1 Security Bo Ye, Quanhua Lu
2 Overview 4 Unix vs. Security 4 Basic Unix Security Issues 4 How to Secure Linux Box 4 Other Security Issues 4 Security Tools 4 Miscellaneous
3 Unix vs. Security 4Unix was not designed to be secure. 4Unix was designed by researchers to be an easy, friendly way to conduct and share research. (Security = 1 / Convenience) 4Unix permissions are pretty much "all-or- nothing" -- root vs. everybody else. 4Many Unix administrative functions are in programs external to the kernel, able to be inspected by the world.
4 Your responsibility 4Remember that breaking into a computer is a crime. People have been and will be prosecuted and sent to jail for it, so don't get tempted to try it. 4If you discover a security problem, you should *Alert your system administrators (if you aren't the administrator). * Alert the vendor of your version of Unix. * Inform the Computer Emergency Response Team (CERT)
5 Seven Common-sense Rules of Security 4Don't put files on your system that are likely to be interesting to hackers. 4Plug holes that hackers can use to gain access to you system. 4Don't provide places for hackers to build nests on your system. 4Set basic traps on systems that are connected to the Internet.
6 Seven Common-sense Rules of Security (cont.) 4Monitor the reports generated by these security tools. 4Teach yourself about UNIX system security. Traditional know-how and common sense are the most important parts of a site secure. 4Prowl around looking for unusual activity.
7 Basic Unix Security Issues
8 /etc/passwd file 4Have no accounts without passwords. Regularly verify that every login has a password. put: awk -F: '{ if ($2 == "") print $1 }' etc/passwd in a file and execute with cron and have results mailed 4Avoid accounts with weak passwords. *Chose a good password. Use npasswd or passed+ instead of passwd force users to select reasonably secure passwords. 4Avoid share accounts *Avoid Group Logins and Shared Logins. Use sudo to control access to rootly powers.
9 /etc/passwd files (cont.) 4Shadow your passwords *If at all possible, use shadow passwords. "shadow passwords" put the passwords in a separate file, readable only by root. Password Aging Change passwords regularly, In particular, the root password should be changed on a regular basis Beware of extra entries in your passwd file that are UID 0, or any other suspicious entries.
10 /etc/passwd files (cont.) 4Rootly Entries Regularly verify that only the root login has id 0 by running the script: awk -F:'{if($3 == 0) print $1}'etc/passwd *Modify it to verify group ids and UID s of key individuals.
11 Setuid Programs If you are writing setuid programs: Minimize the number of setuid programs and keep the followings seven rules in minds: *Don't write setuid shell scripts. vYou don’t have a enough control inside a shell script. *Don't use any library routines that invoke a shell. vThese includes popen and system. Don't use execlp() or execvp() to run another program vThey allow you to give the program name without the path, which is very dangerous.
12 Setuid Programs (cont.) Always use full pathnames to identify files and programs. Don’t rely on any kind of searching mechanism to find files. Don't make the program setuid to root unless you have to. Make a pseudo-users name or group name instead. Don't make setuid-programs world-readable. This can allow bad guys to attack and exploit your codes. Don’t put secret back-door escapes in your code. These features don’t stay secret for long.
13 Setuid Program (cont.) 4Check regularly for new setuid programs, or for changes in setuid programs. *Can help you catch an intruder early on. *Regularly compare the output of the following script to spot clandestine setuid programs. /usr/bin/find / -user root -perm print /usr/ucb/mail -s "Setuid root files" netadmin
14 Special File Permissions /dev/kmem (which maps kernel memory) should not be world-readable. /etc/passwd and /etc/group should not be world-writable (for obvious reasons). 4 Do not have world-writable anonymous ftp directories. 4Give no "world" permissions to disk device files.
15 How to secure linux box 4Disable unused services. 4User and password security. 4Keep used services updated. 4Use ssh wherever possible. 4Packet filtering.
16 Disable Unused Services Edit /etc/inetd.conf and comment out unused services: ftp, telnet, rstatd, etc. Run ‘ps aux’ and exam the output carefully, look for extra daemons: sendmail, named, nfsd, etc. *If you don’t need it, kill it.
17 Disable Unused Services (cont.) Run ‘ netstat -a | fgrep LISTEN’ and look for unusual ports. This will print up something like this tcp 0 0 *:6000 *:* LISTEN tcp 0 0 *:www *:* LISTEN tcp 0 0 *:auth *:* LISTEN tcp 0 0 *:finger *:* LISTEN tcp 0 0 *:shell *:* LISTEN tcp 0 0 *:sunrpc *:* LISTEN
18 Keep Used Services Updated 4Install Updateme, a handy script for keeping your system up-to-date. 4Learn how your vendor provides software updates! Many packages have security problems discovered with them after release, and Linux vendors will release new versions to fix these. *Redhead 5.2: v *SuSE 6.0: v
19 User and password Security Run ‘ pwconv’ to turn on shadow passwords. If possible, get PAM (Pluggable Authentication Modules) installed. 4Don’t run routinely as root. Use sudo to aid in delegating root tasks.
20 Installing ssh 4Download source: * 4Unpack source: tar -xzof ssh tar.gz 4Configure: cd ssh ; sh configure 4Build: make 4Install: (as root) make install 4You may also wish to install ssh version 2 after version1.
21 Using ssh 4Other end must run sshd server. Use just like telnet or rlogin. Like rlogin can use a different remote username by adding ‘-l name’. Use config file (see ssh manpage) to set common parameters persistently. Use scp to copy files like rcp. Example: scp pcecs237.cs.umbc.edu:myprog.c.
22 Packet Filtering 4Allows you control what packets reach your machine from the network,and only allow in data to services you intend to offer. 4Helps prevent hostile scanning for accidentally open services. 4In Linux 2.0.x look for ipfwadm, in 2.2.x ipchains. 4For more information see *
23 Other Security Issues 4Remote Event Logging *Use "syslog" to send important events to a secure machine 4Secure Terminals Restrict root logins to specific terminals by listing them in /etc/securettys Be very careful with /etc/hosts.equiv and.rhosts files 4NIS and NFS 4Security and Sendmail
24 Security Tools 4COPS -- Computer Oracle and Password System COPS does many scans for common security problems on Unix systems. Warns you of problems. You have to fix them. 4Crack Tries to guess passwords by using dictionary words, encrypting them, and comparing with the encrypted password
25 Security Tools (cont.) 4TCP wrapper (tcpd) *A package that is used to monitor incoming IP connections Allows you to selectively block hosts and provides logging of all connections via syslog v/etc/inetd.conf telnet stream tcp nowait root etc/in.telnetd in.telnetd you can change this to : telnet stream tcp nowait root /usr/ets/tcpd in.telnetd
26 Security Tools (cont.) 4Tripwire *A file integrity checker *Notifies you of changes to important system files 4SATAN *Analyzes hosts on your network for certain well- known (and dangerous) vulnerabilities
27 Miscellaneous 4Backups *Have regular backups *To recover from destructive attacks *To have a known "clean" configuration to compare against 4Trojan Horses *Be careful with software off the net *Get software from known sources *Don't compile things right away. *Don't install it if you can't get source, unless you're sure of what it is
28 Miscellaneous (cont.) 4Packet Filtering *Controlling access to a network by analyzing the incoming and outgoing packets *Packet filtering is one technique, among many, for implementing security firewalls 4Kerberos *an authentication system developed at MIT *uses DES encryption *requires a secure "authentication" server