Security Issues in HP-UX and Linux
description
Transcript of Security Issues in HP-UX and Linux
chep2000 kwang paick 1
Security Issues in HP-UX and Linux
Kwang H. [email protected]
Prairie View A&M University
chep2000 kwang paick 2
Common Attacks
• Physical access• Access to the command line• Network access
chep2000 kwang paick 3
Security Setup
1. Physical security2. File and Directory Permission3. User Accounts4. Log Files5. Correct network configuration
chep2000 kwang paick 4
I. Physical Security
• Physical access• BIOS and Console Passwords• Anti-theft devices
chep2000 kwang paick 5
Most Unix systems are not secured because
• Default installation includes a wide range of vulnerabilities
• Software patches are not installed, and• Systems are not well maintained
chep2000 kwang paick 6
II. File and Directory PermissionsHP-UX systems contain > 20,000 in 10.20 The most common permission problems are write
access for group or other on almost any file or directory in the base installation
Some files and directories require group or other ‘write’ permissions
e.g. Temporary directories (group and others)Spool directories for the lpr system must be group writeable
chep2000 kwang paick 7
Common Permission ProblemsThe number one problem has been ownership
of the /etc directory by bin• the /etc directory must be owned by root,
and writable only be the owner• HP-UX systems allow bin to own many
other directories as well (only 48 out of 1200 directories were not owned by bin
chep2000 kwang paick 8
HP-UX and ACLsHP-UX includes the ability to provide a finer degree of
access control through access control listsA user-group pair is written as user group• The symbol % represents no particular user or group; (u.g, rwx) specific user, specific group(u.%, rwx) specific user, no specific group(%.g, rwx) no specific user, specific group(%.%, rwx) no specific user, no specific group
chep2000 kwang paick 9
HP-UX and ACLs• Most backup utilities ignore the ACL information for
compatibility with POSIX standards• Only the fbackup and frecover file archive utilities
handle access control lists properly• Change ACLs with the chacl command
-rw-r--r-- -rw-r--r--+ lsacl xx(lon.%,rw-)(don.%,rw-)(%.hep,r--)(%.%,r--) xx
ACLs are rarely used.
chep2000 kwang paick 10
III. User Accounts
User accounts must be maintained correctly• The accounts’ database must be checked for correctness
• New accounts must be monitored, and old accounts disabled
• Accounts with unusual user-ids checked• User home directories correctly configured• Passwords “checked” and protected
chep2000 kwang paick 11
/etc/passwd
Must be readable by all , but writable only be the root• Any account with the user id of zero is granted root’s
privileges• The home directory should exist, be owned by the
user, and not writeable by group or other• The use of temporary directories as the home directory
is a scurity problem• The COPS tool can check the existence, ownership and
permission of each home directory
chep2000 kwang paick 12
Home DirectoryShell startup files must specify a safe PATH:• System directories before any local directries• DOT last if present in PATH ( makes Trojan horses less effective)
• root PATH– Never have DOT in root’s PATH– never includes writable directories in search path
• umask– user’s default umaks 033– root’s umaks 077
chep2000 kwang paick 13
Home Directory
Dangerous startup files permitted• A .rhosts file permits user to control who may log into their account remotely via the “r” commands
• The .netrc files contain unencrypted passwords for remote logins.
COPS and TIGER check for these problems, as do commercial tool
chep2000 kwang paick 14
Shadow Password
A goal in many attacks is to get a copy of the encrypted passwords in the /etc/passwd file
These attacks can be foiled by moving the encrypted passwords into a different file, only readable by the root
These files have the generic name shadow password files
chep2000 kwang paick 15
Shadow Password
Some versions of UNIX come with shadow files, others must be converted
Solaris use /etc/shadow by default
•Linux uses /etc/shadow after conversion • Pwconv-merge old /etc/passwd records into a new shadow
database• Pwchk- verification and synching between /etc/shadow
and /etc/passwd• Pwuncov- back to /etc/passwd
chep2000 kwang paick 16
Shadow Password
Arguments against Shadowing Makes account management more difficult, as
the /etc/passwd file can no longer just be edited account information gets scattered among many
files if converted Crashing an FTP server can reveal the shadowed
passwords in the core file
chep2000 kwang paick 17
IV. Log Files
Need to know where they are and what they contains
check permissions and ownershipsee how often they are rotated/truncatedmonitor logfile contentsArchive important logs
chep2000 kwang paick 18
Log Files
The wtmp files log user login, logout, date changes, start or stop of system accounting, reboots
•/etc/wtmp•/var/adm/wtmp--10.20, old Linux•var/log/wamp --- Linux
chep2000 kwang paick 19
Log Files
Effect of su command on /var/adm/wtmp•When su was used, it creates a new process with both the process's real UID and effective UID altered.
