................................................................................320 Psionic PortSentry ........................................................................321 Interesting Resources ..........................................................................322 Summary ..............................................................................................323 10 Spoofing 325 What Is Spoofing All About? ..............................................................326 TCP and IP Spoofing ..........................................................................326 Case Study: A Simple Spoofing Attack ..............................................329 A Sample Attack ............................................................................329 TCP and IP Spoofing Tools............................................................331 What Services Are Vulnerable to IP Spoofing? ............................332 Preventing IP Spoofing Attacks ..........................................................334 ARP Spoofing ......................................................................................335 Defending Against ARP Spoofing Attacks ....................................337 DNS Spoofing......................................................................................338 Other Strange Spoofing Attacks ..........................................................340 Couic ....................................................................................................342 Further Reading ..................................................................................343 Summary ..............................................................................................344 PART IV Linux Internet Security 345 11 FTP Security 347 File Transfer Protocol ..........................................................................348 FTP Security History......................................................................348 FTP’s Default Security Features..........................................................352 /etc/ftpusers: The Restricted Users Access File ........................352 /etc/ftpaccess: The ftpd Configuration File ..............................354 SSH File Transfers ..............................................................................360 scp ..................................................................................................360 sftp ................................................................................................361 Alternative Solutions: SSLftp and sftp ........................................363
  10. 10. Maximum Linux Security x Specific FTP Application Security ......................................................363 ncftp ..............................................................................................363 filerunner ....................................................................................364 ftpwatch ........................................................................................364 wu-ftpd ..........................................................................................364 Summary ..............................................................................................365 12 Mail Security 367 SMTP Servers and Clients ..................................................................368 A Simple SMTP Client ..................................................................370 sendmail Security Basics ....................................................................374 sendmail Service Protection ..........................................................381 Other sendmail Resources ............................................................391 Replacing sendmail with Qmail..........................................................392 Qmail Installation ..........................................................................392 Other Qmail Resources ..................................................................396 Summary ..............................................................................................397 13 Telnet and SSH Security 399 Telnet’s Security History ....................................................................400 Secure Telnet Systems ........................................................................402 deslogin ..............................................................................................402 Installing the deslogin Distribution ..............................................403 STEL (Secure Telnet) ......................................................................409 SRA Telnet from Texas A&M University ..........................................410 The Stanford SRP Telnet/FTP Package ..............................................410 Important Documents ....................................................................411 Secure Shell (ssh) ................................................................................411 The ssh Core Utilities ....................................................................413 Quick Start: Installing the ssh Distribution ..................................413 ssh Server Configuration................................................................415 sshd Startup Command-Line Options............................................418 Starting sshd ..................................................................................421 Using the ssh Client ......................................................................423 scp: The Secure Copy Remote File Copy Program ............................425 Providing ssh Services in a Heterogeneous Network..........................425 PuTTY ............................................................................................425 Tera Term........................................................................................426 ssh Support for Macintosh..............................................................426 Examples of ssh in Action ............................................................426 ssh Security Issues ..............................................................................432 Additional Resources ..........................................................................432 Summary ..............................................................................................433
  11. 11. xi CONTENTS 14 Web Server Security 435 Eliminating Nonessential Services ......................................................436 File Transfer Protocol (FTP) ..........................................................437 finger ............................................................................................437 Network File System (NFS) ..........................................................439 Other RPC Services........................................................................440 rwalld (The rwall Server) ............................................................441 The R Services................................................................................441 Other Services ................................................................................443 Applying Access Control to Running Services..............................446 Web Server Security ............................................................................446 httpd ..............................................................................................446 Controlling Outside Access: httpd.conf ......................................447 Configuration Options That Can Affect Security ..........................453 The ExecCGI Option: Enabling CGI Program Execution ..............454 The FollowSymLinks Option: Allowing Users to Follow Symbolic Links................................................................455 The Includes Option: Enabling Server-Side Includes (SSI) ........455 The Indexes Option: Enabling Directory Indexing ......................458 Adding Directory Access Control with Basic HTTP Authentication ..................................................................................459 htpasswd ........................................................................................460 Weaknesses in Basic HTTP Authentication ........................................465 HTTP and Cryptographic Authentication............................................466 Adding MD5 Digest Authentication ..............................................467 Running a chroot Web Environment ..................................................468 WebDAV ..............................................................................................469 Installing and Configuring WebDAV ............................................470 Using WebDAV on Mac OS X ......................................................471 Using WebDAV on Windows ........................................................473 Accreditation and Certification............................................................475 PricewaterhouseCoopers, Resource Protection Services (USA) ..........................................................................475 The American Institute of Certified Public Accountants (AICPA) ................................................................475 International Computer Security Association (Previously NCSA) ......................................................................476 Troy Systems ..................................................................................477 Summary ..............................................................................................477
