Lesson 15-Unix Security Issues


Page 1: Lesson 15-Unix Security Issues

Lesson 15-Unix Security Issues

Page 2: Lesson 15-Unix Security Issues

Overview

Set up the system.

Perform user management.

Perform system management.

Page 3: Lesson 15-Unix Security Issues

Set up the System

Applying patches and disabling unused default services by modifying the system's configuration files can help avoid common vulnerabilities.

Page 4: Lesson 15-Unix Security Issues

Set up the System

Startup files.

Services to allow.

System configuration files.

Patches.

Page 5: Lesson 15-Unix Security Issues

Startup Files

Unix systems configure themselves when they boot using the appropriate startup files.

Unix systems start services by utilizing /etc/rc2.d (Red Hat) and /etc/rc.d/rc2.d (Solaris).

Services generally started by these startup files include inetd, NFS, NTP, routed, RPC, Sendmail, and Web servers.

Page 6: Lesson 15-Unix Security Issues

Services to Allow

The inetd.conf file controls startup of services such as FTP, telnet, and some RPC services.

Administrators should go through startup files and disable any service that is not needed for operations.

The default services in inetd.conf that should be turned off are chargen, discard, echo, finger, netstat, rexd, routed, rquotad, rusersd, sprayd, systat, tftp, uucp, and walld.
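As an added example (not part of the original slides), the script below audits an inetd.conf for the default services the slide lists and produces a copy with those entries commented out, so the change can be reviewed before it is installed. The inetd.conf content is constructed for the demonstration; the function names and the layout assumptions (one service per line, `#` comments) are this example's, not a vendor tool's.

```shell
#!/bin/sh
# Added example: audit /etc/inetd.conf for default services that should be off.
# Assumes the classic inetd.conf layout: one service per line, '#' starts a comment.

# Services the lesson says to turn off when not needed.
RISKY_SERVICES="chargen discard echo finger netstat rexd routed rquotad rusersd sprayd systat tftp uucp walld"

# Constructed sample inetd.conf (not copied from any real system).
SAMPLE_INETD_CONF='# Sample inetd.conf (constructed for the example)
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody /usr/sbin/in.fingerd  in.fingerd
echo    stream  tcp  nowait  root   internal
chargen dgram   udp  wait    root   internal
tftp    dgram   udp  wait    root   /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
daytime stream  tcp  nowait  root   internal'

# enabled_services FILE: print the service name of every uncommented entry.
enabled_services() {
    # drop comments (whole-line or trailing) and blank lines, keep the first field
    sed -e 's/#.*//' "$1" | awk 'NF > 0 { print $1 }'
    return 0
}

# risky_enabled FILE: print risky services that are still enabled, in file order.
risky_enabled() {
    for svc in $(enabled_services "$1"); do
        for risky in $RISKY_SERVICES; do
            if [ "$svc" = "$risky" ]; then
                echo "$svc"
            fi
        done
    done
    return 0
}

# count_risky FILE: number of risky services still enabled (0 means clean).
count_risky() {
    risky_enabled "$1" | awk 'END { print NR }'
}

# comment_out_risky FILE: print FILE with every risky entry commented out,
# leaving comments, blank lines and wanted services untouched.
comment_out_risky() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }
        ($1 in bad)           { print "#" $0; next }
                              { print }
    ' "$1"
}

# Stand-alone demonstration on the constructed sample.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_INETD_CONF" > "$demo"
echo "risky services still enabled: $(risky_enabled "$demo" | tr '\n' ' ')"
echo "--- hardened copy ---"
comment_out_risky "$demo"
rm -f "$demo"
```

On a real host the hardened copy would be diffed against the live file, installed, and inetd sent a HUP so it rereads its configuration; the audit can then be rerun to confirm the count is zero.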

Page 7: Lesson 15-Unix Security Issues

Services to Allow

SSH (Secure Shell) is a more secure connection method than telnet because SSH uses encryption while telnet operates in plaintext.

NFS is used to allow mounting of file systems by other systems. However, if NFS is not required, it should be disabled.

Page 8: Lesson 15-Unix Security Issues

Services to Allow

Systems in a DMZ are not protected by perimeter defenses such as firewalls and should be configured more securely at the host level.

TCP Wrappers can provide additional access controls and logging for services like telnet or FTP.

TCP Wrappers can be used on other services such as POP and IMAP.

Page 9: Lesson 15-Unix Security Issues

System Configuration Files

There are a number of changes that can be made to a Unix system's configuration files to increase the overall security of the system.

Login banners can be used to display legal statements before a user is allowed to log in.

Page 10: Lesson 15-Unix Security Issues

System Configuration Files

On Linux systems, two files are used for telnet banners:

/etc/issue

/etc/issue.net

The issue file is used for directly connected terminals, while issue.net is used when someone telnets into the system across the network.

Page 11: Lesson 15-Unix Security Issues

System Configuration Files

There are actually three steps to proper password management on a Unix system:

Setting up proper password requirements.

Preventing logins without passwords.

Establishing appropriate password content requirements.

Page 12: Lesson 15-Unix Security Issues

System Configuration Files

File access is controlled by file permissions on Unix systems and can be changed by using the chmod command.

The permissions used on Unix are read, write, and execute.

Solaris and Linux allow you to limit root login to the console.

Page 13: Lesson 15-Unix Security Issues

System Configuration Files

It is a good practice to restrict root logins to the console even for administrators.

Administrators should log in as themselves first and then use the su command to obtain root access or the sudo command to execute root commands.

Page 14: Lesson 15-Unix Security Issues

Patches

UNIX is no different from the Windows operating systems in needing patches to correct bugs and security issues in software.

Patches should be applied on a regular basis to remove these vulnerabilities.

The various UNIX vendors have been adding tools to assist in patch management.

Page 15: Lesson 15-Unix Security Issues

Perform User Management

Adding users to the system.

Removing users from the system.

Page 16: Lesson 15-Unix Security Issues

Adding Users to the system

Most Unix versions provide tools for adding users to the system. The key tasks are as follows:

Adding the user name to the password file.

Assigning an appropriate user ID number.

Assigning an appropriate group ID number.

Defining an appropriate shell for login.

Page 17: Lesson 15-Unix Security Issues

Adding Users to the system

Other key tasks are as follows:

Adding the user name to the shadow file.

Assigning an appropriate initial password.

Defining an appropriate electronic mail alias.

Creating a home directory for the user.

Page 18: Lesson 15-Unix Security Issues

Removing Users from the System

On a UNIX system, all user files are owned by the user's UID (user ID number).

If the user's UID is reused for a new account, that new account will hold ownership of all the old user's files.

Initially, when the user no longer needs the account, it should be locked.

After an appropriate amount of time (usually 30 days), the user's files can be removed.
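The password-management steps on page 11 and the user add/remove tasks on pages 16 to 18 come together in an account audit. The script below is an added example, not the slides' or any vendor's tool: it works on constructed passwd and shadow files, reports accounts with empty password fields, duplicate UIDs and extra UID 0 accounts, picks the next unused UID so an old UID is not handed to a new user, and locks an account the way `passwd -l` does (by prefixing the hash with `!`). The minimum regular UID of 1000 and all sample entries are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit constructed passwd/shadow files for the lesson's checks.
# Assumes the standard colon-separated layouts of /etc/passwd and /etc/shadow.

# Constructed /etc/passwd sample (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
toor:x:0:0:second uid 0 account:/root:/bin/sh
carol:x:1001:1003:Carol:/home/carol:/bin/sh'

# Constructed /etc/shadow sample; hashes are placeholders, bob has no password.
SAMPLE_SHADOW='root:$6$placeholderhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
alice:$6$placeholderhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
toor:$6$placeholderhash:19000:0:99999:7:::
carol:!$6$placeholderhash:19000:0:99999:7:::'

MIN_REGULAR_UID=1000   # assumption: UIDs below this are system accounts

# empty_password_accounts SHADOW: users whose password field is empty
# (these can log in without a password).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# locked_accounts SHADOW: users whose hash starts with "!" or "*".
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# uid0_accounts PASSWD: every account with UID 0; only root is expected.
uid0_accounts() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 + 0 == 0 { print $1 }' "$1"
}

# duplicate_uids PASSWD: "UID:user1,user2" for each UID shared by accounts.
duplicate_uids() {
    awk -F: '{
        seen[$3]++
        names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
    }
    END { for (u in seen) if (seen[u] > 1) print u ":" names[u] }' "$1" | sort -n
}

# next_uid PASSWD: one above the highest regular UID in use, so a new user
# never inherits files owned by a previous holder of that UID.
next_uid() {
    awk -F: -v min="$MIN_REGULAR_UID" '
        $3 + 0 >= min && $3 + 0 > max { max = $3 + 0 }
        END { print (max >= min ? max + 1 : min) }' "$1"
}

# lock_account SHADOW USER: print SHADOW with USER's hash prefixed by "!".
lock_account() {
    awk -F: -v OFS=: -v user="$2" \
        '$1 == user && $2 !~ /^!/ { $2 = "!" $2 } { print }' "$1"
}

# Stand-alone demonstration on the constructed samples.
p=$(mktemp); s=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$p"
printf '%s\n' "$SAMPLE_SHADOW" > "$s"
echo "accounts without a password: $(empty_password_accounts "$s" | tr '\n' ' ')"
echo "UID 0 accounts:              $(uid0_accounts "$p" | tr '\n' ' ')"
echo "duplicate UIDs:              $(duplicate_uids "$p" | tr '\n' ' ')"
echo "next free regular UID:       $(next_uid "$p")"
echo "after locking bob:           $(lock_account "$s" bob | locked_accounts /dev/stdin | tr '\n' ' ')"
rm -f "$p" "$s"
```

Locking first and deleting later matches the slide's sequence: the locked entry keeps the UID reserved, so the departed user's files stay attributable until they are reviewed and removed.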

Page 19: Lesson 15-Unix Security Issues

Perform System Management

Managing Unix systems consists of establishing appropriate logging and watching for suspicious activities.

Syslog, an extensive logging tool, is provided by most UNIX systems.

Solaris allows you to capture failed login attempts.

Hidden files can pose a problem in a UNIX system by allowing hackers to hide their files and activities.

Page 20: Lesson 15-Unix Security Issues

Perform System Management

If a system is put into promiscuous mode, it is capturing all packets on the wire.

The netstat command can be used to identify ports that are listening and active on the system.

Page 21: Lesson 15-Unix Security Issues

Perform System Management

One disadvantage of the netstat tool is that it cannot tell you which process is holding a port open.

Another disadvantage is that when an intruder successfully accesses a system, they may change files to allow continued access to the system.

Page 22: Lesson 15-Unix Security Issues

Perform System Management

Rootkits may install sniffers and commonly include binary replacements for the following programs: ftpd, inetd, login, netstat, passwd, ps, ssh, and telnetd.

To determine if a system file has been replaced, compare the checksum of a known good file to the current file.

If a system is suspected to have been compromised, recalculate the checksums and compare them to the originals.
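The checksum comparison described above, as an added example that is not part of the original slides: a baseline of SHA-256 sums for the programs the slide names is recorded from a known-good system, and a later run reports any watched program that is missing or whose sum has changed. It assumes GNU coreutils `sha256sum`; the directory and file names are parameters so the demonstration runs in a temporary directory with constructed files rather than against real system binaries.

```shell
#!/bin/sh
# Added example: checksum baseline and verification for rootkit-targeted binaries.
# Assumes GNU coreutils sha256sum is available.

# Programs the lesson names as common rootkit replacement targets.
WATCHED_PROGRAMS="ftpd inetd login netstat passwd ps ssh telnetd"

# make_baseline ROOT OUTFILE: record the sha256 of each watched program found
# under ROOT, one "hash  name" line per program, in sha256sum's own format.
make_baseline() {
    root=$1; out=$2
    : > "$out"
    for prog in $WATCHED_PROGRAMS; do
        if [ -f "$root/$prog" ]; then
            (cd "$root" && sha256sum "$prog") >> "$out"
        fi
    done
}

# verify_baseline ROOT BASELINE: print "name: missing" or "name: modified" for
# every watched program that no longer matches the baseline; silent if clean.
verify_baseline() {
    root=$1; base=$2
    while read -r sum name; do
        if [ ! -f "$root/$name" ]; then
            echo "$name: missing"
        else
            cur=$(cd "$root" && sha256sum "$name" | awk '{ print $1 }')
            [ "$cur" = "$sum" ] || echo "$name: modified"
        fi
    done < "$base"
    return 0
}

# Stand-alone demonstration with constructed stand-in files.
root=$(mktemp -d)
for prog in $WATCHED_PROGRAMS; do
    printf 'original %s\n' "$prog" > "$root/$prog"   # constructed content
done
base=$(mktemp)
make_baseline "$root" "$base"
echo "clean run, findings: [$(verify_baseline "$root" "$base" | tr '\n' ' ')]"
printf 'replaced\n' > "$root/ps"   # simulate a replaced binary
rm -f "$root/netstat"              # simulate a removed binary
echo "after tampering, findings: [$(verify_baseline "$root" "$base" | tr '\n' ' ')]"
rm -rf "$root" "$base"
```

The baseline only means something if it was taken before any compromise and stored where the host cannot alter it (read-only media or another system), and the verification run should use a checksum tool from trusted media, since a rootkit that replaces ps or netstat can just as well replace the tool used to check them.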

Page 23: Lesson 15-Unix Security Issues

Summary

Unix systems configure themselves when they boot using the appropriate startup files.

The inetd.conf file controls startup of several services such as FTP, telnet, and some RPC services.

Login banners can be used to display legal statements before a user is allowed to log in.

Page 24: Lesson 15-Unix Security Issues

Summary

Most Unix versions provide tools for adding users to the system.

Managing Unix systems consists of establishing appropriate logging and watching for suspicious activities.

Syslog, an extensive logging tool, is provided by most UNIX systems.