Security
Computer Center, CS, NCTU 2 FreeBSD Security Advisories – (1)
FreeBSD Security Advisories – (2)
FreeBSD Security Advisories – (3)
- freebsd-security-notifications mailing list (subscribe to receive advisories as they are published)
FreeBSD Security Advisories – (4)
- Example: compress
FreeBSD Security Advisories – (5)
- CVE
FreeBSD Security Advisories – (6)
- Example: Problem Description
FreeBSD Security Advisories – (7)
- Example: Workaround
FreeBSD Security Advisories – (8)
- Example: Solution
Common Security Problems
- Unreliable wetware: phishing sites
- Software bugs: FreeBSD security advisories, portaudit (ports-mgmt/portaudit)
- Open doors: weak account passwords, disks shared with the whole world
portaudit (1)
portaudit checks the installed ports against a list of known security vulnerabilities:
  portaudit -Fda
  -F: fetch the current database from the FreeBSD servers
  -d: print the creation date of the database
  -a: print a vulnerability report for all installed packages
On current, pkg-based FreeBSD systems portaudit has been retired; the equivalent check is `pkg audit -F`.
portaudit (2)
  # portaudit -Fda
  auditfile.tbz                                 100% of 71 kB   92 kBps
  New database installed.
  Database created: Mon Dec 12 02:10:00 CST 2011
  Affected package: gnutls
  Type of problem: gnutls -- client session resumption vulnerability.
  Reference:
  Affected package: apache-worker
  Type of problem: apache -- Range header DoS vulnerability.
  Reference:
  2 problem(s) in your installed packages found.
  You are advised to update or deinstall the affected package(s) immediately.
Common tricks
Tricks:
- ssh scanning and password guessing (defend with sshguard, sshit, …)
- smtp-auth / pop3 / imap password guessing
- Phishing
- XSS and SQL injection
- …
Objectives:
- Spam
- Jump gateway (a foothold for attacking other hosts)
- File sharing
- …
Process file system – procfs
procfs provides a view of the system process table under /proc:
  # mount -t procfs proc /proc
It is not mounted by default on FreeBSD; mount it only when a tool actually needs it.
Simple SQL injection example
User/password authentication with no input validation: the submitted values are pasted straight into the query text (here in place of $user and $pass):
  SELECT * FROM usrTable WHERE user = '$user' AND pass = '$pass';
With the user name "test" and the password "a' OR 'a' = 'a" the server executes
  SELECT * FROM usrTable WHERE user = 'test' AND pass = 'a' OR 'a' = 'a'
Because AND binds tighter than OR, the WHERE clause is true for every row, and the login succeeds without a valid password.
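As an added example, not code from the original slides, the query above run both ways against an in-memory SQLite copy of usrTable: once built by string concatenation as the slide shows, and once with bound parameters, which is the fix. The table rows, the "admin" account and the second payload (a `--` comment that selects a specific victim account) are constructed for the demonstration.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the slide's usrTable; the two rows are
    constructed sample data, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usrTable (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO usrTable VALUES (?, ?)",
                     [("test", "s3cret"), ("admin", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> List[str]:
    """The slide's pattern: the submitted strings are pasted into the SQL
    text, so quotes in the input change the statement itself."""
    sql = ("SELECT user FROM usrTable WHERE user = '" + user +
           "' AND pass = '" + pw + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, user: str, pw: str) -> List[str]:
    """Same check with bound parameters: the values travel as data, never as
    SQL, so "a' OR 'a' = 'a" is compared literally against the column."""
    sql = "SELECT user FROM usrTable WHERE user = ? AND pass = ?"
    return [row[0] for row in conn.execute(sql, (user, pw))]


if __name__ == "__main__":
    db = make_db()
    payload = "a' OR 'a' = 'a"          # the slide's password input
    # WHERE user = 'test' AND pass = 'a' OR 'a' = 'a'  -> true for every row
    print(login_vulnerable(db, "test", payload))    # ['test', 'admin']
    # A comment payload in the user field picks one victim account instead:
    # WHERE user = 'admin' --' AND pass = 'x'
    print(login_vulnerable(db, "admin' --", "x"))   # ['admin']
    # With parameters the same inputs match nothing:
    print(login_safe(db, "test", payload))           # []
```

The parameterized version is the whole fix: input validation helps, but only binding keeps user data out of the statement's structure regardless of what characters the client sends.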
setuid programs
- passwd: /etc/master.passwd is mode 600 (-rw-------), so passwd must run setuid root to update it:
    ls -al /usr/bin/passwd
    -r-sr-xr-x  2 root  wheel  8224 Dec  5 22:00 /usr/bin/passwd
- setuid executables are especially apt to cause security holes
- Minimize the number of setuid programs; /etc/periodic/security/100.chksetuid lists the setuid/setgid files daily and reports any change from the previous day's list
- Disable setuid execution on individual filesystems with the mount option -o nosuid
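The check 100.chksetuid performs, as an added example that is not the periodic script itself: collect every setuid regular file under a root, then diff that set against a saved baseline so that a newly planted setuid binary stands out. The directory tree in demo() is constructed in a temporary directory (a setuid usr/bin/passwd, a non-setuid usr/bin/ls, and a tmp/sh that appears after the baseline); nothing on the real system is touched.

```python
import os
import stat
import tempfile
from typing import Dict, Set


def find_setuid(root: str) -> Set[str]:
    """Walk root and return every regular file with the setuid bit set, as
    paths relative to root (the same set `find root -type f -perm -4000`
    prints)."""
    found: Set[str] = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # vanished or unreadable: skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(os.path.relpath(path, root))
    return found


def diff_setuid(baseline: Set[str], current: Set[str]) -> Dict[str, Set[str]]:
    """What changed since the last run; 100.chksetuid does the equivalent by
    diffing yesterday's saved listing against today's."""
    return {"added": current - baseline, "removed": baseline - current}


def demo() -> Dict[str, Set[str]]:
    """Self-contained run on a constructed directory tree (not a real
    system): usr/bin/passwd is setuid like the slide's, usr/bin/ls is not,
    and a setuid tmp/sh appears between the baseline and the second scan."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("passwd", 0o4555), ("ls", 0o555)):
            path = os.path.join(bindir, name)
            open(path, "w").close()
            os.chmod(path, mode)
        baseline = find_setuid(root)         # {'usr/bin/passwd'}
        tmpdir = os.path.join(root, "tmp")
        os.makedirs(tmpdir)
        rogue = os.path.join(tmpdir, "sh")
        open(rogue, "w").close()
        os.chmod(rogue, 0o4755)              # a new setuid binary: must be flagged
        report = diff_setuid(baseline, find_setuid(root))
        report["baseline"] = baseline
        return report


if __name__ == "__main__":
    print(demo())   # {'added': {'tmp/sh'}, 'removed': set(), 'baseline': {'usr/bin/passwd'}}
```

On a real host the baseline is the previous run's output saved to disk; the interesting events are entries in "added" (a dropped setuid shell) and, just as much, entries in "removed" (someone replaced a system binary with a non-setuid copy, or a filesystem is no longer mounted).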
rlogin – (1)
Trusted remote host and user name database: /etc/hosts.equiv (system-wide) and ~/.rhosts (per user)
Allow a user to execute commands (rsh), log in (rlogin) and copy files (rcp) between machines without passwords
Format:
  Simple:  hostname [username]
  Complex: netgroup entries (the slide's example trusts all users from the amd_cs_cc group)
Example:
  bar.com foo        trust user "foo" from host "bar.com"
sudo is itself a setuid-root binary:
  ---s--x--x  2 root  wheel  /usr/local/bin/sudo
rlogin – (2): becoming other users
A pseudo-user for a service (here wwwadm), sometimes shared by several people
- sudo -u wwwadm -s (?)
- rlogin: enable rlogind in /etc/inetd.conf
    login stream tcp nowait root /usr/libexec/rlogind rlogind
  list the trusted users in ~wwwadm/.rhosts
    localhost pyhsu
  and log in with
    rlogin -l wwwadm localhost
  Too dirty! rlogin trusts the client's claimed identity and carries everything in clear text.
- sudoers aliases instead:
    User_Alias  wwwTA=pyhsu
    Runas_Alias WWWADM=wwwadm
    wwwTA ALL=(WWWADM) ALL
Security tools
- nmap
- john, crack
- PGP
- CA
- …
- Firewall
- TCP Wrapper
- …
TCP Wrapper – (1)
- TCP Wrapper provides access control and logging for every server daemon under its control
- libwrap implements the actual functionality
- Before: inetd started tcpd (linked with libwrap), which checked the client and then executed the real daemon
TCP Wrapper – (2)
Now inetd and sshd link libwrap directly:
  $ ldd `which inetd`
  /usr/sbin/inetd:
        libutil.so.8 => /lib/libutil.so.8 (0x )
        libwrap.so.6 => /usr/lib/libwrap.so.6 (0x )
        libipsec.so.4 => /lib/libipsec.so.4 (0x80086a000)
        libc.so.7 => /lib/libc.so.7 (0x )
  $ ldd `which sshd`
  /usr/sbin/sshd:
        libssh.so.5 => /usr/lib/libssh.so.5 (0x )
        libutil.so.8 => /lib/libutil.so.8 (0x8007cb000)
        libz.so.5 => /lib/libz.so.5 (0x8008db000)
        libwrap.so.6 => /usr/lib/libwrap.so.6 (0x8009f0000)
        libpam.so.5 => /usr/lib/libpam.so.5 (0x800af9000)
        .....
TCP Wrapper – (3)
libwrap: the sshd source code calls hosts_access(3) itself, so sshd consults /etc/hosts.allow without going through inetd or tcpd.
TCP Wrapper – (4)
- There are things a firewall will not handle, such as sending text back to the source
- TCP Wrapper provides, for every server daemon under its control:
  - Logging
  - A return message to the client
  - Restricting a daemon to internal connections only
- Configuration files: /etc/hosts.allow and, optionally, /etc/hosts.deny
Super Server – inetd
To see which daemons are controlled by inetd, look at /etc/inetd.conf; enable inetd in /etc/rc.conf with
  inetd_enable="YES"
  #ftp    stream tcp  nowait root /usr/libexec/ftpd    ftpd -l
  #ftp    stream tcp6 nowait root /usr/libexec/ftpd    ftpd -l
  #telnet stream tcp  nowait root /usr/libexec/telnetd telnetd
  #telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
  shell   stream tcp  nowait root /usr/libexec/rshd    rshd
  #shell  stream tcp6 nowait root /usr/libexec/rshd    rshd
  login   stream tcp  nowait root /usr/libexec/rlogind rlogind
  #login  stream tcp6 nowait root /usr/libexec/rlogind rlogind
Only shell (rshd) and login (rlogind) are uncommented here, for the rlogin example; both are clear-text protocols that rely on .rhosts trust, so keep them disabled on any host that does not need them.
/etc/hosts.allow – (1)
Format: daemon : address : action
- daemon is the name of the daemon process that inetd started (the process name, e.g. sshd, not the service name)
- address can be a hostname, an IPv4 address, an IPv6 address, or net/prefixlen
- action is "allow" or "deny"
- The keyword ALL may be used in the daemon and address fields to match everything
First-match semantics: the file is scanned from top to bottom for a matching rule; when a match is found, that rule is applied and the search stops.
/etc/hosts.allow – (2)
TCP Wrapper should not be considered a replacement for a good firewall; use it in conjunction with a firewall or other security tools. It is particularly useful for RPC-based services, whose dynamically assigned ports are awkward to filter with a packet filter.
Example:
  ALL : localhost, : allow
  ptelnetd : @linux_cc_cs : allow
  ptelnetd pftpd sshd : zeiss, chbsd, sabsd : allow
  identd : ALL : allow
  portmap : ALL : allow
  sendmail : ALL : allow
  rpc.rstatd : allow
  rpc.rusersd : allow
  ALL : ALL : deny
/etc/hosts.allow – (3)
Advanced configuration:
- External commands (twist option): twist replaces the daemon with a shell command or script (exec), so the command's output is what the client receives
- External commands (spawn option): spawn is like twist, but runs the command as a child (fork/exec) and sends no reply back to the client; the rule's allow/deny action still decides the connection
In both, %d expands to the daemon name, %h to the client hostname and %a to the client address:
  # The rest of the daemons are protected.
  telnet : ALL \
          : severity auth.info \
          : twist /bin/echo "You are not welcome to use %d from %h."
  # We do not allow connections from example.com:
  ALL : .example.com \
          : spawn (/bin/echo %a from %h attempted to access %d >> \
                  /var/log/connections.log) \
          : deny
/etc/hosts.allow – (4)
Wildcard PARANOID: matches any connection from a client whose hostname (from the reverse lookup) does not resolve back to the address it is connecting from, i.e. a likely spoofed or misconfigured host. See hosts_access(5) and hosts_options(5).
  # Block possibly spoofed requests to sendmail:
  sendmail : PARANOID : deny
tcpdmatch
tcpdmatch(8) predicts how the wrappers will handle a request. With this /etc/hosts.allow:
  ALL : localhost [::1] : allow
  ALL : cshome2 : allow
  sshd : csduty linuxhome cshome : allow
  rpc.lockd : / : allow
  rpc.statd : / : allow
  rpcbind : / : allow
  ALL : ALL : deny
  $ tcpdmatch ssh
  warning: ssh: no such process name in /etc/inetd.conf
  client:  address
  server:  process ssh
  matched: /etc/hosts.allow line 12
  option:  deny
  access:  denied
Note the result: the daemon was given as "ssh", which matches none of the sshd rules, so the request falls through to the final ALL : ALL : deny. Always test with the daemon's process name (sshd), exactly as libwrap sees it.
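To make the first-match semantics, the PARANOID wildcard and the tcpdmatch result above concrete, here is an added example (not part of the slides, and not libwrap's code) that parses a hosts.allow file and evaluates a request the way libwrap and tcpdmatch do. The HOSTS_ALLOW text is constructed: the hostnames, the 192.0.2.0/24 net and the example.com domain are placeholders. The forward/reverse DNS check behind PARANOID is represented by the caller-supplied `verified` flag rather than by real lookups, so the whole thing runs offline.

```python
import ipaddress
from typing import List, Tuple

# Constructed /etc/hosts.allow for this example; the hostnames, the
# 192.0.2.0/24 net and example.com are placeholders, not a real host's file.
HOSTS_ALLOW = """\
ALL : localhost [::1] : allow
sshd : csduty linuxhome cshome : allow
sshd : 192.0.2.0/24 : allow
sendmail : PARANOID : deny
ALL : .example.com : deny
sendmail : ALL : allow
ALL : ALL : deny
"""

Rule = Tuple[int, List[str], List[str], str]   # (line, daemons, clients, action)


def split_fields(line: str) -> List[str]:
    """Split on ':' but not inside [...], so IPv6 literals like [::1] survive."""
    fields, cur, depth = [], "", 0
    for ch in line:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields, cur = fields + [cur.strip()], ""
        else:
            cur += ch
    return fields + [cur.strip()]


def parse_rules(text: str) -> List[Rule]:
    """Backslash-continued lines are joined (as in the twist/spawn examples);
    a matching hosts.allow entry allows unless an option field says 'deny'."""
    rules, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        fields, buf = split_fields(buf + line), ""
        if len(fields) >= 2:
            action = "deny" if any(f.lower() == "deny" for f in fields[2:]) else "allow"
            rules.append((start, fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split(), action))
    return rules


def client_matches(pat: str, addr: str, host: str, verified: bool) -> bool:
    """One client pattern from hosts_access(5) (EXCEPT and KNOWN/UNKNOWN are
    not modelled). 'verified' stands in for libwrap's forward/reverse DNS
    cross-check, which the caller supplies here instead of resolving."""
    ip = ipaddress.ip_address(addr)
    if pat == "ALL":
        return True
    if pat == "PARANOID":            # hostname and address disagree, or no PTR
        return not verified
    if pat == "LOCAL":               # any hostname without a dot
        return "." not in host
    pat = pat[1:-1] if pat.startswith("[") and pat.endswith("]") else pat
    if pat.startswith("."):          # domain suffix: .example.com
        return host.lower().endswith(pat.lower())
    if pat.endswith("."):            # dotted address prefix: 192.0.2.
        return addr.startswith(pat)
    try:
        if "/" in pat:               # net/prefixlen or net/mask
            return ip in ipaddress.ip_network(pat, strict=False)
        return ip == ipaddress.ip_address(pat)
    except ValueError:               # not an address: compare hostnames
        return host.lower() == pat.lower()


def hosts_access(rules: List[Rule], daemon: str, addr: str, host: str,
                 verified: bool = True) -> Tuple[str, int]:
    """First match wins, scanning top to bottom like libwrap; returns
    (action, line) as tcpdmatch(8) reports it. Line 0 means no rule matched:
    libwrap would then consult /etc/hosts.deny and, failing that, allow."""
    for line_no, daemons, clients, action in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, addr, host, verified) for p in clients):
                return action, line_no
    return "allow", 0


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    # As on the slide: 'ssh' is not the process name 'sshd', so the request
    # skips every sshd rule and lands on the final ALL : ALL : deny.
    print(hosts_access(rules, "ssh", "192.0.2.77", "pc77.example.net"))    # ('deny', 7)
    print(hosts_access(rules, "sshd", "192.0.2.77", "pc77.example.net"))   # ('allow', 3)
```

Two things worth trying with it: move the `ALL : ALL : deny` line to the top and every request is denied, which is the first-match rule in action; and call it for sendmail with `verified=False` to see the PARANOID line short-circuit the later `sendmail : ALL : allow`.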
When you perform any change: philosophy of SA
- Know how things really work
- Plan it before you do it
- Make it reversible
- Make changes incrementally
- Test before you unleash it