  12. 12. Maximum Linux Security xii 15 Secure Web Protocols 479 The Problem ........................................................................................480 Secure Sockets Layer (SSL) from Netscape Communications Corporation ..........................................................480 SSL’s Security History ..................................................................481 Installing mod_ssl ................................................................................485 Unpacking, Compiling, and Installing OpenSSL ..........................485 Unpacking, Compiling, and Installing mod_ssl ............................487 Testing the Server ..........................................................................494 About Certificates and Certificate Authorities ..............................500 Summary of Apache-SSL ..............................................................501 Further Reading on SSL ................................................................502 Summary ..............................................................................................502 16 Secure Web Development 503 Development Risk Factors: A Wide Overview....................................504 Spawning Shells ..................................................................................504 Executing Shell Commands with system() ..................................505 popen() in C and C++ ....................................................................509 open() in Perl ................................................................................511 eval (Perl and shell) ......................................................................513 exec() in Perl ................................................................................513 Buffer Overruns ..................................................................................513 About User Input in General ..........................................................516 Paths, Directories, and Files ................................................................517 chdir() ..........................................................................................519 Files ................................................................................................519 Embedded Programming Languages ..................................................519 Installing PHP ................................................................................522 Other Embedded Languages ..........................................................525 Automated CGI Testing Tools ............................................................526 Other Interesting Security Programming and Testing Tools..........527 Other Online Resources ......................................................................529 Summary ..............................................................................................529 17 File Sharing Security 531 Linux as a File Server..........................................................................532 Samba ..................................................................................................533 Global Directives ............................................................................534 Share-Level Directives ..................................................................537 SWAT..............................................................................................540 Other Resources..............................................................................541
  13. 13. xiii CONTENTS Netatalk ................................................................................................542 Basic Netatalk Configuration ........................................................543 Additional Information ..................................................................544 NFS Security........................................................................................545 exports ............................................................................................546 Other References ............................................................................546 Virtual Private Networks......................................................................547 IPSEC ............................................................................................547 Summary ..............................................................................................548 18 Denial-of-Service Attacks 549 What Is a Denial-of-Service Attack? ..................................................551 Risks Posed by Denial-of-Service Attacks ..........................................552 Distributed Denial-of-Service Attacks (DDoS)..............................553 How This Chapter Is Laid Out ............................................................554 Network Hardware DoS Attacks ........................................................554 Attacks on Linux Networking ............................................................558 knfsd Attack ..................................................................................559 ICMP Fragmentation Attack ............................................................560 sesquipedalian.c ..........................................................................560 inetd and NMAP ..........................................................................562 lpd Bogus Print Requests ..............................................................563 mimeflood.pl ..................................................................................563 portmap (and Other RPC Services) ................................................564 Unix Socket Garbage Collection DoS............................................564 time and daytime DoS ..................................................................565 teardrop.c ....................................................................................566 identd Open Socket Flood ............................................................568 Lynx/chargen Browser Attack........................................................568 nestea.c ........................................................................................569 pong.c and ICMP Floods ..............................................................569 The Ping of Death ..........................................................................570 octopus.c ......................................................................................571 Attacks on Linux Applications ............................................................573 Netscape Communicator Content Type (1) ....................................573 Netscape Communicator Content Type (2) ....................................573 passwd Resource Starvation............................................................574 xdm ..................................................................................................575 wtmp Lock ......................................................................................575 Other DoS Attacks ..............................................................................576 Defending Against Denial-of-Service Attacks ....................................579 Online Resources ................................................................................580 Summary ..............................................................................................581
  14. 14. Maximum Linux Security xiv 19 Linux and Firewalls 583 What Is a Firewall? ..............................................................................584 Network-Level Firewalls: Packet Filters ........................................585 Application-Proxy Firewalls/Application Gateways......................586 Assessing Whether You Really Need a Firewall ................................588 Internet Gateway/Firewalls ..................................................................589 tcpd: TCP Wrappers ............................................................................592 TCP Wrappers and Network Access Control ................................595 Summary of TCP Wrappers ..........................................................598 ipfwadm ................................................................................................598 ipfwadm Basics................................................................................599 Configuring ipfwadm ......................................................................602 ipchains ..............................................................................................603 ipchains Security History..............................................................604 iptables ..............................................................................................604 Free Firewall Tools and Add-ons for Linux ........................................605 Commercial Firewalls..........................................................................606 CSM Proxy/Enterprise Edition ......................................................607 GNAT Box Firewall........................................................................607 NetScreen........................................................................................607 Sun Cobalt Adaptive Firewall ........................................................608 PIX Firewall ..................................................................................608 Additional Resources ..........................................................................608 Summary ..............................................................................................610 20 Intrusion Detection 611 What Is Intrusion Detection? ..............................................................612 Basic Intrusion Detection Concepts ....................................................613 Some Interesting Intrusion Detection Tools ........................................615 chkwtmp ..........................................................................................615 tcplogd ..........................................................................................616 Snort ..............................................................................................617 HostSentry ....................................................................................618 Shadow ............................................................................................619 MOM ..................................................................................................620 The HummingBird System ............................................................621 AAFID (Autonomous Agents for Intrusion Detection) ....................622 Practical Intrusion Detection ..............................................................623 PortSentry ....................................................................................624 Installing and Configuring PortSentry ..........................................625 Automating Startup ........................................................................628 Documents on Intrusion Detection ................................................629 Summary ..............................................................................................631
