Host Security: Basic Notions
Applied Security

Host security measures
• Host-centric: tailored to the host architecture.
• Comprehensive: takes into account not only the type of operating system but also its configuration; protects installed applications.
• Complex, costly, protects a single host.

Secure host configuration
Unix-like systems
Common Unix Configuration Weaknesses
• Password management issues: weak passwords, default passwords, re-used passwords
• Exploitable services: FTP/TFTP, Sendmail, other services
• Improper file and directory permissions
• Improper use of setuid
• Improper network file configuration
• Unpatched known vulnerabilities
Basic UNIX access control
In Unix, there are three levels of access control:
• Individual (user): each user has a unique id (uid) in the system.
• Group: all users by default belong to the “user” group (some distributions), or to a singleton group containing only that individual user. Users can belong to more than one group (most modern versions). Usually a group is defined per access control category, e.g.:
  - root/wheel (general administration)
  - www/web (web server administration)
  - mail (mail server administration)
  - ad hoc groups can be used to facilitate collaboration such as directory and file sharing
• World (or all): the universe of all users.
File permissions
• File ownership: each file and directory in UNIX (including programs) is “owned” by a specific user, a specific group, and the world.
• To each level of ownership there is an associated set of permission values: read, write and execute. Each value can be true (permission granted) or false. Only the owner of a file (or the special user root) can change the file permission settings.
Example:

drwxr-xr-x  11 brenodem  brenodem  374 30 Aug 13:39 .

This indicates that the file ‘.’ (the current directory) is owned by user brenodem, who belongs to the singleton group brenodem. The directory was last modified on Aug. 30th at 13:39. The user brenodem is granted read, write, and execute privileges on the file. The group and world are granted read and execute (but not write) privileges on the file.
Meaning of file permissions
• The meaning of permissions for files is clear, but can be complex for directories.
• For instance, if a world-accessible file is located deep within a directory structure, all the parent directories of the file must grant execute permission to the whole world.
• This is because, in order to traverse a directory structure, UNIX executes cd on each directory (starting from the lowest common directory, for instance ‘/home’). On the other hand, it is NOT necessary that the same directories be world-readable.
• If a directory is not readable by a principal, its contents cannot be listed. However, it may well contain files that are readable by that principal, and these can be opened if their names are known.
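The traversal rule above, as an added example that is not code from the original slides: entries are described with the same ls-style mode strings, and the decision follows the owner/group/world class selection and the “execute on every parent, read only on the file” rule. The tree, the users and their group memberships are constructed; root’s permission override is deliberately not modelled.

```python
"""Permission decisions through a directory tree (added example, not from the original
slides). Entries use ls-style mode strings such as 'drwxr-xr-x'; the tree, users and
groups are constructed, and root's permission override is deliberately not modelled."""
import posixpath
from dataclasses import dataclass, field

R, W, X = 4, 2, 1


def parse_mode(ls_mode):
    """'drwxr-xr-x' -> (is_dir, owner_bits, group_bits, world_bits). An 's' or 't' in an
    execute slot (setuid/setgid/sticky) still means execute; 'S'/'T' mean it is absent."""
    if len(ls_mode) != 10 or any(ch not in "rwxst-ST" for ch in ls_mode[1:]):
        raise ValueError(f"bad ls mode string {ls_mode!r}")
    triples = []
    for i in (1, 4, 7):
        slot = ls_mode[i:i + 3]
        triples.append(sum(b for ch, b in zip(slot, (R, W, X)) if ch in "rwxst"))
    return (ls_mode[0] == "d", *triples)


@dataclass
class Entry:
    ls_mode: str
    owner: str
    group: str


@dataclass
class Principal:
    user: str
    groups: set = field(default_factory=set)


def bits_for(entry, who):
    """Exactly one class applies: owner if you own it, else group if you are a member, else
    world. An owner denied by the owner bits is not rescued by the group or world bits."""
    _, owner_bits, group_bits, world_bits = parse_mode(entry.ls_mode)
    if who.user == entry.owner:
        return owner_bits
    if entry.group in who.groups:
        return group_bits
    return world_bits


class Tree:
    """Constructed filesystem: absolute path -> Entry; '/' must be present."""

    def __init__(self, entries):
        self.entries = entries

    def ancestors(self, path):
        """Directories that must be traversed (cd'ed into) to reach `path`, '/' first."""
        parts = [p for p in posixpath.normpath(path).split("/") if p]
        dirs, cur = (["/"] if parts else []), ""
        for part in parts[:-1]:
            cur += "/" + part
            dirs.append(cur)
        return dirs

    def can_traverse_to(self, path, who):
        """Each parent needs the execute bit for `who`; its read bit is irrelevant."""
        return all(bits_for(self.entries[d], who) & X for d in self.ancestors(path))

    def can_open(self, path, who):
        """Open a file whose name is known: traverse the parents, then read the file."""
        return self.can_traverse_to(path, who) and bool(bits_for(self.entries[path], who) & R)

    def can_list(self, path, who):
        """List a directory: traverse to it, then read permission on the directory itself."""
        if not parse_mode(self.entries[path].ls_mode)[0]:
            return False
        return self.can_traverse_to(path, who) and bool(bits_for(self.entries[path], who) & R)


# Constructed tree: the home directory is traversable (x) but not listable (no r) by others.
FS = Tree({
    "/": Entry("drwxr-xr-x", "root", "wheel"),
    "/home": Entry("drwxr-xr-x", "root", "wheel"),
    "/home/brenodem": Entry("drwx--x--x", "brenodem", "brenodem"),
    "/home/brenodem/public.txt": Entry("-rw-r--r--", "brenodem", "brenodem"),
    "/home/brenodem/private.txt": Entry("-rw-------", "brenodem", "brenodem"),
    "/home/brenodem/shared.txt": Entry("----rw-rw-", "brenodem", "brenodem"),
})
BRENODEM = Principal("brenodem", {"brenodem"})
CAROL = Principal("carol", {"carol", "brenodem"})   # member of the brenodem group
ALICE = Principal("alice", {"alice"})               # "world" as far as brenodem is concerned

if __name__ == "__main__":
    for who in (BRENODEM, CAROL, ALICE):
        print(who.user, "list home:", FS.can_list("/home/brenodem", who),
              "open public.txt:", FS.can_open("/home/brenodem/public.txt", who),
              "open shared.txt:", FS.can_open("/home/brenodem/shared.txt", who))
```

Running it shows alice cannot list /home/brenodem but can still open public.txt inside it by name, and that brenodem is locked out of shared.txt by the owner bits even though the group bits would allow it.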
Proper file and directory permissions
• Any UNIX system contains several directories that are world executable, where most of the OS services reside:
  - /bin (commands)
  - /etc (configuration files for the above)
  - /usr (utilities and applications)
  - /usr/local or /local (extra utilities and applications)
• These directories are not required to be world readable; only the files they contain need to be world readable. If the directories are not world readable (and are owned by root), then only the system administrator will be able to have a global view of the system configuration and capabilities.
• These directories should be writable only by root, to prevent the installation of programs without the administrator’s knowledge. In particular, they must be “owned” by root.
Changing ownership and permissions
• The root user can change ownership and permissions on files at will.
• In some distributions, a user may change ownership of its own files to other users.
• To change group ownership of a file, you must own the file and you must belong to the new group the file will be assigned to:

chown username filename
chgrp groupname filename

• To change permissions, you must be the file’s owner:

chmod [o|g|a|u][+|-][r|w|x] filename

Example: chmod og+wx filename adds permissions to write and execute the file to both the file owner and file group owner.
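An added example (not code from the original deck) that implements the symbolic chmod syntax shown on the slide and renders the result in ls -l form. In chmod itself, u denotes the owner, g the group, o others (the world) and a all three, so og+wx grants write and execute to the group and to every other user, which is what the world_writable check below reports.

```python
"""Symbolic chmod as shown on the slide (added example, not from the original deck): apply
clauses such as 'og+wx' to a 9-bit mode and render the result the way ls -l shows it.
In chmod, u is the owner, g the group, o others (the world) and a all three classes."""
import re

_CLAUSE = re.compile(r"^([ugoa]+)([+-])([rwx]+)$")
_SHIFT = {"u": 6, "g": 3, "o": 0}           # position of each class's rwx triple
_PERM = {"r": 4, "w": 2, "x": 1}


def apply_chmod(mode, spec):
    """Apply a comma-separated symbolic spec ('og+wx', 'a-x', 'u+rw,o-rwx') to `mode`.
    Only the [ugoa][+-][rwx] subset on the slide is supported: no '=' and no s/t bits."""
    for clause in spec.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported chmod clause {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if "a" in who else who
        mask = 0
        for c in set(classes):
            for p in set(perms):
                mask |= _PERM[p] << _SHIFT[c]
        mode = mode | mask if op == "+" else mode & ~mask
    return mode & 0o777


def to_ls(mode, is_dir=False):
    """Render a 9-bit mode as '-rw-r--r--' / 'drwxr-xr-x'."""
    text = "d" if is_dir else "-"
    for shift in (6, 3, 0):
        trip = (mode >> shift) & 7
        text += "".join(ch if trip & b else "-" for ch, b in (("r", 4), ("w", 2), ("x", 1)))
    return text


def from_ls(ls_mode):
    """Inverse of to_ls for plain rwx strings: 'drwxr-xr-x' -> 0o755."""
    mode = 0
    for i, ch in enumerate(ls_mode[1:10]):
        if ch != "-":
            mode |= (4 >> (i % 3)) << (6 - 3 * (i // 3))
    return mode


def world_writable(mode):
    """The check to make after an 'o+w' style change: can every user now modify the file?"""
    return bool(mode & 0o002)


if __name__ == "__main__":
    start = from_ls("-rw-r--r--")             # 0o644, a typical data file
    after = apply_chmod(start, "og+wx")       # the slide's example clause
    print(to_ls(start), "->", to_ls(after), "world-writable:", world_writable(after))
```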
Effective ID
• When a user tries to execute a program:
  - When the program is initiated, its effective ID is set to the ID of the user (or program) calling it.
  - The UNIX system decides whether the user is authorized to execute it (for instance, the user may belong to the file’s group owner, and the file may be executable by the group).
• For instance, if a utility program is owned by root (typical) but called by a regular user, the effective id of the running program will equal that of the caller (user), not root.
• This standard mechanism is not sufficient in some cases. For instance, the login program.
SUID
• The login program is invoked by regular users, but must have root privileges in order to access the protected password file (/etc/shadow) and to authenticate the user. (Effectively spawning a program under a particular user name even if called by another.)
• This is called a “set user id” program (suid).

-r-sr-xr-x  1 root  wheel  26756 16 Aug 10:32 /usr/bin/login

• Note the ‘s’ in the list of privileges. That means that the caller (could be anybody, as the file is world executable) will spawn a program with the privileges of the group wheel (which can access the password file, and spawn programs (shell) under arbitrary user identities).
Proper configuration of file permissions
• The system of file access permissions underlies most of the access control decisions of the UNIX operating system.
• It is a flexible mechanism that enables different configurations to accommodate different usage needs.
• Improper configuration of file and directory permissions can create serious vulnerabilities.
• The use of SUID programs is a powerful mechanism that should be utilized only when necessary. For instance, a fragile program with SUID permissions can be easily exploited to grant administrative privileges to an attacker.
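A defender-side inventory of set-uid programs, as an added example that is not part of the original slides: it reads the same bits that ls shows as ‘s’ (S_ISUID in the owner execute slot, S_ISGID in the group slot) and flags the combinations an administrator should review. The check itself works on stat fields so it can be exercised with constructed values; the directory walk is a thin wrapper around it.

```python
"""Inventory of set-uid/set-gid programs (added example, not from the original slides).
The 's' in the owner execute slot of '-r-sr-xr-x' is S_ISUID in st_mode; S_ISGID is the
group slot. assess() is a pure check on stat fields so it can be tested without root."""
import os
import stat
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "path owner_uid mode risks")


def assess(path, st_mode, st_uid):
    """Return a Finding for a regular file with S_ISUID or S_ISGID set, else None."""
    if not stat.S_ISREG(st_mode) or not st_mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    risks = []
    if st_mode & stat.S_IWOTH:
        risks.append("world-writable")    # any user could replace the privileged code
    if st_mode & stat.S_IWGRP:
        risks.append("group-writable")
    if st_mode & stat.S_ISUID and st_uid != 0:
        risks.append(f"setuid to non-root uid {st_uid}")   # still a privilege boundary
    return Finding(path, st_uid, stat.S_IMODE(st_mode), tuple(risks))


def audit_tree(root):
    """Walk `root` with lstat (symlinks are not followed) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:               # unreadable entry: skip rather than abort
                continue
            finding = assess(full, st.st_mode, st.st_uid)
            if finding is not None:
                findings.append(finding)
    return findings


def format_finding(f):
    """One line per program, like the slide's ls -l listing with the verdict appended."""
    return f"{f.path} uid={f.owner_uid} mode={f.mode:04o} {','.join(f.risks) or 'ok'}"


if __name__ == "__main__":
    # Constructed stat values for the slide's /usr/bin/login line: -r-sr-xr-x owned by root
    # is S_IFREG | 0o4555 with uid 0, which assess() reports as 'ok'.
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(format_finding(f))
```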
RPC Utilities
• Most Unix systems include the RPC utilities suite for remote command execution:
  - rlogin (remote login)
  - rsh (remote shell)
  - rcp (remote copy)
• Two modes of authentication: host-based and password-based.
• RPCs originating at a trusted host (i.e., a host listed in /etc/hosts or /etc/hosts.allow or /etc/hosts.equiv), identified by network packet source address, are accepted and given a uid equal to the claimed username.
• RPCs called from non-trusted computers must provide both username and password. (Both sent as cleartext over the network.)
Disabling RPC utilities
• The use of the RPC utilities has been deprecated in favor of the ssh and scp programs, both built on the SSH protocol, which provides encryption.
• For backward compatibility the SSH program supports host-based authentication. (This is stronger than in the RPC case, as hosts have SSH keys with which they can mutually authenticate their identities.)
• It is important to ensure that the configuration of the /etc/hosts files reflects the trust policies of your network, and that the RPC utilities are disabled whenever possible.
The UNIX password system
Past and present

Early Unix Password System
• In early versions of Unix, the password was processed using a “secure hash” function derived from the DES cipher.
• The salt was restricted to 12 bits, resulting in 4096 possible hash values for each password.
• Passwords were restricted to 8-character length.
  - 8-character passwords converted into 56-bit DES keys.
  - Passwords shorter than 8 characters were padded with zeros.
  - Longer passwords were truncated in some systems.
• The salt is used to change the DES cipher, which is applied 25 times.
• Results were stored in the world-readable /etc/passwd file.

Unix crypt()
(Figure: DES block diagram.) IP and FP stand for the initial and final permutations, respectively. F: round function. E: expansion function (32→48 bits), which crypt(3) modifies using the salt.
Old /etc/passwd file
An entry in the /etc/passwd file has the following form:

Name:Password:UserID:PrincipalGroup:Gecos:HomeDirectory:Shell

smith:Ep6mckrOLChF.:100:100:John Smith:/home/smith:/usr/bin/sh
guest:*:200:0::/home/guest:/usr/bin/sh

• An entry ‘*’ for the password means that the account has been disabled, while an empty password means that a password is not required for login!
• When shadow passwords are used, ‘!’ or ‘x’ substitutes for the password.
New /etc/passwd file

nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
smmsp:*:25:25:Sendmail User:/private/etc/mail:/usr/bin/false
lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
/etc/shadow file
Entries of the form:

smithj:Ep6mckrOLChF.:10193:0:99999:5:::

where the password is followed by:
• The date when the password was last changed, measured in elapsed days since Jan. 1st, 1970
• The number of days before the password can be changed again
• The number of days after which the password must be changed
• The number of days to warn the user of an expiring password
• The number of days after the password expires that the account is disabled
• The number of days since January 1, 1970 that an account has been disabled
• A reserved field for possible future use
Other changes
• Since the introduction of shadow passwords and the new crypt(), other modifications have been introduced, such as the use of MD5 passwords, and also Blowfish-encrypted passwords.
• Blowfish is an interesting choice: the algorithm is very slow to change keys, making password hashing expensive (good for security).
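As an added example (not from the original deck) covering the /etc/passwd, /etc/shadow and hash-format slides above: a parser for both file formats that decodes the shadow day counters and the 12-bit DES salt, and reports the weak configurations the slides describe (empty password field, hash exposed in world-readable /etc/passwd, extra uid-0 accounts, passwords that never expire). The passwd and shadow records are constructed and the hash strings are placeholders.

```python
"""Parse /etc/passwd and /etc/shadow records as laid out on the slides (added example,
not from the original deck) and report the weak settings they warn about. The sample
records are constructed and the hash strings are placeholders, not real credentials."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
_SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_SPECIAL = {"": "empty", "*": "disabled", "x": "shadowed"}   # values named on the slides
_PREFIXES = (("$1$", "md5"), ("$2a$", "blowfish"), ("$2b$", "blowfish"),
             ("$2y$", "blowfish"), ("$6$", "sha512"))

PASSWD = """\
root:x:0:0:System Administrator:/var/root:/bin/sh
smith:Ep6mckrOLChF.:100:100:John Smith:/home/smith:/usr/bin/sh
guest:*:200:0::/home/guest:/usr/bin/sh
demo::201:201:No password set:/home/demo:/bin/sh
toor:x:0:0:Second uid-0 account:/root:/bin/sh
"""
SHADOW = """\
root:$6$constructedsalt$CONSTRUCTEDHASHVALUE:19000:0:99999:7:::
smithj:Ep6mckrOLChF.:10193:0:99999:5:::
demo:!:10193:0:99999:7:::
"""


def hash_scheme(pw):
    """Classify a password field: 'empty' means no password is needed to log in."""
    if pw in _SPECIAL:
        return _SPECIAL[pw]
    if pw.startswith("!"):
        return "locked"                   # in /etc/shadow: no password login possible
    for prefix, scheme in _PREFIXES:
        if pw.startswith(prefix):
            return scheme                 # modular crypt formats (MD5, bcrypt, SHA-512)
    if len(pw) == 13 and all(c in _SALT_ALPHABET for c in pw):
        return "des"                      # traditional crypt(3): 2 salt chars + 11 hash chars
    return "unknown"


def des_salt_value(pw):
    """The 12-bit salt of a traditional DES hash: two 6-bit characters, first = low bits."""
    c0, c1 = (_SALT_ALPHABET.index(c) for c in pw[:2])
    return c0 | (c1 << 6)                 # one of the 4096 values mentioned on the slide


def parse_passwd(text):
    """Name:Password:UserID:PrincipalGroup:Gecos:HomeDirectory:Shell"""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
            rows.append({"name": name, "password": pw, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return rows


def parse_shadow(text):
    """Nine fields; each of the six day counters after the hash may be empty (None)."""
    rows = []
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"shadow entry needs 9 fields: {line!r}")
        last, lo, hi, warn, inactive, expire = (int(x) if x else None for x in f[2:8])
        rows.append({"name": f[0], "password": f[1], "last_change": last, "min_days": lo,
                     "max_days": hi, "warn_days": warn, "inactive_days": inactive,
                     "expire_day": expire})
    return rows


def shadow_dates(row):
    """Day counters to calendar dates; a maximum of 99999 days means 'never expires'."""
    last = EPOCH + timedelta(days=row["last_change"] or 0)
    never = row["max_days"] is None or row["max_days"] >= 99999
    expires = "never" if never else (last + timedelta(days=row["max_days"])).isoformat()
    return {"last_change": last.isoformat(), "password_expires": expires}


def audit(passwd_text, shadow_text):
    """(user, issue) pairs for the weaknesses the slides describe."""
    issues = []
    for row in parse_passwd(passwd_text):
        scheme = hash_scheme(row["password"])
        if scheme == "empty":
            issues.append((row["name"], "empty password field: no password required to log in"))
        elif scheme == "des":
            issues.append((row["name"], "DES hash exposed in world-readable /etc/passwd "
                                        f"(salt {des_salt_value(row['password'])})"))
        if row["uid"] == 0 and row["name"] != "root":
            issues.append((row["name"], "additional uid-0 (superuser) account"))
    for row in parse_shadow(shadow_text):
        scheme = hash_scheme(row["password"])
        if scheme == "des":
            issues.append((row["name"], "legacy DES hash: 8-character limit, 12-bit salt"))
        if scheme not in ("disabled", "locked") and shadow_dates(row)["password_expires"] == "never":
            issues.append((row["name"], "password never expires"))
    return issues
```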
Reading assignment for 01/16
• T. Aslam, I. Krsul, and E. H. Spafford, Use of a Taxonomy of Security Faults.
• M. Bishop and D. Klein, Improving System Security Through Proactive Password Checking, Computers and Security 14(3), pp. 233-249 (May/June 1995). http://nob.cs.ucdavis.edu/~bishop/papers/1995c+s/proact.pdf

More Related Content

What's hot

Unix files
Unix filesUnix files
Unix files
Sunil Rm
 
Unix training session 1
Unix training   session 1Unix training   session 1
Unix training session 1
Anil Kumar Kapil,PMP®
 
Unix files
Unix filesUnix files
Unix files
Sunil Rm
 
Linux: Basics OF Linux
Linux: Basics OF LinuxLinux: Basics OF Linux
Linux: Basics OF Linux
Omkar Walavalkar
 
Unix ppt
Unix pptUnix ppt
06 users groups_and_permissions
06 users groups_and_permissions06 users groups_and_permissions
06 users groups_and_permissions
Shay Cohen
 
Linux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScITLinux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScIT
vignesh0009
 
Unix features, posix and single unix specification
Unix features, posix and single unix specificationUnix features, posix and single unix specification
Unix features, posix and single unix specification
sudha rani
 
Linux fundamentals
Linux fundamentalsLinux fundamentals
Linux fundamentalsRaghu nath
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory Structure
Kevin OBrien
 
The unix file system
The unix file systemThe unix file system
The unix file systemgsandeepmenon
 
Introduction to unix
Introduction to unixIntroduction to unix
Introduction to unix
sudheer yathagiri
 
Unix
UnixUnix
Unix
Erm78
 
File permissions
File permissionsFile permissions
File permissions
Varnnit Jain
 
Commands and shell programming (3)
Commands and shell programming (3)Commands and shell programming (3)
Commands and shell programming (3)
christ university
 
Xfs file system for linux
Xfs file system for linuxXfs file system for linux
Xfs file system for linux
Ajay Sood
 

What's hot (20)

Unix files
Unix filesUnix files
Unix files
 
Unix training session 1
Unix training   session 1Unix training   session 1
Unix training session 1
 
Unix File System
Unix File SystemUnix File System
Unix File System
 
Unix files
Unix filesUnix files
Unix files
 
Linux: Basics OF Linux
Linux: Basics OF LinuxLinux: Basics OF Linux
Linux: Basics OF Linux
 
Unix ppt
Unix pptUnix ppt
Unix ppt
 
06 users groups_and_permissions
06 users groups_and_permissions06 users groups_and_permissions
06 users groups_and_permissions
 
Linux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScITLinux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScIT
 
Unix features, posix and single unix specification
Unix features, posix and single unix specificationUnix features, posix and single unix specification
Unix features, posix and single unix specification
 
Linux ppt
Linux pptLinux ppt
Linux ppt
 
Linux fundamentals
Linux fundamentalsLinux fundamentals
Linux fundamentals
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory Structure
 
The unix file system
The unix file systemThe unix file system
The unix file system
 
Introduction to unix
Introduction to unixIntroduction to unix
Introduction to unix
 
Unix
UnixUnix
Unix
 
Introduction to UNIX
Introduction to UNIXIntroduction to UNIX
Introduction to UNIX
 
Linux training
Linux trainingLinux training
Linux training
 
File permissions
File permissionsFile permissions
File permissions
 
Commands and shell programming (3)
Commands and shell programming (3)Commands and shell programming (3)
Commands and shell programming (3)
 
Xfs file system for linux
Xfs file system for linuxXfs file system for linux
Xfs file system for linux
 

Viewers also liked

Medi-culling: 13 April 2015
Medi-culling: 13 April 2015Medi-culling: 13 April 2015
Medi-culling: 13 April 2015
Arjun Rajagopalan
 
Should clopidogrel be discontinued before laparoscopic cholecystectomy?
Should clopidogrel be discontinued before laparoscopic cholecystectomy?Should clopidogrel be discontinued before laparoscopic cholecystectomy?
Should clopidogrel be discontinued before laparoscopic cholecystectomy?
Arjun Rajagopalan
 
Can it wait until morning? A comparison of nighttime versus daytime cholecyst...
Can it wait until morning? A comparison of nighttime versus daytime cholecyst...Can it wait until morning? A comparison of nighttime versus daytime cholecyst...
Can it wait until morning? A comparison of nighttime versus daytime cholecyst...
Arjun Rajagopalan
 
Overdiagnosis
OverdiagnosisOverdiagnosis
Overdiagnosis
Arjun Rajagopalan
 
Duration of antibiotic treatment after appendicectomy for acute complicated a...
Duration of antibiotic treatment after appendicectomy for acute complicated a...Duration of antibiotic treatment after appendicectomy for acute complicated a...
Duration of antibiotic treatment after appendicectomy for acute complicated a...
Arjun Rajagopalan
 
The effect of gum chewing on postoperative ileus in colorectal surgery
The effect of gum chewing on postoperative ileus in colorectal surgeryThe effect of gum chewing on postoperative ileus in colorectal surgery
The effect of gum chewing on postoperative ileus in colorectal surgery
Arjun Rajagopalan
 
Pain control with ultrasound-guided inguinal field block compared with spinal...
Pain control with ultrasound-guided inguinal field block compared with spinal...Pain control with ultrasound-guided inguinal field block compared with spinal...
Pain control with ultrasound-guided inguinal field block compared with spinal...
Arjun Rajagopalan
 
How to write a clinical article
How to write a clinical articleHow to write a clinical article
How to write a clinical article
Arjun Rajagopalan
 
Everyone is gaining but the average is slipping: SImpson's paradox
Everyone is gaining but the average is slipping: SImpson's paradoxEveryone is gaining but the average is slipping: SImpson's paradox
Everyone is gaining but the average is slipping: SImpson's paradox
Arjun Rajagopalan
 
The acute abdomen - a process-based approach
The acute abdomen - a process-based approachThe acute abdomen - a process-based approach
The acute abdomen - a process-based approach
Arjun Rajagopalan
 

Viewers also liked (10)

Medi-culling: 13 April 2015
Medi-culling: 13 April 2015Medi-culling: 13 April 2015
Medi-culling: 13 April 2015
 
Should clopidogrel be discontinued before laparoscopic cholecystectomy?
Should clopidogrel be discontinued before laparoscopic cholecystectomy?Should clopidogrel be discontinued before laparoscopic cholecystectomy?
Should clopidogrel be discontinued before laparoscopic cholecystectomy?
 
Can it wait until morning? A comparison of nighttime versus daytime cholecyst...
Can it wait until morning? A comparison of nighttime versus daytime cholecyst...Can it wait until morning? A comparison of nighttime versus daytime cholecyst...
Can it wait until morning? A comparison of nighttime versus daytime cholecyst...
 
Overdiagnosis
OverdiagnosisOverdiagnosis
Overdiagnosis
 
Duration of antibiotic treatment after appendicectomy for acute complicated a...
Duration of antibiotic treatment after appendicectomy for acute complicated a...Duration of antibiotic treatment after appendicectomy for acute complicated a...
Duration of antibiotic treatment after appendicectomy for acute complicated a...
 
The effect of gum chewing on postoperative ileus in colorectal surgery
The effect of gum chewing on postoperative ileus in colorectal surgeryThe effect of gum chewing on postoperative ileus in colorectal surgery
The effect of gum chewing on postoperative ileus in colorectal surgery
 
Pain control with ultrasound-guided inguinal field block compared with spinal...
Pain control with ultrasound-guided inguinal field block compared with spinal...Pain control with ultrasound-guided inguinal field block compared with spinal...
Pain control with ultrasound-guided inguinal field block compared with spinal...
 
How to write a clinical article
How to write a clinical articleHow to write a clinical article
How to write a clinical article
 
Everyone is gaining but the average is slipping: SImpson's paradox
Everyone is gaining but the average is slipping: SImpson's paradoxEveryone is gaining but the average is slipping: SImpson's paradox
Everyone is gaining but the average is slipping: SImpson's paradox
 
The acute abdomen - a process-based approach
The acute abdomen - a process-based approachThe acute abdomen - a process-based approach
The acute abdomen - a process-based approach
 

Similar to Host security

Unix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell ScriptUnix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell Script
sbmguys
 
16. Computer Systems Basic Software 2
16. Computer Systems   Basic Software 216. Computer Systems   Basic Software 2
16. Computer Systems Basic Software 2New Era University
 
Lesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemLesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File System
Sadia Bashir
 
Unix Operating System
Unix Operating SystemUnix Operating System
Unix Operating System
subhsikha
 
Basic orientation to Linux
Basic orientation to LinuxBasic orientation to Linux
Basic orientation to Linux
Vidyaratha Kissoon
 
Linux Security
Linux SecurityLinux Security
Linux Security
Mahdi Cherif
 
Linux security
Linux securityLinux security
Linux security
trilokchandra prakash
 
Linux: An Unbeaten Empire
Linux: An Unbeaten EmpireLinux: An Unbeaten Empire
Linux: An Unbeaten Empire
Yogesh Sharma
 
linux-lecture1.ppt
linux-lecture1.pptlinux-lecture1.ppt
linux-lecture1.ppt
Nikhil Raut
 
Linux
LinuxLinux
UNIT II-Programming in Linux
UNIT II-Programming in LinuxUNIT II-Programming in Linux
UNIT II-Programming in Linux
Dr.YNM
 
Unix_Introduction_BCA.pptx the very basi
Unix_Introduction_BCA.pptx the very basiUnix_Introduction_BCA.pptx the very basi
Unix_Introduction_BCA.pptx the very basi
Priyadarshini648418
 
LINUX
LINUXLINUX
LINUXARJUN
 
Linux Getting Started
Linux Getting StartedLinux Getting Started
Linux Getting Started
Angus Li
 
Basics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubBasics of Linux Commands, Git and Github
Basics of Linux Commands, Git and Github
Devang Garach
 
Linux administration classes in mumbai
Linux administration classes in mumbaiLinux administration classes in mumbai
Linux administration classes in mumbai
Vibrant Technologies & Computers
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linux
Papu Kumar
 
Introduction to Unix
Introduction to UnixIntroduction to Unix
Introduction to Unix
Nishant Munjal
 

Similar to Host security (20)

Unix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell ScriptUnix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell Script
 
16. Computer Systems Basic Software 2
16. Computer Systems   Basic Software 216. Computer Systems   Basic Software 2
16. Computer Systems Basic Software 2
 
Tutorial 2
Tutorial 2Tutorial 2
Tutorial 2
 
Lesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemLesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File System
 
Unix Operating System
Unix Operating SystemUnix Operating System
Unix Operating System
 
Basic orientation to Linux
Basic orientation to LinuxBasic orientation to Linux
Basic orientation to Linux
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Linux security
Linux securityLinux security
Linux security
 
Linux: An Unbeaten Empire
Linux: An Unbeaten EmpireLinux: An Unbeaten Empire
Linux: An Unbeaten Empire
 
linux-lecture1.ppt
linux-lecture1.pptlinux-lecture1.ppt
linux-lecture1.ppt
 
Linux
LinuxLinux
Linux
 
UNIT II-Programming in Linux
UNIT II-Programming in LinuxUNIT II-Programming in Linux
UNIT II-Programming in Linux
 
Unix_Introduction_BCA.pptx the very basi
Unix_Introduction_BCA.pptx the very basiUnix_Introduction_BCA.pptx the very basi
Unix_Introduction_BCA.pptx the very basi
 
LINUX
LINUXLINUX
LINUX
 
Linux Getting Started
Linux Getting StartedLinux Getting Started
Linux Getting Started
 
Basics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubBasics of Linux Commands, Git and Github
Basics of Linux Commands, Git and Github
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
 
Linux administration classes in mumbai
Linux administration classes in mumbaiLinux administration classes in mumbai
Linux administration classes in mumbai
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linux
 
Introduction to Unix
Introduction to UnixIntroduction to Unix
Introduction to Unix
 

Recently uploaded

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 

Recently uploaded (20)

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
When stars align: studies in data quality, knowledge graphs, and machine lear...

Host security

  • 2. Host security measures
    - Host-centric: tailored to the host architecture; takes into account not only the type of operating system but also its configuration.
    - Comprehensive: protects the installed applications as well.
    - Complex, costly, protects a single host.
  • 6. Common Unix Configuration Weaknesses
    - Password management issues: weak passwords, default passwords, re-used passwords
    - Exploitable services: FTP/TFTP, Sendmail, other services
    - Improper file and directory permissions
    - Improper use of setuid
    - Improper network file configuration
    - Unpatched known vulnerabilities
  • 7. Basic UNIX access control
    In Unix, there are three levels of access control:
    - Individual (user): each user has a unique id (uid) in the system.
    - Group: all users by default belong to the “user” group (some distributions), or to a singleton group containing only that individual user. Users can belong to more than one group (most modern versions). Usually a group is defined per access control category, e.g.:
      - root/wheel (general administration)
      - www/web (web server administration)
      - mail (mail server administration)
      - ad hoc groups can be used to facilitate collaboration such as directory and file sharing
    - World (or all): the universe of all users.
  • 8. File permissions
    File ownership: each file and directory in UNIX (including programs) is “owned” by a specific user, a specific group, and the world. To each level of ownership there is an associated set of permission values: read, write and execute. Each value can be true (permission granted) or false. Only the owner of a file (or the special user root) can change the file’s permission settings.
    Example:
      drwxr-xr-x  11 brenodem  brenodem  374 30 Aug 13:39 .
    This indicates that the file ‘.’ (the current directory) is owned by user brenodem, who belongs to the singleton group brenodem. The directory was last modified on Aug. 30th at 13:39. The user brenodem is granted read, write, and execute privileges on the file. The group and the world are granted read and execute (but not write) privileges.
  • 9. Meaning of file permissions
    The meaning of permissions for files is clear, but can be complex for directories. For instance, if a world-accessible file is located deep within a directory structure, all the parent directories of the file must grant execute permission to the whole world. This is because, in order to traverse a directory structure, UNIX executes cd on each directory (starting from the lowest common directory, for instance ‘/home’). On the other hand, it is NOT necessary that the same directories be world-readable. If a directory is not readable by a principal, its contents cannot be listed. However, it may well contain files that are readable by that principal, and these can be opened if their names are known.
  • 10. Proper file and directory permissions
    Any UNIX system contains several directories that are world executable, where most of the OS services reside:
    - /bin (commands)
    - /etc (configuration files for the above)
    - /usr (utilities and applications)
    - /usr/local or /local (extra utilities and applications)
    These directories are not required to be world readable; only the files they contain need to be world readable. If the directories are not world readable (and are owned by root), then only the system administrator will have a global view of the system configuration and capabilities. These directories should be writable only by root, to prevent the installation of programs without the administrator’s knowledge. In particular, they must be “owned” by root.
  • 11. Changing ownership and permissions
    The root user can change ownership and permissions on files at will. In some distributions, a user may change ownership of their own files to other users. To change the group ownership of a file, you must own the file and you must belong to the new group the file will be assigned to:
      chown username filename
      chgrp groupname filename
    To change permissions, you must be the file’s owner:
      chmod [o|g|a|u][+|-][r|w|x] filename
    Example: chmod og+wx filename adds permissions to write and execute the file to both the file owner and file group owner.
  • 12. Effective ID
    When a user tries to execute a program, and the program is initiated, its effective ID is set to the ID of the user (or program) calling it. The UNIX system decides whether the user is authorized to execute it (for instance, the user may belong to the file’s group owner, and the file may be executable by the group). For instance, if a utility program is owned by root (typical) but called by a regular user, the effective id of the running program will equal that of the caller (the user), not root. This standard mechanism is not sufficient in some cases, for instance the login program.
  • 13. SUID
    The login program is invoked by regular users, but must have root privileges in order to access the protected password file (/etc/shadow) and to authenticate the user (effectively spawning a program under a particular user name even if called by another). This is called a “set user id” program (suid).
      -r-sr-xr-x  1 root  wheel  26756 16 Aug 10:32 /usr/bin/login
    Note the ‘s’ in the list of privileges. That means that the caller (which could be anybody, as the file is world executable) will spawn a program with the privileges of the group wheel (which can access the password file, and spawn programs (shells) under arbitrary user identities).
  • 14. Proper configuration of file permissions
    The system of file access permissions underlies most of the access control decisions of the UNIX operating system. It is a flexible mechanism that enables different configurations to accommodate different usage needs. Improper configuration of file and directory permissions can create serious vulnerabilities. The use of SUID programs is a powerful mechanism that should be used only when necessary: a fragile program with SUID permissions can be easily exploited to grant administrative privileges to an attacker.
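As an added example (not from the slides), the following Python models the rules of slides 9, 12 and 13: which r/w/x class applies to a caller, why every parent directory needs execute (but not read) permission for a file to be opened, and how the setuid bit changes the effective uid. The sample entries, uids and principals are constructed; the `-r-sr-xr-x` line mirrors the /usr/bin/login listing on slide 13.

```python
from typing import NamedTuple

class Principal(NamedTuple):
    uid: int
    gids: frozenset          # every group the caller belongs to (slide 7)

class Entry(NamedTuple):
    mode: str                # ls -l mode string, e.g. "drwxr-xr-x" or "-r-sr-xr-x"
    uid: int                 # owning user
    gid: int                 # owning group

def perms_for(entry: Entry, who: Principal) -> set:
    """Letters of r/w/x that `who` holds on `entry` (regular users; root is not modelled).
    Exactly one class applies: owner if the uid matches, else group, else world."""
    if who.uid == entry.uid:      triple = entry.mode[1:4]    # owner class
    elif entry.gid in who.gids:   triple = entry.mode[4:7]    # group class
    else:                         triple = entry.mode[7:10]   # world class
    granted = set()
    for bit, letter in zip(triple, "rwx"):
        if bit in "rwx":
            granted.add(letter)
        elif bit in "st":        # lower-case s/t: setuid/setgid/sticky AND execute;
            granted.add("x")     # upper-case S/T would be the flag without execute
    return granted

def can_open(path_entries: list, who: Principal) -> bool:
    """Slide 9: every parent directory needs 'x' for `who` (to traverse it) and the
    file itself needs 'r'; the parent directories need NOT be readable."""
    *dirs, leaf = path_entries
    return all("x" in perms_for(d, who) for d in dirs) and "r" in perms_for(leaf, who)

def is_setuid(entry: Entry) -> bool:
    return entry.mode[3] in "sS"   # the 's' slide 13 points at: the owner's execute slot

def effective_uid(entry: Entry, caller: Principal) -> int:
    """Slides 12-13: a program runs with the caller's uid unless it is setuid,
    in which case the effective uid becomes the file owner's."""
    return entry.uid if is_setuid(entry) else caller.uid

# Constructed sample tree: /home is traversable but not listable by the world.
HOME  = Entry("drwxr-x--x", 0, 0)
BRENO = Entry("drwxr-xr-x", 501, 501)
NOTES = Entry("-rw-r--r--", 501, 501)
LOGIN = Entry("-r-sr-xr-x", 0, 0)        # /usr/bin/login as listed on slide 13
guest = Principal(200, frozenset({200}))

if __name__ == "__main__":
    print(perms_for(HOME, guest), can_open([HOME, BRENO, NOTES], guest))  # {'x'} True
    print(effective_uid(LOGIN, guest), effective_uid(NOTES, guest))       # 0 200
```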
  • 15. RPC Utilities
    Most Unix systems include the RPC utilities suite for remote command execution:
    - rlogin (remote login)
    - rsh (remote shell)
    - rcp (remote copy)
    Two modes of authentication: host-based and password-based.
    - RPCs originating at a trusted host (i.e., a host listed in /etc/hosts, /etc/hosts.allow or /etc/hosts.equiv), identified by the network packet source address, are accepted and given a uid equal to the claimed username.
    - RPCs called from non-trusted computers must provide both username and password (both sent as cleartext over the network).
  • 16. Disabling RPC utilities
    The use of the RPC utilities has been deprecated in favor of the ssh and scp programs, both built on the SSH protocol, which provides encryption. For backward compatibility the SSH program supports host-based authentication. (This is stronger than in the RPC case, as hosts have SSH keys with which they can mutually authenticate their identities.) It is important to ensure that the configuration of the /etc/hosts files reflects the trust policies of your network, and that the RPC utilities are disabled whenever possible.
  • 18. Early Unix Password System
    In early versions of Unix, the password was processed using a “secure hash” function derived from the DES cipher. The salt was restricted to 12 bits, resulting in 4096 possible hash values for each password. Passwords were restricted to 8 characters in length.
    - 8-character passwords were converted into 56-bit DES keys.
    - Passwords shorter than 8 characters were padded with zeros; longer passwords were truncated in some systems.
    - The salt was used to change the DES cipher, which was applied 25 times.
    - Results were stored in the world-readable /etc/passwd file.
  • 20. [DES figure] IP and FP stand for the initial and final permutations, respectively. F: round function. E: expansion function (32→48 bits), which crypt(3) modifies using the salt.
  • 21. Old /etc/passwd file
    An entry in the /etc/passwd file has the following form:
      Name:Password:UserID:PrincipleGroup:Gecos:HomeDirectory:Shell
      smith:Ep6mckrOLChF.:100:100:John Smith:/home/smith:/usr/bin/sh
      guest:*:200:0::/home/guest:/usr/bin/sh
    An entry ‘*’ for the password means that the account has been disabled, while an empty password means that no password is required for login! When shadow passwords are used, ‘!’ or ‘x’ substitutes for the password.
  • 22. New /etc/passwd file
      nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
      root:*:0:0:System Administrator:/var/root:/bin/sh
      daemon:*:1:1:System Services:/var/root:/usr/bin/false
      smmsp:*:25:25:Sendmail User:/private/etc/mail:/usr/bin/false
      lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
      sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
      qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
  • 23. /etc/shadow file
    Entries are of the form:
      smithj:Ep6mckrOLChF.:10193:0:99999:5:::
    where the password is followed by:
    - The date when the password was last changed, measured in elapsed days since Jan. 1st, 1970
    - The number of days before the password can be changed again
    - The number of days after which the password must be changed
    - The number of days to warn the user of an expiring password
    - The number of days after the password expires that the account is disabled
    - The number of days since January 1, 1970 that the account has been disabled
    - A reserved field for possible future use
  • 24. Other changes
    Since the introduction of shadow passwords and the new crypt(), other modifications have been introduced, such as the use of MD5 passwords and also Blowfish-encrypted passwords. Blowfish is an interesting choice: the algorithm is very slow to change keys, making password hashing expensive (good for security).
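As an added example (not from the slides), the following Python audits constructed /etc/passwd and /etc/shadow lines for the conditions slides 21 to 24 describe: empty and disabled password fields, a legacy 13-character DES crypt(3) hash (2-character salt, 4096 values) left in the world-readable passwd file, and a password older than its maximum age from the shadow fields. The day counts and the `$6$` value are placeholders.

```python
SALT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
def classify_hash(field: str) -> str:
    """Read a password field the way slides 21-24 describe it."""
    if field == "":
        return "empty: login without a password"
    if field == "*":
        return "disabled"
    if field in ("x", "!"):
        return "shadowed"
    if len(field) == 13 and set(field) <= SALT_ALPHABET:
        return "legacy DES crypt(3), 12-bit salt"   # 2-char salt: 64*64 = 4096 values
    return "modular crypt ($1$ MD5, $2a$ Blowfish, ...)" if field.startswith("$") else "unrecognised"

def parse_passwd(text: str) -> list:
    rows = []
    for line in filter(None, text.splitlines()):
        name, pw, uid, gid, _gecos, home, shell = line.split(":")
        rows.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid), "shell": shell})
    return rows

def parse_shadow(text: str) -> dict:
    out = {}   # name -> (last change day, max age in days): fields 3 and 5 of slide 23
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        out[f[0]] = (int(f[2]) if f[2] else None, int(f[4]) if f[4] else None)
    return out

def audit(passwd_text: str, shadow_text: str, today: int) -> list:
    """Return (user, finding) pairs; `today` counts days since 1970-01-01 as shadow does."""
    findings, shadow = [], parse_shadow(shadow_text)
    for u in parse_passwd(passwd_text):
        kind = classify_hash(u["pw"])
        if kind.startswith("empty"):
            findings.append((u["name"], "no password required"))
        elif kind not in ("disabled", "shadowed"):
            findings.append((u["name"], "hash exposed in world-readable /etc/passwd: " + kind))
        lastchg, max_age = shadow.get(u["name"], (None, None))
        if lastchg is not None and max_age not in (None, 99999) and today > lastchg + max_age:
            findings.append((u["name"], "password expired"))
    return findings

# Constructed sample files: smith, guest and root follow slides 21-22; the $6$ value is a placeholder.
PASSWD = """smith:Ep6mckrOLChF.:100:100:John Smith:/home/smith:/usr/bin/sh
guest:*:200:0::/home/guest:/usr/bin/sh
root:*:0:0:System Administrator:/var/root:/bin/sh
oldapp::300:300:Legacy App:/opt/oldapp:/usr/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""
SHADOW = "alice:$6$placeholder$placeholder:19000:0:90:7:::\n"
```

Running `audit(PASSWD, SHADOW, 19500)` flags smith's exposed DES hash, oldapp's empty password and alice's expired password; guest and root, both disabled with ‘*’, produce no finding.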
  • 25. Reading assignment for 01/16
    - T. Aslam, I. Krsul, and E. H. Spafford, “Use of a Taxonomy of Security Faults”.
    - M. Bishop and D. Klein, “Improving System Security Through Proactive Password Checking”, Computers and Security 14(3), pp. 233-249 (May/June 1995). http://nob.cs.ucdavis.edu/~bishop/papers/1995c+s/proact.pdf