Security - PowerPoint PPT Presentation

Slides: 29
Provided by: boye

1
Security
  • Bo Ye,
  • Quanhua Lu

2
Overview
  • Unix vs. Security
  • Basic Unix Security Issues
  • How to Secure Linux Box
  • Other Security Issues
  • Security Tools
  • Miscellaneous

3
Unix vs. Security
  • Unix was not designed to be secure.
  • Unix was designed by researchers to be an easy,
    friendly way to conduct and share research.
    (Security = 1 / Convenience)
  • Unix permissions are pretty much "all-or-nothing"
    -- root vs. everybody else.
  • Many Unix administrative functions are in
    programs external to the kernel, able to be
    inspected by the world.

4
Your responsibility
  • Remember that breaking into a computer is a
    crime. People have been and will be prosecuted
    and sent to jail for it, so don't get tempted to
    try it.
  • If you discover a security problem, you should:
  • Alert your system administrators (if you aren't
    the administrator).
  • Alert the vendor of your version of Unix.
  • Inform the Computer Emergency Response Team
    (CERT).

5
Seven Common-sense Rules of Security
  • Don't put files on your system that are likely to
    be interesting to hackers.
  • Plug holes that hackers can use to gain access to
    your system.
  • Don't provide places for hackers to build nests
    on your system.
  • Set basic traps on systems that are connected to
    the Internet.

6
Seven Common-sense Rules of Security (cont.)
  • Monitor the reports generated by these security
    tools.
  • Teach yourself about UNIX system security.
    Traditional know-how and common sense are the
    most important parts of keeping a site secure.
  • Prowl around looking for unusual activity.

7
  • Basic Unix Security Issues

8
/etc/passwd file
  • Have no accounts without passwords.
  • Regularly verify that every login has a password:
    put
      awk -F: '{ if ($2 == "") print $1 }' /etc/passwd
    in a file, execute it with cron, and have the
    results mailed to you.
  • Avoid accounts with weak passwords.
  • Choose a good password.
  • Use npasswd or passwd+ instead of passwd to force
    users to select reasonably secure passwords.
  • Avoid shared accounts.
  • Avoid group logins and shared logins.
  • Use sudo to control access to rootly powers.

9
/etc/passwd files (cont.)
  • Shadow your passwords
  • If at all possible, use shadow passwords.
  • "shadow passwords" put the passwords in a
    separate file, readable only by root.
  • Password Aging
  • Change passwords regularly. In particular, the
    root password should be changed on a regular
    basis.
  • Beware of extra entries in your passwd file that
    are UID 0, or any other suspicious entries.

10
/etc/passwd files (cont.)
  • Rootly Entries
  • Regularly verify that only the root login has UID
    0 by running the script
      awk -F: '{ if ($3 == 0) print $1 }' /etc/passwd
  • Modify it to verify group IDs and the UIDs of key
    individuals.
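The two awk checks from slides 8 and 10, combined into one cron-friendly audit script. This is an added example, not part of the original slides; it runs against a constructed passwd-format file (PASSWD_FILE) rather than the real /etc/passwd so it can be tried safely.

```shell
#!/bin/sh
# Added example (not from the slides): audit a passwd-format file for
# logins with an empty password field and for UID-0 entries other than
# root. The sample file below is constructed so the script runs offline.

PASSWD_FILE="${PASSWD_FILE:-$(mktemp)}"
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
guest::1001:1001:Guest account:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
EOF

# Logins whose password field (field 2) is empty: anyone can log in as them.
empty_passwords() {
    awk -F: '{ if ($2 == "") print $1 }' "$1"
}

# Logins with UID 0 (field 3) that are not root: extra rootly entries.
extra_uid0() {
    awk -F: '{ if ($3 == 0 && $1 != "root") print $1 }' "$1"
}

# One report for cron to mail; exit status is 0 only when both lists are empty.
audit_passwd() {
    e=$(empty_passwords "$1")
    r=$(extra_uid0 "$1")
    [ -n "$e" ] && printf 'Accounts without passwords: %s\n' "$e"
    [ -n "$r" ] && printf 'Non-root accounts with UID 0: %s\n' "$r"
    [ -z "$e" ] && [ -z "$r" ]
}

audit_passwd "$PASSWD_FILE" || echo "passwd audit: problems found"
```

Run it from cron as the slide suggests (e.g. piped into mail) and the non-zero exit status can also drive an alert.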

11
Setuid Programs
  • If you are writing setuid programs, minimize the
    number of setuid programs and keep the following
    seven rules in mind:
  • Don't write setuid shell scripts.
  • You don't have enough control inside a shell
    script.
  • Don't use any library routines that invoke a
    shell.
  • These include popen() and system().
  • Don't use execlp() or execvp() to run another
    program.
  • They allow you to give the program name without
    the path, which is very dangerous.

12
Setuid Programs (cont.)
  • Always use full pathnames to identify files and
    programs.
  • Don't rely on any kind of searching mechanism to
    find files.
  • Don't make the program setuid to root unless you
    have to.
  • Make it setuid to a pseudo-user name or group name
    instead.
  • Don't make setuid programs world-readable.
  • This can allow bad guys to study and exploit
    your code.
  • Don't put secret back-door escapes in your code.
  • These features don't stay secret for long.

13
Setuid Program (cont.)
  • Check regularly for new setuid programs, or for
    changes in setuid programs.
  • Can help you catch an intruder early on.
  • Regularly compare the output of the following
    script to spot clandestine setuid programs:
      /usr/bin/find / -user root -perm -4000 -print |
        /usr/ucb/mail -s "Setuid root files" netadmin
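The "compare the output regularly" step of slide 13, worked through as a baseline-and-diff script. This is an added example, not code from the slides; it builds a throwaway directory tree (ROOT) so it runs without root and never touches the real filesystem.

```shell
#!/bin/sh
# Added example (not from the slides): keep a baseline of setuid files and
# report entries that are new or changed since it was taken. A throwaway
# tree is constructed here so the script runs unprivileged.

ROOT="${ROOT:-$(mktemp -d)}"
BASELINE="$ROOT/setuid.baseline"
mkdir -p "$ROOT/bin" "$ROOT/tmp"
printf '#!/bin/sh\necho ok\n' > "$ROOT/bin/suidtool"; chmod 4755 "$ROOT/bin/suidtool"
printf '#!/bin/sh\necho ok\n' > "$ROOT/bin/plain";    chmod 0755 "$ROOT/bin/plain"

# One line per setuid file: "crc size path" (cksum is POSIX), so an edited
# binary shows up as well as a new one. On a real system add -user root as
# the slide does; here every file is owned by whoever runs the script.
list_setuid() {
    find "$1" -type f -perm -4000 -exec cksum {} \; | sort
}

save_baseline() {
    list_setuid "$1" > "$BASELINE"
}

# Lines present now but absent from the baseline: new or modified setuid files.
new_setuid() {
    list_setuid "$1" | comm -13 "$BASELINE" -
}

save_baseline "$ROOT"
# Constructed change: a setuid file appears after the baseline was taken.
printf '#!/bin/sh\necho hi\n' > "$ROOT/tmp/newtool"; chmod 4755 "$ROOT/tmp/newtool"
new_setuid "$ROOT"    # reports the cksum line for .../tmp/newtool
```

Store the baseline somewhere an intruder cannot rewrite (offline or on read-only media), since a baseline on the same disk can be edited along with the files it describes.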

14
Special File Permissions
  • /dev/kmem (which maps kernel memory) should not
    be world-readable.
  • /etc/passwd and /etc/group should not be
    world-writable (for obvious reasons).
  • Do not have world-writable anonymous ftp
    directories.
  • Give no "world" permissions to disk device files.

15
How to Secure a Linux Box
  • Disable unused services.
  • User and password security.
  • Keep used services updated.
  • Use ssh wherever possible.
  • Packet filtering.

16
Disable Unused Services
  • Edit /etc/inetd.conf and comment out unused
    services: ftp, telnet, rstatd, etc.
  • Run ps aux and examine the output carefully; look
    for extra daemons: sendmail, named, nfsd, etc.
  • If you don't need it, kill it.

17
Disable Unused Services (cont.)
  • Run netstat -a | fgrep LISTEN and look for
    unusual ports. This will print something like
    this:
      tcp 0 0 *:6000   *:* LISTEN
      tcp 0 0 *:www    *:* LISTEN
      tcp 0 0 *:auth   *:* LISTEN
      tcp 0 0 *:finger *:* LISTEN
      tcp 0 0 *:shell  *:* LISTEN
      tcp 0 0 *:sunrpc *:* LISTEN

18
Keep Used Services Updated
  • Install Updateme, a handy script for keeping your
    system up-to-date.
  • Learn how your vendor provides software updates!
    Many packages have security problems discovered
    with them after release, and Linux vendors will
    release new versions to fix these.
  • Red Hat 5.2:
    <URL: ftp://ftp.redhat.com/linux/redhat-5.2/updates/>
  • SuSE 6.0:
    <URL: ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/SuSE-6.0/>

19
User and password Security
  • Run pwconv to turn on shadow passwords.
  • If possible, get PAM (Pluggable Authentication
    Modules) installed.
  • Don't run routinely as root.
  • Use sudo to aid in delegating root tasks.

20
Installing ssh
  • Download the source:
    <URL: ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.26.tar.gz>
  • Unpack the source: tar -xzf ssh-1.2.26.tar.gz
  • Configure: cd ssh-1.2.26; sh configure
  • Build: make
  • Install (as root): make install
  • You may also wish to install ssh version 2 after
    version 1.

21
Using ssh
  • Other end must run sshd server.
  • Use it just like telnet or rlogin. Like rlogin, it
    can use a different remote username by adding -l
    name. Use the config file (see the ssh manpage) to
    set common parameters persistently.
  • Use scp to copy files like rcp. Example:
    scp pcecs237.cs.umbc.edu:myprog.c .

22
Packet Filtering
  • Allows you to control what packets reach your
    machine from the network, and only allow in data
    to services you intend to offer.
  • Helps prevent hostile scanning for accidentally
    open services.
  • In Linux 2.0.x look for ipfwadm, in 2.2.x
    ipchains.
  • For more information see
    <URL: http://www.xos.nl/linux/ipfwadm/>

23
Other Security Issues
  • Remote Event Logging
  • Use "syslog" to send important events to a secure
    machine
  • Secure Terminals
  • Restrict root logins to specific terminals by
    listing them in /etc/securetty
  • Be very careful with /etc/hosts.equiv and .rhosts
    files
  • NIS and NFS
  • Security and Sendmail

24
Security Tools
  • COPS -- Computer Oracle and Password System
  • COPS does many scans for common security problems
    on Unix systems.
  • Warns you of problems. You have to fix them.
  • Crack
  • Tries to guess passwords by using dictionary
    words, encrypting them, and comparing with the
    encrypted password.

25
Security Tools (cont.)
  • TCP wrapper (tcpd)
  • A package that is used to monitor incoming IP
    connections
  • Allows you to selectively block hosts and
    provides logging of all connections via syslog
  • /etc/inetd.conf:
    telnet stream tcp nowait root /etc/in.telnetd in.telnetd
  • you can change this to
    telnet stream tcp nowait root /usr/etc/tcpd in.telnetd
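The inetd.conf rewrite described above, applied to every service line at once. This is an added example, not part of the slides; it works on a constructed copy of inetd.conf (CONF), and the tcpd path /usr/etc/tcpd is taken from the slide (override TCPD if your system installs it elsewhere).

```shell
#!/bin/sh
# Added example (not from the slides): route every service in an
# inetd.conf through tcpd so connections are logged via syslog and can be
# allowed or denied per host. Operates on a constructed sample file.

TCPD="${TCPD:-/usr/etc/tcpd}"          # path from the slide; an assumption here
CONF="${CONF:-$(mktemp)}"
cat > "$CONF" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/etc/in.ftpd     in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/etc/in.telnetd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/etc/in.fingerd  in.fingerd
EOF

# Field 6 is the server program: replace it with tcpd. Field 7 onward
# (the original daemon name and its arguments) is left alone; tcpd locates
# the daemon in its compiled-in directory when given a bare name.
# Comments, short lines and already-wrapped lines pass through unchanged,
# so running this twice is harmless.
wrap_with_tcpd() {
    awk -v tcpd="$TCPD" '
        /^#/ || NF < 7  { print; next }
        $6 == tcpd      { print; next }
        { $6 = tcpd; print }
    ' "$1"
}

wrap_with_tcpd "$CONF"
```

Access control then lives in /etc/hosts.allow and /etc/hosts.deny, and each accepted or refused connection is logged by tcpd as the slide describes.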

26
Security Tools (cont.)
  • Tripwire
  • A file integrity checker
  • Notifies you of changes to important system files
  • SATAN
  • Analyzes hosts on your network for certain
    well-known (and dangerous) vulnerabilities

27
Miscellaneous
  • Backups
  • Have regular backups
  • To recover from destructive attacks
  • To have a known "clean" configuration to compare
    against
  • Trojan Horses
  • Be careful with software off the net
  • Get software from known sources
  • Don't compile things right away.
  • Don't install it if you can't get source, unless
    you're sure of what it is

28
Miscellaneous (cont.)
  • Packet Filtering
  • Controlling access to a network by analyzing the
    incoming and outgoing packets
  • Packet filtering is one technique, among many,
    for implementing security firewalls
  • Kerberos
  • an authentication system developed at MIT
  • uses DES encryption
  • requires a secure "authentication" server