Linux’ Security Haifa Linux Club 21.10.99 Orr Dunkelman.


Transcript of Linux’ Security Haifa Linux Club 21.10.99 Orr Dunkelman.


Linux’ Security

Haifa Linux Club

21.10.99

Orr Dunkelman


What is a Secure System?

• A secure system is an abstract concept

• Better defined as “robust”: what that means depends on what you need, how much time you are willing to put in, and what resources are at your disposal


P.C. vs. Server

P.C.:

• Close all services

• Don’t open accounts to everyone. Only to good and trusted people

Server:

• Close as many services as possible

• Make sure users have good passwords - use cracklib. Demand periodic password changes


P.C. vs. Server (cont.)

P.C.:

• Don’t install software whose origin you don’t know

• Download only from known places (www.linux.org, etc.)

• Remove Suid’s if you are not the only user

Server:

• Don’t install software whose origin you don’t know

• Download only from known places (www.linux.org, etc.)

• Remove as many Suid’s as possible


Securing Passwords

• Run cracklib on them. Ensure passwords are not too short and not too easy to crack

• Shadow them. Don’t keep the hashes in /etc/passwd but in /etc/shadow (today’s default in a RH 6.1 installation)

• Connect to remote systems using SSH and SCP (the FTP replacement, running over an SSH channel) to prevent passwords from being sent in cleartext


S vs. R

SSH/SCP:

• SSH requires a password or an RSA passphrase (SSH agent)

• SCP requires a password (no one will send files without authorization)

• Several authentication methods are available

RSH/RCP:

• RSH doesn’t require any password

• RCP - no passwords needed

• Works with Kerberos solely


S vs. R (cont.)

SSH/SCP:

• Uses compression

• Doesn’t require a password at all - no password is moved, so if one of the encryption functions has been broken, no one gets the password!

RSH/RCP:

• Plain connection


Authentication

• Prevents IP spoofing (claiming to be at another IP than you are)

• Sometimes the algorithm also allows setting up a key for the rest of the session (Kerberos, for example)

• Slows the connection down a little (at the beginning)

• Known (and used) algorithms - Kerberos, RSA challenges.


Dangerous Permissions

• Suid/Sgid - check very carefully, especially when the file is owned by root/wheel

• World-writable files (mode xx2)

• Nouser/Nogroup (files whose owner or group no longer exists)

• .rhosts files (open R-services)

• Use “find” to find these files
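As an added example (not from the talk), the four checks on this slide as a POSIX shell script built on find. The function names and the ROOT argument are mine; it also skips sticky world-writable directories such as /tmp and symbolic links, which the slide does not mention.

```shell
#!/bin/sh
# perm_audit.sh: list the dangerous permissions named on the slide under a
# directory tree. Added example, not from the talk. Usage: sh perm_audit.sh /
# ROOT defaults to /; -xdev keeps find on one filesystem (no /proc, no NFS).

# Setuid or setgid regular files. "-perm -4000" matches every mode that has
# the setuid bit; "-perm 4000" would match only a mode of exactly 4000.
find_suid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable files and directories (the "xx2" modes on the slide).
# Sticky directories such as /tmp (mode 1777) are the expected exception,
# and symlinks always report mode 777, so both are skipped.
find_world_writable() {
    find "${1:-/}" -xdev -perm -0002 ! -type l \
        ! \( -type d -perm -1000 \) 2>/dev/null
}

# Files whose uid or gid has no entry in /etc/passwd or /etc/group
# (nouser/nogroup): typically left over from a removed account or a
# carelessly unpacked archive; whichever new account gets that uid owns them.
find_unowned() {
    find "${1:-/}" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# .rhosts files: every one of them grants password-less R-service logins.
find_rhosts() {
    find "${1:-/}" -xdev -name .rhosts 2>/dev/null
}

# Total number of findings; anything non-zero deserves a look when the
# script runs from cron.
audit_count() {
    { find_suid "$1"; find_world_writable "$1"; find_unowned "$1"; find_rhosts "$1"; } |
        wc -l | tr -d ' '
}

# Human-readable report, one section per check.
audit_report() {
    for check in find_suid find_world_writable find_unowned find_rhosts; do
        printf '== %s ==\n' "$check"
        "$check" "$1"
    done
    printf '%s findings\n' "$(audit_count "$1")"
}

# Only run the report when a root directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_report "$1"
fi
```

Run it as root so that every directory can be read; the list from find_suid is the starting point for the next slide's question of which setuid programs are actually needed.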


Example - How to remove Suid’s?

• First find them - find / -perm -4000

• Then check if you need them - login, wanted daemons (Qmail, telnet, SSH, FTP)

• Close services not needed in /etc/inetd.conf

• Use TCP Wrappers for the rest of the ports (those on which you usually get nuked - 139)
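An added example (not from the talk) of the last two steps: commenting services out of an inetd.conf and writing a default-deny TCP Wrappers policy. The file paths are parameters so the functions can be tried on copies first; the sample inetd.conf and the 192.168.1. network are constructed, and the daemon names in hosts.allow (sshd, in.ftpd) are assumptions about which daemons the machine keeps.

```shell
#!/bin/sh
# inetd_harden.sh: comment out services in an inetd.conf and write a
# default-deny TCP Wrappers policy. Added example, not from the talk; file
# paths are parameters so it can be tried on copies before touching /etc.

# Write a constructed inetd.conf with a few typical entries, used for
# trying the functions below. Not a real configuration.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
EOF
}

# Number of services still enabled: lines that are neither blank nor comments.
enabled_services() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Comment out every active line for one service. Lines in inetd.conf start
# with the service name from /etc/services, so "^name<space>" matches only
# that service. The previous version is kept as <file>.bak.
disable_inetd_service() {
    conf=$1; svc=$2
    cp "$conf" "$conf.bak" &&
        sed "s/^\(${svc}[[:space:]]\)/#\1/" "$conf.bak" > "$conf"
}

# Default-deny TCP Wrappers policy: hosts.deny refuses everything, and
# hosts.allow names the few daemons and the source network that may
# connect. The daemon names are the ones tcpd sees (assumed here: sshd
# and in.ftpd); the network is whatever the caller passes.
write_tcpwrappers() {
    deny=$1; allow=$2; net=$3
    printf 'ALL: ALL\n' > "$deny"
    printf 'sshd: %s\nin.ftpd: %s\n' "$net" "$net" > "$allow"
}

# True when hosts.deny carries the catch-all rule.
tcpwrappers_default_deny() {
    grep -q '^ALL:[[:space:]]*ALL' "$1"
}

# Demonstration on a scratch copy when run as "sh inetd_harden.sh demo".
if [ "$1" = demo ]; then
    dir=$(mktemp -d)
    write_sample_inetd_conf "$dir/inetd.conf"
    disable_inetd_service "$dir/inetd.conf" finger
    disable_inetd_service "$dir/inetd.conf" telnet
    cat "$dir/inetd.conf"
    write_tcpwrappers "$dir/hosts.deny" "$dir/hosts.allow" 192.168.1.
    cat "$dir/hosts.deny" "$dir/hosts.allow"
    rm -rf "$dir"
fi
```

After editing the real /etc/inetd.conf, inetd must be told to reread it (a HUP signal), and a port scan from another host (as the next slide suggests) confirms the service is really gone.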


Monitor your Computer!

• Be the hacker yourself. Check for scripts and exploits which might be used against you

• Port scan your machine once in a while - ensure no ports and services are open (unless you opened them)

• Put up a firewall. Hiding behind a firewall might help in reducing hackability (though those who pass it are likely to hack better)


Introduction to Hacker 1

• Use a port scanner on the machine you are about to attack (nmap does great, and helps you find the OS running on the computer)

• Go to hackers’ web-sites and look for the right exploits and scripts

• Try to examine the services’ code; maybe you’ll find a backdoor


Security HOWTO

• Restrict physical access (locks etc.)

• Consider BIOS and LILO passwords

• Lock the workstation when you’re not near it (vlock/xlock)

• Try to reduce root logins to the ttys declared in /etc/securetty

• Use “su -” instead of logging in as root


Security HOWTO - Files

• When you need to allow root-like access, minimize it using sudo

• Don’t allow Suid/Sgid where non-root users can write to the disk (mount with nosuid)

• Set the right default permissions with umask

• Limit resources on the machine (nproc, CPU time, etc.)

• Set /var/log/wtmp and /var/run/utmp permissions to 644
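An added example (not from the talk) that checks three of the settings from these two slides: that /etc/securetty lists no network pseudo-terminals, that a user-writable mount in /etc/fstab carries nosuid, and that the wtmp and utmp files are mode 644. The functions take file paths, so they run against copies collected into one directory; the sample securetty and fstab in the usage below are constructed.

```shell
#!/bin/sh
# howto_checks.sh: verify a few of the settings from these two slides.
# Added example, not from the talk. Every function takes file paths, so the
# checks can be run against copies of /etc/securetty, /etc/fstab,
# /var/log/wtmp and /var/run/utmp gathered into one directory.

# /etc/securetty lists the terminals root may log in on. Pseudo-terminals
# (ttyp*, pts/*) there would permit remote root logins over telnet or rsh,
# so count them; the goal is zero.
securetty_remote_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -c -E '^(ttyp|pts/)' || true
}

# True when the fstab ($1) entry for mount point $2 carries option $3, e.g.
# nosuid on /home so that a setuid binary written there by a user is ignored.
fstab_has_option() {
    awk -v mnt="$2" -v opt="$3" '
        $0 !~ /^[[:space:]]*#/ && $2 == mnt {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# True when a file has exactly the given octal mode, using only POSIX find
# (-prune keeps it from descending if the path is a directory).
has_exact_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Run the checks against a directory holding copies of the four files and
# print the number of failures (0 means everything matched the HOWTO).
howto_check_all() {
    dir=$1; failures=0
    [ "$(securetty_remote_entries "$dir/securetty")" = 0 ] || failures=$((failures + 1))
    fstab_has_option "$dir/fstab" /home nosuid || failures=$((failures + 1))
    for f in "$dir/wtmp" "$dir/utmp"; do
        has_exact_mode "$f" 644 || failures=$((failures + 1))
    done
    echo "$failures"
}

# Usage: sh howto_checks.sh DIR   (DIR holds securetty, fstab, wtmp, utmp)
if [ $# -gt 0 ]; then
    printf '%s HOWTO check(s) failed\n' "$(howto_check_all "$1")"
fi
```

The fstab check only reads the file; whether the filesystem is currently mounted with nosuid is a separate question answered by the mount command.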


Security HOWTO (cont.)

• Use chattr to set special attributes (disable deleting, creating symbolic links, etc.)

• Run an integrity checker (like Tripwire) routinely (to find changed files)

• Install PGP for users

• Install PAM (Pluggable Authentication Modules)

• Secure X connections (ssh for example)


Security HOWTO (cont.)

• Backup!

• Don’t use NFS/NIS without really needing them (and secure them when you do; those things are really not secure)

• Look at your logs once in a while (/var/log/)

• Look at the system log file


Auditing

• Audit your system

• Check the network once in a while (denial of service attacks can be identified this way)

• Check who logs on and from where. Check if it makes sense
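An added example (not from the talk) of the last point: filtering the output of the last command, which reads the login history from /var/log/wtmp, for logins from hosts outside an expected set. The sample last output, the host names and the networks are constructed; the expected-host regex is an assumption to be replaced with the site's own.

```shell
#!/bin/sh
# login_review.sh: flag logins from unexpected hosts in the output of
# "last" (the login history in /var/log/wtmp). Added example, not from
# the talk; the sample lines and the networks are constructed.

# Constructed "last" output for the demonstration. Column layout of last:
# user, terminal, host (absent for console logins), then the time.
write_sample_last_output() {
    cat > "$1" <<'EOF'
orr      pts/0        pc1.example.edu  Thu Oct 21 20:15 - 20:45  (00:30)
orr      pts/1        192.168.1.5      Thu Oct 21 19:02 - 19:10  (00:08)
root     tty1                          Thu Oct 21 18:00 - 18:05  (00:05)
root     pts/2        203.0.113.7      Thu Oct 21 03:12 - 03:40  (00:28)
reboot   system boot  2.2.12           Wed Oct 20 09:00
wtmp begins Wed Oct 20 09:00:00 1999
EOF
}

# Print "user terminal host" for every remote login in file $1 whose host
# does not match the extended regex $2. Only lines whose third field
# contains a dot (a host name or address) are remote logins; console
# logins, reboot records and the trailing "wtmp begins" line have none.
unexpected_logins() {
    awk -v ok="$2" '$3 ~ /[.]/ && $3 !~ ok { print $1, $2, $3 }' "$1"
}

# Number of such logins, for a cron job that mails when it is non-zero.
unexpected_login_count() {
    unexpected_logins "$1" "$2" | wc -l | tr -d ' '
}

# Expected sources (assumed): the lab network and the department's hosts.
# Written with [.] rather than \. so no backslash has to survive awk -v.
EXPECTED='^(192[.]168[.]1[.]|[a-z0-9-]+[.]example[.]edu$)'

# Usage: last > last.txt; sh login_review.sh last.txt ['regex']
if [ $# -gt 0 ]; then
    unexpected_logins "$1" "${2:-$EXPECTED}"
fi
```

A root login from an unknown address at three in the morning, as in the sample, is exactly the line that "does not make sense"; the time column is there to be read too, even though the filter only looks at the host.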


Virtual Machine Concept

• Use a VM (like VMware) to be the machine which the rest of the world accesses

• Make sure the VM has privileges to change only what it should (no write access to the root partition, etc.)

• Check that the VM is secure (!) - you are counting on the VM not being able to access what it’s not allowed to


Tips and Ideas


Basic Concepts

• Use PAM (changing passwords etc. is then not your responsibility - less vulnerability)

• Check permissions before actions

• Check for overflow/underflow. Be as robust as you can

• If you are writing a daemon, double check everything (and quadruple check it again).


Basic Concepts (cont.)

• Use available security tools - PGP (mail), SSH (telnet connections), SCP (ftp connections), Kerberos (authentication), IPSec (network), etc.

• Enable a verbose mode - it helps users find problems which might affect them and their security


Basic Concepts (cont.)

• Check if you can hack the thing (be a malicious user)

• Treat any file carefully: back it up before overwriting; before deleting, check if the file is a system one.

• Log all actions (in case someone uses your program to hack and cause damage, for tracing purposes)


Links

• Hackers Search Engine - Neworder.box.sk

• Security policy - RFC 2196 - ietf.org/rfc/rfc2196.txt

• Kerberos FAQ - www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

• Linux Security HOWTO - www.linuxhq.com/HOWTO/Security-HOWTO.html


Links (cont.)

• Security Links - www.linuxhq.com/HOWTO/Security-HOWTO-11.html

• SSH FAQ - wwwfg.rz.uni-karlsruhe.de/~ig25/ssh-faq/

• Homepage of PGP - www.pgpi.org/