
UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION

(SYSTEM SECURITY UNDER UNIX AND ADVANCED ADMINISTRATION)

A.Davous, 01/02/2009

Unix Security Advanced Admin

FOREWORD
- No absolute security as long as the system is accessed
- In system administration, the evil is in the details

For questions, contact antoine.davous@aviler.com with [ESGI] in the subject field; otherwise the mail will be considered as spam by server rules.

INTRODUCTION
- UNIX FLAVORS
- COMMON SENSE RULES OF SECURITY
- HOW SECURITY IS COMPROMISED
- UNIX DAEMONS, SERVICES AND SERVERS
- HANDS-ON: SUN VIRTUAL BOX

WELL-KNOWN EXAMPLES
- Sendmail debug command mode: as sendmail runs setuid root, a user could run any command with root power (try sudo and vi !...)
- Command passwd -f: no control of the entered GECOS field, so a user could add any new line to the password file
- Buffer overflow is a variant: a user can execute shellcode (to get a root shell) previously saved at some memory address, in programs that accept input without any control (exploit)
- More generally, any software that does not control file ownership: you just have to link to any system file

FOR INFORMATION: UNIX RELEASES

[Figure: Unix time line, with marks at 1969, 1977, 1983, 1991, 1992, 1993, 1994, 1995, 2000, 2001 and 2003]
- AT&T Labs Unix -> Berkeley BSD Unix ; Unix System V
- Solaris, from BSD & SysV: Solaris 1.0 (= SunOS 4), Solaris 2.5 (= SunOS 5.5), Solaris 8 (= SunOS 5.8), Solaris 9 (= SunOS 5.9) ; FreeBSD, OpenBSD
- Linux, from scratch: Linus Torvalds' Linux ; Slackware, Debian ; kernel 1.0 stable ; RedHat ; kernel 2.4 ; Fedora Core ; kernel 2.6

A.Davous, 17/09/2008, Solaris vs. Linux

FOR INFORMATION: UNIX FLAVORS
- Unix time line: http://www.levenez.com/unix/
- Linux distributions time line: http://futurist.se/gldt/gldt76.png

REMINDER: UNIX MANDATORY
- Read, read again the documentation: man, man -k, makewhatis -u
- vi: what else could be expected? vim, but watch its configuration and security
- Shells: sh is the best choice for scripting, then tcsh or bash (current shell: ps)
- find, diff, touch, sort [-n], xargs
- grep, egrep, awk, Perl, expect

WELL-KNOWN ATTACKS

Name | Category | Definition
Sniffing | Network | Get information from network transactions
Spoofing or network masquerading | Network | Take the identity of someone else
Denial of service | Network | Try to stop or degrade a service
Replaying | Authentication | Replay an abusive authentication or transaction
Repudiation | Authentication | Reject an authentication or transaction
Spam | Mail | Undesirable mail
Phishing | Mail | Disguised mail to get confidential data
Hoax | Mail | Joke with more or less consequences
Dictionary | Password | Test with a list of the most current words

MALICIOUS PROGRAMS (MALWARE)

Name | Definition
Virus | Inserts malicious code on the machine
Worm | Separate process that exploits security holes across the network
Trojan horse | Malicious program disguised as something innocuous or desirable
Backdoor | Method to bypass normal authentication procedures
Rootkit | Software set installed to get abusive rights, install a backdoor and stay hidden
Spyware | Gathers information for commercial purposes
Key logger | Copies down the user's keystrokes
Exploit | Exploits a security breach of a piece of software

SECURITY KEY CONCEPTS
- 3 security goals: confidentiality, integrity, availability
- 3 usual answers to threats: ignore, improvise or try to over-secure
- Right answer: determine the field, identify and evaluate the cost of resources (financial, confidentiality or production), determine security risks and strategy, monitor, upgrade

STRATEGIES
- Strategies:
  - Accept the threat but have a recovery plan
  - Reduce the threat by appropriate means
  - Transfer the threat to a vendor
  - Bypass the threat by blocking access
- Understanding is key: example of mail user privilege
- Protect all layers: example of firewalls
- Reduce the exposed surface
- Protect, but detect and answer: administrate!
- Security is, or must be, part of conception, operation and deployment

RISKS AND STRATEGY
- Risks
  - Human: malicious, but often from authorized users
  - Technical: hardware (physical access), software
  - It is up to the sysadmin to decide what they are and the right level of protection
- Strategy
  - Security and comfort are a compromise
  - Have a security policy, especially a recovery procedure

HOW TO DO
- In-depth (passive) protection
  - (Physical premises access)
  - Network filtering
  - Passwords
  - Encryption
  - Backup
- (Active) security process
  - Monitor and add corrections
  - Full audit
  - Upgrade

SECURED DESIGN
- Open design or secret design debate (hidden flaws, issues discovered by the community, provocation to exploits)
- Common breaches
  - Least user access (chroot as a solution)
  - Buffer overflow
  - printf function (format string under user control: conversion specifiers inserted into the string)
  - Web programming (URL forging)
  - Transactions, client/server (man-in-the-middle; encryption and hashing as solutions)

SOME TABLE LAWS
- If someone can execute something on your computer, or if someone can modify your OS, or if someone can physically access your computer, it will not belong to you anymore
- As well, if someone can execute something on your web site, it will not belong to you anymore
- Weak passwords lead to security breaches
- A system is as secure as the sysadmin wants it to be
- Encrypted data are as secure as the key used to encrypt them
- An anti-virus that is not updated is as useful as no anti-virus
- Anonymity is not useful, but confidentiality is
- Technology is not the be-all and end-all
- Security measures work well when they are simple to use for the sysadmin and transparent to users

REMINDER: PROCESSES
- Processes have four identities: real (for accounting) and effective (for access permissions) UID and GID; usually the same, except when the setuid or setgid bit is set
- Command ps
- Kinds of processes
  - Interactive: controlled with &, ^Z, jobs
  - Batch
  - Daemons
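A setuid or setgid bit is exactly what lets a process run with an effective UID different from its real one, and the sendmail case in the "Well-known examples" slide shows why every such program deserves attention. The following POSIX sh audit is an added example written for this page (not code from the course): it lists the s-bit files below a directory and reports those missing from an allowlist kept by the sysadmin (one absolute path per line; the path /etc/setuid.allow in the comment is assumed).

```sh
#!/bin/sh
# Audit of setuid/setgid files (example for this page, not course code).
# find_setuid DIR : print setuid or setgid regular files below DIR,
# staying on one filesystem and ignoring unreadable directories.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# audit_setuid DIR ALLOWLIST : print the s-bit files that are not listed
# in ALLOWLIST; return 1 if there is at least one, 0 if all are known.
audit_setuid() {
    # -x whole-line match, -F literal strings, -v keep the unknown ones;
    # "|| true" keeps the function usable under "set -e" when nothing is left
    _unexpected=$(find_setuid "$1" | grep -v -x -F -f "$2" || true)
    if [ -n "$_unexpected" ]; then
        printf '%s\n' "$_unexpected"
        return 1
    fi
    return 0
}

# Typical use from cron (allowlist path assumed):
#   audit_setuid / /etc/setuid.allow || echo "unexpected setuid files, see above"
```

Review the reported files one by one: a new s-bit binary outside the allowlist is either a package update to record or something that should not be there.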

DAEMONS, SERVERS, SERVICES
- Daemon, server, service concepts
- Daemon: program not part of the kernel; process that performs a specific function or system-related task
- Starts at boot time or on demand
- Specific system daemons:
  - init, the primordial process
  - cron, that schedules commands
  - inetd, that manages some of them

WELL-KNOWN DAEMONS

Name | Description
init | First process
syslogd, rsyslogd | Syslog logging
sendmail | Mail MTA (Mail Transfer Agent)
lpd, lpsched | Print scheduler
crond | Cron process scheduler
getty, mingetty | Terminal support
syncd, fsflush, bdflush, pdflush | Disk buffer management
pagedaemon, swapper, kswap | Swap management
inetd | Main daemon to start on-demand TCP/IP services such as telnetd, ftpd, rshd; see /etc/inetd.conf
named | BIND DNS (Domain Name System)
routed, gated | TCP/IP routing daemons
dhcpd | DHCP (Dynamic Host Configuration Protocol)
portmap, rpcbind | Port service resolution for RPC (Remote Procedure Call)
nfsd | NFS (Network File System)
smbd, nmbd | Samba
httpd | Apache HTTP server
timed, ntpd, xntpd | NTP (Network Time Protocol)

init DAEMON
- First process to run after system boot
- Always has PID 1 and is the ancestor of all other processes
- After startup, init consults /etc/inittab (or /etc/ttys for BSD) to determine on which physical ports it should expect users to log in (getty processes, even though network daemons are largely used today, or xdm for the graphical interface)
- Also takes care of zombie processes (not running but still listed)
- init defines run levels (passed to it as argument from the boot loader): 0 to 6 and s (single-user)
- An additional layer is given by the startup scripts in /etc/init.d, linked to the start and stop scripts in /etc/rcX.d

REMINDER: BOOTING / SHUTTING DOWN (Solaris SPARC | Solaris x86/64 | Linux (Fedora Core))

Boot firmware
- Solaris SPARC: Boot PROM, accessed with STOP-A; boot -s: single-user; boot -r: reconfigure (device detection); see ls -l /dev/rdsk/c0t0d0s0
- Solaris x86/64: ROM BIOS
- Linux: ROM BIOS

Boot loader
- Solaris SPARC: boot loader
- Solaris x86/64: MBR of the boot device, boot loader (GRUB since 5.10, see /boot/grub/menu.lst); boot -s: single-user; boot -r: reconfigure; see ls -l /dev/rdsk/c0t0d0s0
- Linux: MBR of the boot device, boot loader (GRUB, see /boot/grub/menu.lst)

Kernel loading and initialization (all three)

Device detection and configuration
- Solaris SPARC and x86/64: device configuration; touch /RECONFIGURE
- Linux: device detection and configuration

Execution of startup scripts (all three)
- Level 0: shut down (init 0) - Level 1 or S: single user (init s) - Level 6: reboot (init 6)
- Scripts management: Solaris: none, or see 5.10; Linux: chkconfig
- Configuration: Solaris: /etc/default; Linux: /etc/sysconfig

Multiuser mode (all three)

Shutdown
- Solaris: /usr/sbin/shutdown -g secs -i6 (reboot); /usr/sbin/shutdown -g secs -i0 (shut down); /usr/sbin/shutdown -g secs -iS (single user)
- Linux: /usr/sbin/shutdown -r secs (reboot); /usr/sbin/shutdown -h secs (shut down); /usr/sbin/shutdown -f secs (skip scandisk)

OTHER CONCEPTS
- Command dmesg
- Core dump: ulimit -c
- Path:
  - try not to modify the root profile PATH variable
  - do not set an empty entry or . in the PATH variable
  - in scripts (and configurations like cron), always use the full path for commands (set as variables at the beginning)
- Disk quotas may be used to isolate an application (vs. their original purpose)
- vi and other editors: dump files feature
- History of shell commands
- who -r
- cp -p
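As an added example for this page (not code from the course), a POSIX sh function that applies the PATH rules above to a PATH string: it reports empty entries and "." (both mean the current directory), relative entries, and world-writable directories, the cases in which a file planted by another user can be picked up in place of a system command. It uses only ls, cut and parameter expansion, so it also works from a cron job or a root profile check.

```sh
#!/bin/sh
# check_path "PATH-like string" : print one line per unsafe entry and
# return 1 if any was found, 0 otherwise (example for this page).
# Flagged: empty entries, ".", relative paths, and existing directories
# writable by everybody (including sticky ones such as /tmp, where other
# users can still create files). Nonexistent directories are not flagged.
check_path() {
    _rest="$1:"        # trailing ":" sentinel so the last entry is processed
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}   # text before the first ":"
        _rest=${_rest#*:}     # the remainder
        case "$_entry" in
            "")  echo "unsafe: empty entry (current directory)"; _bad=1 ;;
            .)   echo "unsafe: . (current directory)"; _bad=1 ;;
            /*)  # absolute path: check the "other write" bit (column 9 of ls -l),
                 # -L so a symlinked directory is judged on its target
                 if [ -d "$_entry" ] && [ "$(ls -ldL "$_entry" | cut -c9)" = w ]; then
                     echo "unsafe: $_entry is world-writable"; _bad=1
                 fi ;;
            *)   echo "unsafe: relative entry $_entry"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Usage: check_path "$PATH" || echo "fix PATH before relying on bare command names"
```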

PASSWORD CRACK TOOLS

Usage of these tools is illegal on computers where you have not been explicitly authorized to do it. But it is recommended to test your own password files anyhow: crackers will do it with them.

Crack
- Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin
- Quick-start commands:
  # umask 077
  # ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
  # Crack -nice 5 /root/unshadp
  # CrackReporter
- Results in the ~/run directory

John the Ripper
- Locations: /usr/share/john ; /usr/libexec/john
- Quick-start commands:
  # umask 077
  # unshadow /etc/passwd /etc/shadow > /root/unshadp
  # john [--rules --wordfile=FILE] /root/unshadp
- Results in ~/john.pot

ROOT PASSWORD RECOVERY
- To show the importance of physical access
- The GRUB bootloader has a timeout (/boot/grub/menu.lst): suppress it (0) or set a password on the bootloader

Simplest procedure using single-user mode (case of Fedora 10):
- At the GRUB screen, edit the current boot line (e)
- Edit the kernel line (e) by adding single at the end (single-user mode)
- Save and boot (b)
- The passwd command can then be entered with root privileges to reset the root password
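Added example for this page, not from the course: the two /boot/grub/menu.lst settings the slide refers to, the weak one beside the hardened one. The md5 hash is a placeholder to be replaced with the output of grub-md5-crypt; the boot entries themselves are left out.

```text
# /boot/grub/menu.lst (GRUB legacy, as shipped with Fedora 10)

# Weak: the menu stays on screen for 5 seconds and anyone at the console
# can press "e" and append "single" to the kernel line, as in the
# recovery procedure above.
default=0
timeout=5

# Hardened: no delay before the default entry boots, and editing an entry
# or opening the GRUB command line first requires "p" and the password.
# The hash is a placeholder: generate the real one with grub-md5-crypt.
default=0
timeout=0
password --md5 $1$PLACEHOLDER$replace_with_grub-md5-crypt_output

# (title / root / kernel / initrd entries follow, unchanged)
```

The password only raises the bar at the console; as the slide says, physical access (boot media, removing the disk) still defeats it.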

Sun xVM VirtualBox - 1
- VirtualBox release 2.1.2, found at www.virtualbox.org (accept installation of USB and network drivers)
- Host and guest concepts: see the manual
- Guest Additions concept
- Fedora 10, found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso: 32 bits although 64 is supported by xVM, English edition, installable Live CD)

Sun xVM VirtualBox - 2
Installation procedure (example is Fedora):
- New machine; choose the OS, select the memory size (2 GB, but less than the host!), add a virtual disk (fixed, 10 GB).
- Mount the OS ISO local file as CD/DVD-ROM.
- Start!... (ignore both messages: no additions installed yet)
- When started, use the "Install on hard disk" icon. Select French keyboard.
- Shut down, unmount the CD/DVD and restart.
- Upgrade system and application packages (Yum).
- Install the dkms package (Dynamic Kernel Module Support Framework).
- Install the GNU make and gcc packages.
- Mount the Guest Additions ISO with the "Devices, Install Guest Additions" xVM menu.
- Run Sun's script (cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run)
- Restart.

Sun xVM VirtualBox - 3
Installation procedure particularities for Debian 4:
- Installation of the small image via Internet.
- Disk partitioning without LVM, one root partition.
- Desktop and system packages.
- Synaptic Package Manager used for package installation: make, gcc and kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686; check the release with the command uname -a).

REMOTE ACCESS TO SYSTEM
- PuTTY
- Xming XLaunch utility
- But otherwise, X specific, exporting the display:
  - Run your X server on the PC (nothing required if PuTTY is used, because the X protocol is encapsulated in SSH, port 22; otherwise, ports XDMCP 177 and 6000 should be opened)
  - Then, on the client: setenv DISPLAY server:0.0 ; echo $DISPLAY

USEFUL LINKS
- Secure Programming for Linux and Unix HOWTO: http://www.dwheeler.com/secure-programs/
- Perl packages and more: www.cpan.org
- Sun's JASS, Solaris Security Toolkit: http://www.sun.com/software/security/jass
- Quick Reference Cards, useful for those related to Unix: http://www.digilife.be/quickreferences/quickrefs.htm
- CERT security information: http://www.cert.org/cert/
- AusCERT Unix and Linux Security Checklist v3.0: http://www.auscert.org.au/5816
- RADCOM protocols.com web site (protocols map): http://www.protocols.com/pbook/tcpip1.htm#MAP

WORTH READING
- Unix System Administration Handbook, Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein, Prentice Hall
- Essential System Administration, Aeleen Frisch, O'Reilly
- TCP/IP Illustrated, Richard Stevens
- TCP/IP Network Administration, Craig Hunt, O'Reilly

WINDOWS TOOLS USED DURING THIS SESSION
- Wireshark (prev. Ethereal), network protocol analyzer: http://www.wireshark.org
- PuTTY, SSH client: http://www.chiark.greenend.org.uk/~sg
- Xming, PC X server: http://www.straightrunning.com/Xming
- VirtualBox, virtualization: http://www.virtualbox.org/
- EasyBCD, Windows Vista bootloader utility: http://neosmart.net/
- Apache JMeter, HTTP workbench: http://jakarta.apache.org/jmeter/