Unix System Security and Advanced Administration: (Sécurité Système Sous Unix Et Administration Avancée)

UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION
(SCURIT SYSTME SOUS UNIX ET ADMINISTRATION AVANCE)
A.Davous, 01/02/2009
Unix Security Advanced Admin
FOREWORD
No absolute security as long as system is accessed In system administration, the evil is in details
For questions, contact is antoine.davous@aviler.com with [ESGI] in subject field otherwise, mail will be 01/02/2009 considered as spam by server rules. A.Davous, Unix Security Advanced Admin
INTRODUCTION
UNIX FLAVORS COMMON SENSE RULES OF SECURITY HOW SECURITY IS COMPROMISED UNIX DAEMONS, SERVICES AND SERVERS HANDS-ON : SUN VIRTUAL BOX
A.Davous, 01/02/2009
WELL-KNOWN EXAMPLES
Sendmail debug commands mode as sendmail runs with setuid root so user can run any command with root power (try sudo and vi !...) Command passwd f : no control of entered GECOS field so user can add any new line in password file Buffer overflow is a variant User can execute shellcode (to get run root shell) previously saved at some memory address for programs that accepts any entry without control (exploit) More generally, any software that do not control file ownership you just have to link to any system file
A.Davous, 01/02/2009
FOR INFORMATION UNIX RELEASES

UNIX 1969 1977 1983 1991 1992 1993 1994 1995 2000 2001 2003 A.Davous, 17/09/2008 Solaris 2.5 (= SunOS 5.5) Solaris 8 (= SunOS 5.8) Solaris 9 (= SunOS 5.9)
Solaris vs. Linux
Solaris
Linux
AT&T Labs Unix Berkeley BSD Unix System V

From BSD & SysV : From scratch :
Solaris 1.0 (= SunOS 4) FreeBSD, OpenBSD
Linus Torwalds Linux
Slackware ; Debian Kernel 1.0 stable RedHat
Kernel 2.4 Fedora Core Kernel 2.6

5
FOR INFORMATION UNIX FLAVORS Unix time line http://www.levenez.com/unix/ Linux distributions time line http://futurist.se/gldt/gldt76.png
A.Davous, 01/02/2009
REMINDER UNIX MANDATORY

Read, read again documentation man, man k, makewhatis -u vi what else could be expected ? vim but config and security Shells : sh best choice for scripting then tcsh or bash (current : ps) find, diff, touch, sort [-n] xargs grep, egrep, awk, Perl, expect
A.Davous, 01/02/2009
WELL-KNOWN ATTACKS
Name Sniffing Category Network Definition Get information from network transactions Take identity of someone else
Spoofing or Network masquerading Denial of service Replaying Repudiation Spam Phishing Hoax Dictionary
A.Davous, 01/02/2009
Network
Try to stop or degrade service
Authentication Replay abusive authentication or transaction Authentication Reject authentication or transaction Mail Mail Mail Password Undesirable mail Disguised mail to get confidential data Joke with more or less consequences
Test with list of most current words
MALICIOUS PROGRAMS (MALWARES)

Name Virus Worm Trojan horses Backdoor Rootkit Spyware Key logger Exploit Definition Insert malicious code on machine Separate process that exploited security holes in network Malicious program disguised as something innocuous or desirable Method to bypass normal authentication procedures Software set installed to get abusive rights, install backdoor and stay hidden Gather information for commercial purpose Copies down the users keystrokes Exploit a security breach of a software
A.Davous, 01/02/2009
SECURITY KEY CONCEPTS

3 security goals: confidentiality, integrity, availability 3 usual answers to threats: ignore, improvise or try to over secure Right answer: determine field, identify and evaluate cost of resources (financial, confidentiality or production), determine security risks and strategy, monitor, upgrade
A.Davous, 01/02/2009 Unix Security Advanced Admin 10
STRATEGIES
Strategies : Accept threat but have a recovery plan Reduce threat by appropriate means Transfer threat to a vendor Bypass threat by blocking access Understanding is key: Example of mail user privilege Protect all layers example of firewalls Reduce exposed surface Protect but detect and answer administrate ! Security is or must be part of : conception, operation and deployment
RISKS AND STRATEGY

