Security Issues in HP-UX and Linux

1
Security Issues in HP-UX and Linux

• Kwang H. Paick
• kwang_at_hp73.pvamu.edu
• Prairie View AM University

2
Common Attacks

• Physical access
• Access to the command line
• Network access

3
Security Setup

• 1. Physical security
• 2. File and Directory Permission
• 3. User Accounts
• 4. Log Files
• 5. Correct network configuration

4
I. Physical Security

• Physical access
• BIOS and Console Passwords
• Anti-theft devices

5
Most Unix systems are not secured because

• Default installation includes a wide range of
  vulnerabilities
• Software patches are not installed, and
• Systems are not well maintained

6
II. File and Directory Permissions

• HP-UX systems contain gt 20,000 in 10.20
• The most common permission problems are write
  access for group or other on almost any file or
  directory in the base installation
• Some files and directories require group or other
  write permissions
• e.g. Temporary directories (group and others)
• Spool directories for the lpr system must be
  group writeable

7
Common Permission Problems

• The number one problem has been ownership of the
  /etc directory by bin
• the /etc directory must be owned by root, and
  writable only be the owner
• HP-UX systems allow bin to own many other
  directories as well (only 48 out of 1200
  directories were not owned by bin

8
HP-UX and ACLs

• HP-UX includes the ability to provide a finer
  degree of access control through access control
  lists
• A user-group pair is written as user group
• The symbol represents no particular user or
  group
• (u.g, rwx) specific user, specific group
• (u., rwx) specific user, no specific group
• (.g, rwx) no specific user, specific group
• (., rwx) no specific user, no specific group

9
HP-UX and ACLs

• Most backup utilities ignore the ACL information
  for compatibility with POSIX standards
• Only the fbackup and frecover file archive
  utilities handle access control lists properly
• Change ACLs with the chacl command
• -rw-r--r-- -rw-r--r--
• lsacl xx
• (lon.,rw-)(don.,rw-)(.hep,r--)(.,r--) xx
• ACLs are rarely used.

10
III. User Accounts

• User accounts must be maintained correctly
• The accounts database must be checked for
  correctness
• New accounts must be monitored, and old accounts
  disabled
• Accounts with unusual user-ids checked
• User home directories correctly configured
• Passwords checked and protected

11
/etc/passwd

• Must be readable by all , but writable only be
  the root
• Any account with the user id of zero is granted
  roots privileges
• The home directory should exist, be owned by the
  user, and not writeable by group or other
• The use of temporary directories as the home
  directory is a scurity problem
• The COPS tool can check the existence, ownership
  and permission of each home directory

12
Home Directory

• Shell startup files must specify a safe PATH
• System directories before any local directries
• DOT last if present in PATH ( makes Trojan horses
  less effective)
• root PATH
• Never have DOT in roots PATH
• never includes writable directories in search
  path
• umask
• users default umaks 033
• roots umaks 077

13
Home Directory

• Dangerous startup files permitted
• A .rhosts file permits user to control who may
  log into their account remotely via the r
  commands
• The .netrc files contain unencrypted passwords
  for remote logins.
• COPS and TIGER check for these problems, as do
  commercial tool

14
Shadow Password

• A goal in many attacks is to get a copy of the
  encrypted passwords in the /etc/passwd file
• These attacks can be foiled by moving the
  encrypted passwords into a different file, only
  readable by the root
• These files have the generic name shadow password
  files

15
Shadow Password

• Some versions of UNIX come with shadow files,
  others must be converted
• Solaris use /etc/shadow by default
• Linux uses /etc/shadow after conversion
• Pwconv-merge old /etc/passwd records into a new
  shadow database
• Pwchk- verification and synching between
  /etc/shadow and /etc/passwd
• Pwuncov- back to /etc/passwd

16
Shadow Password

• Arguments against Shadowing
• Makes account management more difficult, as the
  /etc/passwd file can no longer just be edited
• account information gets scattered among many
  files if converted
• Crashing an FTP server can reveal the shadowed
  passwords in the core file

