Linux and Internet Security
  • Speaker note: The reality: ACLs are rarely used in HP-UX
  • Transcript

    • 1. Security Issues in HP-UX and Linux. Kwang H. Paick, [email_address], Prairie View A&M University
    • 2. Common Attacks
      • Physical access
      • Access to the command line
      • Network access
    • 3. Security Setup
      • 1. Physical security
      • 2. File and directory permissions
      • 3. User accounts
      • 4. Log files
      • 5. Correct network configuration
    • 4. I. Physical Security
      • Physical access
      • BIOS and console passwords
      • Anti-theft devices
    • 5. Most Unix systems are not secured because
      • the default installation includes a wide range of vulnerabilities,
      • software patches are not installed, and
      • systems are not well maintained
    • 6. II. File and Directory Permissions
      • HP-UX 10.20 systems contain more than 20,000 files and directories
      • The most common permission problems are write access for group or other on almost any file or directory in the base installation
      • Some files and directories do require group or other write permission:
        • e.g. temporary directories (group and other)
        • spool directories for the lpr system must be group-writable
    • 7. Common Permission Problems
      • The number one problem has been ownership of the /etc directory by bin
      • The /etc directory must be owned by root and writable only by the owner
      • HP-UX systems allow bin to own many other directories as well (only 48 out of 1200 directories were not owned by bin)
    • 8. HP-UX and ACLs
      • HP-UX includes the ability to provide a finer degree of access control through access control lists (ACLs)
      • A user-group pair is written as user.group
      • The symbol % represents no particular user or group
      • (u.g, rwx): specific user, specific group
      • (u.%, rwx): specific user, no specific group
      • (%.g, rwx): no specific user, specific group
      • (%.%, rwx): no specific user, no specific group
    • 9. HP-UX and ACLs
      • Most backup utilities ignore the ACL information for compatibility with POSIX standards
      • Only the fbackup and frecover file archive utilities handle access control lists properly
      • Change ACLs with the chacl command
        • Mode shown before and after adding ACL entries: -rw-r--r-- and -rw-r--r-- + (the trailing + marks a file that carries optional ACL entries)
        • lsacl xx
        • (lon.%,rw-)(don.%,rw-)(%.hep,r--)(%.%,r--) xx
      • ACLs are rarely used.
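To make the matching rule behind the four entry forms concrete, here is an added Python example (not from the presentation) that parses lsacl output such as the line above and reports the mode HP-UX grants a given user and group by applying the most specific matching entry. It assumes a single effective group per user; the function names are the example's own.

```python
import re

# HP-UX optional ACL entry as printed by lsacl: (user.group, mode), where '%'
# stands for "no particular user" or "no particular group".
ACL_ENTRY = re.compile(r"\(([^.(),]+)\.([^.(),]+),([rwx-]{3})\)")


def parse_acl(lsacl_text):
    """Turn '(lon.%,rw-)(%.hep,r--)' into [('lon', '%', 'rw-'), ('%', 'hep', 'r--')]."""
    entries = ACL_ENTRY.findall(lsacl_text)
    if not entries:
        raise ValueError("no ACL entries found in %r" % lsacl_text)
    return entries


def match_rank(entry, user, group):
    """How specifically `entry` matches (user, group), or None if it does not match.
    HP-UX applies the single most specific matching entry, so the ranks order
    u.g (3) above u.% (2) above %.g (1) above the base %.% entry (0)."""
    eu, eg, _mode = entry
    if eu != "%" and eu != user:
        return None
    if eg != "%" and eg != group:
        return None
    return (2 if eu != "%" else 0) + (1 if eg != "%" else 0)


def effective_mode(lsacl_text, user, group):
    """Mode granted to `user` acting with effective group `group`.
    Assumption of this example: one effective group; supplementary groups are
    not considered."""
    best = None
    for entry in parse_acl(lsacl_text):
        rank = match_rank(entry, user, group)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, entry[2])
    return best[1] if best is not None else "---"


def grants_write_to_everyone(lsacl_text):
    """True when the base (%.%) entry grants write: any user not caught by a more
    specific entry can then modify the file, which is the 'other write' problem
    from slide 6 in ACL form."""
    return any(u == "%" and g == "%" and "w" in m for u, g, m in parse_acl(lsacl_text))
```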
    • 10. III. User Accounts
      • User accounts must be maintained correctly
      • The accounts database must be checked for correctness
      • New accounts must be monitored, and old accounts disabled
      • Accounts with unusual user IDs must be checked
      • User home directories must be correctly configured
      • Passwords must be "checked" and protected
    • 11. /etc/passwd
      • Must be readable by all, but writable only by root
      • Any account with a user ID of zero is granted root's privileges
      • The home directory should exist, be owned by the user, and not be writable by group or other
      • Using a temporary directory as a home directory is a security problem
      • The COPS tool can check the existence, ownership and permissions of each home directory
    • 12. Home Directory
      • Shell startup files must specify a safe PATH:
        • System directories before any local directories
        • DOT last, if present in PATH at all (makes Trojan horses less effective)
      • root's PATH:
        • Never have DOT in root's PATH
        • Never include writable directories in the search path
      • umask:
        • user's default umask 033
        • root's umask 077
    • 13. Home Directory
      • Dangerous startup files are permitted
      • A .rhosts file lets a user control who may log into their account remotely via the "r" commands
      • The .netrc files contain unencrypted passwords for remote logins
      • COPS and TIGER check for these problems, as do commercial tools
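An added example, not part of the presentation, that applies the checks from slides 11 and 12 in the COPS style to a constructed /etc/passwd and to PATH strings: extra UID-0 accounts, temporary directories used as home directories, and PATH values that break the rules for dot, relative entries and system-before-local ordering. The function names, the system-directory list and the sample accounts are the example's own.

```python
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")  # what this example treats as "system directories"
TEMP_DIRS = ("/tmp", "/var/tmp")

# Constructed sample /etc/passwd for the demonstration, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
kwang:x:207:20:Kwang Paick:/home/kwang:/bin/ksh
guest:x:500:500:guest:/tmp:/bin/sh
"""

def parse_passwd(text):
    """Parse passwd(4) lines into dicts; a line without exactly 7 fields is an error."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd entry: %r" % line)
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return accounts

def audit_accounts(text):
    """Flag extra UID-0 accounts and temporary directories used as home directories."""
    findings = []
    for acct in parse_passwd(text):
        if acct["uid"] == 0 and acct["name"] != "root":
            findings.append((acct["name"], "uid 0 grants root privileges"))
        if any(acct["home"] == d or acct["home"].startswith(d + "/") for d in TEMP_DIRS):
            findings.append((acct["name"], "home directory is a temporary directory"))
    return findings

def audit_path(path, is_root=False):
    """Check one PATH value: dot (or an empty element, which also means the current
    directory) only last and never for root; no relative entries; system dirs first."""
    findings = []
    entries = path.split(":")
    for i, d in enumerate(entries):
        if d in ("", "."):
            if is_root:
                findings.append("dot in root's PATH")
            elif i != len(entries) - 1:
                findings.append("dot is not last")
        elif not d.startswith("/"):
            findings.append("relative entry: " + d)
    absolute = [d for d in entries if d.startswith("/")]
    system_idx = [i for i, d in enumerate(absolute) if d in SYSTEM_DIRS]
    local_idx = [i for i, d in enumerate(absolute) if d not in SYSTEM_DIRS]
    if system_idx and local_idx and min(local_idx) < max(system_idx):
        findings.append("local directory precedes a system directory")
    return findings
```

Writable directories in root's PATH (the slide's other rule) need a stat() of each entry on the live host, which this offline example deliberately leaves out.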
    • 14. Shadow Password
      • A goal in many attacks is to get a copy of the encrypted passwords in the /etc/passwd file
        • These attacks can be foiled by moving the encrypted passwords into a different file, readable only by root
        • These files have the generic name "shadow password files"
    • 15. Shadow Password
      • Some versions of UNIX come with shadow files; others must be converted
        • Solaris uses /etc/shadow by default
      • Linux uses /etc/shadow after conversion:
        • pwconv: merge old /etc/passwd records into a new shadow database
        • pwck: verify and synchronise /etc/shadow and /etc/passwd
        • pwunconv: back to /etc/passwd
    • 16. Shadow Password
      • Arguments against shadowing:
        • Makes account management more difficult, as the /etc/passwd file can no longer just be edited
        • Account information gets scattered among many files if converted
        • Crashing an FTP server can reveal the shadowed passwords in the core file
    • 17. IV. Log Files
      • Need to know where they are and what they contain
      • Check permissions and ownership
      • See how often they are rotated/truncated
      • Monitor log file contents
      • Archive important logs
    • 18. Log Files
      • The wtmp files log user logins, logouts, date changes, start or stop of system accounting, and reboots
      • /etc/wtmp
      • /var/adm/wtmp (HP-UX 10.20, old Linux)
      • /var/log/wtmp (Linux)
    • 19. Log Files
      • Effect of the su command on /var/adm/wtmp
      • When su is used, it creates a new process with both the process's real UID and effective UID altered
      • su does not change the /var/adm/wtmp file, and the finger command will continue to display the account you logged in as, not the one you su'ed to
    • 20. Log Files: wtmp files
      • Grow until no space is left
      • Pruning the wtmp file:
        • zero the log file
        • rm /var/adm/wtmp.old
        • ln /var/adm/wtmp /var/adm/wtmp.old
        • cp /dev/null /var/adm/wtmp
    • 21. Log Files
      • Hack tools
        • Hacker tools (zap) delete entries matching a user name by replacing the record with nulls
      • There are also zap detectors
        • chkwtmp at COAST
    • 22. Log Files: Last Login
      • lastlog file
      • /var/log/lastlog (Linux)
      • /usr/sbin/acct/lastlog (HP-UX 10.20)
      • lastlogin keeps a record of the date each person last logged in
      • Bug: the date shown is usually 1 more than it should be, because lastlogin is run at 4am and checks the last 24 hours' worth of process accounting info (in pacct)
    • 23. Log Files: Bad Login
      • Bad login attempts
      • The trouble is that these logs often contain passwords
      • Look for /etc/btmp on HP-UX
      • Make certain that these files are readable only by root, if they exist
    • 24. Log Files: su Login
      • UNIX systems will always log the use of the su command
      • Located in /var/log
      • /var/adm/sulog (HP-UX 10.20)
      • /var/adm/messages
    • 25. Log Files: su Login
      • SU 01/31 20:08 + tty?? root-lon
      • SU 02/01 14:56 + tty?? root-dan
      • SU 02/01 16:06 + ttyp2 dan-kwang
      • SU 02/01 16:06 - ttyp2 babar-root
      • SU 02/01 16:06 + ttyp2 babar-root
      • SU 02/01 16:28 + tty?? root-babar
      • These logs are useful to both attackers and defenders:
        • Attackers can learn who knows the root password
        • Defenders can learn the same thing
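The slide's sulog entries, parsed by an added Python example (not from the presentation) that extracts what a defender wants from this file: who successfully became root, which attempts failed, and failures followed by a success on the same tty. The function names are the example's own; the sample is the six lines above, embedded so the code runs offline.

```python
import re
from collections import Counter

# sulog line as on the slide: SU <mm/dd> <hh:mm> <+|-> <tty> <from>-<to>
SULOG_LINE = re.compile(r"^SU (\d\d/\d\d) (\d\d:\d\d) ([+-]) (\S+) ([^\s-]+)-(\S+)$")

# The slide's sample entries, embedded here so the example runs offline.
SAMPLE_SULOG = """\
SU 01/31 20:08 + tty?? root-lon
SU 02/01 14:56 + tty?? root-dan
SU 02/01 16:06 + ttyp2 dan-kwang
SU 02/01 16:06 - ttyp2 babar-root
SU 02/01 16:06 + ttyp2 babar-root
SU 02/01 16:28 + tty?? root-babar
"""

def parse_sulog(text):
    """Return (records, unparsed). Lines that do not fit the format are returned
    rather than dropped: a zapped or truncated entry is itself worth noticing."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SULOG_LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        date, time, flag, tty, src, dst = m.groups()
        records.append({"when": date + " " + time, "ok": flag == "+",
                        "tty": tty, "from": src, "to": dst})
    return records, unparsed

def root_password_holders(records):
    """Accounts that successfully became root via su, i.e. accounts that know the
    root password. root's own switches to other accounts need no password and are
    excluded."""
    return Counter(r["from"] for r in records
                   if r["ok"] and r["to"] == "root" and r["from"] != "root")

def failed_su(records, target="root"):
    """Every failed attempt to reach `target`, as (when, tty, from)."""
    return [(r["when"], r["tty"], r["from"])
            for r in records if not r["ok"] and r["to"] == target]

def failure_followed_by_success(records):
    """For each success preceded by failures with the same from/to/tty, report
    (when, from, to, failures_before). One mistyped password is routine; a long
    run of failures before a success deserves a question."""
    streak, results = Counter(), []
    for r in records:
        key = (r["from"], r["to"], r["tty"])
        if not r["ok"]:
            streak[key] += 1
        elif streak[key]:
            results.append((r["when"], r["from"], r["to"], streak.pop(key)))
    return results
```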
    • 26. sudo
      • Allows selected users to execute specified commands as root
        • e.g. eject, mount, reboot, adding a new account
      • Prevents possible errors
        • Provides a means of accountability
      • /etc/sudoers
    • 27. Log Files: Syslog
      • The system log daemon, syslogd, appears in most UNIX systems
      • Newer versions of syslog ignore messages sent from the network by default
        • Use the -l flag to enable this behaviour on BSD
        • The -r flag is used with Linux
      • Example syslog.conf entries:
        • mail.debug /var/adm/syslog/mail.log
        • *.info;mail.none /var/adm/syslog/syslog.log
    • 28. Log Files: Syslog
      • Feb 1 17:50:38 hp73 /sbin/init.d/sendmail[1119]: #### rebooted ####
      • Feb 2 09:24:03 hp73 sendmail[2272]: JAA02272: from=wu, size=9112, class=0, pri=39112, nrcpts=1, msgid=<199902231524.JAA02272@hp73.pvamu.edu>, relay=wu@localhost
      • Feb 2 14:16:25 hp73 sendmail[22105]: OAA22104: to=<joyum@Bayou.UH.EDU>, ctladdr=<kwang@hp73.pvamu.edu> (207/20), delay=00:00:34, xdelay=00:00:33, mailer=smtp, relay=bayou.uh.edu. [129.7.1.7], stat=Sent (OAA06943 Message accepted for delivery)
      • Feb 2 14:43:13 hp73 popper[22159]: (v2.1.4-R3) Servicing request from "129.207.217.28" at 129.207.217.28
      • Feb 2 14:43:41 hp73 popper[22159]: Stats: kwang 0 0 78 1096568
    • 29. V. Network Configuration
      • Any server is a potential hole.
      • 'r' commands
      • Public services:
        • poorly configured anonymous FTP servers
        • mail servers
        • older versions of Linux
        • web servers
    • 30. Network Configuration
      • Protecting data in transit
      • Replace telnet, rlogin, rsh and rcp with ssh, slogin, ssh, scp
      • Secure Shell (ssh): use the latest version
        • http://www.slac.stanford.edu/comp/unix/ssh.htm
    • 31. Network Configuration
      • Anonymous FTP
      • Directory permissions:
      • ftp: 555, root ownership (users can read and execute)
      • /ftp/bin: 555, root ownership
      • /ftp/bin/ls: 111, root ownership (users can execute only)
      • /ftp/etc: 555, root ownership
      • /ftp/etc/passwd: 444, root ownership (users have read-only access)
    • 32. Network Configuration: FTP
      • FTP bounce attack
      • Erroneous file permissions
      • The SITE EXEC bug
      • Create restricted FTP access:
      • /etc/ftpusers: restricted-users file; an account whose name appears here is denied FTP access
      • e.g. bin, daemon, root, uucp, ...
      • /etc/ftpaccess: core configuration file
    • 33. Network Configuration
      • ftphosts: used to allow or deny access to certain accounts from various hosts (wildcards supported)
      • allow [username] [host or host pattern]
      • deny [username] [host or host pattern]
      • allow doe *.xyz.com
      • deny doe *.abc.com
      • An alternative is to use SSLftp (Secure Sockets Layer FTP); the current version is 0.8
    • 34. Network Configuration: SMTP
      • Trusts everyone
      • Protect the server from penetration
      • Protect the SMTP service from misuse, such as outsiders exploiting your mail server to send spam or fake mail
      • Current version 8.9.3
        • Earlier versions: update ASAP
    • 35. Network Configuration: SMTP
      • To check the sendmail version: telnet to port 25 and view the banner
      • telnet abc.xyz.edu 25
      • .
      • .
      • 220 abc.xyz.edu ESMTP 8.9.3/8.9.3; (the version number)
    • 36. Network Configuration: SMTP
      • Several places recommend replacing sendmail with qmail
      • ftp://moni.msci.memphis.edu/pub/qmail
      • The developer offered a $1,000 reward to anyone who could break qmail.
        • Sendmail offers high-powered SMTP service and excellent compatibility with existing UNIX utilities.
        • qmail strives to be small, fast and secure
    • 37. TOOLS
      • Security tools that detect system vulnerabilities:
      • COPS: the Computer Oracle and Password System
      • Port-based scanners:
      • SATAN (Security Administrator's Tool for Analyzing Networks)
      • ISS (Internet Security Scanner)
        • faster than SATAN; less information
      • SAINT (Security Administrator's Integrated Network Tool)
        • updated version of SATAN
    • 38. References
      • Defending against scanner attacks
      • Courtney: SATAN and SAINT detector
      • Sites with defensive software
      • COAST:
        • ftp://coast.cs.purdue.edu/pub/tools
        • http://www.cs.purdue.edu/coast/archive/Archive_indexing.html
      • NIST: http://cs-www-ncsl.nist.gov/tools/tols.htm
    • 39. References
      • NIH: http://www.alw.nih.gov/Security/prog-full.htm
      • CIAC
        • ftp://ciac.llnl.gov/pub/ciac/sectools/unix
        • http://ciac.llnl.gov/ciac
      • CERT
        • http://www.cert.org
      • FIRST: http://www.first.org
      • Trinux tools: http://www.trinux.org
    • 40. References
      • HP-UX support:
        • http://us-support.external.hp.com
        • security-alert@hp.com for bulletins
      • Linux Security News
        • http://security.linuxtoday.com
      • Red Hat support
        • http://www.redhat.com/support/errata
      • UNIX support
        • http://www.usenix.org
    • 41. References
      • Books
        • S. Garfinkel, G. Spafford, Practical UNIX Security, O'Reilly & Associates, Sebastopol, CA, 1996, 2nd ed.
        • Anonymous, Maximum Linux Security, SAMS, Indianapolis, IN, 1999
    • 42. Monitor SUID and SGID Files
      • SUID and SGID files
      • Two special file permissions:
      • SGID (set group ID, octal 2000, or S)
      • SUID (set user ID, octal 4000, or s)
      • find / -perm +4000
      • The owner's permissions are enforced even when other users execute the file.
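An added Python example, not from the presentation, of the monitoring this slide calls for: it lists set-id regular files (the equivalent of the find command above) and diffs a later scan against a saved baseline so that a newly appeared SUID file or a changed mode stands out. The sample modes are constructed; for a real scan run find_setid(walk_modes('/')) as root and keep the result as the baseline. On current GNU find the slide's test is written -perm /4000 (SUID) or -perm /6000 (either bit).

```python
import os
import stat

def is_setid(mode):
    """True for a regular file with the SUID (04000) or SGID (02000) bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def describe(mode):
    """Octal permission bits plus which special bit applies, e.g. '4755 suid'."""
    tags = [t for bit, t in ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid")) if mode & bit]
    return "%04o %s" % (stat.S_IMODE(mode), "+".join(tags) or "none")

def find_setid(entries):
    """entries: iterable of (path, st_mode). Returns {path: description} for set-id
    files. Kept separate from the filesystem walk so it can be fed constructed data."""
    return {path: describe(mode) for path, mode in entries if is_setid(mode)}

def walk_modes(root):
    """Yield (path, st_mode) for everything under root, using lstat so that a
    symlink pointing at a set-id file is not itself reported as one."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:  # vanished or unreadable entry; skip rather than abort the scan
                continue

def diff_baseline(baseline, current):
    """Compare two find_setid() results: (added, removed, changed) where changed maps
    a path to (old description, new description)."""
    added = {p: m for p, m in current.items() if p not in baseline}
    removed = {p: m for p, m in baseline.items() if p not in current}
    changed = {p: (baseline[p], m) for p, m in current.items()
               if p in baseline and baseline[p] != m}
    return added, removed, changed

# Constructed sample modes (S_IFREG = 0o100000 plus permission bits) standing in
# for a saved baseline and a later scan of the same host.
BASELINE = [("/usr/bin/passwd", 0o104755), ("/usr/bin/su", 0o104755),
            ("/etc/passwd", 0o100644), ("/usr/bin/wall", 0o102755)]
LATER = [("/usr/bin/passwd", 0o104755), ("/usr/bin/su", 0o100755),
         ("/etc/passwd", 0o100644), ("/usr/bin/wall", 0o102755),
         ("/home/guest/sh", 0o104755)]

if __name__ == "__main__":
    added, removed, changed = diff_baseline(find_setid(BASELINE), find_setid(LATER))
    for p, m in added.items():
        print("NEW set-id file:", p, m)
    for p, (old, new) in changed.items():
        print("mode changed:", p, old, "->", new)
```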
