SECURITY -HARIPRIYA PURUSHOTHAMAN
SEVEN COMMON-SENSE RULES OF SECURITY
Avoid putting files on the system that are likely to be interesting to hackers
Plug the holes that hackers can use to gain access to the system
Don’t provide places for hackers to build nests on the system
Set the traps to detect intrusions and attempted intrusions
RULES (CONTINUED)
Monitor the reports generated by these security tools
Teach ourselves about UNIX system security
Prowl around looking for unusual activity
HOW SECURITY IS COMPROMISED
• Unreliable wetware
  • Human users are the weakest link in the chain of security
  • Remedy: teach users proper security hygiene
• Software bugs
  • By exploiting coding errors, hackers can manipulate UNIX into doing whatever they want
  • Remedy: keep up with patches and security bulletins
• Open doors
  • Gaining access by exploiting software features that are meant to be helpful (a service left enabled, a trust relationship between hosts)
  • Remedy: make sure we have not put out a welcome mat for hackers
/ETC/PASSWD FILE
The contents of this file determine who can log in and what they can do once they get inside
This file is the system's first line of defense against intruders
On FreeBSD systems this file is derived from /etc/master.passwd, which holds the real password hashes
/ETC/PASSWD
Password checking and selection
It is important to continually verify that every login has a password
Pseudo-users should have a star (*) in the encrypted password field so that nobody can log in as them
The following command finds entries with a null password field:
perl -F: -ane 'print if not $F[1];' /etc/passwd
On systems with shadow passwords the second field of /etc/passwd is just an x; run the same check on /etc/shadow, where the real field lives
/etc/passwd and /etc/group must be world-readable but writable only by root
/ETC/PASSWD
The /etc/shadow file should be neither readable nor writable by the world
Passwords are normally changed with the passwd command
/ETC/PASSWD
Need for shadow passwords
Since /etc/passwd is world-readable, the encrypted password string is available to every user
Evildoers can encrypt selected dictionaries or word lists and compare the results with the strings in /etc/passwd; a match reveals the password
To impose restrictions, the encrypted passwords are moved to a separate file that is readable only by root
This file with the actual password information is called the shadow password file
/ETC/PASSWD
Group logins and shared logins
Instead of having "root" as a group login, use the sudo program to control access to rootly powers
Password aging
A facility that lets us compel users to change their passwords after a set period
User shells
Rootly entries
More than one entry in the passwd file may use a UID of zero, giving more than one way to log in as root
The defense against this subterfuge is a mini-script that lists every UID 0 entry:
perl -F: -ane 'print if not $F[2];' /etc/passwd
Anything other than root in its output deserves an explanation
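The two perl one-liners above, combined into a small audit script that can be run from cron. This is an added example and not code from the original slides; the file path is a parameter, and the passwd file it runs on here is a constructed sample so the script works offline.

```shell
#!/bin/sh
# Added example, not part of the original slides: audit a passwd-format file
# for the two problems described above, empty password fields and extra
# UID-0 entries. The path is a parameter so the same functions work on
# /etc/passwd, on /etc/shadow, or on a sample copy.

# Login names whose password field (field 2) is empty, one per line.
# On a shadowed system /etc/passwd carries an "x" there, so run this against
# /etc/shadow as well (as root); that is where the real field lives.
null_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Login names of every UID-0 entry (field 3) other than "root".
# Each one is a second way to log in with root's powers.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Run both checks, print the findings, and return 1 if there were any, so a
# cron job can mail the output only when something is wrong.
audit_passwd() {
    file=$1
    status=0
    for u in $(null_passwords "$file"); do
        echo "$file: $u has an empty password field"
        status=1
    done
    for u in $(extra_uid0 "$file"); do
        echo "$file: $u has UID 0 (a second root entry)"
        status=1
    done
    return $status
}

# Constructed sample (not real system data) so the script runs offline.
make_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:guest:/home/guest:/bin/sh
EOF
    echo "$tmp"
}

# Real use: audit_passwd /etc/passwd; audit_passwd /etc/shadow
sample=$(make_sample)
if audit_passwd "$sample"; then
    echo "$sample: clean"
else
    echo "$sample: problems found (exit status 1)"
fi
rm -f "$sample"
```

The sample deliberately contains both faults: "toor" is a second UID 0 login and "guest" has no password at all. On a real system the pseudo-user "daemon" is what a correct locked entry looks like, with a star where the hash would be.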
SETUID PROGRAMS
Prone to security problems; setuid shell scripts in particular are a well-known security hole
Setuid and setgid can be disabled for a whole filesystem with the -o nosuid option to mount
Disks should be scanned periodically to look for new setuid programs
For example, find can mail a list of all setuid root files to "netadmin"
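A periodic setuid scan with a saved baseline, so that only files that appeared since the last reviewed scan get reported. This is an added example, not the slides' own find command; the scan root and baseline path are parameters, "netadmin" appears only in a comment as the recipient the slide names, and the directory tree it scans here is constructed.

```shell
#!/bin/sh
# Added example, not from the original slides: a periodic setuid/setgid scan
# with a saved baseline, so only files that appeared since the last accepted
# scan are reported (and, from cron, mailed to the administrator). The scan
# root and the baseline path are parameters; the sample tree is constructed.

# Regular files under $1 with the setuid (4000) or setgid (2000) bit set,
# sorted so the list can be compared run to run.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Paths present now but absent from baseline file $2 (kept sorted, as
# find_setuid's output is). No output means nothing new appeared.
new_setuid() {
    find_setuid "$1" | comm -13 "$2" -
}

# Print each new file with its mode and owner; return 1 if there were any.
report_new_setuid() {
    new=$(new_setuid "$1" "$2")
    [ -z "$new" ] && return 0
    echo "New setuid/setgid files under $1:"
    echo "$new" | while IFS= read -r p; do ls -ld "$p"; done
    return 1
}

# Constructed sample tree: one setuid file already in the baseline, one setgid
# file that appeared later, one ordinary file. (They are owned by whoever runs
# this; a real scan would add "-user root" to focus on setuid-root files.)
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    : > "$d/bin/su";   chmod 4755 "$d/bin/su"
    : > "$d/bin/wall"; chmod 2755 "$d/bin/wall"
    : > "$d/bin/ls";   chmod 755  "$d/bin/ls"
    echo "$d/bin/su" > "$d/baseline"
    echo "$d"
}

# Real use, from cron:
#   report_new_setuid / /var/adm/setuid.baseline | mail -s "setuid scan" netadmin
#   find_setuid / > /var/adm/setuid.baseline    # after the report has been reviewed
d=$(make_sample_tree)
if report_new_setuid "$d/bin" "$d/baseline"; then
    echo "nothing new"
fi
rm -rf "$d"
```

Keep the baseline somewhere an intruder who gains root cannot quietly edit it (read-only media, or a copy on the logging host), otherwise a new setuid shell can simply be added to the baseline along with the binary.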
FILE PERMISSIONS
The device file /dev/kmem allows access to the kernel's own virtual address space
It should be readable only by its owner and group, never by the world
/dev/drum and /dev/mem provide equally unfettered access to the system's swap space and physical memory and need the same protection
/etc/passwd and /etc/group should not be world-writable and should be owned by root
FILE PERMISSIONS
Directories that are accessible through anonymous FTP should not be publicly writable
Only root should have both read and write permission on disk device files
The group owner is given read permission to facilitate backups, but there should be no permissions for the world
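The rules on the two permission slides above all say what the world must not be allowed to do to a given file. The following is an added example, not code from the slides, that turns such a list into a check: a policy file names each path, the "other" bits the world must not have, and optionally the expected owner. The files it checks here are constructed.

```shell
#!/bin/sh
# Added example, not from the original slides: check files against a policy of
# what the world (the "other" permission bits) must NOT be able to do, which is
# how the rules on the permission slides are phrased, plus an optional expected
# owner. Policy lines look like:
#     /etc/passwd w root
#     /etc/shadow rw root
#     /dev/kmem rw

# Return 0 if the world has permission $2 (r, w or x) on $1.
# Characters 8-10 of the symbolic mode printed by ls -ld are the "other" triplet.
world_has() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$2" in
        r) [ "$(echo "$mode" | cut -c8)" = r ] ;;
        w) [ "$(echo "$mode" | cut -c9)" = w ] ;;
        x) [ "$(echo "$mode" | cut -c10)" = x ] ;;
        *) return 1 ;;
    esac
}

# Check every line of policy file $1, print each violation, return 1 if any.
check_policy() {
    rc=0
    while read -r path bits owner; do
        case "$path" in ''|"#"*) continue ;; esac         # skip blank and comment lines
        if [ ! -e "$path" ]; then
            echo "$path: does not exist"; continue
        fi
        i=1
        while [ "$i" -le "${#bits}" ]; do                 # one forbidden bit at a time
            b=$(echo "$bits" | cut -c"$i")
            if world_has "$path" "$b"; then
                echo "$path: world has '$b' permission but must not"; rc=1
            fi
            i=$((i + 1))
        done
        if [ -n "$owner" ] && [ "$(ls -ld "$path" | awk '{ print $3 }')" != "$owner" ]; then
            echo "$path: owner is not $owner"; rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample files and policy. The expected owner is whoever runs this
# (only root can create root-owned files); a real policy would name root.
make_sample() {
    d=$(mktemp -d)
    : > "$d/passwd"; chmod 644 "$d/passwd"     # correct: world can read, not write
    : > "$d/group";  chmod 666 "$d/group"      # wrong: world-writable
    : > "$d/shadow"; chmod 644 "$d/shadow"     # wrong: world-readable
    me=$(ls -ld "$d/passwd" | awk '{ print $3 }')
    {
        echo "$d/passwd w $me"
        echo "$d/group w $me"
        echo "$d/shadow rw $me"
    } > "$d/policy"
    echo "$d"
}

d=$(make_sample)
if check_policy "$d/policy"; then echo "all files comply"; fi
rm -rf "$d"
```

Two violations are reported for the sample: the world can write the group file and read the shadow file. Device files such as /dev/kmem go in the same policy with "rw" forbidden, which is exactly the rule the slide states for them.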
MISCELLANEOUS SECURITY ISSUES
Remote event logging
Syslog allows log information from both the kernel and user processes to be forwarded to a file, to users, or to another host on our network
A secure host that acts as the central logging machine and prints security violations on an old line printer can be set up; an intruder who wipes the local logs cannot reach the copy on another host or on paper
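What the forwarding described above looks like in syslog.conf. This is an added example, not a configuration from the slides: "loghost" is an assumed name resolvable from every host, /dev/lp0 is an assumed printer device, and the auth/authpriv facility names are those of BSD and Linux syslogds (Solaris has no authpriv).

```conf
# /etc/syslog.conf on each monitored host (added example, not from the slides):
# keep a local copy of authentication and kernel messages and forward them to
# the central loghost as well. Older syslogds require TABs between the fields.
auth.*;authpriv.*       /var/log/auth.log
auth.*;authpriv.*       @loghost
kern.*                  @loghost
*.emerg                 *

# /etc/syslog.conf on the loghost: write what arrives to disk and echo the
# warnings and above to a line printer, as the slide suggests, so that even
# root on the loghost cannot erase the paper trail.
auth.*;authpriv.*               /var/log/auth.log
auth.warning;authpriv.warning   /dev/lp0
kern.*                          /var/log/kern.log
```

The loghost's syslogd must be started so that it accepts messages from the network (the -r flag on Linux sysklogd; FreeBSD's syslogd refuses them when run with -s). Classic syslog forwarding is plain UDP on port 514 with no authentication, so restrict port 514 on the loghost to the addresses of the hosts that are supposed to send, and treat the loghost itself as the most hardened machine on the network.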
MISCELLANEOUS SECURITY ISSUES
Secure terminals
Root logins can be restricted to "secure" terminals; these are usually specified as a list of TTY devices or as a keyword in a configuration file
On Solaris the file is /etc/default/login
On HP-UX and Red Hat Linux the file is /etc/securetty
On FreeBSD it is /etc/ttys
MISCELLANEOUS SECURITY ISSUES
/etc/hosts.equiv and ~/.rhosts
These files allow users to log in (via rlogin) and copy files (via rcp) without typing passwords, trusting the hostname and username the client claims
The server processes rshd and rlogind that read them should be disabled
MISCELLANEOUS SECURITY ISSUES
rexd, rexecd and tftpd
rexd: a poorly secured remote command execution server that should be disabled
rexecd: another remote command execution daemon; it serves requests from the rexec library routine, and those requests include a plaintext password
tftpd: the server for the Trivial File Transfer Protocol; it lets any machine on the network request files from our disk with no authentication, so it should be disabled or confined to a boot-file directory
MISCELLANEOUS SECURITY ISSUES
fingerd
finger prints a short report about a particular user
The information returned by "finger user@host", when supported by the fingerd daemon on the remote host, is potentially useful to hackers (valid login names, last login times, who is idle or away)
NIS (Network Information Service)
Sun's database distribution tool that many sites use to maintain and distribute system files such as passwd and hosts
It gives hackers equally easy access to that information
MISCELLANEOUS SECURITY ISSUES
Sendmail
A massive network program that runs as root; it has often been attacked and has had numerous vulnerabilities, so keep it patched
Backups
Backup tapes should be kept under lock and key; they hold every file on the system, shadow password file included
Trojan horses
Programs that are not what they seem to be
SECURITY POWER TOOLS
Nmap: network port scanner
Checks a set of target hosts to see which TCP and UDP ports have servers listening on them
A command looks like
% nmap -sT host1.uexample.com
The -sT argument asks nmap to connect to each TCP port on the target host in the normal way
The -sS argument instead performs a SYN scan, which probes ports without completing an actual connection
The -O option gives nmap the ability to guess what OS a remote system is running
SECURITY POWER TOOLS
SAINT: similar to nmap in finding out what servers hosts are running
Unlike nmap, it knows quite a lot about the actual UNIX server programs and their vulnerabilities
Its user interface is entirely web based
SECURITY POWER TOOLS
Crack: a sophisticated tool that implements several password guessing techniques
Run it against our own password file before an attacker does; passwords should be crack-resistant
tcpd: referred to as the "TCP wrappers" package
Allows connections to TCP services to be logged, and restricted by client address through /etc/hosts.allow and /etc/hosts.deny
Piggybacks on top of inetd
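The slides on hosts.equiv, rexd/rexecd/tftpd and fingerd each end with "disable the daemon", and the tcpd entry says the wrappers piggyback on inetd; both come down to editing /etc/inetd.conf. The script below, an added example and not code from the slides, does both edits on a copy of that file: it comments out the dangerous services and routes the remaining plain TCP servers through /usr/sbin/tcpd. The inetd.conf it processes is a constructed sample; the tcpd path, the "#DISABLED#" marker and the choice to include finger in the list are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: produce a hardened copy of an
# inetd.conf. Services named on the slides as dangerous (rsh/rlogin/rexec,
# rexd, tftp, plus finger) are commented out; every remaining ordinary TCP
# server is wrapped with tcpd so connections are logged and subject to
# /etc/hosts.allow and /etc/hosts.deny. The tcpd path is an assumption.

# Print the hardened version of inetd.conf $1 on stdout.
harden_inetd() {
    awk '
        BEGIN {
            n = split("shell login exec rexd tftp finger", d, " ")
            for (i = 1; i <= n; i++) deny[d[i]] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }            # keep comments and blank lines
        {
            svc = $1; sub(/\/.*/, "", svc)                   # "rexd/1" -> "rexd"
            if (svc in deny) { print "#DISABLED# " $0; next }
            # wrap ordinary TCP servers; leave "internal" and rpc entries alone
            if ($2 == "stream" && $3 ~ /^tcp6?$/ && $4 == "nowait" &&
                $6 != "internal" && $6 != "/usr/sbin/tcpd") {
                line = $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t/usr/sbin/tcpd\t" $6
                for (i = 8; i <= NF; i++) line = line " " $i   # keep the daemon args
                print line; next
            }
            print
        }' "$1"
}

# Names of the services still enabled in inetd.conf $1 (non-comment lines).
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { s = $1; sub(/\/.*/, "", s); print s }' "$1"
}

# Constructed sample inetd.conf, not taken from a real host.
make_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
exec    stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
tftp    dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -s /tftpboot
rexd/1  stream  rpc/tcp wait    root    /usr/sbin/rpc.rexd      rpc.rexd
daytime stream  tcp     nowait  root    internal
EOF
    echo "$tmp"
}

# Real use: harden_inetd /etc/inetd.conf > /etc/inetd.conf.new, review the
# result, install it, then send inetd a HUP signal so it rereads the file.
conf=$(make_sample)
harden_inetd "$conf" > "$conf.new"
echo "still enabled: $(enabled_services "$conf.new" | tr '\n' ' ')"
rm -f "$conf" "$conf.new"
```

Wrapping only makes the remaining services logged and filterable; tcpd's decisions come from /etc/hosts.deny (start it with the single line "ALL: ALL") and /etc/hosts.allow, which then lists the clients each service may be reached from. Services that inetd runs as "internal" have no program for tcpd to wrap, and rpc entries have their own format, so the script leaves both untouched.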
SECURITY POWER TOOLS
COPS (Computer Oracle and Password System)
A classic tool that identifies many classic security problems
Warns us of potential problems by sending email
tripwire
Monitors the permissions and checksums of important system files so that we can easily detect files that have been replaced
Its database must be kept where an intruder cannot alter it (read-only or off-line media), or the comparison proves nothing
CRYPTOGRAPHIC SECURITY TOOLS
Kerberos
An authentication system: a facility that guarantees that users and services are in fact who they claim to be
Uses DES to construct a nested set of credentials called "tickets"
Tickets are passed around the network to certify identity and to provide access
It never transmits unencrypted passwords and relieves users from typing their passwords repeatedly
CRYPTOGRAPHIC SECURITY TOOLS
PGP: Pretty Good Privacy
Focused primarily on email security; used to encrypt data, generate signatures, and verify the origin of files and messages
Software packages are often distributed with a PGP signature file that attests to the origin and integrity of the software; the signature is worth only as much as our trust in the signer's key
CRYPTOGRAPHIC SECURITY TOOLS
SSH: the secure shell
Confirms the user's identity and encrypts all communications between two hosts
The server daemon sshd can authenticate in several ways:
Method A: the user is logged in automatically if the name of the remote host the user is logging in from appears in ~/.rhosts or an equivalent file (this is the rlogin trust model and should be turned off)
Method B: uses public key cryptography to verify the identity of the remote host
Method C: uses public key cryptography to establish the user's identity
Method D: allows the user to enter his or her normal login password
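How those four methods map onto the server's configuration. This is an added example, not a configuration from the slides; it uses the OpenSSH option names (the SSH1-era server spelled the same controls RhostsAuthentication, RhostsRSAAuthentication and RSAAuthentication), and the choice to turn password logins off is an assumption that every user already has a key.

```conf
# /etc/ssh/sshd_config fragment (added example, not from the slides).
# Method A: trust in ~/.rhosts and hosts.equiv, the same model as rlogin. Off.
HostbasedAuthentication no
IgnoreRhosts yes
# Method C: the user proves possession of a private key. On.
PubkeyAuthentication yes
# Method D: the ordinary login password. Off once every user has a key;
# set to "yes" during the transition, but never allow empty passwords.
PasswordAuthentication no
PermitEmptyPasswords no
# Root logs in as an ordinary user and uses sudo, as the slides recommend.
PermitRootLogin no
```

Method B is enforced by the client rather than the server: ssh compares the server's host key with the one recorded in ~/.ssh/known_hosts, and with "StrictHostKeyChecking yes" in ssh_config it refuses to connect when the key is unknown or has changed, which is what protects the session from an impostor host.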
CRYPTOGRAPHIC SECURITY TOOLS
SRP: Secure Remote Password
A highly secure way to verify passwords over a public network; SRP-enabled versions of telnet and ftp can be used
OPIE: One-Time Passwords in Everything
Instead of encrypting passwords, it just makes sure that each one works only once
One-time passwords are generated on our behalf, so a password sniffed from the network is useless to the attacker
FIREWALLS - basic tool for network security
A firewall is only a supplemental security measure, not a substitute for securing the hosts behind it
Packet filtering firewalls
Limit the types of traffic that can pass through the Internet gateway based on information in the packet header (addresses, protocol, ports, flags)
How services are filtered: the daemons that provide these services bind to their well-known ports and wait for connections from remote sites
Service-specific filtering is based on the assumption that the client will use a non-privileged port to contact a privileged port on the server; an attacker who controls the client can choose any source port, so such rules should not be the only protection
FIREWALLS
Service proxy firewalls
Service proxies intercept connections to and from the outside world and establish new connections to services inside our network
The proxy acts as a sort of shuttle or chaperone between the two worlds
Stateful inspection firewalls
Designed to inspect the traffic that flows through them and compare the actual network activity to what "should" be happening (for example, an inbound reply is allowed only when the matching outbound connection was seen)
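The difference between the packet filtering rules on the previous slide and stateful inspection, shown on constructed packets. This is an added example, written for this page and not in any real firewall's rule language; the network layout (10.0.0.5 as the mail server, 10.0.0.0/24 as the inside) and the packet notation are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original slides and not any real firewall's
# rule language: a toy filter that applies the rules described above to
# constructed packets, first statelessly and then with the connection table a
# stateful inspection firewall keeps. Assumed network: 10.0.0.5 is our mail
# server, 10.0.0.0/24 is "inside", anything else is outside.
# A packet is "dir proto src sport dst dport flag": dir in|out, flag syn|ack.

INSIDE_SMTP=10.0.0.5

# Stateless packet filter: decide from the header of this packet alone.
stateless() {
    dir=$1 proto=$2 src=$3 sport=$4 dst=$5 dport=$6 flag=$7
    if [ "$proto" != tcp ]; then echo deny; return; fi
    if [ "$dir" = out ]; then echo allow; return; fi      # trust inside hosts
    # Service-specific rule: SMTP to our mail host from a non-privileged client
    # port, which is the assumption described on the slide.
    if [ "$dst" = "$INSIDE_SMTP" ] && [ "$dport" -eq 25 ] && [ "$sport" -gt 1023 ]; then
        echo allow
    # "Established" rule: an ACK to a non-privileged inside port looks like the
    # reply half of a connection we opened. A stateless filter cannot tell it
    # from an ACK sent from outside to probe or reach that port directly.
    elif [ "$flag" = ack ] && [ "$dport" -gt 1023 ]; then
        echo allow
    else
        echo deny
    fi
}

# Stateful inspection: same rules for new inbound connections, but replies are
# allowed only when the table shows we opened the matching connection.
# Outbound SYNs create the entry. The table lives in the file named by $STATE.
STATE=${STATE:-$(mktemp)}
stateful() {
    dir=$1 proto=$2 src=$3 sport=$4 dst=$5 dport=$6 flag=$7
    if [ "$proto" != tcp ]; then echo deny; return; fi
    if [ "$dir" = out ]; then
        [ "$flag" = syn ] && echo "$proto $src $sport $dst $dport" >> "$STATE"
        echo allow; return
    fi
    if [ "$dst" = "$INSIDE_SMTP" ] && [ "$dport" -eq 25 ] && [ "$sport" -gt 1023 ]; then
        echo allow
    elif grep -qx "$proto $dst $dport $src $sport" "$STATE"; then
        echo allow                      # reply to a connection in the table
    else
        echo deny
    fi
}

# Demonstration on constructed packets (addresses are documentation ranges).
echo "mail from outside, stateless:       $(stateless in tcp 203.0.113.1 40000 10.0.0.5 25 syn)"
echo "forged reply, stateless:            $(stateless in tcp 203.0.113.2 80 10.0.0.7 51000 ack)"
echo "forged reply, stateful:             $(stateful in tcp 203.0.113.2 80 10.0.0.7 51000 ack)"
echo "inside host opens web connection:   $(stateful out tcp 10.0.0.7 51000 203.0.113.2 80 syn)"
echo "real reply, stateful:               $(stateful in tcp 203.0.113.2 80 10.0.0.7 51000 ack)"
```

The "forged reply" packet is the case the slides' wording points at: it satisfies the stateless rule's header test (ACK set, high destination port) although no inside host asked for it, so the stateless filter passes it and the stateful one drops it. The SMTP rule behaves identically in both, which is why stateful inspection adds to, rather than replaces, the service-specific rules.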
WHAT TO DO WHEN A SITE HAS BEEN ATTACKED
1. Don't panic
2. Decide on an appropriate level of response
3. Hoard all available tracking information
4. Assess your degree of exposure
5. Pull the plug
6. Devise a recovery plan
7. Communicate the recovery plan
8. Implement the recovery plan
9. Report the incident to authorities