securing linux

securing linux

attacks from the inside

chapters 5,8,9

reoccurring theme

• kernel updates & patches• application updates & patches• disable not needed services / daemons• disable or remove not needed software• close open ports• strong passwords • restrict root access• restrict physical access

more worries

• history scrounging • locate file database –exposing hidden files• lost & found directories• applications with hidden passwords• /tmp file systems• backup file systems• single user booting / live CD boot accessing file

system• employee damage intentional and unintentional

introduction

• most attacks are internal! – FBI– yet only 9% are reported

• root access is the goal– ability to alter system files– ability to alter log files– ability to activate daemons– ability to facilitate future access

• strategy:– regular user => system user => root user

overview

• basic terminology

• social engineering

• access to equipment

• types of attacks

• what comes after root access

• countermeasures

basic terminology

• trojan horse– a program designed to circumvent security

disguised as something benign– must rely on a user to accomplish its goals

• must be delivered to a computer system

• must be activated on the computer system

• malware– malicious software – catch-all term to refer to any software designed

to cause damage

basic terminology

• virus– more than a simple stand-alone program; once

activated it will infect other files on the host– must rely on a user to accomplish its goals

• must be delivered to a computer system• must be activated on the computer system

• cookies (small text file)– cookies are a legitimate tool used by many

websites to track visitor information – the only websites that are supposed to be able

to retrieve the information stored in a cookie are the websites that wrote the information

basic terminology

• spyware– cookie abuse - they may track your web

surfing habits across many different websites without informing you, typically considered as an invasion of privacy

– spyware can also do some nasty things to ensure that the spyware keeps running and keeps influencing what you see

trojan horses and viruses

• methods of delivery: trojan horse and virus– from friends– usenet / forum posts– e-mail– P2P file sharing– browsing malicious websites – security software: fixes, tests, proofs of

concept


• counter-measures:– never run a program from an untrusted source– know what the program does before you run it– run MD5 or SHA1 hash against programs– run the program on a dedicated host– run the program in a chroot jail– never run any program as root user– “when in doubt, throw it out!”


• more specific countermeasures:– verify vendor notices

• e.g., confirm e-mail information with web site visit

– verify PGP signatures and MD5 checksums– perform a code review (if open source)– be sure to logout / lockscreen when away from

computer– be attentive to computer when returning

• fake login screen

• fake screen saver


• linux has not been susceptible to attacks by viruses

• linux systems are much harder to infect

• some viruses attack dual boot systems (windows + linux) by attacking from the windows partition

• win32 /lindos 1st cross-platform virus

basic terminology

• worm– program that can infect both the local host and

also remote hosts over a network– does NOT rely on a user to accomplish its

goals– a worm is a specific type of virus that

propagates itself across many computers

basic terminology

• time bomb– usually has malicious intent– typically attacks the host file system– a program designed to activate at some

specified time in the future

worms and time bombs

• countermeasures:– keep software up to date– monitor

• systems logs for suspicious activity

• system files for any changes in file properties

social engineering

• too often system cracking has nothing to do with computer theory, cracker software, or exotic strategies

• system cracking is made trivial by weaknesses in human nature

• all social engineering mind games apply as discussed on week 3

social engineering• countermeasures:

– be paranoid! perhaps anal is a better word?• question everything

• verify the source

• ask for identification

– just say “no”– educate system users

• do not leave passwords on post-it notes

• do not leave passwords in desk drawer

– pay attention to what you throw away• document shredding policy

limit access to equipment• access to computer / server rooms

– limit access to hardware to authorized personnel company and vendors

– log access / entry

• access to user workstations– most susceptible to social engineering

• worker's name• worker's family

– post-it notes with passwords– develop a document shredding policy– develop a clean work area policy

boot access

• boot access is root access!– if a person can boot a system, then a person

owns everything on that system• can copy

• can modify

• can delete

• can reformat the entire device!

– a simple boot floppy, boot cd-rom (liveCD), boot USB

boot access

• countermeasures:– password protect BIOS– disable all bootable devices except the fixed

disk• either a simple short circuit of motherboard• or removal of battery undoes BIOS settings, so ...

– place system in a secure and visible room– install security cameras in vulnerable areas– use a chassis lock / server rack locks– hot glue gun to USB ports

boot access• countermeasures (cont'd)

– disable the “three-finger salute” [ctrl][alt][delete]• /etc/inittab

– either #ca::ctrlaltdel:/sbin/shutdown -t 3 -r now

– or ca::ctrlaltdel:/usr/local/sbin/cad_warn

» cad_warn is a script file to generate e-mail which identifies users who use the three-finger salute

– protect the boot loader configuration• chown root:root grub.conf

• chmod 600 grub.conf

– password protect all but the default option for the boot loader

boot access

• countermeasures (cont'd)– be careful with single-user mode (runlevel 1)

• /etc/inittab must contain the entry– su:S:wait:/sbin/sulogin

• if /etc/passwd or /etc/shadow have been corrupted– then sulogin will spawn a shell for repair

general user access

• even if a cracker has gained access to a user's account, he or she may not be able to take advantage of information– encrypted file systems!

