Security - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

Security

Description:

Crack Tries to guess passwords by using dictionary words, encrypting them, and comparing with the encrypted password * * Title: Simulations and Analysis – PowerPoint PPT presentation

Number of Views:41
Avg rating:3.0/5.0
Slides: 29
Provided by: BoYe5
Category:

less

Transcript and Presenter's Notes

Title: Security


1
Security
  • Bo Ye,
  • Quanhua Lu

2
Overview
  • Unix vs. Security
  • Basic Unix Security Issues
  • How to Secure Linux Box
  • Other Security Issues
  • Security Tools
  • Miscellaneous

3
Unix vs. Security
  • Unix was not designed to be secure.
  • Unix was designed by researchers to be an easy,
    friendly way to conduct and share research.
    (Security 1 / Convenience)
  • Unix permissions are pretty much "all-or-nothing"
    -- root vs. everybody else.
  • Many Unix administrative functions are in
    programs external to the kernel, able to be
    inspected by the world.

4
Your responsibility
  • Remember that breaking into a computer is a
    crime. People have been and will be prosecuted
    and sent to jail for it, so don't get tempted to
    try it.
  • If you discover a security problem, you should
  • Alert your system administrators (if you aren't
    the administrator).
  • Alert the vendor of your version of Unix.
  • Inform the Computer Emergency Response Team
    (CERT)

5
Seven Common-sense Rules of Security
  • Don't put files on your system that are likely to
    be interesting to hackers.
  • Plug holes that hackers can use to gain access to
    you system.
  • Don't provide places for hackers to build nests
    on your system.
  • Set basic traps on systems that are connected to
    the Internet.

6
Seven Common-sense Rules of Security (cont.)
  • Monitor the reports generated by these security
    tools.
  • Teach yourself about UNIX system security.
    Traditional know-how and common sense are the
    most important parts of a site secure.
  • Prowl around looking for unusual activity.

7
  • Basic Unix Security Issues

8
/etc/passwd file
  • Have no accounts without passwords.
  • Regularly verify that every login has a password.
    putawk -F ' if (2 "") print 1 '
    etc/passwd in a file and execute with cron and
    have results mailed
  • Avoid accounts with weak passwords.
  • Chose a good password.
  • Use npasswd or passed instead of passwd force
    users to select reasonably secure passwords.
  • Avoid share accounts
  • Avoid Group Logins and Shared Logins.
  • Use sudo to control access to rootly powers.

9
/etc/passwd files (cont.)
  • Shadow your passwords
  • If at all possible, use shadow passwords.
  • "shadow passwords" put the passwords in a
    separate file, readable only by root.
  • Password Aging
  • Change passwords regularly, In particular, the
    root password should be changed on a regular
    basis
  • Beware of extra entries in your passwd file that
    are UID 0, or any other suspicious entries.

10
/etc/passwd files (cont.)
  • Rootly Entries
  • Regularly verify that only the root login has id
    0 by running the script awk -F'if(3 0)
    print 1'etc/passwd
  • Modify it to verify group ids and UID s of key
    individuals.

11
Setuid Programs
  • If you are writing setuid programs Minimize the
    number of setuid programs and keep the followings
    seven rules in minds
  • Don't write setuid shell scripts.
  • You dont have a enough control inside a shell
    script.
  • Don't use any library routines that invoke a
    shell.
  • These includes popen and system.
  • Don't use execlp()or execvp() to run another
    program
  • They allow you to give the program name without
    the path, which is very dangerous.

12
Setuid Programs (cont.)
  • Always use full pathnames to identify files and
    programs.
  • Dont rely on any kind of searching mechanism to
    find files.
  • Don't make the program setuid to root unless you
    have to.
  • Make a pseudo-users name or group name instead.
  • Don't make setuid-programs world-readable.
  • This can allow bad guys to attack and exploit
    your codes.
  • Dont put secret back-door escapes in your code.
  • These features dont stay secret for long.

13
Setuid Program (cont.)
  • Check regularly for new setuid programs, or for
    changes in setuid programs.
  • Can help you catch an intruder early on.
  • Regularly compare the output of the following
    script to spot clandestine setuid programs.
  • /usr/bin/find / -user root -perm -4000
    -print /usr/ucb/mail -s "Setuid root files"
    netadmin

14
Special File Permissions
  • /dev/kmem (which maps kernel memory) should not
    be world-readable.
  • /etc/passwd and /etc/group should not be
    world-writable (for obvious reasons).
  • Do not have world-writable anonymous ftp
    directories.
  • Give no "world" permissions to disk device files.

