securing linux

attacks from the inside chapters 5,8,9 securing linux

reoccurring theme • kernel updates & patches • application updates & patches • disable not needed services / daemons • disable or remove not needed software • close open ports • strong passwords • restrict root access • restrict physical access

more worries • history scrounging • locate file database –exposing hidden files • lost & found directories • applications with hidden passwords • /tmp file systems • backup file systems • single user booting / live CD boot accessing file system • employee damage intentional and unintentional

introduction • most attacks are internal! – FBI • yet only 9% are reported • root access is the goal • ability to alter system files • ability to alter log files • ability to activate daemons • ability to facilitate future access • strategy: • regular user => system user => root user

overview • basic terminology • social engineering • access to equipment • types of attacks • what comes after root access • countermeasures

basic terminology • trojan horse • a program designed to circumvent security disguised as something benign • must rely on a user to accomplish its goals • must be delivered to a computer system • must be activated on the computer system • malware • malicious software • catch-all term to refer to any software designed to cause damage

basic terminology • virus • more than a simple stand-alone program; once activated it will infect other files on the host • must rely on a user to accomplish its goals • must be delivered to a computer system • must be activated on the computer system • cookies (small text file) • cookies are a legitimate tool used by many websites to track visitor information • the only websites that are supposed to be able to retrieve the information stored in a cookie are the websites that wrote the information

basic terminology • spyware • cookie abuse - they may track your web surfing habits across many different websites without informing you, typically considered as an invasion of privacy • spyware can also do some nasty things to ensure that the spyware keeps running and keeps influencing what you see

trojan horses and viruses • methods of delivery: trojan horse and virus • from friends • usenet / forum posts • e-mail • P2P file sharing • browsing malicious websites • security software: fixes, tests, proofs of concept

trojan horses and viruses • counter-measures: • never run a program from an untrusted source • know what the program does before you run it • run MD5 or SHA1 hash against programs • run the program on a dedicated host • run the program in a chroot jail • never run any program as root user • “when in doubt, throw it out!”

trojan horses and viruses • more specific countermeasures: • verify vendor notices • e.g., confirm e-mail information with web site visit • verify PGP signatures and MD5 checksums • perform a code review (if open source) • be sure to logout / lockscreen when away from computer • be attentive to computer when returning • fake login screen • fake screen saver

trojan horses and viruses • linux has not been susceptible to attacks by viruses • linux systems are much harder to infect • some viruses attack dual boot systems (windows + linux) by attacking from the windows partition • win32 /lindos 1st cross-platform virus

basic terminology • worm • program that can infect both the local host and also remote hosts over a network • does NOT rely on a user to accomplish its goals • a worm is a specific type of virus that propagates itself across many computers

basic terminology • time bomb • usually has malicious intent • typically attacks the host file system • a program designed to activate at some specified time in the future

worms and time bombs • countermeasures: • keep software up to date • monitor • systems logs for suspicious activity • system files for any changes in file properties

social engineering • too often system cracking has nothing to do with computer theory, cracker software, or exotic strategies • system cracking is made trivial by weaknesses in human nature • all social engineering mind games apply as discussed on week 3

social engineering • countermeasures: • be paranoid! perhaps anal is a better word? • question everything • verify the source • ask for identification • just say “no” • educate system users • do not leave passwords on post-it notes • do not leave passwords in desk drawer • pay attention to what you throw away • document shredding policy

limit access to equipment • access to computer / server rooms • limit access to hardware to authorized personnel company and vendors • log access / entry • access to user workstations • most susceptible to social engineering • worker's name • worker's family • post-it notes with passwords • develop a document shredding policy • develop a clean work area policy

boot access • boot access is root access! • if a person can boot a system, then a person owns everything on that system • can copy • can modify • can delete • can reformat the entire device! • a simple boot floppy, boot cd-rom (liveCD), boot USB

