Unix Security Advanced Admin, Session 1, Feb 7
7/29/2019 Unix+Security+Advanced+Admin+ Session1 Feb7
1/30
UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION
(SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE)
A. Davous, 01/02/2009, Unix Security Advanced Admin, slide 1
FOREWORD
- There is no absolute security as long as the system is accessed at all.
- In system administration, the devil is in the details.
- For questions, contact [email protected] with [ESGI] in the subject field; otherwise the mail will be classified as spam by the server rules.
INTRODUCTION
- Unix flavors
- Common sense rules of security
- How security is compromised
- Unix daemons, services and servers
- Hands-on: Sun VirtualBox
WELL-KNOWN EXAMPLES
- Sendmail DEBUG command mode: because sendmail runs setuid root, a user could run any command with root power (compare what sudo or vi can do once they carry the same privilege).
- passwd -f: no validation of the entered GECOS field, so a user can inject a new line into the password file. A buffer overflow is a variant of the same failure to check input.
- A user can execute shellcode (to obtain a root shell) previously placed at some memory address, against any program that accepts input without control; the code that triggers this is the exploit.
- More generally, for any software that does not check file ownership before writing, you just have to link the expected file name to a system file (symlink attack).
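The check behind the sendmail case above, as an added example that is not part of the original slides: a setuid-root program hands its privilege to whoever finds a flaw in it, so the first thing to know is which setuid/setgid files exist and whether any of them are writable by ordinary users. The directory tree, file names and modes below are constructed for the demo; on a real host run the two functions on /.

```shell
#!/bin/sh
# Added example (not from the original slides): enumerate setuid/setgid files
# and flag those that are also group- or world-writable. The demo tree under
# $DEMO_ROOT is constructed; on a real host call the functions with "/".

# List setuid or setgid regular files under $1, one path per line (symlinks
# are skipped by -type f; unreadable directories are silently ignored).
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Among those, list the ones that are writable by group or others: anyone who
# can write such a file can replace it with code that runs with the elevated
# identity. Columns 6 and 9 of "ls -l" are the group and other write bits.
find_writable_setuid() {
    find_setuid "$1" | while IFS= read -r _f; do
        case "$(ls -l "$_f" | cut -c6,9)" in
            *w*) echo "$_f" ;;
        esac
    done
}

# Constructed demo tree (modes set explicitly, independent of umask).
DEMO_ROOT="${TMPDIR:-/tmp}/suiddemo.$$"
mkdir -p "$DEMO_ROOT/bin" "$DEMO_ROOT/tmp"
# setuid binary with a sane mode, like /usr/bin/passwd (rwsr-xr-x)
: > "$DEMO_ROOT/bin/passwd"; chmod 4755 "$DEMO_ROOT/bin/passwd"
# setuid file that is also world-writable: the finding we want to surface
: > "$DEMO_ROOT/tmp/helper"; chmod 4777 "$DEMO_ROOT/tmp/helper"
# plain executable, must not be listed at all
: > "$DEMO_ROOT/bin/ls"; chmod 755 "$DEMO_ROOT/bin/ls"

find_writable_setuid "$DEMO_ROOT"
```

On a production system the full list from find_setuid is worth keeping under version control: a new entry between two runs is either a package update or a planted privilege-escalation path, and the ownership and mode of every entry should be compared against the package database.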
FOR INFORMATION: UNIX RELEASES

Year | Unix                                  | Solaris (from BSD & SysV)   | Linux (from scratch)
1969 | AT&T Bell Labs Unix                   |                             |
1977 | Berkeley BSD Unix                     |                             |
1983 | System V                              |                             |
1991 |                                       | Solaris 1.0 (= SunOS 4)     | Linus Torvalds starts Linux
1993 | FreeBSD (OpenBSD follows in 1996)     |                             | Slackware ; Debian
1994 |                                       |                             | Kernel 1.0 stable ; Red Hat
1995 |                                       | Solaris 2.5 (= SunOS 5.5)   |
2000 |                                       | Solaris 8 (= SunOS 5.8)     |
2001 |                                       |                             | Kernel 2.4
2002 |                                       | Solaris 9 (= SunOS 5.9)     |
2003 |                                       |                             | Fedora Core ; Kernel 2.6

A. Davous, 17/09/2008, Solaris vs. Linux, slide 5
FOR INFORMATION: UNIX FLAVORS
- Unix time line: http://www.levenez.com/unix/
- Linux distributions time line: http://futurist.se/gldt/gldt76.png
REMINDER UNIX MANDATORY
- Read, and read again, the documentation: man, man -k, makewhatis -u
- vi (what else could be expected?), or vim, but mind its configuration and its security implications
- Shells: sh is the best choice for scripting, then tcsh or bash (to see the current one: ps)
- find, diff, touch, sort [-n], xargs
- grep, egrep, awk, Perl, expect
WELL-KNOWN ATTACKS
Name                      | Category       | Definition
Sniffing                  | Network        | Get information from network transactions
Spoofing or masquerading  | Network        | Take the identity of someone else
Denial of service         | Network        | Try to stop or degrade a service
Replaying                 | Authentication | Replay a captured authentication or transaction
Repudiation               | Authentication | Deny having performed an authentication or transaction
Spam                      | Mail           | Undesirable mail
Phishing                  | Mail           | Disguised mail to obtain confidential data
Hoax                      | Mail           | Joke with more or less serious consequences
Dictionary                | Password       | Try a list of the most common words
MALICIOUS PROGRAMS (MALWARES)
Name          | Definition
Virus         | Inserts malicious code into programs on the machine
Worm          | Self-contained process that spreads by exploiting security holes over the network
Trojan horse  | Malicious program disguised as something innocuous or desirable
Backdoor      | Method to bypass the normal authentication procedures
Rootkit       | Set of software installed to obtain abusive rights, install a backdoor and stay hidden
Spyware       | Gathers information for commercial purposes
Key logger    | Records the user's keystrokes
Exploit       | Program that exploits a security flaw in a piece of software
SECURITY KEY CONCEPTS
- 3 security goals: confidentiality, integrity, availability
- 3 usual answers to threats: ignore, improvise, or try to over-secure
- Right answer: determine the scope, identify the resources and evaluate their cost (financial, confidentiality or production), determine the security risks and the strategy, monitor, upgrade
STRATEGIES
Strategies:
- Accept the threat, but have a recovery plan
- Reduce the threat by appropriate means
- Transfer the threat to a vendor
- Bypass the threat by blocking access
Understanding is key:
- Example of the mail user privilege
- Protect all layers (example of firewalls)
- Reduce the exposed surface
- Protect, but also detect and respond: administrate!
Security is, or must be, part of conception, operation and deployment.
RISKS AND STRATEGY
Risks:
- Human: malicious, but often coming from authorized users
- Technical: hardware (physical access), software
It is up to the sysadmin to decide what the risks are and what the right level of protection is.
Strategy:
- Security and comfort are a compromise
- Have a security policy, especially a recovery procedure
HOW TO DO
In-depth (passive) protection:
- (Physical premises access)
- Network filtering
- Passwords
- Encryption
- Backup
(Active) security process:
- Monitor and apply corrections
- Full audit
- Upgrade
SECURED DESIGN
- Open design vs. secret design debate (hidden flaws, issues discovered by the community, provocation of exploits)
- Common breaches:
  - Least user access (chroot as a solution)
  - Buffer overflow
  - printf function (format-string attack: conversion specifiers inserted into a user-supplied string)
  - Web programming (URL forging)
  - Transactions, client/server (man-in-the-middle; encryption and hashing as solutions)
SOME TABLE LAWS
- If someone can execute something on your computer, or if someone can modify your OS, or if someone can physically access your computer, it does not belong to you anymore.
- Likewise, if someone can execute something on your web site, it does not belong to you anymore.
- Weak passwords lead to security breaches.
- A system is as secure as the sysadmin wants it to be.
- Encrypted data is as secure as the key used to encrypt it.
- An anti-virus that is not updated is as useful as no anti-virus.
- Anonymity is not useful, but confidentiality is.
- Technology is not the be-all and end-all.
- Security measures work well when they are simple to use for the sysadmin and transparent to the users.
REMINDER : PROCESSES
- Processes carry four identities: the real UID and GID (used for accounting) and the effective UID and GID (used for access permission checks); they are usually the same, except when the setuid or setgid bit is set on the executable.
- Command: ps
- Kinds of processes: interactive (controlled with &, ^Z, jobs), batch, daemons
DAEMONS, SERVERS, SERVICES
- Daemon, server and service concepts
- Daemon: a program that is not part of the kernel; a process that performs a specific function or system-related task, started at boot time or on demand
- Specific system daemons: init (the primordial process), cron (schedules commands), inetd (manages some of the on-demand daemons)
WELL-KNOWN DAEMONS
Name                               | Description
init                               | First process
syslogd, rsyslogd                  | Syslog logging
sendmail                           | Mail MTA (Mail Transfer Agent)
lpd, lpsched                       | Print scheduler
crond                              | Cron process scheduler
getty, mingetty                    | Terminal support
syncd, fsflush, bdflush, pdflush   | Disk buffer management
pagedaemon, swapper, kswapd        | Swap management
inetd                              | Main daemon to start on-demand TCP/IP services such as telnetd, ftpd, rshd (see /etc/inetd.conf)
named                              | BIND DNS (Domain Name System) server
routed, gated                      | TCP/IP routing daemons
dhcpd                              | DHCP (Dynamic Host Configuration Protocol) server
portmap, rpcbind                   | Port/service resolution for RPC (Remote Procedure Call)
nfsd                               | NFS (Network File System)
smbd, nmbd                         | Samba (SMB file and print sharing, NetBIOS name service)
httpd                              | Apache HTTP server
timed, ntpd, xntpd                 | NTP (Network Time Protocol)
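Since every uncommented line of /etc/inetd.conf is a listening service, the first hardening step is to know which ones are enabled and which of them speak cleartext protocols. The following audit is an added example, not part of the original slides; the inetd.conf content it parses is constructed for the demo, and on a real host the functions would be pointed at /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not from the original slides): list the services an
# inetd.conf enables and flag the ones whose protocol carries credentials or
# data in clear. The sample file below is constructed for the demo.

# Print the service name (first field) of every enabled line. inetd.conf
# fields are: service socket-type proto wait/nowait user server-program args...
# so a real entry has at least 6 fields; comments and blank lines are skipped.
inetd_enabled() {
    awk '$0 !~ /^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Print the enabled services that are cleartext or legacy r-services:
# telnet, ftp, rsh (shell), rlogin (login), rexec (exec), tftp.
inetd_cleartext() {
    inetd_enabled "$1" | grep -E '^(telnet|ftp|shell|login|exec|tftp)$'
}

# Constructed sample mirroring the classic /etc/inetd.conf layout.
SAMPLE_INETD="${TMPDIR:-/tmp}/inetd.conf.$$"
cat > "$SAMPLE_INETD" <<'EOF'
# /etc/inetd.conf - constructed sample
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd /tftpboot
EOF

echo "enabled:";   inetd_enabled "$SAMPLE_INETD"
echo "cleartext:"; inetd_cleartext "$SAMPLE_INETD"
```

Each service the second function reports should either be commented out and inetd sent a HUP, or replaced by its SSH equivalent; finger is not cleartext in the credential sense but still leaks user names to anyone on the network, which is why the first list is worth reading in full.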
init DAEMON
- First process to run after system boot; it always has PID 1 and is the ancestor of all other processes.
- After startup, init consults /etc/inittab (or /etc/ttys on BSD) to determine on which physical ports it should expect users to log in (getty processes, even though network daemons, or xdm for the graphical interface, handle most logins today).
- It also takes care of zombie processes (not running, but still listed).
- init defines run levels (passed to it as an argument from the boot loader): 0 to 6 and s (single-user).
- An additional layer is provided by the startup scripts in /etc/init.d, linked to start and stop scripts in /etc/rcX.d.
REMINDER: BOOTING AND SHUTTING DOWN (Solaris SPARC / Solaris x86-64 / Linux Fedora Core)

1. Firmware
   - Solaris SPARC: Boot PROM (device detection), accessed with STOP-A; boot -s for single-user, boot -r to reconfigure devices; see ls -l /dev/rdsk/c0t0d0s0
   - Solaris x86/64 and Linux: ROM BIOS, then MBR of the boot device
2. Boot loader
   - Solaris x86/64: GRUB since Solaris 10 (SunOS 5.10); see /boot/grub/menu.lst
   - Linux: GRUB; see /boot/grub/menu.lst
3. Kernel loading and initialization (all platforms)
4. Device configuration
   - Solaris: touch /reconfigure, then reboot, to redo the device configuration
   - Linux: device detection and configuration at each boot
5. Execution of startup scripts
   - Run levels on all platforms: 0 shut down (init 0), 1 or S single user (init s), 6 reboot (init 6)
   - Solaris: scripts management none (legacy rc scripts), or SMF since Solaris 10; configuration in /etc/default
   - Linux: scripts management with chkconfig; configuration in /etc/sysconfig
6. Multiuser mode
7. Shutdown
   - Solaris: /usr/sbin/shutdown -g secs -i 6 (reboot), -i 0 (shut down), -i S (single user)
   - Linux: /usr/sbin/shutdown -r time (reboot), -h time (halt), -f (skip fsck at the next boot); time is now, +mins or hh:mm
OTHER CONCEPTS
- Command dmesg
- Core dumps: ulimit -c
- PATH:
  - try not to modify the root profile's PATH variable
  - never put an empty entry or "." in PATH
  - in scripts (and configurations such as cron), always use the full path of commands (set them as variables at the beginning)
- Disk quotas may be used to isolate an application (beyond their original purpose)
- vi and other editors' dump/recovery files
- History of shell commands; who -r
- cp -p (preserves ownership, mode and timestamps)
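The PATH rules above can be checked mechanically. The function below is an added example, not from the original slides: it reports an empty entry or "." (both make the shell search the current directory), relative entries, and directories in PATH that are world-writable, where any user could plant a trojan ls or ps for root to run. The PATH values and the temporary directory at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original slides): report the dangerous PATH
# entries named on the slide. Demo PATH values are constructed.

# Print one line per problem found in the PATH string $1; print nothing if clean.
check_path() {
    _p="$1"
    # A leading or trailing ":" or an embedded "::" is an implicit "." entry.
    case "$_p" in
        :*|*:|*::*) echo "empty entry (implicit .) in PATH" ;;
    esac
    _old_ifs="$IFS"; IFS=:
    for _d in $_p; do
        case "$_d" in
            "")  ;;                                  # already reported above
            .)   echo "current directory (.) in PATH" ;;
            /*)  # column 9 of "ls -ld" is the world-write bit
                 if [ -d "$_d" ] && [ "$(ls -ld "$_d" | cut -c9)" = "w" ]; then
                     echo "world-writable directory in PATH: $_d"
                 fi ;;
            *)   echo "relative entry in PATH: $_d" ;;
        esac
    done
    IFS="$_old_ifs"
}

# Constructed demo: a world-writable directory standing in for a scratch area.
DEMO_DIR="${TMPDIR:-/tmp}/pathdemo.$$"
mkdir -p "$DEMO_DIR" && chmod 777 "$DEMO_DIR"
BAD_PATH="$DEMO_DIR:/usr/bin:.:bin:"
GOOD_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

echo "checking BAD_PATH:";  check_path "$BAD_PATH"
echo "checking GOOD_PATH:"; check_path "$GOOD_PATH"
```

Run it against root's effective PATH (for example from a root cron job, where the environment is minimal and easy to forget) rather than against an interactive shell's, since cron is exactly where a planted binary would be picked up unattended.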
PASSWORD CRACK TOOLS
Using these tools is illegal on computers where you have not been explicitly authorized to do so. It is nevertheless recommended to test your own password files, since crackers will do it with them.

Crack
- Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin
- Quick-start commands:
  # umask 077
  # ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
  # Crack -nice 5 /root/unshadp
  # CrackReporter
- Results in the ~/run directory

John the Ripper
- Locations: /usr/share/john ; /usr/libexec/john
- Quick-start commands:
  # umask 077
  # unshadow /etc/passwd /etc/shadow > /root/unshadp
  # john [--rules --wordlist=FILE] /root/unshadp
  # john --show /root/unshadp
- Results in john.pot (under ~/.john for a system-wide install). The unshadowed file holds every hash readable by its owner, which is why umask 077 comes first; remove it when the run is over.
ROOT PASSWORD RECOVERY
- Shows the importance of physical access: the GRUB boot loader has a timeout (/boot/grub/menu.lst) during which anyone at the console can edit the boot entry; suppress it (set it to 0) or, better, set a password on the boot loader. Either measure only holds together with a BIOS boot-order lock, since booting from removable media bypasses GRUB entirely.
- Simplest procedure, using single-user mode (case of Fedora 10):
  - At the GRUB screen, edit the current boot entry (e)
  - Edit the kernel line (e) by adding "single" at the end (single-user mode)
  - Save and boot (b)
  - The passwd command can then be run with root privileges to reset the root password
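The two menu.lst settings the slide asks for can be verified with a short script. This is an added example, not part of the original slides: it reads a GRUB legacy menu.lst (Fedora writes `timeout=5` style lines, which GRUB legacy accepts alongside `timeout 5`) and reports a usable timeout or a missing `password` line. Both menu.lst files below are constructed, and the `--md5` hash in the hardened one is a placeholder standing in for the output of grub-md5-crypt.

```shell
#!/bin/sh
# Added example (not from the original slides): check a GRUB legacy menu.lst
# for the console-edit exposure described on the slide. Sample files are
# constructed; the password hash is a placeholder, not a real grub-md5-crypt output.

# Print one line per issue in the menu.lst given as $1; print nothing if OK.
# Fields are split on spaces, tabs or "=", so "timeout=5" and "timeout 5" both parse.
grub_menu_issues() {
    _timeout=$(awk -F'[ \t=]+' '$1 == "timeout" { print $2 }' "$1" | tail -n 1)
    _password=$(awk -F'[ \t=]+' '$1 == "password" { print "yes"; exit }' "$1")
    if [ -z "$_timeout" ]; then
        echo "no timeout line: GRUB waits at the menu for input"
    elif [ "$_timeout" -gt 0 ] 2>/dev/null; then
        echo "timeout $_timeout lets anyone at the console reach the menu"
    fi
    [ "$_password" = "yes" ] || echo "no password line: entries can be edited at the console"
}

# Constructed menu.lst in Fedora 10 style, as installed: exposed.
SAMPLE_MENU="${TMPDIR:-/tmp}/menu.lst.$$"
cat > "$SAMPLE_MENU" <<'EOF'
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (constructed entry)
        root (hd0,0)
        kernel /vmlinuz-2.6.27.fc10 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.27.fc10.img
EOF

# Same file after the fix: no timeout, global password (hash is a placeholder).
HARDENED_MENU="${TMPDIR:-/tmp}/menu.lst.fixed.$$"
cat > "$HARDENED_MENU" <<'EOF'
default=0
timeout=0
password --md5 $1$PLACEHOLDER$notarealgrubmd5crypthash
hiddenmenu
title Fedora (constructed entry)
        root (hd0,0)
        kernel /vmlinuz-2.6.27.fc10 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.27.fc10.img
EOF

echo "as installed:"; grub_menu_issues "$SAMPLE_MENU"
echo "hardened:";     grub_menu_issues "$HARDENED_MENU"
```

With a global `password` line GRUB legacy refuses interactive editing until p and the password are entered, which is what blocks the "add single to the kernel line" recovery trick; menu.lst must then be mode 600, since the hash is otherwise readable by every local user.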
Sun xVM VirtualBox - 1
- VirtualBox release 2.1.2, found at www.virtualbox.org (accept the installation of the USB and network drivers)
- Host and guest concepts: see the manual
- Guest Additions concept
- Fedora 10, found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso: 32-bit although 64-bit is supported by xVM; English edition; installable Live CD)
Sun xVM VirtualBox - 2: installation procedure (example is Fedora)
- New machine: choose the OS, select the memory size (2 GB, but less than the host has!), add a virtual disk (fixed, 10 GB).
- Mount the OS ISO local file as CD/DVD-ROM.
- Start! (ignore both messages: no Guest Additions installed yet)
- When started, use the "Install to hard disk" icon. Select the French keyboard.
- Shut down, unmount the CD/DVD and restart.
- Upgrade the system and application packages (yum).
- Install the dkms package (Dynamic Kernel Module Support framework).
- Install the GNU make and gcc packages.
- Mount the Guest Additions ISO with the Devices > Install Guest Additions xVM menu.
- Run Sun's script: cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run
- Restart.
Sun xVM VirtualBox - 3: installation procedure particularities for Debian 4
- Installation from a small image, fetching packages over the Internet.
- Disk partitioning without LVM, one root partition.
- Desktop and system packages.
- Synaptic Package Manager used for package installation: make, gcc and the kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686; check the running release with uname -a).
REMOTE ACCESS TO SYSTEM
- Xming XLaunch utility. Otherwise, for X specifically, export the display:
  - Run your X server on the PC. Nothing else is required if PuTTY is used, because the X protocol is then encapsulated in SSH on port 22 (the OpenSSH equivalent is ssh -X); otherwise ports 177 (XDMCP) and 6000 (X11) must be opened on the PC, and the X traffic then crosses the network in clear.
  - Then, on the Unix side where the X clients run: setenv DISPLAY server:0.0 (csh syntax, server being the PC running the X server); check with echo $DISPLAY
- PuTTY
USEFUL LINKS
- http://www.dwheeler.com/secure-programs/ : Secure Programming for Linux and Unix HOWTO
- http://www.cpan.org : Perl packages and more
- http://www.sun.com/software/security/jass : Sun's JASS, Solaris Security Toolkit
- http://www.digilife.be/quickreferences/quickrefs.htm : Quick Reference Cards (useful for those related to Unix)
- http://www.cert.org/cert/ : CERT security information
- http://www.auscert.org.au/5816 : AusCERT Unix and Linux Security Checklist v3.0
- http://www.protocols.com/pbook/tcpip1.htm#MAP : RADCOM protocols.com web site (protocols map)
WORTH READING
- Unix System Administration Handbook, Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein, Prentice Hall
- Essential System Administration, Aeleen Frisch, O'Reilly
- TCP/IP Illustrated, W. Richard Stevens
- TCP/IP Network Administration, Craig Hunt, O'Reilly
WINDOWS TOOLS USED DURING THIS SESSION
- Wireshark (previously Ethereal), network protocol analyzer: http://www.wireshark.org
- PuTTY, SSH client: http://www.chiark.greenend.org.uk/~sgtatham/putty/
- Xming, PC X server: http://www.straightrunning.com/XmingNotes/
- VirtualBox, virtualization: http://www.virtualbox.org/
- EasyBCD, Windows Vista boot loader utility: http://neosmart.net/
- Apache JMeter, HTTP workbench: http://jakarta.apache.org/jmeter/