CSC 382: Computer Security
UNIX Security


Topics

1. Accounts and Groups

2. UNIX ACLs

3. UNIX Boot Process

4. Linux Services

5. Inetd

6. Cron

7. Network Services

Accounts and Groups

User accounts
• UID identifies the user to the system.
• User information is stored in /etc/passwd (world-readable).
• Password hashes are stored in /etc/shadow (readable only by root).

Groups
• GID identifies the group to the system.
• A user can belong to multiple groups.
• Group membership is stored in /etc/group.

The /etc/passwd file

Format: one user per line, colon-separated fields:
    Username:Password:UID:GID:GECOS:Homedir:Shell

The Password field holds "x" when the hash lives in /etc/shadow; GECOS is the free-text comment (full name, office).

Example (Solaris system accounts):
    root:x:0:1:Super-User:/:/sbin/sh
    daemon:x:1:1::/:
    bin:x:2:2::/usr/bin:
    sys:x:3:3::/:
    adm:x:4:4:Admin:/var/adm:
    lp:x:71:8:Line Printer Admin:/usr/spool/lp:
    uucp:x:5:5:uucp Admin:/usr/lib/uucp:

An empty Shell field does not disable logins: login(1) falls back to /bin/sh, so a system account that should never log in needs a locked password in /etc/shadow and an explicit non-shell such as /bin/false.

UNIX Groups

The groups command lists the groups you currently belong to.

Group membership is stored in /etc/group, one group per line:
    groupname:password:GID:member,member,...

    bin::2:root,bin,daemon
    uucp::5:root,uucp
    daemon::10:root,daemon
    uml::605:uml,walden,smith,kang
    walden::2331:walden
    nobody::60001:

The member list only records supplementary membership; a user's primary group comes from the GID field of /etc/passwd and need not be listed here.
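The two files above are small enough to audit by hand on one host, but the checks worth making are mechanical. The following is an added example (not part of the original slides) that parses passwd and group text in the formats just described, computes what the groups command would print, and flags the findings a reviewer looks for: a second UID-0 account, a hash left in world-readable /etc/passwd, an empty shell field, and duplicate UIDs. The PASSWD and GROUP strings are constructed sample data, not copied from any real system.

```python
"""Audit of /etc/passwd and /etc/group as the slides describe them.
Added example (not part of the original slides). PASSWD and GROUP are
constructed sample data for the demo, not copied from a real host."""
from collections import Counter

# Constructed sample data. It deliberately contains a second UID-0 account
# (toor), a hash left in /etc/passwd (smith), and an empty shell field (lp).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
toor:x:0:0:backup root:/root:/bin/sh
walden:x:1001:1001:J. Walden:/home/walden:/bin/bash
smith:$1$abc$def:1002:1002:Smith:/home/smith:/bin/bash
lp:x:71:8:Line Printer Admin:/var/spool/lp:
"""

GROUP = """\
root:x:0:
bin:x:2:root,bin,daemon
lp:x:8:
uml:x:605:uml,walden,smith,kang
walden:x:1001:
wheel:x:10:root,walden
"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return one dict per entry; passwd(5) has exactly seven ':'-separated fields."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        user = dict(zip(PASSWD_FIELDS, fields))
        user["uid"], user["gid"] = int(user["uid"]), int(user["gid"])
        users.append(user)
    return users


def parse_group(text):
    """Return {groupname: (gid, set_of_supplementary_members)} from /etc/group."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def effective_groups(username, users, groups):
    """What the `groups` command prints: the primary group named by the passwd GID
    plus every /etc/group entry that lists the user as a member."""
    user = next(u for u in users if u["name"] == username)
    name_by_gid = {gid: name for name, (gid, _members) in groups.items()}
    result = {name_by_gid.get(user["gid"], str(user["gid"]))}
    result |= {name for name, (_gid, members) in groups.items() if username in members}
    return sorted(result)


def audit_passwd(users):
    """Findings a reviewer wants from a passwd file, as (kind, subject) tuples."""
    findings = []
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra-uid0", u["name"]))      # a second root account
        pw = u["password"]
        if pw == "":
            findings.append(("empty-password", u["name"]))  # login with no password at all
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # A hash in world-readable /etc/passwd can be cracked offline;
            # it belongs in /etc/shadow (the 'x' marker).
            findings.append(("hash-in-passwd", u["name"]))
        if u["shell"] == "":
            # login(1) falls back to /bin/sh when the shell field is empty,
            # so this does not disable logins for a system account.
            findings.append(("empty-shell", u["name"]))
    for uid, count in Counter(u["uid"] for u in users).items():
        if count > 1:
            findings.append(("duplicate-uid", uid))         # two names share one identity
    return findings


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    for kind, subject in audit_passwd(users):
        print("%-15s %s" % (kind, subject))
    print("walden's groups:", " ".join(effective_groups("walden", users, groups)))
```

On a real host, read the two files instead of the embedded strings; the checks are the same, and the password check should be repeated against /etc/shadow, where an empty second field is the same finding.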

UNIX ACLs (permission bits)

Three classes of permissions:
• user (the file's owner)
• group (the file's owning group)
• other (everyone else)

Three permissions per class:
• read
• write
• execute (search, for directories)

UID 0 bypasses the read and write checks entirely. The one exception is execute: root can execute a regular file only if at least one of its execute bits is set.

UNIX Access Control Model

On object access the OS compares the process's EUID, EGID and supplementary groups with the file's owner, group and mode bits. The first matching class applies: if the EUID is the owner, only the user bits count; otherwise, if the EGID or a supplementary group matches the file's group, only the group bits count; otherwise the other bits count. This is not a "best match": an owner whose user bits are --- is denied even when the other bits would grant access.

Usually EUID=UID and EGID=GID.

Exception: setuid/setgid programs. A setuid program runs with EUID equal to the program file's owner; a setgid program runs with EGID equal to the program file's group.
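The rule above is easy to get subtly wrong (people often assume the most permissive class wins), so here it is as code. This is an added example, not from the slides: a model of the discretionary access check with the first-matching-class rule, the root bypass with its execute exception, and the setuid/setgid effect on EUID/EGID. All UIDs, GIDs and mode values are constructed.

```python
"""Model of the access check the slide describes: the first matching class
(owner, then group, then other) decides, root bypasses read/write, and
setuid/setgid swap in the file's owner/group as EUID/EGID on exec.
Added example, not from the slides; all IDs and modes below are constructed."""
import stat

R, W, X = 4, 2, 1   # permission bits within one rwx class


def access_allowed(euid, egid, groups, file_uid, file_gid, mode, want):
    """True if a process with EUID/EGID (plus supplementary `groups`) may perform
    `want` (a bitwise OR of R, W, X) on a file with the given owner, group and
    st_mode. Exactly one class is consulted; there is no "best match"."""
    perm = mode & 0o777
    if euid == 0:
        # Root skips the read/write checks; execute still needs some x bit
        # (directories may always be searched).
        if want & X and not (perm & 0o111) and not stat.S_ISDIR(mode):
            return False
        return True
    if euid == file_uid:
        bits = (perm >> 6) & 7            # user class: only these bits count
    elif egid == file_gid or file_gid in groups:
        bits = (perm >> 3) & 7            # group class
    else:
        bits = perm & 7                   # other class
    return (bits & want) == want


def effective_ids(ruid, rgid, file_uid, file_gid, mode):
    """IDs a process carries after exec'ing `mode`: setuid gives EUID = file owner,
    setgid gives EGID = file group, otherwise EUID = UID and EGID = GID."""
    euid = file_uid if mode & stat.S_ISUID else ruid
    egid = file_gid if mode & stat.S_ISGID else rgid
    return euid, egid


def explain(euid, egid, groups, file_uid, file_gid, mode):
    """rwx string the process effectively gets on the file, for display."""
    return "".join(
        ch if access_allowed(euid, egid, groups, file_uid, file_gid, mode, bit) else "-"
        for ch, bit in (("r", R), ("w", W), ("x", X))
    )


if __name__ == "__main__":
    # Owner with mode 070 on a regular file: the user class (---) applies even
    # though the group bits would have allowed everything.
    print("owner on 070:", explain(1000, 100, [], 1000, 100, 0o100070))
    print("group member on 070:", explain(1001, 100, [], 1000, 100, 0o100070))
    print("root on 000:", explain(0, 0, [], 1000, 100, 0o100000))
    print("root on 001:", explain(0, 0, [], 1000, 100, 0o100001))
    print("setuid-root binary run by 1000:", effective_ids(1000, 100, 0, 0, 0o104755))
```

The mode values use the st_mode layout (0o100000 for a regular file, 0o040000 for a directory) so the same function can be fed the result of os.stat on a real path.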

Changing Permissions: chmod

Permission classes
• u = user
• g = group
• o = other
• a = all three

Permissions
• r = read
• w = write
• x = execute

    # remove other access
    chmod o-rwx *.c

    # add group read/write access
    chmod g+rw *.c

    # allow only you access (u=rwx alone would set just the user
    # bits and leave group and other untouched, so clear them too)
    chmod u=rwx,go= *

UNIX Boot Process

/etc/inittab controls which run level the system boots into (the initdefault entry) and what init runs at each level. Typical SysV/Red Hat run levels:
    0  Halt
    1  Single-user mode
    2  Multi-user without NFS
    3  Multi-user with networking
    5  Multi-user with X11 login
    6  Reboot

init executes the start scripts for the chosen run level; the scripts live in the /etc/rc#.d directories.

SYSV-Style Boot Scripts

/etc/init.d
• Actual location of the boot scripts.

/etc/rc#.d (one directory per run level; /etc/rc.d/rc#.d on Red Hat)
• Files are symbolic links to the /etc/init.d scripts.
• Executed in ASCII order during the boot process, kill scripts before start scripts.
• K##servername stops a server process: runs /etc/init.d/servername stop
• S##servername starts a server process: runs /etc/init.d/servername start

These scripts run as root at boot, so /etc/init.d, the rc#.d directories and every script they reference must be writable only by root.

Linux Run Levels

    Number  Name                Login  Network  Filesystems
    0       Halt
    1       Single User         Text   Down     Unmounted
    2       Multiuser (no NFS)  Text   Up       Mounted
    3       Multiuser           Text   Up       Mounted
    4       Undefined
    5       Multiuser X         GUI    Up       Mounted
    6       Reboot

You can change the run level with /sbin/init # (or /sbin/telinit #) and show the current one with /sbin/runlevel.

Linux Services

Servers started at boot
• Started from the /etc/rc#.d scripts.
• Perpetually running daemon processes.
• Examples: nfsd, httpd, and sendmail.

Servers that run only when requested
• Started by inetd when a connection arrives.
• Handle a single request, then terminate.
• Examples: fingerd, ftpd, telnetd.

Managing Red Hat Linux Services

/sbin/service
• status: is the service running or not?
• start: starts the service
• stop: stops the service
• restart: stops, then restarts the service
• --status-all: status of all services

Examples:
    > /sbin/service sendmail status
    sendmail is stopped
    > /sbin/service sshd status
    sshd (pid 21149 21147 4276) is running...
    > /sbin/service sendmail start
    Permission denied [FAILED]
    > su
    Password:
    # /sbin/service sendmail start
    Starting sendmail: [ OK ]
    Starting sm-client: [ OK ]
    # /sbin/service sendmail stop

Configuring Boot Time Services

/sbin/chkconfig
• --list: show the current service configuration (on/off per run level).
• --add service: register a service whose startup script already exists in /etc/init.d; chkconfig creates the S##/K## links in the rc#.d directories from the "chkconfig:" header in the script.
• --del service: remove the service's links.
• --level X [on|off] service: cause the service to be started (or not) when booting into run level X.

Configuring Boot Time Services: example

    # chkconfig --list
    atd       0:off 1:off 2:off 3:on  4:on  5:on
    crond     0:off 1:off 2:on  3:on  4:on  5:on
    ypbind    0:off 1:off 2:off 3:on  4:on  5:on
    iptables  0:off 1:off 2:on  3:on  4:on  5:on
    sshd      0:off 1:off 2:on  3:on  4:on  5:on
    snmpd     0:off 1:off 2:off 3:off 4:off 5:off
    syslog    0:off 1:off 2:on  3:on  4:on  5:on
    …

inetd

Centralizes the startup of lightweight network servers: inetd listens on all the configured ports and spawns the right server only when a request arrives. Each line of /etc/inetd.conf gives:
• Service name, as listed in /etc/services (which supplies the port number).
• Socket type: stream or dgram.
• Protocol: tcp/tcp6 (stream), udp/udp6 (dgram).
• wait/nowait:
  – wait: inetd hands the socket to one server and waits for it to exit before listening again; that server handles all subsequent requests itself (required for datagram services, where there is no per-connection accept()).
  – nowait: inetd accepts each connection and starts a new server for it.
• User: the UID (optionally user.group) the server runs as; prefer an unprivileged user such as nobody wherever the server allows it.
• Command and arguments: the server's path followed by its argv (argv[0] first); "internal" means inetd answers the request itself.

/etc/inetd.conf

    ftp      stream  tcp6  nowait  root    /usr/sbin/in.ftpd      in.ftpd
    telnet   stream  tcp6  nowait  root    /usr/sbin/in.telnetd   in.telnetd
    shell    stream  tcp   nowait  root    /usr/sbin/in.rshd      in.rshd
    login    stream  tcp6  nowait  root    /usr/sbin/in.rlogind   in.rlogind
    exec     stream  tcp   nowait  root    /usr/sbin/in.rexecd    in.rexecd
    talk     dgram   udp   wait    root    /usr/sbin/in.talkd     in.talkd
    uucp     stream  tcp   nowait  root    /usr/sbin/in.uucpd     in.uucpd
    finger   stream  tcp6  nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
    time     stream  tcp6  nowait  root    internal
    time     dgram   udp6  wait    root    internal
    echo     stream  tcp6  nowait  root    internal
    echo     dgram   udp6  wait    root    internal
    discard  stream  tcp6  nowait  root    internal
    discard  dgram   udp6  wait    root    internal
    daytime  stream  tcp6  nowait  root    internal
    chargen  stream  tcp6  nowait  root    internal
    chargen  dgram   udp6  wait    root    internal

Everything here except finger runs as root; ftp, telnet and the r-services (shell, login, exec) carry passwords or host-trust decisions in cleartext; and the echo/chargen datagram services can be pointed at each other to create a packet loop. Each line is a candidate for deletion.
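The observations above can be turned into a repeatable check. The following is an added example (not part of the original slides): a parser for the inetd.conf format just shown and an audit that flags cleartext login services, the "trivial" internal services, anything running as root, datagram services wrongly configured as nowait (a fork storm, since the datagram stays queued while inetd keeps spawning), and servers not yet wrapped with tcpd. It also rewrites a line to run through tcpd, using the absolute-daemon-path form documented in tcpd(8). INETD_CONF is constructed from the slide's entries plus one deliberately misconfigured tftp line.

```python
"""Audit of an inetd.conf in the format shown above: which services run as root,
which are cleartext or legacy protocols, which datagram services are
misconfigured, and which are not yet wrapped with tcpd. Added example, not from
the slides; INETD_CONF is constructed from the slide's entries plus one
deliberately broken tftp line."""

# Constructed sample (the slide's services plus a misconfigured tftp entry).
INETD_CONF = """\
# service socket proto  wait    user    server                args
ftp      stream tcp6   nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet   stream tcp6   nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell    stream tcp    nowait  root    /usr/sbin/in.rshd     in.rshd
login    stream tcp6   nowait  root    /usr/sbin/in.rlogind  in.rlogind
exec     stream tcp    nowait  root    /usr/sbin/in.rexecd   in.rexecd
talk     dgram  udp    wait    root    /usr/sbin/in.talkd    in.talkd
finger   stream tcp6   nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
tftp     dgram  udp    nowait  root    /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
echo     stream tcp6   nowait  root    internal
chargen  dgram  udp6   wait    root    internal
"""

CLEARTEXT_LOGIN = {"ftp", "telnet", "shell", "login", "exec"}   # replace with ssh
TRIVIAL = {"echo", "chargen", "discard", "daytime", "time"}     # DoS/loop fodder


def parse_inetd_conf(text):
    """One dict per active line: service socket proto wait user server [args]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(None, 6)
        if len(f) < 6:
            raise ValueError("malformed inetd.conf line: %r" % raw)
        entries.append({
            "service": f[0], "socket": f[1], "proto": f[2],
            "wait": f[3],                   # may carry a rate limit: "nowait.40"
            "user": f[4],                   # may be "user.group"
            "server": f[5],
            "args": f[6].split() if len(f) > 6 else [],
        })
    return entries


def audit_inetd(entries):
    """(service, finding) pairs, in file order."""
    findings = []
    for e in entries:
        s, internal = e["service"], e["server"] == "internal"
        wrapped = e["server"].endswith("/tcpd")
        if s in CLEARTEXT_LOGIN:
            findings.append((s, "cleartext-login"))
        if s in TRIVIAL:
            findings.append((s, "trivial-service"))
        if e["user"].split(".")[0] == "root" and not internal:
            findings.append((s, "runs-as-root"))
        if e["socket"] == "dgram" and not e["wait"].startswith("wait"):
            # inetd would fork a new server for every datagram while the first
            # datagram still sits in the queue: an instant fork storm.
            findings.append((s, "dgram-nowait"))
        if not internal and not wrapped:
            findings.append((s, "unwrapped"))
    return findings


def wrap_with_tcpd(entry, tcpd="/usr/sbin/tcpd"):
    """inetd.conf line with the server run through tcpd (absolute daemon path
    form from tcpd(8)); internal and already-wrapped entries are returned as-is."""
    if entry["server"] == "internal" or entry["server"].endswith("/tcpd"):
        fields = [entry["server"]] + entry["args"]
    else:
        fields = [tcpd, entry["server"]] + entry["args"][1:]   # drop old argv[0]
    return " ".join([entry["service"], entry["socket"], entry["proto"],
                     entry["wait"], entry["user"]] + fields)


if __name__ == "__main__":
    entries = parse_inetd_conf(INETD_CONF)
    for service, finding in audit_inetd(entries):
        print("%-8s %s" % (service, finding))
    print(wrap_with_tcpd(next(e for e in entries if e["service"] == "finger")))
```

The "unwrapped" finding is only meaningful on a system that uses tcpd; under xinetd or a host firewall the same services would be covered differently, which is the point of the next slide.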

Securing inetd

Use TCP wrappers
• Replace the server command in inetd.conf with /usr/sbin/tcpd and pass the real server as its argument; tcpd checks its ACLs, logs the connection, then execs the server.
• ACLs are based on the client's source address (and, if resolvable, hostname):
  – /etc/hosts.allow is checked first: a match grants access.
  – /etc/hosts.deny is checked next: a match denies access.
  – If neither file matches, access is granted, so a deny-by-default policy needs a final ALL: ALL rule in /etc/hosts.deny.
• Source addresses can be spoofed and DNS names forged, so wrappers limit exposure; they are not authentication.

Use xinetd
• An inetd replacement with built-in TCP-wrapper-style ACLs (only_from, no_access), per-service connection limits and logging.
• Uses the /etc/xinetd.d configuration directory, one file per service.

Use a host-based firewall
• iptables on Linux: blocks the port for everyone who does not need it, regardless of how the service is started.
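Because the evaluation order (allow file, then deny file, then allow) decides what an unmatched client gets, it is worth seeing it run. The following is an added example, not part of the original slides: an evaluator for hosts.allow/hosts.deny rules in tcpd's order that supports the common pattern forms (ALL, LOCAL, KNOWN/UNKNOWN, daemon names, dotted address prefixes, net/mask, ".domain" suffixes and EXCEPT lists). It performs no DNS lookups, so the caller supplies the client hostname when one is known; the rule text and addresses are constructed.

```python
"""Evaluation of a client against /etc/hosts.allow and /etc/hosts.deny in the
order tcpd uses: hosts.allow first (match = allow), then hosts.deny
(match = deny), and allow when neither matches. Added example, not from the
slides; the rules and addresses are constructed. No DNS lookups are done, so
the caller passes the client hostname if it has one."""
import ipaddress

HOSTS_ALLOW = """\
# daemon_list : client_list
sshd       : 10.0.0. EXCEPT 10.0.0.13
in.fingerd : 192.168.1.0/255.255.255.0
ALL        : LOCAL, .example.edu
"""
HOSTS_DENY = "ALL: ALL\n"   # deny-by-default: without this, no match means allow


def _parse_list(text):
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); commas and blanks both separate."""
    tokens = text.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_access_file(text):
    """(daemon_list, client_list) per rule; an optional third ': shell_command'
    field is ignored here."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError("malformed access rule: %r" % line)
        rules.append((_parse_list(parts[0]), _parse_list(parts[1])))
    return rules


def _client_matches(pattern, ip, host):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                     # hostname without a dot
        return bool(host) and "." not in host
    if pattern == "KNOWN":
        return bool(host)
    if pattern == "UNKNOWN":
        return not host
    if pattern.startswith("."):                # domain suffix
        return bool(host) and host.endswith(pattern)
    if pattern.endswith("."):                  # dotted address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                         # net/mask or CIDR
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or pattern == host    # literal address or hostname


def _list_matches(lst, predicate):
    include, exclude = lst
    return any(predicate(p) for p in include) and not any(predicate(p) for p in exclude)


def wrapper_decision(daemon, ip, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """'allow' or 'deny' for a connection to `daemon` from `ip` (hostname `host`)."""
    for text, verdict in ((allow, "allow"), (deny, "deny")):
        for daemons, clients in parse_access_file(text):
            if (_list_matches(daemons, lambda p: p in ("ALL", daemon))
                    and _list_matches(clients, lambda p: _client_matches(p, ip, host))):
                return verdict
    return "allow"                             # tcpd's default: no rule, no denial


if __name__ == "__main__":
    for args in (("sshd", "10.0.0.5"), ("sshd", "10.0.0.13"),
                 ("in.fingerd", "192.168.1.77"),
                 ("in.telnetd", "203.0.113.9", "mail.example.edu"),
                 ("in.telnetd", "203.0.113.9", "evil.example.net")):
        print(args, "->", wrapper_decision(*args))
```

Calling wrapper_decision with deny="" shows the failure mode the slide warns about: with an empty hosts.deny every unmatched client is allowed.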

cron

Daemon that runs scheduled programs.

Configuration: the system table /etc/crontab (and files in /etc/cron.d) has a user field, one entry per line:
    minute hour day month dow user program
Per-user tables installed with crontab(1) use the same five time fields without the user column; each job runs as the table's owner.
• minute: 0-59
• hour: 0-23
• day of month: 1-31
• month: 1-12 (or names)
• day of week: 0-7 (0 or 7 is Sunday; or names)

Security notes: jobs run unattended with the privileges of the listed user, so root's entries and every script they call must be writable only by root (a world-writable script in root's crontab is a privilege escalation); /etc/cron.allow and /etc/cron.deny control which users may install crontabs.
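When reviewing a crontab it helps to know exactly when an entry fires, and the field grammar has one trap: when both the day-of-month and day-of-week fields are restricted, crontab(5) runs the job when either matches. The following is an added example, not part of the original slides: a parser for the five time fields above (including ranges, steps, names and the 0/7 Sunday rule), the system-table layout with its user column, and a matcher implementing that day rule. The sample entries are constructed.

```python
"""Parser and matcher for the crontab time fields described above, including the
day-of-month/day-of-week rule from crontab(5). Added example, not from the
slides; the sample entries are constructed."""
from datetime import datetime

MONTHS = {m: i + 1 for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}
DAYS = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
# (name, low, high, names) for the five time fields, in crontab order
FIELDS = (("minute", 0, 59, None), ("hour", 0, 23, None), ("day", 1, 31, None),
          ("month", 1, 12, MONTHS), ("dow", 0, 7, DAYS))


def parse_field(spec, lo, hi, names=None):
    """Expand '*', 'a', 'a-b', '*/n', 'a-b/n', names and comma lists into the
    set of ints the field matches; raise ValueError for out-of-range values."""
    def value(tok):
        if names and tok.lower() in names:
            return names[tok.lower()]
        return int(tok)

    result = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
            if step < 1:
                raise ValueError("bad step in %r" % spec)
        if part == "*":
            a, b = lo, hi
        elif "-" in part:
            a, b = (value(t) for t in part.split("-", 1))
        else:
            if step != 1:
                # 'n/step' means different things in different crons; reject it
                raise ValueError("step requires a range or '*': %r" % spec)
            a = b = value(part)
        if not lo <= a <= b <= hi:
            raise ValueError("value out of range %d-%d: %r" % (lo, hi, spec))
        result.update(range(a, b + 1, step))
    if names is DAYS and 7 in result:      # 0 and 7 are both Sunday
        result.discard(7)
        result.add(0)
    return result


def parse_entry(line, system=False):
    """Parse one crontab line. system=True for the /etc/crontab layout, which
    has a user field before the command."""
    parts = line.split(None, 6 if system else 5)
    if len(parts) < (7 if system else 6):
        raise ValueError("too few fields: %r" % line)
    fields = {name: parse_field(parts[i], lo, hi, names)
              for i, (name, lo, hi, names) in enumerate(FIELDS)}
    return {"fields": fields,
            # crontab(5): a day field "starting with *" is unrestricted
            "dom_star": parts[2].startswith("*"), "dow_star": parts[4].startswith("*"),
            "user": parts[5] if system else None, "command": parts[-1]}


def matches(entry, when):
    """Would cron fire this entry at datetime `when`? Minute, hour and month must
    all match; day-of-month and day-of-week are ANDed when either is '*' and
    ORed when both are restricted."""
    f = entry["fields"]
    if (when.minute not in f["minute"] or when.hour not in f["hour"]
            or when.month not in f["month"]):
        return False
    dom_ok = when.day in f["day"]
    dow_ok = (when.weekday() + 1) % 7 in f["dow"]    # Python Mon=0 -> cron Sun=0
    if entry["dom_star"] or entry["dow_star"]:
        return dom_ok and dow_ok
    return dom_ok or dow_ok


if __name__ == "__main__":
    entry = parse_entry("0 2 * * sun /usr/local/sbin/backup.sh")
    print(matches(entry, datetime(2024, 1, 7, 2, 0)), matches(entry, datetime(2024, 1, 8, 2, 0)))
    sys_entry = parse_entry("17 * * * * root cd / && run-parts --report /etc/cron.hourly",
                            system=True)
    print(sys_entry["user"], sys_entry["command"])
```

Run parse_entry over each line of a real table (skipping comments and VARIABLE=value lines) to catch entries that never fire, such as a day-of-month of 31 in a month field of feb.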

Application Security Flaws

Both remote and local attacks exploit the same software security flaws discussed earlier in the course:
• Buffer overflows
• Canonicalization bugs (directory traversal)
• Race conditions
• Input validation flaws
• Insecure configuration

Sun RPC

Remote Procedure Call (RPC) services
• RPC is an alternative to hand-built message passing: the client calls a procedure and the RPC library marshals the arguments and results across the network.
• CORBA and Java RMI are other RPC systems.

Sun RPC
• The common RPC mechanism for UNIX network services (NFS, NIS, mountd, and others).
• XDR (External Data Representation) encodes binary data with a uniform byte order and network encoding, so hosts with different architectures agree on the argument layout.

portmapper

• The portmap/rpcbind process listens on port 111 (TCP and UDP).
• RPC servers are given dynamically allocated TCP/UDP ports when they start and register (program number, version, protocol, port) with the portmapper.
• When a client requests access to an RPC server, the portmapper tells the client which port that server is currently using.
• Disadvantage: complicates firewalls, as there is no constant port number to filter. Port 111 itself should be blocked from the outside, since the registry also advertises which RPC services exist.

rpcinfo

    > rpcinfo -p sun16
       program vers proto   port  service
        100000    4   tcp    111  rpcbind
        100000    3   tcp    111  rpcbind
        100000    2   tcp    111  rpcbind
        100000    4   udp    111  rpcbind
        100000    3   udp    111  rpcbind
        100000    2   udp    111  rpcbind
        100024    1   udp  32781  status
        100024    1   tcp  32773  status
        100232   10   udp  32782  sadmind
        100011    1   udp  32784  rquotad
        100002    2   udp  32787  rusersd
        100002    3   udp  32787  rusersd

This is the same enumeration an attacker runs against a reachable portmapper; every service listed is a candidate to disable.

RPC Security

Services the portmapper lists may not actually be running:
• The portmapper may build its list from /etc/rpc.
• Some RPC services are started on demand by inetd.

RPC authentication flavors
• AUTH_NONE: the default, anonymous access.
• AUTH_SYS (also called AUTH_UNIX): the client sends a UID, GID and group list of its own choosing and the server trusts them. This is what NFS uses by default, and it is not authentication at all.
• AUTH_DES: "Secure RPC", a Diffie-Hellman key exchange followed by DES-encrypted timestamps.
• AUTH_KRB: uses Kerberos.

NFS (Network File System)

• RPC service running on port 2049.
• Stateless (NFSv2/v3), but auxiliary protocols (mountd, lockd, statd) provide some state.

NFS file handles
• Opaque identifier the client uses to refer to a file; the server builds it from:
  – filesystem identifier: identifies the partition containing the file
  – file identifier: the file's inode number
  – generation count: incremented when the inode is freed and reused
• Easily guessable:
  – fsid and generation count are small integers
  – inode numbers are fixed for well-known objects: 2 is the root directory, 3 is lost+found
• Anyone who can guess or sniff a handle can use it without ever talking to mountd, so the export ACL is bypassed; fsirand (see NFS Recommendations) randomizes the generation counts to make guessing harder.

NFS processes

• nfsd: performs the file operations; many (8-64) nfsd's run on an NFS server.
• mountd: allows clients to mount NFS filesystems, checks the export list, and gives the client the filesystem's root file handle.
• lockd: provides file locking over NFS.
• statd: keeps state to allow lock recovery when a program or host crashes.

NFS mounts

The server shares (exports) filesystems. Unsharing a filesystem does not by itself cut off clients that already hold file handles for it, so treat an export as long-lived.

/etc/dfs/dfstab (Solaris):
    share -F nfs -o rw /home
    share -F nfs -o ro=unixhosts /usr/man2
    share -F nfs -o rw=unixhosts /usr/local

• Limit access to read-only (ro) or read-write (rw).
• Limit access to a netgroup of hosts (unixhosts). An export with no host list, like /home above, is available read-write to every host that can reach the server.

NFS mounts (cont'd)

Client side:
    > showmount -e 10.0.0.1
    export list for 10.0.0.1:
    /home      (everyone)
    /usr/man2  unixhosts
    /usr/local unixhosts

    > mount 10.0.0.1:/home /mnt/home

showmount -e works against any host whose mountd is reachable, which is how "(everyone)" exports are found.

NFS Security

Uses the standard UNIX user/group permission bits, with the UID and GID supplied by the client (AUTH_SYS).
• Root is mapped to user nobody ("root squashing", the anon option), so clients cannot use root's permissions on the server.
• Every other UID and GID is simply asserted by the client, so anyone with root on a client (or a hand-written NFS client) can bypass all other file permissions by changing UID and GID as needed:
  – The "NFS shell" tool automates the attack with an ftp-like interface.
  – Users bin and daemon often own dangerous files (system binaries, spool directories).
  – If home directories are exported, an attacker can trojan-horse login files (.profile, .rhosts) to gain access as that user.

NFS Recommendations

• Disable NFS if not required.
• Disable lockd and statd if locking is not required.
• Only export necessary directories:
  – Limit the mount to subdirectories of the filesystem.
  – Limit the mount to read-only access if possible.
  – Limit mounts to a trusted set of hosts (netgroup or explicit list).
  – Set security options: nosub (no mounts below the export point) and nosuid (setuid bits ignored on the mounted filesystem).
  – Run fsirand to randomize the inode generation numbers (it does not change inode numbers; the root directory stays inode 2), so file handles cannot be guessed.

Network Services

    Port            Service
    20,21/tcp       ftp
    22/tcp          ssh
    23/tcp          telnet
    25/tcp          SMTP
    53/tcp,udp      DNS
    67,68/udp       DHCP (server 67, client 68)
    69/udp          tftpd
    79/tcp          finger
    109/tcp         POP2
    110/tcp         POP3
    113/tcp         identd
    119/tcp         NNTP
    123/udp         NTP
    143/tcp         IMAP
    161,162/udp     SNMP
    512/tcp         rexec
    513/tcp         rlogind
    514/tcp         rshd
    514/udp         syslogd
    520/udp         RIP
    6000-6063/tcp   X Windows

TCP ports 20,21: ftp (File Transfer Protocol)

The control connection is on port 21; each transfer uses a separate data connection.

Active Mode (PORT)
• The client's PORT command tells the server an IP address and port to send the file to.
• The server opens the data connection (from port 20) to that address.
• Problems:
  – Firewalls in front of the client don't know which port the server will connect to.
  – NAT routers must rewrite the PORT command to identify the return connection.
  – FTP bounce attack: a client can name a third host in PORT and make the server connect there, turning the server into a port scanner or relay. Servers should refuse PORT targets that differ from the control connection's peer.

Passive Mode (PASV)
1. The client sends PASV.
2. The server replies with an address and port it is listening on (227 Entering Passive Mode).
3. The client opens the data channel to that port to transfer the file.
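Both modes come down to six comma-separated numbers carrying an address and a port, and the security checks are about who those numbers are allowed to name. The following is an added example, not part of the original slides: the client side builds a PORT command, the server side parses it and applies the bounce-attack check (data connections only back to the control-connection peer, and only to unprivileged ports), and the client side parses a 227 reply and applies the mirror-image check. All addresses and ports are constructed.

```python
"""Both sides of the FTP data-connection set-up above: building and parsing
PORT (active) and the 227 reply to PASV (passive), with the checks that stop
the bounce attack. Added example, not from the slides; the addresses and ports
are constructed."""
import re

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2), rejecting octets > 255."""
    nums = [int(n) for n in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def build_port_command(ip, port):
    """Active mode: the client's PORT h1,h2,h3,h4,p1,p2 (RFC 959)."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("bad address/port")
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def parse_port_command(line):
    """Server side: (ip, port) the client asked us to connect to."""
    m = re.fullmatch(r"PORT " + _SIX, line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def server_accepts_port(control_peer_ip, requested_ip, requested_port):
    """Bounce-attack defence: only open data connections back to the host that
    owns the control connection, and only to unprivileged ports, so the server
    cannot be used to scan or reach third parties (e.g. port 25 on a mail host)."""
    return requested_ip == control_peer_ip and requested_port >= 1024


def parse_pasv_reply(line):
    """Client side: (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = re.search(r"^227 .*?\(" + _SIX + r"\)", line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return _decode(m.groups())


def client_accepts_pasv(control_server_ip, pasv_ip, pasv_port):
    """A 227 reply pointing at a different host than the one we are talking to is
    suspicious (a server relaying us elsewhere); refuse it, or ignore the
    advertised address and connect to the control peer as many clients do."""
    return pasv_ip == control_server_ip and pasv_port >= 1024


if __name__ == "__main__":
    # Constructed exchange: client 10.0.0.5 talks to server 10.0.0.1.
    cmd = build_port_command("10.0.0.5", 49152)
    ip, port = parse_port_command(cmd)
    print(cmd, "->", ip, port, "accepted:", server_accepts_port("10.0.0.5", ip, port))
    bounce = "PORT 192,0,2,9,0,25"          # client tries to aim the server at a mail host
    ip, port = parse_port_command(bounce)
    print(bounce, "-> accepted:", server_accepts_port("10.0.0.5", ip, port))
    ip, port = parse_pasv_reply("227 Entering Passive Mode (10,0,0,1,195,80)")
    print("PASV ->", ip, port, "accepted:", client_accepts_pasv("10.0.0.1", ip, port))
```

The same peer-address check is what a stateful firewall or NAT device performs when it inspects the control channel to open the data port, which is why a firewall that cannot parse FTP has to either block it or allow a wide passive port range.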

TCP ports 20,21: ftp (cont'd)

Anonymous FTP
• File transfer without authentication (login as "anonymous" or "ftp").
• ftpd uses chroot() to change its root to the ftp user's home directory, which must therefore contain its own minimal environment:
  – bin: must contain the ls binary
  – etc: must contain a limited copy of /etc/passwd (no password hashes, only the names ls needs to display owners)
  – lib: must contain any shared-library dependencies of the binaries in bin
  – pub: contains the files made available for transfer
• Nothing inside the jail should be writable by the ftp user unless uploads are required, and no setuid binaries belong in it.

TCP ports 20,21: ftp (cont'd)

Security issues:
• Use of arbitrary data ports makes filtering difficult.
• Cleartext passwords.
• Complex protocol with a history of security bugs.
• Writable anonymous FTP sites get used by crackers to store copyrighted software or pornography.

Recommendations:
• Disable ftp for users; use ssh (scp/sftp) instead.
• Limit anonymous ftp access as much as possible:
  – Disable PUT (uploads) unless clients must be able to upload files; if they must, make the upload directory write-only and never serve its contents back.
  – Build the chroot() jail carefully and keep it minimal.

TCP port 22: ssh

Secure Shell: encrypted remote login, plus
• file copying (scp, sftp)
• port forwarding (TCP tunneling), including X11

Security issues
• sshd must run as root (to authenticate users and switch to their UIDs).
• Version 1 of the ssh protocol is insecure; allow protocol 2 only.
• Host-based authentication, if enabled, trusts hosts listed in:
  – ~/.rhosts or ~/.shosts
  – /etc/hosts.equiv or /etc/shosts.equiv
  Leave it disabled (OpenSSH's default) unless every trusted host is protected as well as the server is.

TCP port 23: telnet

• Remote login service.
• Authenticates via username/password.
• Cleartext traffic creates vulnerabilities:
  – Packet sniffing (passwords and session contents)
  – TCP session hijacking
• Recommendation: disable, use ssh instead.

TCP port 25: SMTP

Simple Mail Transfer Protocol. Mail Transfer Agents (MTAs):
• sendmail
• qmail
• postfix

Cleartext traffic vulnerabilities
• Packet sniffing of message contents (and of SMTP AUTH credentials, if PLAIN or LOGIN is used without TLS).
• The banner often reveals the MTA name and version, which tells an attacker which exploits to try.

TCP port 25: SMTP (cont'd)

• DoS: too many large mail messages can fill up disks; set message-size and queue limits.
• Mail delivery to programs: mail filters and mailing-list servers (aliases that pipe to a command) may be vulnerable to crafted messages.
• MTA program security flaws: buffer overflows, backdoors, race conditions.
• Spam: limit relaying so that only mail to or from the local domain is accepted; an open relay is quickly abused and blacklisted.
• Viruses: filter virus-carrying mail so that MS Windows clients aren't infected.

TCP/UDP port 53: DNS

Information leakage
• Zone transfers (AXFR) hand the whole zone to anyone allowed to request one; restrict them to your secondary servers.

Cache poisoning
• Incorrect information loaded into the DNS cache, for example from forged responses, redirects clients to attacker-controlled hosts.

Dynamic DNS
• Automatic updates from hosts with dynamic (DHCP) addresses can be used to insert false records if updates are not authenticated (for example with TSIG).

UDP ports 67, 68: DHCP

Dynamic Host Configuration Protocol (the server listens on 67/udp, clients on 68/udp).

Configures network clients on boot:
• The client broadcasts a request for network information.
• There is no server authentication, so any host on the LAN can answer first with a rogue configuration.
• The server responds with the network configuration:
  – client IP address
  – gateway IP address
  – IP addresses for DNS servers
  A rogue gateway or DNS server entry lets the attacker intercept or redirect the client's traffic.

UDP port 69: tftpd

Trivial File Transfer Protocol: no security.
• Allows reading (and, if enabled, writing) of files without authentication.
• Allows diskless workstations and network devices to boot over the network.

Recommendations:
• Don't use it unless necessary.
• Limit the files accessible by tftpd: confine it to a single boot-image directory and make that directory read-only.
• Use TCP wrappers to limit which hosts can access tftpd.

TCP port 79: fingerd

finger provides user information
• No argument: lists all logged-in users with username, full name, location and login time.
• Name argument: prints detailed information for every user whose username or full name matches the query.
  – Also prints the user's .plan and .project files: when fingerd ran as root this could be abused to read any file by symlinking .plan to the target.
• user@hostname: queries fingerd on the remote machine.

The output is a ready-made username list for password guessing.

Recommendations:
• Disable fingerd.
• If it must run, use TCP wrappers and run it as an unprivileged user (nobody), as in the inetd.conf example.

TCP port 110: POP3 (109/tcp is the obsolete POP2)

Post Office Protocol (POP): lets client hosts retrieve mail from the server.

Common servers: qpopper, UW popd

Authentication methods
• Cleartext passwords (USER/PASS).
• APOP: a simple challenge/response scheme (MD5 of a server-supplied timestamp and the shared secret) that keeps the password off the wire, at the cost of the server storing it in recoverable form.

Securing POP: run it inside an SSL/TLS tunnel (POP3S, port 995).

TCP port 143: IMAP

Internet Message Access Protocol: POP plus additional features (server-side folders, partial fetches, several clients sharing one mailbox).

Common servers: UW imapd, Cyrus imapd

Authentication
• Cleartext passwords (LOGIN).
• SASL mechanisms: GSSAPI, S/Key, Kerberos 5, CRAM-MD5.

Securing IMAP: run it inside an SSL/TLS tunnel (IMAPS, port 993).

TCP port 113: identd

• Supports queries for the username that owns a particular TCP connection: the remote server asks the client host which local user holds the connection between a given pair of ports.
• Differs from other authentication mechanisms in that the answer is not delivered as part of the original client TCP connection.
• Security:
  – Some sites believe it reveals too much information (valid usernames).
  – You cannot trust a remote site's ident information: the remote host answers for itself and can say anything, so identd is at best a logging aid, never an authorization input.

TCP port 119: NNTP

Network News Transport Protocol
• Allows clients to read and post Usenet articles.
• Accepts and delivers Usenet articles to and from other servers.

Security
• ACLs for clients and for peer servers.
• Ensure that internal newsgroups remain internal.
• Huge volume: potential for disk and network DoS.

UDP port 123: NTP

• Network Time Protocol: a set of protocols to synchronize clocks.
• Security ramifications of synchronization:
  – An audit trail requires consistent timestamps to correlate log files from different hosts.
  – Kerberos, SSH, and other cryptographic protocols require accurate absolute time (ticket lifetimes, certificate validity) to function properly.
• NTP security considerations:
  – ntpd must run as root to adjust the clock.
  – Spoofed time updates apparently from the master server can skew the clock.
  – Prevention: require updates to be authenticated with a symmetric key (NTP's keyed-MD5 MAC); the packets are authenticated, not encrypted.

UDP ports 161, 162: SNMP

Simple Network Management Protocol: remote management of networked devices.
• Client: the network manager.
• Server: the remote agent on the managed device (port 161).

Management Information Base (MIB): the tree of objects an agent exposes, including configuration, operational status and performance data.

Requests
• get: retrieve a data object from the MIB
• get-next: retrieve the next data object from the MIB (walking the tree)
• set: set a data object in the MIB (reconfigure the device)
• trap: asynchronous error message sent from the remote agent to the manager on port 162

SNMP Authentication

v1 (and v2c): community names act as passwords.
• Default community strings are never changed in most cases.
• Transmitted as cleartext in every packet.

v3: User Security Model (USM)
• authKey is used for hash-based (HMAC) authentication of each message.
• privKey is used for encrypting the packet payload.
• The authoritative engine's boot counter and clock are carried in each message and checked against a 150-second window to limit UDP replay attacks.

SNMP demo

    > snmpwalk -c public -v 1 sun15 system
    SNMPv2-MIB::sysDescr.0 = STRING: Sun SNMP Agent, Sun-Blade-100
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.42.2.1.1
    SNMPv2-MIB::sysUpTime.0 = Timeticks: (1323311123) 153 days, 3:51:51.23
    SNMPv2-MIB::sysContact.0 = STRING: System administrator
    SNMPv2-MIB::sysName.0 = STRING: sun15
    SNMPv2-MIB::sysLocation.0 = STRING: System administrators office
    SNMPv2-MIB::sysServices.0 = INTEGER: 72

The default "public" community is enough to read the hardware model, the uptime (which also says how long since the last reboot and therefore the last kernel update) and contact details.

SNMP Recommendations

Disable SNMP unless required.
• SNMP agents run on MS Windows, UNIX, some printers, and many network appliances such as switches and routers, often enabled by default.

Change community strings from their default values:
• public: read-only access
• private: read-write access (with it, an attacker can reconfigure the device)

Block SNMP traffic from outside.
Segregate network management traffic onto its own network or VLAN.

TCP port 512: rexec

Remote execution daemon: the client sends a username, password and command to run.

Security issues
• Cleartext passwords can be sniffed.
• It returns different error messages for an invalid username and an invalid password, so it confirms which usernames exist.

Recommendation: disable, use ssh instead.

TCP ports 513, 514: rlogind, rshd

• rlogin (513/tcp): remote terminal service like telnet.
• rsh (514/tcp): remote command execution.
• Both obtain the username from the client host and trust it.
• Trusted hosts/users can log in without passwords via ~/.rhosts and /etc/hosts.equiv; the trust rests on the source IP address and hostname, both of which can be spoofed.

Recommendation: disable, use ssh instead.

UDP port 514: syslogd

Remote logging service: syslogd writes local messages to files, devices or logged-in users, and can forward them to another host (@loghost) over UDP port 514.

Configured using /etc/syslog.conf (selector, whitespace, action):
    *.err;kern.notice     /dev/console
    *.err                 @loghost
    *.*                   /var/adm/messages
    *.alert;kern.err      operator
    *.alert;user.none     root
    *.emerg;user.none     *

Security notes: the UDP transport is unauthenticated and unreliable, so anyone on the network can inject forged log lines or flood the loghost; only enable network reception (the -r option of Linux syslogd) on a dedicated, firewalled loghost, and keep log files writable only by root so a local attacker cannot erase tracks.

UDP port 520: RIP

Routing Information Protocol: routers broadcast their routing tables every 30 seconds and believe what they hear.
• RIPv1 has no security: any host can advertise a route and redirect traffic.
• RIPv2 offers shared-key authentication (a cleartext password, or a keyed-MD5 MAC per RFC 2082); unauthenticated updates are rejected.

Recommendation: use static routes if you only have one gateway, and do not run a RIP listener on hosts that don't need one.

X Windows

Network-based windowing system.
• server: the graphical display, running the X server and listening on TCP ports 6000-6063 (display :0 on 6000, :1 on 6001, and so on).
• client: any X-based program (xclock, xterm), possibly running on another host.

X security
• All or nothing: a client can either access the server or not; there is no per-window or per-operation privilege.
• Several different access-control systems exist.
• If a client has access to a display, it can:
  – log keystrokes (xscan)
  – view any window (xwatchwin)
  – inject synthetic keyboard and mouse events

X Access Control Systems

xhost
• A list of hosts whose clients may access the server; any user on a listed host gets full access.
• xhost +host adds a host to the ACL; xhost -host removes it.
• xhost + alone disables access control entirely.

MIT-MAGIC-COOKIE-1
• Restricts access to processes that supply the 128-bit random cookie to the server when requesting a connection.
• The cookie is stored in the ~/.Xauthority file, protected only by file permissions: local root, or anyone who can read the file, gets in.
• Cookies are transmitted in cleartext, so a sniffer on the path captures them.

X Access Control Systems (cont'd)

XDM-AUTHORIZATION-1
• Creates a 56-bit DES key and a 64-bit random authenticator in ~/.Xauthority.
• Each client uses the DES key to encrypt a 192-bit packet (authenticator, client address and port, timestamp) sent to the X server to validate the connection, so nothing reusable crosses the wire.

SUN-DES-1
• Authenticates to the X server using Secure RPC credentials encrypted with the X server's public key.
• Access is granted per user rather than per host: xhost user@host
• Requires Sun Secure RPC (Solaris).

X Access Control Systems (cont'd)

MIT-KERBEROS-5
• Uses Kerberos tickets and encryption: xhost krb5:username

Recommendations:
• Use MIT-MAGIC-COOKIE-1 or better; never leave xhost + in effect.
• Use "xhost -" (host list disabled, so only cookie holders connect) if only xhost is available.
• Tunnel remote X connections over ssh: set X11Forwarding to yes in sshd_config on the remote host and connect with ssh -X; remote X clients then reach your display through the encrypted channel with a per-session cookie.
• Caveat: forwarding gives root on the remote host full access to your display, so only forward to hosts you trust.

Key Points

• UNIX accounts and permission bits.
• UNIX services
  – Boot-time: started by init from the rc scripts.
  – On demand: started by inetd.
  – Scheduled: started by cron.
• Network service security
  – Avoid using insecure services (cleartext credentials, trust by source address).
  – Disable all unused services.