boot access • countermeasures: • password protect BIOS • disable all bootable devices except the fixed disk • either a simple short circuit of motherboard • or removal of battery undoes BIOS settings, so ... • place system in a secure and visible room • install security cameras in vulnerable areas • use a chassis lock / server rack locks • hot glue gun to USB ports

boot access • countermeasures (cont'd) • disable the “three-finger salute” [ctrl][alt][delete] • /etc/inittab • either #ca::ctrlaltdel:/sbin/shutdown -t 3 -r now • or ca::ctrlaltdel:/usr/local/sbin/cad_warn • cad_warn is a script file to generate e-mail which identifies users who use the three-finger salute • protect the boot loader configuration • chown root:root grub.conf • chmod 600 grub.conf • password protect all but the default option for the boot loader

boot access • countermeasures (cont'd) • be careful with single-user mode (runlevel 1) • /etc/inittab must contain the entry • su:S:wait:/sbin/sulogin • if /etc/passwd or /etc/shadow have been corrupted • then sulogin will spawn a shell for repair

general user access • even if a cracker has gained access to a user's account, he or she may not be able to take advantage of information • encrypted file systems! • good news: cracker must identify these partitions and mount • bad news: user must remember to unmount these partitions

general user access • examples of encrypted file systems • CFS: Cryptographic File System • TCFS: Transparent Cryptographic File System • BestCrypt File System • PPDD • Loopback Encrypted File System • Steg File System

types of attacks • system configuration • elevating user privileges • password cracking • trail hiding • creating backdoors

attacking system configuration • home directory permissions • often too much visibility to other users, especially if all users belong to a generic “users” group • chmod 700 /home/* /root • chmod go-rwx /home/*/* /root/* • history file information (~/.bash_history) • history scrounging reveal much about you! • make sure history files are only readable by the owner

attacking system configuration • weaknesses in the “locate” database • frequently displays hidden files and secure files to regular users • use the more secure “slocate” utility • many distributions do this by default

attacking system configuration • secure information found in lost+found directories • fsck saves fragments in the lost+found directory • lost+found is often world readable! • find / -name “lost+found” -ok chmod 700 {}\;

attacking system configuration • unmounted backup files • limit access to backup devices • chgrp backup /dev/*rtf0 • chmod 660 /dev/*rtf0 • encrypt tape backups

attacking system configuration • including “.” on PATH for convenience • unlike MSDOS which looks in the current directory first, UNIX only looks along the PATH! • if “.” is not on PATH, then activate program • ./<program> • root user should never have “.” on PATH! • regular users should probably not have “.” on PATH as well

attacking system configuration • mounting file systems “noexec” • this trick is not really very useful! • although the following command will not work • ./sample.sh (shell script) • the following command will work • /bin/bash sample.sh • a program / script is in reality data to be executed by the appropriate interpreter! • “noexec” is only meaningful in conjunction with restricted shells • rbash • rksh

attacking system configuration • links create flexibility • flexibility creates vulnerability • hard link – same i-node • may include important system files • may not cross partition boundary • symbolic link – pointer to a file (its path) • may include important system files • may cross partition boundary • may reference a non-existent file!

attacking system configuration • links (cont'd) • countermeasures: • if possible, create separate partitions for important system directories • / • /boot • /usr • /var • /home • /tmp • be careful when creating temporary files • potential link to capture sensitive data

attacking system configuration • conditional scripts (used by many distributions) • if [ -f /etc/rc.d/rc.serial ] • then • ./etc/rc.d/rc.serial • fi • a trojan horse with such a name (rc.serial) will now run at system startup as root • countermeasures: • make such startup scripts immutable • chattr +i • monitor startup scripts for any changes

attacking system configuration • kernel based attacks • kernel bugs have caused problems • in the past! • in the future! • countermeasures: • upgrade the kernel as needed! • loadable kernel modules may provide a short term solution to kernel problems until a legitimate patch is available

