Security
we need explanation
Colin Meyer,
cmeyer@helvella.org
* How machines are attacked
* Dangers of local attacks:
* change critical files (/etc/passwd, /etc/hosts.equiv, etc)
* read or change private data
* monitor usage or network traffic (sniff passwords, private data)
* Network attacks:
* once someone is in the machine, dangers are the same as
local attacks
* motives for attacks:
* access data (financial info, passwords to other systems)
* access machine to use in other attacks, automated or otherwise
* Network Basics
* interfaces, IP addresses and DNS
* services and ports (/etc/services)
* services are handled either by the inetd daemon (one process that
listens on many ports and starts the right program per connection)
or by a separate daemon dedicated to that particular service
* telnet - 23
* smtp (email) - 25
* ssh - 22
* http (www) - 80
* Overview of network attacks:
* sniffed passwords / brute force
* trick a network service into doing something it was not meant to do:
* buffer overruns
* spoofing ...
* man in the middle attacks
* Essence of safety
* Shut down unnecessary services!
* replace weak services with stronger, encrypted services
* How to detect what network services are running on a given machine.
* testing from localhost:
netstat --listening -n (-n shows port numbers instead of names; add
-t or -u to restrict to tcp or udp, and -p as root to see which
process owns each socket)
* testing from a foreign host (aka port scan):
nmap -v -sT -O hostname (-sT: full TCP connect scan, -O: guess the
remote OS from its TCP/IP fingerprint; -O needs root)
* found at www.insecure.org/nmap
* useful for testing what services are visible from other networks
or outside of your firewall
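An added example (not from the talk) of what to do with the netstat output once you have it: the script below parses "netstat -ltun"-style output, lists the listening sockets that are reachable from the network (skipping ones bound only to 127.0.0.1 or ::1, which a port scan from another host would never see), compares them with an allow list of what you expect to be running, and names the rest from /etc/services. The sample netstat output is constructed for the example; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: audit which listening sockets are reachable from the network.
# Feed it "netstat -ltun" output (-l listening, -t tcp, -u udp, -n numeric).
# The sample below is constructed for this example, not captured from a real host.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# exposed_ports: print "proto/port" for each listening socket bound to something
# other than the loopback address, i.e. one that a remote host could connect to.
# Sockets bound only to 127.0.0.1 or ::1 are skipped: they are local-only.
exposed_ports() {
    LC_ALL=C awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr !~ /^127\./ && addr != "::1")
            printf "%s/%s\n", substr($1, 1, 3), port
    }' | LC_ALL=C sort -u
}

# unexpected_ports ALLOWLIST: everything exposed that is not in the
# space-separated "proto/port" allow list. Empty output means nothing surprising.
unexpected_ports() {
    allow=" $1 "
    exposed_ports | while read -r p; do
        case "$allow" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# service_name PROTO PORT: look the port up in /etc/services (falls back to "?").
service_name() {
    [ -r /etc/services ] || { echo '?'; return 0; }
    name=$(awk -v p="$2/$1" '$1 !~ /^#/ && $2 == p { print $1; exit }' /etc/services)
    echo "${name:-?}"
}

# Demo on the constructed sample: only ssh and www are expected to be reachable.
# On a real host replace the printf with:  netstat -ltun | unexpected_ports "..."
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "tcp/22 tcp/80" | while read -r p; do
    echo "unexpected listener: $p ($(service_name "${p%/*}" "${p#*/}"))"
done
```

The awk assumes netstat's column layout (local address in column 4); `ss -ltun` puts it in column 5, so adjust the field number if you use ss instead. Running it from a second host with nmap remains the real test, since a packet filter between the two may hide ports that netstat shows as open.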
* How to tighten network services
* Using your system's tools:
* on SuSE
* YaST: System Administration: Network
: Change Configuration File
/etc/rc.config, SuSEConfig
* RedHat:
* chkconfig, ???
* Network services served via inetd
* inetd.conf (one line per service), tcpd (the TCP wrapper, which
checks /etc/hosts.allow and /etc/hosts.deny before handing the
connection to the real server)
* edit inetd.conf (comment out the line), then kill -1 inetd: signal 1
is SIGHUP, which makes inetd re-read inetd.conf without a restart
* kill -1 `ps ax |perl -nale 'print $F[0] if m{/inetd$}'`
* or restart it through its init script:
/sbin/init.d/inetd restart (SuSE)
/etc/rc.d/init.d/inetd restart (RedHat)
* Services served via individual daemons
* /etc/init.d and the default runlevel (the initdefault line in
/etc/inittab; the `runlevel` command prints the current one)
* 0 is system halt, 1 or S is single user, 6 is reboot; the other
numbers are distribution-specific: on SuSE of this vintage 2 is
multi-user with network and 3 adds xdm (graphical login), while on
RedHat 3 is full multi-user and 5 is the graphical login
* /sbin/init.d (SuSE) or /etc/rc.d/init.d (RedHat)
* in this directory are scripts that control the system's daemons
* rcn.d/ (where n is a runlevel, 0 through 6 or S) control the
daemons for each runlevel
* full of links to the controlling scripts
* the link names start with an 'S' (start) or 'K' (kill) followed by a
two-digit ordering number and the service name, e.g. S80sendmail;
on entering a runlevel the K scripts are run with "stop", then the
S scripts with "start", in numeric order
* to stop a service from being started in a particular runlevel,
delete (or rename) the S link in that runlevel's directory and leave
the K link, so the daemon is still stopped when you enter that level
(on RedHat, chkconfig --del does this for you)
[and kill the daemon, if it is currently running]
* you can mess up your system mucking around here
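One added example (not part of the original notes) covering both of the preceding sections: disabling a service in inetd.conf, writing a default-deny tcp_wrappers policy, and removing an S link from a runlevel directory. Every function works on whatever file or directory you pass in, and the sample tree it builds under mktemp is constructed here, so you can try it without touching /etc. The function names, the hosts.allow contents, the sample services and the use of pgrep are assumptions of the example.

```shell
#!/bin/sh
# Added example: disabling network services the two ways the outline describes,
# inetd-served (edit inetd.conf, then SIGHUP inetd) and standalone daemons
# (remove the S link from the runlevel directory). Every function takes the
# file or directory to operate on as an argument so it can be tried on a copy.

# inetd_disable CONF SERVICE: comment out SERVICE's line(s) in CONF, keeping
# CONF.bak. SERVICE is matched literally as the first field (e.g. "telnet").
inetd_disable() {
    cp "$1" "$1.bak"
    sed "s/^\($2[[:space:]]\)/#\1/" "$1.bak" > "$1"
}

# inetd_enabled CONF SERVICE: true if an uncommented line for SERVICE remains.
inetd_enabled() {
    grep -q "^$2[[:space:]]" "$1"
}

# inetd_reload: ask a running inetd to re-read inetd.conf. SIGHUP does not
# restart inetd, it only reloads the config; does nothing if inetd is not
# running. Assumes pgrep is installed.
inetd_reload() {
    pid=$(pgrep -x inetd 2>/dev/null) || return 0
    kill -HUP $pid
}

# wrappers_default_deny ALLOW DENY NET: tcp_wrappers policy files, deny
# everything first, then allow two daemons from one network (NET in
# hosts_access form, e.g. "192.168.1."). Only affects services started through
# tcpd (or daemons linked with libwrap); a daemon started directly ignores them.
wrappers_default_deny() {
    printf 'ALL: ALL\n' > "$2"
    printf 'sshd: %s\nin.ftpd: %s\n' "$3" "$3" > "$1"
}

# rc_disable RCDIR SERVICE: remove the S link(s) for SERVICE from one rcN.d
# directory, leaving the K link so the daemon is still stopped on entry.
rc_disable() {
    for l in "$1"/S[0-9][0-9]"$2"; do
        if [ -L "$l" ]; then rm "$l"; fi
    done
}

# rc_enabled RCDIR SERVICE: true if an S link for SERVICE exists in RCDIR.
rc_enabled() {
    for l in "$1"/S[0-9][0-9]"$2"; do
        if [ -L "$l" ]; then return 0; fi
    done
    return 1
}

# make_sample_tree: a throwaway copy of the relevant files, constructed for
# this example (three inetd services, one runlevel dir with S/K links).
# Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' \
        'ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a' \
        'telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd' \
        'finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd' > "$d/inetd.conf"
    mkdir "$d/init.d" "$d/rc3.d"
    for s in network sendmail httpd; do
        printf '#!/bin/sh\necho "$0 $1"\n' > "$d/init.d/$s"
        chmod 755 "$d/init.d/$s"
    done
    ln -s ../init.d/network  "$d/rc3.d/S10network"
    ln -s ../init.d/sendmail "$d/rc3.d/S80sendmail"
    ln -s ../init.d/sendmail "$d/rc3.d/K30sendmail"
    ln -s ../init.d/httpd    "$d/rc3.d/S85httpd"
    echo "$d"
}

# Demo on the sample tree: drop telnet and finger from inetd, write the
# wrapper policy, and stop sendmail from starting in runlevel 3.
d=$(make_sample_tree)
inetd_disable "$d/inetd.conf" telnet
inetd_disable "$d/inetd.conf" finger
wrappers_default_deny "$d/hosts.allow" "$d/hosts.deny" "192.168.1."
rc_disable "$d/rc3.d" sendmail
cat "$d/inetd.conf"; ls "$d/rc3.d"
rm -rf "$d"
```

On a real system the arguments would be /etc/inetd.conf, /etc/hosts.allow, /etc/hosts.deny and /sbin/init.d/rc3.d (SuSE) or /etc/rc.d/rc3.d (RedHat), followed by inetd_reload and a "stop" of the daemon you just unlinked. Note that "ALL: ALL" in hosts.deny is only enforced for connections that pass through tcpd or a libwrap-aware daemon, which is why the inetd.conf lines in the sample all invoke /usr/sbin/tcpd.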
* Secure alternatives to common services
* Replace telnet and ftp with ssh (and scp for file transfer)
* www.openssl.org, www.openssh.org
* the whole session, including the login password, is encrypted;
note that ssh protects only its own connections, not the host's
other traffic
* Replace sendmail with qmail (http://cr.yp.to/qmail.html) or
postfix (http://www.postfix.org/)
* Tighten remaining services (www as an example)
* put it on a separate box outside of your firewall (a DMZ), so that a
compromised webserver does not give access to the internal network
* delete unused cgi programs (or disable cgi entirely)
* use https and password authentication for sensitive data
* be sure that the webserver is configured properly
* server doesn't let users view sensitive files (no directory listings
of configuration directories, no editor backups or password files
left under the document root)
* server can't write to any sensitive files (including its own
configuration files): run it as an unprivileged user and keep the
configuration owned by root and read-only for that user
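Two checks for the last two bullets, as an added example (not from the talk or from any web server's own tooling): one lists files the server could write to, the other lists leftover files under the document root that would be served to anyone who guesses the name. The directory layout and files it builds are constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: two checks for the "configured properly" bullets, run
# against a web server's configuration directory and document root. Nothing
# here is specific to one server; the paths are whatever you pass in.

# www_writable_files DIR [USER]: files under DIR that are world-writable, or
# (if USER is given) owned by USER, the account the server runs as. The server
# must not be able to rewrite its own configuration, so for the config
# directory the expected output is empty. USER must be an existing account.
www_writable_files() {
    if [ -n "$2" ]; then
        find "$1" -type f \( -perm -0002 -o -user "$2" \)
    else
        find "$1" -type f -perm -0002
    fi | LC_ALL=C sort
}

# www_leftover_files DIR: files in the document root that a server will
# happily serve but nobody meant to publish: editor backups, .bak/.orig/.old
# copies, password files, core dumps.
www_leftover_files() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' -o -name '*.orig' \
        -o -name '*.old' -o -name '.htpasswd' -o -name 'core' \) | LC_ALL=C sort
}

# make_sample_www: constructed tree for this example, with one deliberately
# world-writable config file and some junk in the document root. Prints its path.
make_sample_www() {
    t=$(mktemp -d)
    mkdir "$t/conf" "$t/htdocs"
    echo 'ServerName www.example.com' > "$t/conf/httpd.conf"
    echo 'text/html html' > "$t/conf/mime.types"
    chmod 0644 "$t/conf/httpd.conf"
    chmod 0666 "$t/conf/mime.types"          # the mistake the check should catch
    for f in index.html index.html~ .htpasswd config.php.bak; do
        echo "$f" > "$t/htdocs/$f"
        chmod 0644 "$t/htdocs/$f"
    done
    echo "$t"
}

# Demo: report both problems on the sample tree, then clean up.
t=$(make_sample_www)
echo "writable config files:"; www_writable_files "$t/conf"
echo "leftover files in htdocs:"; www_leftover_files "$t/htdocs"
rm -rf "$t"
```

On a real host you would call www_writable_files with the configuration directory and the user the server runs as (nobody, www, or whatever the User directive says), and www_leftover_files with the document root and the cgi-bin directory; anything the second one prints is reachable by URL.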
* additional security practices
* encrypting private data
* changing passwords regularly (yeah, right!)
* don't pass sensitive data over unencrypted channels:
* telnet, email, ftp
Resources:
Linux Network Administrator's Guide
http://linuxdoc.org/LDP/nag2/
Linux Administrator's Security Guide
http://linuxdoc.org/LDP/lasg/
Linux Security Quick Reference Guide
http://linuxdoc.org/LDP/ls*quickref/QuickRefCard.pdf
Underground: Tales of hacking, madness and obsession on the electronic
frontier http://www.underground-book.com/