
8/14/2019 Linux Security Zuo

Linux Security
Chapter 21 (section 1-7)
By Yanjun Zuo

Morris worm
- Robert Morris, a graduate student at Cornell University, released an Internet worm in 1988
- This worm made use of the open nature of mail transport agents (a debug program) to spread
- Since then, computer security has entered a new stage

Security
- A recent survey (by CSI/FBI in April 2001) showed 91% of organizations have reported security breaches in the past 12 months
- 95% of these reporting organizations used security tools such as commercial firewalls
- These facts at least teach us that security is a complicated issue and some commercial security products are not

Linux security
- Like other OSes, Linux is not secure
  - Linux is optimized for convenience and doesn't make security easy or natural
  - Linux security is effectively binary: all or nothing in terms of power. Facilities such as setuid execution tend to give a way in the middle
  - Linux is developed by a large community of programmers and is open source

Linux security
- The most important security issues to consider for a Linux system:
  - Packet filtering: there must be a packet filtering router or firewall between the Linux system and the outside world (iptables)
  - Unnecessary services (examine the contents of /etc/inetd.conf)

Linux security
  - Software patches: update software security patches regularly and as soon as possible
  - Backups: any other method may fail, so it is important to make backups
  - Passwords: it is no longer secure to send plaintext reusable passwords online. Use SSH or other authentication systems

How security is compromised
- Unreliable wetware: human users and administrators may be the weakest link in the chain of security
- Software bugs: user programs, system, and network vulnerabilities
- Open doors: much software is configured as not-so-secure by default

/etc/passwd and /etc/shadow files
- These two files are the system's first line of defense against intruders
- It is very important to regularly check that every login has a password
- Pseudo-users such as daemon, who own files but never log in, should have a star (*) in their encrypted password field

/etc/passwd and /etc/shadow files
- The command

    perl -F: -ane 'print if not $F[1];' /etc/shadow

  can be used to find null passwords
- Use the cron program to run this command and send mail to you about any null password

/etc/passwd and /etc/shadow files
- /etc/shadow is readable only by root
- /etc/passwd and /etc/group should be writable only by root
- Passwords chosen by users should be at least 8 characters long and should include numbers, punctuation, or changes in case

PAM: pluggable authentication module
- PAM can be used to integrate login services with different authentication technologies, such as RSA, DCE, Kerberos, S/Key, and smart card based authentication systems [1]

PAM: pluggable authentication module
- Applications enabled to make use of PAM can be plugged in to new technologies without modifying the existing applications. This flexibility allows administrators to do the following:
  - Select any authentication service on the system for an application
  - Use multiple authentication mechanisms for a given service
  - Add new authentication service modules without modifying existing applications
  - Use a previously entered password for authentication with multiple modules [2]

PAM: pluggable authentication module
- The concept of Linux-PAM: programs that require authentication only need to know that there is a module available that will perform the authentication for them
- PAM is set up so that modules can be added, deleted, and reconfigured at any time; it is not necessary for modules to be linked in at the time a utility is compiled

PAM: pluggable authentication module
- It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an application may use to request that a user be authenticated [3]

Format of PAM configuration file entries
- The configuration files for PAM are in the directory /etc/pam.d
- An entry of the configuration file has the format:

    module-type control-flag module-path arguments

Format of PAM configuration file entries
- Module-type field: auth, account, session, or password
- Control-flag field: required, requisite, sufficient, or optional
- Module-path: pathname for the dynamically loaded module object
- Arguments: the arguments for the dynamically loaded module object

An example of PAM
- Additions to /etc/pam.d/passwd to enable passwd to perform strong password checking by using a PAM module derived from the crack library might look like this:

    password required pam_cracklib.so retry=3
    password required pam_pwdb.so use_authtok
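The entry format on the previous slides can be checked mechanically. The script below is an added example, not part of the slides or of Linux-PAM itself: it splits each non-comment line of a pam.d-style file into the four fields described above and reports lines whose module-type or control-flag is not one of the documented keywords, or whose module-path does not name a shared object. The sample file it builds is constructed for the example; the classic four control flags are all it knows, so the newer bracketed control syntax (`[success=1 default=ignore]`) is reported as unknown and should be reviewed by hand.

```shell
#!/bin/sh
# Added example (not from the slides): sanity-check a PAM configuration file
# against the entry format  module-type control-flag module-path arguments

# Check one entry. Returns 0 if well-formed, 1 otherwise (reason on stderr).
check_pam_entry() {
    line=$1
    set -- $line                      # split the entry into fields on whitespace
    [ $# -ge 3 ] || { echo "too few fields: $line" >&2; return 1; }
    case $1 in
        auth|account|session|password) ;;
        *) echo "unknown module-type '$1': $line" >&2; return 1 ;;
    esac
    case $2 in
        required|requisite|sufficient|optional) ;;
        *) echo "unknown control-flag '$2': $line" >&2; return 1 ;;
    esac
    case $3 in
        *.so) ;;
        *) echo "module-path is not a shared object '$3': $line" >&2; return 1 ;;
    esac
    return 0
}

# Check every active line of a file; prints the number of bad entries.
check_pam_file() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        case $l in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        check_pam_entry "$l" || bad=$((bad + 1))
    done < "$1"
    echo "$bad"
}

# Constructed sample: the two good entries from the slide plus two bad ones
# (a misspelled control flag and a bogus module type).
make_sample_pam() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed /etc/pam.d/passwd for this example
password required pam_cracklib.so retry=3
password required pam_pwdb.so use_authtok
auth     requried pam_unix.so
passwd   required pam_unix.so
EOF
    echo "$f"
}

# Stand-alone run: report how many entries of the sample are malformed.
sample=$(make_sample_pam)
echo "bad entries: $(check_pam_file "$sample")"
rm -f "$sample"
```

On a real host, run `check_pam_file /etc/pam.d/passwd` (or loop over the directory); a non-zero count means an entry PAM may silently ignore or misinterpret, which is worth knowing before relying on the stack for password policy.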

Group logins and shared logins
- It is not recommended to allow users to share logins with family or friends
- It is recommended to use the sudo program to control access to rootly power

Rootly entries
- A common way for hackers to install a back door once they have obtained a root shell is to edit new root logins into /etc/passwd
- The following script can be used to find any lines in the passwd file that have null or 0 UIDs:

    perl -F: -ane 'print if not $F[2];' /etc/passwd
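The two perl one-liners on this slide and on the /etc/shadow slide do the same job: select lines whose second or third colon-separated field is empty (or, for the UID, zero). The script below is an added example, not from the slides; it reimplements both checks in awk, wraps them in a small audit that ignores the legitimate root entry, and runs them over constructed passwd and shadow files so it works without root. On a real host point the functions at /etc/passwd and /etc/shadow (reading /etc/shadow needs root) and run the audit from cron, as the slides suggest.

```shell
#!/bin/sh
# Added example (not from the slides): audit passwd/shadow-style files for
# empty password fields and for logins with a null or 0 UID.

# Print login names whose password field (field 2) is empty.
# Equivalent to: perl -F: -ane 'print if not $F[1];' /etc/shadow
null_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print login names whose UID field (field 3) is empty or numerically 0.
# Equivalent to: perl -F: -ane 'print if not $F[2];' /etc/passwd
uid_zero_logins() {
    awk -F: '$3 == "" || $3 == 0 { print $1 }' "$1"
}

# $1 = passwd file, $2 = shadow file. Prints a warning per finding and
# returns 1 if anything was found, 0 if the files look clean.
audit_accounts() {
    found=0
    for u in $(null_passwords "$2"); do
        echo "WARNING: empty password field for login $u"
        found=1
    done
    for u in $(uid_zero_logins "$1"); do
        [ "$u" = root ] && continue      # the one UID 0 entry that belongs
        echo "WARNING: UID 0 or empty UID for login $u"
        found=1
    done
    return $found
}

# Constructed sample files (hashes are placeholders, not real digests).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
toor:x:0:0:planted root login:/root:/bin/sh
bob:x::1001:Bob:/home/bob:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructedhash1:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$constructedhash2:18000:0:99999:7:::
guest::18000:0:99999:7:::
EOF
    echo "$dir"
}

# Stand-alone run over the sample data.
d=$(make_samples)
audit_accounts "$d/passwd" "$d/shadow" || echo "audit found problems"
rm -rf "$d"
```

The awk version is slightly stricter than the perl one for UIDs: it also flags a UID written as `00`, which perl's string truthiness would miss.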

Setuid programs
- The setuid commands distributed with Linux are theoretically secure, but they have security holes
- Try to minimize the number of setuid programs
- Although a shell spawned to execute a script doesn't necessarily read the user's shell configuration files, it can be influenced by the user's environment, by the contents of the current directory, or by the manner in which the script is invoked

Setuid programs
- A setuid program can be run as a pseudo user instead of root
- Use a low UID for the pseudo user, put a star in the passwd field, and make the pseudo user's home directory be /etc/null

Setuid programs
- Setuid and setgid execution on individual filesystems can be disabled through use of the -o nosuid option to mount

Setuid programs
- It is useful to scan disks periodically to look for new setuid programs
- A hacker who has breached the security of your system will sometimes create a private setuid shell or utility to facilitate repeat visits
- The following command finds a list of all setuid root files and mails it to the admin user:

    find / -user root -perm -4000 -print | mail -s "Setuid root files" admin
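Mailing the whole list every night is only useful if someone reads it; what an administrator actually wants to know is which setuid files are new since the last scan. The script below is an added example, not from the slides: it builds a small constructed directory tree (a legitimate setuid `passwd`, a normal `ls`, and a setuid file hidden under `tmp`), runs the same `find -perm -4000` scan over it, and diffs the result against a saved baseline. The `-user root` test from the slide's command is left out because the constructed files belong to whoever runs the script; add it back for a real scan of `/`.

```shell
#!/bin/sh
# Added example (not from the slides): periodic setuid scan with a baseline.
# Real use:  scan_setuid / > /var/lib/setuid.today
#            new_setuid_since /var/lib/setuid.baseline /

# Print every regular file under $1 with the setuid bit set, sorted so the
# output can be compared with comm(1).
scan_setuid() {
    find "$1" -type f -perm -4000 -print | sort
}

# $1 = sorted baseline list, $2 = directory to scan.
# Prints setuid files present now but absent from the baseline.
new_setuid_since() {
    scan_setuid "$2" | comm -13 "$1" -
}

# Constructed tree: two setuid files, one of them planted in tmp.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp"
    : > "$root/usr/bin/passwd"
    : > "$root/usr/bin/ls"
    : > "$root/tmp/.hidden_shell"
    chmod 4755 "$root/usr/bin/passwd" "$root/tmp/.hidden_shell"
    chmod 755 "$root/usr/bin/ls"
    echo "$root"
}

# Stand-alone run: baseline knows only about passwd, so the planted file shows up.
r=$(make_tree)
printf '%s\n' "$r/usr/bin/passwd" > "$r/baseline"
echo "new setuid files:"
new_setuid_since "$r/baseline" "$r"
rm -rf "$r"
```

Keep the baseline on the central logging host rather than on the scanned machine; an intruder who can plant a setuid shell can also edit a local baseline to hide it.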

Important file permissions
- /dev/kmem should only be readable by the owner and group, never by the world, since this file allows access to the kernel's own virtual address space
- If your /dev/kmem file is publicly readable, a competent programmer can then look for things like unencrypted passwords in the kernel data structures and buffers. Change it so that it is not world readable

Important file permissions
- Directories that are accessible through anonymous FTP should not be publicly writable
- Such directories create a nest for hackers to distribute illegally copied software and other sensitive files
- Setting up anonymous FTP usually involves copying a skeleton password file into ~ftp/etc/passwd so that ls will work correctly

Important file permissions
- Having read or write permission on a disk device file is essentially the same as having read or write permission on every file in the filesystem it represents
- Only root should have both read and write permission
- The group owner is sometimes given read permission to facilitate backups, but there should be no permissions for the world
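The /dev/kmem and disk-device advice on the last two slides reduces to one check: no "other" permission bits at all on those files. The script below is an added example, not from the slides; it lists every non-directory under a path that grants the world any of read, write or execute, and applies the fix (`chmod o-rwx`). Device nodes cannot be created without root, so a constructed directory of regular files named like the devices stands in; on a real host run `world_accessible /dev` and inspect the result before revoking anything, since some devices (for example /dev/null) are world-accessible on purpose.

```shell
#!/bin/sh
# Added example (not from the slides): find and fix world-accessible files.

# Print (sorted) every non-directory under $1 whose mode has any "other" bit set.
world_accessible() {
    find "$1" ! -type d \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Remove every world permission bit from the given files.
revoke_world() {
    chmod o-rwx "$@"
}

# Constructed stand-ins for device files (regular files, no root needed).
make_devices() {
    dir=$(mktemp -d)
    : > "$dir/kmem"; chmod 644 "$dir/kmem"    # world readable: the case the slide warns about
    : > "$dir/sda";  chmod 660 "$dir/sda"     # owner + group only: as recommended for disks
    : > "$dir/sdb";  chmod 666 "$dir/sdb"     # world read/write: worst case
    echo "$dir"
}

# Stand-alone run: report, fix, report again.
d=$(make_devices)
echo "before:"; world_accessible "$d"
revoke_world "$d/kmem" "$d/sdb"
echo "after:";  world_accessible "$d"
rm -rf "$d"
```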

Remote event logging
- Forward log information to a file, a list of users, or another host on the network
- Set up a secure host that acts as a central logging machine and prints out security violations
- This precaution prevents hackers from covering their tracks by rewriting or erasing log files

Secure terminals
- Linux can be configured to restrict root logins to specific secure terminals
- It is a good idea to disable root logins on channels such as dial-up modems
- Network pseudo-terminals are often set to disable root logins

Secure terminals
- The secure channels are specified as a list of TTY devices in the configuration file /etc/securetty
- It is also possible to restrict nonroot logins to particular locations with entries in the file /etc/security/access.conf, or to particular times with entries in the file /etc/security/time.conf

/etc/hosts.equiv and ~/.rhosts
- These two files define hosts as being administratively equivalent to one another
- rshd and rlogind, the server processes that read .rhosts and hosts.equiv, are recommended to be disabled
- The functionality of telnet, rlogin, rsh, or rcp can be replaced with high-security equivalents such as SSH

rexecd and tftpd
- rexecd is another remote command execution daemon, which is the server for the rexec library routine
- Requests sent to rexecd include a plaintext password
- tftpd is a server for the Trivial File Transfer Protocol
- It allows machines on the network to request files from your hard disks. Hence it is a potential security hole

fingerd
- finger is a Linux command that prints a short report about a particular user
- Information collected from finger is potentially useful to hackers
- It is recommended to disable fingerd in /etc/inetd.conf
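The last four slides all end in the same action: disable a service in /etc/inetd.conf. The script below is an added example, not from the slides; it reads an inetd.conf-style file, lists the services that are still enabled (non-comment lines, first field), and flags the ones the slides say to turn off. The service names follow /etc/services: rsh is `shell`, rlogin is `login`, rexec is `exec`. The sample file is constructed. On newer systems inetd has often been replaced by xinetd or systemd socket units, in which case the file will not exist and the equivalent check is against those units instead.

```shell
#!/bin/sh
# Added example (not from the slides): audit an inetd.conf for services the
# slides recommend disabling (finger, rsh, rlogin, rexec, tftp, telnet).

# Print the service name of every active (non-comment, non-blank) line.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Print the enabled services that are on the disable list. Always exits 0
# so the caller can tell "nothing found" from "grep failed".
risky_enabled_services() {
    enabled_services "$1" | grep -E -x 'finger|shell|login|exec|tftp|telnet' || true
}

# Constructed inetd.conf: ftp and rsh already commented out, the rest still on.
make_sample_inetd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed /etc/inetd.conf for this example
#ftp    stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd /tftpboot
ident   stream  tcp  nowait  nobody  /usr/sbin/identd identd
EOF
    echo "$f"
}

# Stand-alone run.
f=$(make_sample_inetd)
echo "enabled: $(enabled_services "$f" | tr '\n' ' ')"
echo "should be disabled: $(risky_enabled_services "$f" | tr '\n' ' ')"
rm -f "$f"
```

After commenting out an entry, inetd must be told to re-read the file (a HUP signal) for the change to take effect; the audit above only looks at the configuration, not at what is currently listening.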

Security and NIS
- NIS maintains and distributes files such as /etc/group, /etc/passwd, and /etc/hosts
- NIS's very nature of easy information access makes it tasty hacker bait
- A late replacement is NIS+

Security and NFS
- Access to NFS volumes is granted by /etc/exports
- This is a weak form of security because the server trusts the clients to tell it who they are
- It is easy to make clients lie about their identities
- The TCP wrappers package can help limit the hosts that can access NFS filesystems (through /etc/hosts.deny)

Security and NFS
- File-level access control to NFS filesystems is managed according to UID, GID, and file permissions
- Once again, the NFS server trusts the client to tell it who is accessing files
- It is strongly recommended to use globally unique UIDs and the root_squash option
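What the root_squash recommendation looks like in /etc/exports, as an added example that is not from the slides. The path and network are made up; the option names are those of the Linux exports(5) file. The first entry is the weak form: every host may mount the share, and a client's root keeps UID 0 on the server, so the client-supplied identity the slides warn about is trusted all the way up to root. The second restricts the share to one subnet and maps remote root to the anonymous user.

```text
# /etc/exports -- constructed example, not from the slides

# Weak: any client, and remote root is honoured as root on the server
/export    *(rw,no_root_squash)

# Corrected: named subnet only, remote root mapped to the anonymous user.
# root_squash is the default in Linux nfs-utils, but writing it out makes
# the intent explicit and survives someone adding no_root_squash later.
/export    192.0.2.0/24(rw,root_squash)
```

Because file-level access is still decided by the UID the client presents, root_squash protects the server's root-owned files only; a client that presents any other UID is still believed, which is why the slide pairs the option with globally unique UIDs.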

Security and NFS
- It is a good idea to block access to TCP and UDP port 2049 (used by NFS) when configuring firewalls
- You should also block access to the portmap daemon, which normally listens on TCP and UDP port 111

Security and sendmail
- Sendmail is a massive network system and a large part of it runs as root
- Sendmail accepts arbitrary user-supplied input and delivers it to local users, files, or shells
- It has often been subject to attacks
- Numerous vulnerabilities have been exposed over time

Trojan horses
- Programs aren't what they seem to be
- It is remarkable how few Trojan horse incidents there have been

References
(1) http://java.sun.com/security/jaas/doc/pam.html
(2) http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/pam_overview.htm
(3) http://www.tldp.org/HOWTO/User-Authentication-HOWTO/x101.html

Questions or Comments?