•su does not change /var/adm/wtmp file, and finger command will continue to display the account to which you logged in, not the one that you su'ed to.
chep2000 kwang paick 20
Log Files: wtmp files
•Grow until no space •Pruning the wtmp file
zero the log file•rm /var/adm/wtmp.old•ln /var/adm/wtmp.old /var/adm/wtmp•cp /dev/null /var/adm/wtmp
chep2000 kwang paick 21
Log Files
•Hack Tools– Hacker tools(zap) delete entries matching a user
name by replacing the record with nulls
•There are also zap detectors – chkwtmp at COAST
chep2000 kwang paick 22
Log Files:Last Login
lastlog file•/va/log/lastlog Linux•/usr/sbin/acct/lastlog 10.20lastlogin - keep record of date each person last logged in"
bug - the date shown is usually 1 more than it should be because lastlogin is run at 4am and checks the last 24 hrs worth of process accounting info (in pacct)"
chep2000 kwang paick 23
Log Files:Bad Login
Bad login attemptsThe trouble is that these logs often contain passwords
Look for /etc/btmp on HP-UXMake certain that these files are readable only by the root, if they exist
chep2000 kwang paick 24
Log Files:su Login
UNIX systems will always log the use of the su command
•Located in /var/log• /var/adm/sulog (10.20)• /var/adm/messages
chep2000 kwang paick 25
Log Files:su Login
SU 01/31 20:08 + tty?? root-lonSU 02/01 14:56 + tty?? root-danSU 02/01 16:06 + ttyp2 dan-kwangSU 02/01 16:06 - ttyp2 babar-rootSU 02/01 16:06 + ttyp2 babar-rootSU 02/01 16:28 + tty?? root-babar
These logs are useful to both attackers and defenders:
Attackers can learn who knows the root password Defenders can learn the same thing
chep2000 kwang paick 26
sudo
Allows select users to execute specified commands as root
e.g. eject, mount, reboot, adding new acct
prevent possible errorsmeans for accountability
/etc/sudoers
chep2000 kwang paick 27
Log Files:Syslog
The system logdaemon, or syslogd, appears in most UNIX systems
Newer versions of syslog will ignore messages sent from the network by default
Use the –l flag to enable this behaviour on BSD The –r flag is used with Linux
mail.debug /var/adm/syslog/mail.log*.info;mail.none /var/adm/syslog/syslog.log
chep2000 kwang paick 28
Log Files:Syslog
Feb 1 17:50:38 hp73 /sbin/init.d/sendmail[1119]: #### rebooted ####• Feb 2 09:24:03 hp73 sendmail[2272]: JAA02272: from=wu, size=9112,
class=0, pri=39112, nrcpts=1, msgid=<[email protected]>, relay=wu@localhost
• Feb 2 14:16:25 hp73 sendmail[22105]: OAA22104: to=<[email protected]>, ctladdr
• =<[email protected]> (207/20), delay=00:00:34, xdelay=00:00:33, mailer=smtp,
• relay=bayou.uh.edu. [129.7.1.7], stat=Sent (OAA06943 Message accepted for delivery)
• Feb 2 14:43:13 hp73 popper[22159]: (v2.1.4-R3) Servicing request from "129.207.217.28" at 129.207.217.28
• Feb 2 14:43:41 hp73 popper[22159]: Stats: kwang 0 0 78 1096568
chep2000 kwang paick 29
V. Network Configuration
Any server is a potential hole.• ‘r’ commands• public services:
– poorly configured anonymous FTP servers– mail servers– older version of Linux – web servers
chep2000 kwang paick 30
Network Configuration
Protecting Data in Transit•Replace telnet, rlogin, rsh and rcp with
ssh, slogin, ssh, scp•Secure Shell-ssh use latest version
– http://www.slac.stanford.edu/comp/unix/ssh.htm
chep2000 kwang paick 31
Network Configuration
