Linux and Internet Security
  • The reality: ACLs are rarely used in HP-UX

    1. Security Issues in HP-UX and Linux
       Kwang H. Paick, [email_address], Prairie View A&M University
    2. Common Attacks
       • Physical access
       • Access to the command line
       • Network access
    3. Security Setup
       1. Physical security
       2. File and directory permissions
       3. User accounts
       4. Log files
       5. Correct network configuration
    4. I. Physical Security
       • Physical access
       • BIOS and console passwords
       • Anti-theft devices
    5. Most Unix systems are not secured because
       • the default installation includes a wide range of vulnerabilities,
       • software patches are not installed, and
       • systems are not well maintained
    6. II. File and Directory Permissions
       • HP-UX 10.20 systems contain more than 20,000 files and directories
       • The most common permission problem is write access for group or other on almost any file or directory in the base installation
       • Some files and directories require group or other write permission:
         • temporary directories (group and other)
         • spool directories for the lpr system must be group writable
    7. Common Permission Problems
       • The number one problem has been ownership of the /etc directory by bin
       • The /etc directory must be owned by root and writable only by the owner
       • HP-UX systems allow bin to own many other directories as well (only 48 out of 1200 directories were not owned by bin)
    8. HP-UX and ACLs
       • HP-UX includes the ability to provide a finer degree of access control through access control lists
       • A user-group pair is written as user.group
       • The symbol % represents no particular user or group:
         • (u.g, rwx)  specific user, specific group
         • (u.%, rwx)  specific user, no specific group
         • (%.g, rwx)  no specific user, specific group
         • (%.%, rwx)  no specific user, no specific group
    9. HP-UX and ACLs
       • Most backup utilities ignore the ACL information for compatibility with POSIX standards
       • Only the fbackup and frecover file archive utilities handle access control lists properly
       • Change ACLs with the chacl command; ls -l shows -rw-r--r-- before and -rw-r--r--+ afterwards (the trailing + marks a file with optional ACL entries)
         • lsacl xx
         • (lon.%,rw-)(don.%,rw-)(%.hep,r--)(%.%,r--) xx
       • ACLs are rarely used.
    10. III. User Accounts
        • User accounts must be maintained correctly
        • The accounts database must be checked for correctness
        • New accounts must be monitored, and old accounts disabled
        • Accounts with unusual user-ids must be checked
        • User home directories must be correctly configured
        • Passwords must be "checked" and protected
    11. /etc/passwd
        • Must be readable by all, but writable only by root
        • Any account with a user id of zero is granted root's privileges
        • The home directory should exist, be owned by the user, and not be writable by group or other
        • Using a temporary directory as the home directory is a security problem
        • The COPS tool can check the existence, ownership and permissions of each home directory
    12. Home Directory
        • Shell startup files must specify a safe PATH:
          • system directories before any local directories
          • DOT last, if present in PATH at all (makes Trojan horses less effective)
        • root's PATH
          • never have DOT in root's PATH
          • never include writable directories in the search path
        • umask
          • user's default umask 033
          • root's umask 077
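The PATH rules on this slide can be checked mechanically. The following is an added example, not code from the slides: it audits a PATH string for DOT placement, local-before-system ordering, relative entries and group/other-writable directories, and compares a umask with the slide's defaults. The list of "system" directories and the helper names are assumptions made for this example; the writable check is injectable so the rules can be exercised without touching the real filesystem.

```python
import os
import stat

# Assumption for this example: these are the "system directories" that must come first.
SYSTEM_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")


def is_world_or_group_writable(directory):
    """True if the directory exists and group or other may write to it (Trojan horse risk)."""
    try:
        mode = os.stat(directory).st_mode
    except OSError:
        return False  # a missing directory cannot be planted in, so it is not reported here
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_path(path_value, for_root=False, writable=is_world_or_group_writable):
    """Return a list of findings; an empty list means the PATH follows the slide's rules."""
    findings = []
    entries = path_value.split(":")
    # An empty entry ("" from a leading/trailing/double colon) is searched as DOT by the shell.
    dot_positions = [i for i, e in enumerate(entries) if e in ("", ".")]
    if dot_positions:
        if for_root:
            findings.append("root's PATH contains DOT (or an empty entry, which means DOT)")
        elif dot_positions[-1] != len(entries) - 1 or len(dot_positions) > 1:
            findings.append("DOT must be the last entry, and appear only once")
    non_dot = [(i, e) for i, e in enumerate(entries) if e not in ("", ".")]
    first_local = next((i for i, e in non_dot if e not in SYSTEM_DIRS), None)
    last_system = max((i for i, e in non_dot if e in SYSTEM_DIRS), default=-1)
    if first_local is not None and first_local < last_system:
        findings.append("a local directory precedes a system directory")
    for e in entries:
        if e and e != "." and not e.startswith("/"):
            findings.append(f"relative entry {e!r} is searched from the current directory")
        elif e.startswith("/") and writable(e):
            findings.append(f"{e} is writable by group or other (Trojan horse risk)")
    return findings


def umask_matches(mask, for_root=False):
    """Compare a umask with the slide's defaults: 033 for users, 077 for root."""
    return mask == (0o077 if for_root else 0o033)


if __name__ == "__main__":
    # Audit the PATH of the current shell, treating euid 0 as root.
    for finding in audit_path(os.environ.get("PATH", ""), for_root=(os.geteuid() == 0)):
        print(finding)
```

Running the script directly audits the caller's own PATH; the functions can also be imported and pointed at the PATH lines extracted from a user's shell startup files.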
    13. Home Directory
        • Dangerous startup files permitted
        • A .rhosts file permits a user to control who may log into their account remotely via the "r" commands
        • The .netrc files contain unencrypted passwords for remote logins
        • COPS and TIGER check for these problems, as do commercial tools
    14. Shadow Password
        • A goal in many attacks is to get a copy of the encrypted passwords in the /etc/passwd file
          • These attacks can be foiled by moving the encrypted passwords into a different file, readable only by root
          • These files have the generic name shadow password files
    15. Shadow Password
        • Some versions of UNIX come with shadow files; others must be converted
          • Solaris uses /etc/shadow by default
        • Linux uses /etc/shadow after conversion
          • pwconv: merge old /etc/passwd records into a new shadow database
          • pwck: verification and synching between /etc/shadow and /etc/passwd
          • pwunconv: back to /etc/passwd
    16. Shadow Password
        • Arguments against shadowing
          • Makes account management more difficult, as the /etc/passwd file can no longer just be edited
          • Account information gets scattered among many files if converted
          • Crashing an FTP server can reveal the shadowed passwords in the core file
    17. IV. Log Files
        • Need to know where they are and what they contain
        • Check permissions and ownership
        • See how often they are rotated/truncated
        • Monitor logfile contents
        • Archive important logs
    18. Log Files
        • The wtmp files log user login, logout, date changes, start or stop of system accounting, and reboots
        • /etc/wtmp
        • /var/adm/wtmp (HP-UX 10.20, old Linux)
        • /var/log/wtmp (Linux)
    19. Log Files
        • Effect of the su command on /var/adm/wtmp
        • When su is used, it creates a new process with both the process's real UID and effective UID altered
        • su does not change the /var/adm/wtmp file, and the finger command will continue to display the account you logged in as, not the one you su'ed to
    20. Log Files: wtmp files
        • Grow until no space is left
        • Pruning the wtmp file: keep a copy, then zero the log file
          • rm /var/adm/wtmp.old
          • cp -p /var/adm/wtmp /var/adm/wtmp.old
          • cp /dev/null /var/adm/wtmp
        • (The copy replaces the slide's ln: a hard link would make wtmp.old and wtmp the same inode, so truncating wtmp would empty the saved copy too. Truncating in place keeps the original file's owner and mode.)
    21. Log Files
        • Hack tools
          • Hacker tools (zap) delete entries matching a user name by replacing the record with nulls
        • There are also zap detectors
          • chkwtmp at COAST
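A zap detector of the kind mentioned on this slide only needs to walk the fixed-size records of wtmp and look for ones that have been overwritten with nulls. The following is an added example, not chkwtmp or any code from the slides: it uses the glibc utmp record layout for x86-64 Linux (384 bytes, an assumption for this example; HP-UX 10.20 uses a different, smaller record) and flags fully nulled records and USER_PROCESS records whose user name has been wiped. The sample wtmp data is constructed inline.

```python
import struct

# glibc utmp record layout on x86-64 Linux (384 bytes), little-endian, no alignment padding.
# Assumption for this example; other platforms use a different record size.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record; only used here to construct the sample log."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def find_zapped(data):
    """Return [(record_index, reason)] for records that look like a zap tool nulled them."""
    findings = []
    count = len(data) // UTMP_SIZE
    for i in range(count):
        rec = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        if rec == b"\0" * UTMP_SIZE:
            # zap-style tools overwrite the whole record with nulls
            findings.append((i, "all-null record"))
            continue
        ut_type, _pid, _line, _id, user, *_ = struct.unpack(UTMP_FMT, rec)
        # A login record must carry a user name; a logout (DEAD_PROCESS) legitimately may not.
        if ut_type == USER_PROCESS and user.rstrip(b"\0") == b"":
            findings.append((i, "USER_PROCESS with blank user"))
    if len(data) % UTMP_SIZE:
        # A partial record at the end means the file was truncated or edited by hand.
        findings.append((count, "truncated trailing record"))
    return findings


# Constructed sample wtmp: a genuine login, a nulled record, a login whose user
# name was wiped, and a normal logout record.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1_000_000),
    b"\0" * UTMP_SIZE,
    pack_record(USER_PROCESS, 1340, "pts/1", "", "10.0.0.9", 1_000_600),
    pack_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1_000_900),
])


if __name__ == "__main__":
    for index, reason in find_zapped(SAMPLE_WTMP):
        print(f"record {index}: {reason}")
```

To check a live file, read /var/log/wtmp (or /var/adm/wtmp) in binary mode and pass the bytes to find_zapped; a nulled record sitting between two records with increasing timestamps is the tell-tale a defender looks for.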
    22. Log Files: Last Login
        • lastlog file
        • /var/log/lastlog (Linux)
        • /usr/sbin/acct/lastlog (HP-UX 10.20)
        • lastlogin: keeps a record of the date each person last logged in
        • Bug: the date shown is usually 1 more than it should be, because lastlogin is run at 4am and checks the last 24 hours' worth of process accounting info (in pacct)
    23. Log Files: Bad Login
        • Bad login attempts
        • The trouble is that these logs often contain passwords
        • Look for /etc/btmp on HP-UX
        • Make certain that these files are readable only by root, if they exist
    24. Log Files: su Login
        • UNIX systems will always log the use of the su command
        • Located in /var/log
        • /var/adm/sulog (HP-UX 10.20)
        • /var/adm/messages
    25. Log Files: su Login
        • SU 01/31 20:08 + tty?? root-lon
        • SU 02/01 14:56 + tty?? root-dan
        • SU 02/01 16:06 + ttyp2 dan-kwang
        • SU 02/01 16:06 - ttyp2 babar-root
        • SU 02/01 16:06 + ttyp2 babar-root
        • SU 02/01 16:28 + tty?? root-babar
        • These logs are useful to both attackers and defenders:
          • Attackers can learn who knows the root password
          • Defenders can learn the same thing
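The sulog lines above are easy to parse, and a defender reading them wants two things: who has successfully become root, and who has failed trying. The following is an added example, not code from the slides; the line format (SU date time +/- tty from-to) is taken from the slide, the sample log is the slide's own six entries, and the helper names are this example's.

```python
import re
from collections import Counter

# SU <date> <time> <+|-> <tty> <from_user>-<to_user>, as shown on the slide
SULOG_RE = re.compile(r"^SU\s+(\S+)\s+(\S+)\s+([+-])\s+(\S+)\s+(\S+)-(\S+)$")

# The slide's own sulog excerpt, used here as sample input.
SAMPLE_SULOG = """\
SU 01/31 20:08 + tty?? root-lon
SU 02/01 14:56 + tty?? root-dan
SU 02/01 16:06 + ttyp2 dan-kwang
SU 02/01 16:06 - ttyp2 babar-root
SU 02/01 16:06 + ttyp2 babar-root
SU 02/01 16:28 + tty?? root-babar
"""


def parse_sulog(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than guessed at."""
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if m:
            date, time, result, tty, src, dst = m.groups()
            yield {"date": date, "time": time, "ok": result == "+",
                   "tty": tty, "from": src, "to": dst}


def su_to_root(text):
    """[(from_user, succeeded)] for every attempt to become root, in log order."""
    return [(e["from"], e["ok"]) for e in parse_sulog(text) if e["to"] == "root"]


def failed_root_attempts(text):
    """Count failed su-to-root attempts per user; repeated failures suggest password guessing."""
    return Counter(user for user, ok in su_to_root(text) if not ok)


def root_knowers(text):
    """Users who have successfully become root, i.e. who evidently know the root password."""
    return sorted({user for user, ok in su_to_root(text) if ok})


if __name__ == "__main__":
    print("know the root password:", root_knowers(SAMPLE_SULOG))
    print("failed root attempts:", dict(failed_root_attempts(SAMPLE_SULOG)))
```

A failed attempt immediately followed by a success from the same tty (as babar shows above) is normally a typo; the pattern to alert on is several failures from a user who never succeeds.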
    26. sudo
        • Allows select users to execute specified commands as root
          • e.g. eject, mount, reboot, adding a new account
        • Prevents possible errors
          • a means for accountability
        • /etc/sudoers
    27. Log Files: Syslog
        • The system log daemon, syslogd, appears in most UNIX systems
        • Newer versions of syslog will ignore messages sent from the network by default
          • Use the -l flag on BSD
          • The -r flag is used with Linux
        • Example syslog.conf entries:
          • mail.debug          /var/adm/syslog/mail.log
          • *.info;mail.none    /var/adm/syslog/syslog.log
    28. Log Files: Syslog
        • Feb 1 17:50:38 hp73 /sbin/init.d/sendmail[1119]: #### rebooted ####
        • Feb 2 09:24:03 hp73 sendmail[2272]: JAA02272: from=wu, size=9112, class=0, pri=39112, nrcpts=1, msgid=<>, relay=wu@localhost
        • Feb 2 14:16:25 hp73 sendmail[22105]: OAA22104: to=<joyum@Bayou.UH.EDU>, ctladdr=<> (207/20), delay=00:00:34, xdelay=00:00:33, mailer=smtp, [], stat=Sent (OAA06943 Message accepted for delivery)
        • Feb 2 14:43:13 hp73 popper[22159]: (v2.1.4-R3) Servicing request from "; at
        • Feb 2 14:43:41 hp73 popper[22159]: Stats: kwang 0 0 78 1096568
    29. V. Network Configuration
        • Any server is a potential hole
        • 'r' commands
        • Public services:
          • poorly configured anonymous FTP servers
          • mail servers
          • older versions of Linux
          • web servers
    30. Network Configuration
        • Protecting data in transit
        • Replace telnet, rlogin, rsh and rcp with ssh, slogin, ssh and scp
        • Secure Shell (ssh): use the latest version
    31. Network Configuration
        • Anonymous FTP
        • Directory permissions:
          • ftp               555, root ownership: users may read and execute
          • /ftp/bin          555, root ownership
          • /ftp/bin/ls       111, root ownership: users may execute only
          • /ftp/etc          555, root ownership
          • /ftp/etc/passwd   444, root ownership: users have read-only access
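The table above is a specification that can be checked against a real anonymous FTP tree. The following is an added example, not code from the slides: it audits each listed entry for existence, ownership and exact mode, and additionally flags anything writable by group or other (the "erroneous file permissions" problem). Paths are taken relative to the FTP root; the sample tree is constructed in a temporary directory and, because the example cannot create root-owned files, the expected owner is a parameter.

```python
import os
import stat
import tempfile

# Modes from the slide, keyed by path relative to the anonymous FTP root.
EXPECTED = {
    ".": 0o555,
    "bin": 0o555,
    "bin/ls": 0o111,
    "etc": 0o555,
    "etc/passwd": 0o444,
}


def audit_ftp_tree(ftp_root, expected=EXPECTED, owner_uid=0):
    """Return findings for entries that are missing, wrongly owned, or have the wrong mode."""
    findings = []
    for rel, want in expected.items():
        path = os.path.join(ftp_root, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{rel}: missing")
            continue
        if st.st_uid != owner_uid:
            findings.append(f"{rel}: owned by uid {st.st_uid}, expected {owner_uid}")
        mode = stat.S_IMODE(st.st_mode)
        if mode != want:
            findings.append(f"{rel}: mode {mode:04o}, expected {want:04o}")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{rel}: writable by group or other")
    return findings


def build_sample_tree(root, bad=False):
    """Create a constructed FTP tree under root; with bad=True, etc/passwd is left world-writable."""
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "bin", "ls"), "w") as f:
        f.write("#!/bin/sh\nexit 0\n")  # stand-in for the ls binary
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("ftp:*:14:50:anonymous:/:/bin/false\n")  # constructed minimal passwd
    os.chmod(os.path.join(root, "bin", "ls"), 0o111)
    os.chmod(os.path.join(root, "etc", "passwd"), 0o666 if bad else 0o444)
    os.chmod(os.path.join(root, "bin"), 0o555)
    os.chmod(os.path.join(root, "etc"), 0o555)
    os.chmod(root, 0o555)


def demo(bad=False):
    """Build a sample tree in a temp dir, audit it against the current user, and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "ftp")
        os.makedirs(root)
        build_sample_tree(root, bad=bad)
        try:
            return audit_ftp_tree(root, owner_uid=os.getuid())
        finally:
            # restore write permission so the temporary directory can be removed
            for d in (root, os.path.join(root, "bin"), os.path.join(root, "etc")):
                os.chmod(d, 0o755)


if __name__ == "__main__":
    print("correct tree:", demo())
    print("broken tree: ", demo(bad=True))
```

Against a production server, call audit_ftp_tree("/ftp") with the default owner_uid=0 so that any entry not owned by root is reported.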
    32. Network Configuration: FTP
        • FTP bounce attack
        • Erroneous file permissions
        • The SITE EXEC bug
        • Create restricted FTP access
        • /etc/ftpusers: restricted-user access file; an account whose name appears in it is denied FTP access
          • e.g. bin, daemon, root, uucp, ...
        • /etc/ftpaccess: core configuration file
    33. Network Configuration
        • ftphosts: used to allow or deny access to certain accounts from various hosts (wildcards supported)
          • allow [username] [host or host pattern]
          • deny [username] [host or host pattern]
          • allow doe *
          • deny doe *
        • An alternative is to use SSLftp (Secure Sockets Layer); the current version is 0.8
    34. Network Configuration: SMTP
        • Trust everyone
        • Protect the server from penetration
        • Protect the SMTP service from misuse, such as outsiders exploiting your mail server to send spam or fake mail
        • Current version 8.9.3
          • earlier versions: update ASAP
    35. Network Configuration: SMTP
        • To check the sendmail version, telnet to port 25 and view the greeting banner:
          • telnet 25
          • .
          • .
          • 220 ESMTP 8.9.3/8.9.3;   (the version number appears in the 220 banner)
    36. Network Configuration: SMTP
        • Several places recommend replacing sendmail with qmail
        • ftp://moni.msci.memphis.edu/pub/qmail
        • The developer offered a $1,000 reward to anyone who could break qmail
          • Sendmail offers high-powered SMTP service and excellent compatibility with existing UNIX utilities
          • qmail strives to be small, fast and secure
    37. TOOLS
        • Security tools that detect system vulnerabilities
        • COPS: the Computer Oracle and Password System
        • Port-based scanners:
          • SATAN (Security Administrator's Tool for Analyzing Networks)
          • ISS (Internet Security Scanner): faster than SATAN; less information
          • SAINT (Security Administrator's Integrated Network Tool): updated version of SATAN
    38. References
        • Defending against scanner attacks
        • Courtney: SATAN and SAINT detector
        • Sites with defensive software
          • COAST (ftp URL elided on the slide)
          • NIST
    39. References
        • NIH http://
        • CIAC
        • CIRT
        • FIRST
        • Trinux tools http://www/
    40. References
        • HP-UX support (site for bulletins)
        • Linux Security News
        • Redhat support
        • UNIX support: http://www.usenix.org
    41. References
        • Books
          • S. Garfinkel, G. Spafford, Practical UNIX Security, 2nd ed., O'Reilly & Associates, Sebastopol, CA, 1996
          • Anonymous, Maximum Linux Security, SAMS, Indianapolis, IN, 1999
    42. Monitor SUID and SGID Files
        • Two special file permissions:
          • SGID (set group ID, octal 2000, shown as s in the group execute position)
          • SUID (set user ID, octal 4000, shown as s in the owner execute position)
        • find / -perm +4000
        • The owner's permissions are enforced even when other users execute the file
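The find command on the slide lists set-id files once; monitoring means keeping a baseline and reporting what changed. The following is an added example, not code from the slides: it enumerates regular files with the SUID or SGID bit under a root (the programmatic equivalent of the slide's find), then diffs two snapshots so that a newly appeared set-id file, a removed one, or a mode change is reported. The sample tree and file names are constructed in a temporary directory; the mode-changed file is not in the baseline as set-id afterwards, so it shows up as removed.

```python
import os
import stat
import tempfile


def find_setid(root):
    """Return {relative_path: mode} for regular files with the SUID or SGID bit set under root."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks pointing out of the tree
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(path, root)] = stat.S_IMODE(st.st_mode)
    return found


def diff_setid(baseline, current):
    """Report set-id files that appeared, disappeared, or changed mode since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(path, mode):
    """Create a small script file with the given mode (constructed sample data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(path, mode)


def demo():
    """Snapshot a constructed tree, then add an unexpected SUID file and strip one SGID bit."""
    with tempfile.TemporaryDirectory() as tmp:
        _write(os.path.join(tmp, "bin", "passwd"), 0o4755)      # expected SUID program
        _write(os.path.join(tmp, "bin", "ls"), 0o755)           # ordinary program
        _write(os.path.join(tmp, "usr", "bin", "wall"), 0o2755)  # expected SGID program
        baseline = find_setid(tmp)
        _write(os.path.join(tmp, "tmp", "unexpected"), 0o4755)  # new set-id file to be caught
        os.chmod(os.path.join(tmp, "usr", "bin", "wall"), 0o755)
        return baseline, diff_setid(baseline, find_setid(tmp))


if __name__ == "__main__":
    base, delta = demo()
    print("baseline:", {p: f"{m:04o}" for p, m in base.items()})
    print("changes: ", delta)
```

In practice, store find_setid("/") as the baseline right after installation and patching, and run the diff from cron; an entry under "added" that was not introduced by a known package update warrants investigation.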