CIT 470: Advanced Network and System Administration

Jan 04, 2016

Timothy Terry

CIT 470: Advanced Network and System Administration. Security. Topics. Risk Management Security Policies OS Hardening Authentication PAM Passwords Incident Response. Risk Management. - PowerPoint PPT Presentation
Page 1: CIT 470: Advanced Network and System Administration

CIT 470: Advanced Network and System Administration Slide #1

CIT 470: Advanced Network and System Administration

Security

Page 2: CIT 470: Advanced Network and System Administration

Topics

1. Risk Management

2. Security Policies

3. OS Hardening

4. Authentication

5. PAM

6. Passwords

7. Incident Response

Page 3: CIT 470: Advanced Network and System Administration

Risk Management

Risk is the relationship between your assets, the vulnerabilities characteristic to those assets, and attackers who wish to access or modify those assets.

Page 4: CIT 470: Advanced Network and System Administration

Assets

1. Login account.

2. Network bandwidth.

3. Disk space.

4. Data.

5. Reputation.

Page 5: CIT 470: Advanced Network and System Administration

Security Goals

Data confidentiality
– Customer account data (credit cards, identity)
– Trade secrets
– Administrative data (passwords, configuration)

Data integrity
– Administrative data
– Software downloads (patches, free tools)
– Web pages

Page 6: CIT 470: Advanced Network and System Administration

Security Goals

System integrity
– System binaries
– Kernel

System/network availability
– Network bandwidth
– Network services (auth, file, mail, print)
– Disk space

Page 7: CIT 470: Advanced Network and System Administration

Threats

Financial motives
– Identity theft
– Phishing
– Spam
– Extortion
– Botnets

Political motives
– Danish sites hacked after Mohammed cartoons.

Personal motives
– Just for fun.
– Insider revenge.

Page 8: CIT 470: Advanced Network and System Administration

Vulnerabilities

1. Bad/default passwords.

2. Unused services with open ports.

3. Unpatched software vulnerabilities.

4. Transmitting confidential data in cleartext.

5. Open modems or wireless networks.

6. Physical access to critical systems.

7. Uneducated users.

Page 9: CIT 470: Advanced Network and System Administration

Attack Trees

Page 10: CIT 470: Advanced Network and System Administration

Defense Types

Perimeter Security
– Firewall off network to prevent intrusions.
– What about wireless?
– What about mobile computing?

Defense in Depth
– Secure systems at all levels:
• Network perimeter (firewall)
• Intrusion detection
• System hardening

Page 11: CIT 470: Advanced Network and System Administration

Defenses

Vulnerability mitigation
– Use secure authentication systems.
– Deploy software in secure configuration.
– Patch security flaws quickly.

Attack mitigation
– Firewalls to prevent network attacks.
– IDS to detect attacks.
– Virus/spyware scanners.

Page 12: CIT 470: Advanced Network and System Administration

Security Policies

User Level Policies
Users must sign before receiving resources.
1. Acceptable Use Policy
2. Monitoring and Privacy Policy
3. Remote Access Policy

Business Level Policies
1. Network Connectivity Policy
2. Log Retention Policy

Page 13: CIT 470: Advanced Network and System Administration

OS Hardening

1. Secure the physical system.
2. Install only necessary software.
3. Keep security patches up to date.
4. Delete or disable unnecessary user accounts.
5. Use secure passwords.
6. Disable remote access except where necessary.
7. Use sudo instead of su.
8. Run publicly accessible services in a jail.
9. Check logs regularly.
10. Configure firewall on each host.
11. Run security scanner to check security.
12. Document security configuration.

Page 14: CIT 470: Advanced Network and System Administration

Secure the physical system

1. Place servers in a physically secure location.

2. Physically secure the case.

3. Place ID tags on all hardware.

4. Password protect the BIOS.

5. Disable booting from removable media.

Page 15: CIT 470: Advanced Network and System Administration

Install only Necessary Software

Put different services on different hosts.
– A compromise in ftp shouldn’t compromise mail.
– Improves reliability and maintainability too.

Common unnecessary packages
– X-Windows
– Software development (gcc, gdb, etc.)

Page 16: CIT 470: Advanced Network and System Administration

Security Patches

Subscribe to vendor security patch list.
– Or know vendor’s update schedule.
– MS Windows updates on 2nd Tuesday.

Update test host first.
– yum update
– Patches can sometimes break services.

Update other hosts after that.
– May need to schedule downtime if reboot required.

Page 17: CIT 470: Advanced Network and System Administration

Jails

Complete isolation: virtual machines.

Partial isolation: chroot
chroot /var/httpd httpd

chroot filesystem needs:
– /var/httpd/etc: limited /etc/{passwd,shadow,group}
– /var/httpd/usr/lib: shared libraries
– /var/httpd/bin: extra binaries
– /var/httpd/var/log: log space
– /var/httpd/tmp: temporary space

Page 18: CIT 470: Advanced Network and System Administration

Check Logs

Review logs every morning.

Better yet, have a program scan them.
– logwatch
– swatch

Send logs to a central server for
– security: attacker can’t hide tracks by deleting
– ease of use: you can read all logs in one place

Page 19: CIT 470: Advanced Network and System Administration

Security Scanning

Scan host security
– Run bastille on host.

Scan network security
– Scan for open ports with nmap.
– Scan for vulnerabilities with nessus.

Page 20: CIT 470: Advanced Network and System Administration

Intrusion Detection

Host-based intrusion detection
– Check if system files are modified.
– Check for config / process modifications.
– Tools: tripwire, osiris, samhain

Network-based intrusion detection
– NIDS = Sniffer + traffic analysis + alert system.
– Check for suspicious activities: port scans, etc.
– Check for attack signatures: worms, etc.
– Tools: snort, airsnort

Page 21: CIT 470: Advanced Network and System Administration

Security Auditing

Internal and External Audits
– Internal: by a group within organization.
– External: by a group external to organization.

Audit areas
– Check compliance with security policy.
– Check physical security of building, data center.
– Check that machines have up to date patches.
– Scan networks to verify hosts + services.
– Penetration testing.

Page 22: CIT 470: Advanced Network and System Administration

Authentication

Binding of an identity to a subject

Based on:
1. What the entity knows (e.g., passwords)
2. What the entity has (e.g., access card)
3. What the entity is (e.g., fingerprints)
4. Where the entity is (e.g., local terminal)

Two-factor authentication

Page 23: CIT 470: Advanced Network and System Administration

Purpose of Authentication

Access Control
– Most systems base access rights on identity of principal executing the process.

Accountability
– Logging and auditing functions.
– Need to track identity across account/role changes (e.g., su, sudo).

Page 24: CIT 470: Advanced Network and System Administration

Access Control Matrix

Group Dev RE Fin Res HR Ops Infra Sec

Developers W R R

Release Engineers R W R

Finance W R

Human Resources R W

Operations R R W

System Administration A A A A A A A

Security A A A A A A A A

Dev = developer, RE = release engineering, Fin = finance, Res = corporate resource (intranet), HR = human resources, Ops = operations, Infra = infrastructure (mail/auth servers, etc.), Sec = security (firewalls, IDS)
A = administrative access, R = read, W = write

Page 25: CIT 470: Advanced Network and System Administration

Single-sign on

Login once to access all computing resources
– UNIX
– Windows
– Web Applications
– Databases
– Remote access

Difficult to achieve in practice.
– Kerberos (Active Directory)

Page 26: CIT 470: Advanced Network and System Administration

PAM

Problem:
– Many programs require authentication.
  Ex: ftp, rlogin, ssh, etc.
– New auth schemes require rewrites.
  Ex: longer passwords, keys, one-time passwords

Solution:
– Separate authentication from programs.
– Use Pluggable Authentication Modules for auth.
– Programs choose PAMs to use at runtime by reading config files.

Page 27: CIT 470: Advanced Network and System Administration

PAM Configuration

Configured under /etc/pam.d
– Each PAM-aware service has a file there.

Format: <module interface> <control flag> <module name> <module arguments>
– Module interface: one of 4 module types.
– Control flag: how module will react to failure or success (multiple successes may be required.)
– Module name: PAM shared library.
– Module args: Files to use, other options.

Page 28: CIT 470: Advanced Network and System Administration

Module Interfaces

auth — Authenticates use of service. For example, it may request and verify a password.

account — Verifies that access is permitted, e.g. check for expired accounts or location/time.

password — Sets and verifies passwords.

session — Configures and manages user sessions, e.g. mounting user home directories or mailboxes.

Page 29: CIT 470: Advanced Network and System Administration

Module Stacking Example

rlogin PAM requirements
– The file /etc/nologin must not be present.
– Root may not login over network (securetty.)
– Environment variables may be loaded.
– ~/.rhosts entry allows login without password.
– Otherwise perform standard password login.

PAM config file
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_rhosts_auth.so
auth required pam_stack.so service=system-auth

Page 30: CIT 470: Advanced Network and System Administration

Control Flags

required — Module result must be successful for authentication to continue. User is not notified on failure until results on all modules referencing that interface are available.

requisite — Module result must be successful for authentication to continue. User is notified immediately with a message reflecting the first failed required or requisite module.

sufficient — Module result ignored if it fails. If a sufficient flagged module result is successful and no required flagged modules above it have failed, then no other results are required and the user is authenticated to the service.

optional — Module result is ignored. Only necessary for successful authentication when no other modules reference the interface.
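To make these flag semantics concrete, here is an added Python simulation (not part of the slides or of Linux-PAM) that parses the rlogin stack from the module stacking slide and evaluates it under different module outcomes; the module names are the ones on that slide, and the per-module results are a constructed dictionary supplied by the caller rather than real module calls.

```python
"""Simulate how Linux-PAM control flags combine module results.

Added example (not from the slides or from Linux-PAM): parses
/etc/pam.d-style lines and applies the required / requisite /
sufficient / optional rules above to caller-supplied outcomes.
"""

# The rlogin stack from the module stacking slide (constructed copy).
RLOGIN_STACK = """\
auth required   pam_nologin.so
auth required   pam_securetty.so
auth required   pam_env.so
auth sufficient pam_rhosts_auth.so
auth required   pam_stack.so service=system-auth
"""


def parse_stack(text, interface="auth"):
    """Return [(control, module, args)] for one module interface."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drops comments and blanks
        if fields and fields[0] == interface:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack


def evaluate(stack, outcomes):
    """Apply the control-flag rules; outcomes maps module name -> bool.

    Returns (authenticated, modules_consulted) so the early exits of
    requisite (on failure) and sufficient (on success) are visible.
    """
    consulted, required_failed, saw_required, optional_ok = [], False, False, None
    for control, module, _args in stack:
        ok = outcomes.get(module, False)         # unknown module counts as failure
        consulted.append(module)
        if control == "required":
            saw_required = True
            required_failed = required_failed or not ok   # reported only at the end
        elif control == "requisite":
            saw_required = True
            if not ok:
                return False, consulted          # user is told immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted           # no further modules needed
        elif control == "optional":
            optional_ok = ok if optional_ok is None else (optional_ok or ok)
        else:
            raise ValueError("unknown control flag: " + control)
    if required_failed:
        return False, consulted
    if saw_required:
        return True, consulted
    return bool(optional_ok), consulted          # only optional/sufficient: deny unless optional passed
```

Note that a present /etc/nologin (pam_nologin.so failing) still denies the login even when the sufficient pam_rhosts_auth.so succeeds, because a required module above it has already failed.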

Page 31: CIT 470: Advanced Network and System Administration

PAM Files

/etc/pam.d: PAM configuration files.

/lib/libpam.so: Main PAM library.
– Reads configuration files.
– Loads other PAM modules.

/lib/security: Pluggable modules.

/usr/share/doc/*pam*: Documentation.

Page 32: CIT 470: Advanced Network and System Administration

Use Secure Passwords

Attacks against Passwords
– Password sniffing
– Password guessing via login
– Password cracking

Defences
– Do not transfer passwords over the network.
– Secure /etc/{passwd,shadow}
– Configure password quality/aging rules.
– Test your passwords by cracking them.

Page 33: CIT 470: Advanced Network and System Administration

Password Quality

Use pam_cracklib.so in system-auth

Options
– retry=#: Maximum # of retries.
– minlen=#: Minimum password length.
– lcredit=#: Min # of lower case letters.
– ucredit=#: Min # of upper case letters.
– dcredit=#: Min # of digits.
– ocredit=#: Min # of other chars.

Page 34: CIT 470: Advanced Network and System Administration

Password Aging

Configure /etc/login.defs before creating accounts.
– PASS_MAX_DAYS: Max # of days before password expires.
– PASS_MIN_DAYS: Min # of days before user can change pw.
– PASS_WARN_AGE: # of days for pw change notice given.

Also configure /etc/default/useradd
– INACTIVE: # of days after pw expiration that account is disabled.
– EXPIRE: Account expiration date in format YYYY-MM-DD.

Remember old passwords with pam_unix.so
– Prevents users from changing password back to old value.
– Modify /etc/pam.d/system-auth
– Set pam_unix.so option remember=26
– Create /etc/security/opasswd to store old passwords.

Page 35: CIT 470: Advanced Network and System Administration

One-Time Passwords

A password that’s invalidated once used.

Challenge: number of auth attempt
Response: one-time password

Problems
– Generation of one-time passwords
• Use hash or cryptographic function
– Synchronization of the user and the system
• Number or timestamp passwords
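The hash-chain scheme (Lamport, as used by S/KEY) is one way to get both properties above: passwords come from a hash function and are numbered, so the count is what keeps user and system in sync. The following is an added Python example, not code from the slides; the seed value is constructed for the demonstration and the class and function names are the author's own.

```python
"""Lamport / S/KEY-style one-time passwords from a hash chain.

Added example, not from the slides: the server keeps only the last
accepted password, so a sniffed one cannot be replayed, and the
counter n keeps client and server synchronised."""
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(secret: bytes, n: int) -> bytes:
    """h applied n times: h^n(secret); h^0(secret) is the secret itself."""
    value = secret
    for _ in range(n):
        value = h(value)
    return value


class Server:
    """Holds h^n(secret) and the counter; the secret never leaves the client."""
    def __init__(self, verifier: bytes, n: int):
        self.verifier, self.n = verifier, n

    def challenge(self) -> int:
        return self.n - 1              # index of the password expected next

    def verify(self, response: bytes) -> bool:
        if self.n <= 1:
            return False               # h^0 would be the secret: chain exhausted, re-seed
        if not hmac.compare_digest(h(response), self.verifier):
            return False               # wrong password, or a replay of a used one
        self.verifier, self.n = response, self.n - 1   # accepted value is the new verifier
        return True


class Client:
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, index: int) -> bytes:
        return chain(self.secret, index)


def demo() -> list:
    secret = b"constructed-demo-seed"   # constructed; use os.urandom() for a real seed
    server = Server(chain(secret, 5), 5)
    client = Client(secret)
    first = client.respond(server.challenge())
    results = [server.verify(first), server.verify(first)]      # accepted, then replay refused
    while server.n > 1:                                          # use the remaining passwords
        results.append(server.verify(client.respond(server.challenge())))
    results.append(server.verify(client.respond(server.challenge())))  # refused: exhausted
    return results
```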

Page 36: CIT 470: Advanced Network and System Administration

Biometrics

Identify by physical chars
– Fingerprint
– Iris scan

Unique identifiers.
– Not secrets.
– Can’t be changed at will.

Possible outcomes:
1. Correct person accepted
2. Imposter rejected
3. Correct person rejected (False Rejection)
4. Imposter accepted (False Acceptance)

A tradeoff always exists between false acceptances and false rejections.

Page 37: CIT 470: Advanced Network and System Administration

Disable Unnecessary Accounts

/etc/passwd contains application accounts.
– Delete unnecessary application accounts.
– Common ex: uucp, games, gdm, xfs, rpcuser, rpc
– All should have locked passwords.
– Set shell to /bin/noshell or /bin/false.

Disable user accounts immediately on termination of employment.
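An added Python audit script (not from the slides) that checks the two rules above, locked passwords and a no-login shell for application accounts, together with the PASS_MAX_DAYS aging rule from the password aging slide. The /etc/passwd and /etc/shadow contents, the 90-day limit and the audit date are constructed samples; the UID boundary of 500 is the RHEL 4 convention assumed here.

```python
"""Audit application accounts in /etc/passwd and /etc/shadow.

Added example, not from the slides: flags system accounts whose password
is not locked or whose shell still permits logins, and users whose
password is older than PASS_MAX_DAYS.  Both files are constructed
samples; pass real file contents (reading /etc/shadow needs root)."""
from datetime import date

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:$1$sample$notarealhash:16800:0:99999:7:::
games:*:16800:0:99999:7:::
uucp:$1$sample$notarealhash:16800:0:99999:7:::
rpcuser:$1$sample$notarealhash:16800:0:99999:7:::
alice:$1$sample$notarealhash:16500:0:90:7:::
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/bin/noshell"}
SYSTEM_UID_MAX = 499     # RHEL 4 convention: UIDs below 500 are application accounts
PASS_MAX_DAYS = 90       # the policy value set in /etc/login.defs (constructed)


def parse_colon_file(text):
    """Map the first field (user name) to the full list of fields."""
    return {line.split(":")[0]: line.split(":") for line in text.splitlines() if line}


def audit(passwd_text, shadow_text, today):
    """Return [(user, finding)] in /etc/passwd order."""
    passwd, shadow = parse_colon_file(passwd_text), parse_colon_file(shadow_text)
    epoch_days = (today - date(1970, 1, 1)).days
    findings = []
    for name, fields in passwd.items():
        uid, shell = int(fields[2]), fields[6]
        entry = shadow.get(name, [name, ""])      # missing shadow entry: no hash at all
        if name != "root" and uid <= SYSTEM_UID_MAX:
            if not entry[1].startswith(("!", "*")):   # '!'/'*' never match; '' means no password
                findings.append((name, "password not locked"))
            if shell not in NOLOGIN_SHELLS:
                findings.append((name, "login shell " + shell))
        elif len(entry) > 2 and entry[2]:
            age = epoch_days - int(entry[2])      # field 3: last change, days since epoch
            if age > PASS_MAX_DAYS:
                findings.append((name, f"password {age} days old (max {PASS_MAX_DAYS})"))
    return findings


def run_audit():
    return audit(PASSWD, SHADOW, date(2016, 1, 4))   # audit date constructed for the demo
```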

Page 38: CIT 470: Advanced Network and System Administration

Disabling Remote Access

Disable cleartext protocols
– telnet, ftp, rsh, rlogin

Disable root access via ssh.
– Set PermitRootLogin to “no” in sshd_config

Remove root non-terminal consoles
– Set in /etc/securetty

Disable password access via ssh
– Use keys instead.

Page 39: CIT 470: Advanced Network and System Administration

sudo

Login as root only for single-user mode.

Use sudo instead of su.
– sudo command

Advantages:
– Uses user password instead of root’s password.
– Logs who executed what commands as root.
– Can delegate limited powers to some users.

Page 40: CIT 470: Advanced Network and System Administration

What is an Incident?

Violation of security policy:
– Unauthorized access of information
– Unauthorized access to machines
– Embezzlement
– Virus or worm attack
– Denial of service attacks
– Email spam or harassment

Page 41: CIT 470: Advanced Network and System Administration

Incident Response Goals

1. Determine if a security breach occurred.

2. Contain intrusion to prevent further damage.

3. Recover systems and data.

4. Prevent future intrusions of same kind.

5. Investigate and/or prosecute intrusion.

6. Prevent public knowledge of incident.

Page 42: CIT 470: Advanced Network and System Administration

Incident Response

Phases to restore system to satisfy site security policy:

1. Preparation for attack (before attack detected)
2. Identification of attack
3. Containment of attack (confinement)
4. Damage assessment
5. Preserve evidence (if necessary)
6. Eradication of attack (stop attack)
7. Recovery from attack (restore system to secure state)
8. Follow-up to attack (analysis and other actions)

Page 43: CIT 470: Advanced Network and System Administration

References

1. Michael D. Bauer, Linux Server Security, 2nd edition, O’Reilly, 2005.
2. Aeleen Frisch, Essential System Administration, 3rd edition, O’Reilly, 2002.
3. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.
4. Andrew Morgan, Linux PAM System Administrator’s Guide, http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html, 2002.
5. Evi Nemeth et al., UNIX System Administration Handbook, 3rd edition, Prentice Hall, 2001.
6. Red Hat, Red Hat Enterprise Linux 4 Reference Guide, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/, 2005.