17
IV. Log Files

• Need to know where they are and what they
  contains
• check permissions and ownership
• see how often they are rotated/truncated
• monitor logfile contents
• Archive important logs

18
Log Files

• The wtmp files log user login, logout, date
  changes, start or stop of system accounting,
  reboots
• /etc/wtmp
• /var/adm/wtmp--10.20, old Linux
• var/log/wamp --- Linux

19
Log Files

• Effect of su command on /var/adm/wtmp
• When su was used, it creates a new process with
  both the process's real UID and effective UID
  altered.
• su does not change /var/adm/wtmp file, and finger
  command will continue to display the account to
  which you logged in, not the one that you su'ed
  to.

20
Log Files wtmp files

• Grow until no space
• Pruning the wtmp file
• zero the log file
• rm /var/adm/wtmp.old
• ln /var/adm/wtmp.old /var/adm/wtmp
• cp /dev/null /var/adm/wtmp

21
Log Files

• Hack Tools
• Hacker tools(zap) delete entries matching a user
  name by replacing the record with nulls
• There are also zap detectors
• chkwtmp at COAST

22
Log FilesLast Login

• lastlog file
• /va/log/lastlog Linux
• /usr/sbin/acct/lastlog 10.20
• lastlogin - keep record of date each person last
  logged in"
• bug - the date shown is usually 1 more than it
  should be because lastlogin is run at 4am and
  checks the last 24 hrs worth of process
  accounting info (in pacct)"

23
Log FilesBad Login

• Bad login attempts
• The trouble is that these logs often contain
  passwords
• Look for /etc/btmp on HP-UX
• Make certain that these files are readable only
  by the root, if they exist

24
Log Filessu Login

• UNIX systems will always log the use of the su
  command
• Located in /var/log
• /var/adm/sulog (10.20)
• /var/adm/messages

25
Log Filessu Login

• SU 01/31 2008 tty?? root-lon
• SU 02/01 1456 tty?? root-dan
• SU 02/01 1606 ttyp2 dan-kwang
• SU 02/01 1606 - ttyp2 babar-root
• SU 02/01 1606 ttyp2 babar-root
• SU 02/01 1628 tty?? root-babar
• These logs are useful to both attackers and
  defenders
• Attackers can learn who knows the root password
• Defenders can learn the same thing

26
sudo

• Allows select users to execute specified commands
  as root
• e.g. eject, mount, reboot, adding new acct
• prevent possible errors
• means for accountability
• /etc/sudoers

27
Log FilesSyslog

• The system logdaemon, or syslogd, appears in most
  UNIX systems
• Newer versions of syslog will ignore messages
  sent from the network by default
• Use the l flag to enable this behaviour on BSD
• The r flag is used with Linux
• mail.debug /var/adm/syslog/mail.log
• .infomail.none /var/adm/syslog/syslog.log

28
Log FilesSyslog

• Feb 1 175038 hp73 /sbin/init.d/sendmail1119
  rebooted
• Feb 2 092403 hp73 sendmail2272 JAA02272
  fromwu, size9112, class0, pri39112, nrcpts1,
  msgidlt199902231524.JAA02272_at_hp73.pvamu.edugt,
  relaywu_at_localhost
• Feb 2 141625 hp73 sendmail22105 OAA22104
  toltjoyum_at_Bayou.UH.EDUgt, ctladdr
• ltkwang_at_hp73.pvamu.edugt (207/20), delay000034,
  xdelay000033, mailersmtp,
• relaybayou.uh.edu. 129.7.1.7, statSent
  (OAA06943 Message accepted for delivery)
• Feb 2 144313 hp73 popper22159 (v2.1.4-R3)
  Servicing request from "129.207.217.28" at
  129.207.217.28
• Feb 2 144341 hp73 popper22159 Stats kwang
  0 0 78 1096568

29
V. Network Configuration

• Any server is a potential hole.
• r commands
• public services
• poorly configured anonymous FTP servers
• mail servers
• older version of Linux
• web servers

