Security
Contents
Security Issues
- Threats
- Leakage
Unauthorized acquisition of information.
- Tampering
Unauthorized modifying of data. This can be directly connected
to other threats, such as modifying the system to create backdoors.
- Resource theft
Unauthorized use of facilities.
- Vandalism
Interference with proper operation without specific gain. Viruses
are an example of this sort of idiotic behavior.
- Methods of attack
- Eavesdropping
Obtaining copies of messages or data without authorization.
- Masquerading
Accessing or communicating with the system by using the identity
of a legitimate principal without their authorization.
- Exploitation
Taking advantage of a weakness in a system to obtain access. This
could be a physical security issue, a software issue or possibly
a user issue.
- Tampering
Intercepting messages and modifying them, or altering data in
such a way that the system's security is compromised.
- Replaying
Storing messages and sending them later for the purpose of
mounting an attack. This is particularly difficult to detect
without careful security design.
- Denial-of-Service - Using resources in such a way that normal
system or network operations are impeded.
- Types of Defense
- Deterrence - make them think twice
- Prevention - make it difficult
- Detection - catch them if they do
- Restoration - stop them and recover
- Levels of Security
- Social/Ethical - deterrence
- Physical - deterrence and prevention
- Hardware - prevention, detection
- Software - prevention, detection, restoration
- SysAdmin - all levels
Security Planning
- Social/Ethical
Social/Ethical deterrence is probably the single most important
factor, but it's hard to make that a SysAdmin job. Do unto others
is pretty good advice.
- Physical
- Machines
- Lock the doors
- Tie downs
- Cabinet locks
- Cameras
- System Centers
- Intrusion detection
- Networks
- Locking cable trays
- Sniffers
- Time-domain Reflectometer (TDR) or other physical
media analysis tools.
- Hardware
- Hardware passwords
- Intrusion detection
- Cyber-authentication
- Software
- Host protection - prevention, detection, restoration
- Network protection - prevention, detection, restoration
- Seven common-sense rules (from Nemeth)
- Don't leave files on your system that are likely to be interesting
to hackers or nosy people. If you do, encrypt them.
- Plug holes hackers can use to get in and stay up to date
on bulletins from vendors and security mailing lists.
- Don't provide places for hackers to nest - anonymous ftp, group
accounts and poorly passworded accounts.
- Set basic traps using the available tools.
- Monitor the reports that security tools generate.
- Learn about security and don't depend on commercial solutions
that may go out of date.
- Prowl around looking for suspicious activity and know your user
base.
Basics
What you want to do is keep people from gaining access to your
network and systems. Keeping them off your network is difficult unless
you firewall your domain. If they get access to your network, it becomes
more difficult to stop them, because they can effectively use your own
resources against you. It is easier to keep them out than to fix
the problems they create.
Don't underestimate your opponent. Just because people are ignorant,
inconsiderate, juvenile and/or lacking in social graces doesn't mean they
are stupid.
Every user on a system is a potential security threat through action or
inaction. Educate them and watch them closely.
Your motto should be "I'm paranoid, but am I paranoid enough!"
Have a routine of testing, checking, monitoring and otherwise snooping
around in the system.
Pay attention to details. If you aren't good at this, build programs to
do it for you.
Prevention
Passwords
- Triviality checks - many systems do this automatically
- No words from dictionaries, palindromes, user names, etc.
- 8 character minimum, at least one case change, at least one
special character or digit.
- Mix it up!!! Don't put things in the expected places in the
password.
- Don't modify password revisions in some predictable way.
- Use shadow passwords (the password program does much of the above).
- Password aging and password history lists.
- Locking accounts after N unsuccessful attempts
- Limiting access to specified times of the day and/or week.
- Autologout of users.
- Use PAM - Pluggable Authentication Modules
This requires virtually no effort, just install it and packages that
need PAM will set up the necessary support and configuration files.
The config stuff is in /etc/pam.d and tells PAM how to handle
authentication for each service - login, passwd, xdm, xserver,
samba and so on.
- Run a password cracker against your password file on a regular basis.
(PAM may do this automatically).
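The triviality checks listed above, written out as a shell function (an added example, not code from the original notes). check_password takes the candidate password, the user name and a word list; it prints "ok" on success or the first rule that fails. The word list here is a constructed stand-in for /usr/share/dict/words.

```shell
#!/bin/sh
# Added example: the password triviality rules above as one function.
# check_password PASSWORD USERNAME DICTFILE prints "ok" and returns 0, or prints
# the first failed rule and returns 1. DICTFILE holds one word per line.

check_password() {
    pw=$1; user=$2; dict=$3
    [ "${#pw}" -ge 8 ] || { echo "shorter than 8 characters"; return 1; }
    case $pw in *[a-z]*) ;; *) echo "no lowercase letter"; return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) echo "no uppercase letter"; return 1 ;; esac
    case $pw in *[!a-zA-Z]*) ;; *) echo "no digit or special character"; return 1 ;; esac
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    # A palindrome reads the same backwards (reversed with awk; rev is not POSIX).
    reversed=$(printf '%s\n' "$lower" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }')
    [ "$lower" != "$reversed" ] || { echo "palindrome"; return 1; }
    # The user name must not appear anywhere in the password, in any case.
    luser=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    if [ -n "$luser" ]; then
        case $lower in *"$luser"*) echo "contains user name"; return 1 ;; esac
    fi
    # Nor may a dictionary word of four or more letters be embedded in it.
    while read -r word; do
        [ "${#word}" -ge 4 ] || continue
        case $lower in *"$word"*) echo "contains dictionary word: $word"; return 1 ;; esac
    done < "$dict"
    echo ok
}

# Constructed word list standing in for /usr/share/dict/words; prints its path.
make_demo_dict() {
    f=$(mktemp) || return 1
    printf 'password\nsecret\nwelcome\nlove\n' > "$f"
    printf '%s\n' "$f"
}

dict=$(make_demo_dict)
for candidate in 'Tr0ub4dor!' 'Short1!' 'Alice2024!' 'Password1!'; do
    printf '%-12s %s\n' "$candidate" "$(check_password "$candidate" alice "$dict")"
done
rm -f "$dict"
```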
File Permissions
- Don't give unnecessary permissions to anything and stop users
from doing this also.
- Your root user umask should be 007, or even 006.
- Be especially careful of permissions on ~root, /etc/, /var,
/usr, /bin and /sbin and their subdirectories.
- Be careful about adding people to groups - do this only when
absolutely necessary.
- Make sure that programs that run as root are limited and
check to make sure that they don't get replaced with something
nefarious.
SUID bit - chmod 4755 sets the program to run as the owner.
chmod u+s
SGID bit - chmod 2755 sets the program to run as the owning group.
chmod g+s
- If you give some users access to privileged resources via a group,
you could create holes for others to slink through.
Root User
Stay out of /tmp when you are root. Don't ever execute anything in
/tmp or any other directory writable by general users. Also,
remember that things you create are owned by root. If someone else
has access and modifies the file, or executes a script,
you could be in trouble.
Keeping the &^$%&* Out
- Don't set up terminals to be secure in /etc/securetty (possibly
gettydefs, or some other place) unless necessary. These terminals
allow root logins.
Secure Shell
A replacement for telnet that transmits passwords in
an encrypted mode. Note: could be a security hole in this.
- http://www.ssg.org (www.cs.hut.fi/ssh)
- Download to /usr/local/src/ssh
- gunzip ssh.X.X.XX.tar.gz
- tar -xf ssh.X.X.XX.tar
- cd ssh.X.X.XX
- ./configure
- make
- make install
- Configure sshd
- or get the RPM file at ftp://ftp.zedz.net and use your RPM
tools.
Wrappers
Wrappers were originally only TCP wrappers, based on the tcpd daemon and
inetd. This has been replaced with xinetd, which handles most of the
tcpd wrapper functionality, but some services still use the tcp wrapper
configuration files.
- /etc/xinetd.conf
/etc/xinetd.conf is modified to run applications under
certain restrictions. xinetd includes most of the features
provided by tcp wrappers in a form that is more flexible.
- /etc/hosts.deny
- /etc/hosts.allow
Virus Prevention
While viruses have not been a big problem in the Linux world, they could
be. Any program that can damage a system or users' file space, or misuse
the resources of a system, is a problem for system administrators regardless
of the total impact. As Linux becomes more popular, users become less
sophisticated, and the capabilities and demands of mailers, web agents and
other applications increase, viruses will become a problem.
A good place to check out what is available is:
Virus scanners for Unix/Linux are available from McAfee, Trend Micro
and others if you want a proprietary solution.
The primary entry point for viruses is email, and there are several
email virus scanners. There are also wrappers that will integrate
a proprietary scanner into your Linux email subsystem.
AMaViS (www.amavis.org) produces a GPL-licensed email scanner and
provides regular updates for new virus types.
Closing the Holes
One method of preventing system intrusions is to use the tools that
hackers use to find holes in your systems before they do. These
programs are generally known as scanners of one type or another,
primarily because they scan systems looking for potential vulnerabilities.
In general, these programs are interested in network weaknesses that
present opportunities for breaking in, but some also attempt password
break-ins.
Never use one of these programs against a system that you do not have
permission to use it against. Ever. Not only is it rude, but it could
be illegal or a violation of policy, depending on the situation.
SATAN - Security Administrator Tool for Analyzing Networks
An outside agent that scans a system looking for vulnerabilities and
providing fixes. It is controversial, in that it can be used to
probe for vulnerabilities on systems. You should never use SATAN on
a system or network without permission of the system administrator, and
possibly with institutional permission, as some sites monitor traffic
looking for the SATAN footprint.
While SATAN, more or less, invented this class of software, it
has been improved by others, such as
ISS (Internet Security Scanner), Abacus, SARA (Security Auditors
Research Assistant) and SAINT
(Security Administrator's Integrated Network Tool). Each has
advantages, but SAINT is probably the best combination of flexibility,
power and ease-of-use. None of these tools is open source, but
free versions are typically available. Make sure that you download
a version from a reputable site, as a nefarious version could make your
life miserable.
We will take a look at SAINT, based on version 3.3.6-1.
SAINT Discussion
Learning to use SAINT or other vulnerability scanners is somewhat of
an artform. You have to learn to pick the right tests and to
properly interpret the results. The best way to do that is to
run it against a system with known vulnerabilities and study the results.
If you are concerned that someone might be running a product like
this against your system,
gabriel and courtney are two tools designed to detect unauthorized
use of SATAN and similar products.
Nessus
Nessus is another remote security scanner which is more complete than
the others. It also has a nice web-based configuration and
reporting interface.
nmap - Port Scanner
nmap is a port scanner that will perform an analysis of network ports
attempting to find weaknesses. As with any program that probes a network
or system, don't do it unless you have permission.
nmap Discussion
Packet Filtering
Packet filtering (ipchains or iptables) is a sophisticated tool for
limiting all traffic to or from a system. It is based on capabilities
that are built into the kernel and is therefore quite efficient.
This is essentially the front-end of a firewall. Linux comes (usually)
with a packet filter called ipchains or a newer version, iptables.
iptables is based on a kernel process known as netfilter.
Firewalls are typically packet filtering routers, with two or more
network interfaces. Rules are established that determine which
packets are passed through and how. Most firewalls can filter packets,
filter applications, or forward packets. We are interested in packet
filtering without routing for the purpose of protecting a system.
IPTables Discussion
netfilter and IPTables are far more powerful than discussed here, as
you will see in discussions of NAT.
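A closed-by-default host policy of the kind the assignment at the end asks for (INPUT, OUTPUT and FORWARD drop everything; then DNS out, telnet out but not in, and sendmail in and out), written as an added example rather than code from the notes. The IPT variable is an assumption of this script: it defaults to the real iptables binary, and show_host_policy swaps in "echo iptables" so the rule set can be printed and checked without root.

```shell
#!/bin/sh
# Added example: closed-by-default iptables policy for a single host (no routing).
# Run load_host_policy as root to apply it; show_host_policy only prints the rules.
IPT="${IPT:-iptables}"

load_host_policy() {
    # Start from an empty rule set and close every chain.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP                  # this host is not a router

    # Loopback is trusted; local services talk to themselves over it.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies belonging to connections that were allowed to open.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNS out only (udp for lookups, tcp for large answers).
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # telnet out, but not in: there is deliberately no INPUT rule for port 23.
    $IPT -A OUTPUT -p tcp --dport 23 -m state --state NEW -j ACCEPT

    # sendmail (SMTP) in and out.
    $IPT -A INPUT  -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Log (rate-limited) what falls through, so the packet-filter monitor
    # mentioned under Detection has something to report on.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "DROP-IN: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "DROP-OUT: "
}

# Dry run: print the rule set instead of loading it (subshell keeps IPT local).
show_host_policy() {
    ( IPT="echo iptables"; load_host_policy )
}

show_host_policy
```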
Detection
Use scripting
tail -f /var/log/messages | grep "(su)" -- watch for su's as they happen
Use the mailer to find out
grep "(su)" /var/log/messages | mail -s "su activity" admin -- tail -f never ends, so mail the matches from the file instead
find
File Lists
You can also make lists of files and their sizes in bytes
which can be compared with diff. Make a list of critical
files - say those in /boot, /etc, /bin, /sbin, /usr/bin and
/usr/sbin with their date of modification. Then run a script
to list those files and compare them to your stored list. If
anything changes, either you caused it, or something is wrong.
Encrypt the files. (A key given on the command line, as below, is visible
to other users in the process list; keep the stored list somewhere they
cannot read.)
ls -l /usr/bin/* | crypt 8478392 > usr_bin_list
crypt 8478392 < usr_bin_list > temp
ls -l /usr/bin/* | diff - temp
cksum and md5sum
Use the cksum command to build a CRC checksum for important files
and store them. This can be really useful, because it is virtually
impossible for someone to change a file and give it the same
checksum. cksum doesn't do directories. md5sum is another possibility
that builds a better checksum. Encrypt the files.
Checksum your kernel OS
cksum /boot/vmlinux
1831988827 586968
Checksum the files in /usr/bin other than
directories
find /usr/bin -type f | xargs cksum | crypt 8478392 > usr_bin_cksum
Any information you glean from the system should be encrypted so
that it can't be modified by an intruder.
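The file-list and cksum ideas from the two sections above, combined into one script (an added example, not code from the notes): build a baseline of "checksum size path" lines for every regular file under a directory, store it, and later diff the live tree against it to list modified, added and removed files. The demo uses a constructed temporary directory in place of /usr/bin; the crypt step is left out, so store the baseline off-host or on read-only media.

```shell
#!/bin/sh
# Added example: cksum baseline for a directory tree and a check against it.

# build_baseline DIR OUT: one "crc size path" line per regular file, sorted by path.
build_baseline() {
    find "$1" -type f -exec cksum {} + | sort -k 3 > "$2"
}

# check_baseline DIR BASELINE: print each path that was modified, added or
# removed since the baseline was taken. Returns 1 if anything differs, 0 if clean.
check_baseline() {
    changed=$(find "$1" -type f -exec cksum {} + | sort -k 3 \
              | diff "$2" - | awk '/^[<>]/ { print $4 }' | sort -u)
    [ -n "$changed" ] || return 0
    printf '%s\n' "$changed"
    return 1
}

# demo: baseline two constructed files, then alter one and add another; prints
# the changed names relative to the demo directory (expected: extra, hello).
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/bin"
    printf 'echo hello\n' > "$tmp/bin/hello"
    printf 'echo bye\n'   > "$tmp/bin/bye"
    build_baseline "$tmp/bin" "$tmp/baseline"
    printf 'echo tampered\n' > "$tmp/bin/hello"   # modified after the baseline
    printf 'stray\n'         > "$tmp/bin/extra"   # added after the baseline
    check_baseline "$tmp/bin" "$tmp/baseline" | sed "s|^$tmp/bin/||"
    rm -rf "$tmp"
}

demo
```

Run build_baseline once per critical directory (/etc, /bin, /sbin, /usr/bin, /usr/sbin) from cron and mail the output of check_baseline to yourself; a run with no output and exit status 0 means nothing changed.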
COPS - Computer Oracle and Password System
This is a nifty tool that audits your system and tells you if it
finds incorrect permissions, problems in passwd or group and
checks for other security problems. It also attempts to determine
if there are ways for users to become root. It can be configured to
run every night and mail you a report.
Designed for Suns, so it expects things to be in weird places.
tripwire
tripwire is probably the most widely used file integrity checker
available. It attempts to detect intrusions by testing files for
changes. It is a mature product with a large number of options and
is quite flexible and powerful.
Tripwire Discussion
portsentry
portsentry will watch ports for traffic and attempt to discern
attempts to attack a system with port scans or other port based
attacks.
portsentry Discussion
hostsentry
hostsentry will watch the /var/log/wtmp file and attempt to
detect anomalous login/logout behavior. It will then log that
information and in the future, do lots of other things. This is
a relatively new product and many features are not yet implemented
(as of version 0.02). Nevertheless, it looks like a product worth
watching. It is also from Psionic (as is portsentry).
snort
snort is a network intrusion detection system (NIDS) that provides a variety
of features, including:
- Detect threats including buffer overflows, stealth port scans,
CGI attacks, SMB probes, NetBIOS queries, NMAP and other
portscanners, backdoor attacks and system vulnerabilities
- A sophisticated alert system for informing administrators.
- A dynamic system for creating and downloading new rules.
- Recordable playbacks of attempts or break-ins.
- Can be used as a passive trap to find the presence of unwanted
traffic.
- Internet connection monitoring
So Snort does everything you want, apparently. In any case, it is
quite powerful and has dynamically updated rules tables, which is important
in the era of widespread distribution of information
regarding vulnerabilities.
snort Discussion
logcheck
logcheck is another Psionic product that provides a simple and effective
tool for checking log files. This is one area where system administrators
fail, due to the simple lack of time to analyze the logs.
logcheck Discussion
Track the Users
- last - shows all logins since the file was created (/var/log/wtmp)
- lastb - shows all failed logins since the file was created
(/var/log/btmp)
- User accounting - no longer provided by Red Hat, but
still available in other distributions. Data stored in /var/log/wtmp
and accessed with the ac command.
- Process accounting - Not provided by Red Hat but can
be downloaded (psacct). Data stored in /var/log/pacct and
accessed with the sa command.
Turn on History on root
csh/tcsh (in root's .cshrc):
set history = 100
set savehist
bash (in root's .bash_profile):
export HISTSIZE=100
export HISTFILE=/var/log/.root_hist
ttysnoop
Packet Filtering
Watch the reports from your packet filtering monitor. It will tell you
if someone is up to no good.
Restoration
- Unplug from the network.
- Look to find out what may have been compromised and fix
the vulnerability.
- Restore from backup.
The SysAdmin's Role
- Be aware, the world needs wares.
- Inform the users. Informed users tend to create fewer problems.
- Set up detection mechanisms and monitor.
- Learn the newsgroups and sites for keeping up with the
security alarms on your OS.
- Find the web sites and other places where the enemy may leave
information.
Assignment
- Check to see what your login/password system allows in terms
of password sanity checking. Is it sufficient?
- Download nmap and install it. Use it to scan your machine
to determine what vulnerabilities you find. Prepare a short
report on what you found out and what you should think about
fixing. Under no circumstances should you scan any other
hosts. The switches and routers are configured to detect such
activity when possible and report it.
- Recompile your kernel as necessary to get netfilter and iptables
installed. Then start with a completely closed policy
(INPUT, OUTPUT and FORWARD drop all packets). Then add
telnet out, but not in, DNS out, sendmail in and out and
other things that you would like. You might take a look at
http://www.linuxguruz.org/iptables for some very good examples
to go by. In the end, you want a system that only allows what
is necessary.
- Check the permissions of the directories and files that are
critical to protecting the system - /etc, /boot, /var, /usr/bin,
/usr/lib, and so on. Do they seem reasonable?
- Write a script to find files that have been changed recently -
within one day or so. Use it to check significant files. Also,
try looking for files whose permissions are wrong (find's -perm option).
- Write a script to make a list of important files on your machine
and store them somewhere. It should encrypt, but it isn't
necessary. The script should be adaptable to new and
different file systems that need to be tracked.
- Add cksum to your script to checksum important directories and files.
- Install COPS or tripwire on your system and try it out. What
important information does it give you? DO NOT PUT THESE ON
ANY MSU MACHINE, other than the ones in 259A!!
- Set up and test your tcp wrappers.