1 / 42

Security Issues in HP-UX and Linux

Security Issues in HP-UX and Linux. Kwang H. Paick kwang@hp73.pvamu.edu Prairie View A&M University. Common Attacks. Physical access Access to the command line Network access. Security Setup. 1. Physical security 2. File and Directory Permission 3. User Accounts 4. Log Files

eden
Télécharger la présentation

Security Issues in HP-UX and Linux

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Issues in HP-UX and Linux Kwang H. Paick kwang@hp73.pvamu.edu Prairie View A&M University kwang paick

  2. Common Attacks Physical access Access to the command line Network access kwang paick

  3. Security Setup 1. Physical security 2. File and Directory Permission 3. User Accounts 4. Log Files 5. Correct network configuration kwang paick

  4. I. Physical Security Physical access BIOS and Console Passwords Anti-theft devices kwang paick

  5. Most Unix systems are not secured because Default installation includes a wide range of vulnerabilities Software patches are not installed, and Systems are not well maintained kwang paick

  6. II. File and Directory Permissions HP-UX systems contain > 20,000 in 10.20 The most common permission problems are write access for group or other on almost any file or directory in the base installation Some files and directories require group or other ‘write’ permissions e.g. Temporary directories (group and others) Spool directories for the lpr system must be group writeable kwang paick

  7. Common Permission Problems The number one problem has been ownership of the /etc directory by bin • the /etc directory must be owned by root, and writable only be the owner • HP-UX systems allow bin to own many other directories as well (only 48 out of 1200 directories were not owned by bin kwang paick

  8. HP-UX and ACLs HP-UX includes the ability to provide a finer degree of access control through access control lists A user-group pair is written as user group • The symbol % represents no particular user or group; (u.g, rwx) specific user, specific group (u.%, rwx) specific user, no specific group (%.g, rwx) no specific user, specific group (%.%, rwx) no specific user, no specific group kwang paick

  9. HP-UX and ACLs • Most backup utilities ignore the ACL information for compatibility with POSIX standards • Only the fbackup and frecover file archive utilities handle access control lists properly • Change ACLs with thechacl command -rw-r--r-- -rw-r--r--+ lsacl xx (lon.%,rw-)(don.%,rw-)(%.hep,r--)(%.%,r--) xx ACLs are rarely used. kwang paick

  10. III. User Accounts User accounts must be maintained correctly • The accounts’ database must be checked for correctness • New accounts must be monitored, and old accounts disabled • Accounts with unusual user-ids checked • User home directories correctly configured • Passwords “checked” and protected kwang paick

  11. /etc/passwd Must be readable by all , but writable only be the root • Any account with the user id of zero is granted root’s privileges • The home directory should exist, be owned by the user, and not writeable by group or other • The use of temporary directories as the home directory is a scurity problem • The COPS tool can check the existence, ownership and permission of each home directory kwang paick

  12. Home Directory Shell startup files must specify a safe PATH: • System directories before any local directries • DOT last if present in PATH ( makes Trojan horses less effective) • root PATH • Never have DOT in root’s PATH • never includes writable directories in search path • umask • user’s default umaks 033 • root’s umaks 077 kwang paick

  13. Home Directory Dangerous startup files permitted • A .rhosts file permits user to control who may log into their account remotely via the “r” commands • The .netrc files contain unencrypted passwords for remote logins. COPS and TIGER check for these problems, as do commercial tool kwang paick

  14. Shadow Password A goal in many attacks is to get a copy of the encrypted passwords in the /etc/passwd file • These attacks can be foiled by moving the encrypted passwords into a different file, only readable by the root • These files have the generic name shadow password files kwang paick

  15. Shadow Password Some versions of UNIX come with shadow files, others must be converted • Solaris use /etc/shadow by default • Linux uses /etc/shadow after conversion • Pwconv-merge old /etc/passwd records into a new shadow database • Pwchk- verification and synching between /etc/shadow and /etc/passwd • Pwuncov- back to /etc/passwd kwang paick