Anonymous FTPdirectory permission• ftp 555 with root ownership.. users to read and execute• /ftp/bin 555 with root ownership• /ftp/bin/ls 111 with root ownership…users to execute only• /ftp/etc 555 with root ownership• /ftp/etc/passwd
444 with root ownership. Users to read-only access
chep2000 kwang paick 32
Network Configuration:FTP
• FTP bounce attack• Erroneous file permissions• The SITE EXEC bugcreate restricted FTP access• /etc/ftpusers—restricted users access file—
name appears—denies• etc:bin, daemon, room, uucp,..• /etc/ftpaccess—core configuration file
chep2000 kwang paick 33
Network Configuration
ftphosts—used to allow or deny access to certain accounts from various host
• ( wild card supported• allow [username] [host or host pattern]• deny [username] [host or host pattern]• allow doe *.xyz.com• deny doe *.abc.com
alternative is to use SSLftp-Secure Sockets Layer--- current version is 0.8
chep2000 kwang paick 34
Network Configuration:SMTP
Trust everyone;•Protect the server from penetration•Protect smtp service from misuse, such as outsiders exploiting your mail server to send spam or fake mail
•Current version 8.9.3– earlier version—update ASAP
chep2000 kwang paick 35
Network Configuration:SMTP
To check sendmail version: telnet to port 25 and vew
• telnet abc.xyz.edu 25• .• .• 220 abc.xyz.edu ESMTP 8.9.3/8.9.3; -- version number
chep2000 kwang paick 36
Network Configuration:SMTP
Several places recommended replace sendmail with Qmail
• ftp://moni.msci.memphis.edu/pub/qmail• developer offered a $1,000 reward to anyone who could break Qmail.
– Sendmail offers high-powered SMTP service and excellent compatibility with existing UNIX utilities.
– Qmail strives to be small, fast and secure
chep2000 kwang paick 37
TOOLS
Security tool that detects system vulnerabilities• COPS-The computer Oracle and Password System
Port based scanner• SATAN (Security Administrator's Tool for Analyzing Networks
• ISS-Internet security Scanner
– faster than Satan; less information• SAINT-Security Administrator's Integrated Network Tool
– updated version of SATAN
chep2000 kwang paick 38
References
Defending against Scanner Attacks• Courtney-SATAN and SAINT Detector
Sites with Defensive software• COAST:
• ftp//coast.cs.purdue.edu/pub/tools• http://www.cs.purdue.edu/coast/archive/
Archive_indexing.html• NIST:http://cs-www-ncsl.nist.gov/tools/tols.htm
chep2000 kwang paick 39
References
• NIH htttp://www.alw.nih.gov/Security/prog-full.htm• CIAC
– ftp://ciac.llnl.gov/pub/ciac/sectools/unix– http://ciac.lnl.gov/ciac
• CIRT– http://www.cert.org
• FIRST http://www.first.org• Trinux tools http://www/trinux.org
chep2000 kwang paick 40
References
• HP-UX support:– http://us-support.external.hp.com– [email protected] for bulletins
• Linux Security News– http://security.linuxtoday.com
• Redhat support– http://www.redhat.com/support/errata
• UNIX support– http://www.usenix.rg
chep2000 kwang paick 41
References
Books– S. Garfinkle, G. Spafford, Practical UNIX Security,
O’Reilly & Associates, Sebastopol, CA 1996, 2nd ed.– Anonymous, Maximum Linux Security, SAMS, Indianapolis, IN
1999
chep2000 kwang paick 42
Monitor SUID and SGID Files– SUID and SGID Files
• two speciial file permissions:
• SGID (set group ID, octal 2000 or S)• SUID (set user ID, octal 4000, or s)
• find / -perm +4000• owner’s permission are enforced even when other users
executed them.