Security.

Slides:

Advertisements

Similar presentations

153 Configuring and Securing ARPA/Berkeley Services Version A.01 H3065S Module 13 Slides.

Advertisements

Linux’ Security Haifa Linux Club Orr Dunkelman.

Linux Security An overview notes from Linux Network Security HowTO.

Chapter 21 Security. Computer Center, CS, NCTU 2 Firewall (1)  Using ipfw 1.Add these options in kernel configuration file and recompile the kernel 2.Edit.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Homework 5b: Samba. Computer Center, CS, NCTU 2 Network-based File Sharing (1)  NFS (UNIX-based) mountd is responsible for mount request nfsd and nfsiod.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Firewall Vulnerabilities Presented by Vincent J. Ohm.

Chapter 3 Unix Overview. Figure 3.1 Unix file system.

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

2440: 141 Web Site Administration Remote Web Server Access Tools Instructor: Enoch E. Damson.

Penetration Testing Training Day Capture the Flag Training.

1 Web Server Administration Chapter 9 Extending the Web Environment.

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Linux Security Chapter 21 (section 1-7) By Yanjun Zuo.

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

The Saigon CTT Chapter 16 Remote Connectivity. The Saigon CTT  Objectives  Explain : telnet rsh ssh  Configure FTP.

Daemon issue 14 SSH Port Forwarding Yannis Tsopokis Wednesday, April 26 th 2006.

ITI-481: Unix Administration Meeting 3. Today’s Agenda Hands-on exercises with booting and software installation. Account Management Basic Network Configuration.

Chapter 21 Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories 

Maintain Installed Applications. Computer Center, CS, NCTU 2 In Ports Tree  / Makefile  COMMENT pkg-descr  WWW pkg-message  Shown after installed.

Bugs SATAN scans for It is interesting to look at the bugs SATAN scans for. They are easily detected by the scanners and therefore do not pose a threat.

Inetd...Server of Servers Looks at a number of ports Determines when a service is needed on any of those ports Calls the appropriate server Restarts new.

Linux Services Muhammad Amer. 2 xinetd Programs  In computer networking, xinetd, the eXtended InterNET Daemon, is an open-source super-server daemon.

User Access to Router Securing Access.

Linux security Taeho Oh

 FreeBSD firewalls › ipfw -- IP firewall and traffic shaper control program  ipfw(8) › ipf (IP Filter) - alters packet filtering lists for IP packet.

CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.

Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories 

1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.

Internet Services.  Basically, an Internet Service can be defined as any service that can be accessed through TCP/IP based networks, whether an internal.

SECURITY - HARIPRIYA PURUSHOTHAMAN. SEVEN COMMON – SENSE RULES OF SECURITY Avoid putting files on the system that are likely to be interesting to hackers.

Phil Hurvitz Securing UNIX Servers with the Secure.

1 Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise your system.

Linux Services Configuration

Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories – (1) 

Daemons Ying Zhang CMSC691X, Summer02. Outline  Introduction  Init and Cron  System daemons  Print daemons and NFS daemons  Time synchronization.

Unix network Services. Configuring a network interface In Unix there are essentially two commands that are used to enable TCP/IP. ifconfig route.

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

Enumeration. Definition Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses.

SECURE SHELL MONIKA GUPTA COT OUTLINE What is SSH ? What is SSH ? History History Functions of Secure Shell ? Functions of Secure Shell ? Elements.

SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.

Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.

Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.

Chapter 7: Identifying Advanced Attacks

World Wide Web policy.

Some Practical Security

LINUX ADMINISTRATION

SECURE SHELL MONIKA GUPTA COT 4810.

Exercise 7 Samba.

LINUX ADMINISTRATION 1

Hacking Unix/Linux.

Chapter 21 (section 1-7) By Yanjun Zuo

Chapter 3 Rootly Powers.

Web Server Administration

Overview of Unix Jagdish S. Gangolly School of Business

IS3440 Linux Security Unit 6 Using Layered Security for Access Control

Chapter 27: System Security

Haifa Linux Club Orr Dunkelman

Access Control Lists CCNA 2 v3 – Module 11

Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH

Linux Security.

Daemons & inetd Refs: Chapter 12.

Chapter 7 Network Applications

Presentation transcript:

Security

FreeBSD Security Advisories http://www.freebsd.org/security/advisories.html

FreeBSD Security Advisories Advisory Security information Where to find it Web page (Security Advisories Channel) http://www.freebsd.org

FreeBSD Security Advisories Where to find it freebsd-security-notifications Mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications

FreeBSD Security Advisories Example openssl

FreeBSD Security Advisories CVE-2010-3864 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864

FreeBSD Security Advisories Example Problem Description

FreeBSD Security Advisories Example Workaround

FreeBSD Security Advisories Example Solution Upgrade to Source code patch Binary patch