elevating user privileges • who should have root privileges?? • just one person • a handful • anybody • how can we provide additional access • “wheel” group • “sudo” utility • sXid programs

elevating user privileges • “wheel” group • identifies those users who may execute the “su” command to become root • blocks access even if the user knows the root password • so just login as root!!!! • if access is granted then user has full privileges as root user

elevating user privileges • “sudo” utility • allows regular users to perform system administration tasks • e.g., set/change passwords or • monitor and update web pages • “sudo” does not grant full root user privileges

elevating user privileges • be careful with configuration file /etc/sudoers • always user fully-qualified paths • never rely on the default search path • always use front-end scripts to set environment variables correctly • export EDITOR=”/bin/vim” could be replaced by • export EDITOR=”bin/bash”

elevating user privileges • sXid is an all in one suid/sgid monitoring program designed to be run from cron on a regular basis • Basically it tracks any changes in your s[ug]id files and folders. If there are any new ones, ones that aren't set any more, or they have changed bits or other modes then it reports the changes in an easy to read format via email or on the command line.

elevating user privileges • sXid program are dangerous • suid programs execute as a different user • sgid programs execute as a different group • sXid programs are often necessary to achieve the desired result – e.g. to login!!! • however, they open up small holes in the armor • potential risks: • program flaws may be exploited • buffer overflow, input format, race condition • replace with a trojan horse • copies system files such as /etc/passwd or /etc/shadow

elevating user privileges • countermeasures: • minimize the number of sXid programs • make sXid programs immutable • non-root suid programs are unnecessary • create a custom group instead • utilize atomic system calls • mkstemp () system call • mktemp Linux command • analyze sXid programs for: • buffer overflows and valid input checking • activation of other programs

password cracking • password cracking is possible at all levels • from a remote host • as a regular user on a local host • as root user on a local host

password cracking • password cracking from a remote host • brute force attack to gain a foothold • the infamous guest/guest account • how about sysadmin/sysadmin

password cracking • password cracking as a regular user on a local host • subtle attacks to elevate privileges • are system files world readable? • /etc/password or /etc/shadow • are there plain text password files? • apache, samba, mysql • many people use a single password for everything!!! • even if the cracker does not elevate his/her privileges, these accounts can be used to hide work across multiple accounts

password cracking • password cracking as root user on a local host • root user can see everything => /etc/shadow • password cracking software • crack the first • john the ripper the best? password cracking software is CPU intensive • usually run on a compromised system • new user/password pairs potentially provide access to additional computer systems

password cracking • countermeasures: • ensure password files are not world readable • run password cracking software against your own system • identify users with weak passwords and educate them • obtain additional wordlists and dictionaries • packetstormsecurity.org • educate users on good password techniques

password cracking • what are bad passwords: • your name and/or birthday • your pet's name • your phone number • characters from Dilbert, Star Trek, Star Wars, LOTR, ... • non-English words • any of the above backwards

10 Most Common Passwords • password • 123456 • qwerty • abc123 • letmein • monkey • myspace1 • password1 • link182 • (your first name)

password cracking • what are good passwords: • totally random string that include upper case, lower case, digits, and punctuation • example: • pass phrases • I see you you see me too • becomes: • Icuucme2

securing linux

securing linux

Presentation Transcript

Securing change

Securing

Securing VoIP

Securing Personas

Securing Network using Linux

Securing Communications…

Securing OCB

Securing BGP

Securing Schools

IS3440 Linux Security Unit 2 Securing a Linux Platform―Core Components

IS3440 Linux Security Unit 7 Securing the Linux Kernel

IS3440 Linux Security Unit 4 Securing the Linux Filesystem

Securing IT Assets with Linux Presented by:

Securing Linux

Securing the Linux Operating System Erik P. Friebolin

securing linux

Securing PHP

Welcome to Securing Linux Intro to Linux

Securing funding

Securing Email

Securing Email