Note
Contents are NOT mine. Most of them are from the wonderful books Practical Unix and Internet Security and Real World Linux Security. Others are extracted from various good resources, including:
- Linux Security FAQ
- Solaris Security FAQ
- Sun Solaris / HP-UX / Tru64 Unix man pages
Table of contents
- Before we start
- Security basics
- Unix / Linux server security
- System setup guide
- Detection
- Recovery
Security requirements
- Confidentiality
- Integrity
- Authentication
- Non-repudiation
- Availability
- Access control
- Combined: user authentication used for access control; non-repudiation combined with authentication
Some terminology
- System security / network security
- Passive attack / active attack (sniffing / spoofing)
Two models
- Access control: discretionary access control vs. mandatory access control
- Audit
Security policy
A simple and generic policy for the system, which users can readily understand and follow. Starting point:
That which is not permitted is prohibited.
Setup steps
(1) Identify what you are trying to protect.
(2) Determine what you are trying to protect it from.
(3) Determine how likely the threats are.
(4) Implement measures which will protect your assets in a cost-effective manner.
(5) Review and improve the process continuously.
Samples
ftp://coast.cs.purdue.edu/pub/doc/policy
Bad passwords
- Your name, spouse's name, partner's name, pet's name, child's name, friend's name, boss's name
- Operating system, hostname, username
- Phone number, license plate number, birth date, social security number
- Words in the dictionary
- Simple patterns of letters on the keyboard (qwerty)
- Passwords of all the same letter
- Any of the above spelled backwards
- Any of the above followed or preceded by a single digit
Password
Good passwords
- Have both uppercase and lowercase letters.
- Have digits and/or punctuation characters as well as letters.
- May include some control characters and/or spaces.
- Are easy to remember, so they do not have to be written down.
- Are seven or eight characters long.
Who is the superuser?
- UID of 0. Any username can be the superuser.
- Normal security checks and constraints are ignored for the superuser.
- The superuser is not for casual use.
Do not log in as the superuser; use /bin/su with the - option instead.
Superuser
Set a trap
    % cd
    % chmod 700 .
    % touch ./-f
All that is left to do is tell the administrator: "I have a funny file in my directory I can't seem to delete."
- alias rm='rm -i'
- Only become root to do a single specific task. Stay in a normal user shell until you are sure what needs to be done by root.
- Command path: minimum and trusted directories only; never include "."; no writable directories.
Solaris: /etc/default/login
    CONSOLE=/dev/console
Always be slow and deliberate when running as root. Think before you type.
File permission
File type
- : plain file
d : directory
c : character device (tty, printer)
b : block device (disk, CD-ROM)
l : symbolic link
s : socket
=, p : FIFO
File system
SUID/SGID/sticky bits
SUID (set uid)
A process running a SUID program is granted access to system resources based on the user who owns the file, not the user who started it.
sticky bit
If set on a directory, a user may only delete files that he owns or for which he has been granted explicit write permission, even when he has write access to the directory (e.g. /tmp).
Dangerous accounts
Accounts without passwords
    # cat /etc/passwd | awk -F: 'length($2)<1 {print $1}'
Default accounts
Just remove them!
Shared accounts
Less accountability, less security. Create several accounts in a group instead.
Account
Dormant account
Risks
An intruder can use a dormant account without being noticed. The owner of a dormant account cannot follow your policy or orders (e.g. "Dear users, please change your passwords right now.").
How to handle
Disabling dormant accounts automatically (SVR4)
    usermod -f 10 newcat
(locked if no login in 10 days)
Freeze it
- Put * in the password field
- chmod 0 /home/newcat
- find / -user newcat -ls
Account
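As an added example (not from the original slides), the three account checks above, no password set, extra UID 0 accounts, and dormant accounts, applied to a constructed /etc/passwd fragment; the last-login ages are constructed values standing in for what `last` or lastlog would report, and `max_idle_days` mirrors the 10-day limit given to usermod -f.

```python
# Added example: audit /etc/passwd-style records for the "dangerous accounts"
# named on this page. All input below is constructed for the demonstration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
newcat::1001:100:New Cat:/home/newcat:/bin/sh
guest:*:1002:100:Guest:/home/guest:/bin/sh
"""

# Constructed days since last login, as lastlog / last would report them.
SAMPLE_LAST_LOGIN_DAYS = {"root": 0, "toor": 3, "newcat": 45, "guest": 200}


def audit_passwd(passwd_text, last_login_days, max_idle_days=10):
    """Return (user, finding) pairs for the account problems listed above."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed passwd entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        # Empty second field: the account can be used with no password at all
        # (same condition as the awk one-liner above).
        if pw == "":
            findings.append((user, "empty password field"))
        # UID 0 is what makes an account the superuser, whatever its name.
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
        # Dormant: not logged in for longer than the policy allows. An account
        # already frozen with * in the password field is not reported again.
        idle = last_login_days.get(user)
        if pw != "*" and idle is not None and idle > max_idle_days:
            findings.append((user, f"dormant: no login for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_LAST_LOGIN_DAYS):
        print(f"{user}: {finding}")
```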
Simple examples
By metadata
    # cat /usr/adm/filelist | xargs ls -ilds > /tmp/now
    # diff -b /usr/adm/savelist /tmp/now
By checksum
    # find `cat /usr/adm/filelist` -ls -type f -exec md4 {} \; > /tmp/now
    # diff -b /usr/adm/savelist /tmp/now
Integrity
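An added example (not code from the slides or from Tripwire) of the two integrity checks just shown, by metadata and by checksum, as one script: it records the attributes `ls -ilds` reports plus a SHA-256 digest, and `demo()` replaces a file's contents with a same-size version and restores its mtime to show why the checksum check is the one that matters. File names and contents are constructed.

```python
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Metadata comparable to `ls -ilds`, plus a SHA-256 checksum."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"inode": st.st_ino, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size,
            "mtime": int(st.st_mtime), "sha256": digest}


def snapshot(paths):
    """Baseline for the listed regular files (the role of /usr/adm/savelist)."""
    return {p: file_record(p) for p in paths if os.path.isfile(p)}


def compare(baseline, current, by="sha256"):
    """Files whose attribute `by` differs, plus files added or removed."""
    changed = sorted(p for p in baseline
                     if p in current and baseline[p][by] != current[p][by])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Constructed case: same size, mtime put back, only the contents differ."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "login")
        with open(target, "w") as fh:
            fh.write("original binary\n")
        baseline = snapshot([target])
        with open(target, "w") as fh:
            fh.write("trojaned binary\n")   # same length as the original
        m = baseline[target]["mtime"]
        os.utime(target, (m, m))            # metadata now matches the baseline
        current = snapshot([target])
        return {"by_size": compare(baseline, current, "size")["changed"],
                "by_mtime": compare(baseline, current, "mtime")["changed"],
                "by_checksum": compare(baseline, current, "sha256")["changed"]}


if __name__ == "__main__":
    print(demo())
```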
Tripwire
Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. Where is it?
- Commercial version: http://www.tripwire.com/
- For Linux users: http://www.tripwire.org/
- For Unix users: ftp://coast.cs.purdue.edu/pub/COAST/Tripwire/tripwire-1.2.tar.Z
Integrity
Check periodically
    # tripwire --check
Reconcile differences (e.g. after software installation)
    # tripwire --update --accept-all --twrfile report_file
Integrity
Basics
Consider remote logging to secure log data.
List of log files
- acct / pacct : commands run by users
- aculog : dial-out modem (acu : automatic call unit)
- lastlog : most recent login success/fail times
- loginlog : bad login attempts
- messages : console / syslog facility
- sulog : su command
- utmp / utmpx : each user currently logged in
- wtmp / wtmpx : login/out, shutdown/startup
- xferlog : FTP access
Log and audit
u/wtmp file
last
Displays login and logout information about users and terminals
acct/pacct file
(Solaris 5.8) /usr/lib/acct/startup, /usr/lib/acct/shutacct
Starts or stops accounting.
Monitoring logs
logcheck (logsentry)
Extracts anything that might indicate a security violation or other abnormality, and reports it via e-mail. http://www.psionic.com/products/logsentry.html
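As an added example of the logcheck idea applied to the sulog file listed above (not part of the original slides and not logcheck's own code), this filter picks out failed su attempts to root and users whose failures reach a threshold; the sample lines are constructed in the Solaris sulog layout, and the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the Solaris sulog layout: "SU MM/DD hh:mm +|- tty from-to"
SAMPLE_SULOG = """\
SU 03/10 09:12 + pts/1 newcat-root
SU 03/10 21:40 - pts/4 guest-root
SU 03/10 21:41 - pts/4 guest-root
SU 03/10 21:43 - pts/4 guest-root
SU 03/11 08:05 + console root-newcat
"""

SULOG_RE = re.compile(r"^SU (\S+) (\S+) ([+-]) (\S+) (\S+)-(\S+)$")


def scan_sulog(text, fail_threshold=3):
    """Return what a logcheck-style filter would mail to the administrator:
    every failed su to root, and users whose failures reach the threshold."""
    failed_to_root = []
    failures = Counter()
    for line in text.splitlines():
        m = SULOG_RE.match(line)
        if not m:
            continue                       # not a sulog record, ignore it
        date, time, result, tty, src, dst = m.groups()
        if result == "-":                  # "-" marks a failed su
            failures[src] += 1
            if dst == "root":
                failed_to_root.append((date, time, tty, src))
    repeated = sorted(u for u, n in failures.items() if n >= fail_threshold)
    return {"failed_to_root": failed_to_root, "repeated_offenders": repeated}


if __name__ == "__main__":
    report = scan_sulog(SAMPLE_SULOG)
    for date, time, tty, user in report["failed_to_root"]:
        print(f"{date} {time} {tty}: failed su to root by {user}")
    print("repeated offenders:", report["repeated_offenders"])
```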
Basic terms
Bug vs. malware (or malicious software)
Kinds of malware
- Security tools and toolkits
- Back doors and trap doors
- Logic bombs
- Viruses
- Worms
- Trojan horses
- Bacteria and rabbits
Programmed threats
Trojan horse
Never execute anything until you're sure of the program and of its inputs. Never run anything as root unless you absolutely must.
Programmed threats
If under attack:
- Call a computer incident response center to see if other sites have made similar reports.
- Isolate your server to prevent spread.
Programmed threats
Vulnerabilities
ftp
Passwords are sent in plain text.
/etc/ftpusers : list of accounts that are NOT allowed to use ftp.
telnet
Passwords are sent in plain text. An attacker can hijack the session.
TCP/IP
Vulnerabilities (continued)
smtp (sendmail)
Must be upgraded to 8.9.3 or higher. The current version is 8.12.6. Check the permissions of /var/spool/mqueue, sendmail.cf, /etc/aliases*, /etc/mail/mailertable* (owned by root, writable by owner only).
TCP/IP
Vulnerabilities (continued)
Sun RPC portmapper
Assigns the TCP/UDP ports used for RPC. To improve security, turn it off if possible. Otherwise:
- Replace it with Wietse Venema's version.
- Block packets on port 111.
TCP/IP
Vulnerabilities (continued)
web
Yet another BIG topic. See the reference:
Lincoln D. Stein's WWW Security FAQ
http://www-genome.wi.mit.edu/WWW/faqs/wwwsecurity-faq.html
TCP/IP
Vulnerabilities (continued)
NFS
- Limit exported and mounted file systems
- Export read-only and use root ownership
- Remove group-write permission for files and directories
- Do not export server executables and home directories
- Do not allow users to log into the server
- Use fsirand and set the portmon variable
- Use showmount -e
- Use secure NFS
TCP/IP
Vulnerabilities (continued)
tftp (UDP 69)
No security at all.
finger (79)
Provides user information.
TCP/IP
Linux
Securing Debian Manual
http://www.debian.org/doc/manuals/securingdebian-howto/
10. Use tcpwrapper for network services.
11. Install Secure Shell and encourage its use.
12. Install an integrity checker (e.g. Tripwire).
13. Test it periodically (e.g. Nessus, COPS, Tiger).
Module 5 : Detection
Monitoring / Scanning / Handling
Monitoring (1/2)
Log (logcheck)
Propagate it using a loghost and e-mail. Check it.
Network (tcpdump)
Monitoring
Monitoring (2/2)
Process (ps)
Check for suspicious processes, e.g. a compiler. Record the typical size of daemons and important programs to detect Trojan horses.
Load (uptime)
Scanning
- Find suspicious files.
- Run Tripwire.
- Detect promiscuous network interfaces.
Scanning
Handling incidents
Don't panic
Is it really a security incident? Was any damage really done? Evidence or normal operation, that is the question.
Document
Write down everything you find, always noting the date and time.
Module 6 : Recovery
Regaining control of the system / Finding and repairing the damage / Tracing the attacker
1. Remove the system disk from the compromised system and connect it as a second disk to a secure system. (Or, boot from a secure boot floppy.)
2. Run fsck.
3. Boot again. Before coming up in multi-user mode, check cracker-generated email.
Regaining control of system
Checking logs
Log files
- /var/log/*
- Shell history files (esp. for root)
- Mailboxes (mbox, /?/spool/mail, /?/spool/mqueue)
- Firewall logs, ISP's logs
- tcpwrapper log (denied log only)
Other files
- /tmp/*
- Hidden directories (e.g. /home/*/.??*)
- Other files starting with .
Finding and repairing the damage
Useful commands
With an IP address (A.B.C.D)
    nslookup -type=any D.C.B.A.in-addr.arpa
    dig -x A.B.C.D
Using ping
See the distance
Using traceroute
Tracing hacker
Module 7 : D.I.Y.
Requirement / Analysis / Plan and Do
Network
- Network distribution components (e.g. router, hub, switch)
- Network service hosts (e.g. directory, NMS)
- Network connection / cabling
- Data (e.g. database, agreement, policy, guideline)
- Software
- Human
- Environment (e.g. UPS, air conditioner, cabinet)
Requirement
Cost of loss
1 : Open
Availability
5 : Non-stop
4 : Recovery within 4 hours
3 : Recovery within 8 hours
2 : Recovery within 12 hours
1 : Recovery within 24 hours
Analysis
Automated analysis
e.g. Nessus
Manual analysis
OS checklists
Sample results: Service daemons
Problems
Some old-version daemons have buffer overflow vulnerabilities. Unnecessary daemons are running.
To do
Remove unnecessary daemons. Keep necessary daemon up to date. Run security scanner periodically.
Sample results: Backdoors, vulnerable files
Problems
No backdoor was found, but there is no countermeasure against future backdoors.
To do
Install and run Tripwire periodically.
Sample results: Misuse by users
Problems
Sendmail's vulnerability can lead to root compromise.
To do
Remove if unnecessary. Keep it up to date if necessary.
Sample results: User accounts
Problems
Super user accounts are shared by administrators and developers. Weak passwords are found.
To do
Define each system's usage clearly. Define each user's role according to the usage of the system. Apply password control (including aging).
Sample results: Log management
Problems
No log management.
To do
Set up a loghost and configure all logs to be sent to it. Write a log management guideline and apply it.
Sample results: Network configuration
Problems
Database servers are exposed to the Internet.
To do
Set up a DMZ. Put external service servers in the DMZ. Put database servers in the internal network.
Categories of reaction
Configuration issue
Issues are solved by configuring servers and network equipment properly. Usually done within a week.
Management issue
Several units within organization work together to handle these issues. Plan => Do => See cycle
Plan
Categorize To Dos
Configuration issue
Remove unnecessary daemons. Apply password control (including aging).
Management issue
Write a log management guideline and apply it. Define each system's usage clearly. Define each user's role according to the usage of the system.