
UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION

(SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE)

A.Davous, 01/02/2009

Unix Security Advanced Admin

FOREWORD
- No absolute security as long as the system is accessed
- In system administration, the evil is in the details

For questions, contact antoine.davous@aviler.com with [ESGI] in the subject field; otherwise, the mail will be treated as spam by the server rules.

INTRODUCTION
- UNIX FLAVORS
- COMMON SENSE RULES OF SECURITY
- HOW SECURITY IS COMPROMISED
- UNIX DAEMONS, SERVICES AND SERVERS
- HANDS-ON : SUN VIRTUAL BOX


WELL-KNOWN EXAMPLES
- Sendmail debug command mode: as sendmail runs setuid root, a user can run any command with root power (try sudo and vi !...)
- Command passwd -f: no control of the entered GECOS field, so a user can add any new line to the password file
- Buffer overflow is a variant: a user can execute shellcode (to get a root shell) previously saved at some memory address, in programs that accept any input without control (exploit)
- SYN flooding: by sending a high rate of TCP open session requests (SYN), the server fills its queue with half-open session data
- SQL injection: an SQL request to the database may be forged to execute malicious code

FOR INFORMATION : UNIX RELEASES

(Time line figure, 1969 to 2008, reused from the "Solaris vs. Linux" deck, A.Davous, 17/09/2008. Branches shown: AT&T Labs Unix (1969), Berkeley BSD (1977), Unix System V (1983); from BSD & SysV: Solaris 1.0 (= SunOS 4), Solaris 2.5 (= SunOS 5.5), Solaris 8 (= SunOS 5.8), Solaris 9 (= SunOS 5.9), Solaris 10, and FreeBSD, OpenBSD; from scratch: Linus Torvalds' Linux (1991), kernel 1.0 stable, Slackware, Debian, RedHat, kernel 2.4, kernel 2.6, Fedora Core, Fedora 10 (2008).)

FOR INFORMATION UNIX FLAVORS


- Unix time line: http://www.levenez.com/unix/
- Linux distributions time line: http://futurist.se/gldt/gldt76.png


REMINDER UNIX MANDATORY


- Read, read again the documentation: man, man -k, makewhatis -u
- vi: what else could be expected ? vim too, but mind its configuration and security
- Shells: sh is the best choice for scripting, then tcsh or bash (current shell: ps)
- find, diff, touch, sort [-n], xargs
- grep, egrep, awk, Perl, expect


WELL-KNOWN ATTACKS

Name [Category] : Definition
- Sniffing [Network] : get information from network transactions
- Spoofing or masquerading [Network] : take the identity of someone else
- Denial of service [Network] : try to stop or degrade a service, usually by a flooding technique
- Replaying [Authentication] : replay an abusive authentication or transaction
- Repudiation [Authentication] : reject an authentication or transaction
- Spam [Mail] : undesirable mail
- Phishing [Mail] : disguised mail to get confidential data
- Hoax [Mail] : joke with more or less consequences
- Dictionary [Password] : test with a list of the most current words
- Brute force [Password] : by trying a large number of possibilities
- Social engineering [All] : getting personal information by any means (physical, social network, ...)

MALICIOUS PROGRAMS (MALWARES)

Name : Definition
- Virus : inserts malicious code on the machine
- Worm : separate process that exploits security holes in the network
- Trojan horse : malicious program disguised as something innocuous or desirable
- Backdoor : method to bypass normal authentication procedures
- Rootkit : software set installed to get abusive rights, install a backdoor and stay hidden
- Spyware : gathers information for commercial purposes
- Key logger : copies down the user's keystrokes
- Bomb : crashes the system at a given time
- Exploit : exploits a security breach of a software

Most of these can be detected locally (by signature), except some exploits that can be detected at network level (firewall).

SECURITY KEY CONCEPTS


- Security goals: confidentiality, integrity, availability, authentication, non-repudiation
- 3 usual answers to threats: ignore, improvise or try to over-secure
- Right answer: determine the field, identify and evaluate the cost of resources (financial, confidentiality or production), determine security risks and strategy, monitor, upgrade

STRATEGIES
Strategies :
- Accept the threat but have a recovery plan
- Reduce the threat by appropriate means
- Transfer the threat to a vendor
- Bypass the threat by blocking access
Understanding is key :
- Example of mail user privilege
- Protect all layers: example of firewalls
- Reduce the exposed surface
- Protect, but detect and answer: administrate !
Security is, or must be, part of conception, operation and deployment

RISKS AND STRATEGY


Risks
- Human: malicious, but often from authorized users
- Technical: hardware (physical access), software
- It is up to the sysadmin to decide what they are and the right level of protection
Strategy
- Security and comfort is a compromise
- Have a security policy, especially a recovery procedure


HOW TO DO
In-depth (passive) protection
- (Physical premises access)
- Network filtering
- Passwords
- Encryption
- Backup
(Active) security process
- Monitor and add corrections
- Full audit
- Upgrade

SECURED DESIGN
- Open design or secret design debate (hidden flaws, issues discovered by the community, provocation to exploits)
- Common breaches
  - Least user access (chroot as solution)
  - Buffer overflow
  - Printf function (insert conversion keys into string)
  - Web programming (URL forging)
  - Transactions, client/server (man-in-the-middle; encryption, hashing as solutions)


SOME TABLE LAWS


- If someone can execute something on your computer, or modify your OS, or physically access your computer, it does not belong to you anymore
- As well, if someone can execute something on your web site, it does not belong to you anymore
- Weak passwords lead to security breaches
- A system is as secure as its sysadmin wants it to be
- Encrypted data is as secure as the key used to encrypt it
- An anti-virus that is not updated is as useful as no anti-virus
- Anonymity is not useful, but confidentiality is
- Technology is not the be-all and end-all
- Security measures work well when they are simple to use for the sysadmin and transparent to users

REMINDER : PROCESSES
- Processes have four identities: real (for accounting) and effective (for access permissions) UID and GID; usually the same, except with the setuid or setgid bit set
- Command ps
- Find setuid and setgid files over the system:
      find / -type f -perm /u+s,g+s -ls

- Kinds of processes
  - Interactive: controlled with & (run in background), ^Z (stop job), bg (restart in background), jobs (list current jobs)
  - Batch
  - Daemons


DAEMONS, SERVERS, SERVICES


Daemon, server, service concepts
- Daemon: program not part of the kernel; process that performs a specific function or system-related task
- Starts at boot time or on demand
- Specific system daemons: init (primordial process), cron (schedules commands), inetd (manages some of them)


WELL KNOWN DAEMONS

Name : Description
- init : first process
- syslogd, rsyslogd : Syslog logging
- sendmail : mail MTA (Mail Transfer Agent)
- lpd, lpsched : print scheduler
- crond : Cron process scheduler
- getty, mingetty : terminal support
- syncd, fsflush, bdflush, pdflush : disk buffer management
- pagedaemon, swapper, kswap : swap management
- inetd : main daemon to start on-demand TCP/IP services such as telnetd, ftpd, rshd (see /etc/inetd.conf)
- named : BIND DNS (Dynamic Name Resolution)
- routed, gated : TCP/IP routing daemons
- dhcpd : DHCP (Dynamic Host Configuration Protocol)
- portmap, rpcbind : port service resolution for RPC (Remote Procedure Call)
- nfsd : NFS (Network File System)
- smbd, nmbd : Samba
- httpd : Apache HTTP server
- timed, ntpd, xntpd : NTP (Network Time Protocol)

init DAEMON
- First process to run after system boot
- Always has PID 1 and is the ancestor of all other processes
- After startup, init consults /etc/inittab (or /etc/ttys on BSD) to determine on which physical ports it should expect users to log in (getty processes, even though network daemons are largely used today, or xdm for the graphical interface)
- Also takes care of zombie processes (not running but still listed)
- init defines run levels (passed as argument to it from the boot loader): 0 to 6 and s (single-user)
- An additional layer is given by the startup scripts in /etc/init.d, linked to start and stop scripts in /etc/rcX.d


REMINDER : BOOTING / SHUTTING DOWN

Solaris SPARC
- Boot PROM (device detection); access with STOP-A; boot -s : single-user; boot -r : reconfigure (see ls -l /dev/rdsk/c0t0d0s0)
- Boot loader
- Kernel loading and initialization
- Device configuration: touch /RECONFIGURE
- Execution of startup scripts
- Multiuser mode
- Run levels: level 0 : shut down (init 0); level 1 or S : single user (init s); level 6 : reboot (init 6)
- Scripts management: none, or see 5.10
- Configuration: /etc/default
- Shutdown: /usr/sbin/shutdown -g secs -i6 (reboot); /usr/sbin/shutdown -g secs -i0 (shut down); /usr/sbin/shutdown -g secs -iS (single user)

Solaris x86/64
- ROM BIOS
- MBR of boot device
- Boot loader (GRUB since 5.10, see /boot/grub/menu.lst)
- Kernel loading and initialization
- Device configuration: touch /RECONFIGURE
- Execution of startup scripts
- Multiuser mode
- Run levels: the same as SPARC
- Scripts management: none, or see 5.10
- Configuration: /etc/default
- Shutdown: the same as SPARC

Linux (Fedora Core)
- ROM BIOS
- MBR of boot device
- Boot loader (GRUB, see /boot/grub/menu.lst)
- Kernel loading and initialization
- Device detection and configuration
- Execution of startup scripts
- Multiuser mode
- Run levels: level 0 : shut down (init 0); level 1 or S : single user (init s); level 6 : reboot (init 6)
- Scripts management: chkconfig
- Configuration: /etc/sysconfig
- Shutdown: /usr/sbin/shutdown -r secs (reboot); /usr/sbin/shutdown -h secs (shut down); /usr/sbin/shutdown -f secs (skip scandisk)

OTHER CONCEPTS
- Command dmesg
- Core dump: ulimit -c
- PATH:
  - try not to modify the root profile PATH variable
  - do not set an empty component or . in the PATH variable
  - in scripts (and configurations like cron), always use the full path for commands (as variables at the beginning)
- Disk quotas may be used to isolate an application (vs. their original purpose)
- vi and other editors: dump files feature
- History of shell commands
- who -r
- cp -p
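To make the PATH rules above checkable, here is an added shell example (not part of the original slides) that audits a PATH value for empty or "." components, relative entries and world-writable directories; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original slides): audit a PATH value for the
# pitfalls listed above, i.e. empty or "." components (both mean "current
# directory"), relative entries, and directories that other users can write
# to. A root profile or a cron job with such a PATH can be made to run a
# planted binary instead of the intended command.

# path_issues PATHVALUE : print one line per problem found (nothing if clean)
path_issues() {
    rest="$1:"                 # sentinel ":" so the last component is handled like the others
    while [ -n "$rest" ]; do
        dir=${rest%%:*}        # component before the first ":"
        rest=${rest#*:}        # what is left after it
        case $dir in
            ""|.)
                echo "current directory in PATH (empty or '.' component)" ;;
            /*)
                # Absolute path: report it only if it exists and is writable by
                # others (octal 0002). -prune keeps find on the directory itself.
                if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
                    echo "world-writable directory in PATH: $dir"
                fi ;;
            *)
                echo "relative directory in PATH: $dir" ;;
        esac
    done
}

# path_is_safe PATHVALUE : status 0 when no problem is found, 1 otherwise
path_is_safe() {
    [ -z "$(path_issues "$1")" ]
}

# path_issue_count PATHVALUE : number of problems found, as a plain integer
path_issue_count() {
    path_issues "$1" | wc -l | tr -d ' '
}

# Stand-alone use: report on the current shell's PATH.
path_issues "$PATH"
```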


ANSWERS TO QUESTIONS - 1
Gentoo (2003)
- Visible on the time line; derives from Enoch (1999), which was built from scratch. Compiles on installation, taking into account the processor's instruction set.

ESCAPING TO SHELL WITH VI, MORE, ...
- Type : (colon) to get into command mode, then ! (exclamation mark) to run any shell command
- Type any command

locate, updatedb
- Search of a pattern ( *file* ) instead of a filename ( file )
- locate ntp == find / -name '*ntp*'
- locate -b '\ntp' == find / -name ntp

History length
- On sh or bash this is set with $HISTSIZE (tcsh: $HISTORY). See the following profiles slide and hands-on (depending on the shell, use man, setenv or printenv)

ANSWERS TO QUESTIONS - 2
grep
    # egrep pattern file(s)        Shows file names & lines that match [ filename: line ]
    # egrep -L pattern file(s)     Lists files that do not contain any matching line

awk
    # ifconfig -a | awk 'BEGIN {printf "%-4s %-19s %-15s\n","If","MAC","IP"} / Link/ {a=a+1 ; printf "%.4s %17s",$1,$5 ; getline ; printf "%15s\n",substr($2,6,15)} END {print "Total nbr:", a}'
    If   MAC                 IP
    eth0 00:09:5B:BD:FA:D2     192.168.0.1
    eth1 00:0E:A6:9F:7C:AA     89.156.6.39
    lo                         127.0.0.1
    Total nbr: 3


USERS ADMINISTRATION - PROFILES

Nothing specific to the OS but to the shell. However, it is worth knowing !

Main shells, with their startup files, what runs upon termination (any command or script specified using it) and other files:

sh
- Startup: /etc/profile (login shells), .profile (login shells)
- Upon termination: trap command 0
- Other: -

tcsh
- Startup: /etc/csh.cshrc (always), /etc/csh.login (login shells), .tcshrc (always), .cshrc (if no .tcshrc file is present), .login (login shells)
- Upon termination: .logout (login shells)
- Other: .history (saves history based on "$savehist"), .cshdirs (saves directory stack)

bash
- Startup: /etc/profile (login shells), .bash_profile (login shells), .profile (login shells, if no .bash_profile file is present), .bashrc (interactive non-login shells), $ENV (non-interactive shells)
- Upon termination: .bash_logout (login shells)
- Other: .inputrc (readline initialization)

PASSWORD CRACK TOOLS

Usage of these tools is illegal on computers where you have not been explicitly authorized to do it. But it is recommended to test your own password files anyhow: crackers will do it with them.

Crack
- Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin
- Quick-start commands:
      # umask 077
      # ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
      # Crack -nice 5 /root/unshadp
      # CrackReporter
- Results in the ~/run directory

John the Ripper
- Locations: /usr/share/john ; /usr/libexec/john
- Quick-start commands:
      # umask 077
      # unshadow /etc/passwd /etc/shadow > /root/unshadp
      # john [--rules --wordfile=FILE] /root/unshadp
- Results in ~/john.pot

EXAMPLE FOR JOHN - 1


For this example to work, the password check must be removed from PAM:
    # cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.BAK
Change pam_cracklib.so from requisite to optional. But better with Fedora: set USECRACKLIB to yes in /etc/sysconfig/authconfig.
NO ! If root, it is ok ! (as root, the weak password is accepted anyway, as shown below)

    # useradd essai1
    # passwd essai1
    Changing password for user essai1.
    New UNIX password: essai1
    BAD PASSWORD: it is based on a dictionary word
    Retype new UNIX password: essai1
    # unshadow /etc/passwd /etc/shadow > /root/essai1
    # john /root/essai1
    Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/32])
    essai1           (essai1)
    guesses: 1  time: 0:00:00:03 6% (2)  c/s: 4836  trying: skulls
    ^C
    Session aborted


EXAMPLE FOR JOHN - 2


    ... New UNIX password: 12345 ...
    12345            (essai1)
    guesses: 1  time: 0:00:00:05 8% (2)  c/s: 4880  trying: Sunshine1
    ^C

    ... New UNIX password: cathy ...
    cathy            (essai1)
    guesses: 1  time: 0:00:00:04 6% (2)  c/s: 4891  trying: decembers
    ^C

    ... New UNIX password: djk7sdf ...
    guesses: 0  time: 0:00:00:34 37% (2)  c/s: 4886  trying: blondie?
    ^C


SOME PHYSICAL ATTACKS


- Physical access must be protected: if not, an attacker can open the case and reset the EEPROM (where the BIOS password is saved), or can steal the hard disk
- BIOS (or boot PROM for Sun) level must be protected (with a password): if not, an attacker can boot on his own CD/DVD
- If partitions are not encrypted, booting with a CD/DVD gives access to the data (with the mount command) and so to /etc/passwd (this is an official recovery procedure for a lost root password)
- For backup purposes, a recovery CD (or the software installation CD) is usually needed:
      # mkbootdisk `uname -r`
- Network may need to be redundant (High Availability) by duplicating network interfaces, switches, routers. Multiple redundant interfacing is named channel bonding (or IP multipath for Sun); otherwise, DoS

ROOT PASSWORD RECOVERY


Simplest procedure, using single user mode (case of Fedora 10):
- At the GRUB screen, edit the current boot line (e)
- Edit the kernel line (e) by adding single at the end (single user mode)
- Save and boot (b)
- Command passwd can then be entered with root privileges to reset the root password

GRUB is protected if:
- the GRUB bootloader has a timeout (/boot/grub/menu.lst): suppress it (0)
- or a password (add the line password --md5 PASSWORD in menu.lst). The encrypted password is given by the command
      # grub-md5-crypt
  which returns a PASSWORD that can be pasted

ROOT, sudo AND SECURITY


- Never log in as root directly: su - (minus to inherit root's environment instead of the user's one)
- Never change the root shell
- Package sudo is used to give some determined root rights to standard users (with their own passwords !)
  - Configuration file: /etc/sudoers (mode 440), editable only with the visudo command; see man sudo, man sudoers
  - Never configure shells or utilities that escape to a shell as commands (more, less, vi, ...), because the commands will be executed as root !
  - sudo -v : restart the timeout
  - sudo may be integrated with PAM
  - passwords are not encrypted; SSH is the solution
  - usage can be forced by replacing the su command with a symbolic link to sudo

SUDO CONFIGURATION LINES EXAMPLES


    Host_Alias  FILESERVERS = fs1, fs2
    User_Alias  ADMINS = antoine, john
    Cmnd_Alias  SOFTWARE = /bin/rpm, /usr/bin/yum
    Defaults    requiretty

    root        ALL = (ALL) ALL
    antoine     fs1 = /sbin/mount, /mnt/cdrom
    ADMINS      FILESERVERS = SOFTWARE
    dgb         fs2 = (operator) /bin/ls

The most important: the sudoers config should be set to span over multiple servers (by simple file transfer and copy).
Last line: the user dgb may run /bin/ls, but only as operator, e.g. # sudo -u operator /bin/ls

REMINDER : TELNET, (T)FTP, R* SERVICES


- Started by the (x)inetd server
- Reminder, telnet: useful for tests (not only port 23): # telnet host [port]
- TFTP: used for X terminals startup: no authentication at all
- telnet, FTP: security problem with clear-text passwords shown
- R* services
  - Commands: rlogin, rsh, rcp, ruptime, rwho
  - Configuration: /etc/hosts.equiv, ~/.rhosts ; syntax: user@host
  - Authentication is done without password if it succeeded (handy for rcp)
  - But security problem: if one listed host is unsecured, the local host is unsecured ! This is because with the r* services authentication scheme, local authentication is based on the remote one.
- So use rsync for file transfer (nothing to do with r* services) or, better, SSH/SFTP for everything.

INETD AND XINETD


- Extended Internet services daemon: a unique daemon that waits for incoming connections for a number of other services and starts the corresponding server (echo, telnet, FTP, r* services: most are standard and/or well-known Unix services, but not all)
- Process: inetd or xinetd (reminder: kill -HUP)
- Startup for xinetd: /etc/init.d/xinetd
- Log by syslog, but configurable
- Old style configuration (inetd): /etc/inetd.conf (reminder: /etc/services)
- Configuration (xinetd): /etc/xinetd.conf and /etc/xinetd.d/* (one config file per service)
- Even though (x)inetd is a mandatory service (think about installing embedded servers with no SSH package installed yet), controlled services are more and more disabled for security reasons. Why ? For example, telnet and FTP are sending clear-text passwords !
- Other: installation with core, verbose mode


TCPWRAPPERS
- Package that secures connections to given well-known services: those handled by (x)inetd for sure, but others too (SSH). Which ones ? For the sshd example:
      # strings -f /usr/sbin/sshd | grep hosts_access
      /usr/sbin/sshd: hosts_access
  (YES ! If no line is returned, no)
- TcpWrappers is transparently inserted between the network and the service; it adds access control and logging features
- Binary: tcpd, but not a daemon (invoked at connection). This is why there is no service to restart after a configuration modification
- Configuration files: /etc/hosts.allow, /etc/hosts.deny
- Syntax of configuration lines: service_list : host_list [ : (command to log) ]
- host_list may be a hostname, a list, an IP address or network, a keyword (ALL, LOCAL), but never use EXCEPT as shown in the documentation


ROOT LOGIN DEVICES


Kinds of terminals:
    console              # console
    ttyn (tty1, ...)     # serial terminals
    vc/n (vc/1, ...)     # virtual consoles

Where root can directly log in is configurable in /etc/securetty.
Security: all should be disabled (by commenting with #) except console and/or tty1.


WELL-KNOWN SERVICES AND PORTS


Service              Port
FTP                  21 (20), 990 (989)
SSH                  22
telnet               23, 992
SMTP                 25, 992
DNS                  53
DHCP (BOOTP)         67 (s), 68 (c)
TFTP                 69
HTTP(S)              80, (443)
Kerberos             88, 749, 750
POP-3                110, 995
RPC                  111
NTP                  123
IMAP                 143 (v2), 220 (v3), 993 (v4)
SNMP                 161, 162
LDAP                 389, 636
SMB                  445
LPD                  515
NFS                  2049, 4045/udp
AD                   3268, 3269
X11                  6000-19, 6063


PORT SCANNING
TCP ports scanning
- Normal handshake, port open: SYN, SYN+ACK, ACK
- Normal handshake, port closed: SYN, RST+ACK (note: this is logged !)
- Half-open SYN scan, port open: SYN, SYN+ACK, RST
- Half-open SYN scan, port closed: SYN, RST+ACK (note: this may not be logged, but usually is)
- Anyhow, some systems (FW) will think about SYN flooding, so nmap can be used with the -T option to slow down the flood
- Probe = malformed TCP packet (i.e. FIN probe with the FIN flag set, or XMAS probe with the FIN, URG, PUSH TCP flags set, NULL probe with no TCP flag set)
- Stealth TCP scan, port open: TCP probe, no response (this is garbage)
- Stealth TCP scan, port closed: TCP probe, RST+ACK (notes: also named inverse TCP flag scan; Windows does not respect the standard and does not send RST from a closed port; nmap can use options for each kind of probe: -sF, -sX, -sN)
- Some other techniques: analysis of ACK probe, TTL field, window field

UDP ports scanning
- UDP probe, port open: UDP probe, no response
- UDP probe, port closed: UDP probe, ICMP dest port unreachable (note: nmap can use option -sU)
- Using specific UDP service clients to test the server: not realistic for a large number of ports
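From the defender's side, the half-open pattern above (SYN answered by SYN+ACK or RST+ACK, never completed with an ACK) can be counted per source in a tcpdump text capture. This is an added example, not from the slides; the capture lines are constructed and the threshold is arbitrary.

```shell
#!/bin/sh
# Added example (not from the original slides): count, per source address, the
# TCP handshakes seen in a tcpdump text capture and flag sources that probe many
# ports without ever completing a connection, which is the footprint of the
# half-open SYN scan described above. A legitimate client sends SYN, receives
# SYN+ACK and answers ACK; a scanner receives SYN+ACK (open) or RST+ACK (closed)
# and never sends the final ACK.

# sample_capture : constructed tcpdump -n output (not a real capture). 10.0.0.99
# probes five ports on 192.168.1.10 (22 and 80 open, the rest closed) with the
# half-open technique; 10.0.0.7 opens a normal SSH session.
sample_capture() {
cat <<'EOF'
10:00:00.000001 IP 10.0.0.99.40001 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
10:00:00.000002 IP 192.168.1.10.22 > 10.0.0.99.40001: Flags [S.], seq 100, ack 2, win 29200, length 0
10:00:00.000003 IP 10.0.0.99.40001 > 192.168.1.10.22: Flags [R], seq 2, win 0, length 0
10:00:00.000004 IP 10.0.0.99.40002 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
10:00:00.000005 IP 192.168.1.10.23 > 10.0.0.99.40002: Flags [R.], seq 0, ack 2, win 0, length 0
10:00:00.000006 IP 10.0.0.99.40003 > 192.168.1.10.25: Flags [S], seq 1, win 1024, length 0
10:00:00.000007 IP 192.168.1.10.25 > 10.0.0.99.40003: Flags [R.], seq 0, ack 2, win 0, length 0
10:00:00.000008 IP 10.0.0.99.40004 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
10:00:00.000009 IP 192.168.1.10.80 > 10.0.0.99.40004: Flags [S.], seq 200, ack 2, win 29200, length 0
10:00:00.000010 IP 10.0.0.99.40004 > 192.168.1.10.80: Flags [R], seq 2, win 0, length 0
10:00:00.000011 IP 10.0.0.99.40005 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
10:00:00.000012 IP 192.168.1.10.443 > 10.0.0.99.40005: Flags [R.], seq 0, ack 2, win 0, length 0
10:00:01.000001 IP 10.0.0.7.51000 > 192.168.1.10.22: Flags [S], seq 500, win 64240, length 0
10:00:01.000002 IP 192.168.1.10.22 > 10.0.0.7.51000: Flags [S.], seq 900, ack 501, win 29200, length 0
10:00:01.000003 IP 10.0.0.7.51000 > 192.168.1.10.22: Flags [.], ack 901, win 64240, length 0
10:00:01.000004 IP 10.0.0.7.51000 > 192.168.1.10.22: Flags [P.], seq 501:522, ack 901, win 64240, length 21
EOF
}

# syn_scan_report THRESHOLD < capture : one line per source address,
#   <src> probed=<distinct ports> open=<SYN+ACK seen> closed=<RST+ACK seen> completed=<ACK sent> <verdict>
# where the verdict is SUSPECT when the source probed THRESHOLD ports or more.
syn_scan_report() {
    awk -v thresh="$1" '
        # Only TCP lines of the form: <time> IP <src.port> > <dst.port>: Flags [<f>], ...
        $2 == "IP" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            flags = $7; gsub(/[^A-Za-z.]/, "", flags)      # "[S.]," -> "S."
            n = split(src, a, "."); sport = a[n]; sip = substr(src, 1, length(src) - length(sport) - 1)
            m = split(dst, b, "."); dport = b[m]; dip = substr(dst, 1, length(dst) - length(dport) - 1)
            # Every flow is keyed as client SUBSEP server:port, whichever side sent the packet.
            if (flags == "S") {                 # client -> server: SYN
                key = sip SUBSEP dip ":" dport
                if (!(key in probed)) { probed[key] = 1; nprobed[sip]++ }
            } else if (flags == "S.") {         # server -> client: SYN+ACK, port open
                key = dip SUBSEP sip ":" sport
                if (!(key in opened)) { opened[key] = 1; nopen[dip]++ }
            } else if (flags == "R.") {         # server -> client: RST+ACK, port closed
                key = dip SUBSEP sip ":" sport
                if (!(key in closed)) { closed[key] = 1; nclosed[dip]++ }
            } else if (flags == ".") {          # pure ACK: completes the handshake of an opened flow
                key = sip SUBSEP dip ":" dport
                if ((key in opened) && !(key in done)) { done[key] = 1; ndone[sip]++ }
            }
        }
        END {
            for (c in nprobed)
                printf "%s probed=%d open=%d closed=%d completed=%d %s\n", c, nprobed[c],
                       nopen[c] + 0, nclosed[c] + 0, ndone[c] + 0,
                       (nprobed[c] >= thresh ? "SUSPECT" : "ok")
        }' | sort
}

# Stand-alone use: analyse the constructed capture with a threshold of 3 ports.
sample_capture | syn_scan_report 3
```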


REMINDER : NETWORK
- TCP/IP layers: application (telnet, NFS, DNS, FTP, SSH); transport (TCP, UDP); internet (OSI network: IP, ICMP); network access (Ethernet, ARP)
- MAC address: 48 bits, the first 24 being the OUI (Organizationally Unique Identifier)
- Service = transport protocol (TCP or UDP) + port
- /etc/protocols associates internet protocol (OSI network layer) and protocol identifier
- /etc/services associates transport protocol (transport layer) and port number
- IPv6: 128-bit address (the first 48 for the ISP, the end from the MAC). Compatible IPv4 (::FFFF:a.b.c.d); loopback is ::1; broadcast is FF02::1
- http://www.potaroo.net/tools/ipv4/index.html

TCP/IP NETWORK PROTOCOLS MAP (from RADCOM website)

(Attached PDF file, available from RADCOM at www.radcom.com)


TCP/IP NETWORK PROTOCOLS MAP (from protocol.com website)


TCP STATE MACHINE


TOOL: WIRESHARK - 1
- Other well-known tool: tcpdump (we'll see it later). Wireshark can import tcpdump dump files and snoop (Sun) dump files
- Open-source and modular conception: you can add your own decoder
- Related to sniffing, but many other obscure tools are used in real life by hackers
- Promiscuous mode, i.e. listen to all frames on the LAN (libpcap needed; WinPcap for the Windows environment)
- Can be used in text mode without GUI, but not recommended (in line mode use tcpdump instead, with the -w option to export the dump to Wireshark)
- Configurable columns (Edit, Preferences)
- Filtering: when capturing (lot of options) or viewing (also); can work as a ring buffer with triggers
- Important options:
  - Resolutions: MAC, network, transport. Network resolution should be avoided as it creates new traffic
  - Fragmented IP packets are reassembled by default, but configurable (Edit, Preferences, IP protocol options)
  - Analyze, Follow TCP stream: useful to present a TCP session in one window
- Rich statistics options
- Rich export and presentation options


TOOL: WIRESHARK - 2
Fields
    FIELD               TYPE               MEANING
    ip.addr             IPv4 address       Source or destination IP address
    ip.dst              IPv4 address       Destination IP address
    ip.flags.df         Boolean            Don't fragment flag
    ip.ttl              Unsigned integer   Time to live
    http.request        Boolean            HTTP request
    icmp.type           Unsigned integer   ICMP command type
    ftp.response.data   Character string   FTP data
    dns.response        Boolean            DNS response

Filters
    FILTER                                        MEANING
    ip.addr == 192.168.10.2                       All packets coming from or going to host 192.168.10.2
    (ip.addr == 192.168.10.2) && (dns.response)   All packets coming from or going to host 192.168.10.2 which are DNS responses


REMINDER : FILES
- In Unix everything is a file (I/O from files or from peripherals are the same)
- In Unix, a file belongs to a user AND to a group (no mandatory relationship between both); a user can belong to many groups; so, giving access to a set of files or commands belonging to a group is done by adding the user to the group
- When a file is created, it belongs to the user who created it and to his group, except if the upper directory is setgid (BSD style)
- Commands: chown [-R], chgrp, chmod

- Access rights for files (directories): r read (can ls it), w write (can delete/rename files into it), x execute (can cd into it). To be executable, a shell script needs rx, a binary only x
- umask 022 command in profile files to set the permissions of new files
- Special access:
  - t sticky bit (can write in a dir but not delete files; /tmp)
  - s setuid bit (sets resource access of the process to the owner and not to the one that runs it)
  - s setgid bit (for a file, sets resource access of the process to the owning group and not to the one that runs it; for a dir, see above)
  - find / [-user root] -xdev -perm {-4000 | -2000}
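As an added example (not from the slides), the same find filter turned into a small audit script that keeps a baseline of setuid/setgid files and reports any that appear or disappear; the directory and baseline paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original slides): a setuid/setgid inventory check
# built on the find filters quoted above. The first run records a baseline of
# privileged files; later runs report files whose setuid/setgid bit appeared or
# disappeared since, which is how a planted privileged binary shows up during
# an audit. Paths are whatever the caller passes in.

# suid_inventory ROOT : list setuid (4000) or setgid (2000) regular files under
# ROOT, staying on one file system (-xdev), one path per line, sorted in C order
# so that comm can compare the lists.
suid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# suid_check ROOT BASELINE : compare the current inventory with BASELINE.
# If BASELINE does not exist yet it is created and nothing is reported.
# Otherwise "+path" lines are new privileged files and "-path" lines are files
# that lost the bit or were removed. Status 0 when nothing changed, 1 otherwise.
suid_check() {
    root=$1
    baseline=$2
    if [ ! -f "$baseline" ]; then
        suid_inventory "$root" > "$baseline"
        return 0
    fi
    now=$(mktemp)
    suid_inventory "$root" > "$now"
    # comm -3 drops common lines; lines only in the baseline come first (column 1),
    # lines only in the current inventory are prefixed with a tab (column 2).
    changes=$(LC_ALL=C comm -3 "$baseline" "$now" |
              awk '/^\t/ { print "+" substr($0, 2) } !/^\t/ { print "-" $0 }')
    rm -f "$now"
    if [ -z "$changes" ]; then
        return 0
    fi
    printf '%s\n' "$changes"
    return 1
}

# Stand-alone use: audit the root file system against a baseline (keep the
# baseline somewhere an attacker cannot edit, e.g. read-only media):
#   suid_check / /var/tmp/suid.baseline
```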

SERVICES- COMPLEMENTS
- Commands: init 0, init 6, init s
- ps -ef, kill -<signal>, pgrep, pkill, <service-script> start|stop|restart (service startup script)
- Command chkconfig (specific to Fedora):
      usage:  chkconfig --list [name]
              chkconfig --add <name>
              chkconfig --del <name>
              chkconfig --override <name>
              chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>
- chkconfig header in startup scripts
- And finally, the system-config-services GUI applet, specific to Linux
- Command service and the semi-graphical GUI sysvconfig, both specific to Debian

NETWORK COMMANDS
- hostname (nodename)
- ifconfig
- ping
- arp [-n] [-a] ...
- netstat [-rn] ...
- route [add | del] ...
- traceroute
- nslookup, dig

NAME RESOLUTION AND ROUTING


Name resolution
- /etc/hosts: name resolution (possibly distributed by NIS, but to be avoided)
- /etc/resolv.conf: domain definition and name servers location (removing it will deactivate DNS resolution)
- /etc/host.conf: name services switch (or /etc/nsswitch.conf)

Routing
- On a LAN (hubs), no routing necessary
- On small networks, static routes may be necessary
- On large networks (WAN), dynamic routing handled by the routed and gated daemons (support of RIP, OSPF, BGP, EGP)
- On Linux, static routes may be defined in /etc/sysconfig/static-routes


NETWORK FILES: DHCP AS EXAMPLE


Linux
- Interface config: /etc/sysconfig/network-scripts/ifcfg-eth0, /etc/sysconfig/network
- Startup script: /etc/init.d/network (/sbin/ifup)
- DHCP activation: BOOTPROTO=dhcp in /etc/sysconfig/network-scripts/ifcfg-eth0
- Daemon: dhcpd
- Client lease file: /etc/dhcp/dhcpd-eth0.info

Solaris
- Interface config: /etc/hostname.hme0
- Startup script: /etc/init.d/network
- DHCP activation: touch /etc/dhcp.hme0 ; config in /etc/default/dhcpagent
- Daemon: dhcpagent
- Client lease file: /etc/dhcp/hme0.dhc


Sun xVM VirtualBox - 1


- VirtualBox release 2.1.2, found at www.virtualbox.org (accept installation of USB and network drivers)
- Host and guest concepts: see the manual
- Guest additions concept
- Fedora 10, found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso, 32 bits although 64 is supported by xVM, English edition, installable Live CD)


Sun xVM VirtualBox - 2


Installation procedure (example is Fedora):
- New machine; choose the OS, select memory size (2 GB, but less than the host !), add a virtual disk (fixed, 10 GB).
- Mount the OS ISO local file as CD/DVD-ROM.
- Start !... (ignore both messages: no additions installed yet)
- When started, use the "Install on hard disk" icon. Select French keyboard.
- Shut down, unmount the CD/DVD and restart.
- Upgrade system and application packages (Yum).
- Install the dkms package (Dynamic Kernel Module Support Framework).
- Install the GNU make and gcc packages.
- Mount the Guest Additions ISO with the Devices, Install Guest Additions xVM menu.
- Run Sun's script: cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run
- Restart.


Sun xVM VirtualBox - 3


Installation procedure particularities for Debian 4:
- Installation of the small image via Internet.
- Disk partitioning without LVM, one root partition.
- Desktop and system packages.
- Synaptic Package Manager used for package installation: make, gcc and kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686; check the release with the command uname -a).


REMOTE ACCESS TO SYSTEM


- Xming: XLaunch utility
- But otherwise, X specific, exporting the display: run your X server on the PC (nothing required if PuTTY is used, because the X protocol is encapsulated in SSH, port 22; otherwise, ports XDMCP 177 and 6000 should be opened). Then, on the client:
      setenv DISPLAY server:0.0
      echo $DISPLAY
- PuTTY


REDHAT PACKAGE MANAGER COMMANDS

    # rpm -qa | grep <package-search-string>   Get package name
    # rpm -ql <package-name>                   List files included in package
    # rpm -qc <package-name>                   List configuration files included in package
    # rpm -qR <package-name>                   List required dependent packages
    # rpm -qi <package-name>                   Information on package


USEFUL LINKS
- http://www.dwheeler.com/secure-programs/ : Secure Programming for Linux and Unix HOWTO
- www.cpan.org : Perl packages and more
- http://www.sun.com/software/security/jass : Sun's JASS Solaris Security Toolkit
- http://www.digilife.be/quickreferences/quickrefs.htm : Quick Reference Cards, useful for those related to Unix
- http://www.cert.org/cert/ : CERT security information
- http://www.auscert.org.au/5816 : AusCERT Unix and Linux Security Checklist v3.0
- http://www.protocols.com/pbook/tcpip1.htm#MAP : RADCOM protocols.com web site (protocols map)


BIBLIOGRAPHY

- Unix System Administration Handbook, Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein, Prentice Hall. English. Third edition 2001. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD). 854 p.
- Essential System Administration, Aeleen Frisch, O'Reilly. English, but French version available (Les bases de l'administration système). Third edition 2002. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD, Tru64). 1172 p.
- TCP/IP Illustrated volume 1, Richard Stevens, Addison-Wesley. English, but French version available (TCP/IP illustré, Vuibert). A must for TCP/IP matters. No OS privileged but Unix foundations. 592 p.
- TCP/IP Network Administration, Craig Hunt, O'Reilly. English, but French version available. Third edition 2002. Covers RedHat and Solaris. 772 p.
- Network Security Assessment, Chris McNab, O'Reilly. English. Second edition 2007. Covers Unix and Windows from the network services breaches perspective. 478 p.
- GNU/Linux Fedora, Spécial Sécurité, Huet-Verhille, ENI Editions. French. First edition 2007. Focuses on Fedora (as it is a natively secured OS). 342 p. 39 €. Recommended for this course.

WINDOWS TOOLS USED DURING THIS SESSION


- Wireshark (prev. Ethereal), network protocol analyzer: http://www.wireshark.org
- PuTTY, SSH client: http://www.chiark.greenend.org.uk/~sgtatham/putty/
- Xming, PC X server: http://www.straightrunning.com/XmingNotes/
- VirtualBox, virtualization: http://www.virtualbox.org/
- EasyBCD, Windows Vista bootloader utility: http://neosmart.net/
- Apache JMeter, HTTP workbench: http://jakarta.apache.org/jmeter/