chep2000 kwang paick 1 Security Issues in HP-UX and Linux Kwang H. Paick [email protected] Prairie View A&M University


Security Issues in HP-UX and Linux

Kwang H. Paick

kwang@hp73.pvamu.edu

Prairie View A&M University


Common Attacks

• Physical access

• Access to the command line

• Network access


Security Setup

1. Physical security

2. File and Directory Permission

3. User Accounts

4. Log Files

5. Correct network configuration


I. Physical Security

• Physical access

• BIOS and Console Passwords

• Anti-theft devices


Most Unix systems are not secured because

• Default installation includes a wide range of vulnerabilities

• Software patches are not installed, and

• Systems are not well maintained


II. File and Directory Permissions

HP-UX 10.20 systems contain more than 20,000 files. The most common permission problems are write access for group or other on almost any file or directory in the base installation.

Some files and directories require group or other ‘write’ permissions, e.g.

• temporary directories (group and others)

• spool directories for the lpr system must be group writeable


Common Permission Problems

The number one problem has been ownership of the /etc directory by bin

• the /etc directory must be owned by root, and writable only by the owner

• HP-UX systems allow bin to own many other directories as well (only 48 out of 1200 directories were not owned by bin)


HP-UX and ACLs

HP-UX includes the ability to provide a finer degree of access control through access control lists

A user-group pair is written as user.group

• The symbol % represents no particular user or group:

– (u.g, rwx) specific user, specific group

– (u.%, rwx) specific user, no specific group

– (%.g, rwx) no specific user, specific group

– (%.%, rwx) no specific user, no specific group


HP-UX and ACLs

• Most backup utilities ignore the ACL information for compatibility with POSIX standards

• Only the fbackup and frecover file archive utilities handle access control lists properly

• Change ACLs with the chacl command; ls -l marks a file that carries an ACL with a trailing +:

-rw-r--r--          -rw-r--r--+

• List ACLs with lsacl:

lsacl xx
(lon.%,rw-)(don.%,rw-)(%.hep,r--)(%.%,r--) xx

ACLs are rarely used.
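An added example, not from the slides, that parses lsacl output such as the xx line above and works out which entry applies to a given user. It assumes the HP-UX rule that the most specific matching entry wins (u.g before u.%, then %.g, then %.%) and adds an audit for files whose %.% entry grants write, the ACL form of the "write for other" problem from the permissions slides.

```python
import re
from typing import List, Optional, Sequence, Tuple

# One lsacl entry looks like (user.group,mode); % means "no particular" user/group.
ENTRY_RE = re.compile(r"\(([^.()]+)\.([^,()]+),([rwx-]{3})\)")
AclEntry = Tuple[str, str, str]  # (user, group, mode)


def parse_lsacl(line: str) -> Tuple[List[AclEntry], str]:
    """Split one lsacl output line into its entries and the file name."""
    entries = [(u, g, m) for u, g, m in ENTRY_RE.findall(line)]
    name = line[line.rfind(")") + 1:].strip()
    return entries, name


def specificity(user: str, group: str) -> int:
    # Assumed HP-UX rule: u.g outranks u.%, which outranks %.g, which outranks %.%
    return (2 if user != "%" else 0) + (1 if group != "%" else 0)


def effective_mode(entries: Sequence[AclEntry], user: str, groups: Sequence[str]) -> str:
    """Mode granted to `user` (a member of `groups`) by the most specific matching entry."""
    best: Optional[Tuple[int, str]] = None
    for u, g, mode in entries:
        if u != "%" and u != user:
            continue
        if g != "%" and g not in groups:
            continue
        rank = specificity(u, g)
        if best is None or rank > best[0]:
            best = (rank, mode)
    return best[1] if best else "---"


def world_writable(lines: Sequence[str]) -> List[str]:
    """Audit: files whose (%.%) entry grants write, i.e. writable by anyone."""
    flagged = []
    for line in lines:
        entries, name = parse_lsacl(line)
        if any(u == "%" and g == "%" and "w" in m for u, g, m in entries):
            flagged.append(name)
    return flagged


# Constructed sample: the slide's xx line plus one deliberately loose file.
SAMPLE = [
    "(lon.%,rw-)(don.%,rw-)(%.hep,r--)(%.%,r--) xx",
    "(%.hep,rw-)(%.%,rw-) scratch.dat",
]

if __name__ == "__main__":
    entries, name = parse_lsacl(SAMPLE[0])
    for who, grps in (("lon", ["hep"]), ("sue", ["hep"]), ("bob", ["users"])):
        print(name, who, effective_mode(entries, who, grps))
    print("world-writable:", world_writable(SAMPLE))
```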


III. User Accounts

User accounts must be maintained correctly

• The accounts’ database must be checked for correctness

• New accounts must be monitored, and old accounts disabled

• Accounts with unusual user-ids checked

• User home directories correctly configured

• Passwords “checked” and protected


/etc/passwd

Must be readable by all, but writable only by root

• Any account with the user id of zero is granted root’s privileges

• The home directory should exist, be owned by the user, and not be writeable by group or other

• The use of temporary directories as the home directory is a security problem

• The COPS tool can check the existence, ownership and permission of each home directory


Home Directory

Shell startup files must specify a safe PATH:

• system directories before any local directories

• DOT last if present in PATH (makes Trojan horses less effective)

• root PATH

– never have DOT in root’s PATH

– never include writable directories in the search path

• umask

– user’s default umask 033

– root’s umask 077
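An added example, not from the slides, that checks a PATH string against the rules above: a dot (or empty component) only as the last entry for ordinary users, never for root, and no group- or other-writable directories. The writable-directory check is applied for every uid rather than only root, the "system before local" ordering is not checked, and the umask rules are not covered.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def audit_path(path: str, uid: int) -> List[str]:
    """Findings for one PATH string under the slide's rules.
    uid == 0 applies the root rules: no dot at all, no writable directories.
    Other users may have a dot, but only as the last component."""
    findings = []
    comps = path.split(":")
    for i, comp in enumerate(comps, start=1):
        if comp in ("", "."):  # an empty component also means the current directory
            if uid == 0:
                findings.append(f"{i}: dot/empty component is never allowed in root's PATH")
            elif i != len(comps):
                findings.append(f"{i}: dot/empty component must be the last one")
            continue
        try:
            st = os.stat(comp)
        except OSError:
            findings.append(f"{i}: {comp} does not exist")
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{i}: {comp} is not a directory")
            continue
        # A group- or other-writable directory lets anyone plant a Trojan horse
        # named after a real command; flagged for every uid, not only root.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{i}: {comp} is group/other writable (mode {mode:04o})")
    return findings


def constructed_dirs() -> Tuple[str, str]:
    """Constructed sample for a demo run: a 0755 directory and a 0777 one."""
    base = tempfile.mkdtemp(prefix="path-audit-")
    safe, loose = os.path.join(base, "safe"), os.path.join(base, "loose")
    os.mkdir(safe)
    os.chmod(safe, 0o755)
    os.mkdir(loose)
    os.chmod(loose, 0o777)
    return safe, loose


if __name__ == "__main__":
    safe, loose = constructed_dirs()
    for candidate, uid in ((f"{safe}:.", 1000), (f"{safe}:{loose}:.", 0)):
        print(candidate, uid, audit_path(candidate, uid) or ["clean"])
    print("this process:", audit_path(os.environ.get("PATH", ""), os.getuid()) or ["clean"])
```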


Home Directory

Dangerous startup files permitted

• A .rhosts file permits a user to control who may log into their account remotely via the “r” commands

• The .netrc files contain unencrypted passwords for remote logins.

COPS and TIGER check for these problems, as do commercial tools


Shadow Password

A goal in many attacks is to get a copy of the encrypted passwords in the /etc/passwd file

These attacks can be foiled by moving the encrypted passwords into a different file, readable only by root

These files have the generic name shadow password files


Shadow Password

Some versions of UNIX come with shadow files, others must be converted

• Solaris uses /etc/shadow by default

• Linux uses /etc/shadow after conversion:

– pwconv: merge old /etc/passwd records into a new shadow database

– pwck: verification and syncing between /etc/shadow and /etc/passwd

– pwunconv: back to /etc/passwd


Shadow Password

Arguments against shadowing

• Makes account management more difficult, as the /etc/passwd file can no longer just be edited

• Account information gets scattered among many files if converted

• Crashing an FTP server can reveal the shadowed passwords in the core file


IV. Log Files

Need to know where they are and what they contain

check permissions and ownership

see how often they are rotated/truncated

monitor logfile contents

Archive important logs


Log Files

The wtmp files log user login, logout, date changes, start or stop of system accounting, reboots

• /etc/wtmp

• /var/adm/wtmp (10.20, old Linux)

• /var/log/wtmp (Linux)


Log Files

Effect of su command on /var/adm/wtmp

• When su is used, it creates a new process with both the process's real UID and effective UID altered.

• su does not change the /var/adm/wtmp file, so the finger command will continue to display the account you logged in as, not the one you su'ed to.


Log Files: wtmp files

• Grow until no space

• Pruning the wtmp file (zero the log, keeping a copy of the old one):

rm /var/adm/wtmp.old

cp /var/adm/wtmp /var/adm/wtmp.old

cp /dev/null /var/adm/wtmp

(copy rather than hard-link the old file: truncating a hard-linked wtmp would empty wtmp.old as well)


Log Files

• Hack tools: hacker tools (zap) delete entries matching a user name by replacing the record with nulls

• There are also zap detectors: chkwtmp at COAST


Log Files:Last Login

lastlog file

• /var/log/lastlog (Linux)

• /usr/sbin/acct/lastlog (10.20): lastlogin keeps a record of the date each person last logged in

bug: the date shown is usually 1 more than it should be, because lastlogin is run at 4am and checks the last 24 hrs worth of process accounting info (in pacct)


Log Files:Bad Login

Bad login attempts

The trouble is that these logs often contain passwords

Look for /etc/btmp on HP-UX

Make certain that these files are readable only by root, if they exist


Log Files:su Login

UNIX systems will always log the use of the su command

•Located in /var/log

• /var/adm/sulog (10.20)

• /var/adm/messages


Log Files:su Login

SU 01/31 20:08 + tty?? root-lon

SU 02/01 14:56 + tty?? root-dan

SU 02/01 16:06 + ttyp2 dan-kwang

SU 02/01 16:06 - ttyp2 babar-root

SU 02/01 16:06 + ttyp2 babar-root

SU 02/01 16:28 + tty?? root-babar

These logs are useful to both attackers and defenders:

• Attackers can learn who knows the root password

• Defenders can learn the same thing
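An added example, not part of the slides, that turns a sulog into the defender's view described above: who reached root, who failed trying, and which switches were made from root. The sample lines are the six shown on this slide; the "SU date time +|- tty from-to" layout is assumed from them.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Sequence


class SuRecord(NamedTuple):
    date: str
    time: str
    success: bool   # '+' in the log
    tty: str        # 'tty??' means no controlling terminal (cron jobs, scripts)
    src: str
    dst: str


def parse_sulog(lines: Sequence[str]) -> List[SuRecord]:
    """Parse sulog lines of the form 'SU mm/dd HH:MM +|- tty from-to'
    (layout assumed from the slide); anything else is skipped, not guessed."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[0] != "SU" or parts[3] not in ("+", "-"):
            continue
        src, _, dst = parts[5].rpartition("-")
        records.append(SuRecord(parts[1], parts[2], parts[3] == "+", parts[4], src, dst))
    return records


def root_su_report(records: Sequence[SuRecord]) -> Dict[str, object]:
    """The defender's reading of sulog: who reached root, who failed trying,
    and which switches were made from root (usually administrative, still worth review)."""
    became_root = sorted({r.src for r in records if r.success and r.dst == "root"})
    failed_root = Counter(r.src for r in records if not r.success and r.dst == "root")
    from_root = [f"{r.date} {r.time} {r.tty} root->{r.dst}" for r in records if r.src == "root"]
    return {"became_root": became_root,
            "failed_root": dict(failed_root),
            "from_root": from_root}


# Sample input: the six lines shown on this slide.
SULOG_SAMPLE = [
    "SU 01/31 20:08 + tty?? root-lon",
    "SU 02/01 14:56 + tty?? root-dan",
    "SU 02/01 16:06 + ttyp2 dan-kwang",
    "SU 02/01 16:06 - ttyp2 babar-root",
    "SU 02/01 16:06 + ttyp2 babar-root",
    "SU 02/01 16:28 + tty?? root-babar",
]

if __name__ == "__main__":
    for key, value in root_su_report(parse_sulog(SULOG_SAMPLE)).items():
        print(f"{key}: {value}")
```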


sudo

Allows select users to execute specified commands as root

e.g. eject, mount, reboot, adding a new account

• prevents possible errors

• provides a means for accountability

Configured in /etc/sudoers


Log Files:Syslog

The system log daemon, syslogd, appears in most UNIX systems

Newer versions of syslog ignore messages sent from the network by default

Use the -l flag to enable this behaviour on BSD; the -r flag is used with Linux

Example syslog.conf entries (selector, then action):

mail.debug /var/adm/syslog/mail.log

*.info;mail.none /var/adm/syslog/syslog.log


Log Files:Syslog

Feb 1 17:50:38 hp73 /sbin/init.d/sendmail[1119]: #### rebooted ####

Feb 2 09:24:03 hp73 sendmail[2272]: JAA02272: from=wu, size=9112, class=0, pri=39112, nrcpts=1, msgid=<[email protected]>, relay=wu@localhost

Feb 2 14:16:25 hp73 sendmail[22105]: OAA22104: to=<[email protected]>, ctladdr=<[email protected]> (207/20), delay=00:00:34, xdelay=00:00:33, mailer=smtp, relay=bayou.uh.edu. [129.7.1.7], stat=Sent (OAA06943 Message accepted for delivery)

Feb 2 14:43:13 hp73 popper[22159]: (v2.1.4-R3) Servicing request from "129.207.217.28" at 129.207.217.28

Feb 2 14:43:41 hp73 popper[22159]: Stats: kwang 0 0 78 1096568


V. Network Configuration

Any server is a potential hole.

• ‘r’ commands

• public services:

– poorly configured anonymous FTP servers

– mail servers

– older versions of Linux

– web servers


Network Configuration

Protecting Data in Transit

• Replace telnet, rlogin, rsh and rcp with ssh, slogin, ssh, scp

• Secure Shell (ssh): use the latest version, see http://www.slac.stanford.edu/comp/unix/ssh.htm


Network Configuration

Anonymous FTP directory permissions

• ftp: 555 with root ownership (users may read and execute)

• /ftp/bin: 555 with root ownership

• /ftp/bin/ls: 111 with root ownership (users may execute only)

• /ftp/etc: 555 with root ownership

• /ftp/etc/passwd: 444 with root ownership (users have read-only access)


Network Configuration:FTP

• FTP bounce attack

• Erroneous file permissions

• The SITE EXEC bug

Create restricted FTP access

• /etc/ftpusers: restricted users access file; an account whose name appears here is denied

e.g. bin, daemon, root, uucp, ...

• /etc/ftpaccess: core configuration file


Network Configuration

ftphosts: used to allow or deny access to certain accounts from various hosts (wildcards supported)

• allow [username] [host or host pattern]

• deny [username] [host or host pattern]

• allow doe *.xyz.com

• deny doe *.abc.com

An alternative is SSLftp (FTP over the Secure Sockets Layer); the current version is 0.8


Network Configuration:SMTP

Trusts everyone:

• Protect the server from penetration

• Protect the smtp service from misuse, such as outsiders exploiting your mail server to send spam or fake mail

• Current version is 8.9.3; if running an earlier version, update ASAP


Network Configuration:SMTP

To check the sendmail version: telnet to port 25 and view the banner

telnet abc.xyz.edu 25
.
.
220 abc.xyz.edu ESMTP 8.9.3/8.9.3;   (version number)


Network Configuration:SMTP

Several places recommend replacing sendmail with Qmail

• ftp://moni.msci.memphis.edu/pub/qmail

• the developer offered a $1,000 reward to anyone who could break Qmail.

– Sendmail offers high-powered SMTP service and excellent compatibility with existing UNIX utilities.

– Qmail strives to be small, fast and secure


TOOLS

Security tool that detects system vulnerabilities

• COPS (the Computer Oracle and Password System)

Port-based scanners

• SATAN (Security Administrator's Tool for Analyzing Networks)

• ISS (Internet Security Scanner)

– faster than SATAN; less information

• SAINT (Security Administrator's Integrated Network Tool)

– updated version of SATAN


References

Defending against scanner attacks

• Courtney: SATAN and SAINT detector

Sites with defensive software

• COAST:

– ftp://coast.cs.purdue.edu/pub/tools

– http://www.cs.purdue.edu/coast/archive/Archive_indexing.html

• NIST: http://cs-www-ncsl.nist.gov/tools/tols.htm


References

• NIH: http://www.alw.nih.gov/Security/prog-full.htm

• CIAC:

– ftp://ciac.llnl.gov/pub/ciac/sectools/unix

– http://ciac.llnl.gov/ciac

• CERT: http://www.cert.org

• FIRST: http://www.first.org

• Trinux tools: http://www.trinux.org


References

• HP-UX support: http://us-support.external.hp.com; [email protected] for bulletins

• Linux Security News: http://security.linuxtoday.com

• Red Hat support: http://www.redhat.com/support/errata

• UNIX support: http://www.usenix.org


References

Books

– S. Garfinkel, G. Spafford, Practical UNIX Security, O’Reilly & Associates, Sebastopol, CA, 1996, 2nd ed.

– Anonymous, Maximum Linux Security, SAMS, Indianapolis, IN, 1999


Monitor SUID and SGID Files

SUID and SGID files: two special file permissions

• SGID (set group ID, octal 2000, or S)

• SUID (set user ID, octal 4000, or s)

• find / -perm +4000 (current GNU find spells this -perm /4000)

• the owner’s permissions are in effect even when other users execute the file