SECURITY - HARIPRIYA PURUSHOTHAMAN

SEVEN COMMON-SENSE RULES OF SECURITY
- Avoid putting files on the system that are likely to be interesting to hackers
- Plug the holes that hackers can use to gain access to the system
- Don't provide places for hackers to build nests on the system
- Set traps to detect intrusions and attempted intrusions

RULES - CONTD
- Monitor the reports generated by these security tools
- Teach ourselves about UNIX system security
- Prowl around looking for unusual activity

HOW SECURITY IS COMPROMISED
- Unreliable wetware: human users are the weakest links in the chain of security; teach users proper security hygiene
- Software bugs: by exploiting errors, hackers can manipulate Unix into doing whatever they want; keep up with patches and security bulletins
- Open doors: gaining access by exploiting software features that were meant to be helpful; make sure we haven't put out a welcome mat for hackers

/ETC/PASSWD FILE
- The contents of this file determine who can log in and what they can do once they get inside
- This file is the system's first line of defense against intruders
- On FreeBSD systems this file is derived from /etc/master.passwd

/ETC/PASSWD
- Password checking and selection: it is important to continually verify that every login has a password
- Pseudo-users should have a star (*) in the encrypted password field
- The following command finds null passwords:
  perl -F: -ane 'print if not $F[1];' /etc/passwd
- /etc/passwd and /etc/group must be readable by the world but writable only by root

/ETC/PASSWD
- The /etc/shadow file should be neither readable nor writable by the world
- Passwords are normally changed with the passwd command

/ETC/PASSWD
- Need for shadow passwords: since /etc/passwd is world-readable, the encrypted password string is available to all users
- Evildoers can encrypt selected dictionaries of words and compare the results with the strings in /etc/passwd to find passwords
- To impose restrictions, passwords are put in a separate file that is readable only by root
- This file with the actual password information is called the shadow password file

/ETC/PASSWD
- Group logins and shared logins: instead of having "root" as a group login, use the sudo program to control access to rootly powers
- Password aging: a facility that allows us to compel users to change their passwords
- User shells
- Rootly entries: more than one entry in the passwd file that uses a UID of zero means more than one way to log in as root
- The defense against this subterfuge is a mini script:
  perl -F: -ane 'print if not $F[2];' /etc/passwd
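The two perl one-liners above, reimplemented as an added Python audit (not part of the original slides) over a constructed passwd sample, so that the null-password and extra-UID-0 checks can be run and tested offline. The file content and account names are made up for the example.

```python
# Constructed sample /etc/passwd (not from any real system): two empty password
# fields and three UID-0 entries, the two conditions the slide's one-liners look for.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
toor::0:0:backup root:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
operator:x:0:0:ops:/root:/bin/sh
"""


def parse_passwd(text):
    """Split each colon-separated line into (name, password_field, uid); skip malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def null_passwords(text):
    """Logins whose password field is empty: what `perl -F: -ane 'print if not $F[1];'` prints."""
    return [name for name, pw, _uid in parse_passwd(text) if pw == ""]


def uid_zero_logins(text):
    """Every login with UID 0: what `perl -F: -ane 'print if not $F[2];'` prints
    (in Perl the string "0" is false, so `not $F[2]` matches exactly UID 0)."""
    return [name for name, _pw, uid in parse_passwd(text) if uid == "0"]


def extra_root_entries(text):
    """UID-0 logins other than root itself: each one is an additional way to log in as root."""
    return [name for name in uid_zero_logins(text) if name != "root"]
```

Point the functions at the real file with `open("/etc/passwd").read()` to audit a live system; the shadow file, where present, is not needed because both checks only look at the passwd fields.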

SETUID PROGRAMS
- Prone to security problems; setuid shell scripts in particular cause security problems
- Setuid and setgid can be disabled through the -o nosuid option to mount
- Disks should be scanned periodically to look for new setuid programs
- For example, find can mail a list of all setuid root files to "netadmin"

FILE PERMISSIONS
- The device file /dev/kmem allows access to the kernel's own virtual address space
- This file should only be readable by the owner and group, never by the world
- /dev/drum and /dev/mem provide unfettered access to the system's swap space and physical memory
- /etc/passwd and /etc/group should not be world-writable and should be owned by root

FILE PERMISSIONS
- Directories that are accessible through anonymous FTP should not be publicly writable
- Only root should have both read and write permission on disk device files
- The group owner is given read permission to facilitate backups, but there should be no permissions for the world
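The periodic setuid scan and the world-writable checks from the two preceding slides, as an added Python scanner that is not part of the original presentation. It walks a directory tree the way the slide's find job would; the demo tree it scans is constructed in a temporary directory and owned by the current user, so the "setuid root" filter is shown separately on a made-up report.

```python
import os
import stat
import tempfile


def scan_tree(root):
    """Walk root and report regular files that are setuid, setgid or world-writable.
    Setuid entries carry the owner UID so that setuid-root files can be singled out."""
    setuid, setgid, world_writable = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_ISUID:
                setuid.append((rel, st.st_uid))
            if st.st_mode & stat.S_ISGID:
                setgid.append(rel)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)
    return {"setuid": sorted(setuid), "setgid": sorted(setgid),
            "world_writable": sorted(world_writable)}


def setuid_root(report):
    """Paths from a scan_tree report that are setuid and owned by UID 0."""
    return [rel for rel, uid in report["setuid"] if uid == 0]


def demo():
    """Constructed tree in a temp dir with one file per condition; returns the scan report."""
    specs = {"bin/su_like": 0o4755, "bin/wall_like": 0o2755,
             "tmp/scratch": 0o666, "bin/plain": 0o755}
    with tempfile.TemporaryDirectory() as base:
        for rel, mode in specs.items():
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return scan_tree(base)
```

Run `scan_tree("/")` from cron and diff the output against the previous run to get the "new setuid programs" report the slide describes.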

MISCELLANEOUS SECURITY ISSUES
- Remote event logging: syslog allows log information from both the kernel and user processes to be forwarded to a file, to users, or to another host on our network
- A secure host that acts as a central logging machine and prints out security violations on an old line printer can be set up

MISCELLANEOUS SECURITY ISSUES
- Secure terminals: secure channels are usually specified as a list of TTY devices or as a keyword in a configuration file
- On Solaris the file is /etc/default/login
- On HP-UX and Red Hat Linux, the file is /etc/securetty
- On FreeBSD it is /etc/ttys

MISCELLANEOUS SECURITY ISSUES
- /etc/hosts.equiv and ~/.rhosts: allow users to log in (via rlogin) and copy files (via rcp) without typing passwords
- The server processes rshd and rlogind that read them should be disabled

MISCELLANEOUS SECURITY ISSUES
- rexd, rexecd, and tftpd
- rexd: a poorly secured remote command execution server which should be disabled
- rexecd: another remote command execution daemon; it is the server for rexec library routine requests, and the requests sent to it include a plaintext password
- tftpd: server for the Trivial File Transfer Protocol; allows machines on the network to request files from your hard disk

MISCELLANEOUS SECURITY ISSUES
- fingerd: finger prints a short report about a particular user; the information returned by finger, when supported by the fingerd daemon on a remote host, is potentially useful to hackers
- NIS (Network Information Service): a Sun database distribution tool that many sites use to maintain and distribute files; easy information access for hackers

MISCELLANEOUS SECURITY ISSUES
- Sendmail: a massive network system that runs as root; often subjected to attacks by hackers and has had numerous vulnerabilities
- Backups: backup tapes should be kept under lock and key
- Trojan horses: programs that are not what they seem to be

SECURITY POWER TOOLS
- Nmap: network port scanner; checks a set of target hosts to see which TCP and UDP ports have servers listening on them
- The command looks like: %nmap -sT host1.uexample.com
- The -sT argument asks nmap to try to connect to each TCP port on the target host in the normal way
- It can also probe ports without initiating an actual connection
- The -O option gives nmap the ability to guess what OS a remote system is running

SECURITY POWER TOOLS
- SAINT: similar to nmap in finding out what servers hosts are running
- Unlike nmap, it knows quite a lot about the actual UNIX server programs and their vulnerabilities
- Its user interface is entirely web based

SECURITY POWER TOOLS
- Crack: a sophisticated tool that implements several password-guessing techniques; passwords should be crack-resistant
- tcpd: referred to as the "TCP wrappers" package; allows us to log connections to TCP services; piggybacks on top of inetd

SECURITY POWER TOOLS
- COPS (Computer Oracle and Password System): a classic tool that identifies many classic security problems; warns us of potential problems by sending e-mails
- tripwire: monitors the permissions and checksums of important system files so that we can easily detect files that have been replaced
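A minimal tripwire-style integrity check, added here as an illustration and not taken from tripwire or from the slides: a baseline of mode, owner and SHA-256 per file is taken, and a later snapshot is compared against it. The demo tree, the "replaced" binary and the permission change are all constructed inside a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

TRACKED = ("mode", "uid", "sha256")  # attributes compared against the baseline


def snapshot(root):
    """Record permission bits, owner and SHA-256 of every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes are not hashed here
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "sha256": digest}
    return baseline


def compare(old, new):
    """Files added or removed since the baseline, plus which tracked attributes changed."""
    report = {"added": sorted(set(new) - set(old)),
              "missing": sorted(set(old) - set(new)), "changed": []}
    for path in sorted(set(old) & set(new)):
        diffs = [k for k in TRACKED if old[path][k] != new[path][k]]
        if diffs:
            report["changed"].append((path, diffs))
    return report


def _write(root, rel, body, mode=None):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(body)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Constructed tree: baseline, then a replaced binary, a loosened mode and a new file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"genuine login binary\n", 0o755)
        _write(root, "etc/hosts.equiv", b"", 0o644)
        baseline = snapshot(root)
        _write(root, "bin/login", b"replaced login binary\n")  # content changes, mode kept
        os.chmod(os.path.join(root, "etc/hosts.equiv"), 0o666)  # now world-writable
        _write(root, "bin/.hidden", b"new file\n", 0o755)
        return compare(baseline, snapshot(root))
```

In practice the baseline must be stored off the monitored host (or on read-only media), since an intruder who can replace /bin/login can also rewrite a baseline kept beside it.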

CRYPTOGRAPHIC SECURITY TOOLS
- Kerberos: an authentication system; a facility that guarantees that users and services are in fact who they claim to be
- Uses DES to construct a nested set of credentials called "tickets"; tickets are passed around the network to certify identity and to provide access
- It never transmits unencrypted passwords and relieves users from typing their passwords repeatedly

CRYPTOGRAPHIC SECURITY TOOLS
- PGP (Pretty Good Privacy): focused primarily on security; used to encrypt data, generate signatures, and verify the origin of files and messages
- Software packages are often distributed with a PGP signature file that guarantees the origin and purity of the software

CRYPTOGRAPHIC SECURITY TOOLS
- SSH (the secure shell): confirms the user's identity and encrypts all communications between two hosts
- The server daemon sshd authenticates in different ways:
- Method A: the user is logged in automatically if the name of the remote host the user is logging in from is in ~/.rhosts or equivalent files
- Method B: uses public key cryptography to verify the identity of the remote host
- Method C: uses public key cryptography to establish the user's identity
- Method D: allows the user to enter his or her normal login password

CRYPTOGRAPHIC SECURITY TOOLS
- SRP (Secure Remote Password): a highly secure way to verify passwords over a public network; telnet and ftp can be used with it
- One-Time Passwords in Everything: instead of encrypting passwords, it just makes sure that they work only once; one-time passwords are generated on our behalf

FIREWALLS - basic tool for network security
- It is only a supplemental security measure
- Packet filtering firewalls: limit the types of traffic that can pass through the Internet gateway based on information in the packet header
- How services are filtered: the daemons that provide these services bind to the appropriate ports and wait for connections from remote sites
- Service-specific filtering is based on the assumption that the client will use a non-privileged port to contact a privileged port on the server

FIREWALLS
- Service proxy firewalls: service proxies intercept connections to and from the outside world and establish new connections to services inside our network; they act as a sort of shuttle or chaperone between the two worlds
- Stateful inspection firewalls: designed to inspect the traffic that flows through them and compare the actual network activity to what "should" be happening
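The difference between the header-only packet filter of the previous slide and stateful inspection, as an added Python model that is not part of the original presentation. Addresses, ports and the single exposed SMTP service are constructed for the example; the header-only rule encodes the slide's assumption that clients contact a privileged server port from a non-privileged port.

```python
from collections import namedtuple

# Constructed packet model for the example: direction is "in" (from the Internet)
# or "out"; flags is a set of TCP flag names such as {"SYN"} or {"ACK"}.
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port flags")

INSIDE_SMTP_PORT = 25  # the one privileged service port the example exposes


def header_filter(pkt):
    """Packet filter: decides from the header alone. Inbound traffic is admitted only
    to the SMTP server from a non-privileged client port, or as a reply (ACK set)
    to a non-privileged local port, which is all a stateless rule can check."""
    if pkt.direction == "out":
        return True
    if pkt.proto != "tcp":
        return False
    if pkt.dst_port == INSIDE_SMTP_PORT and pkt.src_port >= 1024:
        return True
    return pkt.dst_port >= 1024 and "ACK" in pkt.flags


class StatefulFilter:
    """Stateful inspection: remembers connections opened from inside and admits
    inbound packets only when they belong to one (or go to the SMTP server)."""

    def __init__(self):
        self.sessions = set()

    def check(self, pkt):
        if pkt.direction == "out":
            if pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.proto == "tcp" and pkt.dst_port == INSIDE_SMTP_PORT and pkt.src_port >= 1024:
            return True
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions


def demo():
    """An inside host opens a web connection; the genuine reply passes both filters, but an
    unsolicited inbound packet with ACK set passes only the header-only filter."""
    fw = StatefulFilter()
    syn = Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.9", 80, {"SYN"})
    reply = Packet("in", "tcp", "203.0.113.9", 80, "10.0.0.5", 40000, {"SYN", "ACK"})
    stray = Packet("in", "tcp", "198.51.100.7", 80, "10.0.0.5", 40001, {"ACK"})
    results = {}
    for name, pkt in (("syn", syn), ("reply", reply), ("stray", stray)):
        results[name] = (header_filter(pkt), fw.check(pkt))
    return results
```

The "stray" packet is what the slide means by comparing actual activity to what "should" be happening: no inside host asked for it, so a stateful filter drops it even though its header looks like a legitimate reply.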

What to do when a site has been attacked
1. Don't panic
2. Decide on an appropriate level of response
3. Hoard all available tracking information
4. Assess your degree of exposure
5. Pull the plug
6. Devise a recovery plan
7. Communicate the recovery plan
8. Implement the recovery plan
9. Report the incident to authorities