Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories – (1) 

Published byBetty Sutton Modified over 9 years ago

Similar presentations

Presentation on theme: "Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories – (1) "— Presentation transcript:

1 Security

2 Computer Center, CS, NCTU 2 FreeBSD Security Advisories – (1)  http://www.freebsd.org/security/advisories.html http://www.freebsd.org/security/advisories.html

3 Computer Center, CS, NCTU 3 FreeBSD Security Advisories – (2)

4 Computer Center, CS, NCTU 4 FreeBSD Security Advisories – (3)  freebsd-security-notifications Mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications

5 Computer Center, CS, NCTU 5 FreeBSD Security Advisories – (4)  Example compress

6 Computer Center, CS, NCTU 6 FreeBSD Security Advisories – (5)  CVE-2011-2895 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2895

7 Computer Center, CS, NCTU 7 FreeBSD Security Advisories – (6)  Example Problem Description

8 Computer Center, CS, NCTU 8 FreeBSD Security Advisories – (7)  Example Workaround

9 Computer Center, CS, NCTU 9 FreeBSD Security Advisories – (8)  Example Solution

10 Computer Center, CS, NCTU 10 Common Security Problems  Unreliable wetware Phishing site  Software bugs FreeBSD security advisor portaudit (ports-mgmt/portaudit)  Open doors Accounts’ password Disk share with the world

11 Computer Center, CS, NCTU 11 portaudit (1)  portaudit Checks installed ports against a list of security vulnerabilities portaudit –Fda  -F: Fetch the current database from the FreeBSD servers.  -d: Print the creation date of the database.  -a: Print a vulnerability report for all installed packages.  Security Output

12 Computer Center, CS, NCTU 12 portaudit (2)  portaudit -Fda  http://www.freshports.org/ / auditfile.tbz 100% of 71 kB 92 kBps New database installed. Database created: Mon Dec 12 02:10:00 CST 2011 Affected package: gnutls-2.12.7 Type of problem: gnutls -- client session resumption vulnerability. Reference: http://portaudit.FreeBSD.org/bdec8dc2-0b3b-11e1-b722-001cc0476564.html Affected package: apache-worker-2.2.19 Type of problem: apache -- Range header DoS vulnerability. Reference: http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html 2 problem(s) in your installed packages found. You are advised to update or deinstall the affected package(s) immediately.

13 Computer Center, CS, NCTU 13 Common trick  Tricks ssh scan and hack  ssh guard  sshit  … smtp-auth / pop3 / imap Phishing XSS & sql injection …  Objective Spam Jump gateway File sharing …

14 Computer Center, CS, NCTU 14 Process file system - procfs  Procfs A view of the system process table # mount –t procfs proc /proc

15 Computer Center, CS, NCTU 15 Simple SQL injection example  User/pass authentication  No input validation SELECT * FROM usrTable WHERE user = AND pass = ; SELECT * FROM usrTable WHERE user = ‘test’ AND pass = ‘a’ OR ‘a’ = ‘a’

16 Computer Center, CS, NCTU 16 setuid programs  passwd /etc/master.passwd is of mode 600 (-rw-------) !  setuid executables are especially apt to cause security holes Minimize the number of setuid programs  /etc/periodic/security/100.chksetuid Disable the setuid execution on individual filesystems  -o nosuid zfs[~] -chiahung- ls -al /usr/bin/passwd -r-sr-xr-x 2 root wheel 8224 Dec 5 22:00 /usr/bin/passwd

17 Computer Center, CS, NCTU 17 rlogin – (1)  sudo  Trusted remote host and user name database /etc/hosts.equiv and ~/.rhosts Allow user to execute shell (rsh), login (rlogin) and copy files (rcp) between machines without passwords Format:  Simple: hostname [username]  Complex: [+-][hostname|@netgroup] [[+-][username|@netgorup]] Example  bar.com foo(trust user “ foo ” from host “ bar.com ” )  +@adm_cs_cc(trust all from amd_cs_cc group)  +@adm_cs_cc -@chwong ---s--x--x 2 root wheel /usr/local/bin/sudo

18 Computer Center, CS, NCTU 18 rlogin – (2)  Becoming other users A pseudo-user for services, sometimes shared by multiple users sudo –u wwwadm –s (?) /etc/inetd.conf  login stream tcp nowait root /usr/libexec/rlogind rlogind ~wwwadm/.rhosts  localhost pyhsu rlogin -l wwwadm localhost User_Alias wwwTA=pyhsu Runas_Alias WWWADM=wwwadm wwwTA ALL=(WWWADM) ALL Too dirty!

