SECURITY -HARIPRIYA PURUSHOTHAMAN

Uploaded by darrell-morgan, posted 13-Dec-2015

TRANSCRIPT

Page 1: SECURITY - HARIPRIYA PURUSHOTHAMAN. SEVEN COMMON – SENSE RULES OF SECURITY Avoid putting files on the system that are likely to be interesting to hackers

SECURITY

-HARIPRIYA PURUSHOTHAMAN

Page 2

SEVEN COMMON – SENSE RULES OF SECURITY

Avoid putting files on the system that are likely to be interesting to hackers

Plug the holes that hackers can use to gain access to the system

Don’t provide places for hackers to build nests on the system

Set the traps to detect intrusions and attempted intrusions

Page 3

RULES – CONTD

Monitor the reports generated by these security tools

Teach ourselves about UNIX system security

Prowl around looking for unusual activity

Page 4

HOW SECURITY IS COMPROMISED

• Unreliable wetware: human users are the weakest links in the chain of security; teach the users proper security hygiene

• Software bugs: by exploiting the errors, hackers could manipulate UNIX into doing whatever they want; keep up with patches and security bulletins

• Open doors: gaining access by exploiting software features that were meant to be helpful; make sure that we haven’t put out a welcome mat for hackers

Page 5

/ETC/PASSWD FILE

The contents of this file determine who can log in and what they can do once they get inside

This file is the system’s first line of defense against intruders

On FreeBSD systems this file is derived from /etc/master.passwd

Page 6

/ETC/PASSWD

Password checking and selection: it is important to continually verify that every login has a password. Pseudo-users should have a star (*) in the encrypted password field. The following command finds the null passwords:

perl -F: -ane 'print if not $F[1];' /etc/passwd

/etc/passwd and /etc/group must be readable by the world but writable only by root

Page 7

/ETC/PASSWD

The /etc/shadow file should be neither readable nor writable by the world

Passwords are normally changed with the passwd command

Page 8

/ETC/PASSWD

Need for shadow passwords: since /etc/passwd is world-readable, the encrypted password string is available to all users. Evildoers can encrypt selected dictionaries of words and compare the results with the strings in /etc/passwd to find the password.

To impose restrictions, the passwords are put in a separate file that is readable only by root. This file with the actual password information is then called the shadow password file.

Page 9

/ETC/PASSWD

Group logins and shared logins: instead of having “root” as a group login, use the sudo program to control access to rootly powers

Password aging: a facility that allows us to compel users to change their passwords

User shells

Rootly entries: more than one entry in the passwd file that uses a UID of zero means more than one way to log in as root. The defense against this subterfuge is a mini script:

perl -F: -ane 'print if not $F[2];' /etc/passwd
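The two perl one-liners on the preceding slides (null password field, UID-0 entries) as one audit over a passwd-format file; this is an added example, not from the slides, and the sample passwd content is constructed. The UID check tests for the string "0", which is what perl's `not $F[2]` matches.

```python
# Constructed sample /etc/passwd content (not from any real system): one entry with an
# empty password field, one pseudo-user correctly starred, and a second UID-0 entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:extra root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Split passwd-format text into 7-field records; lines with the wrong
    field count are returned separately instead of being silently skipped."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            malformed.append(lineno)
            continue
        records.append(dict(zip(FIELDS, fields)))
    return records, malformed

def audit_passwd(text):
    """Apply the two checks from the slides to the parsed file:
    empty password field (perl -F: -ane 'print if not $F[1];') and
    UID 0 entries (perl -F: -ane 'print if not $F[2];')."""
    records, malformed = parse_passwd(text)
    null_passwords = [r["name"] for r in records if r["passwd"] == ""]
    uid_zero = [r["name"] for r in records if r["uid"] == "0"]
    return {
        "null_passwords": null_passwords,
        "uid_zero": uid_zero,
        # any UID-0 login other than root is a second way in as root
        "extra_root_entries": [n for n in uid_zero if n != "root"],
        "malformed_lines": malformed,
    }

if __name__ == "__main__":
    for check, hits in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{check}: {hits}")
```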

Page 10

SETUID PROGRAMS

Prone to security problems; setuid shell scripts especially cause security problems

Setuid and setgid can be disabled through the -o nosuid option to mount

Disks should be scanned periodically to look for new setuid programs. For example, find will mail a list of all setuid root files to “netadmin”

Page 11

FILE PERMISSIONS

The device file /dev/kmem allows access to the kernel’s own virtual address space

This file should only be readable by the owner and group, never by the world

/dev/drum and /dev/mem provide unfettered access to the system’s swap space and physical memory

/etc/passwd and /etc/group should not be world-writable and should have owner root

Page 12

FILE PERMISSIONS

Directories that are accessible through anonymous FTP should not be publicly writable

Only root should have both read and write permission on disk device files

The group owner is given read permission to facilitate backups, but there should be no permissions for the world
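The periodic setuid scan from the SETUID PROGRAMS slide and the owner/mode checks from the two FILE PERMISSIONS slides, written as one walk that stays on a single filesystem like find -xdev. This is an added example, not from the slides; build_demo_tree creates a constructed temporary directory so it runs without touching real system files.

```python
import os
import stat
import tempfile

def scan_tree(root):
    """Walk root without crossing mount points; report setuid, setgid and world-writable regular files."""
    findings = {"setuid": [], "setgid": [], "world_writable": []}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks, sockets etc. are not setuid binaries
            if st.st_mode & stat.S_ISUID:
                findings["setuid"].append(path)
            if st.st_mode & stat.S_ISGID:
                findings["setgid"].append(path)
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(path)
    return findings

def check_owner_and_mode(path, required_uid, forbidden_bits):
    """Violations for one sensitive file, e.g. /etc/passwd: owner uid 0, no world-write bit (stat.S_IWOTH)."""
    st = os.stat(path)
    problems = []
    if st.st_uid != required_uid:
        problems.append(f"{path}: owner uid {st.st_uid}, expected {required_uid}")
    if st.st_mode & forbidden_bits:
        problems.append(f"{path}: forbidden mode bits {oct(st.st_mode & forbidden_bits)}")
    return problems

def build_demo_tree():
    """Constructed demo directory (not a real system): one setuid file, one world-writable, one plain."""
    d = tempfile.mkdtemp()
    paths = {"dir": d}
    for name, mode in (("suid_tool", 0o4755), ("ww_file", 0o666), ("plain", 0o644)):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
        paths[name] = p
    return paths
```

On a real host you would call scan_tree on each mounted filesystem root and check_owner_and_mode on /etc/passwd and /etc/group with required_uid=0, then mail the result to the administrator as the slide suggests.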

Page 13

MISCELLANEOUS SECURITY ISSUES

Remote event logging: syslog allows log information from both the kernel and user processes to be forwarded to a file, to users, or to another host on our network

A secure host that acts as a central logging machine and prints out security violations on an old line printer could be set up

Page 14

MISCELLANEOUS SECURITY ISSUES

Secure terminals: secure channels are usually specified as a list of TTY devices or as a keyword in a configuration file. On Solaris the file is /etc/default/login; on HP-UX and Red Hat Linux the file is /etc/securetty; on FreeBSD it is /etc/ttys

Page 15

MISCELLANEOUS SECURITY ISSUES

/etc/hosts.equiv and ~/.rhosts allow users to log in (via rlogin) and copy files (via rcp) without typing passwords. The server processes rshd and rlogind that read them should be disabled

Page 16

MISCELLANEOUS SECURITY ISSUES

rexd, rexecd, and tftpd

rexd: a poorly secured remote command execution server which should be disabled

rexecd: another remote command execution daemon; the server for rexec library routine requests, and the requests sent to it include a plaintext password

tftpd: the server for the Trivial File Transfer Protocol; allows machines on the network to request files from your hard disk

Page 17

MISCELLANEOUS SECURITY ISSUES

fingerd: finger prints a short report about a particular user. The information returned by finger user@host, when supported by the fingerd daemon on the remote host, is potentially useful to hackers

NIS (Network Information Service): Sun’s database distribution tool that many sites use to maintain and distribute files; easy information access for hackers

Page 18

MISCELLANEOUS SECURITY ISSUES

Sendmail: a massive network system that runs as root; often subjected to attacks by hackers and has had numerous vulnerabilities

Backups: backup tapes should be kept under lock and key

Trojan horses: programs that are not what they seem to be

Page 19

SECURITY POWER TOOLS

Nmap: network port scanner. Checks a set of target hosts to see which TCP and UDP ports have servers listening on them. The command looks like

% nmap -sT host1.uexample.com

The -sT argument asks nmap to try to connect to each TCP port on the target host in the normal way. It can also probe ports without initiating an actual connection. The -O option gives nmap the ability to guess what OS a remote system is running

Page 20

SECURITY POWER TOOLS

SAINT: similar to nmap in finding out what servers the target hosts are running. Unlike nmap, it knows quite a lot about the actual UNIX server programs and their vulnerabilities

Its user interface is entirely web based

Page 21

SECURITY POWER TOOLS

Crack: a sophisticated tool that implements several password guessing techniques. Passwords should be crack-resistant

tcpd: referred to as the “TCP wrappers” package. Allows us to log connections to TCP services. Piggybacks on top of inetd

Page 22

SECURITY POWER TOOLS

COPS (Computer Oracle and Password System): a classic tool that identifies many classic security problems. Warns us of potential problems by sending emails

tripwire: monitors the permissions and checksums of important system files so that we can easily detect files that have been replaced
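The tripwire idea in miniature: take a baseline of mode, owner and checksum for a list of files, then compare a later snapshot and report what changed. This is an added example, not tripwire's code and not from the slides; build_demo creates constructed temporary files that stand in for two system binaries.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(paths):
    """Record mode, owner and SHA-256 of each file: the attributes a baseline is built from."""
    snap = {}
    for path in paths:
        st = os.stat(path)
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        snap[path] = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                      "gid": st.st_gid, "sha256": h.hexdigest()}
    return snap

def compare(baseline, current):
    """Return {path: [what changed]}; an empty dict means nothing was touched."""
    report = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report[path] = ["missing"]
            continue
        changed = [k for k in old if old[k] != new.get(k)]
        if changed:
            report[path] = changed
    for path in current:
        if path not in baseline:
            report[path] = ["added"]
    return report

def build_demo():
    """Constructed demo (not a real system): baseline two 'binaries', then replace one and change the other's mode."""
    d = tempfile.mkdtemp()
    ls, cat = os.path.join(d, "ls"), os.path.join(d, "cat")
    for p in (ls, cat):
        with open(p, "wb") as f:
            f.write(b"original program " + os.path.basename(p).encode())
        os.chmod(p, 0o755)
    baseline = snapshot([ls, cat])
    with open(ls, "wb") as f:          # same name and mode, different contents
        f.write(b"replaced program ls")
    os.chmod(cat, 0o4755)              # contents intact, setuid bit added
    return baseline, snapshot([ls, cat]), ls, cat
```

The baseline itself must live somewhere an intruder cannot rewrite (read-only media or the secure logging host from the earlier slide), otherwise the comparison proves nothing.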

Page 23

CRYPTOGRAPHIC SECURITY TOOLS

Kerberos: an authentication system, a facility that guarantees that users and services are in fact who they claim to be. Uses DES to construct a nested set of credentials called “tickets”. Tickets are passed around the network to certify identity and to provide access. It never transmits unencrypted passwords and relieves users from typing their passwords repeatedly

Page 24

CRYPTOGRAPHIC SECURITY TOOLS

PGP: Pretty Good Privacy. Focused primarily on email security. Used to encrypt data, generate signatures, and verify the origin of files and messages. Software packages are often distributed with a PGP signature file that guarantees the origin and purity of the software

Page 25

CRYPTOGRAPHIC SECURITY TOOLS

SSH: the secure shell. Confirms the user’s identity and encrypts all communications between two hosts. The server daemon sshd authenticates in different ways:

Method A: the user is logged in automatically if the name of the remote host the user is logging in from is in ~/.rhosts or equivalent files

Method B: uses public key cryptography to verify the identity of the remote host

Method C: uses public key cryptography to establish the user’s identity

Method D: allows the user to enter his or her normal login password

Page 26

CRYPTOGRAPHIC SECURITY TOOLS

SRP: Secure Remote Password. A highly secure way to verify passwords over a public network; telnet and ftp could be used with it

One-time passwords in everything: instead of encrypting passwords, it is just made sure that they work only once. One-time passwords are generated on our behalf

Page 27

FIREWALLS – basic tool for network security

It is only a supplemental security measure

Packet filtering firewalls: limit the types of traffic that can pass through the internet gateway based on information in the packet header

How the services are filtered: the daemons that provide these services bind to the appropriate ports and wait for connections from remote sites

Service-specific filtering is based on the assumption that the client will use a non-privileged port to contact a privileged port on the server

Page 28

FIREWALLS

Service proxy firewalls: service proxies intercept the connections to and from the outside world and establish new connections to services inside our network. Acts as a sort of shuttle or chaperone between the two worlds.

Stateful inspection firewalls: designed to inspect the traffic that flows through them and compare the actual network activity to what “should” be happening

Page 29

What to do when a site has been attacked

1. Don’t panic

2. Decide on an appropriate level of response

3. Hoard all available tracking information

4. Assess your degree of exposure

5. Pull the plug

6. Devise a recovery plan

7. Communicate the recovery plan

8. Implement the recovery plan

9. Report the incident to authorities