• good news: cracker must identify these partitions and mount

• bad news: user must remember to unmount these partitions

general user access

• examples of encrypted file systems– CFS: Cryptographic File System– TCFS: Transparent Cryptographic File System– BestCrypt File System– PPDD– Loopback Encrypted File System– Steg File System

types of attacks

• system configuration

• elevating user privileges

• password cracking

• trail hiding

• creating backdoors

attacking system configuration

• home directory permissions– often too much visibility to other users,

especially if all users belong to a generic “users” group

• chmod 700 /home/* /root

• chmod go-rwx /home/*/* /root/*

– history file information (~/.bash_history)• history scrounging reveal much about you!

• make sure history files are only readable by the owner


• weaknesses in the “locate” database– frequently displays hidden files and secure files

to regular users• use the more secure “slocate” utility

• many distributions do this by default


• secure information found in lost+found directories– fsck saves fragments in the lost+found

directory– lost+found is often world readable!

• find / -name “lost+found” -ok chmod 700 {}\;


• unmounted backup files– limit access to backup devices

• chgrp backup /dev/*rtf0

• chmod 660 /dev/*rtf0

• encrypt tape backups


• including “.” on PATH for convenience– unlike MSDOS which looks in the current

directory first, UNIX only looks along the PATH!

– if “.” is not on PATH, then activate program• ./<program>

– root user should never have “.” on PATH!– regular users should probably not have “.” on

PATH as well

attacking system configuration• mounting file systems “noexec”

– this trick is not really very useful!• although the following command will not work

– ./sample.sh (shell script)

• the following command will work– /bin/bash sample.sh

• a program / script is in reality data to be executed by the appropriate interpreter!

– “noexec” is only meaningful in conjunction with restricted shells

• rbash

• rksh


• links create flexibility

• flexibility creates vulnerability– hard link – same i-node

• may include important system files

• may not cross partition boundary

– symbolic link – pointer to a file (its path)• may include important system files

• may cross partition boundary

• may reference a non-existent file!


• links (cont'd)– countermeasures:

• if possible, create separate partitions for important system directories

– /

– /boot

– /usr

– /var

– /home

– /tmp

• be careful when creating temporary files– potential link to capture sensitive data


• conditional scripts (used by many distributions)

• if [ -f /etc/rc.d/rc.serial ]

• then

• ./etc/rc.d/rc.serial

• fi

– a trojan horse with such a name (rc.serial) will now run at system startup as root

– countermeasures:• make such startup scripts immutable

– chattr +i

• monitor startup scripts for any changes


• kernel based attacks– kernel bugs have caused problems

• in the past!

• in the future!

– countermeasures:• upgrade the kernel as needed!

• loadable kernel modules may provide a short term solution to kernel problems until a legitimate patch is available

elevating user privileges

• who should have root privileges??– just one person– a handful– anybody

• how can we provide additional access– “wheel” group– “sudo” utility– sXid programs


• “wheel” group– identifies those users who may execute the

“su” command to become root– blocks access even if the user knows the root

password• so just login as root!!!!

– if access is granted then user has full privileges as root user


• “sudo” utility– allows regular users to perform system

administration tasks• e.g., set/change passwords or

• monitor and update web pages

– “sudo” does not grant full root user privileges


• be careful with configuration file /etc/sudoers– always user fully-qualified paths

• never rely on the default search path

– always use front-end scripts to set environment variables correctly

• export EDITOR=”/bin/vim” could be replaced by

• export EDITOR=”bin/bash”


• sXid is an all in one suid/sgid monitoring program designed to be run from cron on a regular basis

• Basically it tracks any changes in your s[ug]id files and folders. If there are any new ones, ones that aren't set any more, or they have changed bits or other modes then it reports the changes in an easy to read format via email or on the command line.

elevating user privileges• sXid program are dangerous

– suid programs execute as a different user– sgid programs execute as a different group– sXid programs are often necessary to achieve

the desired result – e.g. to login!!!• however, they open up small holes in the armor

– potential risks:• program flaws may be exploited

– buffer overflow, input format, race condition

• replace with a trojan horse– copies system files such as /etc/passwd or /etc/shadow


• countermeasures:– minimize the number of sXid programs– make sXid programs immutable– non-root suid programs are unnecessary

• create a custom group instead

– utilize atomic system calls• mkstemp () system call

• mktemp Linux command

– analyze sXid programs for:• buffer overflows and valid input checking

• activation of other programs

password cracking

• password cracking is possible at all levels– from a remote host– as a regular user on a local host– as root user on a local host

password cracking

• password cracking from a remote host– brute force attack to gain a foothold– the infamous guest/guest account– how about sysadmin/sysadmin

password cracking• password cracking as a regular user on a

local host– subtle attacks to elevate privileges– are system files world readable?