30
Network Configuration

• Protecting Data in Transit
• Replace telnet, rlogin, rsh and rcp with
  ssh, slogin, ssh, scp
• Secure Shell-ssh use latest version
• http//www.slac.stanford.edu/comp/unix/ssh.htm

31
Network Configuration

• Anonymous FTP
• directory permission
• ftp 555 with root ownership.. users to read
  and execute
• /ftp/bin 555 with root ownership
• /ftp/bin/ls 111 with root ownershipusers to
  execute only
• /ftp/etc 555 with root ownership
• /ftp/etc/passwd
• 444 with root ownership. Users to read-only
  access

32
Network ConfigurationFTP

• FTP bounce attack
• Erroneous file permissions
• The SITE EXEC bug
• create restricted FTP access
• /etc/ftpusersrestricted users access filename
  appearsdenies
• etcbin, daemon, room, uucp,..
• /etc/ftpaccesscore configuration file

33
Network Configuration

• ftphostsused to allow or deny access to certain
  accounts from various host
• ( wild card supported
• allow username host or host pattern
• deny username host or host pattern
• allow doe .xyz.com
• deny doe .abc.com
• alternative is to use SSLftp-Secure Sockets
  Layer--- current version is 0.8

34
Network ConfigurationSMTP

• Trust everyone
• Protect the server from penetration
• Protect smtp service from misuse, such as
  outsiders exploiting your mail server to send
  spam or fake mail
• Current version 8.9.3
• earlier versionupdate ASAP

35
Network ConfigurationSMTP

• To check sendmail version telnet to port 25 and
  vew
• telnet abc.xyz.edu 25
• .
• .
• 220 abc.xyz.edu ESMTP 8.9.3/8.9.3 ?-- version
  number

36
Network ConfigurationSMTP

• Several places recommended replace sendmail with
  Qmail
• ftp//moni.msci.memphis.edu/pub/qmail
• developer offered a 1,000 reward to anyone who
  could break Qmail.
• Sendmail offers high-powered SMTP service and
  excellent compatibility with existing UNIX
  utilities.
• Qmail strives to be small, fast and secure

37
TOOLS

• Security tool that detects system vulnerabilities
• COPS-The computer Oracle and Password System
• Port based scanner
• SATAN (Security Administrator's Tool for
  Analyzing Networks
• ISS-Internet security Scanner
• faster than Satan less information
• SAINT-Security Administrator's Integrated Network
  Tool
• updated version of SATAN

38
References

• Defending against Scanner Attacks
• Courtney-SATAN and SAINT Detector
• Sites with Defensive software
• COAST
• ftp//coast.cs.purdue.edu/pub/tools
• http//www.cs.purdue.edu/coast/archive/Archive_ind
  exing.html
• NISThttp//cs-www-ncsl.nist.gov/tools/tols.htm

39
References

• NIH htttp//www.alw.nih.gov/Security/prog-full.htm
  
• CIAC
• ftp//ciac.llnl.gov/pub/ciac/sectools/unix
• http//ciac.lnl.gov/ciac
• CIRT
• http//www.cert.org
• FIRST http//www.first.org
• Trinux tools http//www/trinux.org

40
References

• HP-UX support
• http//us-support.external.hp.com
• security-alert_at_hp.com for bulletins
• Linux Security News
• http//security.linuxtoday.com
• Redhat support
• http//www.redhat.com/support/errata
• UNIX support
• http//www.usenix.rg

41
References

• Books
• S. Garfinkle, G. Spafford, Practical UNIX
  Security, OReilly Associates, Sebastopol, CA
  1996, 2nd ed.
• Anonymous, Maximum Linux Security, SAMS,
  Indianapolis, IN 1999

42
Monitor SUID and SGID Files

• SUID and SGID Files
• two speciial file permissions
• SGID (set group ID, octal 2000 or S)
• SUID (set user ID, octal 4000, or s)
• find / -perm 4000
• owners permission are enforced even when other
  users executed them.