Risks Human malicious but often from authorized users Technical hardware (physical access), software This is up to sysadmin to decide what are they and right level of protection Strategy Security and comfort is a compromise Have a security policy especially recovery procedure
HOW TO DO
In-depth (passive) protection (Physical premises access) Network filtering Passwords Encryption Backup (Active) security process Monitor and add corrections Full audit Upgrade
SECURED DESIGN
Open design or secret design debate (hidden flaws, issues discovered by community, provocation to exploits) Common breaches Least user access (chroot as solution) Buffer overflow Printf function (insert conversion keys into string) Web programming (URL forging) Transactions, client/server (man-in-the middle, encryption, hashing as solutions)
A.Davous, 01/02/2009
14
SOME TABLE LAWS

If someone can execute something on your computer or if someone can modify your OS, or if someone can physically access to your computer, it will not belong to you anymore As well, if someone can execute something on your web site, it will not belong to you anymore Weak passwords leads to security breach System is as secured as sysadmin wants Encrypted data are as secured as the used key to encrypt An anti-virus not updated is as useful as no anti-virus Anonymity is not useful but confidentiality is Technology is not be-all Security measures works well when they are simple to use for sysadmin and transparent to users
Unix Security Advanced Admin 15
A.Davous, 01/02/2009
REMINDER : PROCESSES
Processes have four identities : real (for accounting) and effective (for access permissions) UID and GID ; usually the same except with setuid or setgid bit set Command ps Kinds of processes Interactive controlled with &, ^Z, jobs Batch Daemons
A.Davous, 01/02/2009
16
DAEMONS, SERVERS, SERVICES

Daemon, server, service concepts Daemon : programs not part of kernel ; process that performs a specific function or system-related task Start at boot time or on demand Specific system daemons init primordial process cron that schedule commands inetd that manages some of them
A.Davous, 01/02/2009
17
WELL KNOWN DAEMONS

Name init syslogd, rsyslogd sendmail lpd, lpsched crond getty, mingetty syncd, fsflush, bdflush, pdflush pagedaemon, swapper, kswap inetd named routed, gated dhcpd portmap, rpcbind nfsd smbd, nmbd httpd timed, ntpd, xntpd A.Davous, 01/02/2009 Description First process Syslog logging Mail MTA Mail Transfer Agent Print scheduler Cron process scheduler Terminal support Disk buffer management Swap management Main daemon to start on-demand TCP/IP services as telnetd, ftpd, rshd see /etc/inetd.conf Bind DNS Dynamic Name Resolution TCP/IP routing daemons DHCP Dynamic Host Configuration Protocol Port service resolution for RPC Remote Procedure Call NFS Network File System Samba Apache HTTP server NTP Network Time Protocol Unix Security Advanced Admin 18
init DAEMON
First process to run after system boot Always have PID 1 and is ancestor of all other processes After startup, init consults /etc/inittab (or for BSD /etc/ttys) to determine on which physical ports it should expect users to log in (getty processes even tough large use of network daemons today, or xdm for graphical interface) Also take care of zombie processes (not running but listed) Init defines run levels (passed as argument to it from boot loader) : 0 to 6 and s (single-user) Additional layer is given with startup scripts in /etc/init.d, linked to startup and stop scripts in /etc/rcX.d
A.Davous, 01/02/2009
REMINDER : BOOTING SHUTTING DOWN Solaris SPARC Solaris x86/64 Linux (Fedora Core)
(device detection) Access with STOP-A Boot boot s : PROM single-user (device boot r :detection) reconfigure with STOP-A See lsAccess l /dev/rdsk/c0t0d0s0 boot s : single-user boot r : reconfigure See ls l /dev/rdsk/c0t0d0s0
Boot PROM Solaris SPARC
Solaris x86/64
ROM BIOS Linux (Fedora Core)

MBR of boot device (GRUB see /boot/grub/menu.lst) Boot loader
MBR of ROM boot BIOS device Boot loader

