CIT 380: Securing Computer Systems
UNIX Service Security
Topics
- The Boot Process
- Linux Services
- Inetd
- Cron
- Network Services
UNIX Boot Process
- /etc/inittab controls which run level the system boots into:
    0  Single User Mode
    2  Network Boot
    3  Multiuser Boot
    5  X-Windows
    6  Reboot
- init executes the start scripts for that run level.
- The scripts are stored in the /etc/rc#.d directories.
SYSV-Style Boot Scripts
- /etc/init.d: actual location of the boot scripts.
- /etc/rc.d: files are links to the /etc/init.d scripts, executed in ASCII order during the boot process.
    K##servername stops a server process (runs /etc/init.d/servername stop).
    S##servername starts a server process (runs /etc/init.d/servername start).
Linux Run Levels

  Number  Name          Login  Network  Filesystems
  0       Halt
  1       Single User   Text   Down     Unmounted
  2       Undefined
  3       Multiuser            Up       Mounted
  4
  5       Multiuser X   GUI
  6       Reboot

You can change the run level using /sbin/init #
Linux Services
- Servers started at boot:
    Started from the /etc/rc.d scripts.
    Perpetually running daemon processes.
    Examples: nfsd, httpd, and sendmail.
- Servers that run only when requested:
    Started from inetd.
    Handle a single request, then terminate.
    Examples: fingerd, ftpd, telnetd.
Managing RedHat Linux Services
- /sbin/service
    status: is the service running or not?
    start: starts the service
    stop: stops the service
    restart: stops, then restarts the service
    --status-all: status of all services
- Examples:
    > /sbin/service sendmail status
    sendmail is stopped
    > /sbin/service sshd status
    sshd (pid 21149 21147 4276) is running...
    > /sbin/service sendmail start
    Permission denied                                  [FAILED]
    > su
    Password:
    # /sbin/service sendmail start
    Starting sendmail:                                 [  OK  ]
    Starting sm-client:                                [  OK  ]
    # /sbin/service sendmail stop
Configuring Boot Time Services
- /sbin/chkconfig
    --list: show the current service configuration
    --add script: add a new service whose startup script will be added to /etc/init.d
    --del service: remove a service
    --level X [on|off] service: cause the service to be started (or not) when booting into run level X
Configuring Boot Time Services
    # chkconfig --list
    atd        0:off 1:off 2:off 3:on  4:on  5:on
    crond      0:off 1:off 2:on  3:on  4:on  5:on
    ypbind     0:off 1:off 2:off 3:on  4:on  5:on
    iptables   0:off 1:off 2:on  3:on  4:on  5:on
    sshd       0:off 1:off 2:on  3:on  4:on  5:on
    snmpd      0:off 1:off 2:off 3:off 4:off 5:off
    syslog     0:off 1:off 2:on  3:on  4:on  5:on
    …
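A way to turn the chkconfig listing above into a hardening check, as an added example (not code from the lecture): it parses `chkconfig --list` output and compares the services enabled at the multiuser run levels against a baseline of services the host is supposed to run. The baseline set and the sample listing are constructed for this example.

```python
"""Audit `chkconfig --list` output against a per-host baseline (added example)."""

# Constructed sample in the format chkconfig prints (run level 6 included).
SAMPLE_CHKCONFIG = """\
atd       0:off 1:off 2:off 3:on  4:on  5:on  6:off
crond     0:off 1:off 2:on  3:on  4:on  5:on  6:off
ypbind    0:off 1:off 2:off 3:on  4:on  5:on  6:off
iptables  0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
snmpd     0:off 1:off 2:off 3:off 4:off 5:off 6:off
syslog    0:off 1:off 2:on  3:on  4:on  5:on  6:off
"""

# Hypothetical baseline for a headless server: everything else is "unused".
EXPECTED = {"crond", "iptables", "sshd", "syslog"}
BOOT_LEVELS = (3, 5)          # multiuser text and multiuser X

def parse_chkconfig(text):
    """Return {service: {runlevel: enabled}} from chkconfig --list output."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue                      # skip blank lines and xinetd sub-lists
        levels = {}
        for tok in fields[1:]:
            lvl, state = tok.split(":", 1)
            levels[int(lvl)] = (state == "on")
        table[fields[0]] = levels
    return table

def unexpected_services(table, expected=EXPECTED, levels=BOOT_LEVELS):
    """Services switched on at a boot run level that the baseline does not list."""
    return sorted(
        svc for svc, st in table.items()
        if svc not in expected and any(st.get(lvl, False) for lvl in levels)
    )

def missing_services(table, expected=EXPECTED, levels=BOOT_LEVELS):
    """Baseline services that are absent or off at every boot run level."""
    return sorted(
        svc for svc in expected
        if not any(table.get(svc, {}).get(lvl, False) for lvl in levels)
    )

if __name__ == "__main__":
    t = parse_chkconfig(SAMPLE_CHKCONFIG)
    for svc in unexpected_services(t):
        print(f"disable: chkconfig --level 345 {svc} off")
    for svc in missing_services(t):
        print(f"enable:  chkconfig --level 35 {svc} on")
```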
inetd
- Centralizes startup of lightweight network servers.
- /etc/inetd.conf fields:
    Server name, as given in /etc/services.
    Socket type: stream or datagram.
    Protocol type: tcp/tcp6 (stream), udp/udp6 (dgram).
    Wait/nowait:
      wait: the server will process all subsequent connections.
      nowait: inetd will start a new server for each connection.
    User: which UID to run the process with.
    Command and args: server filename and command-line arguments.
/etc/inetd.conf
    ftp      stream  tcp6  nowait  root    /usr/sbin/in.ftpd     in.ftpd
    telnet   stream  tcp6  nowait  root    /usr/sbin/in.telnetd  in.telnetd
    shell    stream  tcp   nowait  root    /usr/sbin/in.rshd     in.rshd
    login    stream  tcp6  nowait  root    /usr/sbin/in.rlogind  in.rlogind
    exec     stream  tcp   nowait  root    /usr/sbin/in.rexecd   in.rexecd
    talk     dgram   udp   wait    root    /usr/sbin/in.talkd    in.talkd
    uucp     stream  tcp   nowait  root    /usr/sbin/in.uucpd    in.uucpd
    finger   stream  tcp6  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
    time     stream  tcp6  nowait  root    internal
    time     dgram   udp6  wait    root    internal
    echo     stream  tcp6  nowait  root    internal
    echo     dgram   udp6  wait    root    internal
    discard  stream  tcp6  nowait  root    internal
    discard  dgram   udp6  wait    root    internal
    daytime  stream  tcp6  nowait  root    internal
    chargen  stream  tcp6  nowait  root    internal
    chargen  dgram   udp6  wait    root    internal
Securing inetd
- Use TCP wrappers:
    Replace the server command with tcpd.
    Uses ACLs based on source IP address: /etc/hosts.allow, /etc/hosts.deny.
- Use xinetd:
    inetd with built-in TCP wrapper ACLs.
    Uses the /etc/xinetd.d configuration directory.
- Use a host-based firewall: iptables for Linux.
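The inetd.conf format and the hardening advice above, combined into a small review script. This is an added example, not code from the lecture: it parses the seven inetd.conf columns and reports entries that should be disabled, that run as root, or that are not wrapped by tcpd. The sample configuration is constructed.

```python
"""Flag risky /etc/inetd.conf entries (added example, not from the slides)."""
from dataclasses import dataclass, field

# Reasons the slides give for retiring each legacy service.
DISABLE_ADVICE = {
    "ftp":    "cleartext passwords; use ssh/scp",
    "telnet": "cleartext login; use ssh",
    "shell":  "trusts ~/.rhosts; use ssh",
    "login":  "trusts ~/.rhosts; use ssh",
    "exec":   "cleartext passwords; use ssh",
    "finger": "leaks user information",
}
INTERNAL_TEST = {"echo", "chargen", "discard", "daytime", "time"}

@dataclass
class InetdEntry:
    service: str
    socktype: str      # stream or dgram
    proto: str         # tcp, tcp6, udp, udp6
    wait: str          # wait or nowait
    user: str          # UID the server runs as
    server: str        # program path, or "internal"
    args: list = field(default_factory=list)

def parse_inetd_conf(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        entries.append(InetdEntry(f[0], f[1], f[2], f[3], f[4], f[5], f[6:]))
    return entries

def audit(entries):
    """Return (service, finding) pairs, one per issue, in file order."""
    findings = []
    for e in entries:
        reason = DISABLE_ADVICE.get(e.service)
        if reason is None and e.service in INTERNAL_TEST:
            reason = "internal test service"
        if reason:
            findings.append((e.service, "disable: " + reason))
        if e.server == "internal":
            continue                           # nothing else to harden
        if e.user == "root":
            findings.append((e.service, "runs as root; use an unprivileged user if possible"))
        if not e.server.endswith("/tcpd"):
            findings.append((e.service, "not wrapped by tcpd; no hosts.allow/hosts.deny ACL"))
        if (e.socktype, e.wait) not in (("stream", "nowait"), ("dgram", "wait")):
            findings.append((e.service, f"unusual {e.socktype}/{e.wait} pairing"))
    return findings

# Constructed excerpt in inetd.conf format (telnet and finger already wrapped).
SAMPLE = """\
ftp     stream  tcp6  nowait  root    /usr/sbin/in.ftpd  in.ftpd
telnet  stream  tcp6  nowait  root    /usr/sbin/tcpd     in.telnetd
finger  stream  tcp6  nowait  nobody  /usr/sbin/tcpd     in.fingerd
echo    stream  tcp6  nowait  root    internal
"""
```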
cron
- Daemon to run scheduled programs.
- Configuration: /etc/crontab
    minute hour day month dow program
      minute        0-59
      hour          0-23
      day of month  1-31
      month         1-12 (or names)
      day of week   0-7 (0 or 7 is Sun)
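A validator for the crontab field format described above, added here as an example (not code from the lecture). It enforces the slide's ranges, accepts month and day names and the usual `*`, list, range and `/step` forms, treats 7 as Sunday, and applies cron's rule that when both day-of-month and day-of-week are restricted the job runs when either matches. The slide's six-column line layout is assumed (no user column).

```python
"""Validate crontab schedule fields (added example, not from the slides)."""

MONTHS = {m: i + 1 for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}
DAYS = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}

def _num(tok, names):
    t = tok.lower()
    if t in names:
        return names[t]
    if not t.isdigit():
        raise ValueError(f"bad value {tok!r}")
    return int(t)

def parse_field(spec, lo, hi, names=None):
    """Expand one field into the set of integers it matches."""
    names = names or {}
    values = set()
    for item in spec.split(","):
        step = 1
        if "/" in item:
            item, step_s = item.split("/", 1)
            step = int(step_s) if step_s.isdigit() and int(step_s) > 0 else 0
            if not step:
                raise ValueError(f"bad step in {spec!r}")
        if item == "*":
            start, end = lo, hi
        elif "-" in item:
            a, b = item.split("-", 1)
            start, end = _num(a, names), _num(b, names)
        elif step != 1:
            raise ValueError(f"step needs a range or '*' in {spec!r}")
        else:
            start = end = _num(item, names)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{spec!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_crontab_line(line):
    """Return (schedule, program) for one 'min hour day month dow program' line."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("need five time fields and a program")
    mi, hr, dom, mon, dow, program = parts
    sched = {
        "minute": parse_field(mi, 0, 59),
        "hour": parse_field(hr, 0, 23),
        "day": parse_field(dom, 1, 31),
        "month": parse_field(mon, 1, 12, MONTHS),
        "dow": parse_field(dow, 0, 7, DAYS),
        # a field beginning with '*' is unrestricted; see fires_at()
        "day_restricted": not dom.startswith("*"),
        "dow_restricted": not dow.startswith("*"),
    }
    if 7 in sched["dow"]:                   # 7 is an alias for Sunday
        sched["dow"].discard(7)
        sched["dow"].add(0)
    return sched, program

def fires_at(sched, minute, hour, day, month, dow):
    """Does the schedule match this instant? (dow: 0 = Sunday, as in cron)"""
    if minute not in sched["minute"] or hour not in sched["hour"] or month not in sched["month"]:
        return False
    day_ok, dow_ok = day in sched["day"], dow in sched["dow"]
    if sched["day_restricted"] and sched["dow_restricted"]:
        return day_ok or dow_ok             # cron runs when EITHER day field matches
    return day_ok and dow_ok
```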
Application Security Flaws
Both remote and local attacks exploit the same software security flaws we've discussed in the past:
- Buffer overflow
- Canonicalization bugs (directory traversal)
- Race conditions
- Input validation flaws
- Insecure configuration
Sun RPC
- Remote Procedure Call (RPC) services:
    RPC is an alternative to sending messages.
    CORBA and Java RMI are other RPC types.
- Sun RPC:
    Common RPC method for UNIX network services.
    XDR is used to represent binary data with a uniform byte order and network encoding.
portmapper
- portmap/rpcbind process:
    Dynamically allocates TCP/UDP ports to RPC servers when they start.
    When a client requests access to an RPC server, the portmapper tells the client which port that server is currently using.
- Disadvantage: complicates firewalls, as there is no constant port number to filter.
rpcinfo
    > rpcinfo -p sun16
    program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp  32781  status
    100024    1   tcp  32773  status
    100232   10   udp  32782  sadmind
    100011    1   udp  32784  rquotad
    100002    2   udp  32787  rusersd
    100002    3   udp  32787  rusersd
RPC Security
- Services listed by the portmapper may not be running:
    The portmapper may use the list in /etc/rpc.
    Some services may be started by inetd.
- RPC authentication:
    AUTH_NONE: default anonymous access.
    AUTH_DES: "Secure RPC", uses encryption.
    AUTH_KRB: uses Kerberos security.
NFS
- Network FileSystem
    RPC service running on port 2049.
    Stateless, but auxiliary protocols provide some state.
- NFS filehandles: the unique identifier a client uses to refer to a file, built from:
    filesystem identifier: identifies the partition containing the file
    file identifier: inode of the file
    generation count: incremented when the inode is unlinked and recreated
- Easily guessable:
    fsid and generation count are small integers
    inode: 2 for the root directory, 3 for lost+found (fsirand randomizes these)
NFS processes
- nfsd
    Performs file transfers.
    Many (8-64) nfsd's run on NFS servers.
- mountd
    Allows clients to mount NFS filesystems.
    Gives the filesystem identifier to the client.
- lockd
    Provides file locking over NFS.
- statd
    Keeps state to allow for lock recovery in case of a program/host crash.
NFS mounts
- Server can share/export filesystems.
- Unsharing/unexporting a filesystem does not disallow access to clients who currently have the filesystem mounted.
- /etc/dfs/dfstab (Solaris):
    share -F nfs -o rw /home
    share -F nfs -o ro=unixhosts /usr/man2
    share -F nfs -o rw=unixhosts /usr/local
- Limit access to read-only (ro) or read-write (rw).
- Limit access to a netgroup of hosts (unixhosts).
NFS mounts (cont'd)
    > showmount -e 10.0.0.1
    export list for 10.0.0.1:
    /home      (everyone)
    /usr/man2  unixhosts
    /usr/local unixhosts
    > mount 10.0.0.1:/home /mnt/home
NFS Security
- Uses standard UNIX user/group file ACLs.
- Root is mapped to user nobody:
    Clients cannot override root permissions as a result.
- A client can bypass all other file ACLs by changing UID and GID as needed:
    NFS shell automates the attack with an ftp-like interface.
    Users bin and daemon often own dangerous files.
    If home directories are exported, an attacker can trojan horse login files to gain access.
NFS Recommendations
- Disable if not required.
- Disable lockd + statd if locking is not required.
- Only export necessary directories:
    Limit mounts to subdirectories of the filesystem.
    Limit mounts to read-only access if possible.
    Limit mounts to a trusted set of hosts.
- Set security options: nosub, nosuid.
- Run fsirand to randomize inodes.
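The dfstab entries from the NFS mounts slide checked against these recommendations, as an added example (not code from the lecture): it parses `share -F nfs -o options path` lines and reports exports open to every host, home directories exported read-write, and missing nosuid/nosub options. The sample dfstab is constructed from the slide's three lines plus one hardened export.

```python
"""Review Solaris dfstab share lines (added example, not from the slides)."""
import shlex

# Constructed dfstab: the three slide entries plus one hardened line.
SAMPLE_DFSTAB = """\
share -F nfs -o rw /home
share -F nfs -o ro=unixhosts /usr/man2
share -F nfs -o rw=unixhosts /usr/local
share -F nfs -o ro=unixhosts,nosuid,nosub /export/tools
"""

def parse_share(line):
    """Return (path, {option: value}) for one 'share -F nfs -o opts path' line."""
    argv = shlex.split(line)
    if not argv or argv[0] != "share":
        raise ValueError(f"not a share command: {line!r}")
    opts, path, i = {}, None, 1
    while i < len(argv):
        if argv[i] == "-F":
            if i + 1 >= len(argv) or argv[i + 1] != "nfs":
                raise ValueError("only -F nfs is handled here")
            i += 2
        elif argv[i] == "-o":
            if i + 1 >= len(argv):
                raise ValueError("-o without options")
            for opt in argv[i + 1].split(","):
                k, _, v = opt.partition("=")
                opts[k] = v or True          # 'rw' -> True, 'rw=hosts' -> 'hosts'
            i += 2
        else:
            path, i = argv[i], i + 1
    if path is None:
        raise ValueError(f"no path in {line!r}")
    return path, opts

def audit_share(path, opts):
    """Findings for one export, following the slide's recommendations."""
    findings = []
    if opts.get("rw") is True:
        findings.append("read-write for every host")
    elif opts.get("ro") is True:
        findings.append("read-only but readable by every host")
    elif "rw" not in opts and "ro" not in opts:
        findings.append("no ro/rw option: defaults to read-write for everyone")
    if "rw" in opts and path.startswith("/home"):
        findings.append("home directories exported read-write: login files can be trojaned")
    for opt in ("nosuid", "nosub"):
        if opt not in opts:
            findings.append(f"missing {opt}")
    return findings

def audit_dfstab(text):
    """Map each exported path to its list of findings (empty list = clean)."""
    return {path: audit_share(path, opts)
            for path, opts in (parse_share(l) for l in text.splitlines() if l.strip())}
```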
Network Services

  Port            Service
  20,21/tcp       ftp
  22/tcp          ssh
  23/tcp          telnet
  25/tcp          SMTP
  53/tcp,udp      DNS
  68/udp          DHCP
  69/udp          tftpd
  79/tcp          finger
  109/tcp         POP
  110/tcp         IMAP
  113/tcp         identd
  119/tcp         NNTP
  123/udp         NTP
  161,162/udp     SNMP
  512/tcp         rexec
  513,514/tcp     rshd,rlogind
  520/udp         RIP
  6000-6063/tcp   XWindows
TCP ports 20,21: ftp
- File Transfer Protocol
- Active Mode (PORT):
    Client tells the server the IP address and port to send the file to.
    Server opens a data connection to that port.
    Problems:
      Firewalls don't know what port the server will use.
      NAT routing must identify the return connection.
      FTP bounce attack.
- Passive Mode (PASV):
    Client requests a file.
    Server tells the client which port to connect to.
    Client opens a data channel to that port to obtain the file.
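The PORT/PASV exchange above from the server's side, as an added example (not code from the lecture): it decodes the `h1,h2,h3,h4,p1,p2` argument of a PORT command and applies the check that FTP servers use to refuse bounce requests, namely that the data address must equal the control connection's peer and the port must not be privileged. The reply strings and the assumption that the server only allows ports 1024 and above are this example's own.

```python
"""Server-side PORT validation against FTP bounce (added example, not from the slides)."""

def parse_port_command(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    nums = [int(p) for p in parts]
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # p1 is the high byte, p2 the low byte
    return host, port

def check_port_command(arg, control_peer_ip):
    """Return (accept, reply) for a PORT command on a session from control_peer_ip."""
    try:
        host, port = parse_port_command(arg)
    except ValueError:
        return False, "501 Syntax error in parameters or arguments."
    if host != control_peer_ip:
        # Data connection would go to a third host: that is the bounce attack.
        return False, "500 Illegal PORT command: address does not match control connection."
    if port < 1024:
        # A client's data socket is never a privileged port; refuse smtp, etc.
        return False, "500 Illegal PORT command: privileged port."
    return True, "200 PORT command successful."

def format_pasv_reply(server_ip, data_port):
    """Build the 227 reply the server sends for passive mode (same encoding)."""
    if not (1024 <= data_port <= 65535):
        raise ValueError("data port out of range")
    octets = server_ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return "227 Entering Passive Mode (%s,%d,%d)." % (
        ",".join(octets), data_port // 256, data_port % 256)
```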
TCP ports 20,21: ftp
- Anonymous FTP: file transfer without authentication.
- ftpd uses chroot() to change the root to the ftp user's home directory:
    bin: must contain /bin/ls
    etc: must contain a limited copy of /etc/passwd
    lib: must contain any shared library dependencies
    pub: contains the files made available for transfer
TCP ports 20,21: ftp
- Security issues:
    Use of arbitrary ports makes filtering difficult.
    Cleartext passwords.
    Complex protocol, with a history of security bugs.
    Writable anonymous FTP sites can be used by crackers to store copyrighted software or pornography.
- Recommendations:
    Disable ftp for users; use ssh instead.
    Limit anonymous ftp access as much as possible.
    Disable PUT unless clients must be able to upload files.
    Limit access to the chroot() jail carefully.
TCP port 22: ssh
- Secure Shell
    file copying
    port forwarding (TCP tunneling)
- Security issues:
    sshd must run as root.
    Version 1 of the ssh protocol is insecure.
    Trusts hosts listed in:
      ~/.rhosts or ~/.shosts
      /etc/rhosts.equiv or /etc/shosts.equiv
TCP port 23: telnet
- Remote login service
- Authenticates via username/password
- Cleartext traffic creates vulnerabilities:
    Packet sniffing
    TCP session hijacking
- Recommendation: disable; use ssh instead.
TCP port 25: SMTP
- Simple Mail Transfer Protocol (SMTP)
- Mail Transfer Agents (MTAs): sendmail, qmail, postfix
- Cleartext traffic vulnerabilities:
    Packet sniffing
    Banner often reveals MTA name and version
TCP port 25: SMTP
- DoS: too many large mail files can fill up disks.
- Mail delivery to programs: mail filters/mailing list servers may be vulnerable.
- MTA program security flaws: buffer overflows, backdoors, race conditions.
- Spam: limit relaying so that only mail to/from the local domain is accepted.
- Viruses: filter virus mail so MS Windows clients aren't infected.
TCP/UDP port 53: DNS
- Information hiding: zone transfers.
- Cache poisoning: incorrect information loaded into the DNS cache.
- Dynamic DNS: automatic updates from dynamic IP addresses (DHCP) can be used to deceive the server if not authenticated.
UDP port 68: DHCP
- Dynamic Host Configuration Protocol
- Configures network clients on boot:
    Client broadcasts a request for network info.
    No server authentication.
    Server responds with the network configuration:
      client IP address
      gateway IP address
      IP addresses for DNS servers
UDP port 69: tftpd
- Trivial File Transfer Protocol
- No security: allows read/write of files without authentication.
- Allows workstations to boot over the network.
- Recommendations:
    Don't use unless necessary.
    Limit the files accessible by tftpd.
    Use TCP wrappers to limit which hosts can access tftpd.
TCP port 79: fingerd
- finger provides user information:
    No argument: lists all users, with username, full name, location, login time.
    Name argument: prints detailed information for every user whose username or full name matches the query.
    Lists .plan and .project files: in the past, any file could be viewed by symlinking .plan to the target file.
    @hostname: queries fingerd on a remote machine.
- Recommendations: disable fingerd; use TCP wrappers.
TCP port 109: POP
- Post Office Protocol (POP): lets client hosts retrieve mail from a server.
- Common servers: qpopper, UW popd
- Authentication methods:
    Cleartext passwords
    APOP: simple challenge/response system
- Securing POP: SSL/TLS tunnel (port 993)
TCP port 110: IMAP
- Internet Message Access Protocol: POP + additional features.
- Common servers: UW imapd, Cyrus imapd
- Authentication:
    Cleartext passwords
    SASL: GSSAPI, S/Key, Kerberos 5
- Securing IMAP: SSL/TLS tunnel (port 995)
TCP port 113: identd
- Supports queries for the username that corresponds to a particular TCP connection.
- Differs from other authentication mechanisms in that the authentication is not delivered as part of the original client TCP connection.
- Security:
    Some sites believe it reveals too much information.
    A remote site's ident information cannot be trusted.
TCP port 119: NNTP
- Network News Transport Protocol
    Allows clients to read/post Usenet articles.
    Accepts/delivers Usenet articles to other servers.
- Security:
    ACLs for clients and servers.
    Ensure that internal news groups remain internal.
    Huge volume: potential for disk/network DoS.
UDP port 123: NTP
- Network Time Protocol: set of protocols to synchronize clocks.
- Security ramifications of synchronization:
    An audit trail requires valid timestamps to compare log files from different hosts.
    Kerberos, SSH, and other cryptographic protocols require absolute time to function properly.
- NTP security considerations:
    NTP must run as root to adjust the clock.
    Spoofed time updates apparently from the master server.
      Prevent: require updates to be encrypted with a symmetric key.
UDP ports 161, 162: SNMP
- Simple Network Management Protocol: remote management of networked devices.
    Client: network manager
    Server: remote agent
- Management Information Base (MIB) includes: config, operational status, performance.
- Requests:
    get: retrieve a data object from the MIB
    get-next: retrieve the next data object from the MIB
    set: set a data object in the MIB
    trap: error message sent from the remote agent on port 162
SNMP Authentication
- v1: passwords (community names)
    Default passwords never changed in most cases.
    Transmitted as cleartext.
- v3: User Security Model (USM)
    authKey used for hash-based authentication.
    privKey used for encrypting packets.
    Encrypted timestamps used to avoid UDP replay attacks.
SNMP demo
    > snmpwalk -c public -v 1 sun15 system
    SNMPv2-MIB::sysDescr.0 = STRING: Sun SNMP Agent, Sun-Blade-100
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.42.2.1.1
    SNMPv2-MIB::sysUpTime.0 = Timeticks: (1323311123) 153 days, 3:51:51.23
    SNMPv2-MIB::sysContact.0 = STRING: System administrator
    SNMPv2-MIB::sysName.0 = STRING: sun15
    SNMPv2-MIB::sysLocation.0 = STRING: System administrators office
    SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMP Recommendations
- Disable SNMP unless required: SNMP runs on MS Windows, UNIX, some printers, and many network appliances like switches and routers.
- Change community strings from the default values:
    public: read-only access
    private: read-write access
- Block SNMP traffic from outside.
- Segregate network management traffic.
TCP port 512: rexec
- Remote execution daemon: specify username, password, and command to run.
- Security issues:
    Cleartext passwords can be sniffed.
    Offers separate messages for an invalid username and an invalid password.
- Recommendation: disable; use ssh instead.
TCP ports 513, 514: rshd, rlogind
- rlogin: remote terminal service like telnet.
- rshd: remote command execution.
- Obtains the username from the client host.
- Trusted hosts/users can log in without passwords: ~/.rhosts and /etc/hosts.equiv.
- Recommendation: disable; use ssh instead.
UDP port 514: syslogd
- Remote logging service.
- Configured using /etc/syslog.conf:
    *.err;kern.notice        /dev/console
    *.err                    @loghost
    *.*                      /var/adm/messages
    *.alert;kern.er          operator
    *.alert;user.none        root
    *.emerg;user.none        *
UDP port 520: RIP
- Routing Information Protocol
- RIPv1 has no security.
- RIPv2 offers shared-key security: unsigned routes are not accepted.
- Recommendation: use static routes if you only have one gateway.
XWindows
- Network-based windowing system:
    server: a graphical display running an X server, TCP ports 6000-6063
    client: any X-based program (xclock, xterm)
- X security:
    All or nothing: a client can access the server or not.
    Several different ACL systems.
    If a client has access to a display, it can:
      Log keystrokes (xscan)
      View any window (xwatchwin)
X Access Control Systems
- xhost: list of hosts whose clients can access the server.
    xhost +(host) adds a host to the ACL
    xhost -(host) removes a host from the ACL
- MIT-MAGIC-COOKIE-1
    Restricts access to processes that supply a 128-bit cookie to the server when requesting a connection.
    Cookie stored in the ~/.Xauthority file.
    Cookies are transmitted in clear text.
X Access Control Systems
- XDM-AUTHORIZATION-1
    Creates a 56-bit DES key and 64-bit random authenticator in the ~/.Xauthority file.
    Each client uses the DES key to encrypt a 192-bit packet sent to the X server to validate the connection.
- SUN-DES-1
    Encrypts communication to the X server using the X server's public key.
    xhost user@host
    Requires Sun Secure RPC (Solaris).
X Access Control Systems
- MIT-KERBEROS-5
    Uses the Kerberos ticket and encryption system.
    xhost krb5:username
- Recommendations:
    Use MIT-MAGIC-COOKIE or better.
    Use "xhost -" if only xhost is available.
    Tunnel remote X connections over ssh: set the X11Forwarding option to "yes".
Key Points
- UNIX accounts and ACLs.
- UNIX services:
    Boot-time: started by init.
    Runtime: started by inetd.
    Automatic: started by cron.
- Network service security:
    Avoid using insecure services.
    Disable all unused services.