Common Security Problems Software bugs FreeBSD security advisor portaudit (ports-mgmt/portaudit) Unreliable wetware Phishing site Open doors Account password Disk share with the world

portaudit (1) portaudit Security Output Checks installed ports against a list of security vulnerabilities portaudit –Fda -F: Fetch the current database from the FreeBSD servers. -d: Print the creation date of the database. -a: Print a vulnerability report for all installed packages. Security Output

portaudit (2) portaudit -Fda http://www.freshports.org/<category>/<portname> http://www.freshports.org/databases/postgresql84-server/ auditfile.tbz 100% of 58 kB 38 kBps New database installed. Database created: Tue Nov 17 16:50:00 CST 2009 Affected package: libpurple-2.5.8 Type of problem: pidgin -- MSN overflow parsing SLP messages. Reference: <http://portaudit.FreeBSD.org/59e7af2d-8db7-11de-883b-001e3300a30d.html> Affected package: finch-2.5.8 2 problem(s) in your installed packages found. You are advised to update or deinstall the affected package(s) immediately.

portaudit (3)

Common trick Tricks Objective ssh scan and hack Phishing ssh guard sshit … Phishing XSS & sql injection Objective Spam Jump gateway File sharing

Process file system - procfs A view of the system process table Normally mount on /proc mount –t procfs proc /proc

Simple SQL injection example User/pass authentication No input validation SELECT * FROM usrTable WHERE user = AND pass = ; SELECT * FROM usrTable WHERE user = ‘test’ AND pass = ‘a’ OR ‘a’ = ‘a’

setuid program passwd /etc/master.passwd is of mode 600 (-rw-------) ! Setuid shell scripts are especially apt to cause security problems Minimize the number of setuid programs Disable the setuid execution on individual filesystems -o nosuid zfs[~] -chiahung- ls -al /usr/bin/passwd -r-sr-xr-x 2 root wheel 8224 Dec 5 22:00 /usr/bin/passwd /usr/bin/find / -user root –perm -4000 –print | /bin/mail –s “Setuid root files” username

Security issues /etc/hosts.equiv and ~/.rhosts Trusted remote host and user name DB Allow user to login (via rlogin) and copy files (rcp) between machines without passwords Format: Simple: hostname [username] Complex: [+-][hostname|@netgroup] [[+-][username|@netgorup]] Example bar.com foo (trust user “foo” from host “bar.com”) +@adm_cs_cc (trust all from amd_cs_cc group) +@adm_cs_cc -@chwong Do not use this

Why not su nor sudo? Becoming other users A pseudo-user for services, sometimes shared by multiple users sudo –u news –s (?) /etc/inetd.conf login stream tcp nowait root /usr/libexec/rlogind rlogind ~notftpadm/.rhosts localhost wangyr rlogin -l news localhost User_Alias newsTA=wangyr Runas_Alias NEWSADM=news newsTA ALL=(NEWSADM) ALL Too dirty!

Security tools nmap john, crack PGP CA … Firewall TCP Wrapper

TCP Wrapper There are something that a firewall will not handle Sending text back to the source TCP wrapper Extend the abilities of inetd Provide support for every server daemon under its control Logging support Return message Permit a daemon to only accept internal connetions

TCP Wrapper TCP Wrapper Provide support for every server daemon under its control

TCP Wrapper To see what daemons are controlled by inetd, see /etc/inetd.conf TCP wrapper should not be considered a replacement of a good firewall. Instead, it should be used in conjunction with a firewall or other security tools #ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l #ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l #telnet stream tcp nowait root /usr/libexec/telnetd telnetd #telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd shell stream tcp nowait root /usr/libexec/rshd rshd #shell stream tcp6 nowait root /usr/libexec/rshd rshd login stream tcp nowait root /usr/libexec/rlogind rlogind #login stream tcp6 nowait root /usr/libexec/rlogind rlogind

TCP Wrapper To use TCP wrapper inetd daemon must start up with “-Ww” option (default) Or edit /etc/rc.conf Edit /etc/hosts.allow Format: daemon:address:action daemon is the daemon name which inetd started address can be hostname, IPv4 addr, IPv6 addr action can be “allow” or “deny” Keyword “ALL” can be used in daemon and address fields to means everything inetd_enable="YES" inetd_flags="-wW"

/etc/hosts.allow First rule match semantic example Meaning that the configuration file is scanned in ascending order for a matching rule When a match is found, the rule is applied and the search process will stop example ALL : localhost, loghost @adm_cc_cs : allow ptelnetd pftpd sshd: @sun_cc_cs, @bsd_cc_cs, @linux_cc_cs : allow ptelnetd pftpd sshd: zeiss, chbsd, sabsd : allow identd : ALL : allow portmap : 140.113.17. ALL : allow sendmail : ALL : allow rpc.rstatd : @all_cc_cs 140.113.17.203: allow rpc.rusersd : @all_cc_cs 140.113.17.203: allow ALL : ALL : deny

/etc/hosts.allow Advance configuration External commands (twist option) twist will be called to execute a shell command or script External commands (spawn option) spawn is like twist, but it will not send a reply back to the client # The rest of the daemons are protected. telnet : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h." # We do not allow connections from example.com: ALL : .example.com \ : spawn (/bin/echo %a from %h attempted to access %d >> \ /var/log/connections.log) \ : deny

/etc/hosts.allow See Wildcard (PARANOID option) Match any connection that is made from an IP address that differs from its hostname See man 5 hosts_access man 5 hosts_options # Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny

When you perform any change. Philosophy of SA Know how things really work. Plan it before you do it. Make it reversible Make changes incrementally. Test before you unleash it .