CSC 382: Computer Security Slide #1
CSC 382: Computer Security
UNIX Security
Topics
1. Accounts and Groups
2. UNIX ACLs
3. UNIX Boot Process
4. Linux Services
5. Inetd
6. Cron
7. Network Services

Accounts and Groups
User Accounts
– UID identifies user to system.
– User information stored in /etc/passwd.
– Passwords stored in /etc/shadow.
Groups
– GID identifies group to system.
– User can belong to multiple groups.
– Group membership stored in /etc/group.

The /etc/passwd file
Format: one user per line, :-separated fields
Username:Password:UID:GID:GCOS:Homedir:Shell
Example:
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:

UNIX Groups
groups command lists your current groups.
Group membership stored in /etc/group:
bin::2:root,bin,daemon
uucp::5:root,uucp
daemon::10:root,daemon
uml::605:uml,walden,smith,kang
walden::2331:walden
nobody::60001:

UNIX ACLs
Three sets of permissions:
– User owner
– Group owner
– Other (everyone else)
Three permissions per set:
– read
– write
– execute
UID 0 can access regardless of permissions.

UNIX Access Control Model
OS checks EUID + EGID on object access.
Best match applies (user >> group >> other).
Usually: EUID=UID, EGID=GID
Exception: setuid/setgid programs
– Run with EUID/EGID of program file owner.

Changing Permissions: chmod
Permission set specifiers
– u = user
– g = group
– o = other
Permissions
– r = read
– w = write
– x = execute
# remove other access
chmod o-rwx *.c
# add group r/w access
chmod g+rw *.c
# allow only you access
chmod u=rwx *
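The three slides above describe two separate mechanisms: how chmod's symbolic specifiers change a mode, and how the kernel then decides access from EUID/EGID using the best-match rule. The added example below (not code from the slides) implements both: apply_symbolic handles the u/g/o/a, +/-/= and r/w/x forms, and may_access consults exactly one permission class, so a file whose owner bits deny read is unreadable to its owner even when the other bits allow it. The UID 0 override is treated as the slide states, with one Linux kernel detail added as an assumption in the code: root may execute a file only if at least one execute bit is set.

```python
"""Apply chmod-style symbolic modes and evaluate the UNIX access decision.

Added example, not from the slides. Modes are plain ints (low 9 bits).
"""
import stat

WHO_BITS = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}
PERM_INDEX = {"r": 0, "w": 1, "x": 2}


def apply_symbolic(mode, spec):
    """Return `mode` after applying a spec such as "o-rwx", "g+rw" or
    "u=rwx,go-rwx" (comma-separated clauses, applied left to right)."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"          # no specifier means all classes
        if "a" in who:
            who = "ugo"
        op = clause[i]
        if op not in "+-=":
            raise ValueError("bad clause: %r" % clause)
        perms = clause[i + 1:]
        if any(p not in PERM_INDEX for p in perms):
            raise ValueError("bad permissions: %r" % perms)
        for w in set(who):
            bits = 0
            for p in perms:
                bits |= WHO_BITS[w][PERM_INDEX[p]]
            class_bits = sum(WHO_BITS[w])
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:                         # "=" replaces the whole class
                mode = (mode & ~class_bits) | bits
    return mode & 0o777


def may_access(mode, owner_uid, owner_gid, euid, egids, perm):
    """perm is "r", "w" or "x". Best match: the user class is consulted when
    the EUID owns the file, else the group class when any EGID matches the
    file's group, else the other class. Only that one class decides."""
    idx = PERM_INDEX[perm]
    if euid == 0:
        if perm != "x":
            return True                   # UID 0 bypasses read/write bits
        # Assumption (Linux behaviour): root may execute a regular file
        # only if some execute bit is set on it.
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if euid == owner_uid:
        cls = "u"
    elif owner_gid in egids:
        cls = "g"
    else:
        cls = "o"
    return bool(mode & WHO_BITS[cls][idx])
```

The third assertion in the test is the best-match rule in action: mode 0o007 lets everyone except the owner's own user and group read the file, which is the behaviour the "user >> group >> other" slide describes.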

UNIX Boot Process
/etc/inittab
– Controls which run level system boots into
  0 Single User Mode
  2 Network Boot
  3 Multiuser Boot
  5 X-Windows
  6 Reboot
– Executes start scripts for run level
– Scripts stored in /etc/rc#.d directories

SYSV-Style Boot Scripts
/etc/init.d
– Actual location of boot scripts
/etc/rc.d
– Files are links to /etc/init.d scripts.
– Executed in ASCII order during boot process.
– K##servername stops a server process
  Runs /etc/init.d/servername stop
– S##servername starts a server process
  Runs /etc/init.d/servername start

Linux Run Levels
Number  Name         Login  Network  Filesystems
0       Halt
1       Single User  Text   Down     Unmounted
2       Undefined
3       Multiuser    Text   Up       Mounted
4       Undefined
5       Multiuser X  GUI    Up       Mounted
6       Reboot
You can change the run level using /sbin/init #

Linux Services
Servers started at boot
– Started from /etc/rc.d scripts.
– Perpetually running daemon processes.
– Examples: nfsd, httpd, and sendmail.
Servers that run only when requested
– Started from inetd.
– Handle a single request then terminate.
– Examples: fingerd, ftpd, telnetd.

Managing RedHat Linux Services
/sbin/service
– status: is service running or not?
– start: starts service
– stop: stops service
– restart: stops, then restarts service
– --status-all: status of all services
Examples
> /sbin/service sendmail status
sendmail is stopped
> /sbin/service sshd status
sshd (pid 21149 21147 4276) is running...
> /sbin/service sendmail start
Permission denied [FAILED]
> su
Password:
# /sbin/service sendmail start
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
# /sbin/service sendmail stop

Configuring Boot Time Services
/sbin/chkconfig
– --list: show current service configuration
– --add script: add a new service whose startup script will be added to /etc/init.d
– --del service: remove service
– --level X [on|off] service: cause service to be started (or not) when booting into run level X

Configuring Boot Time Services
# chkconfig --list
atd      0:off 1:off 2:off 3:on  4:on  5:on
crond    0:off 1:off 2:on  3:on  4:on  5:on
ypbind   0:off 1:off 2:off 3:on  4:on  5:on
iptables 0:off 1:off 2:on  3:on  4:on  5:on
sshd     0:off 1:off 2:on  3:on  4:on  5:on
snmpd    0:off 1:off 2:off 3:off 4:off 5:off
syslog   0:off 1:off 2:on  3:on  4:on  5:on
…
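The rc#.d naming convention and the chkconfig listing are two views of the same boot-time service inventory. The added example below (not from the slides or from any init/chkconfig source) derives from a directory of K##/S## link names the exact sequence of `/etc/init.d/<name> stop|start` commands init runs when entering a run level, and parses `chkconfig --list` output into a per-run-level table so that the services enabled at a given level can be listed. The directory listing is constructed; the chkconfig text is the slide's.

```python
"""Derive the boot-time service sequence from /etc/rc#.d link names and
read `chkconfig --list` output.

Added example, not from the slides or from any init/chkconfig source.
"""
import re

LINK_RE = re.compile(r"^([KS])(\d\d)(.+)$")

# Constructed listing of an /etc/rc3.d directory, deliberately unsorted
# (a directory read does not return names in ASCII order).
LINKS = ["K20nfs", "S10network", "S55sshd", "K15httpd",
         "S80sendmail", "README", "S12syslog"]


def rc_actions(link_names):
    """[(script, 'stop'|'start'), ...] in the order the rc script runs them:
    every K## link first, then every S## link, each group in ASCII order.
    Non-link names such as README are ignored."""
    kills = sorted(n for n in link_names if LINK_RE.match(n) and n[0] == "K")
    starts = sorted(n for n in link_names if LINK_RE.match(n) and n[0] == "S")
    return [(LINK_RE.match(n).group(3), "stop" if n[0] == "K" else "start")
            for n in kills + starts]


def commands(link_names):
    """The shell commands init would execute, in order."""
    return ["/etc/init.d/%s %s" % (script, action)
            for script, action in rc_actions(link_names)]


# The slide's `chkconfig --list` output.
CHKCONFIG = """\
atd      0:off 1:off 2:off 3:on  4:on  5:on
crond    0:off 1:off 2:on  3:on  4:on  5:on
ypbind   0:off 1:off 2:off 3:on  4:on  5:on
iptables 0:off 1:off 2:on  3:on  4:on  5:on
sshd     0:off 1:off 2:on  3:on  4:on  5:on
snmpd    0:off 1:off 2:off 3:off 4:off 5:off
syslog   0:off 1:off 2:on  3:on  4:on  5:on
"""


def parse_chkconfig(text):
    """{service: set of run levels at which it is 'on'}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or ":" not in parts[1]:
            continue      # skips headers like "xinetd based services:" and their entries
        on = set()
        for token in parts[1:]:
            level, state = token.split(":")
            if state == "on":
                on.add(int(level))
        table[parts[0]] = on
    return table


def enabled_at(table, level):
    """Services that start when booting into `level`, sorted by name."""
    return sorted(s for s, levels in table.items() if level in levels)
```

With the constructed listing, rc_actions(LINKS) stops httpd and nfs before it starts network, syslog, sshd and sendmail, which is the ordering the S##/K## numbering exists to guarantee; enabled_at(parse_chkconfig(CHKCONFIG), 3) lists every service the slide shows as 3:on.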

inetd
Centralizes startup of lightweight net servers.
/etc/inetd.conf fields:
– Server name, as given in /etc/services
– Socket type: stream or datagram.
– Protocol type: tcp/tcp6 (stream), udp/udp6 (dgram)
– Wait/nowait:
  • wait: server will process all subsequent connections
  • nowait: inetd will start new server for each connection
– User: which UID to run process with.
– Command args: server filename and CLI arguments.

/etc/inetd.conf
ftp      stream  tcp6  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet   stream  tcp6  nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell    stream  tcp   nowait  root    /usr/sbin/in.rshd     in.rshd
login    stream  tcp6  nowait  root    /usr/sbin/in.rlogind  in.rlogind
exec     stream  tcp   nowait  root    /usr/sbin/in.rexecd   in.rexecd
talk     dgram   udp   wait    root    /usr/sbin/in.talkd    in.talkd
uucp     stream  tcp   nowait  root    /usr/sbin/in.uucpd    in.uucpd
finger   stream  tcp6  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
time     stream  tcp6  nowait  root    internal
time     dgram   udp6  wait    root    internal
echo     stream  tcp6  nowait  root    internal
echo     dgram   udp6  wait    root    internal
discard  stream  tcp6  nowait  root    internal
discard  dgram   udp6  wait    root    internal
daytime  stream  tcp6  nowait  root    internal
chargen  stream  tcp6  nowait  root    internal
chargen  dgram   udp6  wait    root    internal

Securing inetd
Use TCP wrappers
– Replace server command with tcpd.
– Uses ACLs based on source IP address:
  • /etc/hosts.allow
  • /etc/hosts.deny
Use xinetd
– inetd with built-in TCP wrapper ACLs.
– Uses /etc/xinetd.d configuration directory.
Use host-based firewall.
– iptables for Linux.
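The inetd.conf format from the previous two slides and the TCP-wrapper ACLs from this one fit together in one audit tool. The added example below (not from the slides and not tcpd's or inetd's code) parses inetd.conf records, flags the entries an administrator should review (cleartext or host-trust protocols, servers running as root, servers not wrapped with tcpd), and evaluates an access decision the way the tcpd documentation describes it: the first matching hosts.allow rule grants, then the first matching hosts.deny rule refuses, and no match at all grants. The matcher covers only the common pattern forms (ALL, a host name or address, a ".domain" suffix, a "10.0.0." address prefix and a single EXCEPT clause); real tcpd supports more. The inetd.conf lines are a subset of the slide's, and the hosts.allow / hosts.deny contents are constructed.

```python
"""Audit /etc/inetd.conf entries and evaluate hosts.allow/hosts.deny rules.

Added example, not from the slides and not tcpd's or inetd's code.
The wrapper matcher is a subset of tcpd's pattern language.
"""

# Constructed: a subset of the slide's /etc/inetd.conf.
INETD_CONF = """\
ftp     stream  tcp6  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp6  nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp   nowait  root    /usr/sbin/in.rshd     in.rshd
finger  stream  tcp6  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo    stream  tcp6  nowait  root    internal
"""

INETD_FIELDS = ("service", "socket", "proto", "wait", "user", "program", "args")


def parse_inetd(text):
    """One dict per active line; `args` is the rest of the line (may be empty)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(INETD_FIELDS, line.split(None, 6)))
        rec.setdefault("args", "")
        entries.append(rec)
    return entries


# Protocols that send passwords or host-trust decisions in the clear.
CLEARTEXT = {"ftp", "telnet", "shell", "login", "exec"}


def review_inetd(entries):
    """(service, reason) pairs an administrator should look at."""
    issues = []
    for e in entries:
        if e["service"] in CLEARTEXT:
            issues.append((e["service"], "cleartext or host-trust protocol"))
        if e["program"] == "internal":
            continue                      # served by inetd itself, no program
        if e["user"] == "root":
            issues.append((e["service"], "runs as root"))
        if "tcpd" not in e["program"]:
            issues.append((e["service"], "not wrapped with tcpd"))
    return issues


def _rules(text):
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _client_matches(pattern, host, addr):
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.startswith("."):           # domain suffix, e.g. .example.edu
        return host.endswith(pattern)
    if pattern.endswith("."):             # address prefix, e.g. 10.0.0.
        return addr.startswith(pattern)
    return pattern in (host, addr)


def _rule_matches(rule, daemon, host, addr):
    """One 'daemon_list : client_list [EXCEPT client_list]' line."""
    daemons, clients = (p.strip() for p in rule.split(":", 1))
    if daemons != "ALL" and daemon not in [d.strip() for d in daemons.split(",")]:
        return False
    allowed, _, excepted = clients.partition(" EXCEPT ")
    hit = any(_client_matches(p, host, addr) for p in allowed.split(","))
    if hit and excepted:
        hit = not any(_client_matches(p, host, addr) for p in excepted.split(","))
    return hit


def wrapper_allows(hosts_allow, hosts_deny, daemon, host, addr):
    """tcpd order: hosts.allow match grants, hosts.deny match refuses,
    otherwise the connection is permitted."""
    if any(_rule_matches(r, daemon, host, addr) for r in _rules(hosts_allow)):
        return True
    if any(_rule_matches(r, daemon, host, addr) for r in _rules(hosts_deny)):
        return False
    return True


# Constructed policy: ssh from anywhere, ftp and finger only from the campus
# domain minus one lab host, everything else refused.
HOSTS_ALLOW = """\
sshd: ALL
in.ftpd, in.fingerd: .example.edu EXCEPT lab7.example.edu
"""
HOSTS_DENY = "ALL: ALL\n"
```

Note the default: with an empty hosts.deny, every unmatched connection is permitted, which is why a deny-all last line is the usual way to get a default-deny policy.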

cron
Daemon to run scheduled programs.
Configuration: /etc/crontab
minute hour day month dow program
– minute 0-59
– hour 0-23
– day of month 1-31
– month 1-12 (or names)
– day of week 0-7 (0 or 7 is Sun)
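The five time fields are easy to misread, and a mis-scheduled job (or one that fires more often than intended) is a common source of surprises. The added example below (not from the slides or from any cron implementation) parses the fields as the slide lists them (ranges, comma lists, "*", month and weekday names, 0 and 7 both meaning Sunday), adds the "/step" form, and decides whether a given clock time is a firing time. It also follows the Vixie-cron rule that when both day-of-month and day-of-week are restricted, a time matches if either of the two fields matches. All schedules in the test are constructed.

```python
"""Match a crontab time specification against a clock time.

Added example, not from the slides or from any cron implementation.
"""
import datetime

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
DAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
# (low, high, names) for minute, hour, day of month, month, day of week
FIELD_SPECS = [(0, 59, None), (0, 23, None), (1, 31, None),
               (1, 12, MONTHS), (0, 7, DAYS)]


def _value(token, low, names):
    """A field value: a number, or a name mapped onto low + its index."""
    if names and token.lower() in names:
        return low + names.index(token.lower())
    return int(token)


def _expand(field, low, high, names):
    """The set of integers one crontab field covers."""
    values = set()
    for item in field.split(","):
        part, _, step = item.partition("/")
        step = int(step) if step else 1
        if part == "*":
            lo, hi = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            lo, hi = _value(a, low, names), _value(b, low, names)
        else:
            lo = hi = _value(part, low, names)
        if not (low <= lo <= hi <= high) or step < 1:
            raise ValueError("bad field %r (range %d-%d)" % (field, low, high))
        values.update(range(lo, hi + 1, step))
    return values


def parse_schedule(spec):
    """'minute hour day month dow' -> (fields, [five value sets]); weekday 7
    is folded onto 0 so that both mean Sunday."""
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("expected five time fields")
    sets = [_expand(f, lo, hi, names)
            for f, (lo, hi, names) in zip(fields, FIELD_SPECS)]
    if 7 in sets[4]:
        sets[4].discard(7)
        sets[4].add(0)
    return fields, sets


def fires_at(spec, when):
    """True if `when` (a datetime) is a firing time for the schedule."""
    fields, (mins, hours, doms, mons, dows) = parse_schedule(spec)
    dow = (when.weekday() + 1) % 7        # datetime: Monday=0; cron: Sunday=0
    dom_ok, dow_ok = when.day in doms, dow in dows
    # Vixie cron: a field starting with '*' is unrestricted; when both day
    # fields are restricted, matching either one is enough.
    if not fields[2].startswith("*") and not fields[4].startswith("*"):
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return (when.minute in mins and when.hour in hours
            and when.month in mons and day_ok)


def fires(spec, year, month, day, hour, minute):
    """Convenience wrapper taking the time as plain integers."""
    return fires_at(spec, datetime.datetime(year, month, day, hour, minute))
```

The "0 0 1 * mon" case in the test shows the either-field rule: the job fires on the first of every month and on every Monday, not only on Mondays that fall on the first, which is the opposite of what many people expect when they first read such a line.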

Application Security Flaws
Both remote and local attacks exploit the same software security flaws we've discussed in the past:
– Buffer overflow
– Canonicalization bugs (directory traversal)
– Race conditions
– Input validation flaws
– Insecure configuration

Sun RPC
Remote Procedure Call (RPC) services
– RPC is an alternative to sending messages.
– CORBA and Java RMI are other RPC types.
Sun RPC
– Common RPC method for UNIX net services.
– XDR used to represent binary data with uniform byte order and network encoding.

portmapper
• portmap/rpcbind process
• Dynamically allocates TCP/UDP ports to RPC servers on start.
• When client requests access to an RPC server, portmapper tells client which port that server is currently using.
• Disadvantage: complicates firewalls, as there's no constant port number to filter.

rpcinfo
> rpcinfo -p sun16
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp  32781  status
    100024    1   tcp  32773  status
    100232   10   udp  32782  sadmind
    100011    1   udp  32784  rquotad
    100002    2   udp  32787  rusersd
    100002    3   udp  32787  rusersd

RPC Security
Portmapper listed services may not be running
– Portmapper may use list in /etc/rpc.
– Some services may be started by inetd.
RPC Authentication
– AUTH_NONE: default anonymous access.
– AUTH_DES: "Secure RPC" uses encryption.
– AUTH_KRB: Uses Kerberos security.

NFS
Network FileSystem
– RPC service running on port 2049
– Stateless, but auxiliary protocols provide some state.
NFS Filehandles
– Unique identifier used by client to refer to file, using:
  • filesystem identifier: identifies partition containing file
  • file identifier: inode of file
  • generation count: incremented when file is unlinked and recreated
– Easily guessable
  • fsid and generation count are small integers
  • inode: 2 for root directory, 3 for lost+found (fsirand)

NFS processes
• nfsd
  – Performs file transfers
  – Many (8-64) nfsd's run on NFS servers
• mountd
  – Allows clients to mount NFS filesystems
  – Gives filesystem identifier to client
• lockd
  – Provides file locking over NFS
• statd
  – Keeps state to allow for lock recovery in case of program/host crash

NFS mounts
Server can share/export filesystems.
Unsharing/unexporting a filesystem does not disallow access to clients who have currently mounted filesystem.
– /etc/dfs/dfstab (Solaris)
  share -F nfs -o rw /home
  share -F nfs -o ro=unixhosts /usr/man2
  share -F nfs -o rw=unixhosts /usr/local
– Limit access to read-only (ro) or read-write (rw)
– Limit access to a netgroup of hosts (unixhosts)

NFS mounts (cont'd)
> showmount -e 10.0.0.1
export list for 10.0.0.1:
/home (everyone)
/usr/man2 unixhosts
/usr/local unixhosts
> mount 10.0.0.1:/home /mnt/home

NFS Security
Uses standard UNIX user/group file ACLs
– Root is mapped to user nobody
  • Clients cannot override root permissions as a result.
– Client can bypass all other file ACLs by changing UID and GID as needed.
  • NFS shell automates attack with ftp-like interface.
  • Users bin and daemon often own dangerous files.
  • If home directories are exported, attacker can trojan horse login files to gain access.

NFS Recommendations
• Disable if not required
• Disable lockd + statd if locking not required.
• Only export necessary directories:
  – Limit mount to subdirectories of filesystem.
  – Limit mount to read-only access if possible.
  – Limit mounts to trusted set of hosts.
  – Set security options: nosub, nosuid
  – Run fsirand to randomize inodes.

Network Services
Port            Service
20,21/tcp       ftp
22/tcp          ssh
23/tcp          telnet
25/tcp          SMTP
53/tcp,udp      DNS
68/udp          DHCP
69/udp          tftpd
79/tcp          finger
109/tcp         POP
110/tcp         IMAP
113/tcp         identd
119/tcp         NNTP
123/udp         NTP
161,162/udp     SNMP
512/tcp         rexec
513,514/tcp     rshd, rlogind
520/udp         RIP
6000-6063/tcp   XWindows

TCP ports 20,21: ftp
File Transfer Protocol
Active Mode (PORT)
– Client tells server IP and port to send file to.
– Server opens data connection to that port.
– Problems:
  • Firewalls don't know what port server will use
  • NAT routing must identify return connection
  • FTP bounce attack
Passive Mode (PASV)
1. Client requests file.
2. Server tells client which port to connect to.
3. Client opens data channel to port to obtain file.
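The active-mode problem is that the client names an arbitrary address and port in the PORT command. The added example below (not from the slides and not any ftpd's code) parses the PORT argument and applies the two checks widely deployed servers use against the bounce attack the slide names: the data address must be the address the control connection came from, and the port must not be a privileged one. Addresses in the test are constructed.

```python
"""Parse an FTP PORT argument and validate it against the control connection.

Added example, not from the slides or from any ftpd. The checks are the
usual server-side defence against using the server to reach third parties.
"""
import ipaddress


def parse_port_argument(arg):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs 6 comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT values must be 0-255")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def accept_port(arg, control_peer_ip):
    """(ok, reason). ok only if the data connection target is the host that
    opened the control connection and the port is unprivileged."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError as e:
        return False, "syntax: %s" % e
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        return False, "address %s differs from control peer %s" % (host, control_peer_ip)
    if port < 1024:
        return False, "privileged port %d" % port
    return True, "ok"
```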

TCP ports 20,21: ftp
Anonymous FTP
– File transfer without authentication.
– ftpd uses chroot() to change root to ftp user home directory:
  • bin: must contain /bin/ls
  • etc: must contain limited copy of /etc/passwd
  • lib: must contain any shared library dependencies.
  • pub: contains files made available for transfer.

TCP ports 20,21: ftp
Security Issues:
– Use of arbitrary ports makes filtering difficult
– Cleartext passwords
– Complex protocol, with history of security bugs.
– Writable anonymous FTP sites can be used by crackers to store copyrighted software or pornography.
Recommendations:
– Disable ftp for users, use ssh instead.
– Limit anonymous ftp access as much as possible
  • Disable PUT unless clients must be able to upload files.
  • Limit access to chroot() jail carefully.

TCP port 22: ssh
Secure Shell
– file copying
– port forwarding (TCP tunneling)
Security Issues
– sshd must run as root.
– Version 1 of ssh protocol is insecure.
– Trusts hosts listed in:
  • ~/.rhosts or ~/.shosts
  • /etc/rhosts.equiv or /etc/shosts.equiv

TCP port 23: telnet
• Remote login service
• Authenticates via username/password
• Cleartext traffic creates vulnerabilities:
  – Packet sniffing
  – TCP session hijacking
• Recommendation: disable, use ssh instead.

TCP port 25: SMTP
Simple Mail Transfer Protocol (SMTP)
Mail Transfer Agents (MTAs):
– sendmail
– qmail
– postfix
Cleartext traffic vulnerabilities
– Packet sniffing
– Banner often reveals MTA name and version

TCP port 25: SMTP
• DoS
  – Too many large mail files can fill up disks
• Mail delivery to programs
  – Mail filters/mailing list servers may be vulnerable
• MTA program security flaws
  – Buffer overflows, backdoors, race conditions
• Spam
  – Limit relaying so that only mail to/from local domain accepted
• Viruses
  – Filter virus mail so MS Windows clients aren't infected

TCP/UDP port 53: DNS
Information hiding
– Zone transfers
Cache poisoning
– Incorrect information loaded into DNS cache
Dynamic DNS
– Automatic updates from dynamic IP addresses (DHCP) can be used to deceive server if not authenticated

UDP port 68: DHCP
Dynamic Host Configuration Protocol
Configures network clients on boot
– Client broadcasts request for network info
– No server authentication
– Server responds with network configuration:
  • client IP address
  • gateway IP address
  • IP addresses for DNS servers

UDP port 69: tftpd
Trivial File Transfer Protocol
No security
– Allows read/write of files w/o authentication
– Allows workstations to boot over network
Recommendations:
– Don't use unless necessary
– Limit files accessible by tftpd
– Use TCP wrappers to limit which hosts can access tftpd

TCP port 79: fingerd
finger provides user information
– No argument: lists all users, with username, full name, location, login time
– Name argument: prints detailed information for every user whose username or full name matches your query
  • Lists .plan and .project files: could view any file in past by symlinking .plan to target file
– @hostname: queries fingerd on remote machine
Recommendations:
– disable fingerd
– use TCP wrappers

TCP port 109: POP
Post Office Protocol (POP)
Lets client hosts retrieve mail from server
Common servers
– qpopper, UW popd
Authentication methods
– Cleartext passwords
– APOP: simple challenge/response system
Securing POP
– SSL/TLS tunnel (port 993)

TCP port 110: IMAP
Internet Message Access Protocol
POP + additional features
Common servers
– UW imapd, Cyrus imapd
Authentication
– Cleartext passwords
– SASL: GSSAPI, S/Key, Kerberos 5
Securing IMAP
– SSL/TLS tunnel (port 995)

TCP port 113: identd
• Supports queries for username that corresponds to a particular TCP connection.
  – Differs from other authentication mechanisms in that authentication not delivered as part of original client TCP connection.
• Security:
  – Some sites believe it reveals too much information.
  – Cannot trust a remote site's ident information.

TCP port 119: NNTP
Network News Transport Protocol
– Allows clients to read/post Usenet articles.
– Accepts/delivers Usenet articles to other servers.
Security
– ACLs for clients and servers
– Ensure that internal news groups remain internal.
– Huge volume: potential for disk/network DoS.

UDP port 123: NTP
• Network Time Protocol
  – set of protocols to synchronize clocks.
• Security ramifications of synchronization
  – Audit trail requires valid timestamps to compare log files from different hosts.
  – Kerberos, SSH, and other cryptographic protocols require absolute time to function properly.
• NTP security considerations
  – NTP must run as root to adjust clock.
  – Spoofed time updates apparently from master server
    • Prevent: require updates to be encrypted with symmetric key.

UDP ports 161, 162: SNMP
Simple Network Management Protocol
Remote management of networked devices
Client: network manager
Server: remote agent
Management Information Base (MIB)
– MIB includes: config, operational status, performance
Requests
– get: retrieve a data object from the MIB
– get-next: retrieve next data object from MIB
– set: set a data object in the MIB
– trap: error message sent from remote agent on port 162

SNMP Authentication
v1: passwords (community names)
– Default passwords never changed in most cases
– Transmitted as cleartext
v3: User Security Model (USM)
– authKey used for hash-based authentication
– privKey used for encrypting packets
– Encrypted timestamps used to avoid UDP replay attacks

SNMP demo
> snmpwalk -c public -v 1 sun15 system
SNMPv2-MIB::sysDescr.0 = STRING: Sun SNMP Agent, Sun-Blade-100
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.42.2.1.1
SNMPv2-MIB::sysUpTime.0 = Timeticks: (1323311123) 153 days, 3:51:51.23
SNMPv2-MIB::sysContact.0 = STRING: System administrator
SNMPv2-MIB::sysName.0 = STRING: sun15
SNMPv2-MIB::sysLocation.0 = STRING: System administrators office
SNMPv2-MIB::sysServices.0 = INTEGER: 72

SNMP Recommendations
Disable SNMP unless required
– SNMP runs on MS Windows, UNIX, some printers, and on many network appliances like switches and routers.
Change community strings from default values:
– public: read-only access
– private: read-write access
Block SNMP traffic from outside.
Segregate network management traffic.

TCP port 512: rexec
Remote execution daemon
Specify username, password, command to run.
Security issues
– Cleartext passwords can be sniffed
– Offers separate messages for invalid username and invalid password
Recommendation: disable, use ssh instead.

TCP ports 513, 514: rshd, rlogind
rlogin: remote terminal service like telnet.
rshd: remote command execution
– Obtains username from client host
Trusted hosts/users can login w/o passwords
– ~/.rhosts and /etc/hosts.equiv
Recommendation: disable, use ssh instead.

UDP port 514: syslogd
Remote logging service.
Configured using /etc/syslog.conf:
*.err;kern.notice    /dev/console
*.err                @loghost
*.*                  /var/adm/messages
*.alert;kern.er      operator
*.alert;user.none    root
*.emerg;user.none    *
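Reading a syslog.conf correctly matters for both logging coverage and detection: a message that reaches no action leaves no trace. The added example below (not from the slides or from any syslogd) evaluates selectors of the form shown above against a message's facility and priority and returns the actions it reaches. The semantics implemented: "facility.priority" selects that priority and every more severe one, "*" stands for any facility or any priority, "none" drops a facility, and within one ";"-joined selector list a later selector for the same facility overrides an earlier one (that is what makes "*.alert;user.none" exclude the user facility). The configuration in the block is constructed, modelled on the slide's.

```python
"""Evaluate syslog.conf selectors: which actions does a message reach?

Added example, not from the slides or from any syslogd. CONF is constructed.
"""
# Most severe first; a selector's priority means "this one or more severe".
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

CONF = """\
# constructed /etc/syslog.conf, modelled on the slide
*.err;kern.notice        /dev/console
*.err                    @loghost
*.*                      /var/adm/messages
*.alert;kern.err         operator
*.alert;user.none        root
auth,authpriv.info       /var/log/authlog
"""


def parse_conf(text):
    """[([selector, ...], action), ...] for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        rules.append((selectors.split(";"), action.strip()))
    return rules


def actions_for(rules, facility, priority):
    """Actions a message with this facility/priority reaches, in file order."""
    if priority not in PRIORITIES:
        raise ValueError("unknown priority %r" % priority)
    severity = PRIORITIES.index(priority)
    hits = []
    for selectors, action in rules:
        selected = False
        for sel in selectors:             # later selectors override earlier ones
            facs, _, pri = sel.partition(".")
            fac_list = facs.split(",")
            if "*" not in fac_list and facility not in fac_list:
                continue                  # selector concerns other facilities
            if pri == "none":
                selected = False
            elif pri == "*":
                selected = True
            else:
                selected = severity <= PRIORITIES.index(pri)
        if selected:
            hits.append(action)
    return hits
```

A useful defensive check with this function is to walk every facility/priority pair and confirm each one reaches at least one durable action (a file or a remote loghost) rather than only the console.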

UDP port 520: RIP
Routing Information Protocol
RIPv1 has no security
RIPv2 offers shared key security
– Unsigned routes not accepted.
Recommendation:
– Use static routes if you only have one gateway.

XWindows
Network-based windowing system
– server: a graphical display running X server (TCP ports 6000-6063)
– client: any X-based program (xclock, xterm)
X security
– All or nothing: client can access server or not
– Several different ACL systems.
– If a client has access to a display, they can:
  • Log keystrokes (xscan)
  • View any window (xwatchwin)

X Access Control Systems
xhost
– List of hosts whose clients can access server
– xhost +(host) adds host to ACL
– xhost -(host) removes host from ACL
MIT-MAGIC-COOKIE-1
– Restricts access to processes that supply 128-bit cookie to server when requesting connection.
– Cookie stored in ~/.Xauthority file.
– Cookies transmitted in clear text.
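To make the MIT-MAGIC-COOKIE-1 mechanism concrete, the added example below (not from the slides and not Xlib's or xauth's code) generates a 128-bit cookie from the OS random source, stores it in the record layout ~/.Xauthority uses (a big-endian 16-bit address family followed by four length-prefixed byte strings: address, display number, authorization name, authorization data), reads it back, and performs the server-side check with a constant-time comparison. The host name, display numbers and the stale second record are constructed; nothing is written to disk.

```python
"""Generate, store, look up and verify an MIT-MAGIC-COOKIE-1 cookie using the
~/.Xauthority record format.

Added example, not from the slides or from Xlib/xauth. Values are constructed.
"""
import hmac
import os
import struct

FAMILY_LOCAL = 256          # xauth's FamilyLocal: address is a host name
AUTH_NAME = b"MIT-MAGIC-COOKIE-1"


def new_cookie():
    """128 bits from the OS CSPRNG, the size MIT-MAGIC-COOKIE-1 uses."""
    return os.urandom(16)


def pack_entry(family, address, number, name, data):
    """One .Xauthority record: family, then four 16-bit-length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out


def unpack_entries(blob):
    """Yield (family, address, number, name, data) for each record in blob."""
    pos = 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields.append(blob[pos:pos + n])
            pos += n
        yield (family, *fields)


def lookup_cookie(blob, address, number):
    """The MIT-MAGIC-COOKIE-1 data for a display, or None."""
    for _family, addr, num, name, data in unpack_entries(blob):
        if addr == address and num == number and name == AUTH_NAME:
            return data
    return None


def authorize(blob, address, number, presented):
    """Server-side check. hmac.compare_digest keeps the comparison time
    independent of how many leading bytes match."""
    expected = lookup_cookie(blob, address, number)
    return expected is not None and hmac.compare_digest(expected, presented)


def build_xauthority(host, display, cookie):
    """Constructed two-record file: a stale all-zero cookie for display 1
    and the current cookie for `display`."""
    stale = pack_entry(FAMILY_LOCAL, host, b"1", AUTH_NAME, b"\x00" * 16)
    return stale + pack_entry(FAMILY_LOCAL, host, display, AUTH_NAME, cookie)
```

The slide's last point still applies to this scheme: the cookie the client presents travels in the clear over a TCP display connection, which is why the later slides recommend tunnelling remote X over ssh.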

X Access Control Systems
XDM-AUTHORIZATION-1
– Creates 56-bit DES key and 64-bit random authenticator in ~/.Xauthority file.
– Each client uses DES key to encrypt 192-bit packet sent to X server to validate connection.
SUN-DES-1
– Encrypts communication to X server using X server's public key.
– xhost user@host
– Requires Sun Secure RPC (Solaris)

X Access Control Systems
MIT-KERBEROS-5
– Uses Kerberos ticket and encryption system.
– xhost krb5:username
Recommendations:
– Use MIT-MAGIC-COOKIE or better
– Use "xhost -" if only xhost available.
– Tunnel remote X connections over ssh
  • Set X11Forwarding option to "yes"

Key Points
• UNIX Accounts and ACLs.
• UNIX Services
  – Boot-time: started by init.
  – Runtime: started by inetd.
  – Automatic: started by cron.
• Network service security
  – Avoid using insecure services.
  – Disable all unused services.