(GRUB since 5.10) Boot loader
Boot loader
Kernel loading and initialization Device configuration
(GRUB since 5.10, (GRUB see /boot/grub/menu.lst) Kernel loading and initialization see /boot/grub/menu.lst)
startup scripts Execution of startup scripts Level 0 : shut down (init 0Execution ) - Level 1 of or S : single user (init s) - Level 6 : reboot Level 0 : shut down (init 0) - Level ( 1 or S : user (init s) - Level 6 : reboot Level 0 : shut down (init 0) - Level 1 or S init 6single ) Level s : the same (init none 6) : single user (init s) Level 6 : reboot Scripts management or see 5.10 Scripts management Scripts management none or see 5.10 (init 6): chkconfig Configuration : /etc/default Configuration : /etc/sysconfig Configuration : /etc/default Scripts management : chkconfig Configuration : /etc/sysconfig
Execution of startup scripts
touch /RECONFIGURE Device configuration touch /RECONFIGURE
Device detection and config.
Device detection and configuration
Exec. of startup scripts
Multiuser mode Multiuser mode
Shutdown /usr/sbin/shutdown g secs /usr/sbin/shutdown gi6 secs i6 /usr/sbin/shutdown g secs /usr/sbin/shutdown gi0 secs i0 /usr/sbin/shutdown g secs /usr/sbin/shutdown giS secs iS
Shutdown ShutdownShutdown
/usr/sbin/shutdown (reboot)/usr/sbin/shutdown secs secs r r /usr/sbin/shutdown (shut down)/usr/sbin/shutdown secs secs h h (single user) /usr/sbin/shutdown (skip scandisk)/usr/sbin/shutdown secs secs f f
A.Davous, 17/09/2008
Solaris vs. Linux
20
OTHER CONCEPTS
Command dmesg Core dump : ulimit c Path : - try not modify root profile PATH variable - do not set empty or . in PATH variable - in scripts (and configurations like cron), always use full path for commands (as variables at beginning) Disk quotas may be use to isolate an application (vs. original purpose) vi and other editors dump files feature History of shell commands who r cp -p
A.Davous, 01/02/2009
PASSWORD CRACK TOOLS

Usage of these tools are illegal on computers where you have not been explicitly authorized to do it. But it is recommended to test your own password files anyhow, crackers will do it with them.
Crack
Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin Quick-start commands: # umask 077 # ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp # Crack nice 5 /root/unshadp # CrackReporter Results in ~/run directory Locations: /usr/share/john ; /usr/libexec/john Quick start commands: # umask 077 # unshadow /etc/passwd /etc/shadow > /root/unshadp # john [--rules --wordfile=FILE] /root/unshadp Results in ~/john.pot
John the Ripper
A.Davous, 01/02/2009
ROOT PASSWORD RECOVERY

To show importance of physical access Grub bootloader must have timeout (/boot/grub/menu.lst) suppress it (0) or set a password to bootloader
Simplest procedure using single user mode case of Fedora 10 When Grub screen, edit current boot line (e) Edit kernel line (e) by adding single at end (single user mode) Save and boot (b) Command passwd can be entered with root privileges to reset root password
A.Davous, 17/09/2008 Solaris vs. Linux 23
Sun xVM VirtualBox - 1

VirtualBox release 2.1.2 found at www.virtualbox.org (accept installation of USB and network drivers) Host and guest concepts, see manual Guest additions concept Fedora 10 found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso, 32 bits although 64 supported by xVM, English edition, installable Live CD)
A.Davous, 01/02/2009
24

Installation procedure (example is Fedora) New machine ; choose OS, select memory size (2 GB but less than host !), add virtual disk (fixed, 10 GB). Mount OS ISO local file as CD/DVD-ROM Start !... (ignore both messages no additions installed yet) When started, use Install on hard disk icon. Select French keyboard. Shut down, unmount CD/DVD and restart. Upgrade system and application packages (Yum). Install dkms package (Dynamic Kernel Module Support Framework). Install GNU make, gcc packages. Mount Guest Additions ISO with Devices, Install Guest Additions xVM menu. Run Suns script (cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run) Restart.
A.Davous, 01/02/2009

Installation procedure particularities for Debian 4 Installation of small image via Internet. Disk partitioning without LVM, one root partition. Desktop and system packages. Synaptic Package Manager used for package installation : make, gcc and kernel headers (linux-headers-2.6.18-6 and linuxheaders-2.6.18-6-686 ; check release with command uname a).
A.Davous, 01/02/2009
26
REMOTE ACCESS TO SYSTEM