  15. 15. xv CONTENTS 21 Logs and Audit Trails 633 What Is Logging, Exactly? ..................................................................634 Logging in Linux ................................................................................635 lastlog ..........................................................................................636 last ................................................................................................637 xferlog ..........................................................................................640 httpd Logs......................................................................................641 Samba ............................................................................................645 System and Kernel Messages ........................................................647 /var/log/messages: Recording System and Kernel Messages ....647 Writing to syslog from Your Own Programs ................................651 Backing and Handling Logs ..........................................................654 Other Interesting Logging and Audit Tools ........................................657 SWATCH (The System Watcher) ..................................................658 SNORT ..........................................................................................659 Watcher ..........................................................................................659 NOCOL/NetConsole v4.0 ..............................................................660 PingLogger ....................................................................................660 LogSurfer........................................................................................660 Analog ............................................................................................661 Summary ..............................................................................................661 22 Disaster Recovery 663 What Is Disaster Recovery? ................................................................664 Why You Need a Disaster Recovery-Contingency Plan ................664 Steps to Take Before Building Your Linux Network ..........................664 Hardware Standardization ..............................................................664 Software Standardization: Your Basic Config................................666 Choosing Your Backup Tools ..............................................................669 Simple Archiving: tarring and Zipping Your Files and Directories ........................................................................................670 Creating a tar Archive ..................................................................670 Compressing Your tar Archive with gzip ....................................671 kArchiver ........................................................................................672 cpio: Another File Archive Tool ....................................................673 Creating a Hot Archive Site ..........................................................674 Types of Backups and Backup Strategies............................................675 Backup Packages ................................................................................679 KDat................................................................................................679 KBackup (from Karsten) ................................................................680 Enhanced Software Technologies’ BRU ........................................680 AMANDA (the Advanced Maryland Automatic Network Disk Archiver)..............................................................................681 Odds and Ends ....................................................................................682 Summary ..............................................................................................683
  16. 16. Maximum Linux Security xvi PART V Appendixes 685 A Linux Security Command Reference 687 .htaccess ......................................................................................688 .htpasswd ......................................................................................688 ACUA (An Add-On) ......................................................................689 amadmin ..........................................................................................689 amanda ............................................................................................689 amcheck ..........................................................................................689 amcleanup ......................................................................................689 amdump ............................................................................................690 amrestore ......................................................................................690 Angel Network Monitor (An Add-On) ..........................................690 AppleVolumes.default ..................................................................690 APS (An Add-On) ..........................................................................690 arp ..................................................................................................691 bootpd ............................................................................................691 cfdisk ............................................................................................691 chmod ..............................................................................................692 chown ..............................................................................................692 chroot ............................................................................................692 CIPE Crypto IP Encapsulation (An Add-On) ................................693 crypt ..............................................................................................693 ctrlaltdel ....................................................................................693 Dante (An Add-On) ........................................................................693 Deception Toolkit (An Add-On) ....................................................694 DOC (Domain Obscenity Control, an Add-On) ..............................694 dns_lint (An Add-On) ..................................................................694 dnswalk (An Add-On) ....................................................................694 Ethereal (An Add-On) ....................................................................694 exports ..........................................................................................694 exscan (An Add-On) ......................................................................695 FakeBO (An Add-On) ....................................................................695 fdisk ..............................................................................................695 finger ............................................................................................695 fingerd ..........................................................................................696 ftphosts ........................................................................................696 ftpaccess ......................................................................................696 ftpd ................................................................................................697 ftpshut ..........................................................................................697 ftpwho ............................................................................................697 GNU Privacy Guard (An Add-On) ................................................697 halt ................................................................................................698
