Old Linux Security Talk

Linux Security, Tanner Lovelace, 15-March-2000 (33 slides)

Uploaded by tanner-lovelace, posted 06-May-2015.

DESCRIPTION

This was a presentation I gave back in 2000 on Linux Security. Even though some of it is definitely dated there's still some relevant stuff in it since security is mainly common sense stuff.

TRANSCRIPT

Slide 1: Linux Security

Tanner Lovelace

15-March-2000

Slide 2: Outline

• What do we mean by security?
• What do we want to accomplish with our security?
• Types of security
• What do you do if you get cracked?
• Summary
• Questions

Slide 3: What is Security?

"A computer is secure if you can depend on it and its software to behave as you expect." -- Practical Unix & Internet Security, p.6.

Slide 4: A different definition...

Security is being able to keep your system safe from misuse by unauthorized users...

Slide 5: Outline (now on: What do we want to accomplish with our security?)

Slide 6: Initial Questions

• What level of threat do you have to protect against?
• What risks should you take?
• How vulnerable is your system as a result of those decisions?

Slide 7: More Questions...

• What are you protecting?
• Why are you protecting it?
• What value does it have?
• How long would it take to retrieve/recreate any lost data?
• How secure is secure enough?

Slide 8: Outline (now on: Types of security)

Slide 9: Three Aspects of Security

• Physical Security
• System Security
• Network Security

Slide 10: Physical Security

• Home systems
  – Keep your doors locked. :-)
  – Locked cabinets, cables, etc…
• Laptops
  – Never leave your laptop unattended
  – If you're worried, consider a small travel alarm

Slide 11: Physical Access Security

• BIOS passwords
• Boot loader passwords
• Screensaver passwords
  – xlock, vlock, etc...

Slide 12: System Security

• Backups, backups, backups
• Choosing good passwords
• Correct file permissions
• Don't have too many users
• Don't log in as root!

Slide 13: Backups

If something is critical there should be more than one copy of it somewhere.

• Many different ways to make backups
  – Floppy disk
  – Zip disk
  – Tape
  – CD-R

Slide 14: What's your password?

• Passwords should not be easy to guess
  – Names (especially your own), places, pets are bad
  – Word combinations or acronyms are much better
    » Ex. misc*NSA
  – Short is bad, longer is better
  – Make use of the fact that passwords are case sensitive
    » gooD*paSSWord != Good*Password

Slide 15: Keeping Your Password Safe

• Make sure your passwords are not easily accessible.
  – Never leave an unencrypted password anywhere
  – Never give your password to anyone
  – Use shadow passwords
  – Never send your password over the network unencrypted
    » Use ssh instead of telnet or rsh/rlogin

Slide 16: File Permissions

• The set-UID bit lets a program run as the user who owns it.
  – This can be bad news if a program is owned by root and doesn't need to run as root.
• Some programs legitimately need this (e.g. X, sendmail)
• Check permissions regularly on suspicious files and note when something changes.

Slide 17: How do I check if a file is SUID root?

• How do you check if something is SUID root?

  % ls -l <filename>
  -rwsr-xr-x root <filename>

  (the "s" in the owner's execute position is the set-UID bit)

• How do you change something to be not suid root?

  % chmod u-s <filename>

• How do you check all your files?

  % find / -perm +u+s -uid 0 -print

  (current GNU find no longer accepts the "+mode" form; use -perm /u+s or -perm -4000 instead)
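The two checks on this slide (list set-UID files, then notice when the set changes) combined into one audit script. This is an added example, not code from the talk; it assumes a POSIX shell with find, ls, awk, sort and diff, uses -perm -4000 in place of the slide's -perm +u+s, takes the owner uid as a parameter so it can be tried on a scratch directory, and the function names and the demo tree are mine.

```shell
#!/bin/sh
# Added example: snapshot setuid files owned by a given uid under ROOT and
# diff later snapshots against the first one, so a new or altered setuid
# binary is noticed. Assumes POSIX sh plus find, ls, awk, sort and diff.

# Print "mode uid path" for every setuid file owned by UID under ROOT.
# -perm -4000 is the portable spelling of the slide's "-perm +u+s";
# -user accepts a numeric uid as well as a name (GNU and BSD find).
snapshot_setuid() {
    find "$1" -xdev -type f -perm -4000 -user "$2" -exec ls -ln {} \; 2>/dev/null |
        awk '{ print $1, $3, $NF }' | sort
}

# Compare the current snapshot with BASELINE (created on the first run).
# Returns 0 when nothing changed, 1 (and prints the diff) when a setuid
# file was added, removed, or changed mode or owner.
check_setuid_baseline() {
    root="$1"; uid="$2"; baseline="$3"
    current=$(snapshot_setuid "$root" "$uid")
    if [ ! -f "$baseline" ]; then
        printf '%s\n' "$current" > "$baseline"
        echo "baseline written to $baseline"
        return 0
    fi
    changes=$(printf '%s\n' "$current" | diff "$baseline" - || true)
    if [ -n "$changes" ]; then
        echo "setuid files changed since baseline:"
        printf '%s\n' "$changes"
        return 1
    fi
    echo "no change in setuid files"
    return 0
}

# Constructed demo tree: one setuid script and one plain file, owned by the
# caller, so the functions can be exercised without root.
make_demo_tree() {
    mkdir -p "$1"
    printf '#!/bin/sh\necho demo\n' > "$1/suid_tool"; chmod 4755 "$1/suid_tool"
    printf 'not setuid\n' > "$1/plain_file";          chmod 0644 "$1/plain_file"
}

# Real use on a system: check_setuid_baseline / 0 /var/lib/setuid.baseline
if [ "$#" -eq 3 ]; then
    check_setuid_baseline "$1" "$2" "$3"
fi
```

Run it from cron after the first (baseline) run and treat any non-zero exit as something to look at; keep the baseline file somewhere an intruder cannot rewrite along with the binary.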

Slide 18: Users

• If someone never uses your machine, don't give them an account.
• Unless there is a need, don't set up a guest account.
  – This is one of the most common ways of gaining unauthorized access.
• Always make sure there is at least one normal user account and use that for everything you do.

Slide 19: Never Log in as Root!

• Repeat after me...
  – Never log in as root!
  – Never log in as root!
  – Never log in as root!
• If you need to do something that requires root privileges, use the su command
  – If you just need to do one thing, use:
    » su -c <command>

Slide 20: Network Security

Network security is the hardest thing to get right and the easiest thing to exploit.

• Guidelines
  – Only run the minimum network services you need
  – Set up some network filters

Slide 21: Services

• A network service is a program that runs all the time and responds to requests from the network.
  – Sendmail, Apache, Finger, Talk, POP, Telnet, Ftp, ...
• Identify which services you need to run and turn everything else off
  – e.g. a local home machine doesn't need to run a POP e-mail server
• Some don't run all the time, but are started by a "superserver" called inetd.

Slide 22: Inetd

• Inetd listens on many different ports and when it hears a connection it starts up the appropriate service.
• Keeps memory requirements low because services only run when needed.
• Makes it easy to turn off services
  – Just comment them out in /etc/inetd.conf.

Slide 23: inetd.conf

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
#comsat dgram udp wait root /usr/sbin/tcpd in.comsat
#talk dgram udp wait root /usr/sbin/tcpd in.talkd
#ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
#dtalk stream tcp wait nobody /usr/sbin/tcpd in.dtalkd
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd

(each line is: service socket-type protocol wait/nowait user server-program [args]; a leading # disables the entry)
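A small audit of an inetd.conf in the format shown on this slide: it lists what is actually enabled and the user it runs as, and flags anything not on an allow list, which is the "identify which services you need and turn everything else off" step made checkable. Added example, not from the talk; it assumes POSIX sh and awk, the function names are mine, and the sample file is constructed from the slide's entries.

```shell
#!/bin/sh
# Added example: read an inetd.conf, list the services that are actually
# enabled (not commented out) with the user they run as, and flag any that
# are not on an allow list. Assumes POSIX sh and awk.
#
# inetd.conf fields: service socket-type protocol wait/nowait user server [args]

# Print "service user" for every active entry.
enabled_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1, $5 }' "$1"
}

# Print active services missing from the space-separated ALLOW list.
# Returns 1 if any were found (something to turn off), 0 otherwise.
audit_inetd() {
    conf="$1"; allow=" $2 "
    unexpected=$(awk -v allow="$allow" \
        '$1 !~ /^#/ && NF >= 6 && index(allow, " " $1 " ") == 0 {
             print $1 " (runs as " $5 ")" }' "$conf")
    if [ -n "$unexpected" ]; then
        echo "enabled in $conf but not on the allow list:"
        printf '%s\n' "$unexpected"
        return 1
    fi
    echo "only allowed services are enabled in $conf"
    return 0
}

# Constructed sample modelled on the slide: ftp and telnet enabled, the
# r-services and mail servers commented out.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
EOF
}

# Real use: audit_inetd /etc/inetd.conf "ftp"
```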

Slide 24: Standalone services

• Apache
• Sendmail
• Linuxconf
• NFS

Consult your documentation on how to turn these services off.

Slide 25: Setting up Network Filters

• IPChains
  – Allows you to specify what kind of packets you want to accept and what kind you want to reject.
  – Examples
    » You probably don't want someone remotely accessing your NFS ports.
    » You probably don't want to accept packets that claim to be from your local network that come from a remote port.
  – Finding the right combination of rules can be hard.

Slide 26: Lokkit

• Written by Alan Cox
• Helps configure correct firewall rules

http://www.linux.org.uk/apps/lokkit.shtml

Slide 27: Outline (now on: What do you do if you get cracked?)

Slide 28: If you discover you're in the process of being cracked right now!

• Unplug your network/modem connection immediately
• Make backups of your system logs
  – Use them to discover what the intruder did
• Check your /etc/passwd file for an account, besides root, with a uid of 0.
• If you can afford to...
  – Reformat your drive and reinstall the OS.
• Don't reconnect your network until you are sure the intruder can't get back in.

Slide 29: If you discover that you were cracked

• Unplug your network/modem connection
• Make backups of your system logs
  – Use them to discover what the intruder did
• Check your /etc/passwd file for an account, besides root, with a uid of 0.
• If you can afford to...
  – Reformat your drive and reinstall the OS.
• Don't reconnect your network until you are sure the intruder can't get back in.
• Hmm... I think I have a sense of deja vu... :-)
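The /etc/passwd check from slides 28 and 29 (a second account with uid 0), plus the "use shadow passwords" point from slide 15, as a script that can be run against a copy of the file. Added example, not from the talk; it assumes POSIX sh and awk, the function names are mine, and the sample password file is constructed rather than taken from any real system.

```shell
#!/bin/sh
# Added example: the post-incident check from the slide (an account other
# than root with uid 0) plus the "use shadow passwords" advice from slide 15,
# run against a password file. Assumes POSIX sh and awk; the sample file is
# constructed, not taken from any real system.

# Print every account name other than root whose uid (field 3) is 0.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose password field (field 2) is empty, so no password is
# needed, or holds a real hash instead of the shadow marker "x" or a lock
# marker ("*" or "!..."), so the hash is readable by every local user.
unshadowed_accounts() {
    awk -F: '$2 == "" { print $1 " (empty password)"; next }
             $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 " (hash in passwd)" }' "$1"
}

# Run both checks; returns 1 if either found something.
passwd_audit() {
    found=$(extra_uid0_accounts "$1"; unshadowed_accounts "$1")
    if [ -n "$found" ]; then
        echo "problems in $1:"
        printf '%s\n' "$found"
        return 1
    fi
    echo "no uid-0 duplicates or unshadowed entries in $1"
    return 0
}

# Constructed sample: a second uid-0 account, an empty password, and a
# hash left in the passwd file.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
demo:x:1000:1000:Demo User:/home/demo:/bin/bash
toor:x:0:0:second uid 0:/:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
legacy:$1$saltsalt$notarealhash:1002:1002:legacy:/home/legacy:/bin/sh
EOF
}

# Real use: passwd_audit /etc/passwd
```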

Slide 30: Outline (now on: Summary)

Slide 31: Summary of Good Security Practices

• Good security is mostly common sense.
• If you don't use something, don't run it.
• Always make sure your system has all the latest updates.
• Don't be afraid to ask questions and consult references.

Slide 32: Outline (now on: Questions)

Slide 33: Enough References to get started...

• Garfinkel, Simson & Gene Spafford, Practical Unix and Internet Security, 1996, O'Reilly & Associates, Inc.
• "Linux Security HOWTO" (http://www.linuxdoc.org/HOWTO/Security-HOWTO.html)
• Lokkit (http://www.linux.org.uk/apps/lokkit.shtml) or (ftp://ftp.linux.org.uk/pub/linux/alan/Lokkit/)
• Many others… (see your favorite search engine)