19 Computer Center, CS, NCTU 19 Security tools  nmap  john, crack  PGP  CA  …  Firewall  TCP Wrapper  …

20 Computer Center, CS, NCTU 20 TCP Wrapper – (1)  TCP Wrapper Provide support for every server daemon under its control  libwrap implements the actual functionality Before: inetd + tcpd with libwrap

21 Computer Center, CS, NCTU 21 TCP Wrapper – (2)  Now… $ ldd `which inetd` /usr/sbin/inetd: libutil.so.8 => /lib/libutil.so.8 (0x800651000) libwrap.so.6 => /usr/lib/libwrap.so.6 (0x800761000) libipsec.so.4 => /lib/libipsec.so.4 (0x80086a000) libc.so.7 => /lib/libc.so.7 (0x800971000) $ ldd `which sshd` /usr/sbin/sshd: libssh.so.5 => /usr/lib/libssh.so.5 (0x800681000) libutil.so.8 => /lib/libutil.so.8 (0x8007cb000) libz.so.5 => /lib/libz.so.5 (0x8008db000) libwrap.so.6 => /usr/lib/libwrap.so.6 (0x8009f0000) libpam.so.5 => /usr/lib/libpam.so.5 (0x800af9000).....

22 Computer Center, CS, NCTU 22 TCP Wrapper – (3)  libwrap – hosts_access(3) In sshd source code

23 Computer Center, CS, NCTU 23 TCP Wrapper – (4)  There are something that a firewall will not handle Sending text back to the source  TCP wrapper Provide support for every server daemon under its control Logging support Return message Permit a daemon to only accept internal connections  Configuration files /etc/hosts.allow, /etc/hosts.deny(optional)

24 Computer Center, CS, NCTU 24 Super Server – inetd  To see what daemons are controlled by inetd, see /etc/inetd.conf  In /etc/rc.conf inetd_enable="YES" #ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l #ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l #telnet stream tcp nowait root /usr/libexec/telnetd telnetd #telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd shell stream tcp nowait root /usr/libexec/rshd rshd #shell stream tcp6 nowait root /usr/libexec/rshd rshd login stream tcp nowait root /usr/libexec/rlogind rlogind #login stream tcp6 nowait root /usr/libexec/rlogind rlogind

25 Computer Center, CS, NCTU 25 /etc/hosts.allow – (1)  In /etc/hosts.allow Format: daemon : address : action  daemon is the daemon name which inetd started  address can be hostname, IPv4 addr, IPv6 addr, net/prefixlen  action can be “ allow ” or “ deny ”  Keyword “ ALL ” can be used in daemon and address fields to means everything  First rule match semantic Meaning that the configuration file is scanned in ascending order for a matching rule When a match is found, the rule is applied and the search process will stop

26 Computer Center, CS, NCTU 26 /etc/hosts.allow – (2)  Example  TCP wrapper should not be considered a replacement of a good firewall Instead, it should be used in conjunction with a firewall or other security tools Good at rpc based services ALL : localhost, loghost @adm_cc_cs : allow ptelnetd pftpd sshd: @sun_cc_cs, @bsd_cc_cs, @linux_cc_cs : allow ptelnetd pftpd sshd: zeiss, chbsd, sabsd : allow identd : ALL : allow portmap : 140.113.17. ALL : allow sendmail : ALL : allow rpc.rstatd : @all_cc_cs 140.113.17.203: allow rpc.rusersd : @all_cc_cs 140.113.17.203: allow ALL : ALL : deny

27 Computer Center, CS, NCTU 27 /etc/hosts.allow – (3)  Advance configuration External commands (twist option)  twist will be called to execute a shell command or script (exec) External commands (spawn option)  spawn is like twist, but it will not send a reply back to the client (fork/exec) # The rest of the daemons are protected. telnet : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h." # We do not allow connections from example.com: ALL :.example.com \ : spawn (/bin/echo %a from %h attempted to access %d >> \ /var/log/connections.log) \ : deny