Xming XLaunch utility But otherwise, X specific, exporting display : Run your X server on PC (nothing required if PuTTY used because X protocol is SSHd encapsulated - port 22 ; otherwise, ports XDMCP 177 and 6000 should be opened) Then, on client : setenv DISPLAY server:0.0 echo $DISPLAY Putty
A.Davous, 01/02/2009
27
USEFUL LINKS
http://www.dwheeler.com/secure-programs/ www.cpan.org http://www.sun.com/software/security/jass http://www.digilife.be/quickreferences/quickrefs.htm
Secure Programming for Linux and Unix HOWTO Perl packages and more Suns JASS Solaris Security Toolkit Quick Reference Cards useful for those related to Unix CERT Security information AusCERT Unix and Linux Security Checklist v3.0 RADCOM protocols.com web site (protocols map)
http://www.cert.org/cert/ http://www.auscert.org.au/5816 http://www.protocols.com/pbook/tcpip1.htm#MAP
A.Davous, 01/02/2009
28
WORTH READING
Unix System Administration Handbook Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein Prentice Hall Essential System Administration Aeleen Frisch OReilly TCP/IP illustrated Richard Stevens TCP/IP Network Administration Craig Hunt OReilly
A.Davous, 01/02/2009
29
WINDOWS TOOLS USED DURING THIS SESSION

Wireshark (prev. Ethereal), network protocol analyzer PuTTY, SSH client Xming, PC X server VirtualBox, virtualization EasyBCD, Windows Vista bootloader utility Apache JMeter, HTTP workbench
http://www.wireshark.org
http://www.chiark.greenend.org.uk/~sg
http://www.straightrunning.com/Xming
http://www.virtualbox.org/
http://neosmart.net/ http://jakarta.apache.org/jmeter/
A.Davous, 01/02/2009
30

Unix System Security and Advanced Administration: (Sécurité Système Sous Unix Et Administration Avancée)

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Unix System Security and Advanced Administration: (Sécurité Système Sous Unix Et Administration Avancée)

Uploaded by

Copyright:

Available Formats

UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION

(SCURIT SYSTME SOUS UNIX ET ADMINISTRATION AVANCE)

Unix Security Advanced Admin

Unix Security Advanced Admin

Unix Security Advanced Admin

FOR INFORMATION UNIX RELEASES

AT&T Labs Unix Berkeley BSD Unix System V

Solaris 1.0 (= SunOS 4) FreeBSD, OpenBSD

Linus Torwalds Linux

Slackware ; Debian Kernel 1.0 stable RedHat

Kernel 2.4 Fedora Core Kernel 2.6

Unix Security Advanced Admin

REMINDER UNIX MANDATORY

Unix Security Advanced Admin

Try to stop or degrade service

Test with list of most current words

MALICIOUS PROGRAMS (MALWARES)

Unix Security Advanced Admin

SECURITY KEY CONCEPTS

RISKS AND STRATEGY

Unix Security Advanced Admin

SOME TABLE LAWS

Unix Security Advanced Admin

DAEMONS, SERVERS, SERVICES

Unix Security Advanced Admin

WELL KNOWN DAEMONS

Boot PROM Solaris SPARC

ROM BIOS Linux (Fedora Core)

MBR of ROM boot BIOS device Boot loader

Kernel loading and initialization Device configuration

Execution of startup scripts

touch /RECONFIGURE Device configuration touch /RECONFIGURE

Device detection and config.

Device detection and configuration

Exec. of startup scripts

Multiuser mode Multiuser mode

Solaris vs. Linux

PASSWORD CRACK TOOLS

John the Ripper

ROOT PASSWORD RECOVERY

Sun xVM VirtualBox - 1

Unix Security Advanced Admin

Sun xVM VirtualBox - 2

Sun xVM VirtualBox - 3

Unix Security Advanced Admin

REMOTE ACCESS TO SYSTEM

Unix Security Advanced Admin

http://www.cert.org/cert/ http://www.auscert.org.au/5816 http://www.protocols.com/pbook/tcpip1.htm#MAP

Unix Security Advanced Admin

Unix Security Advanced Admin

WINDOWS TOOLS USED DURING THIS SESSION

Unix Security Advanced Admin

You might also like