Security Bo Ye, Quanhua Lu
Overview • Unix vs. Security • Basic Unix Security Issues • How to Secure Linux Box • Other Security Issues • Security Tools • Miscellaneous
Unix vs. Security • Unix was not designed to be secure. • Unix was designed by researchers to be an easy, friendly way to conduct and share research. (Security = 1 / Convenience) • Unix permissions are pretty much "all-or-nothing" -- root vs. everybody else. • Many Unix administrative functions are in programs external to the kernel, able to be inspected by the world.
Your responsibility • Remember that breaking into a computer is a crime. People have been and will be prosecuted and sent to jail for it, so don't get tempted to try it. • If you discover a security problem, you should • Alert your system administrators (if you aren't the administrator). • Alert the vendor of your version of Unix. • Inform the Computer Emergency Response Team (CERT)
Seven Common-sense Rules of Security • Don't put files on your system that are likely to be interesting to hackers. • Plug holes that hackers can use to gain access to your system. • Don't provide places for hackers to build nests on your system. • Set basic traps on systems that are connected to the Internet.
Seven Common-sense Rules of Security (cont.) • Monitor the reports generated by these security tools. • Teach yourself about UNIX system security. Traditional know-how and common sense are the most important parts of keeping a site secure. • Prowl around looking for unusual activity.
/etc/passwd file • Have no accounts without passwords. • Regularly verify that every login has a password. Put: awk -F: '{ if ($2 == "") print $1 }' /etc/passwd in a file, execute it with cron, and have the results mailed. • Avoid accounts with weak passwords. • Choose a good password. • Use npasswd or passwd+ instead of passwd to force users to select reasonably secure passwords. • Avoid shared accounts • Avoid Group Logins and Shared Logins. • Use sudo to control access to rootly powers.
/etc/passwd files (cont.) • Shadow your passwords • If at all possible, use shadow passwords. • "Shadow passwords" put the passwords in a separate file, readable only by root. • Password Aging • Change passwords regularly. In particular, the root password should be changed on a regular basis. • Beware of extra entries in your passwd file that are UID 0, or any other suspicious entries.
/etc/passwd files (cont.) • Rootly Entries • Regularly verify that only the root login has id 0 by running the script: awk -F: '{ if ($3 == 0) print $1 }' /etc/passwd • Modify it to verify group ids and UIDs of key individuals.
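Added example (not from the original slides): the two awk checks above wrapped as shell functions for a cron job, extended to also report UIDs shared by several logins. The function names are assumptions; on shadowed systems the empty-password check reads /etc/shadow, where the password is also field 2.

```sh
#!/bin/sh
# Added example; function names are illustrative, not from the slides.

# Logins whose password field (field 2) is empty. Works on /etc/passwd and
# on /etc/shadow, which keeps the password in the same field.
empty_passwords() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Logins other than root whose UID (field 3) is 0.
extra_uid0() {
    awk -F: '!/^#/ && NF >= 3 && $3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# UIDs held by more than one login, printed as "uid:login1,login2".
shared_uids() {
    awk -F: '!/^#/ && NF >= 3 {
                 n[$3]++
                 who[$3] = (n[$3] > 1 ? who[$3] "," : "") $1
             }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1" | sort
}

# Cron entry point: audit_passwd [PASSWD_FILE [SHADOW_FILE]]
# Prints nothing and returns 0 when clean; otherwise prints the findings
# (cron mails any output) and returns 1.
audit_passwd() {
    pw=${1:-/etc/passwd}
    sh=${2:-/etc/shadow}
    if [ -r "$sh" ]; then src=$sh; else src=$pw; fi
    report=$(
        empty_passwords "$src" | sed 's/^/no password: /'
        extra_uid0 "$pw"       | sed 's/^/uid 0: /'
        shared_uids "$pw"      | sed 's/^/shared uid: /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

The script has to run as root for /etc/shadow to be readable; otherwise it falls back to the password field of /etc/passwd, which on a shadowed system holds only a placeholder.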
Setuid Programs • If you are writing setuid programs: Minimize the number of setuid programs and keep the following seven rules in mind: • Don't write setuid shell scripts. • You don't have enough control inside a shell script. • Don't use any library routines that invoke a shell. • These include popen and system. • Don't use execlp() or execvp() to run another program. • They allow you to give the program name without the path, which is very dangerous.
Setuid Programs (cont.) • Always use full pathnames to identify files and programs. • Don't rely on any kind of searching mechanism to find files. • Don't make the program setuid to root unless you have to. • Make a pseudo-user name or group name instead. • Don't make setuid programs world-readable. • This can allow bad guys to attack and exploit your code. • Don't put secret back-door escapes in your code. • These features don't stay secret for long.
Setuid Programs (cont.) • Check regularly for new setuid programs, or for changes in setuid programs. • Can help you catch an intruder early on. • Regularly compare the output of the following script to spot clandestine setuid programs: /usr/bin/find / -user root -perm -4000 -print | /usr/ucb/mail -s "Setuid root files" netadmin
Special File Permissions • /dev/kmem (which maps kernel memory) should not be world-readable. • /etc/passwd and /etc/group should not be world-writable (for obvious reasons). • Do not have world-writable anonymous ftp directories. • Give no "world" permissions to disk device files.
How to Secure Linux Box • Disable unused services. • User and password security. • Keep used services updated. • Use ssh wherever possible. • Packet filtering.
Disable Unused Services • Edit /etc/inetd.conf and comment out unused services: ftp, telnet, rstatd, etc. • Run 'ps aux' and examine the output carefully; look for extra daemons: sendmail, named, nfsd, etc. • If you don't need it, kill it.
Disable Unused Services (cont.) • Run ‘netstat -a | fgrep LISTEN’ and look for unusual ports. This will print up something like this • tcp 0 0 *:6000 *:* LISTEN • tcp 0 0 *:www *:* LISTEN • tcp 0 0 *:auth *:* LISTEN • tcp 0 0 *:finger *:* LISTEN • tcp 0 0 *:shell *:* LISTEN • tcp 0 0 *:sunrpc *:* LISTEN
Keep Used Services Updated • Install Updateme, a handy script for keeping your system up-to-date. • Learn how your vendor provides software updates! Many packages have security problems discovered with them after release, and Linux vendors will release new versions to fix these. • Red Hat 5.2: • <URL: ftp://ftp.redhat.com/linux/redhat-5.2/updates/> • SuSE 6.0: • <URL: ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/SuSE-6.0/>
User and Password Security • Run 'pwconv' to turn on shadow passwords. • If possible, get PAM (Pluggable Authentication Modules) installed. • Don't run routinely as root. • Use sudo to aid in delegating root tasks.
Installing ssh • Download source: • <URL: ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.26.tar.gz> • Unpack source: tar -xzof ssh-1.2.26.tar.gz • Configure: cd ssh-1.2.26; sh configure • Build: make • Install: (as root) make install • You may also wish to install ssh version 2 after version 1.
Using ssh • The other end must run the sshd server. • Use just like telnet or rlogin. As with rlogin, you can use a different remote username by adding '-l name'. Use a config file (see the ssh manpage) to set common parameters persistently. • Use scp to copy files like rcp. Example: • scp pcecs237.cs.umbc.edu:myprog.c .
Packet Filtering • Allows you to control what packets reach your machine from the network, and only allow in data to services you intend to offer. • Helps prevent hostile scanning for accidentally open services. • In Linux 2.0.x look for ipfwadm, in 2.2.x ipchains. • For more information see • <URL: http://www.xos.nl/linux/ipfwadm/>
Other Security Issues • Remote Event Logging • Use "syslog" to send important events to a secure machine • Secure Terminals • Restrict root logins to specific terminals by listing them in /etc/securetty • Be very careful with /etc/hosts.equiv and .rhosts files • NIS and NFS • Security and Sendmail
Security Tools • COPS -- Computer Oracle and Password System • COPS does many scans for common security problems on Unix systems. • Warns you of problems. You have to fix them. • Crack • Tries to guess passwords by using dictionary words, encrypting them, and comparing with the encrypted password
Security Tools (cont.) • TCP wrapper (tcpd) • A package that is used to monitor incoming IP connections • Allows you to selectively block hosts and provides logging of all connections via syslog • In /etc/inetd.conf, the line: telnet stream tcp nowait root etc/in.telnetd in.telnetd can be changed to: telnet stream tcp nowait root /usr/etc/tcpd in.telnetd
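Added example (not from the original slides): an audit of inetd.conf that covers both the earlier advice to comment out unused services and the tcpd change shown here, listing enabled services outside an allowlist and TCP services still started without tcpd. Function names are assumptions.

```sh
#!/bin/sh
# Added example; function names are assumptions, not from the slides.
# inetd.conf fields: service socket-type protocol wait-flag user server args

# Service names of all entries that are not commented out.
# inetd_enabled FILE
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# Enabled services that are not in the space-separated allowlist.
# inetd_unexpected FILE "svc1 svc2 ..."
inetd_unexpected() {
    inetd_enabled "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " ")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Enabled TCP services whose server program (field 6) is neither tcpd nor an
# inetd built-in ("internal"), i.e. connections that are accepted without
# the wrapper's host checks and syslog record.
# inetd_unwrapped FILE
inetd_unwrapped() {
    awk '!/^[ \t]*#/ && NF >= 6 && $3 ~ /^tcp/ && $6 != "internal" {
             n = split($6, part, "/")
             if (part[n] != "tcpd") print $1
         }' "$1" | sort -u
}
```

For example, inetd_unexpected /etc/inetd.conf "telnet" prints every enabled service other than telnet, and inetd_unwrapped /etc/inetd.conf prints the services whose entries still need the tcpd change.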
Security Tools (cont.) • Tripwire • A file integrity checker • Notifies you of changes to important system files • SATAN • Analyzes hosts on your network for certain well-known (and dangerous) vulnerabilities
Miscellaneous • Backups • Have regular backups • To recover from destructive attacks • To have a known "clean" configuration to compare against • Trojan Horses • Be careful with software off the net • Get software from known sources • Don't compile things right away. • Don't install it if you can't get source, unless you're sure of what it is
Miscellaneous (cont.) • Packet Filtering • Controlling access to a network by analyzing the incoming and outgoing packets • Packet filtering is one technique, among many, for implementing security firewalls • Kerberos • an authentication system developed at MIT • uses DES encryption • requires a secure "authentication" server