  16. Shadow Password Arguments against Shadowing • Makes account management more difficult, as the /etc/passwd file can no longer just be edited • account information gets scattered among many files if converted • Crashing an FTP server can reveal the shadowed passwords in the core file kwang paick

  17. IV. Log Files Need to know where they are and what they contains check permissions and ownership see how often they are rotated/truncated monitor logfile contents Archive important logs kwang paick

  18. Log Files The wtmp files log user login, logout, date changes, start or stop of system accounting, reboots • /etc/wtmp • /var/adm/wtmp--10.20, old Linux • var/log/wamp --- Linux kwang paick

  19. Log Files Effect of su command on /var/adm/wtmp • When su was used, it creates a new process with both the process's real UID and effective UID altered. • su does not change /var/adm/wtmp file, and finger command will continue to display the account to which you logged in, not the one that you su'ed to. kwang paick

  20. Log Files: wtmp files • Grow until no space • Pruning the wtmp file zero the log file • rm /var/adm/wtmp.old • ln /var/adm/wtmp.old /var/adm/wtmp • cp /dev/null /var/adm/wtmp kwang paick

  21. Log Files • Hack Tools • Hacker tools(zap) delete entries matching a user name by replacing the record with nulls • There are also zap detectors • chkwtmp at COAST kwang paick

  22. Log Files:Last Login lastlog file • /va/log/lastlog Linux • /usr/sbin/acct/lastlog 10.20 lastlogin - keep record of date each person last logged in" bug - the date shown is usually 1 more than it should be because lastlogin is run at 4am and checks the last 24 hrs worth of process accounting info (in pacct)" kwang paick

  23. Log Files:Bad Login Bad login attempts • The trouble is that these logs often contain passwords • Look for /etc/btmp on HP-UX • Make certain that these files are readable only by the root, if they exist kwang paick

  24. Log Files:su Login UNIX systems will always log the use of the su command • Located in /var/log • /var/adm/sulog (10.20) • /var/adm/messages kwang paick

  25. Log Files:su Login SU 01/31 20:08 + tty?? root-lon SU 02/01 14:56 + tty?? root-dan SU 02/01 16:06 + ttyp2 dan-kwang SU 02/01 16:06 - ttyp2 babar-root SU 02/01 16:06 + ttyp2 babar-root SU 02/01 16:28 + tty?? root-babar These logs are useful to both attackers and defenders: • Attackers can learn who knows the root password • Defenders can learn the same thing kwang paick

  26. sudo Allows select users to execute specified commands as root e.g. eject, mount, reboot, adding new acct prevent possible errors means for accountability /etc/sudoers kwang paick

  27. Log Files:Syslog The system logdaemon, or syslogd, appears in most UNIX systems Newer versions of syslog will ignore messages sent from the network by default • Use the –l flag to enable this behaviour on BSD • The –r flag is used with Linux mail.debug /var/adm/syslog/mail.log *.info;mail.none /var/adm/syslog/syslog.log kwang paick

  28. Log Files:Syslog Feb 1 17:50:38 hp73 /sbin/init.d/sendmail[1119]: #### rebooted #### • Feb 2 09:24:03 hp73 sendmail[2272]: JAA02272: from=wu, size=9112, class=0, pri=39112, nrcpts=1, msgid=<199902231524.JAA02272@hp73.pvamu.edu>, relay=wu@localhost • Feb 2 14:16:25 hp73 sendmail[22105]: OAA22104: to=<joyum@Bayou.UH.EDU>, ctladdr • =<kwang@hp73.pvamu.edu> (207/20), delay=00:00:34, xdelay=00:00:33, mailer=smtp, • relay=bayou.uh.edu. [129.7.1.7], stat=Sent (OAA06943 Message accepted for delivery) • Feb 2 14:43:13 hp73 popper[22159]: (v2.1.4-R3) Servicing request from "129.207.217.28" at 129.207.217.28 • Feb 2 14:43:41 hp73 popper[22159]: Stats: kwang 0 0 78 1096568 kwang paick

