George M. Doss
ISBN 1-55622-773-6
All inquiries for volume purchases of this book should be addressed to Wordware Publishing, Inc.,
at the above address. Telephone inquiries may be made by calling:
(972) 423-0090
Contents
Introduction . . . xiii
Components of a Good Security Policy . . . 27
Policy Flexibility . . . 28
Security Management System . . . 28
Services and Security Policy . . . 28
Procedures and Security Policy . . . 30
Incident Handling and Security Policy . . . 34
Responsibility and Security Policy . . . 35
Maintenance and Security Policy . . . 36
Tools and Security Policy . . . 36
Password Security Policy Framework . . . 36
Workstation with Internet Access . . . 69
The User and the Security Management System . . . 69
Chapter 8 Internet . . . 120
Internet Overview . . . 121
Basic Internet Definitions . . . 121
Basic Programs Available for the Internet Server . . . 123
Basic Steps in Setting Up an Internet Server . . . 123
Dial-up IP Protocol Driver (dip) Functionality . . . 124
Dummy Interface . . . 124
Security and Serial Communication Devices . . . 125
DNS Tools . . . 125
File Transfer Protocol (FTP) Service . . . 126
The /etc/hosts File . . . 128
The /etc/services File . . . 128
Important File Locations for Internet Services . . . 128
Red Hat Linux Packages that Support Internet Services . . . 129
Firewall Server Overview . . . 130
Important Networking Options for a Firewall . . . 131
Firewall Security . . . 131
Basic Steps for Masquerading a Firewall . . . 134
File Transfer Protocol (FTP) Security . . . 135
Mail Security . . . 135
Telnet Security . . . 137
Security for Web Development . . . 137
Web Protocols and Security . . . 138
TCP/IP Considerations . . . 142
Serial Line Internet Protocol (SLIP) . . . 146
Basic Steps for IP Interface Configuration . . . 147
Parallel Internet Protocol (PLIP) . . . 147
Adding an Ethernet Interface . . . 147
Point-to-Point Protocol (PPP) Considerations . . . 148
Documentation . . . 149
DNS RFCs . . . 149
Firewalling RFCs . . . 150
IPv6 RFCs . . . 150
PPP RFCs . . . 150
TCP/IP RFCs . . . 151
WWW Server RFCs . . . 151
HOWTOs and Internet Functionality . . . 152
Chapter 9 Peripherals . . . 153
Printers . . . 154
Fax Machines . . . 155
General Hardware Information . . . 155
Identifying the Mouse . . . 157
Setting up Serial Communication Devices . . . 157
Modems . . . 158
Checking for the CD-ROM Driver . . . 159
Ethernet Devices . . . 159
HOWTOs on Hardware Devices . . . 159
Hardware Device Man Pages . . . 160
Network File System (NFS) Management . . . 162
Remote (r-) Commands . . . 167
Chapter 11 Networking . . . 169
Overview of the tcpd System . . . 170
Secure Shell (SSH) . . . 171
Service and Process Management . . . 172
Important Networking Commands . . . 176
Networking Daemons . . . 177
Automating Tasks . . . 178
Using the linuxconf Tool . . . 178
Shutting Down a Network . . . 178
Preparing for a System Crash . . . 179
Checking the Storage Space . . . 180
Basic Strategy for Keeping a System Up to Date . . . 180
Networking Requests for Comments . . . 180
Package Support for Basic Networking . . . 185
Man Pages and Networking Management . . . 185
Chapter 13 Standards . . . 195
ISO Standards . . . 195
BS7799 Information Security Management . . . 196
NIST Special Publication 800-7 . . . 196
Federal Information Processing Standards (FIPS) . . . 202
Chapter 14 Audits . . . 204
Audit Plan . . . 205
Auditing Tools . . . 208
Data Collecting . . . 209
Audit Process . . . 210
Important RFCs . . . 211
Chapter 15 Authentication . . . 214
Authentication Defined . . . 214
Authentication Techniques . . . 215
Basic HTTP Authentication . . . 218
Host-Based Authentication . . . 218
Pluggable Authentication Modules . . . 218
Authentication RFCs . . . 219
Future Development of Authentication . . . 221
Biometrics . . . 221
Smart Cards . . . 222
Internet Authentication Security Issues . . . 222
Chapter 16 Encryption . . . 224
Encryption Defined . . . 224
Cryptographic Software Criteria . . . 225
Encryption Software Benefits . . . 226
Secure Shell (SSH) . . . 226
Data Encryption Standard (DES) . . . 227
Password Shadowing . . . 228
Encryption in a Mixed OS Environment . . . 231
Internet Sites and Resources . . . 232
This is the third book in this series on Red Hat Linux. I would
like to thank the very fine people at Wordware Publishing in
their professional efforts to take my draft and make an
engaging viewing experience. The two people responsible for
this are Martha McCuller, interior design; and Alan McCuller,
cover design. In addition, editor Beth Kohler has to be
thanked many times in many languages. Finally, to Jim Hill,
the publisher, who had faith in my writing skills.
Any omissions or technical misinterpretations are, of course,
mine.
Introduction
This book is based on the premise that the system administrator who
does not enforce an integrated network security system is the weakest
link in the system. Security is more than the technical aspects of using a
Linux operating system such as permissions or TCP/IP wrappers. There
are the human aspects that may be in the end more important than the
technical. The simplest human error, such as posting a password on an
office wall, can undo the best technical security efforts. The fundamental word in the first sentence is integrated. Integration here means
bringing all the parts of a system together to act as one. The whole
should be greater than the sum of its parts.
The technical security architecture must have a supporting set of policies that define user actions both on and off the computer or terminal.
The broad foundation of any Linux technical security architecture
includes the following:
n Encryption and decryption
n Intrusion detection
n Logs
n Managed access control
n Network access control
n User and group accounts
Another basis of the book is the recognition that in many cases there is
no single way to do a security action. Similar commands can be used to
achieve a function. Commands have multiple options based on multiple
requirements. As no two Linux filesystems are identical because of basic
hardware and software network configurations, once an administrator
makes one change to the original installation of a Red Hat Linux distribution, the change can ripple through the system in a manner similar to
a pebble being thrown into a pool of water.
A potential confusion exists: because Linux is UNIX-like, one might
think the security issues are the same. They are similar. Because Linux
has been developed in a freelance environment, there is a need to make
a conscious decision to have a security management system. The book
tries to detail the meaning of a security management system. It does
imply that security is not a group of actions done in separate moments
of time but a set of integrated actions that has a continuous thread of
action. Because of Linux's UNIX heritage, there is a potential for similar
security threats. The heritage includes the following:
n Common development language of C
n Multitasking support
n Multi-user sessions
n Hierarchical directory and file systems
n Internet protocol support
Chapter 6: Servers and Services The chapter discusses security
issues about intranet servers and services. When appropriate, the
related configuration techniques are suggested. Some of the servers and
services included in the chapter are the following:
n E-mail
n Newsgroups
n DNS
n Web
n FTP
n SAMBA
n Apache
Chapter 7: Network The chapter discusses security issues about the
network and the related configuration techniques. Network management as used here means secure access control (passwords and
permissions) and the correct configuration of the infrastructure. The
ideas discussed in the chapter include:
n Passwords
n Permissions
n User and group accounts
n File archiving and compressing
n Logging
Chapter 8: Internet The chapter discusses security issues about the
Internet connection and the related configuration techniques. A primary
concern in having an Internet server is security. With Internet access,
you open your intranet (network) in an uncontrolled, ubiquitous, and
unmanageable environment. This is where firewalls and gateways come
into play. The areas discussed in the chapter include security for:
n Internet server
n Firewalls
n FTP
n Mail
n Telnet
n Web protocols
Chapter 9: Peripherals The chapter highlights certain information
that is relevant to the security management of two peripherals that are
ignored, but can generate security threats: printers and fax machines.
General hardware information and specific devices are also highlighted.
Chapter 10: Remote Access The chapter discusses security issues
about remote access and the related configuration techniques. The
chapter looks at Network File System management and the use of r-commands.
Chapter 11: Networking The chapter discusses security issues for
networking and the related configuration techniques. Networking management as used here means secure data transmission from one point
to another or process control and the administration of the status and
usage of this transmission.
Appendices
Appendix A: Terms and Acronyms The appendix defines some of
the common words used in network and Internet security in the context
of a Red Hat Linux filesystem.
Appendix B: Important Linux Security Commands The appendix gives some of the commands important to a security management
system.
Appendix C: Linux Security Weaknesses The appendix briefly
discusses some of the known security holes in Red Hat Linux. Special
lists are given for Linux 6.0 and 6.1.
Appendix D: Security and the Web The appendix lists some of
the World Wide Web sites that focus on issues related to the concepts,
ideas, tools, and techniques discussed in the book.
Appendix E: Listing of Networking HOWTOs The appendix
gives a list of HOWTOs that are relevant to a security management system for Linux.
Appendix F: Networking Requests for Comments (RFCs) The
appendix gives a list of Requests for Comments that are relevant to a
security management system.
Appendix G: Listing of Man Pages for Networking Administration and Maintenance The appendix gives a list of networking
man pages that are relevant to a security management system for Red
Hat Linux.
Part I
Foundation for Security
This part of the book looks at the foundation of electronic
security thinking, which is based on types of threats, policy
development (local security standards), and Requests for
Comments (Internet security standards). Specifically the
chapters cover:
Chapter 1
General Overview of Security Threats
This chapter gives the first answers to the following questions. The rest
of the chapters detail the answers.
A security misuse such as posting one's user password on the computer
or on the office wall may at first be a security nuisance that can become
a potential security threat. In addition, not having an enforced password policy, such as a maximum period of validity, or having an
easy, identifiable password can lead to a security threat.
As used in this book, a hacker is a person for whom simply entering a network is the challenge. A hacker thus is a security nuisance. A cracker is
a person who has malicious intent when entering a network, from
theft to destruction. A cracker thus is a security threat.
The following are examples of potential security nuisances:
n An abuse is any prohibited use of a system such as going to
non-business related URLs.
n An attack is any attempt to breach or disable your security system.
n A bug is a weakness in a program, usually human error.
n A compromise is a security breach in which data has been exposed.
n An intruder is an individual who gains unauthorized access into a
network.
n Network
n Internet
n Peripherals
n Remote access
n Networking
n Spoofing
n Sniffers
n Malicious code
n Scanners
Password Attacks
A password attack tries to circumvent, decrypt, delete, or even change
passwords. The security approach is to have add-on tools to harden
passwords, to change default product passwords, to have a password
policy that educates users on password usage, and to enforce the policy.
The potential consequence is total system compromise, that is, root
access and host control. Password attacks are where budding crackers
sharpen their fangs. This technique requires minimal technical
expertise.
In early distributions of Linux the (encrypted) passwords were readable by
any user in /etc/passwd and thus were unsafe. Any user can display the
file with $ cat /etc/passwd. There are seven fields per record in
/etc/passwd:
n username: Maximum of eight lowercase characters
n passwd: Version dependent (encryption or shadowing)
n userID: User identification number that attaches to the user's processes
n groupID: Group identification number that reflects the user's native group
n real name: Identifier that can optionally be the user's name
n user home: User's home directory
n user shell: User's default shell
When /etc/passwd is concatenated the result is similar to the following:
$ cat /etc/passwd
root:y19tryT6:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:11:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/var/spool/news:
uucp:*:10:14:uucp:/var/spool/uucp:
operator:*:11:0:operator:/root:
games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/home/ftp:
nobody:*:99:99:Nobody:/:
postgres:!!:100:233:PostgreSQL Server:/var/lib/pgsql:/bin/bash
Beginning of user information
jdoe:HL47Cc6VzGJN:501:501:Jane Doe:/home/jdoe:/bin/bash
The password, the second field, is encrypted or scrambled. Encryption
is discussed in more detail in Chapter 16. If shadowing was used the
first line would read root:x:0:0:root:/root:/bin/bash.
A common type of password attack is the dictionary attack. Dictionary
attacks are made easy by weak user passwords and the short length
of Linux passwords. A dictionary attack takes a long list of words,
encrypts each one with a high-speed cracking tool, and compares the results
against the passwords in /etc/passwd until a match is found. The more
hardened the passwords the better.
lastlog
useradd
userdel
usermod
groupadd
groupdel
groupmod
The first three commands are used to convert and to unconvert shadow
passwords. The fourth command checks for password integrity. The
next three commands are used to manage user passwords. The final
three commands are used to manage group passwords. The
/etc/shadow file consists of one record per line with nine fields:
n Username
n User password
n Number of days since January 1, 1970, that the password was
changed
n Number of days left before user is permitted to change password
n Number of days left before user is forced to change password
n Number of days to change password warning
n Number of days left before password is disabled
n Number of days since January 1, 1970, that the account has been
disabled
n Reserved
The shadow suite has two important password maintenance techniques:
n Password aging
n Automatic account lockout
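The two record formats above (seven fields in /etc/passwd, nine in /etc/shadow) are simple enough to audit with a short script. The following is an added example, not code from the book: it parses both files, then reports the conditions this chapter warns about, namely a hash left readable in /etc/passwd, an extra UID 0 account, an empty shadow password, and a password older than the maximum age the shadow record allows. The sample records, the placeholder hash strings and the chosen "today" value are constructed for the demonstration.

```python
import time

# Password-field values that are not hashes: "x" means "look in /etc/shadow",
# "*", "!" and "!!" mean the account is locked, "" means no password at all.
NON_HASH_MARKERS = {"x", "*", "!", "!!", ""}

# Constructed sample records (not from a real host). The "legacy" line keeps a
# readable hash in /etc/passwd; "toor" is a second UID 0 account with an empty
# shadow password. The hash strings are placeholders, not real digests.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
jdoe:x:501:501:Jane Doe:/home/jdoe:/bin/bash
legacy:HL47Cc6VzGJN:502:502:Legacy User:/home/legacy:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$placeholder$hash:10957:0:99999:7:::
jdoe:$1$placeholder$hash:11000:0:30:7:::
toor::11000:0:99999:7:::
"""


def parse_passwd(text):
    """Split /etc/passwd text into seven-field records (the field list above)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        records.append({"name": name, "passwd": passwd, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home, "shell": shell})
    return records


def parse_shadow(text):
    """Split /etc/shadow text into nine-field records keyed by username.
    The six day-count fields may be empty, which is stored as None."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"shadow line {lineno}: expected 9 fields, got {len(fields)}")
        name, passwd, *days, _reserved = fields
        lastchg, min_days, max_days, warn, inactive, expire = [
            int(d) if d else None for d in days]
        entries[name] = {"passwd": passwd, "lastchg": lastchg, "min": min_days,
                         "max": max_days, "warn": warn, "inactive": inactive,
                         "expire": expire}
    return entries


def audit_accounts(passwd_text, shadow_text, today_days=None):
    """Return (username, finding) pairs for: a hash exposed in world-readable
    /etc/passwd, extra UID 0 accounts, empty shadow passwords, and passwords
    older than their maximum age. today_days counts days since January 1, 1970."""
    if today_days is None:
        today_days = int(time.time() // 86400)
    shadow = parse_shadow(shadow_text)
    findings = []
    for rec in parse_passwd(passwd_text):
        name, passwd = rec["name"], rec["passwd"]
        if passwd not in NON_HASH_MARKERS:
            findings.append((name, "password hash readable in /etc/passwd"))
        if rec["uid"] == 0 and name != "root":
            findings.append((name, "additional UID 0 account"))
        if passwd != "x":
            continue
        entry = shadow.get(name)
        if entry is None:
            findings.append((name, "marked as shadowed but has no /etc/shadow entry"))
            continue
        if entry["passwd"] == "":
            findings.append((name, "empty password in /etc/shadow"))
        lastchg, max_days = entry["lastchg"], entry["max"]
        if (lastchg is not None and max_days is not None and max_days < 99999
                and today_days - lastchg > max_days):
            findings.append((name, "password older than its maximum age"))
    return findings


if __name__ == "__main__":
    for user, problem in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {problem}")
```

Run against the real files it has to run as root, since /etc/shadow is unreadable to other users; that restriction is the whole point of shadowing and is why the readable-hash check only ever fires on /etc/passwd.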
Denial of Service
While denial of service (DoS) has the attention of the various journalistic media these days, it has been around in either an intentional form or
unintentional form since late 1980. In October 1980, ARPANET, an
early form of the Internet, may have experienced the first DoS when
there was a hardware malfunction that caused a major sequence of malformed network control packets. Unfortunately, since that time there
have been cracker tools developed that can generate software DoS.
These tools can be used easily by a very inexperienced cracker.
Spoofing
Another type of threat is spoofing. Spoofing is when an intruder
authenticates one host to another using forged packets that appear to come from a trusted
host. A broader definition is any type of subversion of authentication. Three major spoofing techniques involve TCP/IP, Address
Resolution Protocol (ARP), and Domain Name Service (DNS).
The major source of security for TCP/IP is the IP address as an identifier. It is commonly used in access control for most, if not all, Internet
applications. One technique for some protection against spoofing is
good management of TCP connections and data transfers.
IP spoofing does not affect all services. Some of the vulnerable services
include:
n Services that use IP address authentication
n Remote Procedure Call (RPC) services
n R services (rshd, rlogin, rwhod, and rexec)
n X Window System
The significance of IP authentication is that most network services use
it. The best countermeasure is to avoid using the source address for
authentication. Beyond using cryptographic authentication on the system, three additional countermeasures might be used:
n Configure the network router to reject packets from the Internet that
claim local address origination.
n Stop TCP at the firewall.
n Enable encryption at the router for any outside connections from
trusted hosts.
ARP spoofing uses a hardware address rather than an IP address. An
intruder keeps a hardware address, but assumes the IP address of a
trusted host. This is done by using false mapping information. The false
mapping information is sent to the target and the cache. Since the
cache entries expire quickly, the window of opportunity is narrow. A
form of protection is to use static ARP tables by using the arp command.
DNS spoofing compromises the DNS server and alters the host name to IP
address tables. When a client requests a lookup, the user is given a
bogus address that is under the cracker's control. While this type of
attack is rare, it still can lead to system-wide compromise. DNS spoofing can be detected by polling other authoritative DNS servers and
looking for a server whose results differ from those of the other
servers.
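Two of the countermeasures in this section are mechanical enough to show as code: the router rule that rejects packets from the Internet claiming a local source address, and the DNS cross-check that polls several servers and flags the one whose answer differs. The block below is an added example, not from the book; the interface name eth0, the local prefixes, the sample packets and the sample DNS answers are all constructed (documentation address ranges are used for the outside hosts).

```python
import ipaddress
from collections import Counter

# Constructed topology (not from the book): eth0 faces the Internet and these
# two prefixes are the local networks behind the router.
EXTERNAL_IFACE = "eth0"
LOCAL_PREFIXES = [ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("10.0.0.0/8")]


def drop_spoofed_source(iface, src_ip, external_iface=EXTERNAL_IFACE,
                        local_prefixes=LOCAL_PREFIXES):
    """Ingress-filter decision for one packet: a packet arriving on the outside
    interface must not claim a local, loopback or unspecified source address."""
    if iface != external_iface:
        return False
    src = ipaddress.ip_address(src_ip)
    if src.is_loopback or src.is_unspecified:
        return True
    return any(src in net for net in local_prefixes)


def filter_packets(packets):
    """packets: iterable of (interface, source address). Returns the sources dropped."""
    return [src for iface, src in packets if drop_spoofed_source(iface, src)]


def dns_disagreement(answers):
    """answers maps a DNS server name to the set of addresses it returned for one
    hostname. Returns the servers whose answer differs from the answer given by a
    strict majority of servers; with no strict majority every server is returned,
    so the operator is told to look at all of them rather than trust any."""
    sets = {server: frozenset(addrs) for server, addrs in answers.items()}
    majority, count = Counter(sets.values()).most_common(1)[0]
    if count * 2 <= len(sets):
        return sorted(sets)
    return sorted(server for server, addrs in sets.items() if addrs != majority)


# Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_PACKETS = [
    ("eth0", "203.0.113.7"),    # genuine outside source: passes
    ("eth0", "192.168.1.20"),   # inside address arriving from outside: dropped
    ("eth0", "127.0.0.1"),      # loopback source on the wire: dropped
    ("eth1", "192.168.1.20"),   # inside address on the inside interface: passes
    ("eth0", "10.4.4.4"),       # inside address arriving from outside: dropped
]
SAMPLE_ANSWERS = {
    "ns1.example.net": {"203.0.113.10"},
    "ns2.example.net": {"203.0.113.10"},
    "resolver-a": {"198.51.100.7"},   # returns a different address
}

if __name__ == "__main__":
    print("dropped:", filter_packets(SAMPLE_PACKETS))
    print("disagreeing servers:", dns_disagreement(SAMPLE_ANSWERS))
```

The ingress rule is one half of the picture; the matching egress rule (drop outbound packets whose source is not one of the local prefixes) keeps the local network from being the origin of spoofed traffic against others. For the DNS check, poll servers you operate or authoritative servers for the zone, not the resolver under suspicion alone, otherwise a compromised resolver agrees with itself.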
Sniffers
A fourth technique of attack is the use of sniffers. The actual name of
sniffers is protocol analyzers. Header files are used in sniffing. A sniffer
establishes a workstation condition so that it can monitor and capture
all network traffic and packets. Sniffers are dangerous because they
can:
n Capture passwords
n Capture proprietary information
n Breach the security of neighboring networks
Malicious Code
The malicious code technique probably gets the most press because the
two most common kinds are viruses and Trojan horses. The two most
common types of viruses are boot and file. A Trojan horse can only be
propagated through human intervention to insert hidden and unauthorized code in an application.
A technique for detecting malicious code is object reconciliation. This is
comparing what was last determined as authorized against what is the
present state of the system. Because this technique is not sufficient in
and of itself, the use of checksums should be considered.
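Object reconciliation with checksums is the comparison of a recorded baseline of the system against its present state. The block below is an added example, not code from the book: it records mode, size and a SHA-256 digest for every regular file under a directory, then reports files that were added, removed or changed since the baseline. The demo() function builds a constructed scenario in a temporary directory (a modified binary, a dropped file and a deleted log) so the whole thing runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record (permission bits, size, digest) for every regular file under root,
    keyed by the path relative to root. Symbolic links are skipped."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (
                st.st_mode & 0o7777, st.st_size, file_digest(p))
    return baseline


def reconcile(baseline, root):
    """Compare the present state of root against a stored baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline)
                      if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then simulate a binary that has
    had hidden code appended, a dropped tool, and a deleted log."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc.conf").write_text("setting=1\n")
        (root / "old.log").write_text("log\n")
        baseline = build_baseline(root)
        (root / "bin" / "login").write_bytes(b"original login binary + hidden code")
        (root / "bin" / "extra").write_bytes(b"dropped tool")
        (root / "old.log").unlink()
        return reconcile(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The technique is only as trustworthy as the baseline and the tool that reads it: keep the stored digests and the comparison program on read-only media or another host, since an intruder with root can otherwise rewrite the baseline to match the altered files, which is the reason the text calls reconciliation insufficient on its own.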
Scanners
The sixth and final technique is the use of scanners. A scanner is a tool
that can detect system vulnerabilities. A scanner is a security tool and a
security threat. It all depends on which side of the table you sit.
A scanner can detect the obvious and the less than obvious vulnerabilities in a system. There are two types of scanners: system and network.
Examples of system problems that can be identified by a scanner
include erroneous file permissions, erroneous UID entries, and default
accounts. A network scanner tests hosts over network connections. A
scanner is used to get a system baseline, so frequent comparisons
should be done. Be sure to gain authorization to scan another host
before doing so. While a scanner is not an attack in the sense of the
other attacks, it still permits an intruder to gain valuable network system information, especially the weaknesses.
Chapter 10
Remote Access
This chapter discusses security issues about remote access and the
related configuration techniques. The chapter looks at Network File
System management and the use of r- commands.
Note: For step 3, add portmapper and the approved host list
to /etc/hosts.allow. Next, add portmapper to /etc/hosts.deny and
specify ALL.
The core characteristic of NFS is that it is a stateless protocol. Each client and server request is unique or complete unto itself. This means
NFS has a robust nature. A server can go down and the clients do not
have to reboot.
The 16 options available in /etc/exports are:
all_squash       Maps all user IDs (UIDs) and group IDs (GIDs) to the anonymous user
anongid          Sets the GID for the anonymous account
anonuid          Sets the UID for the anonymous account
insecure         Permits non-authenticated access
link_absolute    Does not convert absolute symbolic links to relative links
link_relative    Converts absolute symbolic links to relative links
map_daemon       Maps local and remote names and numeric IDs
no_root_squash   Does not do mapping from the root (default)
noaccess         Excludes subdirectories from a client
no_all_squash    Opposite of all_squash (default)
ro               Mounts the file system as read-only (default)
root_squash      Does mapping from the root
rw               Mounts the file system as read-write
secure           Requires authenticated access
squash_gids      Specifies the GIDs subject to anonymous mapping
squash_uids      Specifies the UIDs subject to anonymous mapping
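The option table above is the basis for a configuration audit: no_root_squash, insecure and rw each widen what a client can do, and an export with no client at all, or with a stray space before the parenthesised options, applies to every host. The block below is an added example, not the book's code or a Red Hat tool: a small parser for the /etc/exports line format and a checker that reports those conditions. The sample file is constructed; the description of insecure as allowing requests from non-privileged source ports follows exports(5) rather than the table's shorter wording.

```python
import re

# Options that widen client access; message text is this example's own.
RISKY = {
    "no_root_squash": "remote root keeps root privileges on the export",
    "insecure": "accepts requests from non-privileged source ports",
    "rw": "export is writable",
}

# Constructed sample, not from a real host. Note the space in the third line:
# "fileserver (rw,no_root_squash)" gives fileserver the defaults and grants
# rw,no_root_squash to every host, a classic /etc/exports mistake.
SAMPLE_EXPORTS = """\
# constructed example
/home          192.168.1.0/255.255.255.0(rw,root_squash,secure)
/usr/share     *(ro,all_squash)
/export/data   fileserver (rw,no_root_squash)
/tmp/scratch   192.168.1.5(rw,insecure)
"""

_CLIENT_SPEC = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return (path, client, option set) for every client on every export line.
    Line format: /path client1(opt,opt) client2(opt) ...; '#' starts a comment.
    A missing client, or options with no client in front, means every host."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = ["*"]
        for spec in clients:
            m = _CLIENT_SPEC.fullmatch(spec)
            if m is None:
                raise ValueError(f"exports line {lineno}: cannot parse {spec!r}")
            host = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return (path, client, message) for each risky setting found."""
    findings = []
    for path, host, opts in parse_exports(text):
        for opt in sorted(opts & set(RISKY)):
            findings.append((path, host, RISKY[opt]))
        if not opts & {"root_squash", "all_squash"}:
            findings.append((path, host, "root_squash not set; server default applies"))
        if host == "*" and "rw" in opts:
            findings.append((path, host, "writable export open to every host"))
    return findings


if __name__ == "__main__":
    for path, host, message in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{host}]: {message}")
```

The "root_squash not set" finding is deliberately reported even though the table lists no_root_squash as the default on this version: an export that relies on the daemon's default behaves differently when the server is upgraded, so the intended squashing should be written out on every line.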
The basic NFS mount options are as follows:
hard       Does a hard mount (default)
intr       Allows NFS operations to be interrupted
rsize=n    Specifies the datagram size in bytes for read requests (default is 1024 bytes)
soft       Does a soft mount
timeo=n    Specifies the wait time for a request in tenths of a second (default is 7, that is, 0.7 second)
wsize=n    Specifies the datagram size in bytes for write requests (default is 1024 bytes)
With a hard mount, when a client has a major timeout of 60 seconds
there is a continuous remount process until there is success. With a soft
mount, the client gets an I/O error and call processing continues without trying to do a remount.
Some of the NFS commands are the following:
domainname     Sets or displays name of current domain
rpc.portmap    Maps RPC program number to IP mapper
rpc.yppasswdd
rpcinfo
showmount
ypbind
ypcat
ypinit
ypmatch
yppasswd
yppoll
yppush
ypset
The NFS mount daemon is mountd. Some of the options include:
-d    Verbose logging (debugging)
-f    Specifies the export files
-h    Short help
-n    Any incoming mount request accepted
-p    Puts server into a promiscuous mode; serves any network host
-r    Allows imported NFS filesystems to be exported
-v    Reports current program version number
The rpcinfo command makes an RPC call to an RPC server and reports
what it finds. Its syntax is:
rpcinfo -p [host]
rpcinfo [-n portnum] -u host program [version]
rpcinfo [-n portnum] -t host program [version]
rpcinfo -b program version
rpcinfo -d program version
The options are:
-b    RPC broadcast to procedure 0
-d    Deletes registration for the specified RPC service
-n    Uses portnum for the -t and -u options
-p    Probes the port mapper for all registered RPC programs and prints a list
-t    Uses TCP to make an RPC call to the specified host program
-u    Uses UDP to make an RPC call to the specified host program
The showmount command shows mount information for an NFS server.
Some of its options include:
-a    Lists the client host name and mounted directory in host:dir format
-d    Lists directories of specified clients
-e    Shows the NFS server's export list
-h    Provides short help summary
-v    Displays current program version number
Two Requests for Comments (RFCs) are the following:
n RFC 1094 NFS: Network File System Protocol Specification. Sun
Microsystems, Inc. (March 1989)
n RFC 1813 NFS Version 3 Protocol Specification. B. Callaghan, B.
Pawlowski, and P. Staubach. (June 1995)
The NFS HOWTO is by Nicolai Langfeldt (janl@math.uio.no).
For additional information, see man page nfs(5). Other man pages for
NFS are portmap, mountd, nfsd, and exports.
Three tools available for a more secure NFS are:
n Nfsbug, which locates misconfigurations and bugs to limit unauthorized access.
n Nfstrace, which monitors Ethernet traffic and collects activity data.
n Nfswatch, which monitors and provides statistics on traffic.
-r
rdist
rexecd
ristd
rlogin
rlogind
rquota