Security Issues in HP-UX and Linux - PowerPoint PPT Presentation

About This Presentation
Title:

Security Issues in HP-UX and Linux

Slides: 43
Provided by: kwang2
Transcript and Presenter's Notes

1
Security Issues in HP-UX and Linux
  • Kwang H. Paick
  • kwang@hp73.pvamu.edu
  • Prairie View A&M University

2
Common Attacks
  • Physical access
  • Access to the command line
  • Network access

3
Security Setup
  • 1. Physical security
  • 2. File and Directory Permission
  • 3. User Accounts
  • 4. Log Files
  • 5. Correct network configuration

4
I. Physical Security
  • Physical access
  • BIOS and Console Passwords
  • Anti-theft devices

5
Most Unix systems are not secured because
  • Default installation includes a wide range of
    vulnerabilities
  • Software patches are not installed, and
  • Systems are not well maintained

6
II. File and Directory Permissions
  • HP-UX systems contain > 20,000 files in 10.20
  • The most common permission problems are write
    access for group or other on almost any file or
    directory in the base installation
  • Some files and directories require group or other
    write permissions
  • e.g. Temporary directories (group and others)
  • Spool directories for the lpr system must be
    group writeable

7
Common Permission Problems
  • The number one problem has been ownership of the
    /etc directory by bin
  • The /etc directory must be owned by root, and
    writable only by the owner
  • HP-UX systems allow bin to own many other
    directories as well (only 48 out of 1200
    directories were not owned by bin)

8
HP-UX and ACLs
  • HP-UX includes the ability to provide a finer
    degree of access control through access control
    lists
  • A user-group pair is written as user.group
  • A wildcard symbol in either position represents no
    particular user or group
  • (u.g, rwx) specific user, specific group
  • (u., rwx) specific user, no specific group
  • (.g, rwx) no specific user, specific group
  • (., rwx) no specific user, no specific group

9
HP-UX and ACLs
  • Most backup utilities ignore the ACL information
    for compatibility with POSIX standards
  • Only the fbackup and frecover file archive
    utilities handle access control lists properly
  • Change ACLs with the chacl command
  • -rw-r--r-- -rw-r--r--
  • lsacl xx
  • (lon.,rw-)(don.,rw-)(.hep,r--)(.,r--) xx
  • ACLs are rarely used.

10
III. User Accounts
  • User accounts must be maintained correctly
  • The accounts database must be checked for
    correctness
  • New accounts must be monitored, and old accounts
    disabled
  • Accounts with unusual user-ids checked
  • User home directories correctly configured
  • Passwords checked and protected

11
/etc/passwd
  • Must be readable by all, but writable only by
    root
  • Any account with a user id of zero is granted
    root's privileges
  • The home directory should exist, be owned by the
    user, and not be writeable by group or other
  • The use of temporary directories as the home
    directory is a security problem
  • The COPS tool can check the existence, ownership
    and permissions of each home directory

12
Home Directory
  • Shell startup files must specify a safe PATH
  • System directories before any local directories
  • DOT last if present in PATH (makes Trojan horses
    less effective)
  • root PATH
  • Never have DOT in root's PATH
  • Never include writable directories in the search
    path
  • umask
  • users' default umask 033
  • root's umask 077

13
Home Directory
  • Dangerous startup files permitted
  • A .rhosts file permits a user to control who may
    log into their account remotely via the r
    commands
  • The .netrc files contain unencrypted passwords
    for remote logins.
  • COPS and TIGER check for these problems, as do
    commercial tools
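The checks from slides 11 to 13 (uid-0 accounts, home directory existence, ownership and group/other write bits, .rhosts/.netrc files, and DOT or writable directories in PATH) as a COPS-style shell script. This is an added example, not code from the presentation or from COPS; the account names, the scratch tree and the passwd file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the presentation): COPS-style checks for the rules on
# slides 11 to 13, run against a constructed passwd file and a scratch directory
# tree; the account names and paths are made up for the demonstration.

# Report uid-0 accounts other than root, home directories that are missing,
# not owned by the user or writable by group/other, and .rhosts/.netrc files.
check_accounts() {
    f=$1
    while IFS=: read -r user _ uid _ _ home _; do
        if [ "$uid" = 0 ] && [ "$user" != root ]; then echo "$user: uid 0 account"; fi
        if [ ! -d "$home" ]; then echo "$user: home $home missing"; continue; fi
        set -- $(ls -ld "$home")          # $1=mode $2=links $3=owner $4=group ...
        if [ "$3" != "$user" ]; then echo "$user: home $home owned by $3"; fi
        for d in .rhosts .netrc; do
            if [ -f "$home/$d" ]; then echo "$user: $d present in $home"; fi
        done
        case $1 in ?????w*|????????w*) echo "$user: home $home group/other writable" ;; esac
    done < "$f"
}

# Flag "." or an empty component (both mean the current directory) and any
# group/other-writable directory in a search path such as $PATH.
check_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case $dir in ""|.) echo "current directory in PATH"; continue ;; esac
        [ -d "$dir" ] || continue
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in ?????w*|????????w*) echo "$dir: writable directory in PATH" ;; esac
    done
}

# Build the scratch tree: a second uid-0 account with no home, a user whose home
# is group-writable and holds a .netrc, and a world-writable directory.
build_fixture() {
    t=$(mktemp -d); me=$(id -un)
    mkdir -p "$t/home/$me" "$t/home/alice" "$t/bin" "$t/shared"
    chmod 755 "$t/home/$me" "$t/bin"; chmod 775 "$t/home/alice"; chmod 777 "$t/shared"
    : > "$t/home/alice/.netrc"
    printf '%s\n' "toor:x:0:0::$t/home/toor:/bin/sh" "$me:x:1000:1000::$t/home/$me:/bin/sh" \
        "alice:x:1001:1001::$t/home/alice:/bin/sh" > "$t/passwd"
    echo "$t"
}

t=$(build_fixture)
check_accounts "$t/passwd"
check_path "$t/bin:.:$t/shared"
```

Pointing `check_accounts` at the real /etc/passwd and `check_path` at `$PATH` (or at the PATH set in root's startup files) gives the same report for a live system.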

14
Shadow Password
  • A goal in many attacks is to get a copy of the
    encrypted passwords in the /etc/passwd file
  • These attacks can be foiled by moving the
    encrypted passwords into a different file, only
    readable by the root
  • These files have the generic name shadow password
    files

15
Shadow Password
  • Some versions of UNIX come with shadow files,
    others must be converted
  • Solaris uses /etc/shadow by default
  • Linux uses /etc/shadow after conversion
  • pwconv - merge old /etc/passwd records into a new
    shadow database
  • pwck - verification and syncing between
    /etc/shadow and /etc/passwd
  • pwunconv - back to /etc/passwd

16
Shadow Password
  • Arguments against Shadowing
  • Makes account management more difficult, as the
    /etc/passwd file can no longer just be edited
  • account information gets scattered among many
    files if converted
  • Crashing an FTP server can reveal the shadowed
    passwords in the core file

17
IV. Log Files
  • Need to know where they are and what they
    contain
  • check permissions and ownership
  • see how often they are rotated/truncated
  • monitor logfile contents
  • Archive important logs

18
Log Files
  • The wtmp files log user login, logout, date
    changes, start or stop of system accounting,
    reboots
  • /etc/wtmp
  • /var/adm/wtmp -- 10.20, old Linux
  • /var/log/wtmp --- Linux

19
Log Files
  • Effect of the su command on /var/adm/wtmp
  • When su is used, it creates a new process with
    both the process's real UID and effective UID
    altered.
  • su does not change the /var/adm/wtmp file, and
    the finger command will continue to display the
    account to which you logged in, not the one that
    you su'ed to.

20
Log Files: wtmp files
  • Grow until there is no space
  • Pruning the wtmp file
  • zero the log file:
  • rm /var/adm/wtmp.old
  • mv /var/adm/wtmp /var/adm/wtmp.old (rename rather
    than hard link: cp /dev/null truncates the file
    in place, so a hard link would be emptied too)
  • cp /dev/null /var/adm/wtmp

21
Log Files
  • Hack tools
  • Hacker tools (zap) delete entries matching a user
    name by replacing the record with nulls
  • There are also zap detectors
  • chkwtmp at COAST

22
Log Files: Last Login
  • lastlog file
  • /var/log/lastlog (Linux)
  • /usr/sbin/acct/lastlog (10.20)
  • lastlogin - keeps a record of the date each person
    last logged in
  • bug - the date shown is usually 1 more than it
    should be because lastlogin is run at 4am and
    checks the last 24 hours' worth of process
    accounting info (in pacct)

23
Log Files: Bad Login
  • Bad login attempts
  • The trouble is that these logs often contain
    passwords
  • Look for /etc/btmp on HP-UX
  • Make certain that these files are readable only
    by root, if they exist

24
Log Files: su Login
  • UNIX systems will always log the use of the su
    command
  • Located in /var/log
  • /var/adm/sulog (10.20)
  • /var/adm/messages

25
Log Files: su Login
  • SU 01/31 20:08 tty?? root-lon
  • SU 02/01 14:56 tty?? root-dan
  • SU 02/01 16:06 ttyp2 dan-kwang
  • SU 02/01 16:06 - ttyp2 babar-root
  • SU 02/01 16:06 ttyp2 babar-root
  • SU 02/01 16:28 tty?? root-babar
  • These logs are useful to both attackers and
    defenders
  • Attackers can learn who knows the root password
  • Defenders can learn the same thing
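A defender's tally over sulog records, added here as an example (not the presentation's own code). The sample lines are the slide's entries rewritten in the HP-UX/Solaris sulog layout `SU mm/dd hh:mm +|- tty from-to`, with the `+` success marker assumed where the transcript kept only the `-` of the failed attempt, plus one constructed failed attempt by `guest`.

```shell
#!/bin/sh
# Added example (not from the presentation): tally su attempts to root per user
# from sulog records.  Constructed sample lines in the HP-UX/Solaris layout
# "SU mm/dd hh:mm +|- tty from-to"; "+" marks success and "-" failure (the "+"
# is assumed, the slide transcript only preserved the "-" of the failed entry).
SAMPLE_SULOG='SU 01/31 20:08 + tty?? root-lon
SU 02/01 14:56 + tty?? root-dan
SU 02/01 16:06 + ttyp2 dan-kwang
SU 02/01 16:06 - ttyp2 babar-root
SU 02/01 16:06 + ttyp2 babar-root
SU 02/01 16:28 + tty?? root-babar
SU 02/02 03:12 - ttyp4 guest-root'

# Read sulog on stdin; print "user successes failures" for every account that
# tried to su to root, sorted by user.  root's own su to other accounts is
# not an attempt on the root password and is skipped.
su_to_root_tally() {
    awk '$1 == "SU" && split($6, p, "-") == 2 && p[2] == "root" {
            if ($4 == "+") ok[p[1]]++; else bad[p[1]]++
            seen[p[1]] = 1
         }
         END { for (u in seen) printf "%s %d %d\n", u, ok[u] + 0, bad[u] + 0 }' | sort
}

# Accounts that have actually become root, i.e. the people who know the root
# password: the list the slide says both attackers and defenders read off.
root_holders() {
    su_to_root_tally | awk '$2 > 0 { print $1 }'
}

echo "$SAMPLE_SULOG" | su_to_root_tally    # babar 1 1 / guest 0 1
echo "$SAMPLE_SULOG" | root_holders        # babar
```

On HP-UX 10.20 the same functions read `/var/adm/sulog` directly; a user with failures and no successes (guest here) is the entry worth following up.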

26
sudo
  • Allows select users to execute specified commands
    as root
  • e.g. eject, mount, reboot, adding a new account
  • Prevents possible errors
  • A means for accountability
  • /etc/sudoers

27
Log Files: Syslog
  • The system log daemon, or syslogd, appears in most
    UNIX systems
  • Newer versions of syslog will ignore messages
    sent from the network by default
  • Use the l flag to enable this behaviour on BSD
  • The r flag is used with Linux
  • mail.debug /var/adm/syslog/mail.log
  • *.info;mail.none /var/adm/syslog/syslog.log

28
Log Files: Syslog
  • Feb  1 17:50:38 hp73 /sbin/init.d/sendmail[1119]: rebooted
  • Feb  2 09:24:03 hp73 sendmail[2272]: JAA02272: from=wu, size=9112, class=0, pri=39112, nrcpts=1, msgid=<199902231524.JAA02272@hp73.pvamu.edu>, relay=wu@localhost
  • Feb  2 14:16:25 hp73 sendmail[22105]: OAA22104: to=<joyum@Bayou.UH.EDU>, ctladdr=<kwang@hp73.pvamu.edu> (207/20), delay=00:00:34, xdelay=00:00:33, mailer=smtp, relay=bayou.uh.edu. [129.7.1.7], stat=Sent (OAA06943 Message accepted for delivery)
  • Feb  2 14:43:13 hp73 popper[22159]: (v2.1.4-R3) Servicing request from "129.207.217.28" at 129.207.217.28
  • Feb  2 14:43:41 hp73 popper[22159]: Stats: kwang 0 0 78 1096568

29
V. Network Configuration
  • Any server is a potential hole.
  • r commands
  • public services
  • poorly configured anonymous FTP servers
  • mail servers
  • older version of Linux
  • web servers

30
Network Configuration
  • Protecting Data in Transit
  • Replace telnet, rlogin, rsh and rcp with
    ssh, slogin, ssh, scp
  • Secure Shell - ssh: use the latest version
  • http://www.slac.stanford.edu/comp/unix/ssh.htm

31
Network Configuration
  • Anonymous FTP
  • directory permissions
  • ftp home directory: 555 with root ownership; users
    can read and execute
  • /ftp/bin: 555 with root ownership
  • /ftp/bin/ls: 111 with root ownership; users can
    execute only
  • /ftp/etc: 555 with root ownership
  • /ftp/etc/passwd: 444 with root ownership; users
    have read-only access

32
Network Configuration: FTP
  • FTP bounce attack
  • Erroneous file permissions
  • The SITE EXEC bug
  • Create restricted FTP access
  • /etc/ftpusers: restricts user access; a username
    that appears in the file is denied
  • e.g. bin, daemon, root, uucp, ...
  • /etc/ftpaccess: core configuration file

33
Network Configuration
  • /etc/ftphosts: used to allow or deny access to
    certain accounts from various hosts (wildcards
    supported)
  • allow username host (or host pattern)
  • deny username host (or host pattern)
  • allow doe *.xyz.com
  • deny doe *.abc.com
  • An alternative is to use SSLftp (Secure Sockets
    Layer FTP); the current version is 0.8

34
Network Configuration: SMTP
  • Trust everyone
  • Protect the server from penetration
  • Protect the smtp service from misuse, such as
    outsiders exploiting your mail server to send
    spam or fake mail
  • Current version 8.9.3
  • Earlier version: update ASAP

35
Network Configuration: SMTP
  • To check the sendmail version, telnet to port 25
    and view the banner
  • telnet abc.xyz.edu 25
  • .
  • .
  • 220 abc.xyz.edu ESMTP 8.9.3/8.9.3  <-- version
    number

36
Network ConfigurationSMTP
  • Several places recommend replacing sendmail with
    Qmail
  • ftp://moni.msci.memphis.edu/pub/qmail
  • The developer offered a $1,000 reward to anyone
    who could break Qmail.
  • Sendmail offers high-powered SMTP service and
    excellent compatibility with existing UNIX
    utilities.
  • Qmail strives to be small, fast and secure

37
TOOLS
  • Security tools that detect system vulnerabilities
  • COPS - The Computer Oracle and Password System
  • Port-based scanners
  • SATAN (Security Administrator's Tool for
    Analyzing Networks)
  • ISS - Internet Security Scanner
  • faster than SATAN, less information
  • SAINT - Security Administrator's Integrated Network
    Tool
  • updated version of SATAN

38
References
  • Defending against scanner attacks
  • Courtney - SATAN and SAINT detector
  • Sites with defensive software
  • COAST
  • ftp://coast.cs.purdue.edu/pub/tools
  • http://www.cs.purdue.edu/coast/archive/Archive_indexing.html
  • NIST http://cs-www-ncsl.nist.gov/tools/tols.htm

39
References
  • NIH http://www.alw.nih.gov/Security/prog-full.htm
  • CIAC
  • ftp://ciac.llnl.gov/pub/ciac/sectools/unix
  • http://ciac.llnl.gov/ciac
  • CERT
  • http://www.cert.org
  • FIRST http://www.first.org
  • Trinux tools http://www.trinux.org

40
References
  • HP-UX support
  • http://us-support.external.hp.com
  • security-alert@hp.com for bulletins
  • Linux Security News
  • http://security.linuxtoday.com
  • Red Hat support
  • http://www.redhat.com/support/errata
  • UNIX support
  • http://www.usenix.org

41
References
  • Books
  • S. Garfinkel, G. Spafford, Practical UNIX
    Security, O'Reilly & Associates, Sebastopol, CA,
    1996, 2nd ed.
  • Anonymous, Maximum Linux Security, SAMS,
    Indianapolis, IN, 1999

42
Monitor SUID and SGID Files
  • SUID and SGID files
  • two special file permissions
  • SGID (set group ID, octal 2000, or S)
  • SUID (set user ID, octal 4000, or s)
  • find / -perm -4000
  • the owner's permissions are enforced even when
    other users execute them.
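Monitoring means comparing against a known-good list, not just running find once. The script below, an added example rather than the presentation's own code, records a baseline of set-uid/set-gid files under a tree and reports anything that appears later; the tree and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the presentation): keep a baseline of set-uid/set-gid
# files and report anything that appears later.  The tree, file names and
# modes are constructed for the demonstration.

# List set-uid and set-gid regular files under $1 as "mode owner path", sorted.
# -perm -4000 / -perm -2000 match files that have at least that bit set.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; |
        awk '{ print $1, $3, $NF }' | sort
}

# Print entries found under tree $2 that are not in baseline file $1.
new_since_baseline() {
    list_suid_sgid "$2" | comm -13 "$1" -
}

# Constructed tree: two legitimately privileged binaries and one plain file.
build_tree() {
    t=$(mktemp -d); mkdir -p "$t/bin"
    : > "$t/bin/su";   chmod 4755 "$t/bin/su"     # set-uid, as /bin/su would be
    : > "$t/bin/wall"; chmod 2755 "$t/bin/wall"   # set-gid, as wall would be
    : > "$t/bin/ls";   chmod 755  "$t/bin/ls"
    echo "$t"
}

t=$(build_tree)
list_suid_sgid "$t" > "$t/baseline"                 # taken after install/patching
: > "$t/bin/newtool"; chmod 4755 "$t/bin/newtool"   # a set-uid file appears later
new_since_baseline "$t/baseline" "$t"               # reports only .../bin/newtool
```

On a real host the baseline is taken over / right after installation and patching, stored off the machine, and the comparison run from cron.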