  17. 17. xvii CONTENTS hosts_access ..................................................................................698 hosts.allow....................................................................................698 hosts.deny ....................................................................................698 hosts_options ................................................................................698 hosts.equiv....................................................................................699 HostSentry from the Abacus Project ..............................................699 htpasswd ........................................................................................699 httpd ..............................................................................................700 identd ............................................................................................700 IdentTCPscan (An Add-On) ..........................................................700 inetd.conf ....................................................................................700 ip_filter (An Add-On) ................................................................701 IPAC (An Add-On) ........................................................................701 IPchains ..........................................................................................702 ipfwadm ..........................................................................................702 IPTables ..........................................................................................702 IPv4 & IPv6 Sniffer........................................................................702 ISS (An Add-On)............................................................................702 KSniffer (An Add-On)....................................................................703 last ................................................................................................703 Logcheck from the Abacus Project (An Add-On)..........................703 lsof (An Add-On) ..........................................................................703 MAT (Monitoring and Administration Tool, an Add-On)..............704 WebDAV (mod_dav—an Apache Add-On) ....................................704 mod_ssl (An Apache Add-On) ......................................................704 MOM (An Add-On)........................................................................704 msystem (An Add-On That’s Made for Unix but Can Work with Linux) ........................................................................704 NEPED (Network Promiscuous Ethernet Detector, an Add-On) ..................................................................................705 Nessus (An Add-On) ......................................................................705 netstat ..........................................................................................705 NMAP (The Network Mapper, an Add-On) ..................................705 npasswd (An Add-On) ....................................................................706 ntop (An Add-On) ..........................................................................706 OpenSSL ........................................................................................706 passwd ............................................................................................706 passwd+ (An Add-On) ....................................................................707 pgp4pine ........................................................................................707 ping ................................................................................................707 ps ....................................................................................................708 qmail (An Add-On) ........................................................................708 QueSo (An Add-On) ........................................................................708
  18. 18. Maximum Linux Security xviii rcmd ................................................................................................708 rcp ..................................................................................................709 reboot ............................................................................................709 rlogin ............................................................................................709 rhosts ............................................................................................709 rhosts.dodgy (An Add-On) ..........................................................710 rsh ..................................................................................................710 scp ..................................................................................................710 PortSentry from the Abacus Project ..............................................710 services ........................................................................................711 shadow ............................................................................................711 Shadow in a Box (An Add-On)......................................................711 showmount ......................................................................................711 shutdown ........................................................................................712 SINUS (An Add-On) ......................................................................712 smb.conf ........................................................................................712 Snort (An Add-On) ........................................................................712 SocketScript (An Add-On) ............................................................712 ssh ..................................................................................................713 ssh-add ..........................................................................................713 ssh-agent ......................................................................................713 ssh-keygen ....................................................................................713 sshd ................................................................................................713 Strobe (An Add-On) ......................................................................714 sudo ................................................................................................714 Swan (An Add-On) ........................................................................714 sXid Secure (An Add-On) ..............................................................714 sysklogd ........................................................................................714 System Administrator’s Tool for Analyzing Networks (SATAN, an Add-On) ..................................................................715 tcpd (TCP Wrappers) ....................................................................715 tcpdchk ..........................................................................................715 tcpdmatch ......................................................................................715 tcpdump ..........................................................................................716 tftp ................................................................................................716 The Linux Shadow Password Suite (An Add-On) ........................716 traceroute ....................................................................................716 traffic-vis (An Add-On) ............................................................718 Trinux (An Add-On) ......................................................................718 TripWire (An Add-On) ..................................................................718 trafgraf ........................................................................................718 trojan.pl ......................................................................................718
  19. 19. xix CONTENTS ttysnoop ........................................................................................719 vipw ................................................................................................719 visudo ............................................................................................719 w ......................................................................................................719 who ..................................................................................................720 whois ..............................................................................................720 xinetd.conf....................................................................................721 Xlogmaster (An Add-On) ..............................................................721 B Linux Security Index—Older Linux Security Issues 723 Summary ..............................................................................................739 C Other Useful Linux Security Tools 741 D Sources for More Information 767 Linux Security Patches, Updates, and Advisories..........................768 Mailing Lists ........................................................................................768 Usenet Newsgroups ............................................................................771 Secure Programming ......................................................................773 General Web Security ....................................................................776 General Security Resources............................................................777 RFCS of Interest ............................................................................787 E Glossary 797 Index 837
  20. 20. About the Authors Anonymous is a self-described Unix and Perl fanatic who lives in southern California with his wife Michelle and a half-dozen computers. He currently runs an Internet security consulting company and is at work building one of the world’s largest computer security archives. He also moonlights doing contract programming for several Fortune 500 firms. John Ray is an award-winning developer and security consultant with more than 16 years of programming and administration experience. He has worked on projects for the FCC, The Ohio State University, Xerox, and the state of Florida, as well as serving as IT Director for Blue Cosmos Design, Inc. Ray has written/contributed to more than 10 titles currently in print, ranging from Using TCP/IP: Special Edition to Sams Teach Yourself Dreamweaver UltraDev 4 in 21 Days.