15
How to secure linux box
  • Disable unused services.
  • User and password security.
  • Keep used services updated.
  • Use ssh wherever possible.
  • Packet filtering.

16
Disable Unused Services
  • Edit /etc/inetd.conf and comment out unused
    services ftp, telnet, rstatd, etc.
  • Run ps aux and exam the output carefully, look
    for extra daemons sendmail, named, nfsd, etc.
  • If you dont need it, kill it.

17
Disable Unused Services (cont.)
  • Run netstat -a fgrep LISTEN and look for
    unusual ports. This will print up something like
    this
  • tcp 0 0 6000 LISTEN
  • tcp 0 0 www LISTEN
  • tcp 0 0 auth LISTEN
  • tcp 0 0 finger LISTEN
  • tcp 0 0 shell LISTEN
  • tcp 0 0 sunrpc LISTEN

18
Keep Used Services Updated
  • Install Updateme, a handy script for keeping your
    system up-to-date.
  • Learn how your vendor provides software updates!
    Many packages have security problems discovered
    with them after release, and Linux vendors will
    release new versions to fix these.
  • Redhead 5.2
  • ltURL ftp//ftp.redhat.com/linux/redhat-5.2/update
    s/gt
  • SuSE 6.0
  • ltURL ftp//ftp.suse.com/pub/SuSE-Linux/suse_updat
    e/SuSE-6.0/gt

19
User and password Security
  • Run pwconv to turn on shadow passwords.
  • If possible, get PAM (Pluggable Authentication
    Modules) installed.
  • Dont run routinely as root.
  • Use sudo to aid in delegating root tasks.

20
Installing ssh
  • Download source
  • ltURL ftp//ftp.cs.hut.fi/pub/ssh/ssh-1.2.26.tar.g
    zgt
  • Unpack source tar -xzof ssh-1.2.26.tar.gz
  • Configure cd ssh-1.2.26 sh configure
  • Build make
  • Install (as root) make install
  • You may also wish to install ssh version 2 after
    version1.

21
Using ssh
  • Other end must run sshd server.
  • Use just like telnet or rlogin. Like rlogin can
    use a different remote username by adding -l
    name. Use config file (see ssh manpage) to set
    common parameters persistently.
  • Use scp to copy files like rcp. Example
  • scp pcecs237.cs.umbc.edumyprog.c .

22
Packet Filtering
  • Allows you control what packets reach your
    machine from the network,and only allow in data
    to services you intend to offer.
  • Helps prevent hostile scanning for accidentally
    open services.
  • In Linux 2.0.x look for ipfwadm, in 2.2.x
    ipchains.
  • For more information see
  • ltURL http//www.xos.nl/linux/ipfwadm/gt

23
Other Security Issues
  • Remote Event Logging
  • Use "syslog" to send important events to a secure
    machine
  • Secure Terminals
  • Restrict root logins to specific terminals by
    listing them in /etc/securettys
  • Be very careful with /etc/hosts.equiv and .rhosts
    files
  • NIS and NFS
  • Security and Sendmail

24
Security Tools
  • COPS -- Computer Oracle and Password System
  • COPS does many scans for common security problems
    on Unix systems.
  • Warns you of problems. You have to fix them.
  • Crack
  • Tries to guess passwords by using dictionary
    words, encrypting them, and comparing with the
    encrypted password

25
Security Tools (cont.)
  • TCP wrapper (tcpd)
  • A package that is used to monitor incoming IP
    connections
  • Allows you to selectively block hosts and
    provides logging of all connections via syslog
  • /etc/inetd.conf
  • telnet stream tcp nowait root etc/in.telnetd
    in.telnetd
  • you can change this to
  • telnet stream tcp nowait root /usr/ets/tcpd
    in.telnetd

26
Security Tools (cont.)
  • Tripwire
  • A file integrity checker
  • Notifies you of changes to important system files
  • SATAN
  • Analyzes hosts on your network for certain
    well-known (and dangerous) vulnerabilities

27
Miscellaneous
  • Backups
  • Have regular backups
  • To recover from destructive attacks
  • To have a known "clean" configuration to compare
    against
  • Trojan Horses
  • Be careful with software off the net
  • Get software from known sources
  • Don't compile things right away.
  • Don't install it if you can't get source, unless
    you're sure of what it is

28
Miscellaneous (cont.)
  • Packet Filtering
  • Controlling access to a network by analyzing the
    incoming and outgoing packets
  • Packet filtering is one technique, among many,
    for implementing security firewalls
  • Kerberos
  • an authentication system developed at MIT
  • uses DES encryption
  • requires a secure "authentication" server
Write a Comment
User Comments (0)
About PowerShow.com