Table of Contents

Previous Chapter

Unix System Security.

13 Unix System Security.

• Knowing how the system may be attacked
  
• Knowing how to protect against these attacks
  
• Monitoring your system
  
• Teaching users how to be "safe" and getting them to work with you
  
• Knowing what to do when you detect you've been hit
  

13.1 Knowing how the system may be attacked

• Guide to Cracking Unix article
  
• Usenet computer-security FAQ files
  
• Compromise FAQ
  

13.1.1 Detecting an attack

• System crashes
  
  • Repeat crashes usually hardware related
    
  • Read log files/console for panic reasons
    
  • Any patterns (e.g., time of day) should raise suspicion
    
• New accounts
  
  • Especially with UID 0
    
• New files
  
  • With setuid/setgid bits or root ownership
    
  • Hidden directories (e.g., "..." or with control characters in the name, such as backspace)
    
• Modified file
  
  • System programs (e.g., login, sh, csh, ps)
    
  • Configuration files (e.g., /etc/rc, /etc/aliases, /etc/hosts.equiv)
    
  • User files (e.g., .login, .cshrc, .history, .rhosts)
    
• Poor Performance
  
  • May indicate password cracking or packet sniffing programs
    
  • Programs to use: ps, iostat, vmstat, pstat, sar, netstat
    
• Denial of service
  
  • Exhaustion of finite resources
    
    • File space on partitions (e.g., filling /tmp)
      
    • inode table
      
    • process table
      
    • open files
      
    • virutal memory
      
    • network services
      
  • Destruction of data
    
    • Deleting user files/system configuration files/system programs
      

13.2 Knowing how to protect against these attacks

• Security Patches FAQ
  

• The COAST project at Purdue University
  
• The National Institute of Standards and Technology's (NIST)Computer Security Division (CSD)
  
• Unix Security Information from the Advanced Laboratory Workstation Project at the National Institute of Health (NIH)
  
• The Computer Emergency Response Team (CERT)
  
• Computer and Network Security Reference Index (Note: this site is in Australia)
  

• Put access controls on IP services with tcp_wrapper
  
• Remove IP services you don't really need, such as fingerd, sendmail, and tftp
  

13.3 Monitoring your system

• At the very least, log access with something like tcp_wrapper - add to effectiveness by logging to another host (see "man syslogd")
  
• Read your log files, or use a tool like swatch
  
• Detect modified programs with tripwire
  

13.4 Teaching users how to be "safe" and getting them to work with you

• Select Good Passwords (and change them regularly)
  
• Take care with .rhosts files
  
• Don't share accounts/passwords (one person, one account)
  
• Understand how to safely use the X Window System
  

13.5 Knowing what to do when you detect you've been hit

• Have security policies in place. COAST has example security policies, including examples from several Universities.
  
• There are some good guidelines in RFC1244 (chapters 5 and 6) on post-incident response, but it also provides much information on developing policies and procedures
  
• Send email to help@cac.washington.edu to report the incident
  
• Gather and preserve evidence - it may be needed by law enforcement investigators
  

13.6 Unix System Security Checklist

13.7 Vendor Security/Patch Web Sites

• Silicon Graphics -- http://www.sgi.com/Support/security/security.html
  
• IBM -- http://www.ibm.com/Security/html/resources.html
  
• Digital Equipment -- http://www.service.digital.com/patches/index.html
  
• Sun -- http://sunsolve.sun.com/
  
• RedHat (Linux) -- http://www.redhat.com/docs/errata.html
  
• Microsoft -- http://www.microsoft.com/security/
  

13.8 Computer Security related sites on the Internet

• http://crimelab.com/bugtraq/bugtraq.html (Bugtraq archive)
  
• http://www.cs.purdue.edu/coast/coast.html (Purdue's COAST home page)
  
• http://csrc.ncsl.nist.gov/ (NIST Clearning Security Resource Clearinghouse)
  
• http://www.openmarket.com/info/intindex/ (Internet Facts)
  
• http://www.dct.ac.uk/www/books/hacker-crackdown/hacker.html(Hacker Crackdown book)
  
• http://www-ns.rutgers.edu/www-security/reference.html(Rutgers WWW Security References)
  
• http://www.commerce.net:8000/directories/jumpstation/sectools.html(Electronic Commerce Jumpstation - Security Tools)
  
• http://www.underground.org/
  
• http://www.alw.nih.gov/Security/security-docs.html (NIH web pages)
  
• http://www.faqs.org/faqs/sgi/faq/security/l (SGI Security FAQ)
  
• http://sites.inka.de/~W1012/freefire-l/tools.html (Freefire project)
  

13.9 Example Problems and Reading

• Get a copy of Crack (a password cracker) from cert.sei.cmu.edu and run it against your /etc/passwd file. See how many passwords it can break.
  
• Get a copy of COPS (a system security checker) from cert.sei.cmu.edu and run it on your system to see what it finds. You may wish to set this up so it runs under cron to regularly check your system.
  
• Here are some interesting articles/papers on system security issues.
  

Table of Contents

Next Chapter