  21. 21. Dedications For Harlie, my sister. For you, I stopped the clocks. I wound down the money machine. I bade the planets come to rest and commanded that all the winds fall silent, merely so that I could hear you. I still hear you now, laughing, as you rush through the trees in our garden. —Anonymous In memory of Carol Neuschwander and William C. Ray, I —John Ray Acknowledgments The following persons were indispensable: Harry Reginald Hammond, Michael Michaleczko, Scott Lobel, David Fugate, Andrew Marsh, Tonie Villeneuve, and John Sale. Additionally, my deepest thanks to a superb editing team: Mark Taber, Scott Meyers, Shelley Johnston Markanday, Randi Roger, Jason Byars, Steve Epstein, Dan Scherf, Mike Henry, and Ben Berg. —Anonymous Many thanks to the wonderful people at Sams, including Shelley Johnston Markanday, Scott Meyers, and Leah Kirkpatrick. I’d also like to express my gratitude to Jason and Steve, the tech editors, for checking and double-checking each example and URL, and to the original author (who shall continue to remain nameless) for creating a work that was a delight to update, yet comprehensive in scope. Finally, a very special thanks to Amtrak security and Chicago police for not shooting me or my companion during our recent train ride. —John Ray
  22. 22. Tell Us What You Think! As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way. You can e-mail or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books stronger. Please note that I cannot help you with technical problems related to the topic of this book, and that due to the high volume of mail I receive, I might not be able to reply to every message. When you write, please be sure to include this book’s title and author as well as your name and phone or e-mail address. I will carefully review your comments and share them with the author and editors who worked on the book. E-mail: webdev@samspublishing.com Mail: Mark Taber Associate Publisher Sams Publishing 201 West 103rd Street Indianapolis, IN 46290 USA
  23. 23. Introduction As little as four years ago, Linux books were a rarity on the bookstand. The fledgling operat- ing system was considered a dead-end by some, and a hobby operating system by others. The marketplace for a Linux security book was, as you might guess, remarkably small. Today, Linux growth in the server marketplace easily outpaces commercial operating systems such as Windows NT. Expansion into the consumer arena has also started, with the maturation of the KDE and GNOME environments and the strong support of innovative companies such as Eazel. No matter how you use Linux, you need to understand its security model. The advent of wide- spread broadband service has suddenly turned each connected computer into the potential tool of a hacker. Without the proper security provisions, you risk the loss of data, theft of informa- tion, perhaps even criminal prosecution for negligence. To make matters worse, Linux distribu- tions are not created equal. Depending on the version of Linux you’re installing, you might be getting a system more secure than traditional desktop operating systems, or a computer more open and exposed than Windows NT on its worst day. With this revision, Maximum Linux Security continues its tradition of providing the most com- prehensive and up-to-date information available. Those new to Linux will enjoy the depth of coverage, and seasoned pros will appreciate the unbiased look at new and upcoming technolo- gies. Linux security is no longer just useful to a select few, and Maximum Linux Security will continue to bring the latest tools and developments to you, the reader. This Book’s Organization Over the course of writing several books, I’ve learned much about structure and organization. Armed with this knowledge, I’ve examined my earlier works and found serious shortcomings that might have prevented readers from quickly locating important information. To prevent that from happening again, I wrote this book with a new approach. In particular, Maximum Linux Security is cross-referenced exceptionally well, and is therefore a more cohesive resource. Such cross-referencing inevitably leads to better indexing, too—a critical point that’s often overlooked in otherwise superb books. This book’s most valuable facet, in fact, might be how I cross-referenced it. Let’s briefly cover that issue now.
  24. 24. Maximum Linux Security 2 How This Book Is Cross-Referenced Authors of books like this one generally enjoy certain advantages. For example, imagine if this book’s title were Maximum NT Security. I could write it swiftly, cover to cover, secure in the knowledge that Windows NT users have years of experience (if not with NT, with Windows 3, 3.1, 3.11, 95, and 98). Indeed, my readers would quickly understand and implement every sug- gestion and tip. But this book is a special case. Although Linux users now number more than 10 million, the majority of them have used Linux for less than one year. In fact, many are just now getting their bearings. Additionally, although excellent Linux security documentation is available online, there are few hardcopy books on the subject. Again, this is in contrast to Windows NT. A big problem that is being addressed (albeit slowly), is the availability of GUI software for configuring much of Linux’s server functionality. Unlike Windows NT, Linux was built with command-line tools and has been adding graphic interfaces to these tools over time. In the Windows world, much of the configuration is handled by centralized management software and with preferences being stored in a proprietary binary database—also known as the Registry. Linux developers, on the other hand, often break up essential functions into separate com- mands, or files, or both. A good example is the tcpd system, which allows you to accept or deny network connections from specified hosts or host hierarchies. To skillfully employ tcpd, you must be familiar with several commands and files: • /etc/hosts.allow—A table of host access rules • /etc/hosts.deny—A table of host denial rules • hosts_access—A system and language for establishing access rules • hosts_options—An extension to hosts_access • tcpd—The TCP daemon • tcpdchk—A tool that verifies your tcpd-centric configuration • tcpdmatch—A tool that interactively demonstrates your rules These arrangements can be frustrating and confusing for first-time Linux users. They might become discouraged, believing that they’ll never properly configure all those commands and files. This understandably contributes to Linux’s reputation as a difficult-to-configure operating system. Finally, Linux conforms to the axiom most commonly attributed to Perl programmers: There’s more than one way to do it. Linux often has several commands that perform the same (or sub- stantially the same) function.
