A.Davous, 01/02/2009
FOREWORD
No absolute security as long as the system is accessed.
In system administration, the evil is in the details.
For questions, contact antoine.davous@aviler.com with [ESGI] in the subject field ; otherwise the mail will be treated as spam by server rules.
A.Davous, 01/02/2009 Unix Security Advanced Admin 2
INTRODUCTION
UNIX FLAVORS
COMMON SENSE RULES OF SECURITY
HOW SECURITY IS COMPROMISED
UNIX DAEMONS, SERVICES AND SERVERS
HANDS-ON : SUN VIRTUAL BOX
WELL-KNOWN EXAMPLES
Sendmail debug command mode : as sendmail runs with setuid root, a user can run any command with root power (try sudo and vi !...)
Command passwd -f : no control of the entered GECOS field, so a user can add any new line to the password file
Buffer overflow is a variant : a user can execute shellcode (to get a root shell) previously saved at some memory address, for programs that accept any input without control (exploit)
SYN flooding : by sending a high rate of TCP open session requests (SYN), the server fills its queue with half-open session data
SQL injection : an SQL request to the database may be forged to execute malicious code
Time line (figure) : Solaris and Linux releases ; years 2001, 2003, 2005, 2008 ; Linux milestones : Kernel 2.4, Fedora Core, Kernel 2.6, Fedora 10
A.Davous, 17/09/2008
WELL-KNOWN ATTACKS
Name                      Category         Definition
Sniffing                  Network          Get information from network transactions
Spoofing or masquerading  Network
Denial of service         Network
Replaying                 Authentication
Repudiation               Authentication
Spam                      Mail
Phishing                  Mail
Hoax                      Mail
Dictionary                Password
Brute force               Password
Social engineering        All
Bomb
Exploit
Most of these can be detected locally (by signature) except some exploits that can be detected at network level (firewall)
STRATEGIES
Strategies :
- Accept the threat but have a recovery plan
- Reduce the threat by appropriate means
- Transfer the threat to a vendor
- Bypass the threat by blocking access
Understanding is key : example of the mail user privilege
Protect all layers : example of firewalls
Reduce the exposed surface
Protect, but detect and answer : administrate !
Security is, or must be, part of conception, operation and deployment
HOW TO DO
In-depth (passive) protection :
- (Physical premises access)
- Network filtering
- Passwords
- Encryption
- Backup
(Active) security process :
- Monitor and add corrections
- Full audit
- Upgrade
SECURED DESIGN
Open design or secret design debate (hidden flaws, issues discovered by the community, provocation to exploits)
Common breaches :
- Least user access (chroot as solution)
- Buffer overflow
- Printf function (insert conversion keys into the string)
- Web programming (URL forging)
- Transactions, client/server (man-in-the-middle ; encryption and hashing as solutions)
REMINDER : PROCESSES
Processes have four identities : real (for accounting) and effective (for access permissions) UID and GID ; usually the same, except with the setuid or setgid bit set
Command ps
Find setuid and setgid files over the system : find / -type f -perm /u+s,g+s -ls
Kinds of processes :
- Interactive, controlled with & (run in background), ^Z (stop job), bg (restart in background), jobs (list current jobs)
- Batch
- Daemons
Description
- First process
- Syslog logging
- Mail MTA (Mail Transfer Agent)
- Print scheduler
- Cron process scheduler
- Terminal support
- Disk buffer management
- Swap management
- Main daemon to start on-demand TCP/IP services such as telnetd, ftpd, rshd ; see /etc/inetd.conf
- Bind DNS (Dynamic Name Resolution)
- TCP/IP routing daemons
- DHCP (Dynamic Host Configuration Protocol)
- Port service resolution for RPC (Remote Procedure Call)
- NFS (Network File System)
- Samba
- httpd
- timed, ntpd, xntpd
init DAEMON
First process to run after system boot ; always has PID 1 and is the ancestor of all other processes
After startup, init consults /etc/inittab (or /etc/ttys for BSD) to determine on which physical ports it should expect users to log in (getty processes, even though network daemons are largely used today, or xdm for the graphical interface)
Also takes care of zombie processes (not running but still listed)
init defines run levels (passed as argument to it from the boot loader) : 0 to 6 and s (single-user)
An additional layer is given by the startup scripts in /etc/init.d, linked to start and stop scripts in /etc/rcX.d
Solaris x86/64                                            Linux
ROM BIOS                                                  ROM BIOS
MBR of boot device                                        MBR of boot device
Boot loader (GRUB since 5.10, see /boot/grub/menu.lst)    Boot loader
Device configuration : touch /RECONFIGURE                 Device configuration
Level 0 : shut down (init 0)                              Level 0 : shut down (init 0)
Level 1 or S : single user (init s)                       Level s : the same
Level 6 : reboot (init 6)                                 Level 6 : reboot (init 6)
Scripts management : none, or see 5.10                    Scripts management : chkconfig
Configuration : /etc/default                              Configuration : /etc/sysconfig
Multiuser mode                                            Multiuser mode
Shutdown :                                                Shutdown :
/usr/sbin/shutdown -g secs -i6 (reboot)                   /usr/sbin/shutdown -r secs (reboot)
/usr/sbin/shutdown -g secs -i0 (shut down)                /usr/sbin/shutdown -h secs (shut down)
/usr/sbin/shutdown -g secs -iS (single user)              /usr/sbin/shutdown -f secs (skip scandisk)
OTHER CONCEPTS
Command dmesg
Core dump : ulimit -c
Path :
- try not to modify the root profile PATH variable
- do not set an empty entry or . in the PATH variable
- in scripts (and configurations like cron), always use the full path for commands (as variables at the beginning)
Disk quotas may be used to isolate an application (vs. their original purpose)
vi and other editors : dump files feature
History of shell commands
who -r
cp -p
ANSWERS TO QUESTIONS - 1
Gentoo (2003) : visible on the time line ; derives from Enoch (1999), which was built from scratch. Compiles on installation, taking into account the processor instruction set.
ESCAPING TO SHELL WITH VI, MORE
Type : (colon) to get into command mode, then ! (exclamation mark) to run any shell command
locate / updatedb
Searches a pattern ( *file* ) instead of a filename ( file )
locate ntp == find / -name '*ntp*'
locate -b '\ntp' == find / -name ntp
History length : on sh or bash this is set with $HISTSIZE (tcsh : $HISTORY). See the following profiles slide and the hands-on (depending on the shell, use man, setenv or printenv)
ANSWERS TO QUESTIONS - 2
grep
# egrep pattern file(s)
Shows filenames and lines that match [ filename: line ]
# egrep -L pattern file(s)
Lists files that do not contain any matching line
awk
# ifconfig -a | awk 'BEGIN {printf "%-4s %-19s %-15s\n","If","MAC","IP"} / Link/ {a=a+1 ; printf "%.4s %17s",$1,$5 ; getline ; printf "%15s\n",substr($2,6,15)} END {print "Total nbr:", a}'
If   MAC                 IP
eth0 00:09:5B:BD:FA:D2     192.168.0.1
eth1 00:0E:A6:9F:7C:AA     89.156.6.39
lo                           127.0.0.1
Total nbr: 3
Main shells   Startup   Upon termination                                        Other
sh                      Any command or script specified using trap command 0
tcsh                    .logout (login shells)                                  .history (saves history based on "$savehist")
                                                                                .cshdirs (saves directory stack)
bash                    .bash_logout (login shells)                             .inputrc (readline initialization)
Crack
Locations : /usr/share/crack ; /usr/libexec/crack ; /usr/bin
Quick-start commands :
# umask 077
# ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
# Crack -nice 5 /root/unshadp
# CrackReporter
Results in the ~/run directory
John
Locations : /usr/share/john ; /usr/libexec/john
Quick-start commands :
# umask 077
# unshadow /etc/passwd /etc/shadow > /root/unshadp
# john [--rules --wordfile=FILE] /root/unshadp
Results in ~/john.pot
c/s: 4880
trying: Sunshine1
^C
password: cathy
c/s: 4891
trying: decembers
^C
password: djk7sdf
0 time: 0:00:00:34 37% (2) c/s: 4886 trying: blondie?
^C
ALL = (ALL) ALL
fs1 = /sbin/mount, /mnt/cdrom
FILESERVERS = SOFTWARE
fs2 = (operator) /bin/ls
The most important : the sudoers config should be set up to span multiple servers (by simple file transfer and copy)
Last : the user dgb may run /bin/ls, but only as operator, e.g. # sudo -u operator /bin/ls
(reminder : /etc/services)
Even though (x)inetd is a mandatory service (think about installing embedded servers with no SSH package installed yet), the services it controls are more and more disabled for security reasons. Why ? For example, telnet and FTP send clear-text passwords !
Other : installation with core, verbose mode
TCPWRAPPERS
Package that secures connections to given well-known services : those handled by (x)inetd for sure, but others too (SSH). Which ones ? For the sshd example :
# strings -f /sbin/sshd | grep hosts_access
/usr/sbin/sshd: hosts_access
(YES ! If no line is returned, no)
TcpWrappers is transparently inserted between the network and the service ; it adds access control and logging features
Binary : tcpd, but not a daemon (invoked at connection time). This is why there is no service to restart after a configuration modification
Configuration files : /etc/hosts.allow /etc/hosts.deny
Syntax of configuration lines : service_list : host_list [ : (command to log) ]
host_list may be a hostname, a list, an IP address or network, a keyword (ALL, LOCAL), but never use EXCEPT as shown in the documentation
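Added example (not from the course slides) : a small shell emulation of the tcpd decision order described above (hosts.allow first, then hosts.deny, otherwise allow), so that a rule set can be checked before it is copied to a server. The rule text and the client addresses are constructed for the example, and only the host patterns used in it are supported (ALL, an exact host or address, a dotted network prefix ending in ".") ; the real /etc/hosts.allow and /etc/hosts.deny are never read.

```shell
#!/bin/sh
# Added example, not code from the course slides: emulate tcpd's lookup
# order (hosts.allow, then hosts.deny, else allow) on constructed rules.
# Only these host patterns are handled: ALL, an exact host/address, and
# a dotted network prefix ending in "."  Nothing under /etc is read.

ALLOW_RULES='# constructed sample hosts.allow
sshd : 192.168.0., 10.1.1.7
in.ftpd, in.telnetd : 192.168.0.20 : spawn /bin/echo "%d from %h" | logger'
DENY_RULES='# constructed sample hosts.deny
ALL : ALL'

# match_token PATTERN CLIENT : succeeds when PATTERN covers CLIENT
match_token() {
    pat=$1; client=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$client" ] && return 0 ;;
    esac
    return 1
}

# rules_match RULES SERVICE CLIENT : succeeds when a "services : hosts"
# line in RULES names both the service and the client
rules_match() {
    rules=$1; service=$2; client=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                    # drop comments
        case "$line" in *:*) ;; *) continue ;; esac
        services=${line%%:*}
        rest=${line#*:}
        hosts=${rest%%:*}                   # optional third field (command) ignored
        svc_hit=1
        for s in $(printf '%s' "$services" | tr ',' ' '); do
            if [ "$s" = ALL ] || [ "$s" = "$service" ]; then svc_hit=0; fi
        done
        [ $svc_hit -eq 0 ] || continue
        for h in $(printf '%s' "$hosts" | tr ',' ' '); do
            match_token "$h" "$client" && return 0
        done
    done <<EOF
$rules
EOF
    return 1
}

# access_decision SERVICE CLIENT : prints ALLOW or DENY in tcpd order
access_decision() {
    if rules_match "$ALLOW_RULES" "$1" "$2"; then echo ALLOW
    elif rules_match "$DENY_RULES" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

# constructed probes: run stand-alone to see the decision for each
for probe in "sshd 192.168.0.15" "sshd 10.1.1.8" "in.telnetd 192.168.0.20" "in.telnetd 192.168.0.21"; do
    set -- $probe
    printf '%-12s %-15s %s\n' "$1" "$2" "$(access_decision "$1" "$2")"
done
```

With "ALL : ALL" in the deny rules, anything not explicitly listed in the allow rules is refused, which is the usual default-deny layout ; note that a client matching nothing in either file would be allowed, which is why the deny file should never be left empty.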
Where root can directly log in : configurable in /etc/securetty
Security : should all be disabled (by commenting with #) except console and/or tty1
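Added example (not from the course slides) covering the password-cracking slide and the securetty point above : before running Crack or John, two cheap checks already find accounts with an empty password field or a non-hashed second field in shadow-format data, and list the terminals /etc/securetty still lets root use beyond console and tty1. All input here is constructed sample data with made-up hash values ; the live /etc/shadow and /etc/securetty are never read.

```shell
#!/bin/sh
# Added example, not code from the course slides: local account checks
# on constructed sample data. Hashes below are placeholders, not real.

SAMPLE_SHADOW='root:$6$saltsalt$constructedhashvalue01:17000:0:99999:7:::
alice:$6$abcdefgh$constructedhashvalue02:17000:0:99999:7:::
guest::17000:0:99999:7:::
bob:!$6$abcdefgh$constructedhashvalue03:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
svc:P@ssw0rd:17000:0:99999:7:::'

SAMPLE_SECURETTY='console
tty1
# tty2
tty3
ttyS0'

# shadow_findings : reads shadow-format lines on stdin and prints
# "user:finding" for entries that need attention :
#   empty-password -> login possible without any password
#   not-a-hash     -> second field is neither a crypt(3) hash nor a lock marker
shadow_findings() {
    awk -F: '
        $2 == ""                  { print $1 ":empty-password"; next }
        $2 ~ /^[!*]/              { next }          # locked or disabled account
        $2 !~ /^\$[0-9a-zA-Z]+\$/ { print $1 ":not-a-hash" }
    '
}

# securetty_extra : reads securetty lines on stdin and prints every active
# entry other than console and tty1 (the two the slide says to keep)
securetty_extra() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' | grep -v '^$' | grep -v -x -e console -e tty1
}

echo "shadow findings:"
printf '%s\n' "$SAMPLE_SHADOW" | shadow_findings
echo "securetty entries beyond console/tty1:"
printf '%s\n' "$SAMPLE_SECURETTY" | securetty_extra
```

On a real host the same functions take `/etc/shadow` and `/etc/securetty` on stdin (as root) ; an account reported as empty-password needs locking with `passwd -l` before any cracking run is even worth starting.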
Service ports (table, partially recovered) : Kerberos ; POP-3 ; RPC ; AD : 3268, 3269
PORT SCANNING
TCP port scanning
Normal handshake, port open : SYN, SYN+ACK, ACK
Normal handshake, port closed : SYN, RST+ACK (note : this is logged !)
Half-open SYN scan, port open : SYN, SYN+ACK, RST
Half-open SYN scan, port closed : SYN, RST+ACK (note : this may not be logged, but usually is)
Anyhow, some systems (FW) will think about SYN flooding, so nmap can be used with the -T option to slow down the flood
Probe = malformed TCP packet (i.e. FIN probe with the FIN flag set, XMAS probe with the FIN, URG, PUSH TCP flags set, NULL probe with no TCP flag set)
Stealth TCP scan, port open : TCP probe, no response (this is garbage)
Stealth TCP scan, port closed : TCP probe, RST+ACK (notes : also named inverse TCP flag scan ; Windows does not respect the standard and does not send RST from a closed port ; nmap has an option for each kind of probe : -sF, -sX, -sN)
Some other techniques : analysis of ACK probe, TTL field, window field
UDP port scanning
UDP probe, port open : UDP probe, no response
UDP probe, port closed : UDP probe, ICMP destination port unreachable (note : nmap option -sU)
Using specific UDP service clients to test a server is not realistic for a large number of ports
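Added example (not from the course slides) : the detection side of the scan behaviours listed above, run over constructed iptables LOG lines. A source sending SYN-only segments to many distinct ports looks like a half-open scan ; a TCP segment carrying neither SYN nor ACK nor RST looks like a FIN, XMAS or NULL probe. The log prefix "FW-IN:", the addresses and the port threshold are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the course slides: flag probable port
# scanners in constructed iptables LOG lines (prefix, hosts and threshold
# are assumptions for the example).

SAMPLE_LOG='Feb  1 10:00:01 host kernel: FW-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 10:00:01 host kernel: FW-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.1 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 10:00:01 host kernel: FW-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.1 PROTO=TCP SPT=40003 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 10:00:01 host kernel: FW-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.1 PROTO=TCP SPT=40004 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 10:00:02 host kernel: FW-IN: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.0.1 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  1 10:00:02 host kernel: FW-IN: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.0.1 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Feb  1 10:00:03 host kernel: FW-IN: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.0.1 PROTO=TCP SPT=60001 DPT=111 WINDOW=1024 RES=0x00 FIN URGP=0
Feb  1 10:00:03 host kernel: FW-IN: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.0.1 PROTO=TCP SPT=60002 DPT=111 WINDOW=1024 RES=0x00 URGP=0
Feb  1 10:00:04 host kernel: FW-IN: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.0.1 PROTO=UDP SPT=53000 DPT=53 LEN=40'

# scan_suspects MIN_PORTS : reads log lines on stdin and prints, per source,
# "<src> syn-probes distinct-ports=<n>" when n >= MIN_PORTS, and
# "<src> stealth-probes count=<n>" for FIN/XMAS/NULL-style segments
scan_suspects() {
    awk -v min="$1" '
    {
        src = ""; dpt = ""; proto = ""; syn = 0; ack = 0; rst = 0
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i == "SYN")    syn = 1
            else if ($i == "ACK")    ack = 1
            else if ($i == "RST")    rst = 1
        }
        if (proto != "TCP" || src == "" || dpt == "") next
        if (syn && !ack) {                 # connection attempt: count distinct ports
            key = src SUBSEP dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        if (!syn && !ack && !rst)          # no SYN, ACK or RST: FIN, XMAS or NULL probe
            stealth[src]++
    }
    END {
        for (s in ports)   if (ports[s] >= min) printf "%s syn-probes distinct-ports=%d\n", s, ports[s]
        for (s in stealth) printf "%s stealth-probes count=%d\n", s, stealth[s]
    }'
}

printf '%s\n' "$SAMPLE_LOG" | scan_suspects 3
```

A normal client (10.0.0.7 here) sends one SYN to one port and then ACKs, so it never reaches the threshold ; the half-open scanner and the FIN/NULL prober are reported separately because, as noted above, the stealth probes may not show up in connection logs at all and only a packet-level log catches them.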
REMINDER : NETWORK
TCP/IP layers :
- application : telnet, NFS, DNS, FTP, SSH
- transport : TCP, UDP
- internet (OSI network) : IP, ICMP
- network access (Ethernet, ARP) : MAC address, 48 bits, the first 24 being the OUI (Organizationally Unique Identifier)
Service = transport protocol (TCP or UDP) + port
/etc/protocols associates an internet protocol (OSI network layer) with a protocol identifier
/etc/services associates a transport protocol (transport layer) with a port number
IPv6 : 128-bit address (first 48 bits for the ISP (FAI), end for the MAC)
Compatible IPv4 (::FFFF:a.b.c.d) ; loopback is ::1 ; broadcast is FF02::1
http://www.potaroo.net/tools/ipv4/index.html
TOOL: WIRESHARK - 1
Other well-known tool : tcpdump (we'll see it later) ; Wireshark can import a tcpdump dump file or a snoop (Sun) dump file
Open-source and modular conception : you can add your own decoder
Related to sniffing, but many other obscure tools are used in real life by hackers
Promiscuous mode, i.e. listen to all frames on the LAN (libpcap needed ; WinPcap for the Windows environment)
Can be used in text mode without GUI, but not recommended (in line mode, use tcpdump instead, with the -o option to export the dump to Wireshark)
Configurable columns (Edit, Preferences)
Filtering : when capturing (lot of options) or viewing (also) ; can work as a ring buffer with triggers
Important options :
- Resolutions : MAC, network, transport ; network resolution should be avoided as it creates new traffic
- Fragmented IP packets are reassembled by default, but configurable (Edit, Preferences, IP protocol options)
- Analyze, Follow TCP stream : useful to present a TCP session in one window
Rich statistics options
Rich export and presentation options
TOOL: WIRESHARK - 2
FIELD               TYPE               MEANING
ip.addr             IPv4 address       Source or destination IP address
ip.dst              IPv4 address       Destination IP address
ip.flags.df         Boolean            Don't fragment flag
ip.ttl              Unsigned integer   Time to live
http.request        Boolean            HTTP request
icmp.type           Unsigned integer   ICMP command type
ftp.response.data   Characters string  FTP data
dns.response        Boolean            DNS response

FILTER                                         MEANING
ip.addr == 192.168.10.2                        All packets coming from or going to host 192.168.10.2
(ip.addr == 192.168.10.2) && (dns.response)    All packets coming from or going to host 192.168.10.2 which are DNS responses
REMINDER : FILES
In Unix everything is a file (I/O from files or from peripherals is the same)
In Unix, a file belongs to a user AND to a group (no mandatory relationship between both) ; a user can belong to many groups ; so, giving access to a set of files or commands belonging to a group is done by adding the user to the group
When a file is created, it belongs to the user who created it and to that user's group, except if the upper directory is setgid (BSD style)
Commands : chown [-R], chgrp, chmod
Access rights for files (directories) : r read (can ls it), w write (can delete/rename files inside), x execute (can cd into) ; to be executable, a shell script needs rx, a binary only x
umask 022 command in profile files to set the permissions of new files
Special access :
- t sticky bit (can write in a dir but not delete files there ; /tmp)
- s setuid bit (sets the resource access of the process to the owner, not to the one who runs it)
- s setgid bit (for a file, sets the resource access of the process to the owning group, not to the one who runs it ; for a dir, see above)
find / [-user root] -xdev -perm {-4000 | -2000}
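Added example (not from the course slides) serving both the process reminder's setuid/setgid search and the file reminder above : the find test from the slides turned into a baseline comparison that reports privileged files appearing after the baseline was taken, plus a probe showing what umask does to a new file. Everything runs inside a temporary directory built here, so it needs no root and never scans the real / ; the tree layout and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the course slides: setuid/setgid baseline
# comparison and umask probe on a constructed tree in a temp directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# list_special ROOT : setuid or setgid regular files under ROOT, sorted,
# staying on one filesystem (same test as find / -type f -perm /u+s,g+s)
list_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# new_special BASELINE ROOT : special files present now but absent from
# the saved BASELINE listing
new_special() {
    list_special "$2" | comm -13 "$1" -
}

# umask_mode MASK : permission string a new regular file gets under MASK
umask_mode() {
    rm -f "$WORK/umask_probe"
    ( umask "$1" && : > "$WORK/umask_probe" )
    ls -l "$WORK/umask_probe" | cut -c1-10
}

# constructed sample tree : two expected privileged binaries, one normal one
mkdir -p "$WORK/usr/bin" "$WORK/tmp"
: > "$WORK/usr/bin/passwd"; chmod 4755 "$WORK/usr/bin/passwd"
: > "$WORK/usr/bin/wall";   chmod 2755 "$WORK/usr/bin/wall"
: > "$WORK/usr/bin/ls";     chmod 0755 "$WORK/usr/bin/ls"
list_special "$WORK" > "$WORK/baseline.txt"

# later : an unexpected setuid file appears under tmp (constructed)
: > "$WORK/tmp/.x"; chmod 4755 "$WORK/tmp/.x"

# count_new : number of special files not covered by the baseline
count_new() { new_special "$WORK/baseline.txt" "$WORK" | wc -l | tr -d ' '; }

echo "baseline:"; cat "$WORK/baseline.txt"
echo "new since baseline:"; new_special "$WORK/baseline.txt" "$WORK"
echo "umask 022 -> $(umask_mode 022), umask 077 -> $(umask_mode 077)"
```

On a real system the baseline is taken right after installation (`find / -xdev ...` as root, stored off-host), and the comparison is re-run from cron ; a setuid file under /tmp or a home directory is exactly the kind of finding the sticky-bit and setuid notes above warn about.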
SERVICES- COMPLEMENTS
Commands : init 0, init 6, init s ; ps -ef ; kill -<signal> ; pgrep, pkill ; <service-script> start|stop|restart (service startup script)
Command chkconfig (specific to Fedora) :
usage: chkconfig --list [name]
       chkconfig --add <name>
       chkconfig --del <name>
       chkconfig --override <name>
       chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>
chkconfig header in startup scripts
And finally, the system-config-services GUI applet, specific to Linux
Command service and the semi-graphical GUI sysvconfig, both specific to Debian
NETWORK COMMANDS
hostname (nodename)
ifconfig
ping
arp [-n] [-a] ...
netstat [-rn] ...
route [add | del] ...
traceroute
nslookup, dig
                    Solaris                              Linux
Startup script      /etc/hostname.hme0                   /etc/init.d/network (/sbin/ifup)
                    /etc/init.d/network
DHCP activation     touch /etc/dhcp.hme0                 BOOTPROTO=dhcp in /etc/sysconfig/network-scripts/ifcfg-eth0
                    Config in /etc/default/dhcpagent
Daemon              dhcpagent                            dhcpd
Client lease file   /etc/dhcp/hme0.dhc                   /etc/dhcp/dhcpd-eth0.info
USEFUL LINKS
http://www.dwheeler.com/secure-programs/ : Secure Programming for Linux and Unix HOWTO
www.cpan.org : Perl packages and more
http://www.sun.com/software/security/jass : Sun's JASS Solaris Security Toolkit
http://www.digilife.be/quickreferences/quickrefs.htm : Quick Reference Cards, useful for those related to Unix
http://www.cert.org/cert/ : CERT security information
http://www.auscert.org.au/5816 : AusCERT Unix and Linux Security Checklist v3.0
http://www.protocols.com/pbook/tcpip1.htm#MAP : RADCOM protocols.com web site (protocols map)
BIBLIOGRAPHY
Unix System Administration Handbook - Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein - Prentice Hall. English. Third edition 2001. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD). 854 p.
Essential System Administration - Aeleen Frisch - O'Reilly. English, but French version available (Les bases de l'administration système). Third edition 2002. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD, Tru64). 1172 p.
TCP/IP Illustrated, volume 1 - Richard Stevens - Addison-Wesley. English, but French version available (TCP/IP illustré - Vuibert). A must for TCP/IP matters. No OS privileged, but Unix foundations. 592 p.
TCP/IP Network Administration - Craig Hunt - O'Reilly. English, but French version available. Third edition 2002. Covers RedHat and Solaris. 772 p.
Network Security Assessment - Chris McNab - O'Reilly. English. Second edition 2007. Covers Unix and Windows from the network services breaches perspective. 478 p.
GNU/Linux Fedora, Spécial Sécurité - Huet-Verhille - ENI Editions. French. First edition 2007. Focuses on Fedora (as it is a natively secured OS). 342 p. 39 €. Recommended for this course.
VirtualBox, virtualization
EasyBCD, Windows Vista bootloader utility : http://neosmart.net/
Apache JMeter, HTTP workbench : http://jakarta.apache.org/jmeter/