FreeBSD Security
Computer Center, CS, NCTU
FreeBSD Security Advisories – (1)
- http://www.freebsd.org/security/advisories.html

FreeBSD Security Advisories – (2)

FreeBSD Security Advisories – (3)
- freebsd-security-notifications mailing list
  - http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications

FreeBSD Security Advisories – (4)
- Example: compress

FreeBSD Security Advisories – (5)
- CVE-2011-2895
  - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2895

FreeBSD Security Advisories – (6)
- Example: Problem Description

FreeBSD Security Advisories – (7)
- Example: Workaround

FreeBSD Security Advisories – (8)
- Example: Solution
Common Security Problems
- Unreliable wetware
  - Phishing site
- Software bugs
  - FreeBSD security advisory
  - portaudit (ports-mgmt/portaudit)
- Open doors
  - Accounts' password
  - Disk share with the world
portaudit – (1)
- portaudit
  - Checks installed ports against a list of security vulnerabilities
  - portaudit -Fda
    - -F: Fetch the current database from the FreeBSD servers.
    - -d: Print the creation date of the database.
    - -a: Print a vulnerability report for all installed packages.
- Security output
portaudit – (2)
- portaudit -Fda
    auditfile.tbz                                 100% of   71 kB   92 kBps
    New database installed.
    Database created: Mon Dec 12 02:10:00 CST 2011
    Affected package: gnutls-2.12.7
    Type of problem: gnutls -- client session resumption vulnerability.
    Reference: http://portaudit.FreeBSD.org/bdec8dc2-0b3b-11e1-b722-001cc0476564.html
    Affected package: apache-worker-2.2.19
    Type of problem: apache -- Range header DoS vulnerability.
    Reference: http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
    2 problem(s) in your installed packages found.
    You are advised to update or deinstall the affected package(s) immediately.
- http://www.freshports.org/<category>/<portname>
Common tricks
- Tricks
  - ssh scan and hack
    - sshguard
    - sshit
    - ...
  - smtp-auth / pop3 / imap
  - Phishing
  - XSS & SQL injection
  - ...
- Objective
  - Spam
  - Jump gateway
  - File sharing
  - ...
Process file system – procfs
- procfs
  - A view of the system process table
    # mount -t procfs proc /proc
Simple SQL injection example
- User/pass authentication
    SELECT * FROM usrTable WHERE user = '<user>' AND pass = '<pass>';
- No input validation
    SELECT * FROM usrTable WHERE user = 'test' AND pass = 'a' OR 'a' = 'a'
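As an added illustration (not code from the slides), the two queries above are run against a constructed SQLite stand-in for usrTable, next to the parameterized form that keeps the quote characters inside the value. The table contents, the user "test" and its password are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the slide's usrTable; the password is stored in
    # clear only to keep the demonstration short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usrTable (user TEXT, pass TEXT)")
    db.execute("INSERT INTO usrTable VALUES ('test', 's3cret')")
    return db

def login_unsafe(db, user, password):
    # The slide's "no input validation" case: the submitted strings are pasted into the
    # SQL text, so a password of  a' OR 'a'='a  rewrites the WHERE clause and matches
    # every row.
    sql = "SELECT * FROM usrTable WHERE user = '%s' AND pass = '%s'" % (user, password)
    return db.execute(sql).fetchone() is not None

def login_safe(db, user, password):
    # The same query with bound parameters: the driver hands the values to SQLite apart
    # from the statement, so quote characters stay data and never become SQL syntax.
    sql = "SELECT * FROM usrTable WHERE user = ? AND pass = ?"
    return db.execute(sql, (user, password)).fetchone() is not None

def demo():
    # Outcome of the slide's injected password against both versions: (unsafe, safe).
    db = make_db()
    injected = "a' OR 'a'='a"
    return login_unsafe(db, "test", injected), login_safe(db, "test", injected)
```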
setuid programs
- passwd
    zfs[~] -chiahung- ls -al /usr/bin/passwd
    -r-sr-xr-x  2 root  wheel  8224 Dec  5 22:00 /usr/bin/passwd
  - /etc/master.passwd is of mode 600 (-rw-------)!
- setuid executables are especially apt to cause security holes
  - Minimize the number of setuid programs
    - /etc/periodic/security/100.chksetuid
  - Disable setuid execution on individual filesystems
    - -o nosuid
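An added example, not part of the slides and not the 100.chksetuid script itself, in the spirit of that periodic check: scan a tree for setuid/setgid files and diff the result against a saved baseline so a new setuid binary shows up. The directory layout, file names and the baseline in demo() are constructed.

```python
import os
import stat
import tempfile

def find_setuid(root):
    # Walk `root` and return sorted (path, mode) for every regular file carrying the
    # setuid or setgid bit. lstat() is used so symlinks are neither followed nor reported.
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # file vanished or is unreadable: skip it
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(found)

def diff_baseline(previous, current):
    # Same idea as the daily periodic check: compare today's list with yesterday's so a
    # new or re-permissioned setuid binary stands out. Returns (added, removed).
    prev, cur = dict(previous), dict(current)
    added = sorted((p, m) for p, m in cur.items() if prev.get(p) != m)
    removed = sorted((p, m) for p, m in prev.items() if p not in cur)
    return added, removed

def demo():
    # Constructed fixture: an ordinary file and one that acquired the setuid bit, checked
    # against a baseline that still lists a (constructed) binary that no longer exists.
    root = tempfile.mkdtemp()
    for name, mode in (("ordinary", 0o755), ("became_suid", 0o4755)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    baseline = [(os.path.join(root, "removed_suid"), "0o4755")]
    added, removed = diff_baseline(baseline, find_setuid(root))
    return ([os.path.basename(p) for p, _ in added],
            [os.path.basename(p) for p, _ in removed])
```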
rlogin – (1)
- sudo
    ---s--x--x  2 root  wheel  /usr/local/bin/sudo
- Trusted remote host and user name database
  - /etc/hosts.equiv and ~/.rhosts
  - Allow a user to execute a shell (rsh), log in (rlogin) and copy files (rcp) between machines without passwords
  - Format:
    - Simple: hostname [username]
    - Complex: [+-][hostname|@netgroup] [[+-][username|@netgroup]]
  - Example
    - bar.com foo (trust user "foo" from host "bar.com")
    - +@adm_cs_cc (trust all from the adm_cs_cc group)
    - +@adm_cs_cc -@chwong
rlogin – (2)
- Becoming other users
  - A pseudo-user for services, sometimes shared by multiple users
      User_Alias   wwwTA=pyhsu
      Runas_Alias  WWWADM=wwwadm
      wwwTA ALL=(WWWADM) ALL
  - sudo -u wwwadm -s
  - /etc/inetd.conf (?) Too dirty!
    - login stream tcp nowait root /usr/libexec/rlogind
  - ~wwwadm/.rhosts
    - localhost pyhsu
  - rlogin -l wwwadm localhost
Security tools
- nmap
- john, crack
- PGP
- CA
- ...
- Firewall
- TCP Wrapper
- ...
TCP Wrapper – (1)
- TCP Wrapper
  - Provides support for every server daemon under its control
    - libwrap implements the actual functionality
  - Before: inetd + tcpd with libwrap
TCP Wrapper – (2)
- Now...
    $ ldd `which inetd`
    /usr/sbin/inetd:
            libutil.so.8 => /lib/libutil.so.8 (0x800651000)
            libwrap.so.6 => /usr/lib/libwrap.so.6 (0x800761000)
            libipsec.so.4 => /lib/libipsec.so.4 (0x80086a000)
            libc.so.7 => /lib/libc.so.7 (0x800971000)
    $ ldd `which sshd`
    /usr/sbin/sshd:
            libssh.so.5 => /usr/lib/libssh.so.5 (0x800681000)
            libutil.so.8 => /lib/libutil.so.8 (0x8007cb000)
            libz.so.5 => /lib/libz.so.5 (0x8008db000)
            libwrap.so.6 => /usr/lib/libwrap.so.6 (0x8009f0000)
            libpam.so.5 => /usr/lib/libpam.so.5 (0x800af9000)
            ...
TCP Wrapper – (3)
- libwrap – hosts_access(3)
  - In the sshd source code
TCP Wrapper – (4)
- There are some things that a firewall will not handle
  - Sending text back to the source
- TCP wrapper
  - Provides support for every server daemon under its control
  - Logging support
  - Return message
  - Permit a daemon to accept only internal connections
- Configuration files
  - /etc/hosts.allow, /etc/hosts.deny (optional)
Super Server – inetd
- To see what daemons are controlled by inetd, see /etc/inetd.conf
    #ftp     stream  tcp   nowait  root  /usr/libexec/ftpd     ftpd -l
    #telnet  stream  tcp6  nowait  root  /usr/libexec/telnetd  telnetd
    shell    stream  tcp   nowait  root  /usr/libexec/rshd     rshd
    #shell   stream  tcp6  nowait  root  /usr/libexec/rshd     rshd
    login    stream  tcp   nowait  root  /usr/libexec/rlogind  rlogind
    #login   stream  tcp6  nowait  root  /usr/libexec/rlogind  rlogind
- In /etc/rc.conf
  - inetd_enable="YES"
/etc/hosts.allow – (1)
- In /etc/hosts.allow
  - Format: daemon : address : action
    - daemon is the name of the daemon that inetd started
    - address can be a hostname, an IPv4 address, an IPv6 address, or net/prefixlen
    - action can be "allow" or "deny"
    - The keyword "ALL" can be used in the daemon and address fields to mean everything
- First-rule-match semantics
  - The configuration file is scanned in ascending order for a matching rule
  - When a match is found, that rule is applied and the search stops
/etc/hosts.allow – (2)
- Example
    ALL : localhost, loghost @adm_cc_cs : allow
    ptelnetd pftpd sshd : @sun_cc_cs, @bsd_cc_cs, @linux_cc_cs : allow
    ptelnetd pftpd sshd : zeiss, chbsd, sabsd : allow
    identd : ALL : allow
    portmap : 140.113.17.ALL : allow
    sendmail : ALL : allow
    rpc.rstatd : @all_cc_cs 140.113.17.203 : allow
    rpc.rusersd : @all_cc_cs 140.113.17.203 : allow
    ALL : deny
- TCP wrapper should not be considered a replacement for a good firewall
  - Instead, it should be used in conjunction with a firewall or other security tools
  - Good at rpc-based services
/etc/hosts.allow – (3)
- Advanced configuration
  - External commands (twist option)
    - twist will be called to execute a shell command or script (exec)
        # The rest of the daemons are protected.
        telnet : ALL : severity auth.info : twist /bin/echo "You are not welcome to use %d from %h."
  - External commands (spawn option)
    - spawn is like twist, but it will not send a reply back to the client (fork/exec)
        # We do not allow connections from example.com:
        ALL : .example.com : spawn (/bin/echo %a from %h attempted to access %d >> /var/log/connections.log) : deny
/etc/hosts.allow – (4)
  - Wildcard (PARANOID option)
    - Match any connection that is made from an IP address that differs from its hostname
        # Block possibly spoofed requests to sendmail:
        sendmail : PARANOID : deny
- See
  - hosts_access(5)
  - hosts_options(5)
tcpdmatch
- In /etc/hosts.allow
    ALL : localhost 127.0.0.1 [::1] : allow
    ALL : cshome2 : allow
    sshd : csduty linuxhome cshome : allow
    rpc.lockd : 140.113.235.0/255.255.255.0 : allow
    rpc.statd : 140.113.235.0/255.255.255.0 : allow
    rpcbind : 140.113.235.0/255.255.255.0 : allow
    ALL : deny
- tcpdmatch(8) example
    $ tcpdmatch ssh 140.113.12.34
    warning: ssh: no such process name in /etc/inetd.conf
    client:  address  140.113.12.34
    server:  process  ssh
    matched: /etc/hosts.allow line 12
    option:  deny
    access:  denied
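To make the first-rule-match semantics from the hosts.allow slides concrete, here is an added Python model (not libwrap and not code from the slides) that scans a constructed copy of the rules above and reports the matching line and action the way tcpdmatch does. The slide's closing "ALL : deny" is written as "ALL : ALL : deny", the daemon : client : option form hosts_access(5) expects; netgroups are not resolved, so an @netgroup pattern never matches here, and the line number reported is that of the constructed copy, not line 12 of the real file.

```python
import ipaddress
import re
# Constructed copy of the /etc/hosts.allow on the tcpdmatch slide; the final "ALL : deny"
# is written in the hosts_access(5) daemon : client : option form.
HOSTS_ALLOW = """\
ALL : localhost 127.0.0.1 [::1] : allow
ALL : cshome2 : allow
sshd : csduty linuxhome cshome : allow
rpc.lockd : 140.113.235.0/255.255.255.0 : allow
rpc.statd : 140.113.235.0/255.255.255.0 : allow
rpcbind : 140.113.235.0/255.255.255.0 : allow
ALL : ALL : deny
"""

def parse_rules(text):
    # -> [(lineno, daemons, clients, action)]; the ':' split skips colons inside [...]
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if line:
            d, c, action = [f.strip() for f in re.split(r":(?![^\[]*\])", line)]
            rules.append((lineno, re.split(r"[\s,]+", d), re.split(r"[\s,]+", c), action))
    return rules

def client_matches(pattern, addr, host):
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if pattern.startswith("["):              # bracketed IPv6 literal, e.g. [::1]
        return ip == ipaddress.ip_address(pattern[1:-1])
    if "/" in pattern:                       # net/mask, e.g. 140.113.235.0/255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                # dotted prefix, e.g. 140.113.17.
        return addr.startswith(pattern)
    if pattern.startswith("."):              # domain suffix, e.g. .example.com
        return host.lower().endswith(pattern.lower())
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:                       # hostname (an @netgroup never matches here)
        return host.lower() == pattern.lower()

def hosts_access(rules, daemon, addr, host="unknown"):
    # First match wins, as tcpdmatch reports; libwrap allows when no rule matches at all.
    for lineno, daemons, clients, action in rules:
        if ("ALL" in daemons or daemon in daemons) and \
                any(client_matches(p, addr, host) for p in clients):
            return lineno, action
    return None, "allow"
```

With these rules, hosts_access(parse_rules(HOSTS_ALLOW), "ssh", "140.113.12.34") stops at the last line and returns its deny, which is the outcome the tcpdmatch run on the slide shows.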
When you perform any change
- Philosophy of SA
  - Know how things really work
  - Plan it before you do it
  - Make it reversible
  - Make changes incrementally
  - Test before you unleash it