9-December-1998


Central Missouri UNIX Users Group / 
Mizzou Linux Users Group / 
Alternative Computing @Mizzou


Tymm Twillman
Ryan Dooley

Basic UNIX Systems Security And Setup

  • Overview
  • Basic Services and Problems
  • How to Protect Yourself
  • Basic Security Precautions (ProActive and ReActive)
  • Information Resources
  • Programming with Security in Mind

Overview

  • How Do People Get In?
    • The script kiddies
    • Services that are programmed insecurely
    • Packet Sniffing
    • Shoulder Surfing or other acts of Social Engineering
    • Poor systems installation (Generic setup with defaults on)
    • Boot Disks/Media
    • Man in the Middle Attacks (Authorization Spoofing)
    • Brute Force attacks

  • Why Do People Hack/Crack?
    • Curiosity
    • Power Trips
    • Profit
    • Access to Confidential Information (Grades, Trade Secrets)
    • Job
    • Revenge

  • What Are Exploits Used For?
    • To Hack Systems for the purpose of ???
    • Disrupt Services on the remote system
    • Running (CPU) Intensive Tasks

Problems with Basic Services

  • Mail Services
  • NIS Services
  • Berkeley R-Command set (RSH, RLOGIN, RCP)

  • HTTP Services
  • FTP Services
  • NFS Services  
  • SMB Services
  • TELNET Services
  • Secure Shell Services
  • LPR Services
  • BOOTP/DHCP Services
  • Finger Services
  • TFTP Services

How to Protect Yourself (Proactive and Reactive)

  • Disable services you don't need in /etc/inetd.conf
  • Even if a service appears harmless or unused, a problem in it may still pop up later
  • People are not very likely to keep unused services updated
  • Services that are used less have probably not been updated recently
  • After installing a new package, look for SUID/SGID, and world writable files that may have been installed by the package
  • Keep informed about your system and network
  • Be pro-active instead of re-active during your administration of your machines/network
  • Don't use stupid passwords
  • Use the root account (or other administrative accounts that may have been given 0 for a UID/GID) as little as possible.  Use sudo instead
  • Avoid stupid paths in the environment (like '.' in the path of the root account in older versions of Slackware).
  • Restrict Network services with programs like rpcbind/portmap/tcpd
  • Use shadow passwords if possible
  • Use a 'good' anonymous FTP server if providing that service
  • Install and use Tripwire after you install a system
  • Try to hack your own system.
  • "Use the Force, Read the Source".
  • Never send confidential information (passwords, logs, etc.) over an unprotected/unencrypted network.
  • Remember, Trojan programs can look like the real thing (root kits)
  • Know your OS kernel and its capabilities (SysRq keys :)
  • Use Firewalls and Masquerade Hosts if possible
    • Don't assume that a Firewall protects you against everything ... you may have problems on the other side of the Firewall
  • Don't give access to those you don't trust.
  • Change passwords on a regular basis. Change administrative passwords after an administrator leaves.
  • Check your logs on a regular basis.  Syslog, UTMP, Tripwire, and web logs are a good place to start.
    • Back up your logs
    • Set up a log host
  • Check file access times (stat under IRIX and Linux)  
  • Watch for odd system behavior (config files may have been changed)
    • New users in /etc/passwd
    • Warez directories appearing
    • Mail from other admins informing you of problems they are having from a user on your machines
    • Sudden loss of files
  • More than one admin on your site
  • Use encryption programs (ssh, kerberos, ssleay, pgp, s/key, etc.)
  • Keep up with Bugtraq, AusCERT, Rootshell, and other FAQs
  • Keep your software current
  • Use Auditing tools
    • SATAN/SAINT
    • Strobe
    • CPM (checks for promiscuous mode on Ethernet devices)
    • Crack/John the Ripper
  • Use Xauth over Xhost
  • Wait for prompts before typing in passwords
  • Keep in mind that networks have almost no inherent security
  • Keep on and off site backups
  • Do NOT reuse passwords
  • Watch your users, within reason
    • Check for writable home directories
    • Check for insecure ~/.rhosts and like files
  • Invoke Security through Obscurity, but don't rely on it ... programs like Queso can reveal your true nature.
  • Set watch=(any any) in tcsh shells
  • Set user limitations for CPU, Process, and Memory use.
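The first items in this list (disable what you don't need in /etc/inetd.conf, restrict what remains with tcpd) as a worked example. This is an added example and not material from the talk: the inetd.conf contents are constructed for the demo, the function names (write_sample_inetd, enabled_services, harden_inetd, write_wrappers_policy) and the /usr/sbin/tcpd path are assumptions, and the 192.0.2.0 network is a placeholder. It assumes a POSIX sh with awk(1).

```shell
#!/bin/sh
# Added example (not from the original talk): trim a "defaults on" inetd.conf
# down to the services you need, route the survivors through tcpd, and give
# tcpd a default-deny policy. Assumes POSIX sh with awk(1); the inetd.conf
# below is constructed for the demo and the tcpd path is an assumption.

# Write a constructed inetd.conf in the generic everything-enabled state to $1.
write_sample_inetd() {
  cat > "$1" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd    in.ftpd -l
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd in.telnetd
shell   stream  tcp  nowait  root   /usr/sbin/in.rshd    in.rshd
login   stream  tcp  nowait  root   /usr/sbin/in.rlogind in.rlogind
finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd in.fingerd
tftp    dgram   udp  wait    root   /usr/sbin/in.tftpd   in.tftpd /tftpboot
EOF
}

# Names of the services still enabled (not commented out) in inetd.conf $1.
enabled_services() {
  awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# Rewrite inetd.conf $1 in place: comment out every service whose name is not
# in the space-separated keep list $2, and replace the server path of the kept
# services with tcpd ($3, default /usr/sbin/tcpd) so hosts.allow/hosts.deny
# apply to them. Disabled lines stay in the file, commented, for reference.
harden_inetd() {
  keep=" $2 "
  tcpd=${3:-/usr/sbin/tcpd}
  tmp=$(mktemp)
  awk -v keep="$keep" -v tcpd="$tcpd" '
    /^[[:space:]]*#/ || !NF        { print; next }        # leave comments/blanks
    index(keep, " " $1 " ") == 0   { print "#" $0; next } # not needed: disable
    $6 != tcpd                     { $6 = tcpd }          # needed: wrap with tcpd
                                   { print }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Default-deny tcp_wrappers policy: hosts.deny ($1) refuses everything, and
# hosts.allow ($2) admits only the daemon list $3 from the client list $4
# (a domain, a network/netmask pair, or LOCAL for hosts without a dot).
write_wrappers_policy() {
  printf 'ALL: ALL\n' > "$1"
  printf '%s: %s\n' "$3" "$4" > "$2"
}

# Demo on constructed files; on a real host point harden_inetd at
# /etc/inetd.conf and send inetd a HUP afterwards.
run_demo() {
  dir=$(mktemp -d)
  write_sample_inetd "$dir/inetd.conf"
  echo "enabled before: $(enabled_services "$dir/inetd.conf" | tr '\n' ' ')"
  harden_inetd "$dir/inetd.conf" "ftp telnet"
  echo "enabled after:  $(enabled_services "$dir/inetd.conf" | tr '\n' ' ')"
  write_wrappers_policy "$dir/hosts.deny" "$dir/hosts.allow" \
    "in.ftpd, in.telnetd" "LOCAL, 192.0.2.0/255.255.255.0"
  cat "$dir/inetd.conf" "$dir/hosts.deny" "$dir/hosts.allow"
  rm -rf "$dir"
}
run_demo
```

The keep list is deliberately an allow-list: anything you did not name is commented out, which is the safer failure mode when a package has quietly added a line you never noticed.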
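A small file-system audit covering several more items from the list: SUID/SGID and world-writable files (the check to run after installing a package), extra UID-0 accounts in /etc/passwd, writable home directories, and insecure ~/.rhosts files. This is an added example, not the talk's material; the function names (find_setuid, find_world_writable, extra_uid0, writable_homes, insecure_rhosts, make_sample_tree) are assumptions and the sample tree, including the "toor" account, is constructed for the demo. It assumes a POSIX sh with find(1) and awk(1).

```shell
#!/bin/sh
# Added example (not from the original talk): a small audit script for several
# of the checks listed above. Assumes POSIX sh with find(1) and awk(1). Every
# function takes its root directory or passwd file as a parameter, so the same
# code runs against the constructed tree from make_sample_tree or against /
# and /etc/passwd on a live host.

# SUID or SGID regular files under $1, one per line (compare against the
# list you saved after a clean install).
find_setuid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# World-writable files and directories under $1, ignoring sticky directories
# such as /tmp where world-write is intended.
find_world_writable() {
  find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
       ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Accounts in passwd file $1 with UID 0 other than root (a classic sign of a
# planted account, and the "other administrative accounts" warned about).
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Home directories from passwd file $1 that are group- or world-writable.
# $2 is a prefix prepended to each home ("" on a live system, the sample
# tree here), so the demo never touches real home directories.
writable_homes() {
  awk -F: '{ print $6 }' "$1" | while read -r home; do
    dir="$2$home"
    [ -d "$dir" ] || continue
    find "$dir" -prune -type d \( -perm -0020 -o -perm -0002 \) -print
  done
}

# ~/.rhosts files (homes from passwd file $1, prefix $2 as above) that either
# trust every host via a "+" wildcard or can be edited by group/other.
insecure_rhosts() {
  awk -F: '{ print $6 }' "$1" | while read -r home; do
    f="$2$home/.rhosts"
    [ -f "$f" ] || continue
    if grep -q '^+' "$f" ||
       [ -n "$(find "$f" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
      echo "$f"
    fi
  done
}

# Constructed sample tree (not a real system): one SUID binary, one SGID
# binary, a sticky /tmp, a second UID-0 account, a world-writable home and a
# wildcard .rhosts. Prints the tree's path.
make_sample_tree() {
  umask 022
  t=$(mktemp -d)
  mkdir -p "$t/usr/bin" "$t/home/alice" "$t/home/bob" "$t/tmp"
  {
    echo 'root:x:0:0:root:/root:/bin/sh'
    echo 'toor:x:0:0:constructed second uid 0:/root:/bin/sh'
    echo 'alice:x:1001:1001::/home/alice:/bin/sh'
    echo 'bob:x:1002:1002::/home/bob:/bin/sh'
  } > "$t/passwd"
  chmod 0644 "$t/passwd"
  : > "$t/usr/bin/su";   chmod 4755 "$t/usr/bin/su"
  : > "$t/usr/bin/sgid"; chmod 2755 "$t/usr/bin/sgid"
  : > "$t/usr/bin/ok";   chmod 0755 "$t/usr/bin/ok"
  chmod 1777 "$t/tmp"
  chmod 0755 "$t/home/alice"; chmod 0777 "$t/home/bob"
  echo '+ +' > "$t/home/alice/.rhosts"; chmod 0600 "$t/home/alice/.rhosts"
  echo 'host.example.org bob' > "$t/home/bob/.rhosts"; chmod 0644 "$t/home/bob/.rhosts"
  echo "$t"
}

# Demo run; on a live host use "/" and /etc/passwd with an empty prefix.
run_audit() {
  root=$(make_sample_tree)
  echo "== SUID/SGID";          find_setuid "$root"
  echo "== world-writable";     find_world_writable "$root"
  echo "== extra UID 0";        extra_uid0 "$root/passwd"
  echo "== writable homes";     writable_homes "$root/passwd" "$root"
  echo "== insecure .rhosts";   insecure_rhosts "$root/passwd" "$root"
  rm -rf "$root"
}
run_audit
```

Save the SUID/SGID listing from a fresh install and diff against it after each package install; a new entry is the thing to investigate, not the list itself.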

So You Have Been Compromised

  • DON'T PANIC
  • Begin Damage Control ... Make sure you are still in control of your own system
  • Backup your logs for proof and analysis later
  • Damage Control
  • Assess the level to which you were compromised
  • Damage Control
  • Seek help
  • Damage Control :)
  • Decide how to approach the intruder(s)
    • Set up a trap
    • Report them
    • Ignore them
  • Never assume that the intruder(s) are at the remote location from which the attack on your system originated.
  • Rebuild the system from scratch

Resources

  • http://www.rootshell.com
  • http://www.geek-girl.com (for Bugtraq archives)
  • ftp://gont.cs.purdue.edu (for COAST archives)
  • Your Vendors website(s)
    • http://support.sgi.com
  • http://www.cert.org (HOWEVER they are slow, inefficient and will only release information with vendor approval)
  • Folks like abuse@missouri.edu

Programming With Security in Mind

 
last modified 9-dec-1998
ryan dooley