SECURITY

1
SECURITY

• -HARIPRIYA PURUSHOTHAMAN

2
SEVEN COMMON SENSE RULES OF SECURITY

• Avoid putting files on the system that are likely
  to be interesting to hackers
  
• Plug the holes that hackers can use to gain
  access to the system
  
• Dont provide places for hackers to build nests
  on the system
  
• Set the traps to detect intrusions and attempted
  intrusions

3
RULES CONTD

• Monitor the reports generated by these security
  tools
  
• Teach ourselves about UNIX system security
• Prowl around looking for an unusual activity

4
HOW THE SECURITY PROBLEMS ARE COMPROMISED

• Unreliable wetware
• Human users are the weakest links in the chain of
  security
  
• Teaching the users about proper security hygiene
  
  
• Software bugs
• By exploiting the errors hackers could manipulate
  Unix into doing whatever they want
  
• Keeping up wit patches and security bulletins
• Open doors
• Gaining access by exploiting software features
  that would be helpful
  
• Making sure that we havent put a welcome mat for
  hackers
  

5
/ETC/PASSWD FILE

• Contents of this file determine who can log and
  what they can do once they get inside
  
• This file is the systems first line of defense
  against the intruders
  
• On FreeBSD systems this file is derived from
  /etc/master.passwd

6
/ETC/PASSWD

• Password checking and selection
• Important to continually verify that every login
  has a password
  
• Pseudo users should have a star() in the
  encrypted password field
  
• Following command finds the null passwords
• perl F -ane print if not F1 /etc/passwd
• /etc/passwd and /etc/group must be readable by
  the world but writable only by the root
  

7
/ETC/PASSWD

• /etc/shadow file should be neither readable or
  writable by the world
  
• Passwords are normally changed with passwd
  command

8
/ETC/PASSWD

• Need for Shadow passwords
• Since /etc/passwd/ is world readable , encrypted
  password string is available to all the users
  
• Evildoers can encrypt selected dictionaries or
  words and compare the results with the strings in
  the /etc/passwd and can find the password
  
• To impose restrictions passwords are put in a
  separate file that is readable only by the root
  
• This file wit the actual password information is
  then called the shadow password file
  

9
/ETC/PASSWD

• Group logins and shared logins
• Instead of having root as a group login , use
  sudo program to control access to rootly powers
  
• Password aging
• Facility that allows us to compel the users to
  change their passwords
  
• User shells
• Rootly entries
• More than one entry in the passwd file that uses
  UID of zero , so more than one way to log in as
  root
  
• Defense against this subterfuge is a mini script
  
  
• perl F -ane print if not F2
  /etc/passwd
  

10
SETUID PROGRAMS

• Prone to security problems
• Especially Setuid shellscripts cause security
  problems
  
• Setuid and setgid could be disabled through the
  use of o nosuid option to the mount
  
• Disks should be scanned periodically to look for
  new setuid programs
  
• For eg, find will mail a list of all setuid root
  files to the netadmin

11
FILE PERMISSIONS

• Device file /dev/kmem allows access to the
  kernels own virtual address space
  
• This file should only be readable by the owner
  and group , never by the world
  
• /dev/drum and /dev/mem provide unfettered access
  to the systems swap space and physical memory
  
• /etc/passwd and /etc/group should not be world
  writable and should have owner root

12
FILE PERMISIONS

• Directories that are accessible thru anonymous
  FTP should not be publicly writable
  
• Only root should have both read and write
  permission on device disk file
  
• Group owner is given read permissions to
  facilitate backups , but there shd be no
  permissions for the world
  

13
MISCELLANEOUS SECURITY ISSUES

• Remote event logging
• Syslog allows log info for both the kernel and
  user processes to be forwarded to file , users or
  another host on our network
  
• Secure host that acts as central logging machine
  and prints out security violations on an old line
  printer could be set up
  

14
MISCELLANEOUS SECURITY ISSUES

• Secure terminals
• Secure channels are usually specified as a list
  of TTY devices or as a keyword in a configuration
  file
  
• On solaris the file is /etc/default/login
• On HP-UX and red hat linux , the file is
  /etc/securetty
  
• On FreeBSD it is /etc/ttys

15
MISCELLANEOUS SECURITY ISSUES

• /etc/hosts.eqiv and /.rhosts
• Allows users to login(via rlogin) and copy
  files(via rcp) without typing the passwords
  
• The server processes rshd and rlogind that read
  them should be disabled
  

16
MISCELLANEOUS SECURITY ISSUES

• rexd,rexecd, and tftpd
• Rexd- poorly secured remote command execution
  server which shd be disabled
  
• Rexecd another remote command execution daemon
  
  
• Server for rexec library routine
• requests sent to this include plaintext password
  