  25. 25. 3 INTRODUCTION My chief aim in writing Maximum Linux Security was to impart a holistic understanding of Linux security, especially to new users. To do that, I needed a way to clearly identify and cross-reference • Groups of commands and files that must be used in concert • Groups of commands that perform similar tasks I settled on something that I call clusters. These are maps that point to required commands and files and related or similar tools. This has resulted in a level of context-sensitive cross- referencing rarely seen in retail technical books. Let’s look at an example. Chapter 4, “Basic Linux System Administration,” will cover basic system administration tasks such as adding and deleting users. One tool you can use for this purpose is linuxconf. Linuxconf’s cluster provides a basic summary about the tool: linuxconf Application: linuxconf Required: linuxconf+support modules Config Files: self-maintained Similar Utilities: useradd, adduser Security History: Version 1.11r11, as shipped with Red Hat 5.1 was SUID root (you’ll learn more about SUID and its implications later in this chapter). Because linuxconf can alter many of the configuration files on a machine, this presented a very serious problem. The quick fix is to remove the inappropriate permission by typing chmod -s /bin/linuxconf. There have been other minor bugs with the program itself. These are documented in depth at http://www.solucorp.qc.ca/linuxconf/. New users will benefit from this approach because they can quickly see the relationships between different commands or files. This is especially important when the main tool is associ- ated with many separate configuration files, as in the case of tcpd. But that’s not all. This sort of bi-directional, context-sensitive cross-referencing (even without cluster maps) occurs throughout the book. Wherever possible, when discussing one tool, I cross-reference similar or associated tools that are discussed elsewhere. These associative trails lead not simply to relevant chapters, sections, and man pages, but to supplementary information online.
  26. 26. Maximum Linux Security 4 Here’s an example from Appendix A, “Linux Security Command Reference”: amadmin Description: Administrative interface to control amanda backups. Security Relevance: Use amadmin to configure the amanda backup system. For more informa- tion, please see Chapter 22, “Disaster Recovery”; amanda, amcheck, and amcleanup in this appendix; the amadmin manual page; or http://www.cs.umd.edu/projects/amanda/ amanda.html. This double-barreled approach has led to a tight book that you can use to instantly find the information you want in great detail and depth. Using This Book To implement the examples in this book, you’ll need the following: • Linux (Craftworks, Debian, Delix DLD, Eagle Group, Eurielec, Kheops, Linux Universe, MNIS, OpenLinux, Red Hat, SuSE, SlackWare, Stampede Linux, TransAmeritech, TurboLinux, Yggdrasil, and so on) • A full installation, including standard TCP/IP clients and servers, GCC/EGCS, and Perl NOTE Examples are often either dependent on Linux or an application version. For instance, some tools demand recent versions of Perl, some demand gtk, some demand a.out support, and many demand ELF (Executable and Linking Format) support. Ideally, you’ll have a recent Linux distribution that satisfies these requirements (examples were generated with Red Hat and Caldera Systems). Internet connectivity is not strictly required, although extensive online resource listings are provided. Most examples can be replicated with a local Web server on a single networked machine. However, I strongly recommend that you use an intranet at the very least. Certain examples require multiple machines, such as testing firewall rules. With few exceptions, examples focus on achieving security without using the proprietary tools sometimes included in commercial Linux distributions. I took this approach to ensure that the material would be relevant to all versions of Linux. At the same time, I do realize that many people want to use graphical administration tools, so I’ve included information on the latest tools that are available for a wide variety of Linux distributions.
  27. 27. 5 INTRODUCTION Finally, I wrote this book to be useful to more than just advanced administrators. If you’re new to Linux, the sheer volume of commands and options might be overwhelming. This text helps weed through the unnecessary information and get to what actually works. Odds and Ends Finally, a few notes: • Links and home pages—Between revisions of Maximum Linux Security, many of the resource links have changed or disappeared altogether. Such is the way of the Web. I’ve made every attempt to provide links to large and reliable security sites. If, for any reason, a link fails to work, try a search engine such as http://www.google.com/ to locate an archive, or cached copy of the original material. • About products mentioned in Maximum Linux Security—I mention many products in this book—some commercial, some not—but I’m not affiliated with any of them. If I mention a tool, I do so purely because it’s useful or because an example was generated with it. That said, I’d like to thank those developers who provided technical support on their products. Their help was greatly appreciated. • Software versions—One of the great things about Linux is that the available software is always undergoing constant improvement. Unfortunately, this also makes it very difficult to document a particular version of an application and expect it to remain current through the lifetime of the book. Although a conscious effort is made to provide the most up-to-date information, don’t be surprised if a version number doesn’t match what you see or a screenshot has changed slightly. • Mistakes and such—If you find that your product has been mentioned and the informa- tion was incorrect, please contact Sams Publishing. Summary So, that covers it. I hope you enjoy Maximum Linux Security and find it useful. Although the book is not exhaustive, it does cover essential Linux security tasks. Also, the accompanying CD-ROM and many online references will provide you with indispensable tools and additional information sources. These combined elements should put you well on your way to securing your Linux system. Please mail your comments and criticisms to maxlinux@shadesofinsanity.com.
