Linux’ Security Haifa Linux Club 21.10.99 Orr Dunkelman.
Linux’ Security
Haifa Linux Club
21.10.99
Orr Dunkelman
What is a Secure System?
• A secure system is an abstract concept
• It is better defined as “robust”: how robust depends on what you need, how much time you are willing to put in, and what resources are at your disposal
P.C. vs. Server
P.C.:
• Close all services
• Don’t open accounts to everyone. Only to good and trusted people
Server:
• Close as many services as possible
• Make sure users have good passwords - use cracklib. Demand periodic password changes
P.C. vs. Server (cont.)
P.C.:
• Don’t install anything whose origin you don’t know
• Download only from known places (www.linux.org, etc.)
• Remove SUIDs if you are not the only user
Server:
• Don’t install anything whose origin you don’t know
• Download only from known places (www.linux.org, etc.)
• Remove as many SUIDs as possible
Securing Passwords
• Run cracklib on them. Ensure passwords are not too short and not too easy to crack
• Shadow them. Don’t keep them in /etc/passwd but in /etc/shadow (the default in a RH 6.1 installation today)
• Connect to remote systems using SSH and SCP (file copy over an SSH channel) so passwords are not sent as cleartext
S vs. R
SSH/SCP:
• SSH requires a password or an RSA passphrase (SSH agent)
• SCP requires a password (no one will send files without authorization)
• Several authentication methods are available
RSH/RCP:
• RSH doesn’t require any password
• RCP - no passwords needed
• Works with Kerberos solely
S vs. R (cont.)
• SSH: uses compression
• RSH: plain connection
• Doesn’t require a password at all - no password is transmitted, so if one of the encryption functions has been broken, nobody gets the password!
Authentication
• Prevents IP spoofing (claiming to be a different IP than you are)
• Sometimes the algorithm also allows setting up a key for the rest of the session (Kerberos, for example)
• Slows the connection down a little (at the beginning)
• Known (and used) algorithms - Kerberos, RSA challenges
Dangerous Permissions
• SUID/SGID - check very carefully, especially when the file is owned by root/wheel
• World-writable (mode xx2)
• Nouser/Nogroup (files whose owner or group no longer exists)
• .rhosts files (open R-services)
• Use “find” to locate such files
Example - How to remove SUIDs?
• First find them - find / -perm -4000
• Then check whether you need them - login, wanted daemons (Qmail, telnet, SSH, FTP)
• Close services not needed in /etc/inetd.conf
• Use TCP Wrappers for the remaining ports (the ones through which you usually get nuked - 139)
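The two slides above (Dangerous Permissions, and the SUID-removal example) boil down to a handful of find invocations. The script below is an added example, not from the talk: it wraps those checks in one function, adds the removal step, and builds a small constructed directory tree so it can be tried without root. The file and user names in the demo tree are made up; run audit_perms / as root for a real scan.

```shell
#!/bin/sh
# Added example (not from the slides): run the "find" checks for every
# permission class on the Dangerous Permissions slide, plus the SUID-removal
# step from the example slide. The demo tree below is constructed.

# Print every suspicious file under $1 (default /), grouped by class.
# -xdev stays on one filesystem, so /proc and network mounts are not walked.
audit_perms() {
    top="${1:-/}"
    echo "== SUID/SGID files (check each, especially root/wheel owned) =="
    find "$top" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
    echo "== World-writable files (mode xx2) =="
    find "$top" -xdev -type f -perm -0002 -exec ls -l {} \; 2>/dev/null
    echo "== Files with no valid owner or group =="
    find "$top" -xdev \( -nouser -o -nogroup \) -exec ls -ld {} \; 2>/dev/null
    echo "== .rhosts files (open R-services) =="
    find "$top" -xdev -name .rhosts -exec ls -l {} \; 2>/dev/null
}

# Counters for the same classes; each prints a single number.
count_suid()   { find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '; }
count_ww()     { find "$1" -xdev -type f -perm -0002 2>/dev/null | wc -l | tr -d ' '; }
count_rhosts() { find "$1" -xdev -name .rhosts 2>/dev/null | wc -l | tr -d ' '; }

# Second step of the slide: once you decide a binary does not need it, strip the bit.
drop_suid() { chmod u-s,g-s "$1"; }

# Constructed demo tree: one SUID script, one world-writable file, one .rhosts.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/home/alice"
    printf '#!/bin/sh\necho demo\n' > "$d/bin/fakeping" && chmod 4755 "$d/bin/fakeping"
    : > "$d/home/alice/notes" && chmod 666 "$d/home/alice/notes"
    : > "$d/home/alice/.rhosts" && chmod 600 "$d/home/alice/.rhosts"
    echo "$d"
}

# Try it on the demo tree:  sh audit_perms.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree) && audit_perms "$demo" && rm -rf "$demo"
fi
```

Using `-perm -4000 -o -perm -2000` rather than a single `-perm /6000` keeps the script portable to the older find implementations of that era; `-nouser`/`-nogroup` catch files left behind when an account is deleted, which the slide lists but the command on it does not cover.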
Monitor your Computer!
• Be the hacker yourself. Check for scripts and exploits which might be used against you
• Port scan your machine once in a while - ensure no ports and services are open (unless you opened them)
• Put up a firewall. Hiding behind a firewall might help reduce hackability (though those who get past it are likely to be better hackers)
Introduction to Hacker 1
• Use a port scanner on the machine you are about to attack (nmap does great, and helps you find the OS running on the computer)
• Go to hackers’ web-sites and look for the right exploits and scripts
• Try to examine the service’s code; maybe you’ll find a backdoor
Security HOWTO
• Restrict physical access (locks etc.)
• Consider BIOS and LILO passwords
• Lock your workstation when you’re not near it (vlock/xlock)
• Try to restrict root logins to the ttys declared in /etc/securetty
• Use “su -” instead of logging in as root
Security HOWTO - Files
• When you need to allow root-like access, minimize it using sudo
• Don’t allow SUID/SGID where non-root users write to the hard drive (mount with nosuid)
• Set the right default access permissions with umask
• Limit resources on the machine (nproc, CPU time, etc.)
• Set /var/log/wtmp and /var/run/utmp permissions to 644
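Two of the items on this slide can be checked mechanically: that filesystems users can write to are mounted nosuid, and that the accounting logs have the expected mode. The script below is an added example, not part of the talk; the mount table it parses is constructed in /proc/mounts format, and the choice of /home, /tmp and /var as "user-writable" filesystems is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the slides): check the nosuid and 644 items of the
# "Security HOWTO - Files" slide. SAMPLE_MOUNTS is a constructed mount table.

SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
/dev/hda5 /home ext2 rw,nosuid,nodev 0 0
/dev/hda6 /tmp ext2 rw 0 0
/dev/hda7 /var ext2 rw,nodev 0 0'

# Read /proc/mounts-style lines from stdin and report each mount point where
# non-root users can write (assumed here: /home, /tmp, /var) that lacks nosuid.
# On a live system:  find_missing_nosuid < /proc/mounts
find_missing_nosuid() {
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /home|/tmp|/var) ;;
            *) continue ;;
        esac
        case ",$opts," in
            *,nosuid,*) ;;
            *) echo "$mnt ($dev) is user-writable but mounted without nosuid" ;;
        esac
    done
}

# Octal permission bits of a file; stat's syntax differs between GNU and BSD.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then stat -c '%a' "$1"
    else stat -f '%Lp' "$1"; fi
}

# Report every file in the argument list whose mode is not 644; returns 1 if any.
# On a live system:  check_mode_644 /var/log/wtmp /var/run/utmp
check_mode_644() {
    bad=0
    for f in "$@"; do
        m=$(file_mode "$f")
        if [ "$m" != "644" ]; then
            echo "$f has mode $m, expected 644"
            bad=1
        fi
    done
    return $bad
}
```

A filesystem mounted without nosuid but writable by users lets anyone who obtains a SUID binary (copied in, or left over from an installed package) run it with the owner's privileges, which is why the slide pairs the two points.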
Security HOWTO (cont.)
• Use chattr to set special attributes (disable deleting, creating symbolic links, etc.)
• Run an integrity checker (like Tripwire) routinely (to find changed files)
• Install PGP for users
• Install PAM (Pluggable Authentication Modules)
• Secure X connections (with ssh, for example)
Security HOWTO (cont.)
• Backup!
• Don’t use NFS/NIS without really needing them (and secure them when you do; those things are really not secure)
• Look at your logs once in a while (/var/log/)
• Look at the system log file
Auditing
• Audit your system
• Check the network once in a while (denial of service attacks can be identified this way)
• Check who logs on and from where. Check whether it makes sense
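"Check who logs on and from where" is easy to turn into a routine check. The script below is an added example, not from the talk: it reads login records in a simple user/tty/host/date/time format (the constructed sample lines stand in for what you would extract from `last` or wtmp), and flags logins from hosts outside an allowed domain, logins at night, and remote root logins. The allowed domain, the hours counted as odd, and all host and user names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the slides): review login records as the Auditing
# slide suggests. SAMPLE_LOGINS is constructed; "-" means a console login.

SAMPLE_LOGINS='orr pts/0 ws1.example.org 1999-10-21 10:12
alice pts/1 ws1.example.org 1999-10-21 11:30
root tty1 - 1999-10-21 09:05
bob pts/2 203.0.113.7 1999-10-21 03:17
alice pts/1 ws1.example.org 1999-10-21 02:02'

# Hosts ending in any of these suffixes are considered "known" (assumption).
ALLOWED_HOST_SUFFIXES='.example.org'

# Read "user tty host date HH:MM" lines from stdin; print one line per finding.
audit_logins() {
    while read -r user tty host date time; do
        if [ -z "$user" ]; then continue; fi
        hour=${time%%:*}
        if [ "$host" != "-" ]; then
            known=0
            for suf in $ALLOWED_HOST_SUFFIXES; do
                case "$host" in *"$suf") known=1 ;; esac
            done
            if [ "$known" -eq 0 ]; then
                echo "UNKNOWN-HOST $user from $host on $tty at $date $time"
            fi
            if [ "$user" = "root" ]; then
                echo "REMOTE-ROOT root from $host at $date $time"
            fi
        fi
        # Logins between 00:00 and 05:59 are worth a second look (policy chosen for the example)
        case "$hour" in
            00|01|02|03|04|05) echo "ODD-HOUR $user on $tty at $date $time" ;;
        esac
    done
}

# Number of findings in the constructed sample.
count_sample_findings() {
    printf '%s\n' "$SAMPLE_LOGINS" | audit_logins | wc -l | tr -d ' '
}
```

On the sample data the script reports bob twice (unknown host and odd hour) and alice once (a 02:02 login from an otherwise known host); the console root login at 09:05 produces nothing, since a root login on tty1 matches the securetty advice earlier in the deck.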
Virtual Machine Concept
• Use a VM (like VMware) as the machine which the rest of the world accesses
• Make sure the VM has privileges to change only what it should (no write access to the root partition, etc.)
• Check that the VM is secure (!) - you are counting on the VM not being able to access what it’s not allowed to
Tips and Ideas
Basic Concepts
• Use PAM (changing passwords etc. is then not your responsibility - less vulnerability)
• Check permissions before actions
• Check for overflow/underflow. Be as robust as you can
• If you are writing a daemon, double check everything (and quad check it again).
Basic Concepts (cont.)
• Use available security tools - PGP (mail), SSH (telnet connections), SCP (ftp connections), Kerberos (authentication), IPSec (network), etc.
• Enable a verbose mode - it helps users find problems which might affect them and their security
Basic Concepts (cont.)
• Check whether you can hack the thing (be a malicious user)
• Treat every file carefully: back up before overwriting; before deleting, check whether the file is a system one
• Log all actions (in case someone uses your program to hack and cause damage, for tracing purposes)
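The last two bullets describe how a program should touch files. The script below is an added example, not from the talk: a pair of shell functions that back up before overwriting, write through a temporary file so a crash never leaves a half-written target, refuse to touch anything under system directories, keep a copy instead of deleting outright, and append every action to a log. The list of system directories, the `.bak`/`.deleted` naming and the plain-file log are assumptions for the example; a real daemon would log through syslog.

```shell
#!/bin/sh
# Added example (not from the slides): careful file handling with an action log.
LOGFILE="${LOGFILE:-./actions.log}"   # assumption: plain log file (a daemon would use syslog)

log_action() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE"
}

# Returns 0 when the path lies in a directory this script must never modify (assumed list).
is_system_file() {
    case "$1" in
        /etc/*|/bin/*|/sbin/*|/usr/*|/lib/*|/boot/*) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_write TARGET   (new content on stdin)
# Backs up an existing TARGET to TARGET.bak, writes into a temp file in the same
# directory and renames it into place. Refuses system files and returns 1.
safe_write() {
    target="$1"
    if is_system_file "$target"; then
        log_action "REFUSED overwrite of system file $target"
        echo "refusing to overwrite system file: $target" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        cp -p "$target" "$target.bak" || return 1
        log_action "BACKUP $target -> $target.bak"
    fi
    tmp=$(mktemp "$(dirname "$target")/.tmp.XXXXXX") || return 1
    cat > "$tmp" && mv "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    log_action "WROTE $target"
}

# safe_delete TARGET
# Never removes system files; keeps the file as TARGET.deleted so it can be restored.
safe_delete() {
    target="$1"
    if is_system_file "$target"; then
        log_action "REFUSED delete of system file $target"
        echo "refusing to delete system file: $target" >&2
        return 1
    fi
    mv "$target" "$target.deleted" || return 1
    log_action "DELETED $target (kept as $target.deleted)"
}
```

The rename at the end of safe_write is what makes the overwrite safe: either the old file or the complete new one is in place at any moment, and the log records which happened and when, which is the tracing the slide asks for.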
Links
• Hackers Search Engine - Neworder.box.sk
• Security policy - RFC 2196 - ietf.org/rfc/rfc2196.txt
• Kerberos FAQ - www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
• Linux Security HOWTO - www.linuxhq.com/HOWTO/Security-HOWTO.html
Links (cont.)
• Security Links - www.linuxhq.com/HOWTO/Security-HOWTO-11.html
• SSH FAQ - wwwfg.rz.uni-karlsruhe.de/~ig25/ssh-faq/
• Homepage of PGP - www.pgpi.org/