• /etc/password or /etc/shadow

– are there plain text password files?• apache, samba, mysql

• many people use a single password for everything!!!

• even if the cracker does not elevate his/her privileges, these accounts can be used to hide work across multiple accounts

password cracking

• password cracking as root user on a local host– root user can see everything => /etc/shadow– password cracking software

• crack the first

• john the ripper the best?

password cracking software is CPU intensive

• usually run on a compromised system

– new user/password pairs potentially provide access to additional computer systems

password cracking

• countermeasures:– ensure password files are not world readable– run password cracking software against your

own system• identify users with weak passwords and educate

them

– obtain additional wordlists and dictionaries• packetstormsecurity.org

• educate users on good password techniques

password cracking

• what are bad passwords:– your name and/or birthday– your pet's name– your phone number– characters from Dilbert, Star Trek, Star Wars,

LOTR, ...– non-English words– any of the above backwards

10 Most Common Passwords

• password• 123456• qwerty• abc123• letmein• monkey• myspace1• password1• link182• (your first name)

password cracking

• what are good passwords:– totally random string that include upper case,

lower case, digits, and punctuation– example:

• pass phrases

• I see you you see me too

– becomes:• Icuucme2

password cracking

• recommendations:– force good passwords

• in the file /etc/pam.d/passwd– password required pam_cracklib.so retry=3

minlength=10

– password required pam_unix.so use_auth ok md5

– use password aging and expiration• pros: limited usefulness for a cracker

• cons: replacement passwords generally not as good

– consider using one-time passwords (OTPs)• S/Key single use passwords

• OPIE

what comes after root access

• after successfully rooting a box, a cracker has two immediate goals:– hide one's tracks

• cracker does not want to be found!

– expand one's foothold• there can never be too many alternate ways to gain

access!

trail hiding

• trail hiding can be accomplished in several ways:– modify system logs– modify system software (trojan horses)– system trickery– invisible network access

system logs

• cracker may simply edit system log files– tighten file permissions

• chown root logs <log_file>

• chmod 640 <log_file>

– use file attributes• chattr +a <log_file>

– append log files

system logs

cracker may force logrotate to hide evidence– by size: generate large volume of log entries– by date: change date or forge ntp packets

system logs

• countermeasures:– send logs to a central server

• but cracker can see /etc/syslog.conf

• can start a DOS on central server

– use stealth logging• send log entries to a non-existent IP address!

• central server has NIC in promiscuous mode

– utilize encryption to hide log entries from packet sniffers!

system software• what are important system files

– login• login su sudo in.telnetd sshd rlogind w who last

– logging• syslogd

– process reporting• ps lsof top

– file reporting• find ls lsof locate/slocate

– network reporting• netstat lsof tcpdump route ifconfig arp

system software

• countermeasures:– file attributes

• chattr +i <system_file>

– monitor system files for changes• file integrity checking software

expanding one's foothold

• expanding one's footholdcan be accomplished in several ways:– exploiting access and authentication utilities– gaining access over the network using root

shells– trojan horse backdoors

access and authentication

• user access– create new accounts

• such as r00t

• cracker hopes these will go unnoticed!

• countermeasures– monitor files /etc/passwd and /etc/shadow

– make sure daemon accounts have no default shell

– attaching suid bit to shells• immediately elevates any user to root user status!

• most current shells now check for this gimmick

trojan horse backdoors

• countermeasures– monitor system files closely– file integrity checks

file system integrity

• Crackers have a very powerful tool in rootkits.

• System administrators have a very powerful tool in file system integrity software.

rootkits

• rootkit = prepackaged suite of trojaned binaries ready for quick installation

• Linux Root Kit (lrk) is the most popular

• rootkit detection software – looks for specific footprints of various well-known rootkits– chkrootkit– rkdet– rkhunter


• important aspects of system files:– size

• could be padded if file is shortened

– timestamp• could be forged

– md5checksums• md5sum <file_list>

• md5 is a hash– different files may have the same hash value

– file permissions– file attributes

file system integrity• key directories:

– /sbin /usr/sbin /usr/local/sbin– /bin /usr/bin /usr/local/bin– /etc– /lib

• key files:– system files– sXid files (especially root owner)

• find / \( -perm -04000 -o -perm -02000 \) -ls


• available software:– COPS – the original software package of this

type!– TAMU TIGER – Texas A&M package– tripwire– nabou– AIDE– LSAT– samhain

system hardening

• attempt to strengthen security in several standard Linux distributions– bastille

• originally written for Red Hat and Mandrake

• now extends to Debian and SuSE

– harden_suse (no longer supported!)– SE Linux

Documents

securing linux