  28. 28. PART Linux Security Basics I IN THIS PART 1 Introducing Linux Security 9 2 Physical Security 29 3 Installation Issues 59 4 Basic Linux System Administration 95
  29. 29. Introducing Linux Security CHAPTER 1
  30. 30. Linux Security Basics 10 PART I It’s an unbroken rule in the computer publishing industry: Books like this one must begin with a tour of the featured operating system. If you’re sick to death of introductory Linux chapters, please feel free to skip ahead to Chapter 2, “Physical Security.” Here, I’ll address the following questions: • What is Linux? • Where did Linux come from? • Can you use Linux as a standalone system? • Is Linux suitable as an intranet/Internet server? • What security features does Linux offer? What Is Linux? What is Linux? That depends on who you ask. The short answer is this: Linux is a free, Unix-like, open-source, Internet-optimized, 32- or 64-bit network operat- ing system (often used by hackers) that runs on widely disparate hardware, including Intel (X86) and RISC processors. Let’s break this down one step at a time. Linux Is Free Linux’s best-known characteristic is that it’s free. However, free in this context has a dual meaning. In one sense, Linux is free because you can obtain it for no cost. For example, although many folks do, you needn’t buy a Linux book and CD-ROM just to get Linux. Instead, if you have fast online access, you can download Linux from the Internet and install it for nothing. Compare this to other operating systems. Most commercial vendors demand that you pay on a per-installation basis. That means each time you install an operating system, you must pay additional fees. Hence, if you have 10 workstations, you’ll pay 10 license fees. In contrast, you can install Linux on multiple workstations (hundreds, if you like) and never pay a cent. CAUTION A few third-party Linux applications are commercial, and their vendors do impose licensing restrictions. Check your Linux documentation to ensure that you don’t inadvertently copy and distribute commercial tools. Typically, Linux distributions that contain commercial soft- ware are packaged and sold commercially. Although you can download Red Hat 7.x from Red Hat software, for example, you will not get everything that comes with the boxed version.
  31. 31. Introducing Linux Security 11 CHAPTER 1 Linux is also free in other, more important ways. One is that Linux offers you overwhelming 1 technical freedom. When you purchase Linux, you get more than just the operating system— LINUX SECURITY you also get the source code. Thus, if you don’t like how Linux works out-of-the-box, you can INTRODUCING change it. (And not just a little bit, either. You can mold the entire operating system to suit your needs.) Additionally, Linux offers many free programming languages, compilers, and associated devel- opment tools. Here are just a few: • ADA • BASIC • C • C++ • Expect, a scripting language for automating network sessions • FORTRAN • Gawk, an implementation of awk—a pattern scanning and matching language • GTK, a toolkit for building Linux GUI applications. Used extensively in the GNOME environment. • PASCAL • PHP, an embedded programming language, much like Active Server Pages in Windows; used to add dynamic functionality to Web sites • Python, an object-oriented scripting language • Qt, a cross-platform toolkit, similar to GTK, that is used for building GUI KDE applications • Shell languages (csh, bash) • SQL, Structured Query Language—The industry standard relational database query lan- guage; used developing sophisticated database server applications • TCL/Tk, a scripting language and GUI toolkit, respectively • The Practical Extraction and Report Language (Perl) Under the GNU General Public License, you can use these tools to develop and resell Linux applications without paying royalty fees. However, if you make changes to GPL libraries, you must also make these free under the GPL. For more information about the GNU GPL, please see the accompanying CD-ROM, or visit the online reference: http://www.gnu.org/ copyleft/gpl.html. The greatest freedom that Linux offers, though, is still its open source, which provides substan- tial security benefits. When you use commercial operating systems, you place your destiny in
  32. 32. Linux Security Basics 12 PART I the vendors’ hands. If their code is fundamentally flawed, you’ll never know it. (Or if you do, you might discover the truth too late. Your system might already be compromised.) With Linux, you can examine the code yourself to see how system security is implemented. This raises a hotly debated issue. Linux critics insist that to reap the full benefits of Linux’s technical freedom, you must cultivate a higher level of technical expertise than you would need when using consumer-oriented operating systems. Is this true? Absolutely. In fact, you’ll find that some Linux security tools are actually toolkits consisting of many inde- pendent security modules. When properly used in concert, these toolkits grant you wide lati- tude to conceive and implement custom security solutions. In exchange for this power, you give up some of the ease of point-and-click computing. So, establishing a secure Linux host will admittedly take time and effort. But I have good news and a rebuttal to this. Linux soft- ware development is increasing at an exponential rate, and, growing along with it is the soft- ware to administer Linux machines. Figure 1.1 shows one of the more popular administration tools, Solucorp’s Linuxconf (http://www.solucorp.qc.ca/linuxconf/), which allows cen- tralized administration from an easy-to-use interface. This book will show you the best of both worlds—the command line and the maturing GNOME/KDE tools. FIGURE 1.1 Linxconf provides a centralized point for many administration tasks.