28 Computer Center, CS, NCTU 28 /etc/hosts.allow – (4) Wildcard (PARANOID option)  Match any connection that is made from an IP address that differs from its hostname  See hosts_access(5) hosts_options(5) # Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny

29 Computer Center, CS, NCTU 29 tcpdmatch  In /etc/hosts.allow  tcpdmatch(8) example ALL : localhost 127.0.0.1 [::1] : allow ALL : cshome2 : allow sshd : csduty linuxhome cshome : allow rpc.lockd : 140.113.235.0/255.255.255.0 : allow rpc.statd : 140.113.235.0/255.255.255.0 : allow rpcbind : 140.113.235.0/255.255.255.0 : allow ALL : ALL : deny $ tcpdmatch ssh 140.113.12.34 warning: ssh: no such process name in /etc/inetd.conf client: address 140.113.12.34 server: process ssh matched: /etc/hosts.allow line 12 option: deny access: denied

30 Computer Center, CS, NCTU 30 When you perform any change.  Philosophy of SA Know how things really work Plan it before you do it Make it reversible Make changes incrementally Test before you unleash it

Download ppt "Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories – (1) "

Similar presentations

153 Configuring and Securing ARPA/Berkeley Services Version A.01 H3065S Module 13 Slides.

153 Configuring and Securing ARPA/Berkeley Services Version A.01 H3065S Module 13 Slides.
Linux’ Security Haifa Linux Club 21.10.99 Orr Dunkelman.

Linux’ Security Haifa Linux Club Orr Dunkelman.
Linux Security An overview notes from Linux Network Security HowTO.

Linux Security An overview notes from Linux Network Security HowTO.
Chapter 21 Security. Computer Center, CS, NCTU 2 Firewall (1)  Using ipfw 1.Add these options in kernel configuration file and recompile the kernel 2.Edit.

Chapter 21 Security. Computer Center, CS, NCTU 2 Firewall (1)  Using ipfw 1.Add these options in kernel configuration file and recompile the kernel 2.Edit.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Homework 5b: Samba. Computer Center, CS, NCTU 2 Network-based File Sharing (1)  NFS (UNIX-based) mountd is responsible for mount request nfsd and nfsiod.

Homework 5b: Samba. Computer Center, CS, NCTU 2 Network-based File Sharing (1)  NFS (UNIX-based) mountd is responsible for mount request nfsd and nfsiod.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.

TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.
Chapter 3 Unix Overview. Figure 3.1 Unix file system.

Chapter 3 Unix Overview. Figure 3.1 Unix file system.
CS 497C – Introduction to UNIX Lecture 35: - TCP/IP Networking Tools Chin-Chih Chang

CS 497C – Introduction to UNIX Lecture 35: - TCP/IP Networking Tools Chin-Chih Chang
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)

1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)
Penetration Testing Training Day Capture the Flag Training.

Penetration Testing Training Day Capture the Flag Training.
The Linux Operating System Lecture 7: Email Tonga Institute of Higher Education.

The Linux Operating System Lecture 7: Tonga Institute of Higher Education.
Linux Security Anthony Albrecht – Services & Accounts

Linux Security Anthony Albrecht – Services & Accounts
Linux Security Chapter 21 (section 1-7) By Yanjun Zuo.

Linux Security Chapter 21 (section 1-7) By Yanjun Zuo.
The Saigon CTT Chapter 16 Remote Connectivity. The Saigon CTT  Objectives  Explain : telnet rsh ssh  Configure FTP.

The Saigon CTT Chapter 16 Remote Connectivity. The Saigon CTT  Objectives  Explain : telnet rsh ssh  Configure FTP.
Secure Shell for Computer Science Nick Czebiniak Sung-Ho Maeung.

Secure Shell for Computer Science Nick Czebiniak Sung-Ho Maeung.
ITI-481: Unix Administration Meeting 3. Today’s Agenda Hands-on exercises with booting and software installation. Account Management Basic Network Configuration.

ITI-481: Unix Administration Meeting 3. Today’s Agenda Hands-on exercises with booting and software installation. Account Management Basic Network Configuration.
Chapter 21 Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories 

Chapter 21 Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories 

Similar presentations

Ads by Google