Security


1

Security

Bo Ye, Quanhua Lu

2

Overview

Unix vs. Security

Basic Unix Security Issues

How to Secure Linux Box

Other Security Issues

Security Tools

Miscellaneous

3

Unix vs. Security

Unix was not designed to be secure.

Unix was designed by researchers to be an easy, friendly way to conduct and share research. (Security = 1 / Convenience)

Unix permissions are pretty much "all-or-nothing" -- root vs. everybody else.

Many Unix administrative functions are in programs external to the kernel, able to be inspected by the world.

4

Your responsibility

Remember that breaking into a computer is a crime. People have been and will be prosecuted and sent to jail for it, so don't get tempted to try it.

If you discover a security problem, you should:

Alert your system administrators (if you aren't the administrator).

Alert the vendor of your version of Unix.

Inform the Computer Emergency Response Team (CERT).

5

Seven Common-sense Rules of Security

Don't put files on your system that are likely to be interesting to hackers.

Plug holes that hackers can use to gain access to your system.

Don't provide places for hackers to build nests on your system.

Set basic traps on systems that are connected to the Internet.

6

Seven Common-sense Rules of Security (cont.)

Monitor the reports generated by these security tools.

Teach yourself about UNIX system security. Traditional know-how and common sense are the most important parts of keeping a site secure.

Prowl around looking for unusual activity.

7

Basic Unix Security Issues

8

/etc/passwd file

Have no accounts without passwords. Regularly verify that every login has a password.

Put the following command in a file, execute it with cron, and have the results mailed:

awk -F: '{ if ($2 == "") print $1 }' /etc/passwd

Avoid accounts with weak passwords. Choose a good password. Use npasswd or passwd+ instead of passwd to force users to select reasonably secure passwords.

Avoid shared accounts: avoid group logins and shared logins.

Use sudo to control access to rootly powers.

9

/etc/passwd files (cont.)

Shadow your passwords: if at all possible, use shadow passwords. "Shadow passwords" put the passwords in a separate file, readable only by root.

Password aging: change passwords regularly. In particular, the root password should be changed on a regular basis.

Beware of extra entries in your passwd file that are UID 0, or any other suspicious entries.

10

/etc/passwd files (cont.)

Rootly entries: regularly verify that only the root login has UID 0 by running the script:

awk -F: '{ if ($3 == 0) print $1 }' /etc/passwd

Modify it to verify group IDs and UIDs of key individuals.
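The two awk checks from the /etc/passwd slides, combined into one audit as an added example (not part of the original slides). The function names, finding labels and sample entries are constructed for illustration, and the GID 0 and duplicate-UID checks go beyond the two tests the slides give.

```shell
#!/bin/sh
# Added example (not from the slides): audit a passwd-format file.
# Findings are printed one per line as "<check> <login> [detail]".
audit_passwd() {
    awk -F: '
        /^#/ || NF == 0         { next }                 # comments, blank lines
        $2 == ""                { print "nopasswd " $1 } # empty password field
        $3 == 0 && $1 != "root" { print "uid0 " $1 }     # extra superuser entry
        $4 == 0 && $1 != "root" { print "gid0 " $1 }     # primary group 0
        seen[$3] != ""          { print "dupuid " $1 " shares-uid-with " seen[$3] }
        seen[$3] == ""          { seen[$3] = $1 }        # first login seen for a UID
    ' "$1"
}

# Constructed sample entries, not taken from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:extra:/root:/bin/sh
bob:x:1000:1002:Bob:/home/bob:/bin/sh
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```

On a system with shadow passwords the second field of /etc/passwd holds only a placeholder, so the empty-password test has to be applied to the second field of the shadow file instead.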

11

Setuid Programs

If you are writing setuid programs, minimize the number of setuid programs and keep the following seven rules in mind:

Don't write setuid shell scripts. You don’t have enough control inside a shell script.

Don't use any library routines that invoke a shell. These include popen() and system().

Don't use execlp() or execvp() to run another program. They allow you to give the program name without the path, which is very dangerous.

12

Setuid Programs (cont.)

Always use full pathnames to identify files and programs.

Don’t rely on any kind of searching mechanism to find files.

Don't make the program setuid to root unless you have to. Make a pseudo-user name or group name instead.

Don't make setuid programs world-readable. This can allow bad guys to attack and exploit your code.

Don’t put secret back-door escapes in your code. These features don’t stay secret for long.

13

Setuid Programs (cont.)

Check regularly for new setuid programs, or for changes in setuid programs. This can help you catch an intruder early on.

Regularly compare the output of the following script to spot clandestine setuid programs:

/usr/bin/find / -user root -perm -4000 -print | /usr/ucb/mail -s "Setuid root files" netadmin
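One way to do the regular comparison the slide asks for, as an added example that is not part of the original slides: take a checksummed snapshot of setuid-root files and diff it against a stored baseline. The function names, the NEW/GONE/CHANGED labels and the snapshot contents are constructed for illustration; using cksum to catch changed files is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the slides): snapshot setuid-root files, then diff snapshots.

# snapshot_setuid DIR: one "checksum size path" line per setuid-root file.
snapshot_setuid() {
    find "$1" -user root -type f -perm -4000 -exec cksum {} + 2>/dev/null
}

# compare_setuid BASELINE CURRENT: prints "NEW|GONE|CHANGED path", sorted.
compare_setuid() {
    awk -v basefile="$1" '
        function key(line)       { sub(/^[0-9]+ [0-9]+ /, "", line); return line }
        function digest(line, f) { split(line, f, " "); return f[1] " " f[2] }
        BEGIN { while ((getline line < basefile) > 0) base[key(line)] = digest(line) }
        { p = key($0); seen[p] = 1 }
        !(p in base)          { print "NEW " p; next }     # not in the baseline
        base[p] != digest($0) { print "CHANGED " p }       # checksum or size differs
        END { for (p in base) if (!(p in seen)) print "GONE " p }
    ' "$2" | sort
}

# Constructed snapshots, not taken from any real system.
sample_baseline() {
    cat <<'EOF'
1054371948 40000 /usr/bin/passwd
2733419080 50000 /usr/bin/su
3960231764 60000 /usr/bin/chsh
EOF
}
sample_current() {
    cat <<'EOF'
1054371948 40000 /usr/bin/passwd
2733419123 50120 /usr/bin/su
812345678 12000 /var/tmp/.cache/helper
EOF
}

# Demo run on the constructed snapshots.
b=$(mktemp); c=$(mktemp)
sample_baseline > "$b"; sample_current > "$c"
compare_setuid "$b" "$c"
rm -f "$b" "$c"
```

Keep the baseline somewhere an intruder on the audited host cannot rewrite it, for example on read-only media or another machine.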

14

Special File Permissions

/dev/kmem (which maps kernel memory) should not be world-readable.

/etc/passwd and /etc/group should not be world-writable (for obvious reasons).

Do not have world-writable anonymous ftp directories.

Give no "world" permissions to disk device files.

15

How to Secure Linux Box

Disable unused services.

User and password security.

Keep used services updated.

Use ssh wherever possible.

Packet filtering.

16

Disable Unused Services

Edit /etc/inetd.conf and comment out unused services: ftp, telnet, rstatd, etc.

Run ‘ps aux’ and examine the output carefully; look for extra daemons: sendmail, named, nfsd, etc. If you don’t need it, kill it.

17

Disable Unused Services (cont.)

Run ‘netstat -a | fgrep LISTEN’ and look for unusual ports. This will print something like this:

tcp 0 0 *:6000 *:* LISTEN

tcp 0 0 *:www *:* LISTEN

tcp 0 0 *:auth *:* LISTEN

tcp 0 0 *:finger *:* LISTEN

tcp 0 0 *:shell *:* LISTEN

tcp 0 0 *:sunrpc *:* LISTEN
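The two checks from the "Disable Unused Services" slides (enabled inetd.conf entries and listening ports), compared against a list of services you intend to offer, as an added example that is not part of the original slides. The function names, the allowlists and the inetd.conf sample are constructed; the netstat sample repeats the output shown above.

```shell
#!/bin/sh
# Added example (not from the slides): flag services outside an allowlist.

# listening_services: reads `netstat -a` output, prints each listening port/service.
listening_services() {
    awk '$NF == "LISTEN" { n = split($4, p, ":"); print p[n] }' | sort -u
}

# inetd_services FILE: service names of entries that are not commented out.
inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# not_allowed NAME...: reads one name per line, prints those not in the arguments.
not_allowed() {
    allowed=" $* "
    while read -r svc; do
        case "$allowed" in *" $svc "*) ;; *) echo "$svc" ;; esac
    done
}

# netstat lines as shown on the slide.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
EOF
}

# Constructed inetd.conf fragment; the server paths are placeholders.
sample_inetd() {
    cat <<'EOF'
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd
#telnet stream tcp nowait root   /usr/sbin/tcpd in.telnetd
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
EOF
}

# Demo: this host is meant to offer only www and auth, and ftp via inetd.
sample_netstat | listening_services | not_allowed www auth
tmp=$(mktemp); sample_inetd > "$tmp"
inetd_services "$tmp" | not_allowed ftp
rm -f "$tmp"
```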

18

Keep Used Services Updated

Install Updateme, a handy script for keeping your system up-to-date.

Learn how your vendor provides software updates! Many packages have security problems discovered with them after release, and Linux vendors will release new versions to fix these.

Red Hat 5.2: <URL: ftp://ftp.redhat.com/linux/redhat-5.2/updates/>

SuSE 6.0: <URL: ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/SuSE-6.0/>

19

User and password Security

Run ‘pwconv’ to turn on shadow passwords.

If possible, get PAM (Pluggable Authentication Modules) installed.

Don’t run routinely as root. Use sudo to aid in delegating root tasks.

20

Installing ssh

Download source: <URL: ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.26.tar.gz>

Unpack source: tar -xzof ssh-1.2.26.tar.gz

Configure: cd ssh-1.2.26; sh configure

Build: make

Install: (as root) make install

You may also wish to install ssh version 2 after version 1.

21

Using ssh

The other end must run the sshd server.

Use it just like telnet or rlogin. As with rlogin, you can use a different remote username by adding ‘-l name’.

Use a config file (see the ssh manpage) to set common parameters persistently.

Use scp to copy files, like rcp. Example: scp pcecs237.cs.umbc.edu:myprog.c .

22

Packet Filtering

Allows you to control what packets reach your machine from the network, and to allow in only data for services you intend to offer.

Helps prevent hostile scanning for accidentally open services.

In Linux 2.0.x look for ipfwadm, in 2.2.x ipchains.

For more information see <URL: http://www.xos.nl/linux/ipfwadm/>

23

Other Security Issues

Remote event logging: use "syslog" to send important events to a secure machine.

Secure terminals: restrict root logins to specific terminals by listing them in /etc/securettys.

Be very careful with /etc/hosts.equiv and .rhosts files

NIS and NFS Security and Sendmail

24

Security Tools

COPS -- Computer Oracle and Password System. COPS does many scans for common security problems on Unix systems. It warns you of problems; you have to fix them.

Crack: tries to guess passwords by using dictionary words, encrypting them, and comparing with the encrypted password.

25

Security Tools (cont.)

TCP wrapper (tcpd): a package that is used to monitor incoming IP connections.

Allows you to selectively block hosts and provides logging of all connections via syslog.

/etc/inetd.conf:

telnet stream tcp nowait root etc/in.telnetd in.telnetd

You can change this to:

telnet stream tcp nowait root /usr/ets/tcpd in.telnetd

26

Security Tools (cont.)

Tripwire: a file integrity checker. Notifies you of changes to important system files.

SATAN: analyzes hosts on your network for certain well-known (and dangerous) vulnerabilities.

27

Miscellaneous

Backups: have regular backups.

To recover from destructive attacks.

To have a known "clean" configuration to compare against.

Trojan horses: be careful with software off the net.

Get software from known sources.

Don't compile things right away.

Don't install it if you can't get source, unless you're sure of what it is.

28

Miscellaneous (cont.)

Packet filtering: controlling access to a network by analyzing the incoming and outgoing packets.

Packet filtering is one technique, among many, for implementing security firewalls.

Kerberos: an authentication system developed at MIT. Uses DES encryption. Requires a secure "authentication" server.