  33. 33. Introducing Linux Security 13 CHAPTER 1 NOTE 1 LINUX SECURITY INTRODUCING In all fairness to Linux, it should be mentioned that the best NT/2000 administrators also use the command line. The difference between administering Linux/Unix and Windows is mainly one of perception. The assumption is made that you can point and click your way to every- thing you’d ever want to do in Windows, but experienced administrators will tell you other- wise. Linux’s GUI administration tools are often as good as or even surpass their Windows counterparts, but you’ll still need the command line to fine-tune your settings. Linux Closely Resembles Unix Linux is often called Unix-like, a Unix clone, or an operating system based on Unix. Such descriptions are accurate but not very illuminating if you’ve never used Unix. Let me remedy that. Unix has ancient roots. In 1964, MIT, General Electric, and Bell Labs (then a division of AT&T) collaborated on an operating system called the Multiplexed Information and Computing System, or MULTICS. The MULTICS project, I’m sorry to say, was a disaster. It was large, unwieldy, and buggy. Despite that early failure, good things emerged from the MULTICS project. Ken Thompson, a programmer from Bell Labs, felt that he could do better. In 1969, with assistance from fellow programmers Dennis Ritchie and Joseph Ossanna, Thompson did just that. Some signs of the times: America was at war in Vietnam, the number-one hit single was Marvin Gaye’s “I Heard It Through the Grapevine,” and if you were cool, you were driving a Dodge Charger. It was against this backdrop that Thompson did his work. Thompson’s early Unix was shaky, but that quickly changed. He rewrote Unix in the C pro- gramming language a year later. The result was a quicker, more stable operating system that was both portable and easily maintained. What happened next was critical. In the early 1970s, Unix was distributed to universities. There, students and educators alike found Unix to be practical, versatile, and relatively easy to use. Unix was therefore incorporated into the computer science curriculum at many universi- ties. As a result, a generation of computer science graduates acquired Unix experience. When they later took that experience to the marketplace, they brought Unix to the mainstream. However, the events that would ultimately make Unix an immensely popular network operating system occurred elsewhere. Around the same time, the U.S. government was working on an internetwork for wartime communication. This network was designed to be impervious to a Soviet nuclear first strike. The problem was this: Although the government had a suitable trans- mission medium, the telephone system, it had no operating system to match. Enter Unix.
  34. 34. Linux Security Basics 14 PART I Internetwork engineers chose Unix based on several factors. By then, roughly 1974, Unix already had powerful networking capabilities. For example, thanks to Ray Tomlinson of Bolt, Beranek, and Newman, Unix had electronic mail. Other network protocols would follow, and by 1978, Unix was jam-packed with networking software. The U.S. government got its inter- network after all, which we now call the Internet, and Unix became a phenomenon. So, Unix is the operating system of yore that was used to create the Internet. Linux shares a common lineage and many characteristics with Unix. For example: • Much of Linux is also written in C. • Linux supports preemptive multitasking, or the capability to handle multiple processes simultaneously. Using Linux, you can simultaneously compile a program, download e- mail, and play solitaire. The system divides up the processor time automatically, so each program can continue to run in the background. • Linux supports multiuser sessions. Multiple users can log in to Linux simultaneously (and during these sessions, they can also multitask). • Linux offers a hierarchical file system. Its top-level directory holds subdirectories that branch out to even further subdirectories. Together, these subdirectories form a tree struc- ture. Multiple drives show up within the same tree, rather than as separate entities, as in Windows and Mac OS. • Linux’s graphical user interface (GUI) is MIT’s X Window System, or X. • Linux offers extensive network functionality, supporting most internetworking protocols and services. Finally, many Unix applications have been ported to Linux, or require no porting at all. Thus, Linux has a pronounced Unix-like look and feel. In these respects, Linux is very much like Unix. Indeed, Linux so closely resembles Unix that casual users could confuse the two. They shouldn’t. Beyond these similarities, Linux and Unix part ways when it comes to the philosophy behind their development. For example, Unix evolved into a mostly academic variation (BSD), and a commercial operat- ing system (System V) that, for many years, ran on expensive proprietary hardware. Linux runs on almost anything, including • Advanced Micro Devices and Cyrix processors • Digital Alpha processors • Intel 80386, 80486, and Pentium family of processors • Motorola/IBM PowerPC processors • Sparc processors

×