  
• tftpd server for Trivial File Transfer
  Protocol
  
• Allows machines on the network to request files
  from ur hard disk
  

17
MISCELLANEOUS SECURITY ISSUES

• fingerd
• finger prints a short report about the particular
  user
  
• Information returned by
• finger user_at_host
• When supported by fingerd daemon on remote host
  is potentially useful to hackers
  
• NIS (Network Information Service)
• Sun database distribution tool that many sites
  use to maintain and distribute files
  
• Easy information access for the hackers

18
MISCELLANEOUS SECURITY ISSUES

• Sendmail
• Massive network system that runs as root
• Often subjected to attacks of hackers and
  numerous vulnerabilities
  
• Backups
• Backup tapes shd be kept under lock and key
• Trojan horses
• Programs that are not what they seem to be

19
SECURITY POWER TOOLS

• Nmap - network port scanner
• Checks a set of target hosts to see which TCP and
  UDP ports have servers listening to them
  
• command looks like
• nmap sT host1.uexample.com
• -sT argument asks nmap to try and connect to each
  TCP port on the target host in the normal way
  
• It probes ports without initializing an actual
  connection
  
• the o option gives the nmap the ability to
  guess what OS a remote system is running

20
SECURITY POWER TOOLS

• SAINT
• Similar to nmap in finding out what servers they
  are running
  
• Unlike nmap , it knows quite a lot about the
  actual UNIX server pgms and their vulnerabilities
  
  
• Its user interface is entirely web based

21
SECURITY POWER TOOLS

• Crack
• Sophisticated tool that implements several
  password guessing techniques
  
• Passwords should be crack resistant
• tcpd
• Referred as TCP wrappers package
• Allows to log connections to TCP services
• Piggybacks on top of inetd

22
SECURITY POWER TOOLS

• COPS (Computer Oracle an Password System)
• Its a classic tool that identifies many classic
  security problems
  
• Warns us of the potential problem by sending
  emails
  
• tripwire
• Monitors the permission and checksums of
  important system files so that we can easily
  detect files that have been replaced
  

23
CRYPTOGRAPHIC SECURITY TOOLS

• Kerberos
• Its an authentication system
• Facility that guarantees that users and services
  are in fact who they claim to be
  
• Uses DES to construct nested set of credentials
  called tickets.
  
• Tickets are passed around network to certify the
  identity and to provide access
  
• It never transmits unencrypted passwords and
  relieves the users from typing the passwords
  repeatedly

24
CRYPTOGRAPHIC SECURITY TOOLS

• PGP Pretty Good Privacy
• Focused primarily on email security
• Used to encrypt data , generate signatures and to
  verify the origin of files and messages
  
• Software packages are often distributed with PGP
  signature file that guarantees the origin and
  purity of software

25
CRYPTOGRAPHIC SECURITY TOOLS

• SSH the secure shell
• Confirms users identity and encrypts all
  communications between two hosts
  
• The server daemon sshd authenticates in different
  ways
  
• Method A user logged in automatically if the
  name of the remote host that user is logging is
  in /.rhosts or equivalent files
  
• Method B uses public key crytography to verify
  the identity of remote host
  
• Method C uses public key cryptography to
  establish users identity
  
• Method D allows user to enter his or her normal
  login password

26
CRYPTOGRAPHIC SECURITY TOOLS

• SRP Secure Remote Password
• Highly secure way to verify passwords over public
  network
  
• telnet and ftp could be used
• One Time Passwords in Everything
• Instead of encrypting passwords , its jus made
  sure that they work only once
  
• One time passwords are generated on our behalf

27
FIREWALLS basic tool for network security

• Its only a supplemental security measure
• Packet filtering firewalls
• Limits the types of traffic that can pass thru
  the internet gateway based on information on the
  packet header
  
• How the services are filtered
• the daemons that provide these services bind to
  the appropriate ports and wait for connectiions
  from remote sites
  
• Service specific filtering is based on the
  assumption that the client will use a non
  privileged port to contact a privileged port on
  the server

28
FIREWALLS

• Service proxy fire walls
• service proxies intercepts the connections to
  and from the outside world
  
• establishes new connections to services inside
  our network
  
• Acts as a sort of shuttle or chaperone between
  the worlds .
  
• Stateful inspection firewalls
• Designed to inspect the traffic that flows
  through them and compare the actual network
  activity to what should be happening

29
What to do when a site has been attacked

• Dont panic
• Decide on an appropriate level of response
• Hoard all available tracking information
• Assess your degree of exposure
• Pull the plug
• Devise a recovery plan
• Communicate the recovery plan
• Implement the recovery plan
• Report the incident to authorities