Linux Security
Haifa Linux Club, 21.10.99
Orr Dunkelman
What is a Secure System?
• A secure system is an abstract concept
• Defined as "robust", it depends on what you need, how much time you are willing to put in, and what resources are at your disposal
P.C. vs. Server
P.C.:
• Close all services
• Don't open accounts to everyone. Only to trusted people
Server:
• Close as many services as possible
• Make sure users have good passwords - use crack-lib. Demand good passwords and periodic password changes
P.C. vs. Server (cont.)
P.C.:
• Don't install software whose origin you don't know
• Remove SUIDs if you are not the only user
Server:
• Download only from known places (www.linux.org, etc.)
• Remove as many SUIDs as possible
Securing Passwords
• Crack-lib them. Ensure passwords are not too short and not too easy to crack
• Shadow them. Don't put them in /etc/passwd but in /etc/shadow (today's default in the RH 6.1 installation)
• Connect to remote systems using SSH and SCP (FTP over an SSH channel) to prevent passwords from being sent as cleartext
S vs. R
S:
• SSH requires a password or an RSA passphrase (SSH agent)
• SCP requires a password (no one will send files without authorization)
• Several authentication methods are available
R:
• RSH doesn't require any password
• RCP - no passwords needed
• Works with Kerberos solely
S vs. R (cont.)
S:
• Uses compression
• Doesn't require a password at all - no password is moved; if one of the encryption functions has been broken, no one gets the password!
R:
• Plain connection
Authentication
• Prevents IP spoofing (claiming to be another IP than you are)
• Sometimes the algorithm also allows setting up a key for the rest of the session (Kerberos, for example)
• Slows the connection a little (at the beginning)
• Known (and used) algorithms - Kerberos, RSA challenges
Dangerous Permissions
• SUID/SGID - check very carefully, especially when the file is owned by root/wheel
• Writable by all (mode xx2)
• Nouser/Nogroup (owner or group no longer exists)
• .rhosts files (open R-services)
• Use "find" to find the files
Example - How to remove SUIDs?
• First find them - find / -perm -4000
• Then check if you need them - login, wanted daemons (Qmail, telnet, SSH, FTP)
• Close services not needed in /etc/inetd.conf
• Use TCP Wrappers for the rest of the ports (those on which you usually get nuked - 139)
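The two slides above (dangerous permissions, and finding SUID files with "find") can be turned into one audit script. The following is an added example, not code from the original talk; it assumes GNU find (-xdev and -printf) and builds its own small sample tree, so the file names under demo_tree are constructed values rather than anything from a real system:

```shell
#!/bin/sh
# Added example, not from the original slides. Audits a directory tree for the
# "dangerous permissions" listed above: SUID/SGID files, world-writable files,
# files whose owner or group no longer exists, and .rhosts files. Each finding
# is printed as one line: "<class> <mode> <owner> <path>". GNU find is assumed
# (-xdev, -printf). Run it as root against / to audit the real system.
audit_dangerous_perms() {
    root="$1"
    # SUID or SGID bit set. "-perm -4000" matches any file that has the bit;
    # a bare "-perm 4000" would match only a mode of exactly 4000.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf 'suid/sgid %M %u %p\n'
    # World-writable files and directories (mode xx2). Sticky world-writable
    # directories such as /tmp are the expected exception and are skipped.
    find "$root" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) -printf 'world-writable %M %u %p\n'
    # Owner or group missing from /etc/passwd or /etc/group (nouser/nogroup),
    # usually leftovers of a deleted account.
    find "$root" -xdev \( -nouser -o -nogroup \) -printf 'nouser/nogroup %M %u %p\n'
    # .rhosts files grant password-less R-service access from the hosts listed.
    find "$root" -xdev -type f -name .rhosts -printf 'rhosts %M %u %p\n'
}

# Constructed sample tree with one finding of each kind that can be created
# without root (nouser/nogroup would need chown); prints the tree's path.
# Runs in a subshell so the umask change does not leak into the caller.
demo_tree() (
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/home/alice" "$d/tmp"
    : > "$d/usr/bin/suid-tool";  chmod 4755 "$d/usr/bin/suid-tool"   # SUID tool
    : > "$d/usr/bin/plain-tool"; chmod 0755 "$d/usr/bin/plain-tool"  # clean, not reported
    : > "$d/home/alice/.rhosts"; chmod 0600 "$d/home/alice/.rhosts"  # R-services trust file
    : > "$d/tmp/scratch";        chmod 0666 "$d/tmp/scratch"         # mode xx2
    chmod 1777 "$d/tmp"                                               # sticky: skipped
    echo "$d"
)

# Stand-alone demo: audit the constructed tree and remove it again.
if [ "${1:-}" = "--demo" ]; then
    t=$(demo_tree); audit_dangerous_perms "$t"; rm -rf "$t"
fi
```

Run it with --demo to see the three expected findings; against a real root it is the list you then go through binary by binary, deciding which SUID bits to clear with chmod u-s.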
Monitor your Computer!
• Be the hacker yourself. Check for scripts and exploits which might be used against you
• Port scan your machine once in a while to ensure no ports and services are open (unless you opened them)
• Put up a firewall. Hiding behind a firewall might help in reducing hackability (though those who pass it are likely to hack better)
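Closing unneeded inetd services and wrapping the rest with TCP Wrappers (previous slide), then checking that only the services you meant to leave open are reachable (this slide), can be scripted. This is an added example, not the talk's own material: the inetd.conf lines, the trusted network and the temporary "etc" directory are constructed sample values, and the file layout follows the RH 6-era inetd.conf and hosts_access(5) formats.

```shell
#!/bin/sh
# Added example, not from the original slides. Comments out unwanted services
# in an inetd.conf-style file, lists what is still enabled (the ports a port
# scan should be expected to find), and writes a TCP Wrappers policy that
# denies everything by default and re-opens only a few daemons to one network.

# disable_inetd_services <inetd.conf> <service>...: comment out each active
# line whose first field is one of the named services.
disable_inetd_services() {
    conf="$1"; shift
    for svc in "$@"; do
        sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# enabled_inetd_services <inetd.conf>: print the service names still enabled,
# one per line. Compare this list with a port scan of the machine.
enabled_inetd_services() {
    awk '$0 !~ /^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# write_tcpd_policy <etc-dir> <client-spec>: hosts.deny refuses every wrapped
# daemon; hosts.allow re-opens only the listed daemons to the given clients
# ("daemon_list : client_list" syntax from hosts_access(5)).
write_tcpd_policy() {
    etc="$1"; clients="$2"
    printf 'ALL: ALL\n' > "$etc/hosts.deny"
    printf 'in.ftpd in.telnetd: %s\n' "$clients" > "$etc/hosts.allow"
}

# Constructed sample configuration in a temporary "etc" directory; prints its path.
sample_etc() {
    etc=$(mktemp -d)
    cat > "$etc/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    echo "$etc"
}

# Stand-alone demo: drop the R-services (shell/login) and finger, keep ftp and
# telnet but only for one trusted network, then show what is left enabled.
if [ "${1:-}" = "--demo" ]; then
    e=$(sample_etc)
    disable_inetd_services "$e/inetd.conf" shell login finger
    write_tcpd_policy "$e" 192.168.1.0/255.255.255.0
    enabled_inetd_services "$e/inetd.conf"
    rm -rf "$e"
fi
```

After editing the real /etc/inetd.conf, inetd must be told to re-read it (kill -HUP on its pid) and the list printed by enabled_inetd_services is what a port scan from outside should still show, nothing more.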
Introduction to Hacking 1
• Use a port scanner on the machine you are about to attack (nmap does great, and helps you find the OS running on the computer)
• Go to hackers' web-sites and look for the right exploits and scripts
• Try to examine the services' code; maybe you'll find a backdoor
Security HOWTO
• Restrict physical access (locks etc.)
• Consider BIOS and LILO passwords
• Lock the workstation when you're not near it (vlock/xlock)
• Try to reduce root access to one of the ttys declared in /etc/securetty
• Try to use "su -" instead of logging in as root
Security HOWTO - Files
• When you need to allow root-like access, minimize it using sudo
• Don't allow SUID/SGID where non-root users write to the hard drive (mount as nosuid)
• Umask the right access permissions
• Limit resources on the machine (nproc, CPU time, etc.)
• Set /var/log/wtmp and /var/run/utmp permissions to 644
Security HOWTO (cont.)
• Use chattr to set special attributes (disable deleting, creating symbolic links etc.)
• Run an integrity checker (like Tripwire) routinely (find changed files)
• Install PGP for users
• Install PAM (Pluggable Authentication Modules)
• Secure X connections (ssh, for example)
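The "run an integrity checker routinely" item is easy to show in a few lines. What follows is an added example of the idea behind Tripwire, not Tripwire itself and not code from the talk; it assumes GNU find/sort/xargs and coreutils sha256sum, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original slides: a minimal Tripwire-style
# integrity check. make_baseline records a SHA-256 per file; check_integrity
# re-hashes the tree and reports added, changed and removed files. Assumes GNU
# find/sort/xargs and coreutils sha256sum. Paths containing whitespace are not
# handled (sha256sum's "hash  path" output does not delimit them). Keep the
# baseline where the machine's users cannot write (read-only media or another
# host); a baseline an intruder can regenerate proves nothing.

# make_baseline <dir> <db>: write "hash  ./relative/path" lines, sorted by path.
make_baseline() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) > "$2"
}

# check_integrity <dir> <db>: compare the tree against the baseline and print
# one line per difference: "added <path>", "changed <path>" or "removed <path>".
# Prints nothing when the tree is unchanged.
check_integrity() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }   # baseline: path -> hash
         {                                             # current state of the tree
             if (!($2 in old))        print "added " $2
             else if (old[$2] != $1)  print "changed " $2
             seen[$2] = 1
         }
         END { for (p in old) if (!(p in seen)) print "removed " p }' \
        "$2" "$current" | sort
    rm -f "$current"
}

# Stand-alone demo on a constructed tree: baseline, tamper, check.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); db=$(mktemp)
    printf 'a\n' > "$d/a"; printf 'b\n' > "$d/b"
    make_baseline "$d" "$db"
    printf 'tampered\n' > "$d/a"; rm "$d/b"; printf 'new\n' > "$d/n"
    check_integrity "$d" "$db"
    rm -rf "$d" "$db"
fi
```

Baseline /bin, /sbin, /usr/bin, /usr/sbin and /etc right after installation, and re-run check_integrity from cron; a "changed ./bin/login" line with no package upgrade behind it is exactly the kind of finding the slide is after.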
Security HOWTO (cont.)
• Backup!
• Don't use NFS/NIS without really needing it (and secure it when you do; those things are really not secure)
• Look at your logs once in a while (/var/log/)
• Look at the system log file
Auditing
• Audit your system
• Check the network once in a while (Denial of Service attacks can be identified this way)
• Check who logs on and from where. Check if it makes sense
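Two helpers for the "look at your logs" item on the previous slide and the "check who logs on and from where" item here, as an added example that is not from the talk. The syslog lines and the last(1) output are constructed to resemble the RH 6-era formats; the host names, addresses and user names in them are made up.

```shell
#!/bin/sh
# Added example, not from the original slides. Two small log-review helpers:
# failed_logins_by_source summarises "FAILED LOGIN" syslog entries per source,
# unexpected_logins lists last(1) entries whose source host is not trusted.

# failed_logins_by_source <logfile>: print "count source", most frequent first.
failed_logins_by_source() {
    grep 'FAILED LOGIN' "$1" | sed 's/.* FROM \([^ ]*\) FOR .*/\1/' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# unexpected_logins <last-output> <trusted-regex>: print "user host" for every
# remote login whose host does not match the trusted pattern. Console logins
# have no host column, so the third field is a weekday name and is skipped.
unexpected_logins() {
    awk -v ok="$2" '
        $1 == "reboot" || NF < 3 { next }
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        $3 !~ ok { print $1, $3 }' "$1"
}

# Constructed sample logs in a temporary directory; prints its path.
sample_logs() {
    d=$(mktemp -d)
    cat > "$d/messages" <<'EOF'
Oct 21 22:13:01 box login[512]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Oct 21 22:13:09 box login[512]: FAILED LOGIN 2 FROM 10.0.0.5 FOR root, Authentication failure
Oct 21 22:13:40 box login[519]: FAILED LOGIN 1 FROM 10.0.0.5 FOR guest, User not known to the underlying authentication module
Oct 21 22:15:02 box login[530]: FAILED LOGIN 1 FROM lab.example.com FOR orr, Authentication failure
Oct 21 22:16:00 box PAM_pwdb[540]: (login) session opened for user orr by (uid=0)
EOF
    cat > "$d/last" <<'EOF'
orr      pts/0        lab.example.com  Thu Oct 21 22:16   still logged in
root     tty1                          Thu Oct 21 09:02 - 09:30  (00:28)
orr      pts/1        10.0.0.5         Wed Oct 20 03:12 - 03:40  (00:28)
reboot   system boot  2.2.12-20        Tue Oct 19 08:00
EOF
    echo "$d"
}

# Stand-alone demo: three failed root/guest attempts from one address, and a
# 3 a.m. login from an address outside the trusted lab network.
if [ "${1:-}" = "--demo" ]; then
    d=$(sample_logs)
    failed_logins_by_source "$d/messages"
    unexpected_logins "$d/last" '^lab[.]example[.]com$'
    rm -rf "$d"
fi
```

On a real machine feed /var/log/messages to the first function and the output of last to the second; the trusted pattern is an awk regular expression, so write dots as [.] to avoid backslash handling in -v.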
Virtual Machine Concept
• Use a VM (like VMware) to be the machine which the rest of the world accesses
• Make sure the VM has privileges to change only what it should (no access to write to the root partition, etc.)
• Check that the VM is secure (!) - you're counting on the VM not being able to access what it's not allowed to
Tips and Ideas
Basic Concepts
• Use PAM (changing passwords etc. is not your responsibility - less vulnerability)
• Check permissions before actions
• Check for overflow/underflow. Be as robust as you can
• If you are writing a daemon, double check everything (and quad check it again.)
Basic Concepts (cont.)
• Use available security tools - PGP (mail), SSH (telnet connections), SCP (ftp connections), Kerberos (authentication), IPSec (network), etc.
• Enable a verbose mode - help users find problems which might affect them and their security
Basic Concepts (cont.)
• Check if you can hack the thing (be a malicious user)
• Treat any file carefully: before overwriting, back up. Before deleting, check if the file is a system one
• Log all actions (in case someone uses your program to hack and cause damage, for tracing purposes)
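The file-handling rules on this slide and the "check permissions before actions" rule two slides back come together in one small helper. This is an added example, not from the talk: safe_replace, is_system_file and log_action are this example's own names, the set of "system" path prefixes is an assumption, and the file names used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original slides: replace a file the way the
# slides ask - check before acting, back up before overwriting, refuse to
# touch system files, and log every action. GNU stat (-c %u) is assumed.

# log_action <message>: always to stderr; to syslog as well when logger exists.
log_action() {
    echo "safe_replace: $*" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -t safe_replace -- "$*" 2>/dev/null || true
    fi
}

# is_system_file <path>: true for files under the usual system trees or owned
# by a user other than the one running this script. Such files are never
# replaced by this helper, whatever the caller asked for.
is_system_file() {
    case "$1" in
        /etc/*|/bin/*|/sbin/*|/usr/*|/lib/*|/boot/*) return 0 ;;
    esac
    [ -e "$1" ] && [ "$(stat -c %u "$1")" -ne "$(id -u)" ]
}

# safe_replace <target> <new-content-file>: returns 0 on success, 1 if refused
# or if the write failed. An existing target is copied to <target>.bak first and
# the new content is moved into place from a temporary file, so a failure
# half-way never leaves a truncated target behind.
safe_replace() {
    target="$1"; src="$2"
    if is_system_file "$target"; then
        log_action "refused: $target is a system file"; return 1
    fi
    if [ -e "$target" ] && [ ! -w "$target" ]; then
        log_action "refused: no write permission on $target"; return 1
    fi
    if [ -e "$target" ]; then
        cp -p "$target" "$target.bak" || { log_action "backup failed for $target"; return 1; }
        log_action "backed up $target to $target.bak"
    fi
    if cp "$src" "$target.tmp" && mv "$target.tmp" "$target"; then
        log_action "replaced $target"
    else
        rm -f "$target.tmp"
        log_action "write failed for $target"; return 1
    fi
}

# Stand-alone demo with constructed files: one replacement, one refusal.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'old\n' > "$d/app.conf"; printf 'new\n' > "$d/app.conf.new"
    safe_replace "$d/app.conf" "$d/app.conf.new"
    safe_replace /etc/passwd "$d/app.conf.new" || echo "demo: refusal logged as expected"
    rm -rf "$d"
fi
```

The path check runs before any stat or write, so a program using this helper cannot be steered at /etc/passwd by a malicious argument, and every attempt, refused or not, leaves a line in the log for later tracing.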
Links
• Hackers' search engine - neworder.box.sk
• Security policy - RFC 2196, ietf.org/rfc2196.txt
• Kerberos FAQ - www.nrl.navy.mil/CCS/people/kenh/kerberosfaq.html
• Linux Security HOWTO - www.linuxhq.com/HOWTO/Security-HOWTO.html
Links (cont.)
• Security links - www.linuxhq.com/HOWTO/Security-HOWTO-11.html
• SSH FAQ - wwwfg.rz.uni-karlsruhe.de/~ig25/sshfaq/
• Homepage of PGP - www.pgpi.org/