  29. V. Network Configuration Any server is a potential hole. • ‘r’ commands • public services: • poorly configured anonymous FTP servers • mail servers • older version of Linux • web servers kwang paick

  30. Network Configuration Protecting Data in Transit • Replace telnet, rlogin, rsh and rcp with ssh, slogin, ssh, scp • Secure Shell-ssh use latest version • http://www.slac.stanford.edu/comp/unix/ssh.htm kwang paick

  31. Network Configuration Anonymous FTP directory permission • ftp 555 with root ownership.. users to read and execute • /ftp/bin 555 with root ownership • /ftp/bin/ls 111 with root ownership…users to execute only • /ftp/etc 555 with root ownership • /ftp/etc/passwd 444 with root ownership. Users to read-only access kwang paick

  32. Network Configuration:FTP • FTP bounce attack • Erroneous file permissions • The SITE EXEC bug create restricted FTP access • /etc/ftpusers—restricted users access file—name appears—denies • etc:bin, daemon, room, uucp,.. • /etc/ftpaccess—core configuration file kwang paick

  33. Network Configuration ftphosts—used to allow or deny access to certain accounts from various host • ( wild card supported • allow [username] [host or host pattern] • deny [username] [host or host pattern] • allow doe *.xyz.com • deny doe *.abc.com alternative is to use SSLftp-Secure Sockets Layer--- current version is 0.8 kwang paick

  34. Network Configuration:SMTP Trust everyone; • Protect the server from penetration • Protect smtp service from misuse, such as outsiders exploiting your mail server to send spam or fake mail • Current version 8.9.3 • earlier version—update ASAP kwang paick

  35. Network Configuration:SMTP To check sendmail version: telnet to port 25 and vew • telnet abc.xyz.edu 25 • . • . • 220 abc.xyz.edu ESMTP 8.9.3/8.9.3; -- version number kwang paick

  36. Network Configuration:SMTP Several places recommended replace sendmail with Qmail • ftp://moni.msci.memphis.edu/pub/qmail • developer offered a $1,000 reward to anyone who could break Qmail. • Sendmail offers high-powered SMTP service and excellent compatibility with existing UNIX utilities. • Qmail strives to be small, fast and secure kwang paick

  37. TOOLS Security tool that detects system vulnerabilities • COPS-The computer Oracle and Password System Port based scanner • SATAN (Security Administrator's Tool for Analyzing Networks • ISS-Internet security Scanner • faster than Satan; less information • SAINT-Security Administrator's Integrated Network Tool • updated version of SATAN kwang paick

  38. References Defending against Scanner Attacks • Courtney-SATAN and SAINT Detector Sites with Defensive software • COAST: • ftp//coast.cs.purdue.edu/pub/tools • http://www.cs.purdue.edu/coast/archive/Archive_indexing.html • NIST:http://cs-www-ncsl.nist.gov/tools/tols.htm kwang paick

  39. References • NIH htttp://www.alw.nih.gov/Security/prog-full.htm • CIAC • ftp://ciac.llnl.gov/pub/ciac/sectools/unix • http://ciac.lnl.gov/ciac • CIRT • http://www.cert.org • FIRST http://www.first.org • Trinux tools http://www/trinux.org kwang paick

  40. References • HP-UX support: • http://us-support.external.hp.com • security-alert@hp.com for bulletins • Linux Security News • http://security.linuxtoday.com • Redhat support • http://www.redhat.com/support/errata • UNIX support • http://www.usenix.rg kwang paick

  41. References Books • S. Garfinkle, G. Spafford, Practical UNIX Security, O’Reilly & Associates, Sebastopol, CA 1996, 2nd ed. • Anonymous, Maximum Linux Security, SAMS, Indianapolis, IN 1999 kwang paick

  42. Monitor SUID and SGID Files • SUID and SGID Files • two speciial file permissions: • SGID (set group ID, octal 2000 or S) • SUID (set user ID, octal 4000, or s) • find / -perm +4000 • owner’s permission are enforced even when other users executed them. kwang paick

More Related