Unix Security Advanced Admin, Session 1 (Feb 7)



UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION

(French title: SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE)

A.Davous, 01/02/2009, Unix Security Advanced Admin, slide 1


FOREWORD

No absolute security as long as the system is accessed.

In system administration, the evil is in the details.

For questions, contact [email protected] with [ESGI] in the subject field; otherwise the mail will be considered spam by the server rules.

INTRODUCTION

- UNIX FLAVORS
- COMMON SENSE RULES OF SECURITY
- HOW SECURITY IS COMPROMISED
- UNIX DAEMONS, SERVICES AND SERVERS
- HANDS-ON : SUN VIRTUALBOX


WELL-KNOWN EXAMPLES

- Sendmail debug command mode: as sendmail runs setuid root, a user can run any command with root power (try sudo and vi!...)
- Command passwd -f: no control of the entered GECOS field, so a user can add any new line to the password file
- Buffer overflow is a variant: a user can execute shellcode (to get a root shell) previously saved at some memory address, in programs that accept any input without control (exploit)
- More generally, any software that does not control file ownership: you just have to link to any system file
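The last point above (software that does not check what it is writing to, so that a link to a system file is enough) is the classic symlink attack on a temporary or output file. Added example, not part of the course: a sh function, named safe_write here by assumption, that refuses to write through a symbolic link or into a file the caller does not own, and a private_tmpfile helper that replaces predictable temporary names with mktemp. The files it is exercised against are constructed.

```shell
#!/bin/sh
# Added example (not from the course). Defensive file writing in sh:
# refuse to write through a symbolic link or into a file owned by someone
# else, the two conditions a "link to any system file" attack relies on.

# safe_write TARGET: copy stdin to TARGET only if TARGET is absent, or is a
# regular file (not a symlink) owned by the calling user. Returns 1 otherwise.
safe_write() {
    target=$1
    if [ -L "$target" ]; then
        echo "refused: $target is a symbolic link" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        if [ ! -f "$target" ]; then
            echo "refused: $target is not a regular file" >&2
            return 1
        fi
        # find -prune -user tests ownership portably (no stat flag differences):
        # it prints the path only when the owner matches the current user
        me=$(id -un)
        if [ -z "$(find "$target" -prune -user "$me" -print)" ]; then
            echo "refused: $target is not owned by $me" >&2
            return 1
        fi
    fi
    # NOTE: the check and the write are still two steps; the window between
    # them is narrowed, not closed. A program should open with O_EXCL or
    # O_NOFOLLOW, or write only into a private directory (see private_tmpfile).
    cat > "$target"
}

# private_tmpfile: create a temporary file with a random name and mode 0600,
# the replacement for the predictable /tmp/program.$$ pattern.
private_tmpfile() {
    (umask 077 && mktemp "${TMPDIR:-/tmp}/example.XXXXXX")
}
```

The check-then-write sequence is still not atomic; what closes the race is opening with O_EXCL or O_NOFOLLOW inside the program, or writing only into a directory nobody else can write to, which is what private_tmpfile provides.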


FOR INFORMATION: UNIX RELEASES

Year   UNIX                  Solaris (from BSD & SysV)     Linux (from scratch)
1969   AT&T Labs Unix
1977   Berkeley BSD Unix
1983   System V
1991                         Solaris 1.0 (= SunOS 4)       Linus Torvalds: Linux
1992   FreeBSD, OpenBSD
1993                                                       Slackware; Debian
1994                                                       Kernel 1.0 stable; RedHat
1995                         Solaris 2.5 (= SunOS 5.5)
2000                         Solaris 8 (= SunOS 5.8)
2001                         Solaris 9 (= SunOS 5.9)       Kernel 2.4
2003                                                       Fedora Core; Kernel 2.6

A.Davous, 17/09/2008, Solaris vs. Linux, slide 5


FOR INFORMATION: UNIX FLAVORS

Unix time line: http://www.levenez.com/unix/

Linux distributions time line: http://futurist.se/gldt/gldt76.png

REMINDER: UNIX MANDATORY

- Read, and read again, the documentation: man, man -k, makewhatis -u
- vi: what else could be expected? vim too, but watch its configuration and security
- Shells: sh is the best choice for scripting, then tcsh or bash (current shell: ps)
- find, diff, touch, sort [-n], xargs
- grep, egrep, awk, Perl, expect


WELL-KNOWN ATTACKS

Name                       Category         Definition
Sniffing                   Network          Get information from network transactions
Spoofing or masquerading   Network          Take the identity of someone else
Denial of service          Network          Try to stop or degrade a service
Replaying                  Authentication   Replay an abusive authentication or transaction
Repudiation                Authentication   Reject an authentication or transaction
Spam                       Mail             Undesirable mail
Phishing                   Mail             Disguised mail to get confidential data
Hoax                       Mail             Joke with more or less consequences
Dictionary                 Password         Test with a list of the most current words


MALICIOUS PROGRAMS (MALWARE)

Name            Definition
Virus           Inserts malicious code on the machine
Worm            Separate process that exploits security holes in the network
Trojan horse    Malicious program disguised as something innocuous or desirable
Backdoor        Method to bypass normal authentication procedures
Rootkit         Software set installed to get abusive rights, install a backdoor and stay hidden
Spyware         Gathers information for commercial purposes
Key logger      Copies down the user's keystrokes
Exploit         Exploits a security breach of a software


SECURITY KEY CONCEPTS

- 3 security goals: confidentiality, integrity, availability
- 3 usual answers to threats: ignore, improvise, or try to over-secure
- Right answer: determine the field, identify and evaluate the cost of resources (financial, confidentiality or production), determine the security risks and strategy, monitor, upgrade


STRATEGIES

Strategies:
- Accept the threat but have a recovery plan
- Reduce the threat by appropriate means
- Transfer the threat to a vendor
- Bypass the threat by blocking access

Understanding is key:
- Example of mail user privilege
- Protect all layers: example of firewalls
- Reduce the exposed surface
- Protect, but also detect and answer: administrate!

Security is, or must be, part of: conception, operation and deployment


RISKS AND STRATEGY

Risks
- Human: malicious, but often from authorized users
- Technical: hardware (physical access), software
It is up to the sysadmin to decide what they are and the right level of protection

Strategy
- Security and comfort are a compromise
- Have a security policy, especially a recovery procedure


HOW TO DO

In-depth (passive) protection
- (Physical premises access)
- Network filtering
- Passwords
- Encryption
- Backup

(Active) security process
- Monitor and add corrections
- Full audit
- Upgrade


SECURED DESIGN

Open design or secret design debate (hidden flaws, issues discovered by the community, provocation to exploits)

Common breaches
- Least user access (chroot as a solution)
- Buffer overflow
- printf function (insert conversion keys into the string)
- Web programming (URL forging)
- Transactions, client/server (man-in-the-middle; encryption and hashing as solutions)


SOME TABLE LAWS

If someone can execute something on your computer, or if someone can modify your OS, or if someone can physically access your computer, it will not belong to you anymore.

As well, if someone can execute something on your web site, it will not belong to you anymore.

- Weak passwords lead to security breaches
- A system is as secure as the sysadmin wants it to be
- Encrypted data are as secure as the key used to encrypt them
- An anti-virus that is not updated is as useful as no anti-virus
- Anonymity is not useful, but confidentiality is
- Technology is not the be-all
- Security measures work well when they are simple to use for the sysadmin and transparent to users


REMINDER : PROCESSES

- Processes have four identities: real (for accounting) and effective (for access permissions) UID and GID; usually the same, except with the setuid or setgid bit set
- Command: ps
- Kinds of processes: interactive (controlled with &, ^Z, jobs), batch, daemons
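Added example, not from the course: the four identities seen from the shell with id, and a find-based listing of the setuid/setgid files that make real and effective IDs differ at exec time. The function names (show_identities, same_real_and_effective, find_setid) are assumed, and the files it is exercised on are constructed.

```shell
#!/bin/sh
# Added example (not from the course). The four process identities from the
# shell, and an audit of the files that make real and effective IDs differ.

# show_identities: print the real (accounting) and effective (permission)
# UID and GID of the running shell. They only differ inside a setuid/setgid
# program; a plain shell prints the same value twice.
show_identities() {
    printf 'ruid=%s euid=%s rgid=%s egid=%s\n' \
        "$(id -ru)" "$(id -u)" "$(id -rg)" "$(id -g)"
}

# same_real_and_effective: return 0 when no identity switch is in effect,
# the normal situation for an interactive shell.
same_real_and_effective() {
    [ "$(id -ru)" = "$(id -u)" ] && [ "$(id -rg)" = "$(id -g)" ]
}

# find_setid DIR: list regular files under DIR carrying the setuid (4000) or
# setgid (2000) bit. Run it against / periodically and diff the output
# against a saved baseline: a new entry is either an intended package change
# or a planted privilege escalation.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}
```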


DAEMONS, SERVERS, SERVICES

Daemon, server, service concepts
- Daemon: program not part of the kernel; a process that performs a specific function or system-related task
- Started at boot time or on demand

Specific system daemons
- init, the primordial process
- cron, which schedules commands
- inetd, which manages some of them


WELL KNOWN DAEMONS

Name                               Description
init                               First process
syslogd, rsyslogd                  Syslog logging
sendmail                           Mail MTA (Mail Transfer Agent)
lpd, lpsched                       Print scheduler
crond                              Cron process scheduler
getty, mingetty                    Terminal support
syncd, fsflush, bdflush, pdflush   Disk buffer management
pagedaemon, swapper, kswap         Swap management
inetd                              Main daemon to start on-demand TCP/IP services such as telnetd, ftpd, rshd; see /etc/inetd.conf
named                              BIND DNS name resolution
routed, gated                      TCP/IP routing daemons
dhcpd                              DHCP (Dynamic Host Configuration Protocol)
portmap, rpcbind                   Port service resolution for RPC (Remote Procedure Call)
nfsd                               NFS (Network File System)
smbd, nmbd                         Samba
httpd                              Apache HTTP server
timed, ntpd, xntpd                 NTP (Network Time Protocol)


init DAEMON

- First process to run after system boot; always has PID 1 and is the ancestor of all other processes
- After startup, init consults /etc/inittab (or, for BSD, /etc/ttys) to determine on which physical ports it should expect users to log in (getty processes, even though network daemons are largely used today, or xdm for the graphical interface)
- Also takes care of zombie processes (not running but still listed)
- init defines run levels (passed as argument to it from the boot loader): 0 to 6 and s (single-user)
- An additional layer is given by the startup scripts in /etc/init.d, linked to start and stop scripts in /etc/rcX.d


REMINDER : BOOTING, SHUTTING DOWN

Firmware and boot loader
- Solaris SPARC: Boot PROM (device detection); access with STOP-A; boot -s : single-user; boot -r : reconfigure; see ls -l /dev/rdsk/c0t0d0s0
- Solaris x86/64: ROM BIOS; MBR of boot device; boot loader (GRUB since 5.10, see /boot/grub/menu.lst)
- Linux (Fedora Core): ROM BIOS; MBR of boot device; boot loader (GRUB, see /boot/grub/menu.lst)

Kernel loading and initialization (all three)

Devices
- Solaris: device configuration, touch /reconfigure
- Linux: device detection and configuration

Execution of startup scripts
- Run levels (all three): level 0 : shut down (init 0) - level 1 or S : single user (init s) - level 6 : reboot (init 6)
- Solaris: scripts management none, or see 5.10; configuration in /etc/default
- Linux: scripts management with chkconfig; configuration in /etc/sysconfig

Multiuser mode (all three)

Shutdown
- Solaris: /usr/sbin/shutdown -g secs -i6 (reboot); /usr/sbin/shutdown -g secs -i0 (shut down); /usr/sbin/shutdown -g secs -iS (single user)
- Linux: /usr/sbin/shutdown -r secs (reboot); /usr/sbin/shutdown -h secs (halt); /usr/sbin/shutdown -f secs (skip fsck at next boot)


OTHER CONCEPTS

- Command dmesg
- Core dump: ulimit -c
- Path:
  - try not to modify the root profile PATH variable
  - do not set an empty entry or . in the PATH variable
  - in scripts (and configurations like cron), always use the full path for commands (as variables at the beginning)
- Disk quotas may be used to isolate an application (vs. their original purpose)
- vi and other editors: dump files feature
- History of shell commands
- who -r
- cp -p
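Added example, not from the course: a sh function (check_path, name assumed) that audits a PATH value for the mistakes listed above: empty entries and ".", both of which put the current directory in the search path, relative entries, missing directories, and world-writable directories where any user could drop a binary that shadows a real command. The values it is exercised with are constructed.

```shell
#!/bin/sh
# Added example (not from the course). Audit a PATH value for the mistakes
# listed on the slide: empty entries and "." (current directory), relative
# entries, missing directories and world-writable directories.

# check_path PATHVALUE: print one line per problem, return 1 if any was found.
check_path() {
    rc=0
    case "$1" in
        # a leading, trailing or doubled colon is an empty entry = current dir
        :*|*:|*::*) echo "empty entry (current directory) in PATH"; rc=1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -f                      # no pathname expansion while splitting on ':'
    for dir in $1; do
        case "$dir" in
            "")     ;;                                  # reported above
            /*)
                if [ ! -d "$dir" ]; then
                    echo "missing directory: $dir"; rc=1
                # -perm -0002: the "other write" bit is set on the directory.
                # -H follows a symlink given on the command line (e.g. /bin
                # pointing to usr/bin) so the real directory is examined.
                elif [ -n "$(find -H "$dir" -prune -perm -0002 -print)" ]; then
                    echo "world-writable directory: $dir"; rc=1
                fi ;;
            *)      echo "relative entry: $dir"; rc=1 ;;  # ".", "..", "bin"...
        esac
    done
    set +f
    IFS=$old_ifs
    return $rc
}
```

check_path is the test for an interactive profile; a script run from cron should not depend on the inherited value at all but set PATH explicitly on its first line and keep each command's full path in a variable, as the slide says.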


PASSWORD CRACK TOOLS

Usage of these tools is illegal on computers where you have not been explicitly authorized to do it. But it is recommended to test your own password files anyhow: crackers will do it with them.

Crack

Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin
Quick-start commands:

# umask 077
# ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
# Crack -nice 5 /root/unshadp
# CrackReporter

Results in the ~/run directory

John the Ripper

Locations: /usr/share/john ; /usr/libexec/john
Quick-start commands:

# umask 077
# unshadow /etc/passwd /etc/shadow > /root/unshadp
# john [--rules --wordfile=FILE] /root/unshadp

Results in ~/john.pot
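Crack and john are the active test; the passive check that goes with them is reading the hash field of each shadow entry, which finds the accounts a cracker would try first without cracking anything. Added example, not from the course: an awk-based sh function (audit_shadow, name assumed) run over a constructed shadow file whose hashes are placeholders, not real ones. It reports empty password fields (login without a password), traditional 13-character DES crypt hashes and MD5 crypt ($1$) hashes, and accepts locked accounts (! or *) and SHA-256/SHA-512 crypt ($5$, $6$).

```shell
#!/bin/sh
# Added example (not from the course). Passive audit of /etc/shadow hash
# fields: weak or absent hashes found by inspection, not by cracking.

# audit_shadow FILE: print "user: reason" for each weak entry, return 1 if
# any was found, 0 if the file is clean.
audit_shadow() {
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            user = $1; hash = $2
            if (hash == "")              { bad++; print user ": empty password field, login without password" }
            else if (hash ~ /^[!*]/)     { }  # locked or non-login account
            else if (hash ~ /^\$6\$/)    { }  # SHA-512 crypt
            else if (hash ~ /^\$5\$/)    { }  # SHA-256 crypt
            else if (hash ~ /^\$1\$/)    { bad++; print user ": MD5 crypt hash, rehash with SHA-512 at next password change" }
            else if (length(hash) == 13) { bad++; print user ": traditional DES crypt, 8-character limit and fast to crack" }
            else                         { bad++; print user ": unrecognised hash format, check manually" }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample shadow file (placeholder hashes, not real ones).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$examplesalt$PLACEHOLDERSHA512HASHVALUE000000000000000000000000000000000000000000:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
sync:!:17000:0:99999:7:::
legacy:ExAmPlEdEsHsh:17000:0:99999:7:::
olduser:$1$examplesalt$PLACEHOLDERMD5VALUE:17000:0:99999:7:::
guest::17000:0:99999:7:::
EOF
```

Run as root against the real file (audit_shadow /etc/shadow) with the same umask 077 habit the slide uses, since the output names accounts worth attacking.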


ROOT PASSWORD RECOVERY

To show the importance of physical access: the GRUB bootloader has a timeout (/boot/grub/menu.lst); suppress it (set it to 0) or set a password on the bootloader.

Simplest procedure, using single-user mode (case of Fedora 10):
- at the GRUB screen, edit the current boot line (e)
- edit the kernel line (e), adding single at the end (single-user mode)
- save and boot (b)
- the command passwd can then be entered with root privileges to reset the root password
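The mitigation named above is a GRUB password and no timeout. Added example, not from the course: a sh function (audit_menu_lst, name assumed) that checks a GRUB legacy menu.lst for both settings, run against two constructed fragments, one open and one hardened. The password hash in the hardened fragment is a placeholder; a real one comes from grub-md5-crypt, and the kernel path and root device are placeholders too.

```shell
#!/bin/sh
# Added example (not from the course). Check a GRUB legacy menu.lst for the
# two settings that close the single-user trick: a bootloader password and
# a zero timeout.

# audit_menu_lst FILE: print one line per missing setting, return 1 if any.
audit_menu_lst() {
    rc=0
    # "password --md5 <hash>" (hash from grub-md5-crypt) makes editing an
    # entry (e) or opening the command line (c) ask for the password first
    if ! grep -q '^[[:space:]]*password[[:space:]]' "$1"; then
        echo "no password line: anyone at the console can edit the kernel line"
        rc=1
    fi
    # accept both "timeout=5" (Fedora style) and "timeout 5"
    t=$(sed -n 's/^[[:space:]]*timeout[[:space:]]*=*[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -z "$t" ]; then
        echo "no timeout line: the menu waits for a keypress"
        rc=1
    elif [ "$t" -gt 0 ]; then
        echo "timeout=$t: the menu can be interrupted for $t seconds"
        rc=1
    fi
    return $rc
}

# Constructed menu.lst fragments (kernel path, root device and hash are placeholders).
WEAK_MENU=$(mktemp)
cat > "$WEAK_MENU" <<'EOF'
default=0
timeout=5
title Fedora
        root (hd0,0)
        kernel /vmlinuz-VERSION ro root=/dev/sda2
        initrd /initrd-VERSION.img
EOF

HARDENED_MENU=$(mktemp)
cat > "$HARDENED_MENU" <<'EOF'
default=0
timeout=0
password --md5 $1$PLACEHOLDER$NotARealGrubMd5CryptHash0000
title Fedora
        root (hd0,0)
        kernel /vmlinuz-VERSION ro root=/dev/sda2
        initrd /initrd-VERSION.img
EOF
```

A GRUB password stops editing of the boot entries from the console but not booting another medium; the BIOS boot order and password are the other half of the physical-access point the slide makes.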


Sun xVM VirtualBox - 1

- VirtualBox release 2.1.2, found at www.virtualbox.org (accept the installation of the USB and network drivers)
- Host and guest concepts: see the manual
- Guest Additions concept
- Fedora 10, found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso, 32 bits although 64 is supported by xVM, English edition, installable Live CD)

Sun xVM VirtualBox - 2

Installation procedure (example is Fedora)
- New machine; choose the OS, select the memory size (2 GB, but less than the host!), add a virtual disk (fixed, 10 GB).
- Mount the OS ISO local file as CD/DVD-ROM.
- Start!... (ignore both messages: no additions installed yet)
- When started, use the Install on hard disk icon. Select the French keyboard.
- Shut down, unmount the CD/DVD and restart.
- Upgrade system and application packages (Yum).
- Install the dkms package (Dynamic Kernel Module Support Framework).
- Install the GNU make and gcc packages.
- Mount the Guest Additions ISO with the Devices > Install Guest Additions xVM menu.
- Run Sun's script (cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run)
- Restart.


Sun xVM VirtualBox - 3

Installation procedure particularities for Debian 4
- Installation of a small image via Internet.
- Disk partitioning without LVM, one root partition.
- Desktop and system packages.
- Synaptic Package Manager used for package installation: make, gcc and kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686; check the release with the command uname -a).


REMOTE ACCESS TO SYSTEM

Xming XLaunch utility. But otherwise, X specific, exporting the display:
- run your X server on the PC (nothing required if PuTTY is used, because the X protocol is SSH-encapsulated on port 22; otherwise, ports XDMCP 177 and 6000 should be opened)
- then, on the client: setenv DISPLAY server:0.0 ; echo $DISPLAY

PuTTY


USEFUL LINKS

- http://www.dwheeler.com/secure-programs/ Secure Programming for Linux and Unix HOWTO
- www.cpan.org Perl packages and more
- http://www.sun.com/software/security/jass Sun's JASS Solaris Security Toolkit
- http://www.digilife.be/quickreferences/quickrefs.htm Quick Reference Cards, useful for those related to Unix
- http://www.cert.org/cert/ CERT security information
- http://www.auscert.org.au/5816 AusCERT Unix and Linux Security Checklist v3.0
- http://www.protocols.com/pbook/tcpip1.htm#MAP RADCOM protocols.com web site (protocols map)

WORTH READING

- Unix System Administration Handbook, Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein, Prentice Hall
- Essential System Administration, Aeleen Frisch, O'Reilly
- TCP/IP Illustrated, Richard Stevens
- TCP/IP Network Administration, Craig Hunt, O'Reilly


WINDOWS TOOLS USED DURING THIS SESSION

- Wireshark (prev. Ethereal), network protocol analyzer: http://www.wireshark.org
- PuTTY, SSH client: http://www.chiark.greenend.org.uk/~sgtatham/putty/
- Xming, PC X server: http://www.straightrunning.com/XmingNotes/
- VirtualBox, virtualization: http://www.virtualbox.org/
- EasyBCD, Windows Vista bootloader utility: http://neosmart.net/
- Apache JMeter, HTTP workbench: http://jakarta.apache.org/jmeter/