Security
Transcript of Security
2
Overview
Unix vs. Security
Basic Unix Security Issues
How to Secure Linux Box
Other Security Issues
Security Tools
Miscellaneous
3
Unix vs. Security
Unix was not designed to be secure. Unix was designed by researchers to be
an easy, friendly way to conduct and share research. (Security = 1 / Convenience)
Unix permissions are pretty much "all-or-nothing" -- root vs. everybody else.
Many Unix administrative functions are in programs external to the kernel, able to be inspected by the world.
4
Your responsibility
Remember that breaking into a computer is a crime. People have been and will be prosecuted and sent to jail for it, so don't get tempted to try it.
If you discover a security problem, you should:
  Alert your system administrators (if you aren't the administrator).
  Alert the vendor of your version of Unix.
  Inform the Computer Emergency Response Team (CERT).
5
Seven Common-sense Rules of Security
Don't put files on your system that are likely to be interesting to hackers.
Plug holes that hackers can use to gain access to your system.
Don't provide places for hackers to build nests on your system.
Set basic traps on systems that are connected to the Internet.
6
Seven Common-sense Rules of Security (cont.)
Monitor the reports generated by these security tools.
Teach yourself about UNIX system security. Traditional know-how and common sense are the most important parts of site security.
Prowl around looking for unusual activity.
8
/etc/passwd file
Have no accounts without passwords.
  Regularly verify that every login has a password.
  Put: awk -F: '{ if ($2 == "") print $1 }' /etc/passwd
  in a file, execute it with cron, and have the results mailed.
Avoid accounts with weak passwords.
  Choose a good password.
  Use npasswd or passwd+ instead of passwd to force users to select reasonably secure passwords.
Avoid shared accounts.
  Avoid group logins and shared logins.
Use sudo to control access to rootly powers.
9
/etc/passwd files (cont.)
Shadow your passwords
  If at all possible, use shadow passwords. "Shadow passwords" put the passwords in a separate file, readable only by root.
Password aging
  Change passwords regularly. In particular, the root password should be changed on a regular basis.
Beware of extra entries in your passwd file that are UID 0, or any other suspicious entries.
10
/etc/passwd files (cont.)
Rootly entries
  Regularly verify that only the root login has id 0 by running the script:
  awk -F: '{ if ($3 == 0) print $1 }' /etc/passwd
  Modify it to verify group ids and UIDs of key individuals.
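The two awk checks from the /etc/passwd slides (empty password field, extra UID 0 logins), combined into one cron-friendly audit; this is an added example, not part of the original slides. It goes beyond the slides by also checking the shadow file, since with shadow passwords the password field in /etc/passwd no longer holds the password. The function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: audit passwd-format files.

# Logins whose password field (field 2) is empty. /etc/passwd and /etc/shadow
# both keep the login in field 1 and the password in field 2.
empty_password_logins() {
    awk -F: '!/^#/ && NF > 1 && $2 == "" { print $1 }' "$1"
}

# Logins other than root whose UID (field 3 of /etc/passwd) is 0.
extra_uid0_logins() {
    awk -F: '!/^#/ && $3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# Print one finding per line; return 1 if anything was found.
# With shadow passwords, field 2 of passwd is only a placeholder, so the
# shadow file (readable only by root) is checked as well when it is readable.
audit_accounts() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    findings=$(
        empty_password_logins "$passwd_file" | sed 's/^/EMPTY-PASSWORD passwd /'
        if [ -r "$shadow_file" ]; then
            empty_password_logins "$shadow_file" | sed 's/^/EMPTY-PASSWORD shadow /'
        fi
        extra_uid0_logins "$passwd_file" | sed 's/^/EXTRA-UID0 /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Constructed sample data so the example runs offline.
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
guest::1002:100:Guest:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
EOF
cat > "$demo/shadow" <<'EOF'
root:*:10000:0:99999:7:::
alice::10000:0:99999:7:::
guest::10000:0:99999:7:::
toor:*:10000:0:99999:7:::
EOF
audit_accounts "$demo/passwd" "$demo/shadow" || true
rm -rf "$demo"
```

Run from root's crontab with no arguments, the function reads the live files; cron mails any output, so an empty mailbox means no findings.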
11
Setuid Programs
If you are writing setuid programs:
Minimize the number of setuid programs and keep the following seven rules in mind:
Don't write setuid shell scripts.
  You don’t have enough control inside a shell script.
Don't use any library routines that invoke a shell.
  These include popen and system.
Don't use execlp() or execvp() to run another program.
  They allow you to give the program name without the path, which is very dangerous.
12
Setuid Programs (cont.)
Always use full pathnames to identify files and programs.
  Don’t rely on any kind of searching mechanism to find files.
Don't make the program setuid to root unless you have to.
  Make a pseudo-user name or group name instead.
Don't make setuid programs world-readable.
  This can allow bad guys to attack and exploit your code.
Don’t put secret back-door escapes in your code.
  These features don’t stay secret for long.
13
Setuid Programs (cont.)
Check regularly for new setuid programs, or for changes in setuid programs.
  This can help you catch an intruder early on.
Regularly compare the output of the following script to spot clandestine setuid programs.
  /usr/bin/find / -user root -perm -4000 -print | /usr/ucb/mail -s "Setuid root files" netadmin
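One way to automate the "regularly compare the output" step, so the mail contains only what changed since a saved baseline; this is an added example, not part of the original slides. The function names, the baseline location and the sample snapshot lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: spot new or changed setuid-root files.

# One line per setuid-root file: "checksum size path". cksum is a CRC, enough
# to notice careless changes but not a cryptographic hash.
snapshot_setuid() {
    find "${1:-/}" -type f -user root -perm -4000 -exec cksum {} + 2>/dev/null |
        sort -k 3
}

# Compare a saved snapshot ($1) with a fresh one ($2).
# Prints NEW, CHANGED or REMOVED followed by the path; prints nothing if equal.
compare_snapshots() {
    { sed 's/^/old /' "$1"; sed 's/^/new /' "$2"; } | awk '
        { path = $0; sub(/^[a-z]+ [0-9]+ [0-9]+ /, "", path); sig = $2 " " $3 }
        $1 == "old" { old[path] = sig; next }
        { seen[path] = 1
          if (!(path in old))        print "NEW " path
          else if (old[path] != sig) print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' | sort
}

# Constructed snapshots (checksums and sizes are made up) for an offline demo.
demo=$(mktemp -d)
cat > "$demo/baseline" <<'EOF'
1111111111 30000 /usr/bin/passwd
2222222222 40000 /usr/bin/su
3333333333 12000 /usr/bin/newgrp
EOF
cat > "$demo/today" <<'EOF'
1111111111 30000 /usr/bin/passwd
9999999999 40100 /usr/bin/su
4444444444 8000 /var/tmp/helper
EOF
compare_snapshots "$demo/baseline" "$demo/today"
rm -rf "$demo"

# Typical cron use, with a hypothetical baseline kept on read-only media:
#   today=$(mktemp); snapshot_setuid / > "$today"
#   compare_snapshots /mnt/baseline/setuid.list "$today" |
#       mail -s "Setuid root files" netadmin
```

Keep the baseline somewhere an intruder with root on the box cannot rewrite it, otherwise the comparison proves nothing.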
14
Special File Permissions
/dev/kmem (which maps kernel memory) should not be world-readable.
/etc/passwd and /etc/group should not be world-writable (for obvious reasons).
Do not have world-writable anonymous ftp directories.
Give no "world" permissions to disk device files.
15
How to Secure Linux Box
Disable unused services.
User and password security.
Keep used services updated.
Use ssh wherever possible.
Packet filtering.
16
Disable Unused Services
Edit /etc/inetd.conf and comment out unused services: ftp, telnet, rstatd, etc.
Run ‘ps aux’ and examine the output carefully; look for extra daemons: sendmail, named, nfsd, etc. If you don’t need it, kill it.
17
Disable Unused Services (cont.)
Run ‘netstat -a | fgrep LISTEN’ and look for unusual ports. This will print something like this:
  tcp 0 0 *:6000 *:* LISTEN
  tcp 0 0 *:www *:* LISTEN
  tcp 0 0 *:auth *:* LISTEN
  tcp 0 0 *:finger *:* LISTEN
  tcp 0 0 *:shell *:* LISTEN
  tcp 0 0 *:sunrpc *:* LISTEN
18
Keep Used Services Updated
Install Updateme, a handy script for keeping your system up-to-date.
Learn how your vendor provides software updates! Many packages have security problems discovered with them after release, and Linux vendors will release new versions to fix these.
Red Hat 5.2: <URL: ftp://ftp.redhat.com/linux/redhat-5.2/updates/>
SuSE 6.0: <URL: ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/SuSE-6.0/>
19
User and password Security
Run ‘pwconv’ to turn on shadow passwords.
If possible, get PAM (Pluggable Authentication Modules) installed.
Don’t run routinely as root. Use sudo to aid in delegating root tasks.
20
Installing ssh
Download source: <URL: ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.26.tar.gz>
Unpack source: tar -xzof ssh-1.2.26.tar.gz
Configure: cd ssh-1.2.26; sh configure
Build: make
Install: (as root) make install
You may also wish to install ssh version 2 after version 1.
21
Using ssh
Other end must run sshd server.
Use just like telnet or rlogin.
Like rlogin, can use a different remote username by adding ‘-l name’.
Use config file (see ssh manpage) to set common parameters persistently.
Use scp to copy files like rcp.
  Example: scp pcecs237.cs.umbc.edu:myprog.c .
22
Packet Filtering
Allows you to control which packets reach your machine from the network, and to allow in only data for services you intend to offer.
Helps prevent hostile scanning for accidentally open services.
In Linux 2.0.x look for ipfwadm, in 2.2.x ipchains.
For more information see <URL: http://www.xos.nl/linux/ipfwadm/>
23
Other Security Issues
Remote Event Logging
  Use "syslog" to send important events to a secure machine
Secure Terminals
  Restrict root logins to specific terminals by listing them in /etc/securetty
Be very careful with /etc/hosts.equiv and .rhosts files
NIS and NFS Security and Sendmail
24
Security Tools
COPS -- Computer Oracle and Password System
  COPS does many scans for common security problems on Unix systems.
  Warns you of problems. You have to fix them.
Crack
  Tries to guess passwords by using dictionary words, encrypting them, and comparing with the encrypted password
25
Security Tools (cont.)
TCP wrapper (tcpd)
  A package that is used to monitor incoming IP connections
  Allows you to selectively block hosts and provides logging of all connections via syslog
  /etc/inetd.conf:
    telnet stream tcp nowait root /usr/etc/in.telnetd in.telnetd
  you can change this to:
    telnet stream tcp nowait root /usr/etc/tcpd in.telnetd
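A check that ties the inetd.conf advice together (comment out what you do not need, start the rest through tcpd); this is an added example, not part of the original slides. The function name, verdict labels and the sample file with its daemon paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: review the services enabled in inetd.conf.

# $1 = inetd.conf path, $2 = space-separated list of services you really need.
# inetd.conf fields: service socket-type protocol wait user server-path args
# Prints "<service> <verdict>" for every enabled (uncommented) entry:
#   DISABLE      not on the needed list, comment it out
#   WRAP         needed, but started directly instead of through tcpd
#   OK-wrapped   needed and started through tcpd
#   OK-internal  needed and served by inetd itself (no program to wrap)
audit_inetd() {
    awk -v needed="$2" '
        BEGIN { n = split(needed, list, " ")
                for (i = 1; i <= n; i++) keep[list[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }
        !($1 in keep)        { print $1, "DISABLE"; next }
        $6 == "internal"     { print $1, "OK-internal"; next }
        $6 ~ /(^|\/)tcpd$/   { print $1, "OK-wrapped"; next }
                             { print $1, "WRAP" }
    ' "$1"
}

# Constructed sample file; the daemon paths are illustrative.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# service type  proto wait   user   server               args
ftp     stream  tcp   nowait root   /usr/sbin/tcpd       in.ftpd -l
telnet  stream  tcp   nowait root   /usr/sbin/in.telnetd in.telnetd
#shell  stream  tcp   nowait root   /usr/sbin/in.rshd    in.rshd
finger  stream  tcp   nowait nobody /usr/sbin/tcpd       in.fingerd
daytime stream  tcp   nowait root   internal
EOF
audit_inetd "$demo" "ftp telnet daytime"
rm -f "$demo"
```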
26
Security Tools (cont.)
Tripwire
  A file integrity checker
  Notifies you of changes to important system files
SATAN
  Analyzes hosts on your network for certain well-known (and dangerous) vulnerabilities
27
Miscellaneous
Backups
  Have regular backups
  To recover from destructive attacks
  To have a known "clean" configuration to compare against
Trojan Horses
  Be careful with software off the net
  Get software from known sources
  Don't compile things right away.
  Don't install it if you can't get source, unless you're sure of what it is
28
Miscellaneous (cont.)
Packet Filtering
  Controlling access to a network by analyzing the incoming and outgoing packets
  Packet filtering is one technique, among many, for implementing security firewalls
Kerberos
  An authentication system developed at MIT
  Uses DES encryption
  Requires a secure "authentication" server